27/4/2016 Aerohive CLI Guide

The following is a complete list of commands available in the HiveOS 6.6r1 release for the AP230 along with explanations of every keyword.
Click a command to see its keyword explanations. Then click the Back Arrow in your browser to return to the list of commands. For an
introduction to the Aerohive CLI, explaining different ways to access it, some keyboard shortcuts, and usage tips, click here.

802.1x­mac­table expire­time <number>

802.1x­mac­table suppress­interval <number>
aaa attribute NAS­Identifier <string>
aaa attribute Operator­Name namespace­id <number>
aaa attribute Operator­Name namespace­id {TADIG|REALM|E212|ICC}
aaa attribute Operator­Name value <string>
aaa attribute user­profile­attribute vendor­id <number> attribute­id <number>
aaa mac­format case­sensitivity {lower­case|upper­case}
aaa mac­format delimiter {dash|dot|colon}
aaa mac­format style {two­delimiter|five­delimiter|no­delimiter}
aaa ppsk­server auto­save­interval <number>
aaa ppsk­server radius­server {primary|backup1|backup2|backup3} <ip_addr|string> [ shared­secret <string> ] [
auth­port <number> ] [ via­vpn­tunnel ]
aaa radius­server account­interim­interval <number>
aaa radius­server accounting {primary|backup1|backup2|backup3} <ip_addr|string> [ shared­secret <string> ] [ acct­
port <number> ] [ via­vpn­tunnel ]
aaa radius­server dynamic­auth­extension
aaa radius­server inject Operator­Name
aaa radius­server keepalive enable
aaa radius­server keepalive interval <number>
aaa radius­server keepalive retry <number>
aaa radius­server keepalive retry­interval <number>
aaa radius­server keepalive username <string> password <string>
aaa radius­server local acct­enable
aaa radius­server local attr­map group­attr­name <string>
aaa radius­server local attr­map reauth­attr­name <string>
aaa radius­server local attr­map user­profile­attr­name <string>
aaa radius­server local attr­map vlan­attr­name <string>
aaa radius­server local cache lifetime <number>
aaa radius­server local concurrent­session age­timeout <number>
aaa radius­server local concurrent­session limit <number>
aaa radius­server local db­type active­directory {primary|backup1|backup2|backup3} computer­ou <string>
aaa radius­server local db­type active­directory {primary|backup1|backup2|backup3} domain <string> binddn <string>
password <string>
aaa radius­server local db­type active­directory {primary|backup1|backup2|backup3} domain <string> fullname
<string> [ default ]
aaa radius­server local db­type active­directory {primary|backup1|backup2|backup3} domain <string> server <string>
aaa radius­server local db­type active­directory {primary|backup1|backup2|backup3} login admin­user <string>
password <string>
aaa radius­server local db­type active­directory {primary|backup1|backup2|backup3} {server} <string> [ {via­vpn­
tunnel} ]
aaa radius­server local db­type active­directory {primary|backup1|backup2|backup3} {tls­enable|global­catalog}
aaa radius­server local db­type ldap­server sub­type edirectory
aaa radius­server local db­type ldap­server sub­type edirectory acct­policy­check
aaa radius­server local db­type ldap­server {primary|backup1|backup2|backup3} basedn <string>
aaa radius­server local db­type ldap­server {primary|backup1|backup2|backup3} binddn <string> password <string>
aaa radius­server local db­type ldap­server {primary|backup1|backup2|backup3} filter­attr <string>
aaa radius­server local db­type ldap­server {primary|backup1|backup2|backup3} no­strip­filter
aaa radius­server local db­type ldap­server {primary|backup1|backup2|backup3} port <number>
aaa radius­server local db­type ldap­server {primary|backup1|backup2|backup3} protocol {ldap|ldaps}
aaa radius­server local db­type ldap­server {primary|backup1|backup2|backup3} {server} <string> [ {via­vpn­tunnel}
]
aaa radius­server local db­type library­sip­server {primary} institution­id <string>
aaa radius­server local db­type library­sip­server {primary} login­enable
aaa radius­server local db­type library­sip­server {primary} login­user <string> password <string>
aaa radius­server local db­type library­sip­server {primary} port <port>
aaa radius­server local db­type library­sip­server {primary} separator <string>
aaa radius­server local db­type library­sip­server {primary} {server} <string>
aaa radius­server local db­type local
aaa radius­server local db­type open­directory {primary|backup1|backup2|backup3} admin­user <string> password
<string>
aaa radius­server local db­type open­directory {primary|backup1|backup2|backup3} domain <string> binddn <string>
password <string>
aaa radius­server local db­type open­directory {primary|backup1|backup2|backup3} domain <string> fullname <string>
aaa radius­server local db­type open­directory {primary|backup1|backup2|backup3} filter­attr <string>
aaa radius­server local db­type open­directory {primary|backup1|backup2|backup3} no­strip­filter
aaa radius­server local db­type open­directory {primary|backup1|backup2|backup3} tls­enable
aaa radius­server local ldap­auth {primary|backup1|backup2|backup3} type tls ca­cert <string> [ client­cert
<string> private­key <string> [ private­key­password <string> ] ] [ verify­server {never|try|demand} ]
aaa radius­server local library­sip­policy <string>
aaa radius­server local local­check­period <number>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 1/315
27/4/2016 Aerohive CLI Guide
aaa radius­server local nas <string> shared­key <string>
aaa radius­server local nas <string> tls
aaa radius­server local port <number>
aaa radius­server local remote­check­period <number>
aaa radius­server local require­message­authenticator
aaa radius­server local retry­interval <number>
aaa radius­server local shared­secret­auto­gen
aaa radius­server local sta­auth ca­cert <string> server­cert <string> private­key <string> [ private­key­password
<string> ]
aaa radius­server local sta­auth default­type {leap|peap|tls|ttls|md5}
aaa radius­server local sta­auth type tls {check­cert­cn|check­in­db}
aaa radius­server local sta­auth type {leap|peap|tls|ttls|md5}
aaa radius­server local sta­auth type {peap|ttls} check­in­db
aaa radius­server local user­group <string>
aaa radius­server local {enable|cache}
aaa radius­server name <string> acct­port <port>
aaa radius­server name <string> auth­port <port>
aaa radius­server name <string> server <string> shared­secret <string>
aaa radius­server name <string> server <string> tls
aaa radius­server name <string> tls­port <port>
aaa radius­server proxy dead­time <number>
aaa radius­server proxy inject operator­name
aaa radius­server proxy radsec acct­port <port>
aaa radius­server proxy radsec auth­port <port>
aaa radius­server proxy radsec dynamic­auth­extension
aaa radius­server proxy radsec enable
aaa radius­server proxy radsec realm <string> {primary|backup} <string>
aaa radius­server proxy radsec tls­port <port>
aaa radius­server proxy realm <string> no­strip
aaa radius­server proxy realm <string> {primary|backup} <string>
aaa radius­server proxy realm format {nai|nt­domain}
aaa radius­server proxy retry­delay <number> retry­count <number>
aaa radius­server retry­interval <number>
aaa radius­server {primary|backup1|backup2|backup3} <ip_addr|string> [ shared­secret <string> ] [ auth­port
<number> ] [ acct­port <number> ] [ via­vpn­tunnel ]
access­console custom­ssid <string>
access­console hide­ssid
access­console max­client <number>
access­console mode {auto|disable|enable}
access­console security mac­filter <string>
access­console security protocol­suite open
access­console security protocol­suite {wpa2­aes­psk|wpa2­tkip­psk|wpa­auto­psk} ascii­key <string>
access­console telnet
admin auth radius­method [ {pap|chap|ms­chap­v2} ]
admin auth {local|radius|both}
admin manager­ip <ip_addr/netmask>
admin min­password­length <number>
admin root­admin <string> password <string>
admin {read­write|read­only} <string> password <string>
alg {ftp|tftp|sip|dns|http} enable
alg {ftp|tftp|sip|dns} qos <number>
alg {ftp|tftp|sip} inactive­data­timeout <number>
alg {ftp|tftp|sip} max­duration <number>
amrp interface <ethx|redx|aggx> priority <number>
amrp l2­neighbor­keepalive­count <number>
amrp metric poll­interval <number>
amrp metric type {aggressive|conservative|normal}
amrp neighbor <mac_addr> metric min <number> max <number>
amrp vpn­tunnel heartbeat interval <number> retry <number>
application identification cdp­index <number> cdp­name <string>
application identification cdp­index <number> cdp­rule <string> cdp­module {TCP|UDP|HTTP|TLS}
application identification name <string> value <string>
application identification shutdown
application reporting app­id <string>
application reporting app­id <string> enable
application reporting collection­period <number> report­period <number>
application reporting upload <url> time­window <number> [ admin <string> password <string> {basic|digest} ]
application reporting watch­list <string>
application reporting watch­list <string> enable
application reporting {enable|disable|auto}
bonjour­gateway enable
bonjour­gateway filter rule <number> [ from <string> ] <string> [ to <string> ] [ metric <number> ]
bonjour­gateway filter rule <number> {before|after} rule <number>
bonjour­gateway neighbor <ip_addr|string>
bonjour­gateway priority <number>
bonjour­gateway realm <string>
bonjour­gateway vlan <number> [ <number> ]

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 2/315
27/4/2016 Aerohive CLI Guide
boot­param boot­file <string>
boot­param boot­password <string>
boot­param country­code <number>
boot­param device <ip_addr/netmask>
boot­param device <ip_addr> <netmask>
boot­param gateway <ip_addr>
boot­param native­vlan <number>
boot­param netboot enable
boot­param netdump dump­file [ <string> ]
boot­param netdump enable
boot­param server <ip_addr>
boot­param vlan <number>
cac airtime­per­second <number>
cac enable
cac roaming airtime­percentage <number>
capture interface <wifix> [ count <number> ] [ filter <number> ] [ promiscuous ]
capture save interface <wifix> <string>
capwap client HTTP proxy name <string> port <number>
capwap client HTTP proxy user <string> password <string>
capwap client default­server­name <string>
capwap client discovery interval <number>
capwap client discovery maximum interval <number>
capwap client discovery method {broadcast}
capwap client dtls accept­bootstrap­passphrase
capwap client dtls bootstrap­passphrase <string>
capwap client dtls enable
capwap client dtls handshake­wait­time <number>
capwap client dtls hm­defined­passphrase <string> key­id <number>
capwap client dtls max­retries <number>
capwap client dtls negotiation enable
capwap client dtls psk <string>
capwap client dtls session­delete­wait­time <number>
capwap client enable
capwap client join timeout <number>
capwap client neighbor dead interval <number>
capwap client neighbor heartbeat interval <number>
capwap client pci­alert enable
capwap client server [ {backup} ] name <string> [ connect­delay <number> ] [ via­vpn­tunnel ]
capwap client server port <number>
capwap client silent interval <number>
capwap client transport HTTP
capwap client vhm­name <string>
capwap max­discoveries counter <number>
capwap ping <string> [ port <number> ] [ count <number> ] [ size <number> ] [ timeout <number> ]
capwap ping <string> [ port <number> ] flood <number> [ size <number> ] [ timeout <number> ]
clear aaa radius­server cache [ username <string> ]
clear aaa radius­server­key [ {radius­server|ldap­client} ] [ <string> ]
clear aaa radius­server­key radsec ca
clear application reporting app­stats
clear application reporting statistics
clear arp­cache
clear auth roaming­cache mac <mac_addr> {hive­neighbors|hive­all}
clear auth roaming­cache {hive­neighbors}
clear auth username <string>
clear auth {local­cache|roaming­cache|station} [ mac <mac_addr> ]
clear auth {local­cache|roaming­cache|station} ssid <string>
clear cac station­airtime [ mac <mac_addr> ]
clear capture local [ <string> ]
clear capwap client counter
clear config rollback
clear forwarding­engine counters [ interface <wifix|wifix.y|ethx|mgtx|aggx|redx> ] [ station <mac_addr> ] [ drop ]
[ tunnel ] [ policy ]
clear forwarding­engine ip­sessions [ src­ip <ip_addr> ] [ dst­ip <ip_addr> ] [ src­port <number> ] [ dst­port
<number> ] [ protocol <number> ]
clear forwarding­engine ip­sessions id <number>
clear forwarding­engine mac­sessions [ src­mac <mac_addr> ] [ dst­mac <mac_addr> ]
clear forwarding­engine mac­sessions id <number>
clear gre­tunnel counters tunnel
clear hive <string> counter neighbor [ <mac_addr> ]
clear interface <ethx|aggx|redx> mac­learning dynamic <mac_addr>
clear interface <ethx|aggx|redx> mac­learning dynamic all
clear interface <ethx|wifix|wifix.y|aggx|redx> counter
clear interface <mgtx|mgtx.y> dhcp­server lease all
clear interface <mgtx|mgtx.y> dhcp­server lease ip <ip_addr>
clear interface <mgtx|mgtx.y> dhcp­server lease mac <mac_addr>
clear interface <wifix> wlan­idp mitigate rogue­ap [ <mac_addr> ]
clear lldp [ {cdp} ] table

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 3/315
27/4/2016 Aerohive CLI Guide
clear location {aeroscout|tzsp} counter
clear log [ {buffered|debug|flash|all} ]
clear mdnsd counter [ vlan <number> ]
clear network­firewall session all
clear qos counter
clear service [ <string> ] counter
clear ssh known_host <string>
clear ssid <string> counter station [ <mac_addr> ]
clear supplicant cert­file [ <string> ]
clear user­and­group all
clear vpn certificate­key
clear vpn {ike|ipsec} sa
clear web­directory [ {ppsk­self­reg} ]
clear wlan­idp mitigate [ <mac_addr> ]
client­monitor enable
client­monitor policy <string> problem­type {association|authentication|networking} [ trigger­times <number> ] [
report­interval <number> ] [ quiet­time <number> ]
client­tracing <mac_addr>
clock date­time <date> <time>
clock time­zone <number> [ {30|45} ]
clock time­zone daylight­saving­time <date> <time> <date> <time>
config rollback enable
config rollback manual [ wait­time <number> ]
config rollback now
config rollback {capwap­disconnect|next­reboot} [ wait­time <number> ]
config version <number>
console echo obscure­passwords
console page <number>
console serial­port enable
console timeout <number>
data­collection collect interval <number>
data­collection enable
data­collection report interval <number>
data­collection {max­collect} <number>
debug console [ {all} ]
debug console level {emergency|alert|critical|error|warning|notification|info|debug}
debug console timestamp
designated­server idm­proxy announce
designated­server idm­proxy dynamic
device­group <string> [ mac­object <string> ] [ domain­object <string> ] [ os­object <string> ]
device­group <string> ownership {cid|byod}
device­location <string>
dns domain­name <string>
dns dynamic­dns domain­name <string>
dns dynamic­dns enable
dns dynamic­dns server­account {dyndns|noip} username <string> password <string>
dns server­ip <ip_addr|ipv6_addr> [ {second|third} ]
domain­object <string> domain <string>
exec aaa idm­test auth username <string> password <string> [ {pap|ms­chap­v2} ] [ proxy <string> ] [ bind­ssid
<string> ]
exec aaa idm­test {radsec­proxy|auth­proxy}
exec aaa ldap­search server­type {active­directory|ldap­server|open­directory} server <string> basedn <string>
binddn <string> password <string> [ {attributes} [ <string> ] ]
exec aaa ldap­search username <string> [ basedn <string> ] [ domain <string> ]
exec aaa library­sip­test primary username <string> password <string>
exec aaa net­ads­info <string>
exec aaa net­join [ {primary|backup1|backup2|backup3} username <string> password <string> ]
exec aaa net­join domain <string> fullname <string> server <string> username <string> password <string> [
computer­ou <string> ]
exec aaa ntlm­auth username <string> password <string> [ domain <string> ]
exec aaa radius­test <string> accounting
exec aaa radius­test <string> call­check <mac_addr>
exec aaa radius­test <string> username <string> password <string> [ {pap|chap|ms­chap­v2} ]
exec active­alarms­resending
exec antenna­alignment interface <wifix> peer <mac_addr> [ count <number> ] [ interval <number> ] [ text­size
<number> ]
exec auth <string> ppsk­mac­unbinding mac <mac_addr>
exec auth <string> ppsk­mac­unbinding mac­ppsk <mac_addr> <string>
exec auth <string> ppsk­mac­unbinding ppsk <string>
exec bypass­wan­hardening
exec capture remote­sniffer [ user <string> <string> ] [ host­allowed <string> ] [ local­port <number> ] [
promiscuous ]
exec client­monitor <mac_addr>
exec data­collection {push|clear}
exec delay­execute [ <number> ]
exec interface <wifix> spectral­scan channel <number>
exec interface <wifix> spectral­scan report­interval <number>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 4/315
27/4/2016 Aerohive CLI Guide
exec interface <wifix> spectral­scan {start|stop}
exec mobile­device­manager aerohive status­change <string>
exec ssh­client server <string> user <string>
exec user­group <string> psk­to­pmk
exec wlan­idp ap­classify {rogue|friendly} <mac_addr> [ ­ <mac_addr> ]
exec wlan­idp mitigate {rogue­ap} <mac_addr>
exec wlan­idp mitigate {rogue­ap} <mac_addr> interface <wifix>
exec {jss­check|airwatch­check|aerohive­check} mobile­device <mac_addr> enroll­status
exit
filter <number> l2 [ {data|ctl|mgmt} ] [ subtype <hex> ] [ src­mac <mac_addr> ] [ dst­mac <mac_addr> ] [ bssid
<mac_addr> ] [ tx­mac <mac_addr> ] [ rx­mac <mac_addr> ] [ error {crc|decrypt|mic|all|no} ] [ etype <hex> ]
filter <number> l3 [ src­ip <ip_addr> ] [ dst­ip <ip_addr> ] [ protocol <number> ] [ src­port <number> ] [ dst­
port <number> ]
filter [ <number> ] [ direction bidirectional ]
forwarding­engine drop {ip­fragmented­packets|to­self­non­management­traffic}
forwarding­engine inter­ssid­flood enable
forwarding­engine l2­default­route interface <ethx> vlan <number> [ ­ <number> ]
forwarding­engine log {firewall­dropped­packets|to­self­sessions}
forwarding­engine mac­sessions sync­vlan
forwarding­engine max­ip­sessions­per­station <number>
forwarding­engine max­mac­sessions­per­station <number>
forwarding­engine proxy­arp enable
forwarding­engine static­rule <string> action drop in­if <ethx|aggx|redx> dst­mac <mac_addr>
forwarding­engine static­rule <string> action drop in­if <ethx|aggx|redx> src­mac <mac_addr> dst­mac <mac_addr>
forwarding­engine static­rule <string> action drop in­if <ethx|aggx|redx> src­oui <oui> dst­mac <mac_addr>
forwarding­engine static­rule <string> action drop in­if <wifix.y> dst­mac <mac_addr> tx­mac <mac_addr>
forwarding­engine static­rule <string> action drop in­if <wifix.y> src­mac <mac_addr> dst­mac <mac_addr> tx­mac
<mac_addr>
forwarding­engine static­rule <string> action drop in­if <wifix.y> src­oui <oui> dst­mac <mac_addr> tx­mac
<mac_addr>
forwarding­engine static­rule <string> action pass in­if <ethx|aggx|redx> dst­mac <mac_addr> out­if
<ethx|aggx|redx>
forwarding­engine static­rule <string> action pass in­if <ethx|aggx|redx> dst­mac <mac_addr> out­if <wifix.y> rx­
mac <mac_addr>
forwarding­engine static­rule <string> action pass in­if <ethx|aggx|redx> src­mac <mac_addr> dst­mac <mac_addr>
out­if <ethx|aggx|redx>
forwarding­engine static­rule <string> action pass in­if <ethx|aggx|redx> src­mac <mac_addr> dst­mac <mac_addr>
out­if <wifix.y> rx­mac <mac_addr>
forwarding­engine static­rule <string> action pass in­if <ethx|aggx|redx> src­oui <oui> dst­mac <mac_addr> out­if
<ethx|aggx|redx>
forwarding­engine static­rule <string> action pass in­if <ethx|aggx|redx> src­oui <oui> dst­mac <mac_addr> out­if
<wifix.y> rx­mac <mac_addr>
forwarding­engine static­rule <string> action pass in­if <wifix.y> dst­mac <mac_addr> tx­mac <mac_addr> out­if
<ethx|aggx|redx>
forwarding­engine static­rule <string> action pass in­if <wifix.y> dst­mac <mac_addr> tx­mac <mac_addr> out­if
<wifix.y> rx­mac <mac_addr>
forwarding­engine static­rule <string> action pass in­if <wifix.y> src­mac <mac_addr> dst­mac <mac_addr> tx­mac
<mac_addr> out­if <ethx|aggx|redx>
forwarding­engine static­rule <string> action pass in­if <wifix.y> src­mac <mac_addr> dst­mac <mac_addr> tx­mac
<mac_addr> out­if <wifix.y> rx­mac <mac_addr>
forwarding­engine static­rule <string> action pass in­if <wifix.y> src­oui <oui> dst­mac <mac_addr> tx­mac
<mac_addr> out­if <ethx|aggx|redx>
forwarding­engine static­rule <string> action pass in­if <wifix.y> src­oui <oui> dst­mac <mac_addr> tx­mac
<mac_addr> out­if <wifix.y> rx­mac <mac_addr>
forwarding­engine tunnel selective­multicast­forward allow­all except <ip_addr|ip_addr/mask>
forwarding­engine tunnel selective­multicast­forward block­all
forwarding­engine tunnel selective­multicast­forward block­all except <ip_addr|ip_addr/mask>
forwarding­engine tunnel tcp­mss­threshold enable
forwarding­engine tunnel tcp­mss­threshold threshold­size <number>
history <number>
hive <string>
hive <string> frag­threshold <number>
hive <string> manage all
hive <string> manage {Telnet|SSH|SNMP|ping}
hive <string> neighbor connecting­threshold <number> polling­interval <number>
hive <string> neighbor connecting­threshold {low|medium|high} polling­interval <number>
hive <string> password <string>
hive <string> rts­threshold <number>
hive <string> security mac­filter <string>
hive <string> security wlan dos station­level frame­type {assoc­req|auth|eapol} ban <number>
hive <string> security wlan dos station­level frame­type {assoc­req|auth|eapol} ban forever
hive <string> security wlan dos {hive­level|station­level} frame­type {probe­req|probe­resp|assoc­req|assoc­
resp|disassoc|auth|deauth|eapol|all}
hive <string> security wlan dos {hive­level|station­level} frame­type {probe­req|probe­resp|assoc­req|assoc­
resp|disassoc|auth|deauth|eapol|all} alarm <number>
hive <string> security wlan dos {hive­level|station­level} frame­type {probe­req|probe­resp|assoc­req|assoc­
resp|disassoc|auth|deauth|eapol|all} threshold <number>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 5/315
27/4/2016 Aerohive CLI Guide
hive <string> wlan­idp in­net­ap
hive <string> wlan­idp max­mitigator­num <number>
hive <string> wlan­idp mitigation­mode {automatic|semi­automatic|manual}
hive <string> wlan­idp mitigation­mode {automatic|semi­automatic} action {mitigate|report}
hive <string> wlan­idp mitigator­reeval­period <number>
hive <string> wlan­idp query­interval <number>
hive <string> wlan­idp wait­interval <number>
hiveui cas client server name <string>
hiveui cas client server port <number>
hiveui enable
hostname <string>
interface <blex> ibeacon [ uuid <string> ] [ major <number> ] [ minor <number> ] [ measured­power <number> ]
interface <blex> ibeacon enable
interface <blex> ibeacon­monitor enable
interface <ethx> bind <aggx>
interface <ethx> bind <redx> [ primary ]
interface <ethx> client­monitor­policy <string>
interface <ethx> duplex {full|half|auto}
interface <ethx> ip <ip_addr/netmask>
interface <ethx> mode wan
interface <ethx> native­vlan <number>
interface <ethx> pppoe auth­method {pap|chap|any}
interface <ethx> pppoe enable
interface <ethx> pppoe username <string> password <string>
interface <ethx> security­object <string>
interface <ethx> speed {10|100|1000|auto}
interface <ethx> supplicant <string>
interface <ethx|aggx|redx> allowed­vlan <number> [ ­ <number> ]
interface <ethx|aggx|redx> allowed­vlan {all|auto}
interface <ethx|aggx|redx> inter­station­traffic
interface <ethx|aggx|redx> link­discovery {lldp|cdp}
interface <ethx|aggx|redx> mac­learning enable
interface <ethx|aggx|redx> mac­learning idle­timeout <number>
interface <ethx|aggx|redx> mac­learning static <mac_addr>
interface <ethx|aggx|redx> manage {Telnet|SSH|SNMP|ping|all}
interface <ethx|aggx|redx> mode bridge­802.1q user­profile­attribute <number>
interface <ethx|aggx|redx> mode {bridge­802.1q|backhaul}
interface <ethx|aggx|redx> qos­classifier <string>
interface <ethx|aggx|redx> qos­marker <string>
interface <ethx|aggx|redx> rate­limit broadcast <number>
interface <ethx|aggx|redx> rate­limit multicast <number>
interface <ethx|aggx|redx> rate­limit unicast <number>
interface <ethx|aggx|redx> rate­limit {multicast|broadcast|unicast} enable
interface <ethx|aggx|redx> shutdown
interface <ethx|redx|aggx> mode bridge­access [ user­profile­attribute <number> ]
interface <ethx|usbnetx> mode wan nat
interface <ethx|usbnetx> mode wan nat­policy <string>
interface <ethx|usbnetx> mode wan priority <number>
interface <mgtx.y> ip <ip_addr/netmask>
interface <mgtx.y> manage ping
interface <mgtx.y> vlan <number>
interface <mgtx> default­ip­prefix <ip_addr/netmask>
interface <mgtx> default­ip­prefix <ip_addr>
interface <mgtx> dhcp client fallback­to­static­ip
interface <mgtx> dhcp keepalive enable
interface <mgtx> dhcp keepalive interval <number>
interface <mgtx> dhcp keepalive retry <number>
interface <mgtx> dhcp keepalive timeout <number>
interface <mgtx> dhcp keepalive vlan <number> [ <number> ]
interface <mgtx> dhcp­probe vlan­range <number> <number> [ timeout <number> ] [ retries <number> ]
interface <mgtx> hive <string>
interface <mgtx> ip <ip_addr/netmask>
interface <mgtx> ip <ip_addr> <netmask>
interface <mgtx> ipv6 <ipv6_addr/mask> [ eui­64 ]
interface <mgtx> ipv6 <ipv6_addr> link­local
interface <mgtx> ipv6 autoconfig
interface <mgtx> ipv6 dhcp client
interface <mgtx> mtu <number>
interface <mgtx> native­vlan <number>
interface <mgtx> vlan <number>
interface <mgtx|ethx> dhcp client
interface <mgtx|ethx> dhcp client address­only
interface <mgtx|ethx> dhcp client option custom ppsk­server­ip <number>
interface <mgtx|ethx> dhcp client option custom radius­server­ip <number>
interface <mgtx|ethx> dhcp client option custom radius­server­ip accounting <number>
interface <mgtx|ethx> dhcp client option custom {syslog­server­ip|hivemanager­ip|backup­hivemanager­ip} <number>
interface <mgtx|ethx> dhcp client option custom {syslog­server|hivemanager|backup­hivemanager} <number>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 6/315
27/4/2016 Aerohive CLI Guide
interface <mgtx|ethx> dhcp client prefer­subnet <ip_addr/netmask>
interface <mgtx|ethx> dhcp client timeout <number>
interface <mgtx|mgtx.y> dhcp­server enable
interface <mgtx|mgtx.y> dhcp­server ip­binding <ip_addr> <mac_addr>
interface <mgtx|mgtx.y> dhcp­server ip­pool <ip_addr> <ip_addr>
interface <mgtx|mgtx.y> dhcp­server options custom <number> hex <string>
interface <mgtx|mgtx.y> dhcp­server options custom <number> integer <number>
interface <mgtx|mgtx.y> dhcp­server options custom <number> ip <ip_addr>
interface <mgtx|mgtx.y> dhcp­server options custom <number> string <string>
interface <mgtx|mgtx.y> dhcp­server options default­gateway <ip_addr> [ {nat­support} ]
interface <mgtx|mgtx.y> dhcp­server options domain­name <string>
interface <mgtx|mgtx.y> dhcp­server options hivemanager <ip_addr>
interface <mgtx|mgtx.y> dhcp­server options hivemanager <string>
interface <mgtx|mgtx.y> dhcp­server options lease­time <number>
interface <mgtx|mgtx.y> dhcp­server options mtu <number>
interface <mgtx|mgtx.y> dhcp­server options netmask <netmask>
interface <mgtx|mgtx.y> dhcp­server options vendor­specific VCI <string>
interface <mgtx|mgtx.y> dhcp­server options vendor­specific VCI <string> <number> ip <ip_addr>
interface <mgtx|mgtx.y> dhcp­server options vendor­specific VCI <string> <number> string <string>
interface <mgtx|mgtx.y> dhcp­server options {dns1|dns2|dns3} <ip_addr>
interface <mgtx|mgtx.y> dhcp­server options {logsrv|pop3|smtp} <ip_addr>
interface <mgtx|mgtx.y> dhcp­server options {ntp1|ntp2} <ip_addr>
interface <mgtx|mgtx.y> dhcp­server options {wins1|wins2} <ip_addr>
interface <mgtx|mgtx.y> dhcp­server reserved­address <ip_addr> <ip_addr>
interface <mgtx|mgtx.y> dhcp­server {arp­check|authoritative­flag}
interface <mgtx|mgtx.y> dns­server enable
interface <mgtx|mgtx.y> dns­server ext­resolve {dns1|dns2|dns3} <ip_addr>
interface <mgtx|mgtx.y> dns­server int­domain­name <string> [ <ip_addr> ]
interface <mgtx|mgtx.y> dns­server int­resolve {dns1|dns2|dns3} <ip_addr>
interface <mgtx|mgtx.y> dns­server mode {split|nonsplit}
interface <mgtx|mgtx.y> dns­server opendns­device­id <string>
interface <mgtx|mgtx.y> ip­helper address <ip_addr>
interface <mgtx|mgtx.y> ip­helper max­hops <number>
interface <mgtx|vlanx> dhcp­server options vendor­specific VCI <string> <number> hex <string>
interface <mgtx|vlanx> dhcp­server options vendor­specific VCI <string> <number> integer <number>
interface <wifix> hive <string> shutdown
interface <wifix> link­discovery {lldp|cdp}
interface <wifix> mode {access|backhaul|dual|sensor}
interface <wifix> radio antenna diversity
interface <wifix> radio channel <string>
interface <wifix> radio channel exclude <string>
interface <wifix> radio power <number>
interface <wifix> radio power auto
interface <wifix> radio power auto floor <number>
interface <wifix> radio power auto maxdrop <number>
interface <wifix> radio profile <string>
interface <wifix> radio range <number>
interface <wifix> radio tx­power­control <number>
interface <wifix> radio tx­power­control auto
interface <wifix> ssid <string>
interface <wifix> ssid <string> ip <ip_addr/netmask>
interface <wifix> ssid <string> shutdown
interface <wifix> wlan­idp profile <string>
ip nat­policy <string>
ip nat­policy <string> type match­net inside <ip_addr/netmask> outside <ip_addr/netmask>
ip nat­policy <string> type virtual­host inside­host <ip_addr> inside­port <port> outside­port <port> protocol
{tcp|udp}
ip path­mtu­discovery enable
ip route default gateway <ip_addr> [ metric <number> ]
ip route host <ip_addr> [ gateway <ip_addr> ] [ metric <number> ]
ip route net <ip_addr> <netmask> [ gateway <ip_addr> ] [ metric <number> ]
ip tcp­mss­threshold enable
ip tcp­mss­threshold l3­vpn­threshold­size <number>
ip tcp­mss­threshold threshold­size <number>
ip version­preference {ipv4|ipv6}
ip­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <ip_addr|string_64> [ <mask> ] ] [ to
<ip_addr|string_64> [ <mask> ] ] [ service <string> ] [ action {permit|deny|nat|inter­station­traffic­
drop|redirect} ]
ip­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <ip_addr|string_64> [ <mask> ] ] [ to
<ip_addr|string_64> [ <mask> ] ] [ service <string> ] action deny log packet­drop
ip­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <ip_addr|string_64> [ <mask> ] ] [ to
<ip_addr|string_64> [ <mask> ] ] [ service <string> ] action inter­station­traffic­drop log [ {initiate­
session|terminate­session|packet­drop} ]
ip­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <ip_addr|string_64> [ <mask> ] ] [ to
<ip_addr|string_64> [ <mask> ] ] [ service <string> ] action permit log [ {initiate­session|terminate­session} ]
ip­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <ip_addr|string_64> [ <mask> ] ] to
local­subnet [ service <string> ] [ action {permit|deny|nat|inter­station­traffic­drop|redirect} ]

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 7/315
27/4/2016 Aerohive CLI Guide
iperf client <ip_addr> [ {port} <number> ] [ {udp} ] [ {interval} <number> ] [ {no­delay} ] [ {dual­test} ] [
{tradeoff} ] [ {listen­port} <number> ] [ {window} <number> ] [ {mss} <number> ] [ {bandwidth} <number> ] [ {time}
<number> ] [ {parallel} <number> ]
iperf server [ {port} <number> ] [ {udp} ] [ {single­udp} ] [ {interval} <number> ] [ {no­delay} ] [ {window}
<number> ] [ {mss} <number> ] [ {bind} <ip_addr> ]
ipv6 dhcpv6­shield enable
ipv6 ra­guard stateless enable
ipv6 route <ipv6_addr/mask> <mgtx> gateway <ipv6_addr> [ metric <number> ]
ipv6 route <ipv6_addr/mask> gateway <ipv6_addr> [ metric <number> ]
ipv6 route default <mgtx> gateway <ipv6_addr> [ metric <number> ]
ipv6 route default gateway <ipv6_addr> [ metric <number> ]
kddr enable
library­sip­policy <string> default user­group <string> [ action {permit|restricted|deny} ] [ additional­display­
message <string> ]
library­sip­policy <string> id <number> field <string> {equal|greater­than|less­than} <number> user­group <string>
[ action {permit|restricted|deny} ] [ additional­display­message <string> ]
library­sip­policy <string> id <number> field <string> {matches|differs­from|starts­with|occurs­after|occurs­
before|contains} <string> user­group <string> [ action {permit|restricted|deny} ] [ additional­display­message
<string> ]
library­sip­policy <string> id <number> {after|before} id <number>
license <string> <string>
lldp [ {cdp|receive­only} ]
lldp [ {cdp} ] max­entries <number>
lldp holdtime <number>
lldp max­power <number>
lldp timer <number>
load config {current|backup|bootstrap|default}
location aerohive enable
location aerohive list­match enable
location aerohive mac <mac_addr>
location aerohive oui <oui>
location aerohive report­interval <number>
location aerohive rssi­hold­time <number>
location aerohive rssi­update­threshold <number>
location aerohive rssi­valid­period <number>
location aerohive suppress­report <number>
location rate­threshold {tag|station|rogue­ap} <number>
location {aeroscout|tzsp} enable
location {aeroscout} server <string>
location {aeroscout} {tag|station|rogue­ap}
location {tzsp} mcast­mac <mac_addr>
location {tzsp} server­config server <string> port <number>
logging buffered level {emergency|alert|critical|error|warning|notification|info|debug}
logging debug
logging facility {local0|local1|local2|local3|local4|local5|local6|local7|auth|authpriv|security|user}
logging flash level {emergency|alert|critical|error|warning|notification|info|debug}
logging server <string> [ level {emergency|alert|critical|error|warning|notification|info|debug} ] [ {via­vpn­
tunnel} ]
logging trap level [ {emerg|alert|crit|err|warning|notice|info} ]
login banner <string>
mac­object <string> mac­range <mac_addr> ­ <mac_addr>
mac­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <mac_addr> [ <number> ] ] [ to
<mac_addr> [ <number> ] ] [ action {permit|deny} ]
mac­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <mac_addr> [ <number> ] ] [ to
<mac_addr> [ <number> ] ] action deny log packet­drop
mac­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <mac_addr> [ <number> ] ] [ to
<mac_addr> [ <number> ] ] action permit log [ {initiate­session|terminate­session} ]
mdm­object <string> [ enroll­status {enrolled|non­enrolled|unknown} ] [ compliance­status {compliant|non­
compliant|unknown} ] [ client­tag <string> ]
mobile­device­policy <string> [ rule <number> ] [ original­user­profile <string> ] device­group <string>
reassigned­user­profile­attr <number>
mobile­device­policy <string> apply {once|multiple­times}
mobile­device­policy <string> client­classification [ {mac} ] [ {domain} ] [ {os} ]
mobile­device­policy <string> rule <number> {before|after} rule <number>
mobility­policy <string> dnxp
mobility­policy <string> dnxp nomadic­roaming
mobility­policy <string> dnxp unroam­threshold <number> <number>
mobility­policy <string> inxp gre­tunnel from <ip_addr/netmask> password <string>
mobility­policy <string> inxp gre­tunnel to <ip_addr> <ip_addr> password <string>
mobility­policy <string> inxp gre­tunnel to <ip_addr> password <string>
mobility­threshold gre­tunnel permitted­load {low|medium|high}
network­firewall name <string> [ from {any|vpn} ] [ to {any|vpn} ] [ service <string> ] [ action {permit|deny} ]
logging {on|off}
network­firewall name <string> [ from {any|vpn} ] to hostname <string> [ service <string> ] [ action {permit|deny}
] logging {on|off}
network­firewall name <string> [ from {any|vpn} ] to ip­range <ip_addr> <ip_addr> [ service <string> ] [ action
{permit|deny} ] logging {on|off}

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 8/315
27/4/2016 Aerohive CLI Guide
network­firewall name <string> [ from {any|vpn} ] to network <ip_addr> <mask> [ service <string> ] [ action
{permit|deny} ] logging {on|off}
network­firewall name <string> [ from {any|vpn} ] to wildcard <ip_addr> <mask> [ service <string> ] [ action
{permit|deny} ] logging {on|off}
network­firewall name <string> from ip­range <ip_addr> <ip_addr> [ to {any|vpn} ] [ service <string> ] [ action
{permit|deny} ] logging {on|off}
network­firewall name <string> from ip­range <ip_addr> <ip_addr> to hostname <string> [ service <string> ] [
action {permit|deny} ] logging {on|off}
network­firewall name <string> from ip­range <ip_addr> <ip_addr> to ip­range <ip_addr> <ip_addr> [ service
<string> ] [ action {permit|deny} ] logging {on|off}
network­firewall name <string> from ip­range <ip_addr> <ip_addr> to network <ip_addr> <mask> [ service <string> ]
[ action {permit|deny} ] logging {on|off}
network­firewall name <string> from ip­range <ip_addr> <ip_addr> to wildcard <ip_addr> <mask> [ service <string> ]
[ action {permit|deny} ] logging {on|off}
network­firewall name <string> from network <ip_addr> <mask> [ to {any|vpn} ] [ service <string> ] [ action
{permit|deny} ] logging {on|off}
network­firewall name <string> from network <ip_addr> <mask> to hostname <string> [ service <string> ] [ action
{permit|deny} ] logging {on|off}
network­firewall name <string> from network <ip_addr> <mask> to ip­range <ip_addr> <ip_addr> [ service <string> ]
[ action {permit|deny} ] logging {on|off}
network­firewall name <string> from network <ip_addr> <mask> to network <ip_addr> <mask> [ service <string> ] [
action {permit|deny} ] logging {on|off}
network­firewall name <string> from network <ip_addr> <mask> to wildcard <ip_addr> <mask> [ service <string> ] [
action {permit|deny} ] logging {on|off}
network­firewall name <string> from user­profile <string> [ to {any|vpn} ] [ service <string> ] [ action
{permit|deny} ] logging {on|off}
network­firewall name <string> from user­profile <string> to hostname <string> [ service <string> ] [ action
{permit|deny} ] logging {on|off}
network­firewall name <string> from user­profile <string> to ip­range <ip_addr> <ip_addr> [ service <string> ] [
action {permit|deny} ] logging {on|off}
network­firewall name <string> from user­profile <string> to network <ip_addr> <mask> [ service <string> ] [
action {permit|deny} ] logging {on|off}
network­firewall name <string> from user­profile <string> to wildcard <ip_addr> <mask> [ service <string> ] [
action {permit|deny} ] logging {on|off}
network­firewall name <string> from wildcard <ip_addr> <mask> [ to {any|vpn} ] [ service <string> ] [ action
{permit|deny} ] logging {on|off}
network­firewall name <string> from wildcard <ip_addr> <mask> to hostname <string> [ service <string> ] [ action
{permit|deny} ] logging {on|off}
network­firewall name <string> from wildcard <ip_addr> <mask> to ip­range <ip_addr> <ip_addr> [ service <string> ]
[ action {permit|deny} ] logging {on|off}
network­firewall name <string> from wildcard <ip_addr> <mask> to network <ip_addr> <mask> [ service <string> ] [
action {permit|deny} ] logging {on|off}
network­firewall name <string> from wildcard <ip_addr> <mask> to wildcard <ip_addr> <mask> [ service <string> ] [
action {permit|deny} ] logging {on|off}
ntp enable
ntp interval <number>
ntp server <string> [ {second|third|fourth} ] [ {via­vpn­tunnel} ]
os­detection enable
os­detection method dhcp­option55
os­detection method user­agent
os­object <string> os­version <string>
os­version <string> option55 <string>
performance­sentinel notification­interval <number>
ping <ip_addr> [ count <number> ] [ size <number> ] [ ttl <number> ] [ timeout <number> ]
ping <string> [ count <number> ] [ size <number> ] [ ttl <number> ] [ timeout <number> ]
ping6 <ipv6_addr> [ interface <string> ] [ count <number> ] [ size <number> ] [ ttl <number> ] [ timeout <number>
]
ping6 <string> [ interface <string> ] [ count <number> ] [ size <number> ] [ ttl <number> ] [ timeout <number> ]
probe <ip_addr|mac_addr> [ size <number> ] [ src­mac <mac_addr> ] [ wait­time <number> ] [ ttl <number> ] [ count
<number> ]
probe portal [ size <number> ] [ src­mac <mac_addr> ] [ wait­time <number> ] [ ttl <number> ] [ count <number> ]
qos airtime enable
qos airtime rate­preference­weight {none|moderate|high}
qos classifier­map 80211e <number> <number>
qos classifier­map 8021p <number> <number>
qos classifier­map diffserv <number> <number>
qos classifier­map interface <ethx|aggx|redx> <number>
qos classifier­map oui <oui> [ qos <number> ] [ action {permit|deny|log} ] [ comment <string> ]
qos classifier­map service <string> [ qos <number> ] [ action {permit|deny|log} ]
qos classifier­map ssid <string> <number>
qos classifier­profile <string> [ {interface/ssid­only|8021p|80211e|diffserv|interface/ssid|mac|service} ]
qos enable
qos l3­police interface <string> enable
qos l3­police interface <string> max­download­bw <number>
qos l3­police interface <string> max­upload­bw <number>
qos l3­police voip­detect­timeout <number>
qos marker­map 80211e <number> <number>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 9/315
27/4/2016 Aerohive CLI Guide
qos marker­map 8021p <number> <number>
qos marker­map 8021p <string> [ <number> <number> ]
qos marker­map diffserv <number> <number>
qos marker­map diffserv <string> [ <number> <number> ]
qos marker­profile <string> [ {8021p|80211e|diffserv} ]
qos policy <string> [ user­profile <number> <number> ] [ user <number> ] [ qos <number> {strict|wrr} <number>
<number> ]
quit
radio profile <string>
radio profile <string> acsp access channel­auto­select time­range <time> <time> [ station <number> ]
radio profile <string> acsp all­channels­model enable
radio profile <string> acsp channel­model 4­channels [ <channel_g4> ]
radio profile <string> acsp channel­model {3­channels} [ <channel_g3> ]
radio profile <string> acsp interference­switch crc­err­threshold <number>
radio profile <string> acsp interference­switch iu­threshold <number>
radio profile <string> acsp interference­switch {enable|no­station­enable|disable}
radio profile <string> acsp max­tx­power <number>
radio profile <string> ampdu
radio profile <string> amsdu
radio profile <string> backhaul failover [ trigger­time <number> ] [ hold­time <number> ]
radio profile <string> band­steering balance­band threshold <number>
radio profile <string> band­steering enable
radio profile <string> band­steering mode {balance­band|prefer­5g|force­5g}
radio profile <string> band­steering prefer­5g suppression­limit <number>
radio profile <string> beacon­period <number>
radio profile <string> benchmark phymode 11a rate {6|9|12|18|24|36|48|54} success <number> usage <number>
radio profile <string> benchmark phymode 11ac rate
{6|9|12|18|24|36|48|54|mcs0/1|mcs1/1|mcs2/1|mcs3/1|mcs4/1|mcs5/1|mcs6/1|mcs7/1|mcs8/1|mcs9/1|mcs0/2|mcs1/2|mcs2/2|mcs3/2|mc
success <number> usage <number>
radio profile <string> benchmark phymode 11b rate {1|2|5.5|11} success <number> usage <number>
radio profile <string> benchmark phymode 11g rate {1|2|5.5|11|6|9|12|18|24|36|48|54} success <number> usage
<number>
radio profile <string> benchmark phymode 11n rate
{6|9|12|18|24|36|48|54|mcs0|mcs1|mcs2|mcs3|mcs4|mcs5|mcs6|mcs7|mcs8|mcs9|mcs10|mcs11|mcs12|mcs13|mcs14|mcs15|mcs16|mcs17|mc
success <number> usage <number>
radio profile <string> channel­width {20|40|40­above|40­below|80}
radio profile <string> client­load­balance crc­error­limit <number>
radio profile <string> client­load­balance enable
radio profile <string> client­load­balance hold­time <number>
radio profile <string> client­load­balance interference­limit <number>
radio profile <string> client­load­balance mode {airtime|sta­num}
radio profile <string> client­load­balance neighbor­load­query­interval <number>
radio profile <string> client­load­balance sta­mini­airtime <number>
radio profile <string> deny­client {11b|11abg}
radio profile <string> detect­bssid­spoofing
radio profile <string> dfs
radio profile <string> dfs radar­detect­only
radio profile <string> frameburst
radio profile <string> high­density broadcast­probe­suppress oui <oui>
radio profile <string> high­density continuous­probe­suppress enable
radio profile <string> high­density enable
radio profile <string> high­density mgmt­frame­tx­rate {low|high}
radio profile <string> interference­map crc­err­threshold <number>
radio profile <string> interference­map cu­threshold <number>
radio profile <string> interference­map enable
radio profile <string> interference­map short­term­interval <number>
radio profile <string> max­client <number>
radio profile <string> phymode {11a|11b/g|11na|11ng|11ac}
radio profile <string> presence aggr­interval <number>
radio profile <string> presence aging­time <number>
radio profile <string> presence enable
radio profile <string> presence trap­interval <number>
radio profile <string> primary­channel­offset {auto|0|1|2|3}
radio profile <string> receive­chain <number>
radio profile <string> safety­net enable
radio profile <string> safety­net timeout <number>
radio profile <string> scan access
radio profile <string> scan access client
radio profile <string> scan access client power­save
radio profile <string> scan access interval <number>
radio profile <string> scan access voice
radio profile <string> sensor channel­list <string>
radio profile <string> sensor dwell­time <number>
radio profile <string> short­guard­interval
radio profile <string> short­preamble
radio profile <string> transmit­chain <number>
radio profile <string> tx­beamforming [ {explicit­only|auto} ]

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 10/315
27/4/2016 Aerohive CLI Guide
radio profile <string> tx­rate vht­mcs
{MCS0/1|MCS1/1|MCS2/1|MCS3/1|MCS4/1|MCS5/1|MCS6/1|MCS7/1|MCS8/1|MCS9/1|MCS0/2|MCS1/2|MCS2/2|MCS3/2|MCS4/2|MCS5/2|MCS6/2|MCS
radio profile <string> tx­rate
{auto|1Mbps|2Mbps|5.5Mbps|6Mbps|9Mbps|11Mbps|12Mbps|18Mbps|24Mbps|36Mbps|48Mbps|54Mbps|MCS0|MCS1|MCS2|MCS3|MCS4|MCS5|MCS6|M
radio profile <string> vht­2g
radio profile <string> weak­snr­suppress enable
radio profile <string> weak­snr­suppress threshold <number>
radio profile <string> wmm ac {background|best­effort|video|voice} aifs <number>
radio profile <string> wmm ac {background|best­effort|video|voice} cwmax <number>
radio profile <string> wmm ac {background|best­effort|video|voice} cwmin <number>
radio profile <string> wmm ac {background|best­effort|video|voice} noack
radio profile <string> wmm ac {background|best­effort|video|voice} txoplimit <number>
reboot
reboot date <date> time <time>
reboot offset <time>
reboot {backup|current}
reboot {backup|current} date <date> time <time>
reboot {backup|current} offset <time>
report statistic alarm­threshold client {tx­drop­rate|rx­drop­rate|tx­retry­rate|airtime­consumption} <number>
report statistic alarm­threshold interface {crc­error­rate|tx­drop­rate|rx­drop­rate|tx­retry­rate|airtime­
consumption} <number>
report statistic enable
report statistic period <number>
reset config [ {bootstrap} ]
reset web­directory [ <string> [ {save­to­flash} ] ]
reset web­directory all­running­ssid
reset­button reset­config­enable
roaming cache update­interval <number> ageout <number>
roaming cache­broadcast neighbor­type access enable
roaming cache­broadcast neighbor­type backhaul enable
roaming hop <number>
roaming neighbor exclude ip <ip_addr>
roaming neighbor include ip <ip_addr> <netmask>
roaming neighbor query­interval <number> query­times <number>
roaming port <number>
route <mac_addr> outgoing­interface <string> next­hop <mac_addr>
routing internal­sub­network <ip_addr/netmask> [ {tunnel­dist­only} ]
routing match­map <string> from {any} to {any|private}
routing match­map <string> from {any} to {hostname} <string>
routing match­map <string> from {any} to {iprange} <ip_addr> <ip_addr>
routing match­map <string> from {any} to {network} <ip_addr/netmask>
routing match­map <string> from {iprange} <ip_addr> <ip_addr> to {any|private}
routing match­map <string> from {iprange} <ip_addr> <ip_addr> to {hostname} <string>
routing match­map <string> from {iprange} <ip_addr> <ip_addr> to {iprange} <ip_addr> <ip_addr>
routing match­map <string> from {iprange} <ip_addr> <ip_addr> to {network} <ip_addr/netmask>
routing match­map <string> from {network} <ip_addr/netmask> to {any|private}
routing match­map <string> from {network} <ip_addr/netmask> to {hostname} <string>
routing match­map <string> from {network} <ip_addr/netmask> to {iprange} <ip_addr> <ip_addr>
routing match­map <string> from {network} <ip_addr/netmask> to {network} <ip_addr/netmask>
routing match­map <string> {iif} <ethx> to {any|private}
routing match­map <string> {iif} <ethx> to {hostname} <string>
routing match­map <string> {iif} <ethx> to {iprange} <ip_addr> <ip_addr>
routing match­map <string> {iif} <ethx> to {network} <ip_addr/netmask>
routing match­map <string> {user­profile} <string> to {any|private}
routing match­map <string> {user­profile} <string> to {hostname} <string>
routing match­map <string> {user­profile} <string> to {iprange} <ip_addr> <ip_addr>
routing match­map <string> {user­profile} <string> to {network} <ip_addr/netmask>
routing policy <string> id <number> match­map <string> route­map <string>
routing route­map <string> via <ethx|usbnetx|wifix>
routing route­map <string> via {encrypted|blackhole}
routing route­request enable
routing route­request interval <number>
save ble ibeacon firmware
save config <location> bootstrap
save config <location> current
save config <location> current <time> [ <date> ]
save config <location> current now
save config <location> current offset <time>
save config <url> bootstrap [ admin <string> password <string> {basic|digest} ] [ proxy <string> [ proxy­admin
<string> password <string> ] ]
save config <url> current <time> [ <date> ] [ admin <string> password <string> {basic|digest} ] [ proxy <string> [
proxy­admin <string> password <string> ] ]
save config <url> current [ {now} ] [ admin <string> password <string> {basic|digest} ] [ proxy <string> [ proxy­
admin <string> password <string> ] ]
save config <url> current offset <time> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [
proxy­admin <string> password <string> ] ]
save config [ running current ]

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 11/315
27/4/2016 Aerohive CLI Guide
save config bootstrap <location>
save config current <location>
save config current bootstrap
save config running bootstrap
save config users [ bootstrap ]
save config {current|bootstrap} <url> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [
proxy­admin <string> password <string> ] ]
save dhcp­fingerprint {option55} <location>
save dhcp­fingerprint {option55} <url> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [
proxy­admin <string> password <string> ] ]
save image <location> <time> [ <date> ] [ limit <number> ]
save image <location> [ {now} ] [ limit <number> ]
save image <location> offset <time> [ limit <number> ]
save image <url> <time> [ <date> ] [ admin <string> password <string> {basic|digest} ] [ proxy <string> [ proxy­
admin <string> password <string> ] ]
save image <url> [ {now} ] [ admin <string> password <string> {basic|digest} ] [ proxy <string> [ proxy­admin
<string> password <string> ] ]
save image <url> offset <time> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [ proxy­admin
<string> password <string> ] ]
save radius­server­key radsec {cert|ca} <location>
save radius­server­key radsec {cert|ca} <url> [ admin <string> password <string> {basic|digest} ] [ proxy <string>
[ proxy­admin <string> password <string> ] ]
save radius­server­key {radius­server|ldap­client} <location>
save radius­server­key {radius­server|ldap­client} <url> [ admin <string> password <string> {basic|digest} ] [
proxy <string> [ proxy­admin <string> password <string> ] ]
save server­files
save signature­file <location> [ limit <number> ]
save signature­file <url> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [ proxy­admin
<string> password <string> ] ]
save ssid <string> mac­bind <location>
save supplicant cert­file <location>
save supplicant cert­file <url> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [ proxy­admin
<string> password <string> ] ]
save users <location>
save users <url> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [ proxy­admin <string>
password <string> ] ]
save vpn {ca­cert|ee­cert|private­key} <url> [ admin <string> password <string> {basic|digest} ] [ proxy <string>
[ proxy­admin <string> password <string> ] ]
save vpn {ee­cert|private­key|ca­cert} <location>
save web­page [ ppsk­self­reg ] web­directory <string> <location>
save web­page [ ppsk­self­reg ] web­directory <string> <url> [ admin <string> password <string> {basic|digest} ] [
proxy <string> [ proxy­admin <string> password <string> ] ]
save web­server­key <number> <location> [ comment <string> ]
save web­server­key <number> <url> [ comment <string> ] [ admin <string> password <string> {basic|digest} ] [
proxy <string> [ proxy­admin <string> password <string> ] ]
save {capture} local <string> <location>
save {capture} local <string> <url> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [ proxy­
admin <string> password <string> ] ]
schedule <string> once <date> <time> to <date> <time> [ time­zone <number> ] [ comment <string> ]
schedule <string> ppsk once <date> <time> to <date> <time> [ time­zone <number> ] [ comment <string> ]
schedule <string> ppsk recurrent [ date­range <date> [ to <date> ] ] [ weekday <string> ] time­range <time> to
<time> [ time­range <time> to <time> ] [ time­zone <number> ] [ comment <string> ]
schedule <string> recurrent [ date­range <date> [ to <date> ] ] [ weekday­range
{Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} [ to
{Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} ] ] time­range <time> to <time> [ time­range <time> to
<time> ] [ time­zone <number> ] [ comment <string> ]
security mac­filter <string> address <mac_addr> {permit|deny} [ comment <string> ]
security mac­filter <string> default {permit|deny}
security mac­filter <string> oui <oui> {permit|deny} [ comment <string> ]
security wlan­idp profile <string>
security wlan­idp profile <string> adhoc
security wlan­idp profile <string> ap­detection client­mac­in­net
security wlan­idp profile <string> ap­detection connected
security wlan­idp profile <string> ap­policy
security wlan­idp profile <string> ap­policy ap­oui
security wlan­idp profile <string> ap­policy ap­oui entry <oui>
security wlan­idp profile <string> ap­policy short­beacon
security wlan­idp profile <string> ap­policy short­preamble
security wlan­idp profile <string> ap­policy ssid
security wlan­idp profile <string> ap­policy ssid entry <string>
security wlan­idp profile <string> ap­policy ssid entry <string> encryption
security wlan­idp profile <string> ap­policy ssid entry <string> encryption {open|wep|wpa}
security wlan­idp profile <string> ap­policy wmm
security wlan­idp profile <string> mitigate deauth­time <number>
security wlan­idp profile <string> mitigate duration <number> quiet­time <number>
security wlan­idp profile <string> mitigate period <number>
security wlan­idp profile <string> sta­report

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 12/315
27/4/2016 Aerohive CLI Guide
security wlan­idp profile <string> sta­report age­time <number>
security­object <string>
security­object <string> default­user­profile­attr <number>
security­object <string> dhcp­server lease­time <number>
security­object <string> dhcp­server renewal­response {renew­nak­unicast|keep­silent}
security­object <string> mobile­device­policy <string>
security­object <string> ppsk­web­server auth­user
security­object <string> ppsk­web­server bind­to­ppsk­ssid <string>
security­object <string> ppsk­web­server https
security­object <string> ppsk­web­server login­page <string>
security­object <string> ppsk­web­server login­script <string>
security­object <string> ppsk­web­server web­directory <string>
security­object <string> security aaa radius­server [ first­retry­interval <number> ] [ max­retries <number> ]
security­object <string> security aaa radius­server account­interim­interval <number>
security­object <string> security aaa radius­server accounting {primary|backup1|backup2|backup3} <ip_addr|string>
[ shared­secret <string> ] [ acct­port <number> ] [ via­vpn­tunnel ]
security­object <string> security aaa radius­server dynamic­auth­extension
security­object <string> security aaa radius­server idm [ pri ]
security­object <string> security aaa radius­server inject Operator­Name
security­object <string> security aaa radius­server msg­auth­all­messages
security­object <string> security aaa radius­server retry­interval <number>
security­object <string> security aaa radius­server {primary|backup1|backup2|backup3} <ip_addr|string> [ shared­
secret <string> ] [ auth­port <number> ] [ acct­port <number> ] [ via­vpn­tunnel ]
security­object <string> security aaa user­profile­mapping attribute­id <number>
security­object <string> security aaa user­profile­mapping enable
security­object <string> security aaa user­profile­mapping vendor­id <number> attribute­id <number>
security­object <string> security additional­auth­method captive­web­portal [ reg­user­profile­attr <number> ] [
auth­user­profile­attr <number> ] [ timeout <number> ] [ timer­display ]
security­object <string> security additional­auth­method captive­web­portal anonymous­access
security­object <string> security additional­auth­method captive­web­portal auth­method [ {pap|chap|ms­chap­v2} ]
security­object <string> security additional­auth­method captive­web­portal check­use­policy
security­object <string> security additional­auth­method captive­web­portal cloud­cwp api­key <string> api­nonce
<string>
security­object <string> security additional­auth­method captive­web­portal cloud­cwp customer­id <string>
security­object <string> security additional­auth­method captive­web­portal cloud­cwp enable
security­object <string> security additional­auth­method captive­web­portal cloud­cwp service­id <number>
security­object <string> security additional­auth­method captive­web­portal cloud­cwp url­root­path <string>
security­object <string> security additional­auth­method captive­web­portal default­language {chinese­
simple|chinese­traditional|dutch|english|french|german|italian|korean|spanish}
security­object <string> security additional­auth­method captive­web­portal external­server {primary} login­page
<string>
security­object <string> security additional­auth­method captive­web­portal external­server {primary} password­
encryption uam­basic
security­object <string> security additional­auth­method captive­web­portal external­server {primary} password­
encryption uam­shared <string>
security­object <string> security additional­auth­method captive­web­portal external­server {primary} {success­
register|no­roaming­at­login|no­radius­auth}
security­object <string> security additional­auth­method captive­web­portal failure­redirect external­page
<string> [ delay <number> ]
security­object <string> security additional­auth­method captive­web­portal failure­redirect login­page [ delay
<number> ]
security­object <string> security additional­auth­method captive­web­portal internal­pages {no­success­page|no­
failure­page}
security­object <string> security additional­auth­method captive­web­portal internal­servers
security­object <string> security additional­auth­method captive­web­portal login­page­method http302
security­object <string> security additional­auth­method captive­web­portal pass­through vlan <number>
security­object <string> security additional­auth­method captive­web­portal process­sip­info
security­object <string> security additional­auth­method captive­web­portal process­sip­info block­redirect
<string>
security­object <string> security additional­auth­method captive­web­portal report­guest­info
security­object <string> security additional­auth­method captive­web­portal self­reg­via­idm
security­object <string> security additional­auth­method captive­web­portal self­reg­via­idm api <string>
security­object <string> security additional­auth­method captive­web­portal self­reg­via­idm crl­file <string>
security­object <string> security additional­auth­method captive­web­portal server­name <string>
security­object <string> security additional­auth­method captive­web­portal server­name cert­dn
security­object <string> security additional­auth­method captive­web­portal success­redirect external­page
<string> [ delay <number> ]
security­object <string> security additional­auth­method captive­web­portal success­redirect original­page [ delay
<number> ]
security­object <string> security additional­auth­method captive­web­portal timer­display alert <number>
security­object <string> security additional­auth­method mac­based­auth [ {auth­method} {pap|chap|ms­chap­v2} ]
security­object <string> security additional­auth­method mac­based­auth call­check
security­object <string> security additional­auth­method mac­based­auth fallback­to­ecwp
security­object <string> security additional­auth­method mobile­device­manager aerohive api­key <string> api­
instance­id <string>
security­object <string> security additional­auth­method mobile­device­manager aerohive onboard access­ssid
<string>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 13/315
27/4/2016 Aerohive CLI Guide
security­object <string> security additional­auth­method mobile­device­manager airwatch api­key <string>
security­object <string> security additional­auth­method mobile­device­manager airwatch non­compliant disconnect­
for­vlan­change
security­object <string> security additional­auth­method mobile­device­manager airwatch non­compliant guest­upid
<number>
security­object <string> security additional­auth­method mobile­device­manager airwatch non­compliant send­message
content <string>
security­object <string> security additional­auth­method mobile­device­manager airwatch non­compliant send­message
title <string>
security­object <string> security additional­auth­method mobile­device­manager airwatch non­compliant send­message
type {email|sms|push|all}
security­object <string> security additional­auth­method mobile­device­manager airwatch url­enrollment <url>
security­object <string> security additional­auth­method mobile­device­manager airwatch url­rest­api <url>
security­object <string> security additional­auth­method mobile­device­manager {jss|aerohive} url­root­path <url>
security­object <string> security additional­auth­method mobile­device­manager {jss|airwatch|aerohive} enable
security­object <string> security additional­auth­method mobile­device­manager {jss|airwatch|aerohive} os­object
<string> [ {ios|mac­os} ]
security­object <string> security additional­auth­method mobile­device­manager {jss|airwatch} http­auth user
<string> password <string>
security­object <string> security additional­auth­method mobile­device­manager {jss|airwatch} poll­status [
interval <number> ]
security­object <string> security auth­mode host­based
security­object <string> security auth­mode {port­based} [ failure­user­profile­attr <number> ]
security­object <string> security eap retries <number>
security­object <string> security eap timeout <number>
security­object <string> security ft
security­object <string> security ft mobility­domain­id <number>
security­object <string> security initial­auth­method mac­based­auth
security­object <string> security local­cache timeout <number>
security­object <string> security mac­white­list bypass­cwp
security­object <string> security mac­white­list mac­object <string>
security­object <string> security preauth [ interface <ethx|wifix.y|redx|aggx> ]
security­object <string> security private­psk
security­object <string> security private­psk default­psk­disabled
security­object <string> security private­psk external­server [ {web­portal} ]
security­object <string> security private­psk mac­binding­enable
security­object <string> security private­psk mac­binding­keys­per­mac <number>
security­object <string> security private­psk mac­binding­macs­per­key <number>
security­object <string> security private­psk ppsk­server <ip_addr>
security­object <string> security private­psk radius­auth [ {pap|chap|ms­chap­v2} ]
security­object <string> security private­psk same­user­limit <number>
security­object <string> security private­psk self­reg­enable
security­object <string> security protocol­suite 802.1x
security­object <string> security protocol­suite open
security­object <string> security protocol­suite wep­open <number> {hex­key|ascii­key} <string> [ default ]
security­object <string> security protocol­suite wep­shared <number> {hex­key|ascii­key} <string> [ default ]
security­object <string> security protocol­suite wep104­8021x [ rekey­period <number> ]
security­object <string> security protocol­suite wep40­8021x [ rekey­period <number> ]
security­object <string> security protocol­suite wpa­auto­8021x [ rekey­period <number> ] [ {non­strict|strict} ]
[ gmk­rekey­period <number> ] [ ptk­timeout <number> ] [ ptk­retry <number> ] [ gtk­timeout <number> ] [ gtk­retry
<number> ] [ roaming proactive­pmkid­response ] [ ptk­rekey­period <number> ]
security­object <string> security protocol­suite wpa­auto­psk {hex­key|ascii­key} <string> [ rekey­period <number>
] [ {non­strict|strict} ] [ gmk­rekey­period <number> ] [ ptk­timeout <number> ] [ ptk­retry <number> ] [ gtk­
timeout <number> ] [ gtk­retry <number> ] [ ptk­rekey­period <number> ]
security­object <string> security protocol­suite wpa2­aes­8021x [ rekey­period <number> ] [ {non­strict|strict} ]
[ gmk­rekey­period <number> ] [ ptk­timeout <number> ] [ ptk­retry <number> ] [ gtk­timeout <number> ] [ gtk­retry
<number> ] [ roaming proactive­pmkid­response ] [ ptk­rekey­period <number> ]
security­object <string> security protocol­suite wpa2­aes­psk {hex­key|ascii­key} <string> [ rekey­period <number>
] [ {non­strict|strict} ] [ gmk­rekey­period <number> ] [ ptk­timeout <number> ] [ ptk­retry <number> ] [ gtk­
timeout <number> ] [ gtk­retry <number> ] [ ptk­rekey­period <number> ]
security­object <string> security protocol­suite wpa2­tkip­8021x [ rekey­period <number> ] [ {non­strict|strict} ]
[ gmk­rekey­period <number> ] [ ptk­timeout <number> ] [ ptk­retry <number> ] [ gtk­timeout <number> ] [ gtk­retry
<number> ] [ roaming proactive­pmkid­response ] [ ptk­rekey­period <number> ]
security­object <string> security protocol­suite wpa2­tkip­psk {hex­key|ascii­key} <string> [ rekey­period
<number> ] [ {non­strict|strict} ] [ gmk­rekey­period <number> ] [ ptk­timeout <number> ] [ ptk­retry <number> ] [
gtk­timeout <number> ] [ gtk­retry <number> ] [ ptk­rekey­period <number> ]
security­object <string> security protocol­suite {wpa­auto­8021x[wpa2­tkip­8021x[wpa2­aes­8021x} reauth­interval
<number>
security­object <string> security protocol­suite {wpa­auto­8021x[wpa2­tkip­8021x|wpa­auto­psk[wpa2­tkip­psk[wpa2­
aes­psk[wpa2­aes­8021x} replay­window <number>
security­object <string> security protocol­suite {wpa­auto­8021x[wpa2­tkip­8021x|wpa­auto­psk[wpa2­tkip­psk}
local­tkip­counter­measure
security­object <string> security protocol­suite {wpa­auto­8021x[wpa2­tkip­8021x|wpa­auto­psk[wpa2­tkip­psk}
remote­tkip­counter­measure
security­object <string> security protocol­suite {wpa2­aes­psk|wpa2­aes­8021x} mfp {mandatory|optional} [ bip ]
security­object <string> security roaming cache update­interval <number> ageout <number>
security­object <string> user­profile­allowed <string>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 14/315
27/4/2016 Aerohive CLI Guide
security­object <string> user­profile­allowed {all}
security­object <string> user­profile­deny action ban [ <number> ] [ strict ]
security­object <string> user­profile­deny action {ban­forever|disconnect} [ strict ]
security­object <string> user­profile­policy <string>
security­object <string> user­profile­sequence {cwp­ssid­mac|cwp­mac­ssid|ssid­cwp­mac|ssid­mac­cwp|mac­ssid­
cwp|mac­cwp­ssid}
security­object <string> walled­garden hostname <string> [ service {all|web} ]
security­object <string> walled­garden hostname <string> service protocol <number> port <number>
security­object <string> walled­garden ip­address <ip_addr|ip_addr/mask> [ service {all|web} ]
security­object <string> walled­garden ip­address <ip_addr|ip_addr/mask> service protocol <number> port <number>
security­object <string> web­directory <string>
security­object <string> web­server [ port <number> ] [ index­file <string> ] [ success­file <string> ] [ failure­
file <string> ] [ ssl server­key <number> ]
security­object <string> web­server web­page {mandatory­field} <number> [ optional­field <number> ]
service <string> alg {ftp|tftp|sip|dns|http}
service <string> app­id <number> [ timeout <number> ]
service <string> protocol <number> [ port <number> ] [ timeout <number> ]
service <string> protocol {tcp|udp|svp} [ port <number> ] [ timeout <number> ]
sflow enable
sflow instance <string> interface <ethx|wifix> collector­addr <ip_addr> [ collector­port <number> ] [ sampling­
rate <number> ] [ polling­interval <number> ] [ direction {ingress|egress|both} ]
show 802.1x­mac­table [ interface <ethx> ] [ mac <mac_addr> ]
show aaa
show aaa radius­server
show aaa radius­server NAS [ <string> ]
show aaa radius­server active­session [ username <string> ]
show aaa radius­server cache
show aaa radius­server domain
show aaa radius­server proxy [ server ]
show aaa radius­server­key {radius­server|ldap­client}
show access­console
show acsp
show acsp channel­info [ {detail|arbiter} ]
show acsp neighbor
show admin [ active ]
show admin auth
show admin manager­ip
show alg [ {ftp|tftp|sip|dns|http} ]
show alg sip calls [ <string> ]
show amrp
show amrp Ethlink
show amrp Ethlink <mac_addr>
show amrp bonjour [ <ip_addr> ]
show amrp client [ <mac_addr> ]
show amrp dnxp cache [ <mac_addr> ]
show amrp dnxp neighbor [ <mac_addr> ]
show amrp interface
show amrp interface <ethx|redx|aggx> bmt­table
show amrp interface <ethx|redx|aggx> mac­learning
show amrp interface <ethx|redx|aggx|mgtx|wifix.y>
show amrp neighbor [ {Ethernet|WiFi} ]
show amrp node <ip_addr|mac_addr>
show amrp node [ all ]
show amrp static­neighbor
show amrp tunnel [ <ip_addr> ]
show amrp tunnel route [ <ip_addr> ]
show application identification [ cdp­index <number> ] [ cdp­name <string> ]
show application reporting app­stats
show application reporting applications
show application reporting configuration
show application reporting statistics
show arp­cache
show auth [ interface <wifix.y|ethx> ]
show auth mac­binding <string> [ <mac_addr> ] [ <string> ]
show auth private­psk
show band­steering status
show bonjour­gateway filter
show bonjour­gateway service local [ vlan <number> ] [ detail ]
show bonjour­gateway service remote [ vlan <number> ] [ detail ]
show bonjour­gateway status
show bonjour­gateway vlan
show boot­param
show boot­param country­code
show cac summary
show capture interface <wifix>
show capture local
show capture remote­sniffer

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 15/315
27/4/2016 Aerohive CLI Guide
show capwap client
show client­info­collection [ ip <ip_addr> ]
show client­load­balance status
show client­monitor info
show client­monitor policy [ <string> ]
show clock
show cmds
show config rollback
show config running
show config running password
show config version
show config {current|backup|bootstrap|default|failed}
show console
show cpu [ {detail} ]
show data­collection
show device­group [ <string> ]
show dns
show dns dynamic­dns
show domain­object [ <string> ]
show filter [ <number> ]
show forwarding­engine counters [ interface <wifix|wifix.y|ethx|mgtx|aggx|redx> ] [ station <mac_addr> ] [ drop ]
show forwarding­engine inter­ssid­flood
show forwarding­engine ip­gates
show forwarding­engine ip­sessions [ src­ip <ip_addr> ] [ dst­ip <ip_addr> ] [ src­port <number> ] [ dst­port
<number> ] [ protocol <number> ] [ qos <number> ]
show forwarding­engine ip­sessions id <number>
show forwarding­engine mac­sessions [ src­mac <mac_addr> ] [ dst­mac <mac_addr> ] [ vlan <number> ]
show forwarding­engine mac­sessions id <number>
show forwarding­engine max­ip­sess­per­station
show forwarding­engine max­mac­sess­per­station
show forwarding­engine open­ports­to­self
show forwarding­engine policy
show forwarding­engine static­rule
show forwarding­engine tunnel selective­multicast­forward
show forwarding­engine tunnel tcp­mss­threshold
show gre­tunnel
show high­density status
show history
show hive <string> connecting­threshold
show hive <string> counter neighbor [ <mac_addr> ]
show hive <string> manage
show hive <string> neighbor [ mac <mac_addr> ]
show hive <string> security wlan dos
show hive [ <string> ]
show hivemanager
show hiveui cas client
show hw­info
show icsa
show idm
show interface <blex> ibeacon
show interface <blex> ibeacon­monitor list
show interface <ethx> default­route­vlan
show interface <ethx> pppoe
show interface <ethx|aggx|redx> allowed­vlan
show interface <ethx|aggx|redx> mac­learning {static|dynamic|all}
show interface <ethx|aggx|redx> manage
show interface <ethx|aggx|redx> qos­classifier
show interface <ethx|aggx|redx> qos­marker
show interface <ethx|aggx|redx> rate­limit
show interface <mgtx.y> manage
show interface <mgtx> dhcp keepalive
show interface <mgtx> dhcp­probe results­summary
show interface <mgtx> ipv6 dhcp client
show interface <mgtx|ethx|bgdx.y|usbnetx|wifix.y> dhcp client
show interface <mgtx|mgtx.y> dhcp­server [ detail ]
show interface <mgtx|mgtx.y> dhcp­server ip­binding
show interface <mgtx|mgtx.y> dhcp­server reserved­address
show interface <mgtx|mgtx.y> ip­helper
show interface <mgtx|mgtx.y> ip­helper max­hops
show interface <wifix.y> multicast
show interface <wifix> channel
show interface <wifix> dfs
show interface <wifix> multicast
show interface <wifix> wlan­idp ap­info
show interface <wifix> wlan­idp ap­info compliance {compliant|non­compliant}
show interface <wifix> wlan­idp ap­info type {rogue|valid|external}
show interface <wifix> wlan­idp client­info

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 16/315
27/4/2016 Aerohive CLI Guide
show interface <wifix> wlan­idp mitigate rogue­ap [ <mac_addr> ]
show interface <wifix|wifix.y> counter
show interface [ <ethx|mgtx|mgtx.y|wifix|wifix.y|redx|aggx|tunnelx|bgdx.y> ]
show ip nat­policy
show ip nat­policy <string>
show ip nat­policy service­port­list
show ip path­mtu­discovery
show ip policy­route [ {l3­tunnel­all|l3­tunnel­exception|l3­tunnel­split|l3­tunnel­drop} ]
show ip route
show ip session nat­policy
show ip session nat­policy <string>
show ip tcp­mss­threshold
show ip­policy
show ip­policy <string>
show ip­policy user­profile <number|string> [ {from­access|to­access} ] [ from <ip_addr|string> <mask> ] [ to
<ip_addr|string> <mask> ] [ service <string> ] [ action {permit|deny|inter­station­traffic­drop} ] [ lines
<number> ]
show ipv6 route
show l3 interface [ ipv6 ]
show library­sip­policy [ <string> ]
show license
show lldp [ {cdp} ] [ {neighbor} ]
show location [ {aeroscout|tzsp} ]
show location aerohive
show location aerohive list
show location aerohive rssi
show location aerohive rssi mac <mac_addr>
show location aerohive rssi oui <oui>
show location {aeroscout|tzsp} counter
show logging
show logging {buffered|flash|debug} [ level {emergency|alert|critical|error|warning|notification|info|debug} ] [
tail <number> ] [ date <date> ] [ time <time> ]
show mac­object [ <string> ]
show mac­policy
show mac­policy <string> [ from <mac_addr> [ <number> ] ] [ to <mac_addr> [ <number> ] ] [ action {permit|deny} ]
[ lines <number> ]
show mac­policy user­profile <number|string> [ {from­access|to­access} ] [ from <mac_addr> [ <number> ] ] [ to
<mac_addr> [ <number> ] ] [ action {permit|deny} ] [ lines <number> ]
show mdnsd [ {cache|auth­record|duplicate­record|auth­record­proxied|duplicate­record­proxied|active­client­
requests|interface|questions|memory|others} ]
show mdnsd counter [ vlan <number> ]
show memory [ {detail} ]
show min­password­length
show mobile­device­policy [ <string> ]
show mobility­policy [ <string> ]
show mobility­threshold gre­tunnel permitted­load
show network­firewall
show ntp
show os­detection [ {option55­to­os­database|dhcp­fingerprint­version} ]
show os­object [ <string> ]
show performance­sentinel
show ppsk schedule [ <string> ]
show proxy
show qos
show qos classifier­map 80211e [ <number> ]
show qos classifier­map 8021p [ <number> ]
show qos classifier­map diffserv [ <number> ]
show qos classifier­map interface <ethx|aggx|redx>
show qos classifier­map oui [ <oui> ]
show qos classifier­map service [ <string> ]
show qos classifier­map ssid <string>
show qos classifier­profile [ <string> ]
show qos counter user [ <mac_addr> ]
show qos counter user­profile [ <string> ]
show qos l3­police [ detail ]
show qos l3­police interface <string> [ detail ]
show qos l3­police statistics [ detail ]
show qos l3­police statistics interface <string> [ detail ]
show qos marker­map 80211e [ <number> ]
show qos marker­map 8021p [ <number> ]
show qos marker­map diffserv [ <number> ]
show qos marker­map {diffserv|8021p} <string>
show qos marker­profile [ <string> ]
show qos policy [ <string> ]
show radio profile [ <string> ]
show reboot schedule
show report statistic

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 17/315
27/4/2016 Aerohive CLI Guide
show reset­button
show roaming cache
show roaming cache mac <mac_addr>
show roaming neighbor [ mac <mac_addr> ] [ ip <ip_addr> ]
show route
show routing internal­sub­network
show routing policy
show routing policy <string>
show routing policy <string> route
show routing route­request
show routing {match­map|route­map} [ <string> ]
show running­config
show running­config password
show running­config users [ password ] [ all ]
show running­config xauth­clients [ password ]
show schedule [ <string> ]
show schedule­in­detail
show security mac­filter [ <string> ]
show security protocol­suite
show security­object <string> dhcp­server
show security­object <string> dns­server
show security­object <string> mobile­device­manager {jss|airwatch|aerohive}
show security­object <string> mobile­device­policy
show security­object <string> security aaa
show security­object <string> security mac­white­list
show security­object <string> security protocol­suite
show security­object <string> walled­garden
show security­object <string> web­server
show security­object [ <string> ]
show service [ <string> ]
show service [ <string> ] counter
show sflow
show sflow instance [ <string> ]
show snmp [ {v3­admin} ]
show snmp community [ {read­only} ]
show snmp contact
show snmp location
show snmp trap­host
show ssh­tunnel
show ssid <string> admctl tsinfo [ sta <mac_addr> ]
show ssid <string> counter station [ <mac_addr> ]
show ssid <string> manage
show ssid <string> multicast
show ssid <string> qos­classifier
show ssid <string> qos­marker
show ssid <string> schedule [ detail ]
show ssid <string> security screening [ detail ]
show ssid <string> security wlan dos
show ssid <string> station [ mac <mac_addr> ]
show ssid <string> station ipv6
show ssid <string> user­group
show ssid [ <string> ]
show ssid­schedule
show station [ <mac_addr> ]
show station [ <mac_addr> ] counter
show station ipv6
show supplicant cert­file [ <string> ]
show supplicant name [ <string> ]
show system
show system connection­trap delay
show system disk­info
show system led
show system power mode
show system power status
show system processes [ state ]
show system temperature
show teacher­view resource­map
show tech
show tech <url> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [ proxy­admin <string>
password <string> ] ]
show time­zone
show track [ <string> ]
show track­wan
show usb­device
show usbmodem [ modem­id <string> ]
show usbmodem descriptor
show usbmodem info

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 18/315
27/4/2016 Aerohive CLI Guide
show usbmodem modeswitch
show usbmodem network­mode
show usbmodem network­service
show usbmodem rssi
show usbmodem sim­info
show usbmodem status
show user
show user­group <string> psk­digest [ <string> ]
show user­group [ <string> ]
show user­profile <string> cac airtime­percentage
show user­profile <string> schedule [ detail ]
show user­profile [ <string> ]
show user­profile­policy [ <string> ]
show user­profile­schedule
show version [ {detail} ]
show video ip <ip_addr> <number>
show video ip <ip_addr> dst­port­range <number> ­ <number>
show vlan­group
show vpn gre­tunnel
show vpn ike configuration
show vpn ike {sa|event}
show vpn ike {sp}
show vpn ipsec sa
show vpn ipsec­tunnel
show vpn l3­tunnel­exception
show vpn layer­3­tunnel
show vpn tunnel­id [ <number> ]
show vpn tunnel­policy
show vpn {socket|timer|memory|queue|ph2|sp|rekey}
show wan db
show wan failover
show wan interface
show wan interface <ethx|usbnetx|wifix|tunnelx>
show web­directory [ ppsk­self­reg ] [ <string> ]
show web­security­proxy {websense­v1|barracuda­v1}
show web­server­key
show wlan­idp mitigate [ <mac_addr> ]
show wlan­idp profile [ <string> ]
snmp contact <string>
snmp location <string>
snmp reader version v3 admin <string> [ auth {md5|sha} password <string> ] [ encryption {aes|des} password
<string> ]
snmp reader version {v1|v2c|any} community <string> [ <string> ]
snmp trap­host {v1|v2c} <ip_addr|string> [ port <number> ] [ {via­vpn­tunnel} ] [ community <string> ]
snmp trap­host {v3} <ip_addr|string> [ port <number> ] [ {via­vpn­tunnel} ] admin <string>
snmp trap­host {v3} admin <string> auth {md5|sha} password <string> [ encryption {aes|des} password <string> ]
snmp trap­info {over­snmp|over­capwap}
ssh­tunnel server <string> tunnel­port <number> user <string> password <string> [ timeout <number> ]
ssid <string>
ssid <string> 11a­rate­set [ {6|6­basic} ] [ {9|9­basic} ] [ {12|12­basic} ] [ {18|18­basic} ] [ {24|24­basic} ] [
{36|36­basic} ] [ {48|48­basic} ] [ {54|54­basic} ]
ssid <string> 11ac­mcs­rate­set <string>
ssid <string> 11g­rate­set [ {1|1­basic} ] [ {2|2­basic} ] [ {5.5|5.5­basic} ] [ {11|11­basic} ] [ {6|6­basic} ] [
{9|9­basic} ] [ {12|12­basic} ] [ {18|18­basic} ] [ {24|24­basic} ] [ {36|36­basic} ] [ {48|48­basic} ] [ {54|54­
basic} ]
ssid <string> 11n­mcs­expand­rate­set <string>
ssid <string> admctl ac <number> enable
ssid <string> admctl delts sta <mac_addr> tid <number>
ssid <string> block­to­wifi­mcast
ssid <string> client­age­out <number>
ssid <string> client­monitor­policy <string>
ssid <string> dtim­period <number>
ssid <string> frag­threshold <number>
ssid <string> hide­ssid
ssid <string> ignore­broadcast­probe
ssid <string> inter­station­traffic
ssid <string> manage all
ssid <string> manage {Telnet|SSH|SNMP|ping}
ssid <string> max­client <number>
ssid <string> mode compliance
ssid <string> mode legacy
ssid <string> multicast conversion­to­unicast {auto|always|disable}
ssid <string> multicast cu­threshold <number>
ssid <string> multicast member­threshold <number>
ssid <string> qos­classifier <string>
ssid <string> qos­marker <string>
ssid <string> rrm enable

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 19/315
27/4/2016 Aerohive CLI Guide
ssid <string> rts­threshold <number>
ssid <string> schedule <string>
ssid <string> security mac­filter <string>
ssid <string> security screening radius­attack
ssid <string> security screening radius­attack action ban­forever
ssid <string> security screening radius­attack action {alarm|ban} [ [ <number> ] ]
ssid <string> security screening radius­attack threshold <number> [ action {alarm|ban} [ <number> ] ]
ssid <string> security screening radius­attack threshold <number> action ban­forever
ssid <string> security screening tcp­syn­check
ssid <string> security screening {icmp­flood|udp­flood|syn­flood|arp­flood|address­sweep|port­scan|ip­spoof} [
threshold <number> ]
ssid <string> security screening {icmp­flood|udp­flood|syn­flood|arp­flood|address­sweep|port­scan|ip­spoof}
action ban­forever
ssid <string> security screening {icmp­flood|udp­flood|syn­flood|arp­flood|address­sweep|port­scan|ip­spoof}
action disconnect
ssid <string> security screening {icmp­flood|udp­flood|syn­flood|arp­flood|address­sweep|port­scan|ip­spoof}
action {alarm|drop|ban} <number>
ssid <string> security screening {icmp­flood|udp­flood|syn­flood|arp­flood|address­sweep|port­scan|ip­spoof}
threshold <number> action ban­forever
ssid <string> security screening {icmp­flood|udp­flood|syn­flood|arp­flood|address­sweep|port­scan|ip­spoof}
threshold <number> action disconnect
ssid <string> security screening {icmp­flood|udp­flood|syn­flood|arp­flood|address­sweep|port­scan|ip­spoof}
threshold <number> action {alarm|drop|ban} <number>
ssid <string> security wlan dos station­level frame­type {assoc­req|auth|eapol} ban <number>
ssid <string> security wlan dos station­level frame­type {assoc­req|auth|eapol} ban forever
ssid <string> security wlan dos {ssid­level|station­level} frame­type {probe­req|probe­resp|assoc­req|assoc­
resp|disassoc|auth|deauth|eapol|all}
ssid <string> security wlan dos {ssid­level|station­level} frame­type {probe­req|probe­resp|assoc­req|assoc­
resp|disassoc|auth|deauth|eapol|all} alarm <number>
ssid <string> security wlan dos {ssid­level|station­level} frame­type {probe­req|probe­resp|assoc­req|assoc­
resp|disassoc|auth|deauth|eapol|all} threshold <number>
ssid <string> security­object <string>
ssid <string> uapsd
ssid <string> user­group <string>
ssid <string> wmm
ssid <string> wnm enable
ssid <string> wnm sta <mac_addr> send bstmreq
supplicant <string>
supplicant <string> ca­cert <string>
supplicant <string> client­cert <string> private­key <string> [ private­key­password <string> ]
supplicant <string> eap­type {md5|peap|tls|ttls}
supplicant <string> password <string>
supplicant <string> username <string> [ password <string> ]
system connection­trap delay <number>
system disable­multicast­ping
system environment {indoor|outdoor}
system icmp­redirect enable
system led brightness {bright|soft|dim|off}
system power­mode {802.3at|802.3af|auto}
system web­server enable
teacher­view prompt­for­deny­url
teacher­view resource­map name <string> ip <ip_addr> port <port>
time­object <string> once <date> <time> to <date> <time> [ time­zone <number> ]
time­object <string> recurrent [ date­range <date> [ to <date> ] ] [ weekday­range
{Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} [ to
{Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} ] ] time­range <time> to <time> [ time­range <time> to
<time> ] [ time­zone <number> ]
tracert <ip_addr> [ max­hops <number> ] [ timeout <number> ] [ no­resolve ]
tracert <string> [ max­hops <number> ] [ timeout <number> ] [ no­resolve ]
track <string> [ ip <ip_addr> ]
track <string> action start­mesh­failover
track <string> action {enable­access­console|disable­access­radio}
track <string> default­gateway
track <string> enable
track <string> interval <number>
track <string> multi­dst­logic {and|or}
track <string> retry <number>
track­wan <string>
track­wan <string> default­gateway
track­wan <string> enable
track­wan <string> interface <ethx|usbnetx|wifix>
track­wan <string> interval <number>
track­wan <string> ip <ip_addr>
track­wan <string> multi­dst­logic {and|or}
track­wan <string> retry <number>
usbmodem enable
usbmodem mode {on­demand|always­connected|primary­wan}

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 20/315
27/4/2016 Aerohive CLI Guide
usbmodem modem­id <string>
usbmodem modem­id <string> apn [ <string> ]
usbmodem modem­id <string> at­cmd­get {card­info|signal­strength} <string>
usbmodem modem­id <string> at­cmd­set {network­mode­auto|network­mode­lte|network­mode­3g|network­mode­2g|modem­
reset} <string>
usbmodem modem­id <string> connect­cmd <string>
usbmodem modem­id <string> connect­status­cmd <string> connected­pattern <string> disconnect­pattern <string>
usbmodem modem­id <string> connect­type {ppp­dialup|atcmd­directip|qmi­directip}
usbmodem modem­id <string> dialup­number [ <string> ]
usbmodem modem­id <string> dialup­password [ <string> ]
usbmodem modem­id <string> dialup­username [ <string> ]
usbmodem modem­id <string> disconnect­cmd <string>
usbmodem modem­id <string> usbnet {cdc­ether|sierra­net}
usbmodem modem­id <string> usbserial {option|sierra|cdc­acm}
usbmodem modem­id <string> vendor­id <string> product­id <string>
usbmodem modeswitch vendor­id <string> product­id <string> message <string>
usbmodem network­mode {auto|lte|3g|2g}
usbmodem power cycle
usbmodem power enable
usbmodem reset­device
usbmodem rssi­threshold <number>
usbport power {auto|enable|disable}
user <string>
user <string> group <string>
user <string> password <string>
user­group <string>
user­group <string> auto­generation bulk­number <number> bulk­interval <number> <time>
user­group <string> auto­generation index­range <number> [ <number> ]
user­group <string> auto­generation location <string>
user­group <string> auto­generation password­length <number>
user­group <string> auto­generation prefix <string>
user­group <string> auto­generation revoke­user <number> [ <number> ]
user­group <string> auto­generation schedule <string>
user­group <string> auto­generation shared­secret <string>
user­group <string> cache­mode {temporary|mandatory}
user­group <string> expired­time <date/time>
user­group <string> password­generation­method {manual|auto}
user­group <string> pmk­auto­save
user­group <string> psk­format character­pattern {letters|digits|special­characters}
user­group <string> psk­format combo­pattern {or|and|no}
user­group <string> psk­format version {0|1}
user­group <string> psk­generation­method username­and­password concatenated­characters <string>
user­group <string> psk­generation­method {password­only|username­and­password}
user­group <string> reauth­interval <number>
user­group <string> start­time <date/time>
user­group <string> user­attribute <number>
user­group <string> vlan­id <number>
user­group <string> voice­device
user­profile <string> [ qos­policy <string> ] [ vlan­id <number> ] [ mobility­policy <string> ] [ attribute
<number> [ ­ <number> ] ]
user­profile <string> cac airtime­percentage <number> [ share­time ]
user­profile <string> deny­action­for­schedule {ban|quarantine}
user­profile <string> ip­policy­default­action {permit|deny|inter­station­traffic­drop}
user­profile <string> ip­policy­redirect­url <string>
user­profile <string> l3­tunnel­action {all|with­exception|split|drop­tunnel­traffic}
user­profile <string> mac­policy­default­action {permit|deny}
user­profile <string> qos­marker­map {diffserv|8021p} <string>
user­profile <string> schedule <string>
user­profile <string> security deny {ipv4|ipv6}
user­profile <string> security ip­policy [ from­access <string> ] [ to­access <string> ]
user­profile <string> security mac­policy [ from­access <string> ] [ to­access <string> ]
user­profile <string> tunnel­policy <string>
user­profile <string> vlan­group <string>
user­profile <string> {after|before} <string>
user­profile <string> {performance­sentinel} action {log|boost}
user­profile <string> {performance­sentinel} enable
user­profile <string> {performance­sentinel} guaranteed­bandwidth <number>
user­profile­policy <string>
user­profile­policy <string> action­for­upid­change {switch|sustain|ignore}
user­profile­policy <string> mdm­timeout <number>
user­profile­policy <string> rule <number> auth­attrs <string>
user­profile­policy <string> rule <number> device­location <string>
user­profile­policy <string> rule <number> group­name <string>
user­profile­policy <string> rule <number> mac­object <string>
user­profile­policy <string> rule <number> mdm­object <string>
user­profile­policy <string> rule <number> os­object <string>
user­profile­policy <string> rule <number> time­object <string>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 21/315
27/4/2016 Aerohive CLI Guide
user­profile­policy <string> rule <number> user­profile­attr­id <number>
vlan­group <string> <number> [ <number> ]
vpn client­ip­pool <string> local <ip_addr> <ip_addr> netmask <ip_addr>
vpn ipsec­tunnel <string> client­list <string> [ client­ip­pool <string> dns­server <ip_addr> ]
vpn ipsec­tunnel <string> dpd idle­interval <number> retry <number> retry­interval <number>
vpn ipsec­tunnel <string> gateway <ip_addr> client­name <string> password <string>
vpn ipsec­tunnel <string> ike phase1 auth­method {hybrid|rsa­sig|psk}
vpn ipsec­tunnel <string> ike phase1 dh­group {group1|group2|group5}
vpn ipsec­tunnel <string> ike phase1 mode {main|aggressive}
vpn ipsec­tunnel <string> ike phase1 psk <string>
vpn ipsec­tunnel <string> ike phase2 pfs­group {no­pfs|group1|group2|group5}
vpn ipsec­tunnel <string> ike {phase1|phase2} encryption­algorithm {3des|aes128|aes192|aes256}
vpn ipsec­tunnel <string> ike {phase1|phase2} hash {md5|sha1}
vpn ipsec­tunnel <string> ike {phase1|phase2} lifetime <number>
vpn ipsec­tunnel <string> local­ike­id {asn1dn|address|fqdn|ufqdn|keyid} <string>
vpn ipsec­tunnel <string> nat­policy <string>
vpn ipsec­tunnel <string> nat­traversal enable
vpn ipsec­tunnel <string> peer­ike­id {asn1dn|address|fqdn|ufqdn} <string>
vpn l3­tunnel­exception <ip_addr|ip_addr/mask|string>
vpn tunnel­policy <string> client ipsec­tunnel <string> [ primary ]
vpn tunnel­policy <string> password <string>
vpn tunnel­policy <string> server ipsec­tunnel <string>
vpn xauth­client­list <string> client­name <string> password <string>
vpn xauth­client­list <string> local
vpn {client­ipsec­tunnel|server­ipsec­tunnel} <string> [ vpn­mode {layer­2|layer­3} ]
web­directory <string> link­to­resources <string> <string>
web­directory [ {ppsk­self­reg} ] <string>
web­security­proxy client­info­collection enable
web­security­proxy websense­v1 account­key <string>
web­security­proxy {websense­v1|barracuda­v1} account­id <string>
web­security­proxy {websense­v1|barracuda­v1} default­domain <string>
web­security­proxy {websense­v1|barracuda­v1} default­username <string>
web­security­proxy {websense­v1|barracuda­v1} enable
web­security­proxy {websense­v1|barracuda­v1} http­proxy­host <string>
web­security­proxy {websense­v1|barracuda­v1} http­proxy­port <port>
web­security­proxy {websense­v1|barracuda­v1} https­proxy­host <string>
web­security­proxy {websense­v1|barracuda­v1} https­proxy­port <port>
web­security­proxy {websense­v1|barracuda­v1} subnet <ip_addr/netmask> [ action­if­unreachable {allow|block} ]
web­security­proxy {websense­v1|barracuda­v1} whitelist <string>

802.1x­mac­table expire­time <number>

Set parameters for the client MAC address table that is used to track the status of
802.1x­mac­table
authenticated clients and those attempting authentication through 802.1X/EAP
expire­time Set the interval of idle time after which the status of an authenticated client elapses
<number> Enter an expiration time interval in seconds (Range: 60­86400; Default: 300)

802.1x­mac­table suppress­interval <number>

Set parameters for the client MAC address table that is used to track the status of
802.1x­mac­table
authenticated clients and those attempting authentication through 802.1X/EAP
Set a length of time to ignore further authentication requests after a client fails an
suppress­interval
authentication check
Enter a suppress interval in seconds (Range: 0­3600; Default: 0; Note: 0 means that no
<number>
suppression is applied after an authentication failure.)

aaa attribute NAS­Identifier <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
attribute Set attribute parameters for RADIUS Access­Request and Accounting­Request packets
Set the RADIUS Access­Request and Accounting­Request packets NAS­Identifier parameter
NAS­Identifier (Note: The NAS identifier contains a string that identifies the NAS that is originating
the access or accounting request.)
<string> Enter the custom NAS­Identifier (Default: HiveAP host name; 1­64 chars)

aaa attribute Operator­Name namespace­id <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
attribute Set attribute parameters for RADIUS Access­Request and Accounting­Request packets
Set the operator name of the RADIUS Access­Request and Accounting­Request packets (Note:
The operator name contains the operator namespace ID and the operator name. The operator

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 22/315
27/4/2016 Aerohive CLI Guide
Operator­Name name is combined with the namespace ID to uniquely identify the owner of the access
network.)

namespace­id Set the namespace ID parameter of the Operator­Name (Default: realm)

Enter a number used for namespace ID (Range: 4­206; Note: These namespace ID values
<number> anticipate future additions to the list of namespaces as defined by IANA and reference
in RFC 5580.)

aaa attribute Operator­Name namespace­id {TADIG|REALM|E212|ICC}

aaa Set parameters for AAA (authentication, authorization, accounting)
attribute Set attribute parameters for RADIUS Access­Request and Accounting­Request packets
Set the operator name of the RADIUS Access­Request and Accounting­Request packets (Note:
The operator name contains the operator namespace ID and the operator name. The operator
Operator­Name
name is combined with the namespace ID to uniquely identify the owner of the access
network.)
namespace­id Set the namespace ID parameter of the Operator­Name (Default: realm)
Set the Namespace­ID parameter to TADIG (Transferred Account Data Interchange Group;
TADIG Note: TADIG namespaces include a country code and a company code, and are used in
cellular telephone networks.)
Set the Namespace­ID parameter to REALM (Note: Realm namespaces must be globally unique,
REALM
so administrators commonly use device fully qualified domain name.)
Set the Namespace­ID parameter to E212 (Note: The E.212 standard is defined in the ITU
E212 (International Telecommunication Union) standard. E.212 namespaces include a mobile
country code and a mobile network code, and are used in cellular telephone networks.)
Set the Namespace­ID parameter to ICC (ITU carrier code; Note: ICC namespaces consist of
ICC
a country code and the carrier code, and are used in cellular telephone networks.)

aaa attribute Operator­Name value <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
attribute Set attribute parameters for RADIUS Access­Request and Accounting­Request packets
Set the operator name of the RADIUS Access­Request and Accounting­Request packets (Note:
The operator name contains the operator namespace ID and the operator name. The operator
Operator­Name
name is combined with the namespace ID to uniquely identify the owner of the access
network.)
value Set the value for the operator name attribute
<string> Enter a string for Operator­Name(1­64 chars)

aaa attribute user­profile­attribute vendor­id <number> attribute­id <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
attribute Set attribute parameters for RADIUS Access­Request and Accounting­Request packets
user­profile­attribute Map a RADIUS attribute to the user profile
vendor­id Set a vendor ID RADIUS attribute
Enter the vendor ID number (Range: 1­65535; Note: Aerohive recommends a vendor ID of
<number>
26928, which identifies Aerohive as the vendor.)
attribute­id Set an ID for a private RADIUS attribute
Enter the private RADIUS attribute ID number to be combined with the vendor ID
<number> number(Range: 1­255; Note: Aerohive recommends an attribute ID of 6, which corresponds
to the user profile attribute.)

aaa mac­format case­sensitivity {lower­case|upper­case}

aaa Set parameters for AAA (authentication, authorization, accounting)
Set the MAC address format to use when sending client MAC addresses to an external
mac­format
authentication server
case­sensitivity Set the letter case to use when formatting MAC addresses
lower­case Use lowercase formatting (Example: 01ab23cd45ef; Default: lower­case)

upper­case Use uppercase formatting (Example: 01AB23CD45EF; Default: lower­case)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 23/315
27/4/2016 Aerohive CLI Guide
aaa mac­format delimiter {dash|dot|colon}
aaa Set parameters for AAA (authentication, authorization, accounting)
Set the MAC address format to use when sending client MAC addresses to an external
mac­format
authentication server
delimiter Set the type of delimiter to use when formatting MAC addresses
dash Set a dash ( ­ ) as the MAC address delimiter (Default: colon)
dot Set a dot ( . ) as the MAC address delimiter (Default: colon)
colon Set a colon ( : ) as the MAC address delimiter (Default: colon)

aaa mac­format style {two­delimiter|five­delimiter|no­delimiter}

aaa Set parameters for AAA (authentication, authorization, accounting)
Set the MAC address format to use when sending client MAC addresses to an external
mac­format
authentication server
Set the number of delimiters to use when grouping the hexadecimal digits in a MAC
style
address
Set the number of delimiters in a MAC address as two (Example: 0123.4567.89ab; Default:
two­delimiter
no­delimiter)
Set the number of delimiters in a MAC address as five (Example: 01­23­45­67­89­ab;
five­delimiter
Default: no­delimiter)
Set the number of delimiters in a MAC address as none (Example: 0123456789ab; Default:
no­delimiter
no­delimiter)

aaa ppsk­server auto­save­interval <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
ppsk­server Set parameters for the local HiveAP when it is acting as a private PSK server
Set the length of time to save the list of private PSK­to­client MAC address bindings to
auto­save­interval
flash memory
<number> Enter the interval in seconds(Default: 600 sec; Range: 60­3600)

aaa ppsk­server radius­server {primary|backup1|backup2|backup3} <ip_addr|string> [ shared­secret

<string> ] [ auth­port <number> ] [ via­vpn­tunnel ]
aaa Set parameters for AAA (authentication, authorization, accounting)
ppsk­server Set parameters for the local HiveAP when it is acting as a private PSK server
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
primary Set the RADIUS server that is first queried when authenticating users
backup1 Set the RADIUS server that is queried if the primary server stops responding
backup2 Set the RADIUS server that is queried if the backup1 server stops responding
backup3 Set the RADIUS server that is queried if the backup2 server stops responding
<ip_addr> Enter an IP address or a domain name for the RADIUS server (max 32 chars)
<string> Enter an IP address or a domain name for the RADIUS server (max 32 chars)
shared­secret Set the shared secret for authenticating communications with a RADIUS server
Enter the shared secret for authenticating communications with a RADIUS server (1­64
<string>
chars)
auth­port Set the RADIUS authentication port number
<number> Enter the RADIUS authentication port number (Default: 1812; Range: 1­65535)
Send all RADIUS traffic through a VPN tunnel (Note: Set this option on VPN clients when
via­vpn­tunnel the RADIUS server is in a different subnet from the tunnel interface. When they are in
the same subnet, tunneling is automatic.)

aaa radius­server account­interim­interval <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
account­interim­
Set the interval in seconds for sending RADIUS accounting updates
interval
Enter the interval in seconds for sending RADIUS accounting updates (Default: 600;
<number>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 24/315
27/4/2016 Aerohive CLI Guide
Range: 10­100000000)

aaa radius­server accounting {primary|backup1|backup2|backup3} <ip_addr|string> [ shared­secret

<string> ] [ acct­port <number> ] [ via­vpn­tunnel ]
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
accounting Set parameters for a RADIUS accounting server
Set the RADIUS accounting server to which the HiveAP sends Accounting­Request packets
primary
first
Set the RADIUS accounting server to which the HiveAP sends Accounting­Request packets if
backup1
the primary server does not respond
Set the RADIUS accounting server to which the HiveAP sends Accounting­Request packets if
backup2
the backup1 server does not respond
Set the RADIUS accounting server to which the HiveAP sends Accounting­Request packets if
backup3
the backup2 server does not respond
<ip_addr> Enter the IP address or domain name for the RADIUS accounting server (max 32 chars)
<string> Enter the IP address or domain name for the RADIUS accounting server (max 32 chars)
shared­secret Set the shared secret for securing communications with RADIUS accounting servers
Enter the shared secret (1­64 chars; Note: The RADIUS shared secret is case sensitive
<string>
and can contain spaces.)
acct­port Set the RADIUS accounting port number
<number> Enter the RADIUS accounting port number (Default: 1813; Range: 1­65535)
Send all RADIUS traffic through a VPN tunnel (Note: Set this option on VPN clients when
via­vpn­tunnel the RADIUS server is in a different subnet from the tunnel interface. When they are in
the same subnet, tunneling is automatic.)

aaa radius­server dynamic­auth­extension

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
Enable the HiveAP acting as a NAS to accept unsolicited messages from the RADIUS
dynamic­auth­extension
authentication server (Default: Disabled)

aaa radius­server inject Operator­Name

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
inject Set injection parameters for RADIUS Access­Request and Accounting­Request packets
Set the operator name of the RADIUS Access­Request and Accounting­Request packets (Note:
The operator name contains the operator namespace ID and the operator name. The operator
Operator­Name
name is combined with the namespace ID to uniquely identify the owner of the access
network.)

aaa radius­server keepalive enable

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
keepalive Set parameters for periodically checking network connectivity to RADIUS servers
enable Set parameters for periodically checking network connectivity to RADIUS servers

aaa radius­server keepalive interval <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
keepalive Set parameters for periodically checking network connectivity to RADIUS servers
interval Set the interval between periodic connectivity status checks
<number> Enter the interval in seconds (Default: 60; Range: 60­86400)

aaa radius­server keepalive retry <number>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 25/315
27/4/2016 Aerohive CLI Guide

aaa Set parameters for AAA (authentication, authorization, accounting)

radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
keepalive Set parameters for periodically checking network connectivity to RADIUS servers
Set the number of times to retry sending an Access­Request or Accounting­Request that
retry
does not elicit a response from a RADIUS authentication or accounting server
<number> Enter the retry value (Default: 3; Range: 1­10)

aaa radius­server keepalive retry­interval <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
keepalive Set parameters for periodically checking network connectivity to RADIUS servers
retry­interval Set the interval between retries if no response is received from the RADIUS server
<number> Enter the retry interval value in seconds (Default: 10; Range: 1­60)

aaa radius­server keepalive username <string> password <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
keepalive Set parameters for periodically checking network connectivity to RADIUS servers
Set the user name to submit in Access­Request messages when checking the connectivity to
username
RADIUS authentication servers
<string> Enter the user name (1­32 chars)
password Set the password to submit in Access­Request messages
<string> Enter the password (1­64 chars)

aaa radius­server local acct­enable

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
acct­enable Enable the local RADIUS server accounting functionality

aaa radius­server local attr­map group­attr­name <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
Map an attribute defined on a remote LDAP server to an attribute on the local RADIUS
attr­map
server
group­attr­name Set the user group attribute name that is defined on the LDAP server
Enter the attribute name (1­32 chars; Note: The attribute type must be "string". Default
<string>
attribute in AD: memberOf; in OD: apple­group­realname; in LDAP server: radiusGroupName)

aaa radius­server local attr­map reauth­attr­name <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
Map an attribute defined on a remote LDAP server to an attribute on the local RADIUS
attr­map
server
reauth­attr­name Set the user reauthentication time attribute name that is defined on the LDAP server
Enter the attribute name (1­32 chars; Note: The attribute type must be "integer".
<string>
Default attribute in AD: msRADIUSServiceType; in LDAP server: radiusServiceType)

aaa radius­server local attr­map user­profile­attr­name <string>

aaa Set parameters for AAA (authentication, authorization, accounting)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 26/315
27/4/2016 Aerohive CLI Guide

radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
Map an attribute defined on a remote LDAP server to an attribute on the local RADIUS
attr­map
server
user­profile­attr­name Set the user group ID attribute name that is defined on the LDAP server
Enter the attribute name (1­32 chars; Note: The attribute type must be "string". Default
<string>
attribute in AD: msRADIUSCallbackNumber; in LDAP server: radiusCallbackNumber)

aaa radius­server local attr­map vlan­attr­name <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
Map an attribute defined on a remote LDAP server to an attribute on the local RADIUS
attr­map
server
vlan­attr­name Set the VLAN ID attribute that is defined on the LDAP server
Enter the attribute name (1­32 chars; Note: The attribute type must be "string". Default
<string>
attribute in AD: msRASSavedCallbackNumber; in LDAP server: radiusCallbackId)

aaa radius­server local cache lifetime <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
cache Set parameters for caching user­authentication responses from external LDAP servers
lifetime Set the lifetime for entries in the RADIUS server cache
Enter the lifetime for keeping entries in the RADIUS server cache (Default: 86400
<number>
seconds; Range: 3600­2592000)

aaa radius­server local concurrent­session age­timeout <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
concurrent­session Set parameters for concurrent sessions on a RADIUS server
age­timeout Set the age timeout value for a session
Enter the age timeout value, suggest to be 3 times of the account­interim­interval time
<number>
on NAS(Range: 30­300000000; Default: 1800)

aaa radius­server local concurrent­session limit <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
concurrent­session Set parameters for concurrent sessions on a RADIUS server
limit Limit the concurrent sessions of the same user
Enter the limit number (Range: 0­15; Default: 0, which means concurrent limit is
<number>
disabled)

aaa radius­server local db­type active­directory {primary|backup1|backup2|backup3} computer­ou

<string>
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
active­directory Set the user database on an AD (Active Directory) server
primary Set the AD server that is first queried when authenticating users

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 27/315
27/4/2016 Aerohive CLI Guide
backup1 Set the AD server that is queried if the primary server stops responding
backup2 Set the AD server that is queried if the backup1 server stops responding
backup3 Set the AD server that is queried if the backup2 server stops responding
Set the OU (organizational unit) used on the Active Directory server where the AP RADIUS
computer­ou
server admin has privileges to add the AP as a computer in the domain
Enter the OU (Max: 256 chars; Format: ou/sub­ou/sub­ou; Note: If there are any spaces,
<string>
enclose the entire string in quotation marks.)

aaa radius­server local db­type active­directory {primary|backup1|backup2|backup3} domain <string>

binddn <string> password <string>
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
active­directory Set the user database on an AD (Active Directory) server
primary Set the AD server that is first queried when authenticating users
backup1 Set the AD server that is queried if the primary server stops responding
backup2 Set the AD server that is queried if the backup1 server stops responding
backup3 Set the AD server that is queried if the backup2 server stops responding
domain Set the domain name of the AD domain controller
Enter the NetBOIS name of the domain (1­64 chars; Note: The domain name cannot contain
<string>
multiple­level domains delimited by dots.)
Set the bindDN (distinguished name) under which LDAP searches are done (Note: bindDN
binddn must be set if want to get attributes from AD server or want to check TLS username
against LDAP server.)
<string> Enter the bindDN name (1­256 chars)
password Set the password which authenticate the bindDN
<string> Enter the password (1­64 chars)

aaa radius­server local db­type active­directory {primary|backup1|backup2|backup3} domain <string>

fullname <string> [ default ]
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
active­directory Set the user database on an AD (Active Directory) server
primary Set the AD server that is first queried when authenticating users
backup1 Set the AD server that is queried if the primary server stops responding
backup2 Set the AD server that is queried if the backup1 server stops responding
backup3 Set the AD server that is queried if the backup2 server stops responding
domain Set the domain name of the AD domain controller
Enter the NetBOIS name of the domain (1­64 chars; Note: The domain name cannot contain
<string>
multiple­level domains delimited by dots.)
Set the full DNS name of the domain to which the RADIUS server (local AP) and AD server
fullname
both belong
<string> Enter the full DNS name of the domain (1­64 chars)
Set the domain as the default domain, which will be added to the RADIUS request if no
default
domain name appears in the request

aaa radius­server local db­type active­directory {primary|backup1|backup2|backup3} domain <string>

server <string>
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 28/315
27/4/2016 Aerohive CLI Guide
db­type Set the type and location of the user database
active­directory Set the user database on an AD (Active Directory) server
primary Set the AD server that is first queried when authenticating users
backup1 Set the AD server that is queried if the primary server stops responding
backup2 Set the AD server that is queried if the backup1 server stops responding
backup3 Set the AD server that is queried if the backup2 server stops responding
domain Set the domain name of the AD domain controller
Enter the NetBOIS name of the domain (1­64 chars; Note: The domain name cannot contain
<string>
multiple­level domains delimited by dots.)
Set the IP address or resolvable domain name for the AD server (Note: The AD server is
server
the same as the domain controller.)
<string> Enter the IP address or domain name (1­64 chars)

aaa radius­server local db­type active­directory {primary|backup1|backup2|backup3} login admin­user

<string> password <string>
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
active­directory Set the user database on an AD (Active Directory) server
primary Set the AD server that is first queried when authenticating users
backup1 Set the AD server that is queried if the primary server stops responding
backup2 Set the AD server that is queried if the backup1 server stops responding
backup3 Set the AD server that is queried if the backup2 server stops responding
login Set admin user name and password that the local AP will use to access the AD server
admin­user Set the admin user name
<string> Enter the user name (1­32 chars)
password Set the password which authenticate the login user
<string> Enter the password (1­64 chars)

aaa radius­server local db­type active­directory {primary|backup1|backup2|backup3} {server} <string> [

{via­vpn­tunnel} ]
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
active­directory Set the user database on an AD (Active Directory) server
primary Set the AD server that is first queried when authenticating users
backup1 Set the AD server that is queried if the primary server stops responding
backup2 Set the AD server that is queried if the backup1 server stops responding
backup3 Set the AD server that is queried if the backup2 server stops responding
server Set the IP address or resolvable domain name for the AD server
<string> Enter the IP address or domain name (1­64 chars)
Send all traffic from the AP RADIUS authentication server to the AD server through a VPN
via­vpn­tunnel tunnel (Note: Set this option on VPN clients when the AD server is in a different subnet
from the tunnel interface. When they are in the same subnet, tunneling is automatic.)

aaa radius­server local db­type active­directory {primary|backup1|backup2|backup3} {tls­enable|global­

catalog}
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 29/315
27/4/2016 Aerohive CLI Guide
db­type Set the type and location of the user database
active­directory Set the user database on an AD (Active Directory) server
primary Set the AD server that is first queried when authenticating users
backup1 Set the AD server that is queried if the primary server stops responding
backup2 Set the AD server that is queried if the backup1 server stops responding
backup3 Set the AD server that is queried if the backup2 server stops responding
Enable TLS authentication that the local AP, as an LDAP client, uses with the AD server
tls­enable
(Default: Disabled)
Set the AP to use TCP port 3268 when doing an LDAP search on an AD global catalog server
global­catalog
(Default: Disabled)

aaa radius­server local db­type ldap­server sub­type edirectory

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
ldap­server Set the user database on an LDAP server
sub­type Set the type of LDAP server
edirectory Set the user database on an eDirectory LDAP server

aaa radius­server local db­type ldap­server sub­type edirectory acct­policy­check

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
ldap­server Set the user database on an LDAP server
sub­type Set the type of LDAP server
edirectory Set the user database on an eDirectory LDAP server
Enable the Novell eDirectory account policy check and intruder detection for RADIUS
acct­policy­check
users (Default: Disabled)

aaa radius­server local db­type ldap­server {primary|backup1|backup2|backup3} basedn <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
ldap­server Set the user database on an LDAP server
primary Set the LDAP server that is first queried when authenticating users
backup1 Set the LDAP server that is queried if the primary server stops responding
backup2 Set the LDAP server that is queried if the backup1 server stops responding
backup3 Set the LDAP server that is queried if the backup2 server stops responding
Set the base DN (distinguished name) where the user profiles are located in the LDAP
basedn
tree structure
Enter the base DN (1­256 chars; Note: If there are any spaces, enclose the whole string
<string>
in quotation marks.)

aaa radius­server local db­type ldap­server {primary|backup1|backup2|backup3} binddn <string> password

<string>
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server

db­type Set the type and location of the user database

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 30/315
27/4/2016 Aerohive CLI Guide
ldap­server Set the user database on an LDAP server
primary Set the LDAP server that is first queried when authenticating users
backup1 Set the LDAP server that is queried if the primary server stops responding
backup2 Set the LDAP server that is queried if the backup1 server stops responding
backup3 Set the LDAP server that is queried if the backup2 server stops responding
binddn Set the bind DN (distinguished name) under which LDAP searches are done
Enter the bind DN (1­256 chars; Note: If there are any spaces, enclose the whole string
<string>
in quotation marks.)
password Set the password which authenticate the bindDN
<string> Enter the password (1­64 chars)

aaa radius­server local db­type ldap­server {primary|backup1|backup2|backup3} filter­attr <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
ldap­server Set the user database on an LDAP server
primary Set the LDAP server that is first queried when authenticating users
backup1 Set the LDAP server that is queried if the primary server stops responding
backup2 Set the LDAP server that is queried if the backup1 server stops responding
backup3 Set the LDAP server that is queried if the backup2 server stops responding
Set the LDAP search filter to locate user objects using the name the client supplies
filter­attr
during RADIUS authentication
<string> Enter the filter attribute used to search for the user (Default: "cn"; 1­32 chars)

aaa radius­server local db­type ldap­server {primary|backup1|backup2|backup3} no­strip­filter

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
ldap­server Set the user database on an LDAP server
primary Set the LDAP server that is first queried when authenticating users
backup1 Set the LDAP server that is queried if the primary server stops responding
backup2 Set the LDAP server that is queried if the backup1 server stops responding
backup3 Set the LDAP server that is queried if the backup2 server stops responding
no­strip­filter Do not strip the realm name

aaa radius­server local db­type ldap­server {primary|backup1|backup2|backup3} port <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
ldap­server Set the user database on an LDAP server
primary Set the LDAP server that is first queried when authenticating users
backup1 Set the LDAP server that is queried if the primary server stops responding
backup2 Set the LDAP server that is queried if the backup1 server stops responding
backup3 Set the LDAP server that is queried if the backup2 server stops responding
port Set the destination port number for communicating with the LDAP server
<number> Enter the destination port number (Default: 389, 636 for LDAPS; Range: 1­65535)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 31/315
27/4/2016 Aerohive CLI Guide
aaa radius­server local db­type ldap­server {primary|backup1|backup2|backup3} protocol {ldap|ldaps}
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
ldap­server Set the user database on an LDAP server
primary Set the LDAP server that is first queried when authenticating users
backup1 Set the LDAP server that is queried if the primary server stops responding
backup2 Set the LDAP server that is queried if the backup1 server stops responding
backup3 Set the LDAP server that is queried if the backup2 server stops responding
protocol Set the protocol for communicating with the LDAP server
ldap Set LDAP as the protocol for communicating with the LDAP server (Default: LDAP)
Set LDAPS (Secure LDAP) as the protocol for communicating with the LDAP server (Default:
ldaps
LDAP)

aaa radius­server local db­type ldap­server {primary|backup1|backup2|backup3} {server} <string> [

{via­vpn­tunnel} ]
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
ldap­server Set the user database on an LDAP server
primary Set the LDAP server that is first queried when authenticating users
backup1 Set the LDAP server that is queried if the primary server stops responding
backup2 Set the LDAP server that is queried if the backup1 server stops responding
backup3 Set the LDAP server that is queried if the backup2 server stops responding
server Set the IP address or resolvable domain name for the LDAP server
<string> Enter the IP address or domain name (1­32 chars)
Send all traffic from the AP RADIUS authentication server to the LDAP server through a
VPN tunnel(Note: Set this option on VPN clients when the LDAP server is in a different
via­vpn­tunnel
subnet from the tunnel interface. When they are in the same subnet, tunneling is
automatic.)

aaa radius­server local db­type library­sip­server {primary} institution­id <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
Set parameters for the local RADIUS server to communicate with a library SIP (Standard
library­sip­server
Interchange Protocol) server
primary Set the library SIP server that is first queried when authenticating users
Set institution ID that the local RADIUS server provides when exchanging messages with
institution­id
the library SIP server
<string> Enter the institution ID (1­64 chars)

aaa radius­server local db­type library­sip­server {primary} login­enable

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
Set parameters for the local RADIUS server to communicate with a library SIP (Standard
library­sip­server Interchange Protocol) server

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 32/315
27/4/2016 Aerohive CLI Guide
primary Set the library SIP server that is first queried when authenticating users
Enable the AP, acting as a library SIP client, to log in when connecting to the library
login­enable
SIP server (Default: Disabled)

aaa radius­server local db­type library­sip­server {primary} login­user <string> password <string>
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
Set parameters for the local RADIUS server to communicate with a library SIP (Standard
library­sip­server
Interchange Protocol) server
primary Set the library SIP server that is first queried when authenticating users
Set the user name that the local RADIUS server submits when logging in to the library
login­user
SIP server
<string> Enter the user name (1­32 chars)
Set the password that the local AP RADIUS server submits when logging in to the library
password
SIP server
<string> Enter the password (1­32 chars)

aaa radius­server local db­type library­sip­server {primary} port <port>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
Set parameters for the local RADIUS server to communicate with a library SIP (Standard
library­sip­server
Interchange Protocol) server
primary Set the library SIP server that is first queried when authenticating users
port Set the library SIP server port number
<port> [1~65535]Enter the port number (Default: 6001; Range: 1­65535)

aaa radius­server local db­type library­sip­server {primary} separator <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
Set parameters for the local RADIUS server to communicate with a library SIP (Standard
library­sip­server
Interchange Protocol) server
primary Set the library SIP server that is first queried when authenticating users
Set the character that the library SIP server uses to separate multiple field name +
separator
value entries
<string> Enter the separator (1 char; Default: '|')

aaa radius­server local db­type library­sip­server {primary} {server} <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
Set parameters for the local RADIUS server to communicate with a library SIP (Standard
library­sip­server
Interchange Protocol) server
primary Set the library SIP server that is first queried when authenticating users
server Set IP address or domain name of the library SIP server

<string> Enter the IP address or domain name (Domain name: 1­32 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 33/315
27/4/2016 Aerohive CLI Guide
aaa radius­server local db­type local
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
local Set the user database on the local AP

aaa radius­server local db­type open­directory {primary|backup1|backup2|backup3} admin­user <string>

password <string>
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
open­directory Set the user database on an OD (Open Directory) server
primary Set the OD server that is first queried when authenticating users
backup1 Set the OD server that is queried if the primary server stops responding
backup2 Set the OD server that is queried if the backup1 server stops responding
backup3 Set the OD server that is queried if the backup2 server stops responding
admin­user Set the admin user name that the local AP uses when logging in to the OD server
<string> Enter the user name (1­32 chars)
password Set the password that the local AP uses when logging in to the OD server
<string> Enter the password (1­64 chars)

aaa radius­server local db­type open­directory {primary|backup1|backup2|backup3} domain <string>

binddn <string> password <string>
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
open­directory Set the user database on an OD (Open Directory) server
primary Set the OD server that is first queried when authenticating users
backup1 Set the OD server that is queried if the primary server stops responding
backup2 Set the OD server that is queried if the backup1 server stops responding
backup3 Set the OD server that is queried if the backup2 server stops responding
domain Set the domain name of the OD domain controller
<string> Enter the name of the domain (1­64 chars)
binddn Set the bindDN (distinguished name) under which LDAP searches are done
<string> Enter the bindDN name (1­256 chars)
password Set the password which authenticate the bindDN
<string> Enter the password (1­64 chars)

aaa radius­server local db­type open­directory {primary|backup1|backup2|backup3} domain <string>

fullname <string>
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
open­directory Set the user database on an OD (Open Directory) server
primary Set the OD server that is first queried when authenticating users

backup1 Set the OD server that is queried if the primary server stops responding
backup2 Set the OD server that is queried if the backup1 server stops responding
http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 34/315
27/4/2016 Aerohive CLI Guide

backup3 Set the OD server that is queried if the backup2 server stops responding
domain Set the domain name of the OD domain controller
<string> Enter the name of the domain (1­64 chars)
fullname Set the full DNS name of the OD domain server
<string> Enter the full DNS name of the domain (1­64 chars)

aaa radius­server local db­type open­directory {primary|backup1|backup2|backup3} filter­attr <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
open­directory Set the user database on an OD (Open Directory) server
primary Set the OD server that is first queried when authenticating users
backup1 Set the OD server that is queried if the primary server stops responding
backup2 Set the OD server that is queried if the backup1 server stops responding
backup3 Set the OD server that is queried if the backup2 server stops responding
Set the LDAP search filter to locate user objects using the name the client supplies
filter­attr
during RADIUS authentication
<string> Enter the filter attribute used to search for the user (Default: "uid"; 1­32 chars)

aaa radius­server local db­type open­directory {primary|backup1|backup2|backup3} no­strip­filter

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
open­directory Set the user database on an OD (Open Directory) server
primary Set the OD server that is first queried when authenticating users
backup1 Set the OD server that is queried if the primary server stops responding
backup2 Set the OD server that is queried if the backup1 server stops responding
backup3 Set the OD server that is queried if the backup2 server stops responding
no­strip­filter Do not strip the realm name

aaa radius­server local db­type open­directory {primary|backup1|backup2|backup3} tls­enable

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
db­type Set the type and location of the user database
open­directory Set the user database on an OD (Open Directory) server
primary Set the OD server that is first queried when authenticating users
backup1 Set the OD server that is queried if the primary server stops responding
backup2 Set the OD server that is queried if the backup1 server stops responding
backup3 Set the OD server that is queried if the backup2 server stops responding
Enable TLS authentication that the local AP, as an LDAP client, uses with the OD server
tls­enable
(Default: Disabled)

aaa radius­server local ldap­auth {primary|backup1|backup2|backup3} type tls ca­cert <string> [

client­cert <string> private­key <string> [ private­key­password <string> ] ] [ verify­server
{never|try|demand} ]
aaa Set parameters for AAA (authentication, authorization, accounting)

radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 35/315
27/4/2016 Aerohive CLI Guide
local Set the local Aerohive device as a RADIUS server
Set the authentication method that the local AP, as an LDAP client, uses with the LDAP
ldap­auth
server
primary Set the authentication method for the first LDAP server
backup1 Set the authentication method for the second LDAP server
backup2 Set the authentication method for the third LDAP server
backup3 Set the authentication method for the fourth LDAP server
type Set the authentication type to use for LDAP communications
tls Set the authentication type as TLS (Transport Layer Security)
Set the CA certificate that the local AP uses when authenticating itself as an LDAP
ca­cert
client to an LDAP server
<string> Enter the file name of the CA certificate (1­32 chars)
Set the client certificate that the local AP uses when authenticating itself to an LDAP
client­cert
server
<string> Enter the file name of the client certificate (1­32 chars)
private­key Set the private key that the local AP uses to authenticate itself to an LDAP server
<string> Enter the name of the private key file (1­32 chars)
private­key­password Set the password for the private key that is used when forming a TLS tunnel
<string> Enter the password (1­32 chars)
verify­server Set options for verifying the LDAP server (Default: LDAP server verification is try.)
never never verify the identity of the LDAP server (Default: try)
try try verify the identity of the LDAP server (Default: try)
demand demand verify the identity of the LDAP server (Default: try)

aaa radius­server local library­sip­policy <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
Set a library SIP policy to enforce when the local RADIUS server acts as a library SIP
library­sip­policy
client
<string> Enter the library SIP policy name (1­32 chars)

aaa radius­server local local­check­period <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
Set the length of time that the local AP RADIUS server checks just its cache of user­
local­check­period authentication responses and its own database before retrying previously unresponsive
LDAP servers
Enter the interval for checking the local RADIUS cache and database (Default: 300 secs;
<number>
Min: 30; Max: 3600)

aaa radius­server local nas <string> shared­key <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
Set parameters for communicating with other hive members acting as the RADIUS NAS
nas
(Network Access Server) devices
Enter the IP address or resolvable domain name (1­32 chars) for a single NAS device or
<string>
the subnet for multiple devices
shared­key Set the shared secret for authenticating communications with the RADIUS NAS
<string> Enter the shared secret (1­31 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 36/315
27/4/2016 Aerohive CLI Guide
aaa radius­server local nas <string> tls
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
Set parameters for communicating with other hive members acting as the RADIUS NAS
nas
(Network Access Server) devices
Enter the IP address or resolvable domain name (1­32 chars) for a single NAS device or
<string>
the subnet for multiple devices
Set TLS (Transport Layer Security) encryption for securing communications with the
tls
RADIUS NAS devices

aaa radius­server local port <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
port Set the local RADIUS port number
<number> Enter the RADIUS port number (Default: 1812; Range: 1­65535)

aaa radius­server local remote­check­period <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
Set the length of time that the local AP RADIUS server will repeatedly try contacting an
remote­check­period
unresponsive LDAP server before giving up
<number> Enter the LDAP server retry interval (Default: 30 secs; Min: 10; Max: 3600)

aaa radius­server local require­message­authenticator

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
require­message­ Enable the local RADIUS server to require Message­Authenticator, if client doesn't, then
authenticator the packet will be silently discarded(Default: Disabled)

aaa radius­server local retry­interval <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
Set the interval after which the AP RADIUS server tries to contact a previously
retry­interval
unresponsive primary LDAP server (even if a backup server is currently responding)
Enter the interval for retrying the primary LDAP server (Default: 600 secs; Min: 60;
<number>
Max: 200000000)

aaa radius­server local shared­secret­auto­gen

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
Enable the automatic generation of shared secrets when static entries are not found
shared­secret­auto­gen
(Default: Enabled)

aaa radius­server local sta­auth ca­cert <string> server­cert <string> private­key <string> [ private­
key­password <string> ]
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server
Set parameters for a RADIUS (Remote Authentication Dial In User Service) server

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 37/315
27/4/2016 Aerohive CLI Guide
local Set the local Aerohive device as a RADIUS server
sta­auth Set the authentication type and certificate parameters for authenticating users
ca­cert Set the CA certificate for a TLS (Transport Layer Security) tunnel
<string> Enter the file name of the CA certificate (1­32 chars)
server­cert Set the server certificate used when forming a TLS tunnel
<string> Enter the file name of the server certificate (1­32 chars)
private­key Set the private key used when forming a TLS tunnel
<string> Enter the name of the private key file (1­32 chars)
private­key­password Set the password for encrypting the private key used when forming a TLS tunnel
<string> Enter a password (1­64 chars)

aaa radius­server local sta­auth default­type {leap|peap|tls|ttls|md5}

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
sta­auth Set the authentication type and certificate parameters for authenticating users
default­type Set the default RADIUS authentication type
Set LEAP (Lightweight Extensible Authentication Protocol) as the default RADIUS
leap
authentication type (Default: peap)
Set PEAP (Protected Extensible Authentication Protocol) as the default RADIUS
peap
authentication type (Default: peap)
Set TLS (Transport Layer Security) as the default RADIUS authentication type (Default:
tls
peap)
ttls Set TTLS (Tunneled TLS) as the default RADIUS authentication type (Default: peap)
md5 Set MD5 as the default RADIUS authentication type (Default: peap)

aaa radius­server local sta­auth type tls {check­cert­cn|check­in­db}

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
sta­auth Set the authentication type and certificate parameters for authenticating users
type Set the RADIUS authentication type (Default: tls+peap+ttls+leap+md5)
Set TLS (Transport Layer Security) as the RADIUS authentication type (Default:
tls
tls+peap+ttls+leap+md5)
check­cert­cn Check the CN (common name) in the certificate against the user name (Default: Disabled)
check­in­db Query databases to check if the user exists (Default: Disabled)

aaa radius­server local sta­auth type {leap|peap|tls|ttls|md5}

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
sta­auth Set the authentication type and certificate parameters for authenticating users
type Set the RADIUS authentication type (Default: tls+peap+ttls+leap+md5)
Set LEAP (Lightweight Extensible Authentication Protocol) as the RADIUS authentication
leap
type (Default: tls+peap+ttls+leap+md5)
Set PEAP (Protected Extensible Authentication Protocol) as the RADIUS authentication
peap
type (Default: tls+peap+ttls+leap+md5)
Set TLS (Transport Layer Security) as the RADIUS authentication type (Default:
tls tls+peap+ttls+leap+md5)

Set TTLS (Tunneled TLS) as the RADIUS authentication type (Default:

ttls
tls+peap+ttls+leap+md5)
md5 Set MD5 as the RADIUS authentication type (Default: tls+peap+ttls+leap+md5)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 38/315
27/4/2016 Aerohive CLI Guide
aaa radius­server local sta­auth type {peap|ttls} check­in­db
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
sta­auth Set the authentication type and certificate parameters for authenticating users
type Set the RADIUS authentication type (Default: tls+peap+ttls+leap+md5)
Set PEAP (Protected Extensible Authentication Protocol) as the RADIUS authentication
peap
type (Default: tls+peap+ttls+leap+md5)
Set TTLS (Tunneled TLS) as the RADIUS authentication type (Default:
ttls
tls+peap+ttls+leap+md5)
Enable the local RADIUS server to query the Active Directory database to check that user
check­in­db accounts are stored under the proper baseDN before authenticating them (Default:
Disabled)

aaa radius­server local user­group <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
user­group Add a user group on the local RADIUS server
<string> Enter the user group name (1­32 chars)

aaa radius­server local {enable|cache}

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
local Set the local Aerohive device as a RADIUS server
enable Enable RADIUS server functionality on the local AP
cache Set parameters for caching user­authentication responses from external LDAP servers

aaa radius­server name <string> acct­port <port>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
name Set the name for the RADIUS server
Enter the name of the RADIUS server (1­32 chars; Note: Use this name when assigning the
<string>
server to a realm.)
acct­port Set the RADIUS accounting port number
<port> [1~65535]Enter the RADIUS accounting port number (Default: 1813; Range: 1­65535)

aaa radius­server name <string> auth­port <port>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
name Set the name for the RADIUS server
Enter the name of the RADIUS server (1­32 chars; Note: Use this name when assigning the
<string>
server to a realm.)
auth­port Set the RADIUS authentication port number
<port> [1~65535]Enter the RADIUS authentication port number (Default: 1812; Range: 1­65535)

aaa radius­server name <string> server <string> shared­secret <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
name Set the name for the RADIUS server
Enter the name of the RADIUS server (1­32 chars; Note: Use this name when assigning the
<string> server to a realm.)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 39/315
27/4/2016 Aerohive CLI Guide
server Set the IP address or resolvable domain name for the RADIUS server
<string> Enter the IP address or domain name (max 32 chars)
shared­secret Set the shared secret for authenticating communications with a RADIUS server
Enter the shared secret (1­64 chars; Note: The RADIUS shared secret is case sensitive
<string>
and can contain spaces.)

aaa radius­server name <string> server <string> tls

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
name Set the name for the RADIUS server
Enter the name of the RADIUS server (1­32 chars; Note: Use this name when assigning the
<string>
server to a realm.)
server Set the IP address or resolvable domain name for the RADIUS server
<string> Enter the IP address or domain name (max 32 chars)
Set TLS (Transport Layer Security) encryption for authenticating communications with the
tls
RADIUS server

aaa radius­server name <string> tls­port <port>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
name Set the name for the RADIUS server
Enter the name of the RADIUS server (1­32 chars; Note: Use this name when assigning the
<string>
server to a realm.)
tls­port Set the TLS (Transport Layer Security) port number
<port> [1~65535]Enter the TLS port number (Range: 1­65535; Default: 2083)

aaa radius­server proxy dead­time <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
proxy Set parameters for proxying RADIUS requests
Set the interval after which the AP tries to contact a previously unresponsive RADIUS
dead­time
server
<number> Enter the interval in seconds (Default: 300; Range: 30­3600)

aaa radius­server proxy inject operator­name

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
proxy Set parameters for proxying RADIUS requests
inject Set injection parameters for RADIUS Access­Request and Accounting­Request packets
Set the operator name of the RADIUS Access­Request and Accounting­Request packets (Note:
The operator name contains the operator namespace ID and the operator name. The operator
operator­name
name is combined with the namespace ID to uniquely identify the owner of the access
network.)

aaa radius­server proxy radsec acct­port <port>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
proxy Set parameters for proxying RADIUS requests
Set parameters to proxy RADIUS requests over a secure TLS tunnel between the local
radsec
device and a RADIUS server
acct­port Set the RadSec proxy accounting port number

<port> [1~65535]Enter the RadSec proxy accounting port number (Range: 1­65535; Default: 1813)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 40/315
27/4/2016 Aerohive CLI Guide
aaa radius­server proxy radsec auth­port <port>
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
proxy Set parameters for proxying RADIUS requests
Set parameters to proxy RADIUS requests over a secure TLS tunnel between the local
radsec
device and a RADIUS server
auth­port Set the RadSec proxy authentication port number
[1~65535]Enter the RadSec proxy authentication port number (Range: 1­65535; Default:
<port>
1812)

aaa radius­server proxy radsec dynamic­auth­extension

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
proxy Set parameters for proxying RADIUS requests
Set parameters to proxy RADIUS requests over a secure TLS tunnel between the local
radsec
device and a RADIUS server
Enable the RadSec proxy to accept unsolicited messages from the RADIUS authentication
dynamic­auth­extension
server (Default: Disabled)

aaa radius­server proxy radsec enable

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
proxy Set parameters for proxying RADIUS requests
Set parameters to proxy RADIUS requests over a secure TLS tunnel between the local
radsec
device and a RADIUS server
enable Enable RadSec proxy functionality on the Aerohive device

aaa radius­server proxy radsec realm <string> {primary|backup} <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
proxy Set parameters for proxying RADIUS requests
Set parameters to proxy RADIUS requests over a secure TLS tunnel between the local
radsec
device and a RADIUS server
Set parameters for proxying requests to RADIUS servers based on the realm specified in
realm
submitted user names
Enter the realm name (1­32 chars; Note: Assign a server to the "NULL" realm to proxy
<string> requests that do not include a realm name to that server. Assign a server to "DEFAULT"
to send it requests containing an unconfigured realm.)
primary Assign a primary RADIUS server to the realm
backup Assign a backup RADIUS server to the realm
<string> Enter the RADIUS server name (1­32 chars)

aaa radius­server proxy radsec tls­port <port>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
proxy Set parameters for proxying RADIUS requests
Set parameters to proxy RADIUS requests over a secure TLS tunnel between the local
radsec
device and a RADIUS server
tls­port Set the auth proxy TLS port number (Max: 8 ports per Aerohive device)
<port> [1~65535]Enter the auth proxy TLS port number (Range: 1­65535; Default: 80,443)

aaa radius­server proxy realm <string> no­strip

aaa Set parameters for AAA (authentication, authorization, accounting)

radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 41/315
27/4/2016 Aerohive CLI Guide

proxy Set parameters for proxying RADIUS requests

Set parameters for proxying requests to RADIUS servers based on the realm specified in
realm
submitted user names
Enter the realm name (1­32 chars; Note: Assign a server to the "NULL" realm to proxy
<string> requests that do not include a realm name to that server. Assign a server to "DEFAULT"
to send it requests containing an unconfigured realm.)
Do not strip the realm name from a submitted user name when proxying requests to the
no­strip
RADIUS server (Default: The realm name is stripped from proxied requests.)

aaa radius­server proxy realm <string> {primary|backup} <string>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
proxy Set parameters for proxying RADIUS requests
Set parameters for proxying requests to RADIUS servers based on the realm specified in
realm
submitted user names
Enter the realm name (1­32 chars; Note: Assign a server to the "NULL" realm to proxy
<string> requests that do not include a realm name to that server. Assign a server to "DEFAULT"
to send it requests containing an unconfigured realm.)
primary Assign a primary RADIUS server to the realm
backup Assign a backup RADIUS server to the realm
<string> Enter the RADIUS server name (1­32 chars)

aaa radius­server proxy realm format {nai|nt­domain}

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
proxy Set parameters for proxying RADIUS requests
Set parameters for proxying requests to RADIUS servers based on the realm specified in
realm
submitted user names
format Set the format in which a realm name is appended to a user's name in request packets
nai Set NAI (network access identifier) as the realm name format: user@realm (Default: NAI)
nt­domain Set Windows NT domain as the realm name format: realm\user (Default: NAI)

aaa radius­server proxy retry­delay <number> retry­count <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
proxy Set parameters for proxying RADIUS requests
Set the interval to wait for a response from the RADIUS server before resending a
retry­delay
proxied request
<number> Enter the interval between retries in seconds (Default: 5; Range: 3­10)
retry­count Set the number of times to retry proxying a request to the RADIUS server
<number> Enter the number of retries (Default: 3; Range: 1­10)

aaa radius­server retry­interval <number>

aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
retry­interval Set RADIUS server retry interval
<number> Enter RADIUS server retry interval (Default: 600 secs; Range: 60­100000000)

aaa radius­server {primary|backup1|backup2|backup3} <ip_addr|string> [ shared­secret <string> ] [

auth­port <number> ] [ acct­port <number> ] [ via­vpn­tunnel ]
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
primary Set the RADIUS server that is first queried when authenticating users

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 42/315
27/4/2016 Aerohive CLI Guide
backup1 Set the RADIUS server that is queried if the primary server stops responding
backup2 Set the RADIUS server that is queried if the backup1 server stops responding
backup3 Set the RADIUS server that is queried if the backup2 server stops responding
<ip_addr> Enter an IP address or a domain name for the RADIUS server (max 32 chars)
<string> Enter an IP address or a domain name for the RADIUS server (max 32 chars)
shared­secret Set the shared secret for authenticating communications with a RADIUS server
Enter the shared secret for authenticating communications with a RADIUS server (1­64
<string>
chars)
auth­port Set the RADIUS authentication port number
<number> Enter the RADIUS authentication port number (Default: 1812; Range: 1­65535)
acct­port Set the RADIUS accounting port number
<number> Enter the RADIUS accounting port number (Default: 0; Range: 0­65535)
Send all RADIUS traffic through a VPN tunnel (Note: Set this option on VPN clients when
via­vpn­tunnel the RADIUS server is in a different subnet from the tunnel interface. When they are in
the same subnet, tunneling is automatic.)

access­console custom­ssid <string>

access­console Set access console parameters
custom­ssid Set custom SSID profile name for the access console
<string> Enter an SSID profile name (1­32 chars)

access­console hide­ssid
access­console Set access console parameters
hide­ssid Hide the SSID in beacons and ignore broadcast probe requests(Default: disabled)

access­console max­client <number>

access­console Set access console parameters
max­client Set the maximum number of clients that can associate with the access console SSID
<number> Enter the maximum number of clients that can associate (Default: 2; Range: 1­64)

access­console mode {auto|disable|enable}

access­console Set access console parameters
Set the mode for the access console (Note: 'auto' enables the access console only when
mode there is no Ethernet or wireless backhaul connection. 'enable' and 'disable' set the
mode manually.)
auto Set the mode as auto (Default: auto)
disable Set the mode as disable (Default: auto)
enable Set the mode as enable (Default: auto)

access­console security mac­filter <string>

access­console Set access console parameters
security Set the security parameters for the access console
Assign a MAC filter to the access console to restrict access only to those MAC addresses
mac­filter
and OUIs (organizational unique identifiers) specified in the filter
<string> Enter the filter name (1­32 chars)

access­console security protocol­suite open

access­console Set access console parameters
security Set the security parameters for the access console
protocol­suite Set the security protocol suite for the access console
open Set the security protocol suite as open

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 43/315
27/4/2016 Aerohive CLI Guide
access­console security protocol­suite {wpa2­aes­psk|wpa2­tkip­psk|wpa­auto­psk} ascii­key <string>
access­console Set access console parameters
security Set the security parameters for the access console
protocol­suite Set the security protocol suite for the access console
wpa2­aes­psk Set the security protocol suite as wpa2­aes­psk
wpa2­tkip­psk Set the security protocol suite as wpa2­tkip­psk
wpa­auto­psk Set the security protocol suite as wpa­auto­psk
ascii­key Set key type as an ASCII string
<string> Enter the ASCII key value (8­63 chars)

access­console telnet
access­console Set access console parameters
telnet Enable Telnet manageability of the access console (Default: enabled)

admin auth radius­method [ {pap|chap|ms­chap­v2} ]

admin Set the administrator parameters
auth Set the administrators authentication method
radius­method Authenticate admins by checking accounts stored on an external RADIUS server
Set PAP (Password Authentication Protocol) as the method for sending authentication
pap
requests between the AP and RADIUS server (Default: PAP)
Set CHAP (Challenge­Handshake Authentication Protocol) as the method for sending
chap
authentication requests between the AP and RADIUS server (Default: PAP)
Set MS­CHAP­v2 (Microsoft CHAP Version 2) as the method for sending authentication
ms­chap­v2
requests between the AP and RADIUS server (Default: PAP)

admin auth {local|radius|both}

admin Set the administrator parameters
auth Set the administrators authentication method
local Authenticate admins by checking accounts stored on the local database (Default: local)
radius Authenticate admins by checking accounts stored on an external RADIUS server
Authenticate admins by checking accounts on an external RADIUS server first and the
both
local database second

admin manager­ip <ip_addr/netmask>

admin Set the administrator parameters
Allow administrative access from a host or subnet (By default, access from all addresses
manager­ip
are allowed.)
<ip_addr/netmask> Enter an IP address and netmask

admin min­password­length <number>

admin Set the administrator parameters
min­password­length Set the minimum password length
<number> Enter the minimum password length (Default: 8; Range: 8­32)

admin root­admin <string> password <string>

admin Set the administrator parameters
The root­admin has complete privileges, including the ability to add, modify, and delete
root­admin
other admins
<string> Enter root­admin name (3­20 chars)
password Set password for the root­admin
Set password for the root­admin ([min­password­length]­32 chars, use CLI "show min­
<string>
password­length" to get value of min­password­length, default: 8)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 44/315
27/4/2016 Aerohive CLI Guide
admin {read­write|read­only} <string> password <string>
admin Set the administrator parameters
The read­write admin has the ability to view, set commands and modify his or her own
read­write password, but not the ability to reset the configuration or add, modify, and delete
other admins
read­only The read­only admin has the ability to view settings
<string> Enter an admin user's name (3­20 chars)
password Set password for the user
Set password for the user ([min­password­length]­32 chars, use CLI "show min­password­
<string>
length" to get value of min­password­length, default: 8)

alg {ftp|tftp|sip|dns|http} enable

alg Set ALG (Application Level Gateway) parameters
ftp Set an FTP (File Transfer Protocol) ALG
tftp Set a TFTP (Trivial File Transfer Protocol) ALG
sip Set a SIP (Session Initiation Protocol) ALG
dns Set a DNS (Domain Name System) ALG
http Set an HTTP ALG
enable Enable ALG functionality

alg {ftp|tftp|sip|dns} qos <number>

alg Set ALG (Application Level Gateway) parameters
ftp Set an FTP (File Transfer Protocol) ALG
tftp Set a TFTP (Trivial File Transfer Protocol) ALG
sip Set a SIP (Session Initiation Protocol) ALG
dns Set a DNS (Domain Name System) ALG
qos Set an Aerohive QoS class for ALG data traffic
Enter an Aerohive QoS class (Default: 0 for FTP, 0 for TFTP, 6 for SIP, 0 for DNS;
<number>
Range: 0­7)

alg {ftp|tftp|sip} inactive­data­timeout <number>

alg Set ALG (Application Level Gateway) parameters
ftp Set an FTP (File Transfer Protocol) ALG
tftp Set a TFTP (Trivial File Transfer Protocol) ALG
sip Set a SIP (Session Initiation Protocol) ALG
inactive­data­timeout Set a timeout to close an inactive gate
Enter an inactive gateway timeout value in seconds (Default: 30 for FTP, 30 for TFTP, 60
<number>
for SIP; Range: 1­1800s)

alg {ftp|tftp|sip} max­duration <number>

alg Set ALG (Application Level Gateway) parameters
ftp Set an FTP (File Transfer Protocol) ALG
tftp Set a TFTP (Trivial File Transfer Protocol) ALG
sip Set a SIP (Session Initiation Protocol) ALG
max­duration Set the maximum duration for the ALG
Enter the maximum duration in minutes (Default: 60 for FTP, 60 for TFTP, 720 for SIP;
<number>
Range: 1­7200(min))

amrp interface <ethx|redx|aggx> priority <number>

amrp Set AMRP (Advanced Mobility Routing Protocol) parameters
interface Set AMRP parameters per interface

<ethx> Enter the name of an Ethernet interface, where x = 0 or 1

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 45/315
27/4/2016 Aerohive CLI Guide

<redx> Enter the name of the redundant interface, where x = 0

<aggx> Enter the name of the aggregate interface, where x = 0
Set a priority for the AP to be elected as a DA (designated AP) on the Ethernet link to
priority
which the interface connects
Enter the priority value (Range: 0­255; Default: 0; Note: The greater the number is, the
<number> higher its priority, and the more preferred the AP will be during the DA election
process. For example, 100 has a higher priority than 50.)

amrp l2­neighbor­keepalive­count <number>

amrp Set AMRP (Advanced Mobility Routing Protocol) parameters
l2­neighbor­keepalive­
Number of keepalive packet loss allowed before mesh failover
count
[1~255] Packet number N. Failover delay time is about 2sec * N (Default: 16; Min: 1;
<number>
Max: 255)

amrp metric poll­interval <number>

amrp Set AMRP (Advanced Mobility Routing Protocol) parameters
metric Set route metric parameters for the backhaul link (Ethernet and wireless)
poll­interval Set the interval for polling neighbors to determine current route metrics
<number> Enter the poll­interval value (Default: 60 secs; Range: 10­300)

amrp metric type {aggressive|conservative|normal}

amrp Set AMRP (Advanced Mobility Routing Protocol) parameters
metric Set route metric parameters for the backhaul link (Ethernet and wireless)
type Set the type of behavior governing dynamic changes to route metrics
aggressive Change route metrics to aggressive (Default: normal)
conservative Change route metrics to conservative (Default: normal)
normal Change route metrics to normal (Default: normal)

amrp neighbor <mac_addr> metric min <number> max <number>

amrp Set AMRP (Advanced Mobility Routing Protocol) parameters
neighbor Specify the neighbor to which you want to set AMRP parameters
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
Set route metric parameters for the backhaul link (Ethernet and wireless) to the
metric
neighbor
min Set the minimum metric value
<number> Enter the minimum metric value (Default: 67; Range: 8­1200)
max Set the maximum metric value equal to or greater than the minimum value
<number> Enter the maximum metric value (Default: 67; Range: 8­1200)

amrp vpn­tunnel heartbeat interval <number> retry <number>

amrp Set AMRP (Advanced Mobility Routing Protocol) parameters
vpn­tunnel Set parameters for VPN tunneling
heartbeat Set AMRP (Advanced Mobility Routing Protocol) heartbeat parameters for VPN tunnel
interval Set the interval for sending AMRP heartbeats through the tunnel
Enter the heartbeat interval in seconds (Range: 0­65535; Default: 10; Note: 0 disables
<number>
AMRP heartbeats.)
retry Set the number of times to retry sending a heartbeat when it does not elicit a response
<number> Enter the number of heartbeats to retry sending (Range: 1­255; Default: 10)

application identification cdp­index <number> cdp­name <string>

application Set L7 related parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 46/315
27/4/2016 Aerohive CLI Guide

identification Set L7 identification related parameters

cdp­index Set index for custom defined application
<number> Enter the index for custom defined application (Range: 19000­19099)
cdp­name Specify name for custom defined application
<string> Enter the name of the custom defined application (1 to 8 characters)

application identification cdp­index <number> cdp­rule <string> cdp­module {TCP|UDP|HTTP|TLS}

application Set L7 related parameters
identification Set L7 identification related parameters
cdp­index Set index for custom defined application
<number> Enter the index for custom defined application (Range: 19000­19099)
cdp­rule Specify the rule for custom defined application
<string> Enter the rule for custom defined application (1 to 255 characaters)
cdp­module Specify the module for custom defined application rule
TCP Enter the module for custom defined application rule TCP
UDP Enter the module for custom defined application rule UDP
HTTP Enter the module for custom defined application rule HTTP
TLS Enter the module for custom defined application rule TLS

application identification name <string> value <string>

application Set L7 related parameters
identification Set L7 identification related parameters
name Enter the name of L7 identification parameter
<string> Enter the name of L7 identification parameter
value Enter the value of L7 identification parameter
<string> Enter the value of L7 identification parameter

application identification shutdown

application Set L7 related parameters
identification Set L7 identification related parameters
shutdown Shutdown L7 service

application reporting app­id <string>

application Set L7 related parameters
reporting Set L7 application reporting related parameters
app­id Set L7 app­id related parameters
<string> Enter an app­ids' list seperated by comma

application reporting app­id <string> enable

application Set L7 related parameters
reporting Set L7 application reporting related parameters
app­id Set L7 app­id related parameters
<string> Enter an app­ids' list seperated by comma
enable Enable L7 application reporting for the specified app­id

application reporting collection­period <number> report­period <number>

application Set L7 related parameters
reporting Set L7 application reporting related parameters
collection­period Set L7 collection­period related parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 47/315
27/4/2016 Aerohive CLI Guide
<number> Enter a number in increments of 60 between 60~3600 (Default: 3600)
report­period Set L7 report­period related parameters
<number> Enter a number in increments of 60 between 60~3600 (Default: 3600)

application reporting upload <url> time­window <number> [ admin <string> password <string>
{basic|digest} ]
application Set L7 related parameters
reporting Set L7 application reporting related parameters
upload Set L7 application reporting upload parameters
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/, http://domain:port/path/;
Note: You can substitute 'https' for 'http'.)
time­window Reporting time­window
<number> minutes(Range: 1­30)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests

application reporting watch­list <string>

application Set L7 related parameters
reporting Set L7 application reporting related parameters
watch­list Set L7 a watch list related parameters
<string> Enter watch list composed of app­ids and separated by comma

application reporting watch­list <string> enable

application Set L7 related parameters
reporting Set L7 application reporting related parameters
watch­list Set L7 a watch list related parameters
<string> Enter watch list composed of app­ids and separated by comma
enable Enable L7 application reporting for the specified app­id forcibly

application reporting {enable|disable|auto}

application Set L7 related parameters
reporting Set L7 application reporting related parameters
enable Enable L7 application reporting
disable Disable L7 application reporting
auto Automate L7 application reporting

bonjour­gateway enable
bonjour­gateway
enable
Set parameters for the device to act as a Bonjour Gateway, collecting, filtering, and
sharing Bonjour services across subnets/VLANs
Enable Bonjour gateway functionality (Default: Enabled)

bonjour­gateway filter rule <number> [ from <string> ] <string> [ to <string> ] [ metric <number> ]
Set parameters for the device to act as a Bonjour Gateway, collecting, filtering, and
bonjour­gateway
sharing Bonjour services across subnets/VLANs
Set a filter to control which Bonjour services the local gateway transmits to remote
filter gateways

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 48/315
27/4/2016 Aerohive CLI Guide

Set a Bonjour gateway filter rule to determine which services get advertised to Bonjour
rule
gateways in other subnets
<number> Enter the ID for the rule (Range 1­128)
from Set the source from which services are advertised
<string> Enter the source VLAN group name (1­32 chars)
Enter the text string to filter which services are advertised (1­64 chars; Note: A
<string> service is advertised if its name matches the string in a rule. You can use asterisks as
wildcards)
to Set the VLAN group to which services are advertised
<string> Enter the destination VLAN group name (1­32 chars)
Set the maximum number of hops away from the local BDD to accept service advertisements
metric (Note: An immediately neighboring BDD is one hop away, a neighbor of that neighbor is
two hops away, and so on.)
Enter the maximum distance from which service advertisements are acceptable (Range: 0­
<number>
100; Default: 0; Note: A value of 0 means that there is no maximum distance.)

bonjour­gateway filter rule <number> {before|after} rule <number>

Set parameters for the device to act as a Bonjour Gateway, collecting, filtering, and
bonjour­gateway
sharing Bonjour services across subnets/VLANs
Set a filter to control which Bonjour services the local gateway transmits to remote
filter
gateways
Set a Bonjour gateway filter rule to determine which services get advertised to Bonjour
rule
gateways in other subnets
<number> Enter the ID for the rule (Range 1­128)
before Move the rule before another rule in the Bonjour Gateway filter
after Move the rule after another rule in the Bonjour Gateway filter
Set a Bonjour gateway filter rule to determine which services get advertised to Bonjour
rule
gateways in other subnets
<number> Enter the ID for the rule (Range 1­128)

bonjour­gateway neighbor <ip_addr|string>

Set parameters for the device to act as a Bonjour Gateway, collecting, filtering, and
bonjour­gateway
sharing Bonjour services across subnets/VLANs
neighbor Set an AP or CVG as a remote BDD (Bonjour Dedicated Device)
<ip_addr> Enter the IP address or resolvable domain name (1­32 chars) of the remote BDD
<string> Enter the IP address or resolvable domain name (1­32 chars) of the remote BDD

bonjour­gateway priority <number>

Set parameters for the device to act as a Bonjour Gateway, collecting, filtering, and
bonjour­gateway
sharing Bonjour services across subnets/VLANs
Set the priority of the local device to be elected as the BDD (Bonjour Designated
priority
Device)
Enter the BDD election priority (Range: 0­255; Defaults: SR series=50, BR200 series=40,
VG­VA/VG­1U=25, AP370/AP390=23, AP230=21, AP330/AP350=20, AP320/AP340=15,
<number>
AP120/AP121/AP130/AP141/AP170/AP1130=10, AP110=5; Note: Values closer to 255 have higher
priority.)

bonjour­gateway realm <string>

Set parameters for the device to act as a Bonjour Gateway, collecting, filtering, and
bonjour­gateway
sharing Bonjour services across subnets/VLANs
realm Set the name of the Bonjour realm to which the local device belongs
<string> Enter the Bonjour realm name (1­128 chars)

bonjour­gateway vlan <number> [ <number> ]

Set parameters for the device to act as a Bonjour Gateway, collecting, filtering, and
bonjour­gateway
sharing Bonjour services across subnets/VLANs
vlan Set the VLAN or range of VLANs in which to probe for DHCP servers

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 49/315
27/4/2016 Aerohive CLI Guide

<number> Enter the VLAN ID to be probed (Range: 1­4094; Note: If you are defining a range of
VLANs, this is the starting point of that range.)
<number> Enter the last VLAN ID in the range (Range: 1­4094)

boot­param boot­file <string>

boot­param Set parameters for the boot loader
Set the file name of the HiveOS image that you want to load on the local HiveAP through
boot­file
a network connection to a TFTP server
<string> Enter the file name (1­127 chars)

boot­param boot­password <string>

boot­param Set parameters for the boot loader
boot­password Set the password that a root admin must enter to interrupt the auto­boot sequence
<string> Enter the password (8­32 chars)

boot­param country­code <number>

boot­param Set parameters for the boot loader
country­code Set the country code used to control radio channel and power selections
<number> Enter a country code value (Default: 840; Range: 1­10000)

boot­param device <ip_addr/netmask>

boot­param Set parameters for the boot loader
device Set the IP address and netmask of the local HiveAP device
<ip_addr/netmask> Enter the IP address and netmask

boot­param device <ip_addr> <netmask>

boot­param Set parameters for the boot loader
device Set the IP address and netmask of the local HiveAP device
<ip_addr> Enter the IP address
<netmask> Enter the IP netmask

boot­param gateway <ip_addr>

boot­param Set parameters for the boot loader
Set the IP address of the gateway so that the local HiveAP can reach the TFTP server
gateway
with the HiveOS image that you want to load
<ip_addr> Enter the IP address

boot­param native­vlan <number>

boot­param Set parameters for the boot loader
native­vlan Set the native VLAN ID of the local HiveAP
<number> Enter the VLAN ID (Default: 0; Range: 0­4094)

boot­param netboot enable

boot­param Set parameters for the boot loader
Set the HiveAP to boot up automatically from an external TFTP server after an
netboot
application crash occurs
Enable the ability to boot up automatically from an external TFTP server after an
enable
application crash occurs

boot­param netdump dump­file [ <string> ]

boot­param Set parameters for the boot loader
Set parameters for saving a core dump to the TFTP server specified in the "boot­param

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 50/315
27/4/2016 Aerohive CLI Guide
netdump server" command (Note: If the HiveAP crashes, it saves a core dump file to the TFTP
server in its next rebooting phase)
dump­file Set the name of the core dump file to be saved to the TFTP server
<string> Enter the name of the core dump file (Default name: .netdump; 1­32 chars)

boot­param netdump enable

boot­param Set parameters for the boot loader
Set parameters for saving a core dump to the TFTP server specified in the "boot­param
netdump server" command (Note: If the HiveAP crashes, it saves a core dump file to the TFTP
server in its next rebooting phase)
enable Enable the netdump feature (Default: Disabled)

boot­param server <ip_addr>

boot­param Set parameters for the boot loader
Set the IP address of the TFTP server that has the HiveOS image file that you want to
server
load
<ip_addr> Enter the IP address

boot­param vlan <number>

boot­param Set parameters for the boot loader
vlan Set the VLAN that the local HiveAP must use to reach the TFTP server
<number> Enter the VLAN ID (Default: 0; Range: 0­4094)

cac airtime­per­second <number>

Set CAC (Call Admission Control) parameters for regulating the admission of new VoIP
cac
calls
airtime­per­second Set airtime reserved for VoIP calls
<number> Enter the airtime for VoIP calls (Default: 500ms; Range: 100ms­1000ms)

cac enable
Set CAC (Call Admission Control) parameters for regulating the admission of new VoIP
cac
calls
enable Enable CAC protection of VoIP traffic

cac roaming airtime­percentage <number>

Set CAC (Call Admission Control) parameters for regulating the admission of new VoIP
cac
calls
roaming Set parameters for VoIP calls when a client roams
airtime­percentage Set the percentage of airtime reserved for VoIP calls during roaming
<number> Enter the percentage of reserved airtime (Default: 20; Range: 0­100)

capture interface <wifix> [ count <number> ] [ filter <number> ] [ promiscuous ]

capture Set packet capture parameters
interface Enable packet capturing on a radio interface
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
count Set the number of frames to capture
<number> Enter the number of frames to capture (Default: 2000; Range: 1­100000)
filter Set the packet capture filter
<number> Enter a filter ID (Range: 1­64)
Enable the wifi interfaces to operate in promiscuous mode during packet capturing
promiscuous
(Default: Disabled)

capture save interface <wifix> <string>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 51/315
27/4/2016 Aerohive CLI Guide
capture Set packet capture parameters
save Set the packet capture tool to save captured packets to a file
interface Set the packet capture tool to save captured packets to a file on a radio interface
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
Enter a local file name or the remote location, path, and file name (Format: filename or
<string>
tftp://server:/path/filename; Default: wifix.dmp)

capwap client HTTP proxy name <string> port <number>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
HTTP Set HTTP as the application­level protocol using TCP as the transport mode
proxy Set parameters for the HTTP proxy server
name Set the HTTP proxy server name
<string> Enter the IP address or domain name of the HTTP proxy server (1­32 chars)
port Set the HTTP proxy server port number
<number> Enter the port number (Range: 1­65535)

capwap client HTTP proxy user <string> password <string>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
HTTP Set HTTP as the application­level protocol using TCP as the transport mode
proxy Set parameters for the HTTP proxy server
user Set the user name for authenticating the HiveAP with the HTTP proxy server
<string> Enter the authentication user name (1­32 chars)
password Set the user password for authenticating the HiveAP with the HTTP proxy server
<string> Enter the password (1­32 chars)

capwap client default­server­name <string>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
default­server­name Set the default IP address or domain name for the CAPWAP server
<string> Enter IP address or name for CAPWAP server (1­32 chars)

capwap client discovery interval <number>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
discovery Set CAPWAP client discovery parameters
interval Set CAPWAP discovery interval
<number> Enter the CAPWAP discovery interval (Default: 5 secs; Range:1­999)

capwap client discovery maximum interval <number>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
discovery Set CAPWAP client discovery parameters
maximum Set the max time in seconds to wait for a response to a Discovery Request message
interval Set the max time in seconds to wait for a response to a Discovery Request message
Enter the max time to wait for a response to a Discovery Request message (Default: 10
<number>
secs; Range: 2­180)

capwap client discovery method {broadcast}

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 52/315
27/4/2016 Aerohive CLI Guide
capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
discovery Set CAPWAP client discovery parameters
method Set the CAPWAP discovery method
Enable the broadcast of CAPWAP Discovery Request messages in the local Layer 2 domain as
broadcast
part of the CAPWAP server discovery process (Default: Enabled)

capwap client dtls accept­bootstrap­passphrase

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
Set DTLS (Datagram Transport Layer Security) parameters for securing the CAPWAP
dtls
connection
accept­bootstrap­
Always accept the bootstrap passphrase proposed by HiveManager
passphrase

capwap client dtls bootstrap­passphrase <string>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
Set DTLS (Datagram Transport Layer Security) parameters for securing the CAPWAP
dtls
connection
bootstrap­passphrase Set a passphrase for initial and recovery CAPWAP connections
<string> Enter the bootstrap passphrase (16­32 chars)

capwap client dtls enable

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
Set DTLS (Datagram Transport Layer Security) parameters for securing the CAPWAP
dtls
connection
enable Enable CAPWAP client dtls feature

capwap client dtls handshake­wait­time <number>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
Set DTLS (Datagram Transport Layer Security) parameters for securing the CAPWAP
dtls
connection
handshake­wait­time Set the maximum time to wait for a DTLS handshake message from the CAPWAP server
<number> Enter the maximum wait time in seconds (Default: 60; Range: 30­120)

capwap client dtls hm­defined­passphrase <string> key­id <number>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
Set DTLS (Datagram Transport Layer Security) parameters for securing the CAPWAP
dtls
connection
hm­defined­passphrase Use the HiveManager­defined passphrase to secure CAPWAP communications
Enter a passphrase for the HiveAP to use when making a secure CAPWAP connection (16­32
<string>
chars)
key­id Set the key ID for the passphrase
<number> Enter the key ID (Range: 1­255)

capwap client dtls max­retries <number>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters

dtls Set DTLS (Datagram Transport Layer Security) parameters for securing the CAPWAP
connection
http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 53/315
27/4/2016 Aerohive CLI Guide

max­retries Set the maximum number of times to retry making a DTLS connection
<number> Enter the maximum number of retries (Default: 3; Range: 1­65535)

capwap client dtls negotiation enable

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
Set DTLS (Datagram Transport Layer Security) parameters for securing the CAPWAP
dtls
connection
negotiation Set the HiveAP to auto­negotiate the use of DTLS with HiveManager
enable Enable DTLS auto­negotiation

capwap client dtls psk <string>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
Set DTLS (Datagram Transport Layer Security) parameters for securing the CAPWAP
dtls
connection
psk Set the DTLS preshared key manually (instead of deriving it from a passphrase)
<string> Enter the DTLS preshared key in ASCII hex format (1­64 chars)

capwap client dtls session­delete­wait­time <number>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
Set DTLS (Datagram Transport Layer Security) parameters for securing the CAPWAP
dtls
connection
session­delete­wait­
Set the minimum time to wait for DTLS session deletion
time
<number> Enter the wait time in seconds (Default: 5; Range: 1­65535)

capwap client enable

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
enable Enable CAPWAP client

capwap client join timeout <number>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
join Set the interval that the HiveAP waits for a CAPWAP Join Response message
timeout Set the interval that the HiveAP waits for a CAPWAP Join Response message
Enter join interval in seconds to wait for Join Response message (Default: 60 secs;
<number>
Range: 30­999)

capwap client neighbor dead interval <number>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
neighbor Set CAPWAP client neighbor parameters
dead Set the dead interval for CAPWAP neighbors
Set the interval in seconds to wait for ping responses before considering a CAPWAP
interval
neighbor dead
Enter interval to wait for responses before considering a neighbor dead (Default: 105
<number>
secs; Range: 60­240)

capwap client neighbor heartbeat interval <number>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 54/315
27/4/2016 Aerohive CLI Guide
capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)

client Set CAPWAP client parameters

neighbor Set CAPWAP client neighbor parameters
heartbeat Set the heartbeat parameters for a CAPWAP neighbor
interval Set the heartbeat interval for a CAPWAP neighbor
<number> Enter the heartbeat interval for a CAPWAP neighbor (Default: 30; Range: 30­120)

capwap client pci­alert enable

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
pci­alert Report PCI (Payment Card Infrastructure) compliance information to HiveManager
enable Enable the reporting of PCI compliance information

capwap client server [ {backup} ] name <string> [ connect­delay <number> ] [ via­vpn­tunnel ]

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
server Set parameters for communicating with the CAPWAP server
backup Set the backup CAPWAP server
name Set the IP address or domain name of the CAPWAP server
<string> Enter IP address or name for CAPWAP server (1­32 chars)
Schedule a connection to the specified CAPWAP server at a time relative to the moment
connect­delay
the HiveAP receives the command
<number> Enter the interval in seconds after which the CAPWAP client connects (Range: 0­65535)
Send all CAPWAP traffic through a VPN tunnel (Note: Set this option on VPN clients when
via­vpn­tunnel the CAPWAP server is in a different subnet from the tunnel interface. When they are in
the same subnet, tunneling is automatic.)

capwap client server port <number>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
server Set parameters for communicating with the CAPWAP server
port Set the destination port number for communicating with the CAPWAP server
<number> Enter the port number (Default: 12222; Range: 1­65535)

capwap client silent interval <number>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
Set an interval to wait after failing to receive Discovery Request responses before
silent
sending more requests
Set an interval to wait after failing to receive Discovery Request responses before
interval
sending more requests
Enter an interval to wait after failing to receive Discovery Request responses (Default:
<number>
15 secs; Range: 1­999)

capwap client transport HTTP

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
client Set CAPWAP client parameters
transport Set the packet transport mode for CAPWAP communications
HTTP Set HTTP as the application­level protocol using TCP as the transport mode

capwap client vhm­name <string>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 55/315
27/4/2016 Aerohive CLI Guide
client Set CAPWAP client parameters
vhm­name Set the name of the virtual HiveManager system
<string> Enter the name of the virtual HiveManager system (1­64 chars)

capwap max­discoveries counter <number>

capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
max­discoveries Set the max number of CAPWAP Discovery Request messages
counter Set the max number of CAPWAP Discovery Request messages
<number> Enter the max number of CAPWAP Discovery Request messages (Default: 3; Range: 1­999)

capwap ping <string> [ port <number> ] [ count <number> ] [ size <number> ] [ timeout <number> ]
capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
Perform a CAPWAP ping (Note: A CAPWAP ping does not use ICMP echo requests, but UDP
ping
packets similar to those used for CAPWAP heartbeats.)
<string> Enter the IP address or domain name of the CAPWAP server (1­32 chars)
port Set the destination UDP port number for communicating with the CAPWAP server
Enter the destination UDP port number for communicating with the CAPWAP server (Default:
<number>
12222; Range: 1­65535)
count Set the number of CAPWAP UDP packets to send
<number> Enter the number of packets to send (Default: 5; Range: 1­65535)
size Set the size of the UDP packets
<number> Enter the packet size in bytes (Default: 56; Range:1­1300)
timeout Set the length of time to wait for a response
<number> Enter the timeout in seconds (Default: 5; Range: 1­60)

capwap ping <string> [ port <number> ] flood <number> [ size <number> ] [ timeout <number> ]
capwap Set parameters for CAPWAP (Control and Provisioning of Wireless Access Points)
Perform a CAPWAP ping (Note: A CAPWAP ping does not use ICMP echo requests, but UDP
ping
packets similar to those used for CAPWAP heartbeats.)
<string> Enter the IP address or domain name of the CAPWAP server (1­32 chars)
port Set the destination UDP port number for communicating with the CAPWAP server
Enter the destination UDP port number for communicating with the CAPWAP server (Default:
<number>
12222; Range: 1­65535)
Set the number of batches, each consisting of 100 CAPWAP UDP packets, to send at one
flood
time
<number> Enter the number of batches of packets(Range: 1­65535)
size Set the size of the UDP packets
<number> Enter the packet size in bytes (Default: 56; Range:1­1300)
timeout Set the length of time to wait for a response
<number> Enter the timeout in seconds (Default: 5; Range: 1­60)

clear aaa radius­server cache [ username <string> ]

clear Clear dynamic system information or remove all web directories
aaa Clear parameters for AAA (authentication, authorization, accounting)
radius­server Clear RADIUS server parameters
cache Clear all RADIUS server caches or one cache
username Clear the RADIUS server cache by username
<string> Enter the username (1­32 chars)

clear aaa radius­server­key [ {radius­server|ldap­client} ] [ <string> ]

clear Clear dynamic system information or remove all web directories
aaa Clear parameters for AAA (authentication, authorization, accounting)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 56/315
27/4/2016 Aerohive CLI Guide
Clear all certificates that the local Aerohive device uses as a RADIUS server and LDAP
radius­server­key
client
radius­server Clear certificates that the local AP uses as a RADIUS server
ldap­client Clear certificates that the local AP uses as a LDAP client
<string> Enter the name of the certificate

clear aaa radius­server­key radsec ca

clear Clear dynamic system information or remove all web directories
aaa Clear parameters for AAA (authentication, authorization, accounting)
Clear all certificates that the local Aerohive device uses as a RADIUS server and LDAP
radius­server­key
client
Clear certificates that the local Aerohive device uses as a RadSec proxy server (Note: A
radsec RadSec proxy server can forward RADIUS requests over a secure TLS tunnel between RadSec
peers.)
Clear the CA (certificate authority) certificate that the local Aerohive device uses as
ca
a RadSec proxy server

clear application reporting app­stats

clear Clear dynamic system information or remove all web directories
application Clear L7 related parameters
reporting Clear L7 application reporting related parameters
app­stats Clear L7 application reporting applicaton statistics

clear application reporting statistics

clear Clear dynamic system information or remove all web directories
application Clear L7 related parameters
reporting Clear L7 application reporting related parameters
statistics Clear L7 application reporting statistics

clear arp­cache
clear Clear dynamic system information or remove all web directories
arp­cache Clear the ARP cache

clear auth roaming­cache mac <mac_addr> {hive­neighbors|hive­all}

clear Clear dynamic system information or remove all web directories
auth Clear dynamic authentication information
Clear all entries from the roaming cache, which contains authentication information for
roaming­cache
stations currently connected to neighboring hive members
Set the MAC address of the station whose cached authentication information you want to
mac
clear
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
Clear all entries from the local roaming cache and from the roaming caches of all
hive­neighbors
neighboring hive members
Clear the MAC address from the local roaming cache and from the roaming caches of all
hive­all
hive members

clear auth roaming­cache {hive­neighbors}

clear Clear dynamic system information or remove all web directories
auth Clear dynamic authentication information
Clear all entries from the roaming cache, which contains authentication information for
roaming­cache
stations currently connected to neighboring hive members
Clear all entries from the local roaming cache and from the roaming caches of all
hive­neighbors neighboring hive members

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 57/315
27/4/2016 Aerohive CLI Guide
clear auth username <string>
clear Clear dynamic system information or remove all web directories
auth Clear dynamic authentication information
username Clear dynamic authentication information by user name
<string> Enter a user name (1­32 chars)

clear auth {local­cache|roaming­cache|station} [ mac <mac_addr> ]

clear Clear dynamic system information or remove all web directories
auth Clear dynamic authentication information
Clear all entries from the local cache, which contains authentication information for
local­cache
stations currently connected to the local HiveAP
Clear all entries from the roaming cache, which contains authentication information for
roaming­cache
stations currently connected to neighboring hive members
station Clear authentication information for a specific station
Set the MAC address of the station whose cached authentication information you want to
mac
clear
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

clear auth {local­cache|roaming­cache|station} ssid <string>

clear Clear dynamic system information or remove all web directories
auth Clear dynamic authentication information
Clear all entries from the local cache, which contains authentication information for
local­cache
stations currently connected to the local HiveAP
Clear all entries from the roaming cache, which contains authentication information for
roaming­cache
stations currently connected to neighboring hive members
station Clear authentication information for a specific station
ssid Clear cached authentication information based on the SSID with which stations associated
<string> Enter a user name (1­32 chars)

clear cac station­airtime [ mac <mac_addr> ]

clear Clear dynamic system information or remove all web directories
cac Clear CAC (Call Admission Control) statistics
station­airtime Clear airtime statistics for a specific station
mac Set the specific destination MAC
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

clear capture local [ <string> ]

clear Clear dynamic system information or remove all web directories
capture Clear packet capture parameters
local Clear one or all locally stored packet capture files
<string> Enter the file name to clear

clear capwap client counter

clear Clear dynamic system information or remove all web directories
capwap Clear CAPWAP (Control and Provisioning of Wireless Access Points) statistics
client Clear CAPWAP client statistics
counter Clear CAPWAP client keepalive packet counters

clear config rollback

clear Clear dynamic system information or remove all web directories
config Clear the configuration rollback settings

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 58/315
27/4/2016 Aerohive CLI Guide

rollback Clear the current configuration rollback point and related settings

clear forwarding­engine counters [ interface <wifix|wifix.y|ethx|mgtx|aggx|redx> ] [ station

<mac_addr> ] [ drop ] [ tunnel ] [ policy ]
clear Clear dynamic system information or remove all web directories
forwarding­engine Clear dynamically generated data from the forwarding engine
counters Clear forwarding engine counter statistics
interface Clear forwarding engine counter by interface
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<mgtx> Enter the name of the management interface, where x = 0
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
station Clear forwarding engine counter by station MAC
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
drop Clear the drop packet counter
tunnel Clear the counter on tunnels
policy Clear the counter on policies

clear forwarding­engine ip­sessions [ src­ip <ip_addr> ] [ dst­ip <ip_addr> ] [ src­port <number> ] [

dst­port <number> ] [ protocol <number> ]
clear Clear dynamic system information or remove all web directories
forwarding­engine Clear dynamically generated data from the forwarding engine
ip­sessions Clear IP sessions
src­ip Clear IP sessions by source IP address
<ip_addr> Source IP address
dst­ip Clear IP sessions by destination IP address
<ip_addr> Destination IP address
src­port Clear IP essions by source port number
<number> source IP port (Range: 1­65535)
dst­port Clear IP sessions by destination port number
<number> destination IP port (Range: 1­65535)
protocol Clear IP sessions by protocol type
<number> source IP port (Range: 1­255)

clear forwarding­engine ip­sessions id <number>

clear Clear dynamic system information or remove all web directories
forwarding­engine Clear dynamically generated data from the forwarding engine
ip­sessions Clear IP sessions
id Clear IP sessions by session ID number
<number> Enter the IP session ID (Range: 1­9999)

clear forwarding­engine mac­sessions [ src­mac <mac_addr> ] [ dst­mac <mac_addr> ]

clear Clear dynamic system information or remove all web directories
forwarding­engine Clear dynamically generated data from the forwarding engine
mac­sessions Clear MAC sessions
src­mac Clear MAC sessions by source MAC address

Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 59/315
27/4/2016 Aerohive CLI Guide
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
dst­mac Clear MAC sessions by destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

clear forwarding­engine mac­sessions id <number>

clear Clear dynamic system information or remove all web directories
forwarding­engine Clear dynamically generated data from the forwarding engine
mac­sessions Clear MAC sessions
id Clear MAC sessions by session ID number
<number> Enter the MAC session ID (Range: 1­9999)

clear gre­tunnel counters tunnel

clear Clear dynamic system information or remove all web directories
gre­tunnel Clear GRE (Generic Routing Encapsulation) tunnel information
counters Clear GRE tunnel counter statistics
tunnel Clear the counter on tunnels

clear hive <string> counter neighbor [ <mac_addr> ]

clear Clear dynamic system information or remove all web directories
hive Clear hive info
<string> Enter a hive profile name (1­32 chars)
counter Clear counters for neighboring hive members
neighbor Clear counters for all neighbors or a specific neighbor in this hive
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

clear interface <ethx|aggx|redx> mac­learning dynamic <mac_addr>

clear Clear dynamic system information or remove all web directories
interface Clear interface info
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
mac­learning Clear entries in the MAC address learning table
dynamic Clear dynamically learned MAC address entries
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

clear interface <ethx|aggx|redx> mac­learning dynamic all

clear Clear dynamic system information or remove all web directories
interface Clear interface info
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
mac­learning Clear entries in the MAC address learning table
dynamic Clear dynamically learned MAC address entries
all Clear all dynamically learned MAC address entries

clear interface <ethx|wifix|wifix.y|aggx|redx> counter

clear Clear dynamic system information or remove all web directories
interface Clear interface info

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 60/315
27/4/2016 Aerohive CLI Guide

<ethx> Enter the name of an Ethernet interface, where x = 0 or 1

<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
counter Clear all counters for the interface

clear interface <mgtx|mgtx.y> dhcp­server lease all

clear Clear dynamic system information or remove all web directories
interface Clear interface info
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Clear the DHCP server lease
lease Clear a specific DHCP lease or all leases
all Clear all DHCP leases

clear interface <mgtx|mgtx.y> dhcp­server lease ip <ip_addr>

clear Clear dynamic system information or remove all web directories
interface Clear interface info
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Clear the DHCP server lease
lease Clear a specific DHCP lease or all leases
ip Clear the DHCP lease that uses a specific IP address
<ip_addr> Enter the IP address

clear interface <mgtx|mgtx.y> dhcp­server lease mac <mac_addr>

clear Clear dynamic system information or remove all web directories
interface Clear interface info
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Clear the DHCP server lease
lease Clear a specific DHCP lease or all leases
mac Clear the DHCP lease assigned to a client with a specific MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

clear interface <wifix> wlan­idp mitigate rogue­ap [ <mac_addr> ]

clear Clear dynamic system information or remove all web directories
interface Clear interface info
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
wlan­idp Clear rogue AP entries from the WLAN IDP (intrusion detection and prevention) table
mitigate Clear mitigated rogue APs
rogue­ap Clear all mitigated rogue APs or a specific rogue AP
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

clear lldp [ {cdp} ] table

clear Clear dynamic system information or remove all web directories
lldp Set LLDP (Link Layer Discovery Protocol) parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 61/315
27/4/2016 Aerohive CLI Guide

cdp Set CDP (Cisco Discovery Protocol) parameters

table Clear LLDP or CDP neighbor table

clear location {aeroscout|tzsp} counter

clear Clear dynamic system information or remove all web directories
location Clear parameters for location tracking
aeroscout Clear parameters for the aeroscout location processing engine
tzsp Clear parameters for the tzsp location processing engine
counter Clear statistics for location reports sent to the location processing engine

clear log [ {buffered|debug|flash|all} ]

clear Clear dynamic system information or remove all web directories
log Clear logging messages
buffered Clear buffered log messages
debug Clear debug log messages
flash Clear flash log messages
all Clear all log messages

clear mdnsd counter [ vlan <number> ]

clear Clear dynamic system information or remove all web directories
mdnsd Clear MDNS information
counter Clear MDNS packet counter
vlan Clear MDNS packet counters on a specific VLAN
<number> Enter the VLAN ID number (Range: 1­4094)

clear network­firewall session all

clear Clear dynamic system information or remove all web directories
network­firewall Clear Layer 3 firewall information
session Clear Layer 3 firewall sessions
Clear all sessions (Note: You must clear all existing sessions for new or changed
all firewall policy rules to take effect. Once the new rules are in effect, the HiveAP
applies them to new sessions.)

clear qos counter

clear Clear dynamic system information or remove all web directories
qos Clear dynamic QoS information
counter Clear dynamic QoS statistics counters

clear service [ <string> ] counter

clear Clear dynamic system information or remove all web directories
service Clear dynamically generated information for all services or for a specific service
<string> Enter the name of the service whose counters you want to clear
counter Clear the counter statistics for all services or for a specific service

clear ssh known_host <string>

clear Clear dynamic system information or remove all web directories
ssh Secure Shell
known_host List of known saved hosts
<string> Enter the domain name (1­64 chars) or IP address

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 62/315
27/4/2016 Aerohive CLI Guide
clear ssid <string> counter station [ <mac_addr> ]
clear Clear dynamic system information or remove all web directories
ssid Clear SSID info
<string> Enter an SSID profile name (1­32 chars)
counter Clear counters for stations (wireless clients) associated with the SSID
station Clear counters for all stations or a specific station associated with the SSID
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

clear supplicant cert­file [ <string> ]

clear Show settings, parameters, or dynamically generated information
supplicant Clear objects for supplicant
cert­file Clear cert files for supplicant
<string> Enter the name of the certificate

clear user­and­group all

clear Clear dynamic system information or remove all web directories
user­and­group Clear all users and user­groups
all Clear all users and user­groups

clear vpn certificate­key

clear Clear dynamic system information or remove all web directories
vpn Clear VPN information
Clear all certificates that the local HiveAP uses when authenticating its identity to a
certificate­key
VPN peer and when verifying the identity of a VPN peer

clear vpn {ike|ipsec} sa

clear Clear dynamic system information or remove all web directories
vpn Clear VPN information
ike Clear IKE SA information established during IKE phase 1 negotiations
ipsec Clear IPsec SA information established during IKE phase 2 negotiations
sa Clear SA (security association) information

clear web­directory [ {ppsk­self­reg} ]

clear Clear dynamic system information or remove all web directories
web­directory Remove all web directories
ppsk­self­reg Remove all self­registration web directories from the private PSK server

clear wlan­idp mitigate [ <mac_addr> ]

clear Clear dynamic system information or remove all web directories
wlan­idp Clear rogue AP entries from the WLAN IDP (intrusion detection and prevention) table
Clear one or a list of the rogue APs against which mitigation was performed and the
mitigate
HiveAPs that reported them
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

client­monitor enable
client­monitor Set parameters for Client Monitor
Enable client monitor to detect client issues and report client connection activities
enable
and problems to HiveManager (Default: Enabled)

client­monitor policy <string> problem­type {association|authentication|networking} [ trigger­times

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 63/315
27/4/2016 Aerohive CLI Guide
<number> ] [ report­interval <number> ] [ quiet­time <number> ]
client­monitor Set parameters for Client Monitor
policy Set parameters for a Client Monitor policy
<string> Enter the Client Monitor policy name (1­32 chars)
problem­type Set the problem type which specifies a category of client­centric problems
association Detect, analyze and report the client association problem
authentication Detect, analyze and report the client authentication problem
networking Detect, analyze and report the client networking problem
Set how many times the problem type is detected to trigger reporting the problem and
trigger­times
related logs
<number> Enter trigger times for the problem type (Range: 1­10; Default: 1)
report­interval Set the interval to report the problem and related logs
Enter a report interval in seconds for the problem type (Range: 0 or 30­3600; Default:
<number>
0; Note: The default value of 0 reports every instance of the problem)
quiet­time Set the time period after which the problem elapses
<number> Enter quiet time in seconds for the problem type (Range: 60­86400; Default: 300)

client­tracing <mac_addr>
client­tracing Test client tracing
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

clock date­time <date> <time>

clock Set the internal clock
date­time Set the date and time for the internal clock
Enter the date for the internal clock, (Format: YYYY­MM­DD, Range: 1970­01­01 to 2035­
<date>
12­31)
Enter the time for the internal clock, (Format: hh:mm:ss, Range: hh(00­23), mm(00­59),
<time>
ss(00­59)

clock time­zone <number> [ {30|45} ]

clock Set the internal clock
time­zone Set the time zone for the internal clock
<number> Enter the time zone for the internal clock (Default: 0; Range: from ­12 to 12)
30 Add 30 minutes to the specified time zone
45 Add 45 minutes to the specified time zone

clock time­zone daylight­saving­time <date> <time> <date> <time>

clock Set the internal clock
time­zone Set the time zone for the internal clock
daylight­saving­time Set the daylight saving time parameters
<date> Enter the start date for the daylight saving time (Format: MM­DD, Range: 01­01 to 12­31)
Enter the start time for the daylight saving time (Format: hh:mm:ss, Range: hh(00­23),
<time>
mm(00­59), ss(00­59)
<date> Enter the end date for the daylight saving time (Format: MM­DD, Range: 01­01 to 12­31)
Enter the end time for the daylight saving time (Format: hh:mm:ss, Range: hh(00­23),
<time>
mm(00­59), ss(00­59)

config rollback enable

Set parameters for the current configuration file, which is a flash file containing
config
default and admin­defined settings
Set the current config as a rollback point to which the AP can return after a length of
rollback time elapses or if it becomes disconnected from the CAPWAP server, or return the config
to a previously set rollback point immediately

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 64/315
27/4/2016 Aerohive CLI Guide

enable Enable the configuration rollback feature

config rollback manual [ wait­time <number> ]

Set parameters for the current configuration file, which is a flash file containing
config
default and admin­defined settings
Set the current config as a rollback point to which the AP can return after a length of
rollback time elapses or if it becomes disconnected from the CAPWAP server, or return the config
to a previously set rollback point immediately
Perform the configuration rollback after the defined length of time elapses regardless
of its CAPWAP connectivity (Note: This option is useful when accessing the CLI remotely
manual
and you are concerned that some commands might cause the AP to lose its network
connection.)
Set the length of time that the AP must be disconnected from the CAPWAP server before
wait­time
rolling back the configuration
Enter the length of time in minutes to wait before rolling back the configuration
<number> (Default: 10 minutes; Range: 0­60000: Note: 0 means that the rollback point persists
indefinitely until the 'config rollback now' command is entered.)

config rollback now

Set parameters for the current configuration file, which is a flash file containing
config
default and admin­defined settings
Set the current config as a rollback point to which the AP can return after a length of
rollback time elapses or if it becomes disconnected from the CAPWAP server, or return the config
to a previously set rollback point immediately
now Return the configuration to a previously set rollback point immediately

config rollback {capwap­disconnect|next­reboot} [ wait­time <number> ]

Set parameters for the current configuration file, which is a flash file containing
config
default and admin­defined settings
Set the current config as a rollback point to which the AP can return after a length of
rollback time elapses or if it becomes disconnected from the CAPWAP server, or return the config
to a previously set rollback point immediately
Perform the configuration rollback if a CAPWAP disconnection occurs for the defined
length of time (Note: This is useful when uploading a delta configuration, which does
capwap­disconnect
not require the AP to reboot, and you are concerned that some changes might disrupt
network connectivity for the AP.)
Perform the configuration rollback if a CAPWAP disconnection occurs for the defined
length of time after the AP reboots (Note: This is useful when uploading a full
next­reboot
configuration, which requires the AP to reboot, and you are concerned that the new
config might disrupt network connectivity for the AP.)
Set the length of time that the AP must be disconnected from the CAPWAP server before
wait­time
rolling back the configuration
Enter the length of time in minutes to wait before rolling back the configuration
<number>
(Default: 10 minutes; Range: 2­60000)

config version <number>

Set parameters for the current configuration file, which is a flash file containing
config
default and admin­defined settings
version Set the version number for the current configuration file
<number> Enter the version number (Range: 1­4294967295)

console echo obscure­passwords

console Set console parameters
echo Set parameters for the display of data in the terminal window
Display passwords and sensitive networking keys as asterisks (***) in the CLI (Default:
obscure­passwords
Passwords and keys are replaced by asterisks instead of displaying original text)

console page <number>

console Set console parameters
Set the maximum number of lines of data displayed as a batch when retrieved from a

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 65/315
27/4/2016 Aerohive CLI Guide
device (Note: If the number of retrieved lines exceeds the maximum, press TAB to return
page
the next batch or ENTER to retrieve the next single line. Press the Q key to cancel the
display of all further requested data and return to the command prompt.)
Set the maximum number of lines to display at a time (Default: 22, Range: 10­100,
<number>
Disable: 0, which means that there is no maximum limit)

console serial­port enable

console Set console parameters
serial­port Set administrative access to the serial port
enable Enable access to the console serial port

console timeout <number>

console Set console parameters
timeout Set the amount of time required to close a console connection due to inactivity
<number> Set the console timeout value in minutes (Default: 10, Range: 0­60, Disable: 0)

data­collection collect interval <number>

Set parameters for collecting data about the types and capabilities of devices on the
data­collection
network and the types of applications and IP protocols they use
collect Set parameters for collecting data
interval Set the interval for collecting data about devices and their network usage
Enter the amount of time in hours during which the HiveAP collects data (Default: 1;
<number>
Range: 1­48)

data­collection enable
Set parameters for collecting data about the types and capabilities of devices on the
data­collection
network and the types of applications and IP protocols they use
Enable the local HiveAP to collect data about types and capabilities of devices on the
enable
network and their network usage (Default: Disabled)

data­collection report interval <number>

Set parameters for collecting data about the types and capabilities of devices on the
data­collection
network and the types of applications and IP protocols they use
report Set parameters for reporting data to HiveManager
interval Set the interval for reporting data to HiveManager
Enter the amount of time in hours between data reports to HiveManager (Default: 6;
<number>
Range: 0­48; Note: 0 disables sending reports to HiveManager.)

data­collection {max­collect} <number>

Set parameters for collecting data about the types and capabilities of devices on the
data­collection
network and the types of applications and IP protocols they use
Set the maximum number of collection times that must elapse before clearing data that
max­collect cannot be reported to HiveManager (Note: The default collection interval is 1 hour and
the default report interval is 6 hours.)
Enter the maximum number of times to collect data before clearing it if it cannot be
<number>
reported to HiveManager (Default: 24; Range: Range:1­48)

debug console [ {all} ]

debug Enable debug messages
console Show debug messages on the console
all Show all messages on the console

debug console level {emergency|alert|critical|error|warning|notification|info|debug}

debug Enable debug messages
console Show debug messages on the console

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 66/315
27/4/2016 Aerohive CLI Guide
level Specify a logging level
emergency Show emergency­level log entries (Default: debug)
alert Show log entries from alert to emergency levels (Default: debug)
critical Show log entries from critical to emergency levels (Default: debug)
error Show log entries from error to emergency levels (Default: debug)
warning Show log entries from warning to emergency levels (Default: debug)
notification Show log entries from notification to emergency levels (Default: debug)
info Show log entries from info to emergency levels (Default: debug)
debug Show log entries for all severity levels (Default: debug)

debug console timestamp

debug Enable debug messages
console Show debug messages on the console
timestamp Show debug messages timestamp

designated­server idm­proxy announce

designated­server Set parameters for a dynamic server
Set parameters for a dynamic proxy server to forward RADIUS requests over a secure TLS
idm­proxy
tunnel between the local device and ID Manager
Enable the designated proxy server on the Aerohive device and announce the server
announce
information to all devices in a DA domain (Default: Disabled)

designated­server idm­proxy dynamic

designated­server Set parameters for a dynamic server
Set parameters for a dynamic proxy server to forward RADIUS requests over a secure TLS
idm­proxy
tunnel between the local device and ID Manager
Enable the Aerohive device acting as a NAS to send RADIUS requests to the designated
dynamic
proxy server (Default: Disabled)

device­group <string> [ mac­object <string> ] [ domain­object <string> ] [ os­object <string> ]

Set a device group containing various objects that the HiveAP can use to classify client
device­group
devices (Max: 64 groups)
<string> Enter a device group name (1­32 chars)
mac­object Add a MAC object to the device group
<string> Enter the MAC object name (1­32 chars)
domain­object Add a domain object to the device group
<string> Enter the domain object name (1­32 chars)
os­object Add an OS object to the device group
<string> Enter the OS object name (1­32 chars)

device­group <string> ownership {cid|byod}

Set a device group containing various objects that the HiveAP can use to classify client
device­group
devices (Max: 64 groups)
<string> Enter a device group name (1­32 chars)
Set an attribute for the client device group identifying its devices as user­owned
ownership
(BYOD=bring your own device) or company­issued (CID=company­issued device)
cid Set the devices in the device group as company­issued
byod Set the devices in the device group as user­owned

device­location <string>
device­location Set the device location
<string> Enter a device location (1­128 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 67/315
27/4/2016 Aerohive CLI Guide
dns domain­name <string>
dns Set DNS (Domain Name System) parameters
domain­name Set the domain name suffix for the local AP
<string> Enter the domain name suffix for the local AP (1­32 chars)

dns dynamic­dns domain­name <string>

dns Set DNS (Domain Name System) parameters
dynamic­dns Set dynamic DNS parameters
domain­name Set dynamic DNS hostname
<string> Enter the dynamic DNS domain­name (up to 256 chars)

dns dynamic­dns enable

dns Set DNS (Domain Name System) parameters
dynamic­dns Set dynamic DNS parameters
enable Enable dynamic DNS

dns dynamic­dns server­account {dyndns|noip} username <string> password <string>

dns Set DNS (Domain Name System) parameters
dynamic­dns Set dynamic DNS parameters
server­account Set dynamic DNS server account
dyndns Use no­ip server
noip Use no­ip server
username Set server account username
<string> Enter the server account username (1­32 chars)
password Set server account password
<string> Enter the service account password (1­32 chars)

dns server­ip <ip_addr|ipv6_addr> [ {second|third} ]

dns Set DNS (Domain Name System) parameters
server­ip Set the IP address of the primary, secondary, or tertiary DNS server
<ip_addr> Enter the IP address of the primary, secondary, or tertiary DNS server
<ipv6_addr> Enter the IP address of the primary, secondary, or tertiary DNS server
second Assign the IP address to a secondary DNS server
third Assign the IP address to a tertiary DNS server

domain­object <string> domain <string>

Set parameters for a domain object that the HiveAP can use to assign a client that
domain­object belongs to a matching device domain to a user profile (Max: 64 domain objects per
HiveAP)
Enter a domain object name (1­32 chars; Note: The object name is an admin­defined name
<string>
and does not have to be the name of a device domain.)
Add a device domain to the domain object (Note: Specify the domain to which devices in
domain
an LDAP­structured database belong.)
<string> Enter an domain name (1­64 chars)

exec aaa idm­test auth username <string> password <string> [ {pap|ms­chap­v2} ] [ proxy <string> ] [
bind­ssid <string> ]
exec Execute a command to initiate a task immediately
aaa Set parameters for AAA (authentication, authorization, accounting)
Test TLS connectivity from the Aerohive device acting as the RadSec or AUTH proxy to the
idm­test
ID Manager gateway
auth Send a RADIUS Access­Request message from the Aerohive device to the ID Manager

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 68/315
27/4/2016 Aerohive CLI Guide
username Set the user name belonging to an account on the ID Manager
<string> Enter the user name (1­32 chars)
password Set the password that belongs to the same account as the user name on the ID Manager
<string> Enter the password (1­64 chars)
Set PAP (Password Authentication Protocol) as the method for sending authentication
pap
requests between the Aerohive device and ID Manager (Default: MS­CHAP­v2)
Set MS­CHAP­v2 (Microsoft CHAP Version 2) as the method for sending authentication
ms­chap­v2
requests between the Aerohive device and ID Manager (Default: MS­CHAP­v2)
proxy Set parameters for connecting to an ID Manager proxy server
<string> Enter the IP address or domain name of the ID Manager proxy server (1­32 chars)
Set the SSID to which the user name binds for ID Manager testing (Note: By default,
bind­ssid wired links use the user name­password pair for testing ID Manager accounts, so the user
name does not need to bind to an SSID.)
<string> Enter the name of the SSID to which you want to bind the user name (1­32 chars)

exec aaa idm­test {radsec­proxy|auth­proxy}

exec Execute a command to initiate a task immediately
aaa Set parameters for AAA (authentication, authorization, accounting)
Test TLS connectivity from the Aerohive device acting as the RadSec or AUTH proxy to the
idm­test
ID Manager gateway
radsec­proxy Test TLS connectivity from the RadSec proxy to the ID Manager gateway
auth­proxy Test TLS connectivity from the AUTH proxy to the ID Manager gateway

exec aaa ldap­search server­type {active­directory|ldap­server|open­directory} server <string> basedn

<string> binddn <string> password <string> [ {attributes} [ <string> ] ]
exec Execute a command to initiate a task immediately
aaa Set parameters for AAA (authentication, authorization, accounting)
ldap­search Execute a search of the LDAP database
server­type Set the type of LDAP server whose database you want to search
active­directory Set the server type as an Active Directory server
ldap­server Set the server type as an OpenLDAP server
open­directory Set the server type as an Open Directory server
server Set the IP address or resolvable domain name of the LDAP server
<string> Enter the IP address or domain name (up to 32 chars)
Set a node in the LDAP tree structure as the baseDN (distinguished name) from which to
basedn search for nodes one level below it or for information about one or all of its
attributes
Enter the baseDN (up to 256 chars) (Note: If there are any spaces, enclose the whole
<string>
string in quotation marks.)
Set the bindDN name and password for the user that has permission to search the LDAP
binddn
directory
<string> Enter the bindDN name (up to 256 chars)
password Set the bindDN password
<string> Enter the password (1­64 chars)
attributes Search for attributes of the node specified as the baseDN
Enter the name of a specific attribute for which to search (Note: To see the user group
<string> attribute of the baseDN node when the default group attribute name is being used, do not
enter anything.)

exec aaa ldap­search username <string> [ basedn <string> ] [ domain <string> ]

exec Execute a command to initiate a task immediately
aaa Set parameters for AAA (authentication, authorization, accounting)
ldap­search Execute a search of the LDAP database
username Set the user name to search for in the LDAP database

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 69/315
27/4/2016 Aerohive CLI Guide
<string> Enter a user name (1­32 chars)
Set the baseDN (distinguished name) where the user profiles are located in the LDAP tree
basedn
structure
Enter the baseDN (1­256 chars; Note: If there are any spaces, enclose the whole string
<string>
in quotation marks.)
domain Set the domain name of the domain controller
<string> Enter a NT domain name (1­64 chars)

exec aaa library­sip­test primary username <string> password <string>

exec Execute a command to initiate a task immediately
aaa Set parameters for AAA (authentication, authorization, accounting)
Test a simulated authentication process for a library patron on a library SIP (Standard
library­sip­test
Interchange Protocol) server
primary Test the authentication process on the primary library SIP server
username Set the library patron's user name to submit to the library SIP server
<string> Enter the user name (1­32 chars)
password Set the library patron's password to submit to the library SIP server
<string> Enter the password (1­64 chars)

exec aaa net­ads­info <string>

exec Execute a command to initiate a task immediately
aaa Set parameters for AAA (authentication, authorization, accounting)
Retrieve information from the Active Directory server such as its IP address, Active
net­ads­info
Directory domain name, root BaseDN, and realm name
Enter the name of the realm to which the Active Directory server belongs (Example:
<string>
corp123.com; Note: The realm name is not case sensitive; Range: 1­64 chars)

exec aaa net­join [ {primary|backup1|backup2|backup3} username <string> password <string> ]

exec Execute a command to initiate a task immediately
aaa Set parameters for AAA (authentication, authorization, accounting)
net­join Join the local AP RADIUS server to the domain controller
primary Join the local AP RADIUS server to the primary domain controller
backup1 Join the local AP RADIUS server to the backup1 domain controller
backup2 Join the local AP RADIUS server to the backup2 domain controller
backup3 Join the local AP RADIUS server to the backup3 domain controller
Set the admin user name for the local AP RADIUS server (Note: For the AP RADIUS server
username
to join the domain, its user account must have domain admin privileges or higher.)
<string> Enter a user name (1­32 chars)
password Set the password for the user name
<string> Enter a password (1­64 chars)

exec aaa net­join domain <string> fullname <string> server <string> username <string> password
<string> [ computer­ou <string> ]
exec Execute a command to initiate a task immediately
aaa Set parameters for AAA (authentication, authorization, accounting)
net­join Join the local AP RADIUS server to the domain controller
domain Set the domain name of the AD domain controller
Enter the NetBIOS name of the domain (1­64 chars; Note: The domain name cannot contain
<string>
multiple­level domains delimited by dots.)
Set the full name of the domain to which the RADIUS server (local AP) and AD server both
fullname
belong
<string> Enter the full domain name (1­64 chars)

Set the IP address or resolvable domain name for the AD server (Note: The AD server is
server
the same as the domain controller.)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 70/315
27/4/2016 Aerohive CLI Guide
<string> Enter the IP address or domain name (up to 32 chars)
Set the admin user name that the local AP RADIUS server submits to the AD server (Note:
username For the AP RADIUS server to join the domain, its user account must have domain admin
privileges or higher.)
<string> Enter a user name (1­32 chars)
password Set the password for the user name
<string> Enter a password (1­64 chars)
Set the OU (organizational unit) used on the Active Directory server where the AP RADIUS
computer­ou
server admin has privileges to add the AP as a computer in the domain
Enter the OU (Max: 256 chars; Format: ou/sub­ou/sub­ou; Note: If there are any spaces,
<string>
enclose the entire string in quotation marks.)

exec aaa ntlm­auth username <string> password <string> [ domain <string> ]

exec Execute a command to initiate a task immediately
aaa Set parameters for AAA (authentication, authorization, accounting)
Initiate NTLM (NT LAN Manager) authentication between the AP RADIUS server and the
ntlm­auth
domain controller
Set the user name that the AP RADIUS server uses when authenticating itself to the
username
domain controller
<string> Enter a user name (1­32 chars)
Set the password that the AP RADIUS server uses when authenticating itself to the domain
password
controller
<string> Enter a password (1­64 chars)
domain Set the domain name of the domain controller
<string> Enter a NT domain name (1­64 chars)

exec aaa radius­test <string> accounting

exec Execute a command to initiate a task immediately
aaa Set parameters for AAA (authentication, authorization, accounting)
Send a RADIUS Access­Request message from the HiveAP to a RADIUS authentication server
radius­test
or an Accounting­Request message to a RADIUS accounting server
<string> Enter the IP address or domain name of the RADIUS server (1­32 chars)
Check the network connectivity status of a RADIUS accounting server (Default: Check the
accounting
status of a RADIUS authentication server.)

exec aaa radius­test <string> call­check <mac_addr>

exec Execute a command to initiate a task immediately
aaa Set parameters for AAA (authentication, authorization, accounting)
Send a RADIUS Access­Request message from the HiveAP to a RADIUS authentication server
radius­test
or an Accounting­Request message to a RADIUS accounting server
<string> Enter the IP address or domain name of the RADIUS server (1­32 chars)
call­check Do mac­base­auth call­check with Radius server
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

exec aaa radius­test <string> username <string> password <string> [ {pap|chap|ms­chap­v2} ]

exec Execute a command to initiate a task immediately
aaa Set parameters for AAA (authentication, authorization, accounting)
Send a RADIUS Access­Request message from the HiveAP to a RADIUS authentication server
radius­test
or an Accounting­Request message to a RADIUS accounting server
<string> Enter the IP address or domain name of the RADIUS server (1­32 chars)
username Set the user name belonging to an account on the RADIUS server
<string> Enter the user name (1­32 chars)

password Set the password that belongs to the same account as the user name on the RADIUS server
<string> Enter the password (1­64 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 71/315
27/4/2016 Aerohive CLI Guide
Set PAP (Password Authentication Protocol) as the method for sending authentication
pap
requests between the HiveAP and RADIUS server (Default: MS­CHAP­v2)
Set CHAP (Challenge­Handshake Authentication Protocol) as the method for sending
chap
authentication requests between the HiveAP and RADIUS server (Default: MS­CHAP­v2)
Set MS­CHAP­v2 (Microsoft CHAP Version 2) as the method for sending authentication
ms­chap­v2
requests between the HiveAP and RADIUS server (Default: MS­CHAP­v2)

exec active­alarms­resending
exec Execute a command to initiate a task immediately
active­alarms­
Make device resend all active alarms to HiveManager
resending

exec antenna­alignment interface <wifix> peer <mac_addr> [ count <number> ] [ interval <number> ] [
text­size <number> ]
exec Execute a command to initiate a task immediately
Set parameters for aligning a directional or sectional antenna connected to a radio in
antenna­alignment
backhaul or dual (access and backhaul) mode with a specified peer
interface Set the interface bound to the radio whose antenna you want to align with that of a peer
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
Set the MAC address of the peer to which the HiveAP sends antenna alignment request
peer
frames
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
count Set the total number of request frames to send to the peer
<number> Enter the total number of request frames (Default: 60; Range: 1­1000)
interval Set the interval between each request frame transmission
<number> Enter the interval in seconds (Default: 1; Range: 1­30)
text­size Set the amount of filler text in each request frame
<number> Enter the amount of filler text in bytes (Default: 16; Range: 16­2048)

exec auth <string> ppsk­mac­unbinding mac <mac_addr>

exec Execute a command to initiate a task immediately
auth Execute an auth module command
<string> Enter an SSID profile name (1­32 chars)
ppsk­mac­unbinding Execute a PPSK MAC address­unbinding command
mac Remove the PPSK MAC address binding from a MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

exec auth <string> ppsk­mac­unbinding mac­ppsk <mac_addr> <string>

exec Execute a command to initiate a task immediately
auth Execute an auth module command
<string> Enter an SSID profile name (1­32 chars)
ppsk­mac­unbinding Execute a PPSK MAC address­unbinding command
mac­ppsk Remove the PPSK MAC address binding from MAC address and PPSK
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
<string> Enter the PPSK of the station used (1­32 chars)

exec auth <string> ppsk­mac­unbinding ppsk <string>

exec Execute a command to initiate a task immediately
auth Execute an auth module command
<string> Enter an SSID profile name (1­32 chars)
ppsk­mac­unbinding Execute a PPSK MAC address­unbinding command

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 72/315
27/4/2016 Aerohive CLI Guide
ppsk Remove the PPSK MAC address binding from a PPSK
<string> Enter the PPSK of the station used (1­32 chars)

exec bypass­wan­hardening
exec
bypass­wan­hardening
Execute a command to initiate a task immediately
Disable WAN hardening to allow SSH, Telnet, and the remote sniffer tool to access the
device over the WAN interface (Note: Execute this command to allow remote access for
troubleshooting. To restore WAN hardening, enter "no exec bypass­wan­hardening" or
reboot the device.)

exec capture remote­sniffer [ user <string> <string> ] [ host­allowed <string> ] [ local­port <number>
] [ promiscuous ]
exec Execute a command to initiate a task immediately
capture Initiate packet capturing
remote­sniffer Set parameters for a remote packet sniffer
Set user name and password that the remote sniffer uses when authenticating itself to
user
the HiveAP
<string> Enter the user name (1­32 chars)
<string> Enter the password (1­32 chars)
Set the IP address or domain name of the remote packet sniffer that is allowed to
host­allowed
connect to the HiveAP
<string> Enter the IP address or domain name (1­32 chars)
Set the port number on which the HiveAP listens for connection requests from the remote
local­port
sniffer
<number> Enter the port number (Default: 2002; Range: 1024­65535)
Enable the wifi interfaces to operate in promiscuous mode during packet capturing
promiscuous
(Default: Disabled)

exec client­monitor <mac_addr>

exec Execute a command to initiate a task immediately
client­monitor Monitor the activities of a client
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

exec data­collection {push|clear}

exec Execute a command to initiate a task immediately
Perform an action on the data collected about the types and capabilities of devices on
data­collection
the network and the types of applications and IP protocols they use
push Push all collected data to HiveManager
clear Clear all collected data that is currently stored in the local HiveAP

exec delay­execute [ <number> ]

exec Execute a command to initiate a task immediately
Delay the execution of commands for a period of time (Note: The delay period starts the
delay­execute moment you enter this command and ends when you enter the "no exec delay­execute"
command. This does not affect "show" commands.)
Enter an interval in seconds to wait after the delay period ends before executing the
<number>
submitted commands (Default: 5; Range: 1­60)

exec interface <wifix> spectral­scan channel <number>

exec Execute a command to initiate a task immediately
interface Execute the command through a specific interface
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
Execute a spectral scan of all the channels specified in the channel scan list and
spectral­scan report signal frequency and amplitude, channel utilization, and types of interference to
HiveManager

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 73/315
27/4/2016 Aerohive CLI Guide

channel Set the channel to be scanned

Enter the channel number (Note: To create a list of multiple channels, repeatedly enter
<number> this command with a different channel number for each one that you want to scan.)
(Range: 1­165)

exec interface <wifix> spectral­scan report­interval <number>

exec Execute a command to initiate a task immediately
interface Execute the command through a specific interface
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
Execute a spectral scan of all the channels specified in the channel scan list and
spectral­scan report signal frequency and amplitude, channel utilization, and types of interference to
HiveManager
report­interval Set the length of time to collect spectral data and then report it to HiveManager
<number> Enter the report interval in seconds (Default: 1; Range: 1­30)

exec interface <wifix> spectral­scan {start|stop}

exec Execute a command to initiate a task immediately
interface Execute the command through a specific interface
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
Execute a spectral scan of all the channels specified in the channel scan list and
spectral­scan report signal frequency and amplitude, channel utilization, and types of interference to
HiveManager
start Start a spectral scan
stop Stop a spectral scan that is currently in progress

exec mobile­device­manager aerohive status­change <string>

exec Execute a command to initiate a task immediately
mobile­device­manager Set the mobile device manager parameters
aerohive Aerohive MDM notifies client status change to AP
status­change Set status notification body as parameter
<string> MDM status notification body(1­256 chars)

exec ssh­client server <string> user <string>

exec Execute a command to initiate a task immediately
ssh­client Secure Shell client
server Set the domain name or IP address of the SSH server and, optionally, its port number
Enter the domain name (1­64 chars) or IP address and, optionally, the port number
<string>
(Default port: 22; Range: 1024­65535; Format: name:port or ip:port)
user Set the user name for logging in to the SSH server
<string> Enter the user name (1­32 chars)

exec user­group <string> psk­to­pmk

exec Execute a command to initiate a task immediately
user­group Execute a user­group command
<string> Enter the user group name (1­32 chars)
psk­to­pmk Regenerate all users' PMKs (pairwise master keys) based on their PSKs (preshared keys)

exec wlan­idp ap­classify {rogue|friendly} <mac_addr> [ ­ <mac_addr> ]

exec Execute a command to initiate a task immediately
wlan­idp Execute a command relating to WLAN IDP (intrusion detection and prevention)
ap­classify
Classify one or more APs as rogue or friendly by MAC address

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 74/315
27/4/2016 Aerohive CLI Guide
rogue Classify APs as rogue
friendly Classify APs as friendly
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
­ Set a range of MAC addresses
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

exec wlan­idp mitigate {rogue­ap} <mac_addr>

exec Execute a command to initiate a task immediately
wlan­idp Execute a command relating to WLAN IDP (intrusion detection and prevention)
mitigate Mitigate a specific rogue AP and its clients by sending a deauth DoS attack against them
rogue­ap Mitigate a specific rogue AP
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

exec wlan­idp mitigate {rogue­ap} <mac_addr> interface <wifix>

exec Execute a command to initiate a task immediately
wlan­idp Execute a command relating to WLAN IDP (intrusion detection and prevention)
mitigate Mitigate a specific rogue AP and its clients by sending a deauth DoS attack against them
rogue­ap Mitigate a specific rogue AP
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
interface Execute the command through a specific interface
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1

exec {jss­check|airwatch­check|aerohive­check} mobile­device <mac_addr> enroll­status

exec Execute a command to initiate a task immediately
jss­check Check the enrollment status of a mobile device on the JSS (JAMF software server)
airwatch­check Check the enrollment status of a mobile device on the AirWatch
aerohive­check Check the enrollment status of a mobile device on the Aerohive MDM server
mobile­device Set the MAC address or ID of a mobile device
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
enroll­status Retrieve the enrollment status of the mobile device

exit
exit Exit from the current mode

filter <number> l2 [ {data|ctl|mgmt} ] [ subtype <hex> ] [ src­mac <mac_addr> ] [ dst­mac <mac_addr> ]

[ bssid <mac_addr> ] [ tx­mac <mac_addr> ] [ rx­mac <mac_addr> ] [ error {crc|decrypt|mic|all|no} ] [
etype <hex> ]
filter Set packet capture filter parameters
<number> Enter a filter ID (Range: 1­64)
l2 Set packet capture filter for layer 2 parameters
data Filter by data traffic
ctl Filter by ctl traffic
mgmt Filter by mgmt traffic
subtype Filter by frame subtype
<hex> Enter frame subtype value
src­mac Filter by source MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 75/315
27/4/2016 Aerohive CLI Guide

dst­mac Filter by destination MAC address

Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
bssid Filter by BSSID
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
tx­mac Filter by transmitter MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
rx­mac Filter by receiver MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
error Filter by error condition
crc Filter by crc error
decrypt Filter by decrypt error
mic Filter by mic error
all Filter by all error
no Filter by no error
etype Filter by Ethernet value
<hex> Enter the value indicating an ethernet type (ARP:0806; IP:0800; IPX:8137; RARP:8035)

filter <number> l3 [ src­ip <ip_addr> ] [ dst­ip <ip_addr> ] [ protocol <number> ] [ src­port <number>
] [ dst­port <number> ]
filter Set packet capture filter parameters
<number> Enter a filter ID (Range: 1­64)
l3 Set packet capture filter for layer 3 parameters
src­ip Filter by source IP address
<ip_addr> Enter a source IP address
dst­ip Filter by destination IP address
<ip_addr> Enter a destination IP address
protocol Filter by protocol number in IP header
<number> Enter a protocol value (UDP:17; TCP:6 ICMP:1)
src­port Filter by source port filter
<number> Enter a source port number
dst­port Filter by destination port
<number> Enter a destination port number (HTTP:80; FTP:21; TELNET:23; DHCP:67; TFTP:79)

filter [ <number> ] [ direction bidirectional ]

filter Set packet capture filter parameters
<number> Enter a filter ID (Range: 1­64)
direction Set filter traffic flowing direction
bidirectional Filter traffic flowing in both directions

forwarding­engine drop {ip­fragmented­packets|to­self­non­management­traffic}

forwarding­engine Set parameters to shape the behavior of the forwarding engine
drop Set parameters for dropping packets
ip­fragmented­packets Drop fragmented IP packets
to­self­non­
Drop all non­management traffic destined to the HiveAP itself
management­traffic

forwarding­engine inter­ssid­flood enable

forwarding­engine Set parameters to shape the behavior of the forwarding engine

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 76/315
27/4/2016 Aerohive CLI Guide

inter­ssid­flood Forward multicast and broadcast traffic between access interfaces to protect SSIDs from
flooding (Default: Enabled)
enable Enable the protection of SSIDs from multicast and broadcast flooding

forwarding­engine l2­default­route interface <ethx> vlan <number> [ ­ <number> ]

forwarding­engine Set parameters to shape the behavior of the forwarding engine
Set the default Layer 2 route for VLANs that must use an interface other than eth0
l2­default­route
(Note: Do not set for the eth0 interface.)
Set the Ethernet interface that connects to the VLANs for which you want to create
interface
default routes (Note: Do not set this command for the eth0 interface.)
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
vlan Set a range of VLAN IDs that use the default Layer 2 route for the specified interface
<number> Enter the VLAN ID (Range: 1­4094)
­ Set a range of VLAN IDs
Enter the last VLAN ID in the range (Range: 1­4094; Note: The end of the VLAN ID range
<number>
must be equal to or greater than the VLAN ID at the start.)

forwarding­engine log {firewall­dropped­packets|to­self­sessions}

forwarding­engine
log
firewall­dropped­
packets
to­self­sessions
Set parameters to shape the behavior of the forwarding engine
Set logging parameters for packets
Log dropped packets that are denied by IP or MAC firewall policies (Default: Do not log
dropped packets)
Log the first packets of sessions destined for the HiveAP itself (Default: Do not log
first packets)

forwarding­engine mac­sessions sync­vlan

forwarding­engine Set parameters to shape the behavior of the forwarding engine
mac­sessions Set MAC session parameters
Enable the local AP to inform its neighbors of the VLAN ID assigned to a client that
sync­vlan initially connected it (Default: Disabled; Note: Enabling this option allows neighbors
to do a Layer 2 default route lookup based on VLAN.)

forwarding­engine max­ip­sessions­per­station <number>

forwarding­engine Set parameters to shape the behavior of the forwarding engine
max­ip­sessions­per­
Set the maximum number of IP sessions that can be created to or from a station
station
Enter the maximum IP sessions number per station (Range: 1­8000; Note: By default, IP
<number>
session limiting is disabled.)

forwarding­engine max­mac­sessions­per­station <number>

forwarding­engine Set parameters to shape the behavior of the forwarding engine
max­mac­sessions­per­
Set the maximum number of MAC sessions that can be created to or from a station
station
Enter the maximum MAC sessions number per station (Range: 1­8000; Note: By default, MAC
<number>
session limiting is disabled.)

forwarding­engine proxy­arp enable

forwarding­engine Set parameters to shape the behavior of the forwarding engine
proxy­arp Set ARP proxying parameters
enable Enable learning MAC addresses and proxy replies to ARP requests

forwarding­engine static­rule <string> action drop in­if <ethx|aggx|redx> dst­mac <mac_addr>

forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 77/315
27/4/2016 Aerohive CLI Guide
action Set the action to apply to packets matching the static packet­forwarding rule
drop Drop packets that match the rule
in­if Set the inbound interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

forwarding­engine static­rule <string> action drop in­if <ethx|aggx|redx> src­mac <mac_addr> dst­mac
<mac_addr>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
drop Drop packets that match the rule
in­if Set the inbound interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
src­mac Set the source MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

forwarding­engine static­rule <string> action drop in­if <ethx|aggx|redx> src­oui <oui> dst­mac
<mac_addr>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
drop Drop packets that match the rule
in­if Set the inbound interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
Set the source OUI, apply the rule to any MAC address sharing the same OUI as the MAC
src­oui
address
Enter the OUI (Note: You can use colons, dashes, or periods to format the OUI. Examples:
<oui>
Apple iPhone=00:1b:63; D­Link Phone=00­17­9a; Vocera=00.09.ef.)
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

forwarding­engine static­rule <string> action drop in­if <wifix.y> dst­mac <mac_addr> tx­mac
<mac_addr>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 78/315
27/4/2016 Aerohive CLI Guide
drop Drop packets that match the rule
in­if Set the inbound interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
Set the MAC address of the transmitter; that is the MAC address of the device on the
tx­mac
network that forwarded the frame to the HiveAP
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

forwarding­engine static­rule <string> action drop in­if <wifix.y> src­mac <mac_addr> dst­mac
<mac_addr> tx­mac <mac_addr>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
drop Drop packets that match the rule
in­if Set the inbound interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
src­mac Set the source MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
Set the MAC address of the transmitter; that is the MAC address of the device on the
tx­mac
network that forwarded the frame to the HiveAP
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

forwarding­engine static­rule <string> action drop in­if <wifix.y> src­oui <oui> dst­mac <mac_addr>
tx­mac <mac_addr>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
drop Drop packets that match the rule
in­if Set the inbound interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
Set the source OUI, apply the rule to any MAC address sharing the same OUI as the MAC
src­oui
address
Enter the OUI (Note: You can use colons, dashes, or periods to format the OUI. Examples:
<oui>
Apple iPhone=00:1b:63; D­Link Phone=00­17­9a; Vocera=00.09.ef.)
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
Set the MAC address of the transmitter; that is the MAC address of the device on the
tx­mac
network that forwarded the frame to the HiveAP
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

forwarding­engine static­rule <string> action pass in­if <ethx|aggx|redx> dst­mac <mac_addr> out­if
<ethx|aggx|redx>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule
Add a static packet­forwarding rule that preempts dynamic forwarding decisions

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 79/315
27/4/2016 Aerohive CLI Guide
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
pass Pass packets that match the rule
in­if Set the inbound interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
out­if Set the outbound interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0

forwarding­engine static­rule <string> action pass in­if <ethx|aggx|redx> dst­mac <mac_addr> out­if
<wifix.y> rx­mac <mac_addr>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
pass Pass packets that match the rule
in­if Set the inbound interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
out­if Set the outbound interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
Set the MAC address of the receiver; that is the MAC address of the device on the
rx­mac
network to which the HiveAP forwards the frame
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

forwarding­engine static­rule <string> action pass in­if <ethx|aggx|redx> src­mac <mac_addr> dst­mac
<mac_addr> out­if <ethx|aggx|redx>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
pass Pass packets that match the rule
in­if Set the inbound interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
src­mac Set the source MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

dst­mac Set the destination MAC address

Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 80/315
27/4/2016 Aerohive CLI Guide
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
out­if Set the outbound interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0

forwarding­engine static­rule <string> action pass in­if <ethx|aggx|redx> src­mac <mac_addr> dst­mac
<mac_addr> out­if <wifix.y> rx­mac <mac_addr>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
pass Pass packets that match the rule
in­if Set the inbound interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
src­mac Set the source MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
out­if Set the outbound interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
Set the MAC address of the receiver; that is the MAC address of the device on the
rx­mac
network to which the HiveAP forwards the frame
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

forwarding­engine static­rule <string> action pass in­if <ethx|aggx|redx> src­oui <oui> dst­mac
<mac_addr> out­if <ethx|aggx|redx>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
pass Pass packets that match the rule
in­if Set the inbound interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
Set the source OUI, apply the rule to any MAC address sharing the same OUI as the MAC
src­oui
address
Enter the OUI (Note: You can use colons, dashes, or periods to format the OUI. Examples:
<oui>
Apple iPhone=00:1b:63; D­Link Phone=00­17­9a; Vocera=00.09.ef.)
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
out­if Set the outbound interface

<ethx> Enter the name of an Ethernet interface, where x = 0 or 1

<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 81/315
27/4/2016 Aerohive CLI Guide
forwarding­engine static­rule <string> action pass in­if <ethx|aggx|redx> src­oui <oui> dst­mac
<mac_addr> out­if <wifix.y> rx­mac <mac_addr>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
pass Pass packets that match the rule
in­if Set the inbound interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
Set the source OUI, apply the rule to any MAC address sharing the same OUI as the MAC
src­oui
address
Enter the OUI (Note: You can use colons, dashes, or periods to format the OUI. Examples:
<oui>
Apple iPhone=00:1b:63; D­Link Phone=00­17­9a; Vocera=00.09.ef.)
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
out­if Set the outbound interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
Set the MAC address of the receiver; that is the MAC address of the device on the
rx­mac
network to which the HiveAP forwards the frame
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

forwarding­engine static­rule <string> action pass in­if <wifix.y> dst­mac <mac_addr> tx­mac
<mac_addr> out­if <ethx|aggx|redx>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
pass Pass packets that match the rule
in­if Set the inbound interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
Set the MAC address of the transmitter; that is the MAC address of the device on the
tx­mac
network that forwarded the frame to the HiveAP
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
out­if Set the outbound interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0

forwarding­engine static­rule <string> action pass in­if <wifix.y> dst­mac <mac_addr> tx­mac
<mac_addr> out­if <wifix.y> rx­mac <mac_addr>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
pass Pass packets that match the rule
in­if Set the inbound interface

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 82/315
27/4/2016 Aerohive CLI Guide
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
Set the MAC address of the transmitter; that is the MAC address of the device on the
tx­mac
network that forwarded the frame to the HiveAP
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
out­if Set the outbound interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
Set the MAC address of the receiver; that is the MAC address of the device on the
rx­mac
network to which the HiveAP forwards the frame
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

forwarding­engine static­rule <string> action pass in­if <wifix.y> src­mac <mac_addr> dst­mac
<mac_addr> tx­mac <mac_addr> out­if <ethx|aggx|redx>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
pass Pass packets that match the rule
in­if Set the inbound interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
src­mac Set the source MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
Set the MAC address of the transmitter; that is the MAC address of the device on the
tx­mac
network that forwarded the frame to the HiveAP
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
out­if Set the outbound interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0

forwarding­engine static­rule <string> action pass in­if <wifix.y> src­mac <mac_addr> dst­mac
<mac_addr> tx­mac <mac_addr> out­if <wifix.y> rx­mac <mac_addr>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
pass Pass packets that match the rule
in­if Set the inbound interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
src­mac Set the source MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
Set the MAC address of the transmitter; that is the MAC address of the device on the
tx­mac
network that forwarded the frame to the HiveAP

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 83/315
27/4/2016 Aerohive CLI Guide

<mac_addr> Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
out­if Set the outbound interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
Set the MAC address of the receiver; that is the MAC address of the device on the
rx­mac
network to which the HiveAP forwards the frame
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

forwarding­engine static­rule <string> action pass in­if <wifix.y> src­oui <oui> dst­mac <mac_addr>
tx­mac <mac_addr> out­if <ethx|aggx|redx>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
pass Pass packets that match the rule
in­if Set the inbound interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
Set the source OUI, apply the rule to any MAC address sharing the same OUI as the MAC
src­oui
address
Enter the OUI (Note: You can use colons, dashes, or periods to format the OUI. Examples:
<oui>
Apple iPhone=00:1b:63; D­Link Phone=00­17­9a; Vocera=00.09.ef.)
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
Set the MAC address of the transmitter; that is the MAC address of the device on the
tx­mac
network that forwarded the frame to the HiveAP
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
out­if Set the outbound interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0

forwarding­engine static­rule <string> action pass in­if <wifix.y> src­oui <oui> dst­mac <mac_addr>
tx­mac <mac_addr> out­if <wifix.y> rx­mac <mac_addr>
forwarding­engine Set parameters to shape the behavior of the forwarding engine
static­rule Add a static packet­forwarding rule that preempts dynamic forwarding decisions
<string> Enter the name of the packet­forwarding rule (1­32 chars)
action Set the action to apply to packets matching the static packet­forwarding rule
pass Pass packets that match the rule
in­if Set the inbound interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
Set the source OUI, apply the rule to any MAC address sharing the same OUI as the MAC
src­oui
address
Enter the OUI (Note: You can use colons, dashes, or periods to format the OUI. Examples:
<oui>
Apple iPhone=00:1b:63; D­Link Phone=00­17­9a; Vocera=00.09.ef.)
dst­mac Set the destination MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
Set the MAC address of the transmitter; that is the MAC address of the device on the
tx­mac
network that forwarded the frame to the HiveAP
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
out­if Set the outbound interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 84/315
27/4/2016 Aerohive CLI Guide
rx­mac Set the MAC address of the receiver; that is the MAC address of the device on the
network to which the HiveAP forwards the frame
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

forwarding­engine tunnel selective­multicast­forward allow­all except <ip_addr|ip_addr/mask>

forwarding­engine Set parameters to shape the behavior of the forwarding engine
tunnel Set tunnel (GRE tunnel or GRE­over­IPsec tunnel) parameters
selective­multicast­
Selective multicast forwarding through GRE tunnels
forward
Allow the forwarding of all IP multicast traffic through tunnels except for specified IP
allow­all
multicast groups
except Block specific IP multicast traffic through tunnels
Enter the IP address and netmask of the multicast group to block (Example: 224.1.1.1 or
<ip_addr>
224.1.1.0/24)
Enter the IP address and netmask of the multicast group to block (Example: 224.1.1.1 or
<ip_addr/netmask>
224.1.1.0/24)

forwarding­engine tunnel selective­multicast­forward block­all

forwarding­engine Set parameters to shape the behavior of the forwarding engine
tunnel Set tunnel (GRE tunnel or GRE­over­IPsec tunnel) parameters
selective­multicast­
Selective multicast forwarding through GRE tunnels
forward
Block the forwarding of all IP multicast traffic through tunnels except for specified IP
block­all
multicast groups

forwarding­engine tunnel selective­multicast­forward block­all except <ip_addr|ip_addr/mask>

forwarding­engine Set parameters to shape the behavior of the forwarding engine
tunnel Set tunnel (GRE tunnel or GRE­over­IPsec tunnel) parameters
selective­multicast­
Selective multicast forwarding through GRE tunnels
forward
Block the forwarding of all IP multicast traffic through tunnels except for specified IP
block­all
multicast groups
except Allow specific IP multicast traffic through tunnels
Enter the IP address and netmask of the multicast group to allow (Example: 224.1.1.1 or
<ip_addr>
224.1.1.0/24)
Enter the IP address and netmask of the multicast group to allow (Example: 224.1.1.1 or
<ip_addr/netmask>
224.1.1.0/24)

forwarding­engine tunnel tcp­mss­threshold enable

forwarding­engine Set parameters to shape the behavior of the forwarding engine
tunnel Set tunnel (GRE tunnel or GRE­over­IPsec tunnel) parameters
tcp­mss­threshold Set TCP MSS (Maximum Segment Size) parameters
enable Enable the TCP MSS threshold feature

forwarding­engine tunnel tcp­mss­threshold threshold­size <number>

forwarding­engine Set parameters to shape the behavior of the forwarding engine
tunnel Set tunnel (GRE tunnel or GRE­over­IPsec tunnel) parameters
tcp­mss­threshold Set TCP MSS (Maximum Segment Size) parameters
threshold­size Set the TCP MSS threshold size
Enter the TCP MSS size in bytes(GRE Tunnel Range: 64­1414; GRE­over­IPSec Tunnel Range:
<number>
64­1336)

history <number>
history Set the capacity for command history
<number>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 85/315
27/4/2016 Aerohive CLI Guide
Enter the max number of commands to store in command history (Default: 20; Range: 1­50)

hive <string>
hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)

hive <string> frag­threshold <number>

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
frag­threshold Set fragment threshold parameters for the hive
<number> Enter the fragment threshold in bytes for the hive (Default: 2346; Range: 256­2346)

hive <string> manage all

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
manage Set management service parameters
Enable all manageability options (ping, SNMP, SSH, and Telnet) for mgt0 through wireless
all backhaul interfaces in this hive (Defaults: ping enabled, SNMP disabled, SSH enabled,
Telnet disabled)

hive <string> manage {Telnet|SSH|SNMP|ping}

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
manage Set management service parameters
Enable Telnet manageability of mgt0 through wireless backhaul interfaces in this hive
Telnet
(Default: Disabled)
Enable SSH manageability of mgt0 through wireless backhaul interfaces in this hive
SSH
(Default: Enabled)
Enable SNMP manageability of mgt0 through wireless backhaul interfaces in this hive
SNMP
(Default: Disabled)
Enable mgt0 to respond to pings through subinterfaces bound to this SSID (Default:
ping
Enabled)

hive <string> neighbor connecting­threshold <number> polling­interval <number>

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
neighbor Set the threshold parameters for connecting wirelessly with neighboring hive members
Set the minimum signal strength threshold required for connecting with a neighboring
connecting­threshold
hive member
<number> Enter a minimum signal strength value in dBm (Default: ­80; Range: ­90~­55)
Set the time interval in minutes for polling the signal strength of neighboring hive
polling­interval
members
<number> Enter the polling time interval (Default: 1 minute; range: 1­60)

hive <string> neighbor connecting­threshold {low|medium|high} polling­interval <number>

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
neighbor Set the threshold parameters for connecting wirelessly with neighboring hive members
Set the minimum signal strength threshold required for connecting with a neighboring
connecting­threshold
hive member
low Set a relatively low minimum signal strength threshold (­85dBm)
medium Set a relatively moderate minimum signal strength threshold (­80dBm)
high Set a relatively high minimum signal strength threshold (­75dBm)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 86/315
27/4/2016 Aerohive CLI Guide
polling­interval Set the time interval in minutes for polling the signal strength of neighboring hive
members
<number> Enter the polling time interval (Default: 1 minute; range: 1­60)

hive <string> password <string>

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
password Set a key for hive member authentication
Enter a string (8­63 chars) for hive member authentication (Default: a default password
<string>
is derived from the hive name)

hive <string> rts­threshold <number>

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
rts­threshold Set the RTS (request to send) threshold for the hive
Enter the packet size for the RTS threshold for the hive (Default: 2346 bytes; Range: 1­
<number>
2346)

hive <string> security mac­filter <string>

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
security Set hive security parameters
mac­filter Assign a filter for MAC addresses or OUIs (organizational unique identifiers)
<string> Enter the filter name for MAC addresses or OUIs (organizational unique identifiers)

hive <string> security wlan dos station­level frame­type {assoc­req|auth|eapol} ban <number>
hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
security Set hive security parameters
wlan Set WLAN parameters
dos Set WLAN DoS (Denial of Service) parameters
station­level Set DoS parameters at station­level
frame­type Set WLAN DoS (Denial of Service) frame type
assoc­req Specify WLAN DoS frame type assoc­req
auth Specify WLAN DoS frame type auth
eapol Specify WLAN DoS frame type eapol
ban Set the period of time to ignore frames after a theshold has been crossed
Enter the period of time in seconds to ignore frames after a theshold has been crossed
<number>
(Default: 60; Min: 0 Max: None)

hive <string> security wlan dos station­level frame­type {assoc­req|auth|eapol} ban forever
hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
security Set hive security parameters
wlan Set WLAN parameters
dos Set WLAN DoS (Denial of Service) parameters
station­level Set DoS parameters at station­level
frame­type Set WLAN DoS (Denial of Service) frame type
assoc­req Specify WLAN DoS frame type assoc­req
auth Specify WLAN DoS frame type auth
eapol Specify WLAN DoS frame type eapol

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 87/315
27/4/2016 Aerohive CLI Guide
ban Set the period of time to ignore frames after a theshold has been crossed
forever Set ban forever

hive <string> security wlan dos {hive­level|station­level} frame­type {probe­req|probe­resp|assoc­

req|assoc­resp|disassoc|auth|deauth|eapol|all}
hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
security Set hive security parameters
wlan Set WLAN parameters
dos Set WLAN DoS (Denial of Service) parameters
hive­level Set DoS parameters at hive­level
station­level Set DoS parameters at station­level
frame­type Set WLAN DoS (Denial of Service) frame type
probe­req Specify WLAN DoS frame type probe­req
probe­resp Specify WLAN DoS frame type probe­resp
assoc­req Specify WLAN DoS frame type assoc­req
assoc­resp Specify WLAN DoS frame type assoc­resp
disassoc Specify WLAN DoS frame type disassoc
auth Specify WLAN DoS frame type auth
deauth Specify WLAN DoS frame type deauth
eapol Specify WLAN DoS frame type eapol
all Specify WLAN DoS frame type all

hive <string> security wlan dos {hive­level|station­level} frame­type {probe­req|probe­resp|assoc­

req|assoc­resp|disassoc|auth|deauth|eapol|all} alarm <number>
hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
security Set hive security parameters
wlan Set WLAN parameters
dos Set WLAN DoS (Denial of Service) parameters
hive­level Set DoS parameters at hive­level
station­level Set DoS parameters at station­level
frame­type Set WLAN DoS (Denial of Service) frame type
probe­req Specify WLAN DoS frame type probe­req
probe­resp Specify WLAN DoS frame type probe­resp
assoc­req Specify WLAN DoS frame type assoc­req
assoc­resp Specify WLAN DoS frame type assoc­resp
disassoc Specify WLAN DoS frame type disassoc
auth Specify WLAN DoS frame type auth
deauth Specify WLAN DoS frame type deauth
eapol Specify WLAN DoS frame type eapol
all Specify WLAN DoS frame type all
alarm Set the interval in seconds between alarms to indicate continuous DoS conditions
Enter the interval in seconds between alarms to indicate continuous DoS conditions
<number>
(Default: 60 secs; Min: 0 Max: None)

hive <string> security wlan dos {hive­level|station­level} frame­type {probe­req|probe­resp|assoc­

req|assoc­resp|disassoc|auth|deauth|eapol|all} threshold <number>
hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
security Set hive security parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 88/315
27/4/2016 Aerohive CLI Guide
wlan Set WLAN parameters
dos Set WLAN DoS (Denial of Service) parameters
hive­level Set DoS parameters at hive­level
station­level Set DoS parameters at station­level
frame­type Set WLAN DoS (Denial of Service) frame type
probe­req Specify WLAN DoS frame type probe­req
probe­resp Specify WLAN DoS frame type probe­resp
assoc­req Specify WLAN DoS frame type assoc­req
assoc­resp Specify WLAN DoS frame type assoc­resp
disassoc Specify WLAN DoS frame type disassoc
auth Specify WLAN DoS frame type auth
deauth Specify WLAN DoS frame type deauth
eapol Specify WLAN DoS frame type eapol
all Specify WLAN DoS frame type all
Set the frame threshold in ppm (packets per minute) that must be crossed to trigger an
threshold
alarm
Enter threshold in ppm (Default: hive­level probe­req 12000, probe­resp 24000, eapol
6000, auth 6000, assoc­req 6000, assoc­resp 2400, all others 1200; sta­level probe­req
<number>
1200 ppm, probe­resp 2400, eapol 600, auth 600, assoc­req 600, assoc­resp 240, all
others 120; Min: 0 Max: None)

hive <string> wlan­idp in­net­ap

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
Mitigate rogue APs and their clients only if the rogues are in the same backhaul network
in­net­ap
as the HiveAPs that detected them (Default: Mitigate all rogue APs and their clients)

hive <string> wlan­idp max­mitigator­num <number>

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
Set the maximum number of detector APs that can be assigned as mitigator APs to perform
max­mitigator­num
mitigation on a rogue and its clients
Enter the maximum number of mitigator APs (Default: 1; Range: 0­1024; 0 means all
<number>
detector APs can be assigned to perform rogue mitigation))

hive <string> wlan­idp mitigation­mode {automatic|semi­automatic|manual}

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
mitigation­mode Set the mode for mitigating rogue APs and their clients
Set the arbitrator AP to appoint a mitigator AP and start the mitigation process
automatic
automatically (Default: semi­automatic)
Set the arbitrator AP to appoint a mitigator AP automatically but start the mitigation
semi­automatic
process manually (Default: semi­automatic)
manual Set the mitigator AP and start the mitigation process manually (Default: semi­automatic)

hive <string> wlan­idp mitigation­mode {automatic|semi­automatic} action {mitigate|report}

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
mitigation­mode Set the mode for mitigating rogue APs and their clients

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 89/315
27/4/2016 Aerohive CLI Guide

automatic Set the arbitrator AP to appoint a mitigator AP and start the mitigation process
automatically (Default: semi­automatic)
Set the arbitrator AP to appoint a mitigator AP automatically but start the mitigation
semi­automatic
process manually (Default: semi­automatic)
Set the action that you want detector APs to take after discovering rogue APs and their
action
clients
mitigate Mitigate rogue APs and their clients (Default: Rogue mitigation)
report Report rogue APs and their clients (Default: Rogue mitigation)

hive <string> wlan­idp mitigator­reeval­period <number>

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
mitigator­reeval­ Set the recurring period of time after which the arbitrator AP reevaluates which HiveAPs
period to make mitigator APs
<number> Enter the period of time in minutes (Default: 5 mins; Range: 1­1440)

hive <string> wlan­idp query­interval <number>

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
query­interval Set a period of time in minutes for DA to query ap­classify info from HiveManager
Enter the period of time in minutes (Default: 60 mins; Range: 60­43200; Note: 43200
<number>
minutes is 30 days)

hive <string> wlan­idp wait­interval <number>

hive Create a hive or set hive parameters
<string> Enter a hive profile name (1­32 chars)
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
Set a time interval for a newly promoted arbitrator AP to wait for AP classification
wait­interval information from HiveManager or the previous arbitrator, or to wait for the previous
arbitrator to come back online, before taking over arbitration responsibilities
<number> Enter the time interval in minutes (Default: 1 minute; Range: 1­10)

hiveui cas client server name <string>

Enable the NetConfig UI for defining network settings, configuring settings to connect
hiveui
to HiveManager, and uploading a new HiveOS image
Set client and server parameters for CAS (Central Authentication Service) to
cas
authenticate users such as teachers accessing TeacherView
client Set parameters for the local AP to act as a CAS client
server Set parameters for communicating with the CAS server
name Set the IP address or resolvable domain name for the CAS server
<string> Enter the IP address or domain name (max 32 chars) of the CAS server

hiveui cas client server port <number>

Enable the NetConfig UI for defining network settings, configuring settings to connect
hiveui
to HiveManager, and uploading a new HiveOS image
Set client and server parameters for CAS (Central Authentication Service) to
cas
authenticate users such as teachers accessing TeacherView
client Set parameters for the local AP to act as a CAS client
server Set parameters for communicating with the CAS server
port Set the destination TCP port number for the CAS server
<number> [1~65535]Enter the TCP port number (Default: 443; Range: 1­65535)

hiveui enable
http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 90/315
27/4/2016 Aerohive CLI Guide

Enable the NetConfig UI for defining network settings, configuring settings to connect
hiveui
to HiveManager, and uploading a new HiveOS image
enable Enable the HiveUI

hostname <string>
hostname Set the hostname of the AP
<string> Enter the hostname of the AP (1­32 chars)

interface <blex> ibeacon [ uuid <string> ] [ major <number> ] [ minor <number> ] [ measured­power
<number> ]
interface Set interface parameters
<blex> Enter the name of the iBeacon interface, where x = 0
ibeacon Select the Bluetooth iBeacon device
uuid Set the UUID (universally unique identifier) of the iBeacon
<string> Enter the uuid (32 chars) (Default: 4165726F686976654E6574776F726B73 (AerohiveNetworks))
major Set the major value of the iBeacon device
<number> Enter the major (Default: 1; Range: 0­65535)
minor Set the minor value of the iBeacon device
<number> Enter the minor (Default: 1; Range: 0­65535)
measured­power Set measured power of the iBeacon device
<number> Enter the measured power value in dBm (Default: ­59; Range: ­128~127)

interface <blex> ibeacon enable

interface Set interface parameters
<blex> Enter the name of the iBeacon interface, where x = 0
ibeacon Select the Bluetooth iBeacon device
enable Enable the iBeacon device

interface <blex> ibeacon­monitor enable

interface Set interface parameters
<blex> Enter the name of the iBeacon interface, where x = 0
ibeacon­monitor Bluetooth iBeacon device monitor
enable Enable the iBeacon Monitor

interface <ethx> bind <aggx>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
bind Bind the Ethernet interface to a redundant or aggregate interface
<aggx> Enter the name of the aggregate interface, where x = 0

interface <ethx> bind <redx> [ primary ]

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
bind Bind the Ethernet interface to a redundant or aggregate interface
<redx> Enter the name of the redundant interface, where x = 0
Set the Ethernet interface as the primary interface of the redundant or aggregate
primary
interface (Default: eth0 is picked as the primary)

interface <ethx> client­monitor­policy <string>

interface Set interface parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 91/315
27/4/2016 Aerohive CLI Guide
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
Assign a Client Monitor policy to automatically detect, analyze and report problems
client­monitor­policy
about the clients which access network through the specified Ethernet interface
<string> Enter the Client Monitor policy name (1­32 chars)

interface <ethx> duplex {full|half|auto}

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
duplex Set the duplex for the interface
full Set the duplex of ethernet interface to full (Default: auto)
half Set the duplex of ethernet interface to half (Default: auto)
auto Set the duplex of ethernet interface to auto (Default: auto)

interface <ethx> ip <ip_addr/netmask>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
ip Set an IP address and netmask for the interface
<ip_addr/netmask> Enter the interface IP address and netmask

interface <ethx> mode wan

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
Set the operational mode for the interface (Default: backhaul except wan in case of
mode
usbnet)
Set the interface in WAN mode, making it a layer 3 interface through which the default
wan
IP route for traffic to and from the main LAN passes

interface <ethx> native­vlan <number>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
Set the native (untagged) VLAN used by the switch infrastructure in the surrounding
native­vlan
Ethernet network
<number> Enter the native (untagged) VLAN (Range: 1­4094)

interface <ethx> pppoe auth­method {pap|chap|any}

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
Set PPPoE (Point­to­Point Protocol over Ethernet) parameters for the WAN interface
pppoe
(Note: This command only applies to a device functioning as a router.)
Set the type of authentication protocol that the ISP requires clients to use (Default:
auth­method
any)
Use PAP (Password Authentication Protocol) as the method for sending authentication
pap
requests between the device and ISP
Use CHAP (Challenge Handshake Authentication Protocol) as the method for sending
chap
authentication requests between the device and ISP
any Use either PAP or CHAP

interface <ethx> pppoe enable

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
Set PPPoE (Point­to­Point Protocol over Ethernet) parameters for the WAN interface
pppoe
(Note: This command only applies to a device functioning as a router.)
enable Enable PPPoE

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 92/315
27/4/2016 Aerohive CLI Guide
interface <ethx> pppoe username <string> password <string>
interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
Set PPPoE (Point­to­Point Protocol over Ethernet) parameters for the WAN interface
pppoe
(Note: This command only applies to a device functioning as a router.)
Set the user name that the device sends to the ISP to authenticate itself when
username
establishing a PPPoE session with the access concentrator
<string> Enter the user name (1­64 chars)
password Set the password that the device uses to authenticate itself to the ISP
<string> Enter the password (1­64 chars)

interface <ethx> security­object <string>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
security­object Assign a security object to control network access through this interface
<string> Enter the security object name (1­32 chars)

interface <ethx> speed {10|100|1000|auto}

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
speed Set the speed for the interface
10 Set the speed of ethernet interface to 10 Mbps (Default: auto)
100 Set the speed of ethernet interface to 100 Mbps (Default: auto)
1000 Set the speed of ethernet interface to 1000 Mbps (Default: auto)
auto Set the speed of ethernet interface to auto Mbps (Default: auto)

interface <ethx> supplicant <string>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
supplicant Set parameters for 802.1x client on ethernet
<string> Enter the supplicant name (1­32 chars)

interface <ethx|aggx|redx> allowed­vlan <number> [ ­ <number> ]

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
allowed­vlan Set a list of VLAN IDs by which traffic allowed to cross the interface can be filtered
<number> Enter the VLAN ID to be allowed (Range: 1­4094)
­ Set a range of allowed VLAN IDs
Enter the last VLAN ID in the range (Range: 1­4094; Note: The end of the VLAN ID range
<number>
must be equal to or greater than the VLAN ID at the start.)

interface <ethx|aggx|redx> allowed­vlan {all|auto}

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
allowed­vlan Set a list of VLAN IDs by which traffic allowed to cross the interface can be filtered
all Allow traffic tagged with any VLAN ID

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 93/315
27/4/2016 Aerohive CLI Guide
auto Allow traffic whose VLAN ID matches that of the management interface, virtual management
interface, native VLAN, or the default VLAN configured in user profiles

interface <ethx|aggx|redx> inter­station­traffic

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
Set the HiveAP to permit traffic between stations connected to one or more of its access
inter­station­traffic
interfaces (Default: Enabled)

interface <ethx|aggx|redx> link­discovery {lldp|cdp}

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
Enable the communication of network­related information with neighboring network devices
link­discovery
through the interface (Default: LLDP enabled; CDP enabled)
lldp Set LLDP (Link Layer Discovery Protocol) parameters on the interface
cdp Set CDP (Cisco Discovery Protocol) parameters on the interface

interface <ethx|aggx|redx> mac­learning enable

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
mac­learning Set parameters for MAC address learning
enable Enable MAC address learning on the Ethernet interface

interface <ethx|aggx|redx> mac­learning idle­timeout <number>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
mac­learning Set parameters for MAC address learning
Set the timeout for automatically clearing an inactive dynamically learned MAC address
idle­timeout
from the MAC learning table
<number> Enter the timeout value in seconds (Default: 180; Range: 10­3600)

interface <ethx|aggx|redx> mac­learning static <mac_addr>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
mac­learning Set parameters for MAC address learning
static Set statically defined MAC address entries
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

interface <ethx|aggx|redx> manage {Telnet|SSH|SNMP|ping|all}

interface Set interface parameters
<ethx>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 94/315
27/4/2016 Aerohive CLI Guide
Enter the name of an Ethernet interface, where x = 0 or 1

<aggx> Enter the name of the aggregate interface, where x = 0

<redx> Enter the name of the redundant interface, where x = 0
manage Set management service parameters
Telnet Enable Telnet manageability of mgt0 through this interface (Default: Disabled)
SSH Enable SSH manageability of mgt0 through this interface (Default: Enabled)
SNMP Enable SNMP manageability of mgt0 through this interface (Default: Disabled)
ping Enable mgt0 to respond to pings through this interface (Default: Enabled)
Enable all manageability options (ping, SNMP, SSH, and Telnet) for mgt0 through this
all
interface

interface <ethx|aggx|redx> mode bridge­802.1q user­profile­attribute <number>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
Set the operational mode for the interface (Default: backhaul except wan in case of
mode
usbnet)
Set the interface in bridge­802.1Q mode, making it a VLAN­aware layer 2 interface to
enable the bridging of traffic between 802.1Q VLAN­capable devices in a wired LAN
bridge­802.1q
segment and the wireless LAN (Note: The default MAC route is never on an interface in
this mode.)
user­profile­attribute Map a RADIUS attribute to the user profile
<number> Enter a numeric value for a single RADIUS attribute (Default:0; Range: 0­4095)

interface <ethx|aggx|redx> mode {bridge­802.1q|backhaul}

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
Set the operational mode for the interface (Default: backhaul except wan in case of
mode
usbnet)
Set the interface in bridge­802.1Q mode, making it a VLAN­aware layer 2 interface to
enable the bridging of traffic between 802.1Q VLAN­capable devices in a wired LAN
bridge­802.1q
segment and the wireless LAN (Note: The default MAC route is never on an interface in
this mode.)
Set the interface in backhaul mode, making it a VLAN­aware layer 2 interface through
backhaul
which the default MAC route for traffic to and from the main LAN passes

interface <ethx|aggx|redx> qos­classifier <string>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
qos­classifier Assign a QoS classification profile (classifier) to the interface
<string> Enter the QoS classifier profile name (1 to 32 chars)

interface <ethx|aggx|redx> qos­marker <string>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
qos­marker Assign a QoS marker profile to the interface

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 95/315
27/4/2016 Aerohive CLI Guide
<string> Enter the QoS marker profile name (1 to 32 chars)

interface <ethx|aggx|redx> rate­limit broadcast <number>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
rate­limit Set parameter for interface­based rate limiting
broadcast Set broadcast traffic rate limiting
Enter the maximum rate for incoming broadcast traffic for the interface (Default: 10000
<number>
Kbps; Range: 0­20000)

interface <ethx|aggx|redx> rate­limit multicast <number>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
rate­limit Set parameter for interface­based rate limiting
multicast Set multicast traffic rate limiting
Enter the maximum rate for incoming multicast traffic for the interface (Default: 20000
<number>
Kbps; Range: 0­20000)

interface <ethx|aggx|redx> rate­limit unicast <number>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
rate­limit Set parameter for interface­based rate limiting
unicast Set unicast traffic rate limiting
Enter the maximum rate for incoming unicast traffic for the interface (Default: 1000000
<number>
Kbps; Range: 0­1000000)

interface <ethx|aggx|redx> rate­limit {multicast|broadcast|unicast} enable

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
rate­limit Set parameter for interface­based rate limiting
multicast Set multicast traffic rate limiting
broadcast Set broadcast traffic rate limiting
unicast Set unicast traffic rate limiting
Enable rate limiting on the interface for this type of traffic (Default:
enable
multicast/broadcast Enable,unicast Disable)

interface <ethx|aggx|redx> shutdown

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
shutdown Disable the interface

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 96/315
27/4/2016 Aerohive CLI Guide
interface <ethx|redx|aggx> mode bridge­access [ user­profile­attribute <number> ]
interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<redx> Enter the name of the redundant interface, where x = 0
<aggx> Enter the name of the aggregate interface, where x = 0
Set the operational mode for the interface (Default: backhaul except wan in case of
mode
usbnet)
Set the interface in bridge­access mode, making it a layer 2 interface to enable the
bridge­access bridging of traffic between devices in a single VLAN in a wired LAN segment and the
wireless LAN (Note: The default MAC route is never on an interface in this mode.)
user­profile­attribute Map a RADIUS attribute to the user profile
<number> Enter a numeric value for a single RADIUS attribute (Default:0; Range: 0­4095)

interface <ethx|usbnetx> mode wan nat

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<usbnetx> Enter the name of the wireless USB modem interface, where x = 0
Set the operational mode for the interface (Default: backhaul except wan in case of
mode
usbnet)
Set the interface in WAN mode, making it a layer 3 interface through which the default
wan
IP route for traffic to and from the main LAN passes
Enable NAT (network address translation) on the interface to translate the source IP
nat address and port number in from­access packets to the IP address of the Ethernet/USB
network interface and a randomly chosen port number (Default: Enabled)

interface <ethx|usbnetx> mode wan nat­policy <string>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<usbnetx> Enter the name of the wireless USB modem interface, where x = 0
Set the operational mode for the interface (Default: backhaul except wan in case of
mode
usbnet)
Set the interface in WAN mode, making it a layer 3 interface through which the default
wan
IP route for traffic to and from the main LAN passes
nat­policy Enable NAT (network address translation) policy on the interface
<string> Enter ip nat policy name (1­32 chars)

interface <ethx|usbnetx> mode wan priority <number>

interface Set interface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<usbnetx> Enter the name of the wireless USB modem interface, where x = 0
Set the operational mode for the interface (Default: backhaul except wan in case of
mode
usbnet)
Set the interface in WAN mode, making it a layer 3 interface through which the default
wan
IP route for traffic to and from the main LAN passes
priority Set wan priority for the interface
Enter the priority, where a smaller number means a higher priority (Default: eth0 ­ 1 |
<number>
ethx ­ x * 10 | usbnet0 ­ 600 ; Range: 1 ­ 9999)

interface <mgtx.y> ip <ip_addr/netmask>

interface Set interface parameters
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
ip Set IP address for the virtual management interface
<ip_addr/netmask> Enter the virtual management interface IP address and netmask

interface <mgtx.y> manage ping

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 97/315
27/4/2016 Aerohive CLI Guide
interface Set interface parameters
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
manage Set management service parameters
ping Enable the virtual management interface to respond to pings (Default: Enabled)

interface <mgtx.y> vlan <number>

interface Set interface parameters
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
vlan Set the VLAN ID for the interface
<number> Enter the VLAN ID (Default: 1; Range: 1­4094)

interface <mgtx> default­ip­prefix <ip_addr/netmask>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
Set the network address to combine with the automatically generated host IP address to
default­ip­prefix
make a complete IP address (The netmask for the default IP address is 255.255.0.0)
Enter the network address/netmask (Default: 192.168.0.0/16; Note: Only 8, 16, and 24­bit
<ip_addr/netmask>
netmasks are supported.)

interface <mgtx> default­ip­prefix <ip_addr>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
Set the network address to combine with the automatically generated host IP address to
default­ip­prefix
make a complete IP address (The netmask for the default IP address is 255.255.0.0)
<ip_addr> Enter the network address (Default: 192.168.0.0)

interface <mgtx> dhcp client fallback­to­static­ip

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
dhcp Set DHCP parameters
client Set DHCP client parameters
Assign the static IP address to mgt0 when it does not receive an address through DHCP by
fallback­to­static­ip
the end of the timeout interval

interface <mgtx> dhcp keepalive enable

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
dhcp Set DHCP parameters
Set parameters for periodically checking network connectivity to DHCP servers on
keepalive
different VLANs
Enable the checking of network connectivity to DHCP servers in the specified VLAN range
enable and also in VLANs set in user profile definitions or assigned by RADIUS servers, the
native VLAN, and the management interface VLAN (Default: Disabled)

interface <mgtx> dhcp keepalive interval <number>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
dhcp Set DHCP parameters
Set parameters for periodically checking network connectivity to DHCP servers on
keepalive
different VLANs
interval Set the interval between periodic connectivity status checks
<number> Enter the interval in seconds (Range: 60­86400; Default: 3600)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 98/315
27/4/2016 Aerohive CLI Guide
interface <mgtx> dhcp keepalive retry <number>
interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
dhcp Set DHCP parameters
Set parameters for periodically checking network connectivity to DHCP servers on
keepalive
different VLANs
Set the number of times to retry sending a probe that does not elicit a response from a
retry
DHCP server
<number> Enter the retry value (Range: 1­10; Default: 2)

interface <mgtx> dhcp keepalive timeout <number>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
dhcp Set DHCP parameters
Set parameters for periodically checking network connectivity to DHCP servers on
keepalive
different VLANs
timeout Set the timeout for waiting for a response to a DHCP probe
<number> Enter the timeout value in seconds (Range: 1­60; Default:10)

interface <mgtx> dhcp keepalive vlan <number> [ <number> ]

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
dhcp Set DHCP parameters
Set parameters for periodically checking network connectivity to DHCP servers on
keepalive
different VLANs
vlan Set the range of VLANs in which to probe for DHCP servers
<number> Enter the start of the VLAN range (Range: 1­4094)
<number> Enter the end of the VLAN range (Range: 1­4094)

interface <mgtx> dhcp­probe vlan­range <number> <number> [ timeout <number> ] [ retries <number> ]
interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
dhcp­probe Probe for DHCP servers in one or more VLANs
vlan­range Set the range of VLANs in which to probe for a DHCP server
<number> Enter the start of the VLAN range (Range: 1­4094)
<number> Enter the end of the VLAN range (Range: 1­4094)
timeout Set the timeout for waiting for a response to a probe
<number> Enter the timeout value (Default: 10 secs; Range: 1­60)
Set the number of times to retry sending a probe that does not elicit a response from a
retries
DHCP server
<number> Enter the retry value (Default: 1; Range: 1­10)

interface <mgtx> hive <string>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
Set the hive profile to the mgt0 interface or enable/disable the wifi interface used for
hive
hive communications
<string> Enter a hive profile name (1­32 chars)

interface <mgtx> ip <ip_addr/netmask>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 99/315
27/4/2016 Aerohive CLI Guide
ip Set mgt0 IP address
<ip_addr/netmask> Enter mgt0 IP address/netmask

interface <mgtx> ip <ip_addr> <netmask>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
ip Set mgt0 IP address
<ip_addr> Enter mgt0 IP address
<netmask> Enter mgt0 netmask

interface <mgtx> ipv6 <ipv6_addr/mask> [ eui­64 ]

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
ipv6 Set mgt0 IPv6 address
<ipv6_addr/mask> Enter mgt0 IPv6 address/netmask
eui­64 Use eui­64 interface identifier

interface <mgtx> ipv6 <ipv6_addr> link­local

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
ipv6 Set mgt0 IPv6 address
<ipv6_addr> Enter mgt0 IPv6 link local address
link­local Set mgt0 ipv6 link­local address

interface <mgtx> ipv6 autoconfig

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
ipv6 Set mgt0 IPv6 address
autoconfig Enable IPv6 autoconfig

interface <mgtx> ipv6 dhcp client

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
ipv6 Set mgt0 IPv6 address
dhcp Set DHCP parameters
client Set DHCP client parameters

interface <mgtx> mtu <number>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
mtu Set the MTU (maximum transmission unit) to determine when to start fragmenting packets
<number> Enter the MTU value in bytes (Default: 1500; Range: 100­1500)

interface <mgtx> native­vlan <number>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
Set the native (untagged) VLAN that the switch infrastructure in the surrounding wired
native­vlan
and wireless backhaul network uses
<number> Enter the native (untagged) VLAN (Default: 1; Range: 1­4094)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 100/315
27/4/2016 Aerohive CLI Guide
interface <mgtx> vlan <number>
interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
Set the VLAN for administrative access to the HiveAP, management traffic between HiveAPs
vlan
and HiveManager, and control traffic among hive members
<number> Enter the VLAN ID for the interface (Default: 1; Range: 1­4094)

interface <mgtx|ethx> dhcp client

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
dhcp Set DHCP parameters
client Set DHCP client parameters

interface <mgtx|ethx> dhcp client address­only

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
dhcp Set DHCP parameters
client Set DHCP client parameters
Set the AP to use only the IP address, netmask, and gateway received through DHCP
address­only
instead of all TCP/IP settings (Default: Use all TCP/IP settings received through DHCP)

interface <mgtx|ethx> dhcp client option custom ppsk­server­ip <number>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
dhcp Set DHCP parameters
client Set DHCP client parameters
option Set DHCP client options
custom Set DHCP client custom options
ppsk­server­ip Set a custom DHCP option ID for a private PSK server
<number> Enter the custom DHCP option ID (Range: 1­255; Suggested ID numbers: private PSK = 229)

interface <mgtx|ethx> dhcp client option custom radius­server­ip <number>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
dhcp Set DHCP parameters
client Set DHCP client parameters
option Set DHCP client options
custom Set DHCP client custom options
radius­server­ip Set a custom DHCP option ID for a RADIUS authentication or accounting server
Enter the custom DHCP option ID for a RADIUS authentication server (Range: 1­255;
<number>
Suggested ID numbers: RADIUS authentication = 230)

interface <mgtx|ethx> dhcp client option custom radius­server­ip accounting <number>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 101/315
27/4/2016 Aerohive CLI Guide
dhcp Set DHCP parameters
client Set DHCP client parameters
option Set DHCP client options
custom Set DHCP client custom options
radius­server­ip Set a custom DHCP option ID for a RADIUS authentication or accounting server
accounting Set a custom DHCP option ID for a RADIUS accounting server
Enter the custom DHCP option ID for a RADIUS accounting server (Range: 1­255; Suggested
<number>
ID numbers: RADIUS accounting = 231)

interface <mgtx|ethx> dhcp client option custom {syslog­server­ip|hivemanager­ip|backup­hivemanager­

ip} <number>
interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
dhcp Set DHCP parameters
client Set DHCP client parameters
option Set DHCP client options
custom Set DHCP client custom options
syslog­server­ip Set a custom DHCP option ID for a syslog server ip
hivemanager­ip Set a custom DHCP option ID for HiveManager ip
backup­hivemanager­ip Set a custom DHCP option ID for Backup HiveManager ip
Enter the custom DHCP option ID (Range: 1­255; Suggested ID numbers: HiveManager ip =
<number>
226; Syslog server ip = 228; Backup Hivemanager ip = 233)

interface <mgtx|ethx> dhcp client option custom {syslog­server|hivemanager|backup­hivemanager}

<number>
interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
dhcp Set DHCP parameters
client Set DHCP client parameters
option Set DHCP client options
custom Set DHCP client custom options
syslog­server Set a custom DHCP option ID for a syslog server name
hivemanager Set a custom DHCP option ID for HiveManager name
backup­hivemanager Set a custom DHCP option ID for Backup HiveManager name
Enter the custom DHCP option ID (Range: 1­255; Suggested ID numbers : HiveManager name=
<number>
225; Syslog server name= 227; Backup HiveManagername=232)

interface <mgtx|ethx> dhcp client prefer­subnet <ip_addr/netmask>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
dhcp Set DHCP parameters
client Set DHCP client parameters
prefer­subnet Set prefer subnet for DHCP client
<ip_addr/netmask> Enter prefer subnet for DHCP client

interface <mgtx|ethx> dhcp client timeout <number>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
Enter the name of an Ethernet interface, where x = 0 or 1

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 102/315
27/4/2016 Aerohive CLI Guide
<ethx>

dhcp Set DHCP parameters

client Set DHCP client parameters
Set the interval to wait for a response from the DHCP server before applying the admin­
timeout
defined or default network settings
<number> Enter the timeout value in seconds (Default: 20; Range: 0­3600)

interface <mgtx|mgtx.y> dhcp­server enable

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
enable Enable the DHCP server on the interface

interface <mgtx|mgtx.y> dhcp­server ip­binding <ip_addr> <mac_addr>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
ip­binding Set binding parameters between the IP address and MAC address of a client
<ip_addr> Enter the IP address in the static lease
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

interface <mgtx|mgtx.y> dhcp­server ip­pool <ip_addr> <ip_addr>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
Set the IP address pool from which the DHCP server draws addresses when making
ip­pool
assignments
<ip_addr> Enter the first address in the range that makes up the IP address pool
<ip_addr> Enter the last address in the range that makes up the IP address pool

interface <mgtx|mgtx.y> dhcp­server options custom <number> hex <string>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
custom Set a custom DHCP option
Enter the custom option number (Ranges: 1­224, 227­254; Note: Numbers 1­179 are standard
<number> DHCP options; use with caution. Number 43 is reserved for Vendor specific; Numbers 225
and 226 are reserved for HiveManager.)
hex Set the custom option data type as a hexadecimal digit
Enter the hexadecimal digit (1­254 chars; Note: For option 46, which sets the NetBIOS
<string>
over TCP/IP node type, the string must be 1, 2, 4, or 8.)

interface <mgtx|mgtx.y> dhcp­server options custom <number> integer <number>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 103/315
27/4/2016 Aerohive CLI Guide
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
custom Set a custom DHCP option
Enter the custom option number (Ranges: 1­224, 227­254; Note: Numbers 1­179 are standard
<number> DHCP options; use with caution. Number 43 is reserved for Vendor specific; Numbers 225
and 226 are reserved for HiveManager.)
integer Set the custom option data type as an integer
<number> Enter the integer (Range: 0­2147483647)

interface <mgtx|mgtx.y> dhcp­server options custom <number> ip <ip_addr>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
custom Set a custom DHCP option
Enter the custom option number (Ranges: 1­224, 227­254; Note: Numbers 1­179 are standard
<number> DHCP options; use with caution. Number 43 is reserved for Vendor specific; Numbers 225
and 226 are reserved for HiveManager.)
ip Set the custom option data type as an IP address
<ip_addr> Enter the IP address

interface <mgtx|mgtx.y> dhcp­server options custom <number> string <string>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
custom Set a custom DHCP option
Enter the custom option number (Ranges: 1­224, 227­254; Note: Numbers 1­179 are standard
<number> DHCP options; use with caution. Number 43 is reserved for Vendor specific; Numbers 225
and 226 are reserved for HiveManager.)
string Set the custom option data type as a string
<string> Enter the string (1­255 chars)

interface <mgtx|mgtx.y> dhcp­server options default­gateway <ip_addr> [ {nat­support} ]

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
default­gateway Set the default gateway for DHCP clients
Enter the default gateway (Note: The gateway IP address cannot be the same as that of
<ip_addr>
the interface.)
Enable NAT support(Note: AP will automatically generates ARP response for default
nat­support
gateway specified in DHCP server options.)

interface <mgtx|mgtx.y> dhcp­server options domain­name <string>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 104/315
27/4/2016 Aerohive CLI Guide
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
domain­name Set the domain name for DHCP clients
<string> Enter the domain name (1­32 chars)

interface <mgtx|mgtx.y> dhcp­server options hivemanager <ip_addr>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
hivemanager Set the IP address or domain name of the HiveManager that you want APs to contact
<ip_addr> Enter the IP address (Note: Use DHCP option 226.)

interface <mgtx|mgtx.y> dhcp­server options hivemanager <string>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
hivemanager Set the IP address or domain name of the HiveManager that you want APs to contact
<string> Enter the domain name (Length: 1­64 chars; Note: Use DHCP option 225.)

interface <mgtx|mgtx.y> dhcp­server options lease­time <number>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
lease­time Set the length of the DHCP lease
<number> Enter the lease time in seconds (Default: 86400; Range: 60­86400000)

interface <mgtx|mgtx.y> dhcp­server options mtu <number>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
mtu Set the path MTU (maximum transmission unit)
<number> Enter the MTU value (Range: 68­8192)

interface <mgtx|mgtx.y> dhcp­server options netmask <netmask>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
netmask Set the netmask for DHCP clients
<netmask>
Enter the netmask (Default: The same as the interface netmask.)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 105/315
27/4/2016 Aerohive CLI Guide
interface <mgtx|mgtx.y> dhcp­server options vendor­specific VCI <string>
interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
vendor­specific Set the vendor­specific parameter
VCI Set vendor class identifier
<string> Enter the VCI name (1­32 chars)(Note: VCI of aerohive is AEROHIVE)

interface <mgtx|mgtx.y> dhcp­server options vendor­specific VCI <string> <number> ip <ip_addr>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
vendor­specific Set the vendor­specific parameter
VCI Set vendor class identifier
<string> Enter the VCI name (1­32 chars)(Note: VCI of aerohive is AEROHIVE)
Enter the DHCP vendor­specific sub­option ID(Ranges: 1­255; Suggested ID numbers and
types: HiveManager: 225 string, 226 IP; syslog: 227 string, 228 IP; private PSK: 229 IP;
<number>
RADIUS authentication: 230 IP; RADIUS accounting: 231 IP; Backup HiveManager: 232
string, 233 IP)
ip Set the custom option data type as an IP address
<ip_addr> Enter the IP address

interface <mgtx|mgtx.y> dhcp­server options vendor­specific VCI <string> <number> string <string>
interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
vendor­specific Set the vendor­specific parameter
VCI Set vendor class identifier
<string> Enter the VCI name (1­32 chars)(Note: VCI of aerohive is AEROHIVE)
Enter the DHCP vendor­specific sub­option ID(Ranges: 1­255; Suggested ID numbers and
types: HiveManager: 225 string, 226 IP; syslog: 227 string, 228 IP; private PSK: 229 IP;
<number>
RADIUS authentication: 230 IP; RADIUS accounting: 231 IP; Backup HiveManager: 232
string, 233 IP)
string Set the vendor­specific sub­option data type as a string
<string> Enter the string (1­253 chars)

interface <mgtx|mgtx.y> dhcp­server options {dns1|dns2|dns3} <ip_addr>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
Set the IP address of the primary DNS (Domain Name System) server that you want DHCP
dns1
clients to use
dns2 Set the IP address of the secondary DNS server
dns3 Set the IP address of the tertiary DNS server

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 106/315
27/4/2016 Aerohive CLI Guide
Enter the IP address (Note: The DNS server IP address cannot be the same as that of the
<ip_addr>
interface.)

interface <mgtx|mgtx.y> dhcp­server options {logsrv|pop3|smtp} <ip_addr>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
logsrv Set the IP address of the log server that is available for DHCP clients
Set the IP address of the POP3 (Post Office Protocol v3) server that you want DHCP
pop3
clients to use
Set the IP address of the SMTP (Simple Mail Transfer Protocol) server that you want DHCP
smtp
clients to use
<ip_addr> Enter the IP address

interface <mgtx|mgtx.y> dhcp­server options {ntp1|ntp2} <ip_addr>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
Set the IP address of the primary NTP (Network Time Protocol) server with which DHCP
ntp1
clients can synchronize their clocks
Set the IP address of the secondary NTP (Network Time Protocol) server with which DHCP
ntp2
clients can synchronize their clocks
<ip_addr> Enter the IP address

interface <mgtx|mgtx.y> dhcp­server options {wins1|wins2} <ip_addr>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
Set the IP address of the primary WINS (Windows Internet Name Service) server for
wins1
NetBIOS name­to­address resolution
Set the IP address of the secondary WINS (Windows Internet Name Service) server for
wins2
NetBIOS name­to­address resolution
<ip_addr> Enter the IP address

interface <mgtx|mgtx.y> dhcp­server reserved­address <ip_addr> <ip_addr>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
reserved­address Reserve a range of IP addresses for static allocations
<ip_addr> Enter the first IP address in the reserved range
<ip_addr> Enter the last IP address in the reserved range

interface <mgtx|mgtx.y> dhcp­server {arp­check|authoritative­flag}

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 107/315
27/4/2016 Aerohive CLI Guide
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Set DHCP server parameters
Use ARP to check that an IP address is not already in use on the network before
arp­check
assigning it to a DHCP client (Default: Enabled)
Set the DHCP server as authoritative (Default: Authoritative; Note: An authoritative
authoritative­flag DHCP server can send NAKs in response to DHCP requests for addresses in a different
subnet from those in the configured IP pool.)

interface <mgtx|mgtx.y> dns­server enable

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dns­server Set DNS server parameters
enable Enable the DNS server on the interface

interface <mgtx|mgtx.y> dns­server ext­resolve {dns1|dns2|dns3} <ip_addr>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dns­server Set DNS server parameters
Set the external DNS servers used to resolve all domain names not specified for
ext­resolve
resolution by internal DNS servers
dns1 Set the IP address of the primary external DNS server
dns2 Set the IP address of the secondary external DNS server
dns3 Set the IP address of the tertiary external DNS server dns3
<ip_addr> Enter the IP address of the external DNS server

interface <mgtx|mgtx.y> dns­server int­domain­name <string> [ <ip_addr> ]

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dns­server Set DNS server parameters
int­domain­name Set a domain name for resolution by internal DNS servers
Enter the domain name (Max 32 chars; Note: Domain names are matched with implicit
<string> wildcards at the left end of the string; for example, both "www.aerohive.com" and
"www.my­hive.com" match the domain name string "hive.com".)
<ip_addr> Enter the IP address of the internal DNS server to use for this domain name

interface <mgtx|mgtx.y> dns­server int­resolve {dns1|dns2|dns3} <ip_addr>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dns­server Set DNS server parameters
Set the DNS servers on the internal network used to resolve domain names in the match
int­resolve
list
dns1 Set the IP address of the primary internal DNS server
dns2 Set the IP address of the secondary internal DNS server
dns3 Set the IP address of the tertiary internal DNS server dns3
<ip_addr> Enter the IP address of the internal DNS server

interface <mgtx|mgtx.y> dns­server mode {split|nonsplit}

interface Set interface parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 108/315
27/4/2016 Aerohive CLI Guide
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dns­server Set DNS server parameters
mode Set the mode for responding to domain name resolution queries (Default: split)
Forward queries only for domain names in a match list to internal DNS servers and
split
forward queries for everything else to external DNS servers
nonsplit Forward all queries to internal DNS servers

interface <mgtx|mgtx.y> dns­server opendns­device­id <string>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dns­server Set DNS server parameters
opendns­device­id Set the device ID to use with OpenDNS
<string> Enter the device ID (16­char hex string)

interface <mgtx|mgtx.y> ip­helper address <ip_addr>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
ip­helper Forward DHCP broadcast packets to a DHCP server
address Set the DHCP server IP address
<ip_addr> Enter the IP address

interface <mgtx|mgtx.y> ip­helper max­hops <number>

interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
ip­helper Forward DHCP broadcast packets to a DHCP server
max­hops Set the DHCP relay max Hops, default hops is 4
<number> Enter the integer (Range: 1­16)

interface <mgtx|vlanx> dhcp­server options vendor­specific VCI <string> <number> hex <string>
interface Set interface parameters
<mgtx> Enter the name of the management interface, where x = 0
<vlanx> Dup
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
vendor­specific Set the vendor­specific parameter
VCI Set vendor class identifier
<string> Enter the VCI name (1­32 chars)(Note: VCI of aerohive is AEROHIVE)
Enter the DHCP vendor­specific sub­option ID(Ranges: 1­255; Suggested ID numbers and
types: HiveManager: 225 string, 226 IP; syslog: 227 string, 228 IP; private PSK: 229 IP;
<number>
RADIUS authentication: 230 IP; RADIUS accounting: 231 IP; Backup HiveManager: 232
string, 233 IP)
hex Set the custom option data type as a hexadecimal digit
Enter the hexadecimal digit (1­256 chars; Note: For option 46, which sets the NetBIOS
<string>
over TCP/IP node type, the string must be 1, 2, 4, or 8.)

interface <mgtx|vlanx> dhcp­server options vendor­specific VCI <string> <number> integer <number>
interface Set interface parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 109/315
27/4/2016 Aerohive CLI Guide

<mgtx> Enter the name of the management interface, where x = 0

<vlanx> Dup
dhcp­server Set DHCP server parameters
options Set the DHCP options to be included in DHCPOFFER and DHCPACK messages
vendor­specific Set the vendor­specific parameter
VCI Set vendor class identifier
<string> Enter the VCI name (1­32 chars)(Note: VCI of aerohive is AEROHIVE)
Enter the DHCP vendor­specific sub­option ID(Ranges: 1­255; Suggested ID numbers and
types: HiveManager: 225 string, 226 IP; syslog: 227 string, 228 IP; private PSK: 229 IP;
<number>
RADIUS authentication: 230 IP; RADIUS accounting: 231 IP; Backup HiveManager: 232
string, 233 IP)
integer Set the custom option data type as an integer
<number> Enter the integer (Range: 0­2147483647)

interface <wifix> hive <string> shutdown

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
Set the hive profile to the mgt0 interface or enable/disable the wifi interface used for
hive
hive communications
<string> Enter a hive profile name (1­32 chars)
shutdown Disable the wifi subinterface used for hive communications

interface <wifix> link­discovery {lldp|cdp}

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
Enable the communication of network­related information with neighboring network devices
link­discovery
through the interface (Default: LLDP enabled; CDP enabled)
lldp Set LLDP (Link Layer Discovery Protocol) on the interface in backhaul mode
cdp Set CDP (Cisco Discovery Protocol) on the interface in backhaul mode

interface <wifix> mode {access|backhaul|dual|sensor}

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
mode Set the operational mode for the interface
Set the operational mode of the interface to access (Default: access (wifi0), dual
access
(wifi1))
Set the operational mode of the interface to backhaul (Default: access (wifi0), dual
backhaul
(wifi1))
Set the operational mode of the interface to dual so that it can provide both access and
dual
backhaul services (Default: access (wifi0), dual (wifi1))
Set the operational mode of the interface to sensor (Default: access (wifi0), dual
sensor
(wifi1))

interface <wifix> radio antenna diversity

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
radio Set parameters for the wifi radio interface
antenna Set the antenna parameters for the interface
diversity Set radio antenna diversity

interface <wifix> radio channel <string>

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 110/315
27/4/2016 Aerohive CLI Guide
radio Set parameters for the wifi radio interface
channel Set the radio channel for the interface
Enter the frequency with an optional suffix (G: GHz; M: MHz; K: KHz;), or the channel
<string> number, or "auto" to allow ACSP (Advanced Channel Selection Protocol) to select a
channel automatically (Default: auto)

interface <wifix> radio channel exclude <string>

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
radio Set parameters for the wifi radio interface
channel Set the radio channel for the interface
exclude Exclude a channel from the list of available ACSP channels
Enter the frequency with an optional suffix (G: GHz; M: MHz; K: KHz;), or the channel
<string>
number

interface <wifix> radio power <number>

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
radio Set parameters for the wifi radio interface
power Set the radio power for an interface
<number> Enter the radio power (in dBm) for an interface (Default: auto; Range: 1­20 dBm)

interface <wifix> radio power auto

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
radio Set parameters for the wifi radio interface
power Set the radio power for an interface
auto Set the radio power to be adjusted automatically

interface <wifix> radio power auto floor <number>

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
radio Set parameters for the wifi radio interface
power Set the radio power for an interface
auto Set the radio power to be adjusted automatically
floor Set the minimum radio power for automatic adjustment
<number> Enter the minimum radio power(Default: 5; Range: 2­20 dBm)

interface <wifix> radio power auto maxdrop <number>

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
radio Set parameters for the wifi radio interface
power Set the radio power for an interface
auto Set the radio power to be adjusted automatically
maxdrop Set the maximum drop in radio transmission power
<number> Enter the minimum radio power(Default: 9; Range: 0­20 dBm)

interface <wifix> radio profile <string>

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
radio Set parameters for the wifi radio interface

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 111/315
27/4/2016 Aerohive CLI Guide

profile Set radio profile parameters for an interface

<string> Enter a radio profile name (1­32 chars)

interface <wifix> radio range <number>

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
radio Set parameters for the wifi radio interface
range Set the transmission range for the radio linked to the interface
<number> Enter the range value in meters (Default: 300; Range: 300­10000)

interface <wifix> radio tx­power­control <number>

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
radio Set parameters for the wifi radio interface
tx­power­control Set the desired radio power for clients
<number> Enter the desired client radio power (in dBm) (Default: auto; Range: 1­20 dBm)

interface <wifix> radio tx­power­control auto

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
radio Set parameters for the wifi radio interface
tx­power­control Set the desired radio power for clients
auto Set the client radio power to be adjusted automatically based on ACSP (Default: auto)

interface <wifix> ssid <string>

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
ssid Set the SSID (Service Set Identifier) profile for the interface
<string> Enter an SSID profile name (1­32 chars)

interface <wifix> ssid <string> ip <ip_addr/netmask>

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
ssid Set the SSID (Service Set Identifier) profile for the interface
<string> Enter an SSID profile name (1­32 chars)
ip Set IP address for the SSID
<ip_addr/netmask> Enter the SSID IP address

interface <wifix> ssid <string> shutdown

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
ssid Set the SSID (Service Set Identifier) profile for the interface
<string> Enter an SSID profile name (1­32 chars)
shutdown Disable the subinterface to which the SSID is bound

interface <wifix> wlan­idp profile <string>

interface Set interface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 112/315
27/4/2016 Aerohive CLI Guide
profile Bind an IDP profile to the interface
<string> Enter an IDP profile name (1­32 chars)

ip nat­policy <string>
ip Set IP parameters
nat­policy Set IP nat policy parameters
<string> Enter IP nat policy name (1­32 chars)

ip nat­policy <string> type match­net inside <ip_addr/netmask> outside <ip_addr/netmask>

ip Set IP parameters
nat­policy Set IP nat policy parameters
<string> Enter IP nat policy name (1­32 chars)
type Set the IP nat policy type
match­net Set the IP nat policy type match­net
inside Set the match­net inside subnet
<ip_addr/netmask> Enter the IP address and netmask for the match­net inside subnet
outside Set the match­net outside subnet
<ip_addr/netmask> Enter the IP address and netmask for the match­net outside subnet

ip nat­policy <string> type virtual­host inside­host <ip_addr> inside­port <port> outside­port <port>
protocol {tcp|udp}
ip Set IP parameters
nat­policy Set IP nat policy parameters
<string> Enter IP nat policy name (1­32 chars)
type Set the IP nat policy type
virtual­host Set the IP nat policy type virtual­host
inside­host Set the virtual­host inside host
<ip_addr> Enter the IP address for the virtual­host inside host
inside­port Set the virtual­host inside port
<port> [1~65535]Enter the port number
outside­port Set the virtual­host outside port
<port> [1~65535]Enter the port number
protocol Set the virtual­host service protocol
tcp Choose tcp protocol for virtual host
udp Choose udp protocol for virtual host

ip path­mtu­discovery enable
ip Set IP parameters
Set Path MTU (Maximum Transmission Unit) Discovery parameters on a device functioning as
path­mtu­discovery
a router or VPN gateway
Enable Path MTU Discovery to learn the maximum packet size that can be sent across the
enable
network between two hosts without fragmentation (Default: Enabled)

ip route default gateway <ip_addr> [ metric <number> ]

ip Set IP parameters
route Set a routing entry
default Set a default route entry
gateway Set the network gateway
<ip_addr> Enter the gateway IP address
metric Set metric parameter
Enter a metric for an IP route (Default: 0; Range: 0­32766)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 113/315
27/4/2016 Aerohive CLI Guide
<number>

ip route host <ip_addr> [ gateway <ip_addr> ] [ metric <number> ]

ip Set IP parameters
route Set a routing entry
host Set a route to a host
<ip_addr> Enter target IP address
gateway Set the network gateway
<ip_addr> Enter the gateway IP address
metric Set metric parameter
<number> Enter a metric for an IP route (Default: 0; Range: 0­32766)

ip route net <ip_addr> <netmask> [ gateway <ip_addr> ] [ metric <number> ]

ip Set IP parameters
route Set a routing entry
net Set a route to a net
<ip_addr> Enter target IP address
<netmask> Enter target netmask
gateway Set the network gateway
<ip_addr> Enter the gateway IP address
metric Set metric parameter
<number> Enter a metric for an IP route (Default: 0; Range: 0­32766)

ip tcp­mss­threshold enable
ip Set IP parameters
Set TCP Maximum Segment Size parameters (Note: This setting only applies to a device
tcp­mss­threshold
functioning as a router or VPN gateway.)
Enable the monitoring of the MSS option in TCP SYN and SYN­ACK messagesand, if
necessary, reduce the MSS value as determined by the TCP MSS threshold (Default:
enable
Enabled; Note: If no TCP MSS threshold value is specified, TCP MSS clamping uses the
Path MTU­ 40 bytes for the IP and TCP headers.)

ip tcp­mss­threshold l3­vpn­threshold­size <number>

ip Set IP parameters
Set TCP Maximum Segment Size parameters (Note: This setting only applies to a device
tcp­mss­threshold
functioning as a router or VPN gateway.)
l3­vpn­threshold­size Set the TCP MSS threshold for TCP connections that pass through a Layer 3 VPN tunnel
Enter the TCP MSS threshold in bytes for tunneled traffic (Range: 64­1460; Note: If not
<number>
set, the device uses the TCP MSS threshold.)

ip tcp­mss­threshold threshold­size <number>

ip Set IP parameters
Set TCP Maximum Segment Size parameters (Note: This setting only applies to a device
tcp­mss­threshold
functioning as a router or VPN gateway.)
threshold­size Set the TCP MSS threshold for all TCP connections passing through the device
Enter the TCP MSS threshold in bytes (Range: 64­1460; Default: Path MTU ­ 40 bytes for
<number>
the IP and TCP headers)

ip version­preference {ipv4|ipv6}
ip Set IP parameter
version­preference Set IP version preference parameters
ipv4 Set version preference to ipv4 (Default: ipv4)
ipv6 Set version preference to ipv6 (Default: ipv4)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 114/315
27/4/2016 Aerohive CLI Guide
ip­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <ip_addr|string_64> [ <mask>
] ] [ to <ip_addr|string_64> [ <mask> ] ] [ service <string> ] [ action {permit|deny|nat|inter­
station­traffic­drop|redirect} ]
ip­policy Set IP policy parameters
<string> Enter an IP policy name (1­32 chars)
id Assign an IP policy ID
<number> Enter the IP policy ID (Range: 1­1023)
before Set the before parameters for an IP policy
after Set the after parameters for an IP policy
id Assign an IP policy ID
<number> Enter the IP policy ID (Range: 1­1023)
from Set the source IP (Default: any)
<ip_addr> Enter an IP or domain name (1­64 chars)
<string> Enter an IP or domain name (1­64 chars)
Enter a netmask or IP wildcard mask in which 0 masks the octet where it appears (For
<mask> example, the 0s in '255.0.0.255' mask the second and third octets, applying the IP
policy to all addresses matching only the first and fourth octets.)
to Set the destination IP (Default: any)
<ip_addr> Enter an IP or domain name (1­64 chars)
<string> Enter an IP or domain name (1­64 chars)
Enter a netmask or IP wildcard mask in which 0 masks the octet where it appears (For
<mask> example, the 0s in '255.0.0.255' mask the second and third octets, applying the IP
policy to all addresses matching only the first and fourth octets.)
service Set the service (Default: any)
<string> Enter the service (1­32 chars)
action Set action for an IP policy (Default: deny)
permit Set the action to permit (Default: deny)
deny Set the action to deny (Default: deny)
Set the action to translate clients' source IP address to that of mgt0 and source port
nat number to a dynamically chosen number (Default: deny; Note: NAT is applied only to TCP
and UDP traffic.)
inter­station­traffic­ Set the action to drop traffic between stations if they are both associated with one or
drop more members of the same hive (Default: deny)
redirect redirect http traffic to specified url(Default: deny)

ip­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <ip_addr|string_64> [ <mask>

] ] [ to <ip_addr|string_64> [ <mask> ] ] [ service <string> ] action deny log packet­drop
ip­policy Set IP policy parameters
<string> Enter an IP policy name (1­32 chars)
id Assign an IP policy ID
<number> Enter the IP policy ID (Range: 1­1023)
before Set the before parameters for an IP policy
after Set the after parameters for an IP policy
id Assign an IP policy ID
<number> Enter the IP policy ID (Range: 1­1023)
from Set the source IP (Default: any)
<ip_addr> Enter an IP or domain name (1­64 chars)
<string> Enter an IP or domain name (1­64 chars)
Enter a netmask or IP wildcard mask in which 0 masks the octet where it appears (For
<mask> example, the 0s in '255.0.0.255' mask the second and third octets, applying the IP
policy to all addresses matching only the first and fourth octets.)
to Set the destination IP (Default: any)
<ip_addr> Enter an IP or domain name (1­64 chars)
<string> Enter an IP or domain name (1­64 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 115/315
27/4/2016 Aerohive CLI Guide
Enter a netmask or IP wildcard mask in which 0 masks the octet where it appears (For
<mask> example, the 0s in '255.0.0.255' mask the second and third octets, applying the IP
policy to all addresses matching only the first and fourth octets.)
service Set the service (Default: any)
<string> Enter the service (1­32 chars)
action Set action for an IP policy (Default: deny)
deny Set the action to deny (Default: deny)
log Set logging options for packets and sessions that match the IP firewall policy
packet­drop Log dropped packets that the IP firewall policy denies

ip­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <ip_addr|string_64> [ <mask>

] ] [ to <ip_addr|string_64> [ <mask> ] ] [ service <string> ] action inter­station­traffic­drop log [
{initiate­session|terminate­session|packet­drop} ]
ip­policy Set IP policy parameters
<string> Enter an IP policy name (1­32 chars)
id Assign an IP policy ID
<number> Enter the IP policy ID (Range: 1­1023)
before Set the before parameters for an IP policy
after Set the after parameters for an IP policy
id Assign an IP policy ID
<number> Enter the IP policy ID (Range: 1­1023)
from Set the source IP (Default: any)
<ip_addr> Enter an IP or domain name (1­64 chars)
<string> Enter an IP or domain name (1­64 chars)
Enter a netmask or IP wildcard mask in which 0 masks the octet where it appears (For
<mask> example, the 0s in '255.0.0.255' mask the second and third octets, applying the IP
policy to all addresses matching only the first and fourth octets.)
to Set the destination IP (Default: any)
<ip_addr> Enter an IP or domain name (1­64 chars)
<string> Enter an IP or domain name (1­64 chars)
Enter a netmask or IP wildcard mask in which 0 masks the octet where it appears (For
<mask> example, the 0s in '255.0.0.255' mask the second and third octets, applying the IP
policy to all addresses matching only the first and fourth octets.)
service Set the service (Default: any)
<string> Enter the service (1­32 chars)
action Set action for an IP policy (Default: deny)
inter­station­traffic­ Set the action to drop traffic between stations if they are both associated with one or
drop more members of the same hive (Default: deny)
log Set logging options for packets and sessions that match IP FW policy
initiate­session Log the creation of sessions that are permitted by the policy
terminate­session Log the termination of sessions that are permitted by the policy
packet­drop Log dropped packets that are denied by the policy

ip­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <ip_addr|string_64> [ <mask>

] ] [ to <ip_addr|string_64> [ <mask> ] ] [ service <string> ] action permit log [ {initiate­
session|terminate­session} ]
ip­policy Set IP policy parameters
<string> Enter an IP policy name (1­32 chars)
id Assign an IP policy ID
<number> Enter the IP policy ID (Range: 1­1023)
before Set the before parameters for an IP policy
after Set the after parameters for an IP policy
id Assign an IP policy ID

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 116/315
27/4/2016 Aerohive CLI Guide
<number> Enter the IP policy ID (Range: 1­1023)
from Set the source IP (Default: any)
<ip_addr> Enter an IP or domain name (1­64 chars)
<string> Enter an IP or domain name (1­64 chars)
Enter a netmask or IP wildcard mask in which 0 masks the octet where it appears (For
<mask> example, the 0s in '255.0.0.255' mask the second and third octets, applying the IP
policy to all addresses matching only the first and fourth octets.)
to Set the destination IP (Default: any)
<ip_addr> Enter an IP or domain name (1­64 chars)
<string> Enter an IP or domain name (1­64 chars)
Enter a netmask or IP wildcard mask in which 0 masks the octet where it appears (For
<mask> example, the 0s in '255.0.0.255' mask the second and third octets, applying the IP
policy to all addresses matching only the first and fourth octets.)
service Set the service (Default: any)
<string> Enter the service (1­32 chars)
action Set action for an IP policy (Default: deny)
permit Set the action to permit (Default: deny)
log Set logging options for packets and sessions that match the IP firewall policy
initiate­session Log session details when a session is created after passing a IP firewall policy lookup
terminate­session Log session details when a session matching a IP firewall policy is terminated

ip­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <ip_addr|string_64> [ <mask>

] ] to local­subnet [ service <string> ] [ action {permit|deny|nat|inter­station­traffic­
drop|redirect} ]
ip­policy Set IP policy parameters
<string> Enter an IP policy name (1­32 chars)
id Assign an IP policy ID
<number> Enter the IP policy ID (Range: 1­1023)
before Set the before parameters for an IP policy
after Set the after parameters for an IP policy
id Assign an IP policy ID
<number> Enter the IP policy ID (Range: 1­1023)
from Set the source IP (Default: any)
<ip_addr> Enter an IP or domain name (1­64 chars)
<string> Enter an IP or domain name (1­64 chars)
Enter a netmask or IP wildcard mask in which 0 masks the octet where it appears (For
<mask> example, the 0s in '255.0.0.255' mask the second and third octets, applying the IP
policy to all addresses matching only the first and fourth octets.)
to Set the destination IP (Default: any)
local­subnet Set the subnet of the mgt0 interface as the destination
service Set the service (Default: any)
<string> Enter the service (1­32 chars)
action Set action for an IP policy (Default: deny)
permit Set the action to permit (Default: deny)
deny Set the action to deny (Default: deny)
Set the action to translate clients' source IP address to that of mgt0 and source port
nat number to a dynamically chosen number (Default: deny; Note: NAT is applied only to TCP
and UDP traffic.)
inter­station­traffic­ Set the action to drop traffic between stations if they are both associated with one or
drop more members of the same hive (Default: deny)
redirect redirect http traffic to specified url(Default: deny)

iperf client <ip_addr> [ {port} <number> ] [ {udp} ] [ {interval} <number> ] [ {no­delay} ] [ {dual­
test} ] [ {tradeoff} ] [ {listen­port} <number> ] [ {window} <number> ] [ {mss} <number> ] [

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 117/315
27/4/2016 Aerohive CLI Guide
{bandwidth} <number> ] [ {time} <number> ] [ {parallel} <number> ]
iperf Set parameters for Iperf, a tool for testing and measuring network performance
client Set Iperf to run in client mode
<ip_addr> Enter the server IP address with which the HiveAP connects as an Iperf client
port Set the port on which the client connects to the server
<number> Enter the port number (Range: 1024­65535; Default: 5001)
udp Set the transport protocol as UDP (Default: TCP)
interval Set the interval between periodic bandwidth, jitter, and loss reports
Enter the interval in seconds (Range: 1­60; Default: 0, which means that the report is
<number>
not made periodically)
Transmit small logical packets individually without the delay incurred by putting them
no­delay in batches within a single larger physical packet (Default: Smaller packets are
transmitted without delay)
Set the Iperf tool to do bidirectional upstream and downstream performance testing
dual­test
between the client and server concurrently
Set the Iperf tool to do bidirectional upstream and downstream performance testing at
tradeoff
different times so downstream testing only begins after upstream testing is complete
listen­port Set the port on which the server connects to the client
Enter the port number (Range: 1024­65535; Default: The same port on which the client
<number>
connects to the server)
window Set the TCP window size (socket buffer size)
<number> Enter the TCP window size in kilobytes (Range: 2­65535; Default: 83.5)
mss Set the maximum TCP segment size (MTU: 40 bytes)
<number> Enter the maximum TCP segment size in bytes (Range: 40­65535; Default: 4160)
bandwidth Set the amount of UDP bandwidth to send
<number> Enter the bandwidth in megabits per second (Range: 1­1000; Default: 1)
time Set the length of transmission time
<number> Enter the time in seconds (Range: 1­65535; Default: 10)
Set the client to make multiple connections to the server concurrently (Note: This
parallel
option requires multiple thread support on both the client and server.)
<number> Enter the number of parallel client threads to run (Range: 1­10; Default: 1)

iperf server [ {port} <number> ] [ {udp} ] [ {single­udp} ] [ {interval} <number> ] [ {no­delay} ] [

{window} <number> ] [ {mss} <number> ] [ {bind} <ip_addr> ]
iperf Set parameters for Iperf, a tool for testing and measuring network performance
server Set Iperf to run in server mode
port Set the port on which the server listen on
<number> Enter the port number (Range: 1024­65535; Default: 5001)
udp Set the transport protocol as UDP (Default: TCP)
single­udp Set the Iperf tool to run in single­threaded UDP mode
interval Set the interval between periodic bandwidth, jitter, and loss reports
Enter the interval in seconds (Range: 1­60; Default: 0, which means that the report is
<number>
not made periodically)
Transmit small logical packets individually without the delay incurred by putting them
no­delay in batches within a single larger physical packet (Default: Smaller packets are
transmitted without delay)
window Set the TCP window size (socket buffer size)
<number> Enter the TCP window size in kilobytes (Range: 2­65535; Default: 83.5)
mss Set the maximum TCP segment size (MTU: 40 bytes)
<number> Enter the maximum TCP segment size in bytes (Range: 40­65535; Default: 4160)
bind Bind and join the HiveAP to a multicast group
<ip_addr> Enter the IP address of the multicast group (Range: 224.0.0.0­239.255.255.255)

ipv6 dhcpv6­shield enable

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 118/315
27/4/2016 Aerohive CLI Guide
ipv6 Set IPv6 parameters
Set the DHCPv6 shield to block the forwarding of DHCPv6 server messages received on any
dhcpv6­shield
access interface
enable Enable the DHCPv6 shield on access interfaces

ipv6 ra­guard stateless enable

ipv6 Set IPv6 parameters
Set the IPv6 RA guard (router advertisement guard) to block router advertisements on
ra­guard
access interfaces
Set the IPv6 RA guard as stateless, meaning that incoming router advertisements are
stateless examined and then either blocked or forwarded based only on the information of the
received frame; specifically, the port on which the frame was received
enable Enable the IPv6 RA guard on access interfaces

ipv6 route <ipv6_addr/mask> <mgtx> gateway <ipv6_addr> [ metric <number> ]

ipv6 Set IPV6 parameters
route Set a routing entry
<ipv6_addr/mask> Enter target IPv6 address/netmask
<mgtx> Enter the name of the management interface, where x = 0
gateway Set the network gateway
<ipv6_addr> Enter the gateway IP address
metric Set metric parameters
<number> Enter a metric for an IP route (Default: 1024; Range: 1­32766)

ipv6 route <ipv6_addr/mask> gateway <ipv6_addr> [ metric <number> ]

ipv6 Set IPV6 parameters
route Set a routing entry
<ipv6_addr/mask> Enter target IPv6 address/netmask
gateway Set the network gateway
<ipv6_addr> Enter the gateway IP address
metric Set metric parameters
<number> Enter a metric for an IP route (Default: 1024; Range: 1­32766)

ipv6 route default <mgtx> gateway <ipv6_addr> [ metric <number> ]

ipv6 Set IPV6 parameters
route Set a routing entry
default Set a default route entry
<mgtx> Enter the name of the management interface, where x = 0
gateway Set the network gateway
<ipv6_addr> Enter the gateway IP address
metric Set metric parameters
<number> Enter a metric for an IP route (Default: 1024; Range: 1­32766)

ipv6 route default gateway <ipv6_addr> [ metric <number> ]

ipv6 Set IPV6 parameters
route Set a routing entry
default Set a default route entry
gateway Set the network gateway
<ipv6_addr> Enter the gateway IP address
metric Set metric parameters
<number> Enter a metric for an IP route (Default: 1024; Range: 1­32766)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 119/315
27/4/2016 Aerohive CLI Guide
kddr enable
kddr Enable/disable the kddr report to HM
enable Enable the kddr feature

library­sip­policy <string> default user­group <string> [ action {permit|restricted|deny} ] [

additional­display­message <string> ]
Set a SIP (Standard Interchange Protocol) policy to apply a user profile, VLAN, and
library­sip­policy session length to library patrons accessing the wireless network (Note: Set policies on
a AP RADIUS server. Max policies: 16; Max rules per policy: 64.)
<string> Enter a library SIP policy name (1­32 chars)
default Set the default rule to apply to unregistered library patrons
Set the user group to which the AP RADIUS authenticator assigns the user (Note: The user
user­group
group includes user profile, VLAN, and session timeout assignments.)
<string> Enter the user group name (1­32 chars)
action Set the action that the library SIP policy rule applies
permit Notify users assigned to the user group that they are permitted network access
restricted Notify users assigned to the user group that they are given restricted network access
Notify users assigned to the user group that they are denied network access except to
deny
websites defined in a walled garden
additional­display­
Set a message to display when a user attempts to access the network
message
<string> Enter a message string (up to 256 chars)

library­sip­policy <string> id <number> field <string> {equal|greater­than|less­than} <number> user­

group <string> [ action {permit|restricted|deny} ] [ additional­display­message <string> ]
Set a SIP (Standard Interchange Protocol) policy to apply a user profile, VLAN, and
library­sip­policy session length to library patrons accessing the wireless network (Note: Set policies on
a AP RADIUS server. Max policies: 16; Max rules per policy: 64.)
<string> Enter a library SIP policy name (1­32 chars)
id Set an ID number for a rule to add it to the library SIP policy
<number> Enter an ID number (Range: 1­64)
Set the two­letter character code that identifies the field name of a specific library
field
SIP value
<string> Enter the two­letter character code(2 char)
Check if the field value that the SIP server returns equals the number entered in the
equal
local AP RADIUS server
Check if the field value that the SIP server returns is greater than the number entered
greater­than
in the local AP RADIUS server
Check if the field value that the SIP server returns is less than the number entered in
less­than
the local AP RADIUS server
Enter the number that the AP RADIUS server uses when checking the field values that the
<number>
SIP server returns (Range: 0­65535)
Set the user group to which the AP RADIUS authenticator assigns the user (Note: The user
user­group
group includes user profile, VLAN, and session timeout assignments.)
<string> Enter the user group name (1­32 chars)
action Set the action that the library SIP policy rule applies
permit Notify users assigned to the user group that they are permitted network access
restricted Notify users assigned to the user group that they are given restricted network access
Notify users assigned to the user group that they are denied network access except to
deny
websites defined in a walled garden
additional­display­
Set a message to display when a user attempts to access the network
message
<string> Enter a message string (up to 256 chars)

library­sip­policy <string> id <number> field <string> {matches|differs­from|starts­with|occurs­

after|occurs­before|contains} <string> user­group <string> [ action {permit|restricted|deny} ] [
additional­display­message <string> ]
Set a SIP (Standard Interchange Protocol) policy to apply a user profile, VLAN, and

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 120/315
27/4/2016 Aerohive CLI Guide
library­sip­policy session length to library patrons accessing the wireless network (Note: Set policies on
a AP RADIUS server. Max policies: 16; Max rules per policy: 64.)
<string> Enter a library SIP policy name (1­32 chars)
id Set an ID number for a rule to add it to the library SIP policy
<number> Enter an ID number (Range: 1­64)
Set the two­letter character code that identifies the field name of a specific library
field
SIP value
<string> Enter the two­letter character code(2 char)
Check if the field value that the SIP server returns matches the string entered in the
matches
local AP RADIUS server
Check if the field value that the SIP server returns differs­from the string entered in
differs­from
the local AP RADIUS server
Check if the field value that the SIP server returns starts­with the string entered in
starts­with
the local AP RADIUS server
Check if the field value that the SIP server returns occurs­after the string entered in
occurs­after
the local AP RADIUS server
Check if the field value that the SIP server returns occurs­before the string entered in
occurs­before
the local AP RADIUS server
Check if the field value that the SIP server returns contains the string entered in the
contains
local AP RADIUS server
Enter the string that the AP RADIUS server uses when checking the field values that the
<string> SIP server returns (1­32 chars; Note: Date format must be YYYY­MM­DD; Example: 2010­01­
01.)
Set the user group to which the AP RADIUS authenticator assigns the user (Note: The user
user­group
group includes user profile, VLAN, and session timeout assignments.)
<string> Enter the user group name (1­32 chars)
action Set the action that the library SIP policy rule applies
permit Notify users assigned to the user group that they are permitted network access
restricted Notify users assigned to the user group that they are given restricted network access
Notify users assigned to the user group that they are denied network access except to
deny
websites defined in a walled garden
additional­display­
Set a message to display when a user attempts to access the network
message
<string> Enter a message string (up to 256 chars)

library­sip­policy <string> id <number> {after|before} id <number>

Set a SIP (Standard Interchange Protocol) policy to apply a user profile, VLAN, and
library­sip­policy session length to library patrons accessing the wireless network (Note: Set policies on
a AP RADIUS server. Max policies: 16; Max rules per policy: 64.)
<string> Enter a library SIP policy name (1­32 chars)
id Set an ID number for a rule to add it to the library SIP policy
<number> Enter an ID number (Range: 1­64)
after Move the library SIP rule after another rule in the policy
before Move the library SIP rule before another rule in the policy
id Set an ID number for a rule to add it to the library SIP policy
<number> Enter an ID number (Range: 1­64)

license <string> <string>

license Set license parameters
<string> Enter registration license
<string> Enter registration key

lldp [ {cdp|receive­only} ]
lldp Set LLDP (Link Layer Discovery Protocol) parameters
cdp Set CDP (Cisco Discovery Protocol) parameters
Enable the HiveAP to receive and cache LLDP advertisements from neighboring network
receive­only

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 121/315
27/4/2016 Aerohive CLI Guide
devices but not send them

lldp [ {cdp} ] max­entries <number>

lldp Set LLDP (Link Layer Discovery Protocol) parameters
cdp Set CDP (Cisco Discovery Protocol) parameters
max­entries Set the maximum number of entries to cache in the LLDP or CDP neighbor table
<number> Enter the maximum number of entries to cache (Default: 64; Range: 1­128)

lldp holdtime <number>

lldp Set LLDP (Link Layer Discovery Protocol) parameters
Set the length of time that the neighboring network devices to retain the LLDP
holdtime
advertisements that it sends to them
Enter the length of time in seconds that the neighboring network devices to hold LLDP
<number>
advertisements (Default: 90; Range: 0­65535)

lldp max­power <number>

lldp Set LLDP (Link Layer Discovery Protocol) parameters
max­power Set the maximum power that can be requested when transmitting LLDP advertisements
Enter the maximum power in watts to be requested (Default: 154; Range: 1­250; Note: 154
<number>
= 15.4 watts)

lldp timer <number>

lldp Set LLDP (Link Layer Discovery Protocol) parameters
timer Set the interval between LLDP advertisements to neighboring network device
<number> Enter the interval in seconds between LLDP advertisements (Default: 30; Range: 5­65534)

load config {current|backup|bootstrap|default}

load Load a configuration file
config Specify which configuration file to load after rebooting
current Load the current configuration file after rebooting
backup Load the backup configuration file after rebooting
bootstrap Load the bootstrap configuration file after rebooting
default Load the default configuration file after rebooting

location aerohive enable

location Set parameters for location tracking
aerohive Set parameters for the Aerohive location processing engine
enable Enable client location tracking (Default: Disabled)

location aerohive list­match enable

location Set parameters for location tracking
aerohive Set parameters for the Aerohive location processing engine
list­match Track a station if its MAC address is in the track list
enable Enable track list checking before tracking a station (Default: Enabled)

location aerohive mac <mac_addr>

location Set parameters for location tracking
aerohive Set parameters for the Aerohive location processing engine
mac Add a MAC entry to the track list
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 122/315
27/4/2016 Aerohive CLI Guide
location aerohive oui <oui>
location Set parameters for location tracking
aerohive Set parameters for the Aerohive location processing engine
oui Add an OUI (organizationally unique identifier) entry to the track list
Enter the OUI (Note: You can use colons, dashes, or periods to format the OUI. Examples:
<oui>
Apple iPhone=00:1b:63; D­Link Phone=00­17­9a; Vocera=00.09.ef.)

location aerohive report­interval <number>

location Set parameters for location tracking
aerohive Set parameters for the Aerohive location processing engine
report­interval Set the interval between reports of RSSI readings
<number> Enter the report interval in seconds (Default: 60; Range: 15­1200)

location aerohive rssi­hold­time <number>

location Set parameters for location tracking
aerohive Set parameters for the Aerohive location processing engine
Set the number of times that the local HiveAP, as an owner AP, can include the same
client RSSI report from another HiveAP in its aggregate report to HiveManager before
rssi­hold­time
determining the data to be stale and omitting it from future reports (Note: The owner AP
is the one to which the client is associated)
Enter the number of times to reuse a client RSSI report that has not been updated
<number>
(Default: 0; Range: 0­10)

location aerohive rssi­update­threshold <number>

location Set parameters for location tracking
aerohive Set parameters for the Aerohive location processing engine
rssi­update­threshold Set the change in RSSI required to trigger an update
<number> Enter the update threshold in dB (Default: 3; Range: 1­5)

location aerohive rssi­valid­period <number>

location Set parameters for location tracking
aerohive Set parameters for the Aerohive location processing engine
Set the period of time that an RSSI reading remains valid (Note: After this period
rssi­valid­period elapses, an updated report is generated even if the RSSI value has not crossed the
update threshold)
<number> Enter the validity period in seconds (Default: 60; Range: 15­1200)

location aerohive suppress­report <number>

location Set parameters for location tracking
aerohive Set parameters for the Aerohive location processing engine
Set the number of consecutive reports that can be suppressed when a client's RSSI has
suppress­report
not changed significantly
<number> Enter the number of consecutive RSSI reports to suppress (Default: 0; Range: 0­80)

location rate­threshold {tag|station|rogue­ap} <number>

location Set parameters for location tracking
rate­threshold Set the rate limit threshold for location tracking
tag Set the rate limit threshold for tags
station Set the rate limit threshold for stations
rogue­ap Set the rate limit threshold for rogue­aps
Enter the rate limit threshold in packets per second (Default: 1000 for tags, 200 for
<number>
stations, 50 for rogue APs; Range: 1­100000)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 123/315
27/4/2016 Aerohive CLI Guide
location {aeroscout|tzsp} enable
location Set parameters for location tracking
aeroscout Set parameters for the aeroscout location processing engine
Set parameters for the location processing engine that supports TZSP (Tazmen Sniffer
tzsp
Protocol) for packet encapsulation
enable Enable location tracking and reporting to the location processing engine

location {aeroscout} server <string>

location Set parameters for location tracking
aeroscout Set parameters for the aeroscout location processing engine
Set the IP address or domain name of the location processing engine to which the HiveAP
server
sends tracking reports
<string> Enter the IP address or domain name of the location processing engine (1­64 chars)

location {aeroscout} {tag|station|rogue­ap}

location Set parameters for location tracking
aeroscout Set parameters for the aeroscout location processing engine
tag Track and report the location of tags to the location processing engine
station Track and report the location of stations to the location processing engine
rogue­ap Track and report the location of rogue APs to the location processing engine

location {tzsp} mcast­mac <mac_addr>

location Set parameters for location tracking
Set parameters for the location processing engine that supports TZSP (Tazmen Sniffer
tzsp
Protocol) for packet encapsulation
Set the multicast MAC address to which the HiveAP transmits captured multicast frames
mcast­mac
encapsulated with TZSP (Default: 01:18:8e:00:00:00)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

location {tzsp} server­config server <string> port <number>

location Set parameters for location tracking
Set parameters for the location processing engine that supports TZSP (Tazmen Sniffer
tzsp
Protocol) for packet encapsulation
Set the IP address or domain name and port number of the location server to which the
server­config
HiveAP sends TZSP­encapsulated multicast frames captured from RFID tags
server Set the IP address or domain name of the location server
<string> Enter the IP address or domain name (1­64 chars)
port Set the port number on which the location server listens for tracking reports
<number> Enter the port number (Range: 1­65535)

logging buffered level {emergency|alert|critical|error|warning|notification|info|debug}

logging Set logging parameters
buffered Set logging buffer
level Set logging level
emergency Send emergency­level log entries (Default: debug)
alert Send log entries from alert to emergency levels (Default: debug)
critical Send log entries from critical to emergency levels (Default: debug)
error Send log entries from error to emergency levels (Default: debug)
warning Send log entries from warning to emergency levels (Default: debug)

notification Send log entries from notification to emergency levels (Default: debug)

info Send log entries from info to emergency levels (Default: debug)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 124/315
27/4/2016 Aerohive CLI Guide
debug Send log entries for all severity levels (Default: debug)

logging debug
logging Set logging parameters
debug Enable debug messages

logging facility {local0|local1|local2|local3|local4|local5|local6|local7|auth|authpriv|security|user}

logging Set logging parameters
facility Set logging facility
local0 Set log facility to local0 (Default: local6)
local1 Set log facility to local1 (Default: local6)
local2 Set log facility to local2 (Default: local6)
local3 Set log facility to local3 (Default: local6)
local4 Set log facility to local4 (Default: local6)
local5 Set log facility to local5 (Default: local6)
local6 Set log facility to local6 (Default: local6)
local7 Set log facility to local7 (Default: local6)
auth Set log facility to auth (Default: local6)
authpriv Set log facility to authpriv (Default: local6)
security Set log facility to security (Default: local6)
user Set log facility to user (Default: local6)

logging flash level {emergency|alert|critical|error|warning|notification|info|debug}

logging Set logging parameters
flash Set logging flash
level Set logging level
emergency Send emergency­level log entries (Default: error)
alert Send log entries from alert to emergency levels (Default: error)
critical Send log entries from critical to emergency levels (Default: error)
error Send log entries from error to emergency levels (Default: error)
warning Send log entries from warning to emergency levels (Default: error)
notification Send log entries from notification to emergency levels (Default: error)
info Send log entries from info to emergency levels (Default: error)
debug Send log entries for all severity levels (Default: error)

logging server <string> [ level {emergency|alert|critical|error|warning|notification|info|debug} ] [

{via­vpn­tunnel} ]
logging Set logging parameters
server Set parameters for a syslog server
<string> Set the IP address or domain name (1­32 chars) for the syslog server
level Set the severity level for the log messages you want to send
emergency Send emergency­level log entries
alert Send log entries from alert to emergency levels
critical Send log entries from critical to emergency levels
error Send log entries from error to emergency levels
warning Send log entries from warning to emergency levels
notification Send log entries from notification to emergency levels
info Send log entries from info to emergency levels
debug Send log entries for all severity levels
Send all logging traffic through a VPN tunnel (Note: Set this option on VPN clients when

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 125/315
27/4/2016 Aerohive CLI Guide
via­vpn­tunnel the logging server is in a different subnet from the tunnel interface. When they are in
the same subnet, tunneling is automatic.)

logging trap level [ {emerg|alert|crit|err|warning|notice|info} ]

logging Set logging parameters
trap Set logging trap parameters
level Set logging trap level
emerg Set logging trap level to emerg (Default: info)
alert Set logging trap level to alert (Default: info)
crit Set logging trap level to crit (Default: info)
err Set logging trap level to err (Default: info)
warning Set logging trap level to warning (Default: info)
notice Set logging trap level to notice (Default: info)
info Set logging trap level to info (Default: info)

login banner <string>

login Set parameters fot the CLI login
banner Set the banner that appears after logging in to the CLI
Enter the banner text (Default: 'Aerohive Networks Inc.\n Copyright (C) 2006­2010\n';
<string>
Max: 256 chars; Notes: Use '\n' to indicate a line break.)

mac­object <string> mac­range <mac_addr> ­ <mac_addr>

Set parameters for an MAC object that the HiveAP can use to assign a client with a
mac­object
matching MAC address to a user profile (Max: 128 MAC objects per HiveAP.)
<string> Enter the MAC object name (1­32 chars)
Set a range of MAC addresses for the MAC object (Max: 255 MAC address ranges per MAC
mac­range
object)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
­ Set a range of MAC addresses
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

mac­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <mac_addr> [ <number> ] ] [

to <mac_addr> [ <number> ] ] [ action {permit|deny} ]
mac­policy Set MAC policy parameters
<string> Enter a MAC policy name (1­32 chars)
id Assign a MAC policy ID
<number> Enter the MAC policy ID (Range: 1­1023)
before Set the before parameters for a MAC policy
after Set the after parameters for a MAC policy
id Assign a MAC policy ID
<number> Enter the MAC policy ID (Range: 1­1023)
from Set the source MAC (Default: any)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
<number> Enter a MAC mask length (value: 0, 24, 48)
to Set the destination MAC (Default: any)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
<number> Enter a MAC mask length (value: 0, 24, 48)
action Set action for a MAC policy (Default: deny)

permit Set the action to permit (Default: deny)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 126/315
27/4/2016 Aerohive CLI Guide
deny Set the action to deny (Default: deny)

mac­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <mac_addr> [ <number> ] ] [

to <mac_addr> [ <number> ] ] action deny log packet­drop
mac­policy Set MAC policy parameters
<string> Enter a MAC policy name (1­32 chars)
id Assign a MAC policy ID
<number> Enter the MAC policy ID (Range: 1­1023)
before Set the before parameters for a MAC policy
after Set the after parameters for a MAC policy
id Assign a MAC policy ID
<number> Enter the MAC policy ID (Range: 1­1023)
from Set the source MAC (Default: any)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
<number> Enter a MAC mask length (value: 0, 24, 48)
to Set the destination MAC (Default: any)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
<number> Enter a MAC mask length (value: 0, 24, 48)
action Set action for a MAC policy (Default: deny)
deny Set the action to deny (Default: deny)
log Set logging options for packets and sessions that match the MAC firewall policy
packet­drop Log dropped packets that the MAC firewall policy denies

mac­policy <string> [ id <number> ] [ {before|after} id <number> ] [ from <mac_addr> [ <number> ] ] [

to <mac_addr> [ <number> ] ] action permit log [ {initiate­session|terminate­session} ]
mac­policy Set MAC policy parameters
<string> Enter a MAC policy name (1­32 chars)
id Assign a MAC policy ID
<number> Enter the MAC policy ID (Range: 1­1023)
before Set the before parameters for a MAC policy
after Set the after parameters for a MAC policy
id Assign a MAC policy ID
<number> Enter the MAC policy ID (Range: 1­1023)
from Set the source MAC (Default: any)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
<number> Enter a MAC mask length (value: 0, 24, 48)
to Set the destination MAC (Default: any)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
<number> Enter a MAC mask length (value: 0, 24, 48)
action Set action for a MAC policy (Default: deny)
permit Set the action to permit (Default: deny)
log Set logging options for packets and sessions that match the MAC firewall policy
initiate­session Log session details when a session is created after passing a MAC firewall policy lookup
terminate­session Log session details when a session matching a MAC firewall policy is terminated

mdm­object <string> [ enroll­status {enrolled|non­enrolled|unknown} ] [ compliance­status

{compliant|non­compliant|unknown} ] [ client­tag <string> ]
mdm­object Set the MDM (mobile device management) object

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 127/315
27/4/2016 Aerohive CLI Guide
<string> Enter an MDM object name (1­32 chars)
enroll­status Set the enrollment status of the managed mobile device
enrolled Set the MDM enrollment status of the device as enrolled
non­enrolled Set the MDM enrollment status of the device as non­enrolled
unknown Set the MDM enrollment status of the device as unknown
compliance­status Set a compliance status
compliant Set the compliance status as compliant
non­compliant Set the compliance status as non­compliant
unknown Set the compliance status as unknown
Set an MDM client tag name to indicate the ownership of the managed mobile device (Note:
client­tag BYOD and CID are common ownership tags that describe bring­your­own­device and
corporate­issues­device situations.)
<string> Enter a tag name (1­32 chars)

mobile­device­policy <string> [ rule <number> ] [ original­user­profile <string> ] device­group

<string> reassigned­user­profile­attr <number>
Set a policy that assigns a user profile to traffic from a client based on the
mobile­device­policy originally assigned user profile or the MAC address, device domain, and OS of the user's
client
<string> Enter the mobile device policy name (1­32 chars)
rule Add a rule to the mobile device policy
Enter a number for the rule ID (Range: 1­65535; Note: If you do not specify a rule ID,
<number>
the HiveAP automatically assigns one.)
Specify the user profile that the HiveAP first assigns to traffic before it completes
original­user­profile
the device classification process
<string> Enter the original user profile (1­32 chars)
Set the device group that the policy rule references to classify the type of client
device­group
device in use
<string> Enter a device group name (1­32 chars)
reassigned­user­ Reassign the client to a different user profile if it belongs to the specified device
profile­attr group or was initially assigned to the specified original user profile
Enter the attribute of the user profile to assign in place of the originally assigned
<number>
one (Range: 0­4095)

mobile­device­policy <string> apply {once|multiple­times}

Set a policy that assigns a user profile to traffic from a client based on the
mobile­device­policy originally assigned user profile or the MAC address, device domain, and OS of the user's
client
<string> Enter the mobile device policy name (1­32 chars)
apply Set the method for applying mobile device policy rules
Apply a policy rule once if a client match is found after finishing the complete device
once
type classification process(Default: Once)
Apply a policy rule if a client match is found at any point during the device type
multiple­times detection process (Default: Once)(Note: Different rules might be applied at different
times as the HiveAP collects more information about a client.)

mobile­device­policy <string> client­classification [ {mac} ] [ {domain} ] [ {os} ]

Set a policy that assigns a user profile to traffic from a client based on the
mobile­device­policy originally assigned user profile or the MAC address, device domain, and OS of the user's
client
<string> Enter the mobile device policy name (1­32 chars)
client­classification Set the client device classification methods that you want to use
mac Use the client classification method that is based on the MAC address of the device
Use the client classification method that is based on the computer domain to which a
domain
client belongs in the database
os Use the client classification method that is based on the OS running on the device

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 128/315
27/4/2016 Aerohive CLI Guide
mobile­device­policy <string> rule <number> {before|after} rule <number>
Set a policy that assigns a user profile to traffic from a client based on the
mobile­device­policy originally assigned user profile or the MAC address, device domain, and OS of the user's
client
<string> Enter the mobile device policy name (1­32 chars)
rule Add a rule to the mobile device policy
Enter a number for the rule ID (Range: 1­65535; Note: If you do not specify a rule ID,
<number>
the HiveAP automatically assigns one.)
before Move the mobile device policy rule before another rule in the policy
after Move the mobile device policy rule after another rule in the policy
rule Set a rule before or after another rule in the mobile device policy
<number> Enter a rule ID number (Range: 1­65535)

mobility­policy <string> dnxp

mobility­policy Set parameters for a mobility policy
<string> Enter a mobility policy name (1­32 chars)
Assign DNXP (Dynamic Network eXtension Protocol) for the mobility policy (Default:
dnxp
predictive roaming support among neighboring hive members)

mobility­policy <string> dnxp nomadic­roaming

mobility­policy Set parameters for a mobility policy
<string> Enter a mobility policy name (1­32 chars)
Assign DNXP (Dynamic Network eXtension Protocol) for the mobility policy (Default:
dnxp
predictive roaming support among neighboring hive members)
Enable fast roaming support on nonneighboring hive members in different subnets
nomadic­roaming
(Default: predictive­roaming)

mobility­policy <string> dnxp unroam­threshold <number> <number>

mobility­policy Set parameters for a mobility policy
<string> Enter a mobility policy name (1­32 chars)
Assign DNXP (Dynamic Network eXtension Protocol) for the mobility policy (Default:
dnxp
predictive roaming support among neighboring hive members)
Set the minimum traffic level required to continue tunneling traffic back to the
unroam­threshold original subnet of a L3 roaming client. (Note: If the volume of client traffic dips
below the threshold, it is disassociated.)
Enter the minimum number of packets/minute to and from the client required to continue
<number> tunneling its traffic back to its original subnet (Default: 0; Range: 0­2147483647;
Note: The value "0" disables the unroaming feature.)
Enter the interval in seconds for polling traffic statistics (Default: 60 seconds;
<number>
Range: 10­600)

mobility­policy <string> inxp gre­tunnel from <ip_addr/netmask> password <string>

mobility­policy Set parameters for a mobility policy
<string> Enter a mobility policy name (1­32 chars)
inxp Assign INXP (Identity Network eXtension Protocol) for the mobility policy
gre­tunnel Set the INXP gre­tunnel parameters
from Set the INXP gre­tunnel source parameters
<ip_addr/netmask> Enter subnet for INXP gre­tunnel source
password Set password for INXP gre­tunnel
<string> Enter password for INXP gre­tunnel (1­64 chars)

mobility­policy <string> inxp gre­tunnel to <ip_addr> <ip_addr> password <string>

mobility­policy Set parameters for a mobility policy
<string> Enter a mobility policy name (1­32 chars)
inxp Assign INXP (Identity Network eXtension Protocol) for the mobility policy

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 129/315
27/4/2016 Aerohive CLI Guide

gre­tunnel Set the INXP gre­tunnel parameters

to Set the INXP gre­tunnel destination parameters
<ip_addr> Enter start IP address for INXP gre­tunnel destination
<ip_addr> Enter end IP address for INXP gre­tunnel destination
password Set password for INXP gre­tunnel
<string> Enter password for INXP gre­tunnel (1­64 chars)

mobility­policy <string> inxp gre­tunnel to <ip_addr> password <string>

mobility­policy Set parameters for a mobility policy
<string> Enter a mobility policy name (1­32 chars)
inxp Assign INXP (Identity Network eXtension Protocol) for the mobility policy
gre­tunnel Set the INXP gre­tunnel parameters
to Set the INXP gre­tunnel destination parameters
<ip_addr> Enter start IP address for INXP gre­tunnel destination
password Set password for INXP gre­tunnel
<string> Enter password for INXP gre­tunnel (1­64 chars)

mobility­threshold gre­tunnel permitted­load {low|medium|high}

mobility­threshold Set parameters for tunneling mobile user traffic
Set the volume of traffic that the local AP will accept through GRE (Generic Routing
gre­tunnel
Encapsulation) tunnels (Note: Only set this option on portals.)
Set a level determining the amount of traffic the local AP will accept through GRE
permitted­load
tunnels
low Accept a relatively low number of tunnels (Default: high)
medium Accept a relatively moderate number of tunnels (Default: high)
high Accept a relatively high number of tunnels (Default: high)

network­firewall name <string> [ from {any|vpn} ] [ to {any|vpn} ] [ service <string> ] [ action

{permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
any Apply the rule regardless of the traffic source
vpn Apply the rule if the traffic comes from a VPN tunnel
to Apply the rule based on the traffic destination (Default: any)
any Apply the rule regardless of the traffic destination
vpn Apply the rule if the traffic destination is a VPN tunnel
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)

off Do not log packets

network­firewall name <string> [ from {any|vpn} ] to hostname <string> [ service <string> ] [ action

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 130/315
27/4/2016 Aerohive CLI Guide
{permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
any Apply the rule regardless of the traffic source
vpn Apply the rule if the traffic comes from a VPN tunnel
to Apply the rule based on the traffic destination (Default: any)
Set the domain name of a specific host as the traffic destination (Note: Wildcard domain
hostname
names are not supported.)
<string> Enter a host or domain name (1­32 chars)
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> [ from {any|vpn} ] to ip­range <ip_addr> <ip_addr> [ service <string> ]
[ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
any Apply the rule regardless of the traffic source
vpn Apply the rule if the traffic comes from a VPN tunnel
to Apply the rule based on the traffic destination (Default: any)
ip­range Set a range of IP addresses as the traffic destination
<ip_addr> Enter the first IP address in the range
<ip_addr> Enter the last IP address in the range
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> [ from {any|vpn} ] to network <ip_addr> <mask> [ service <string> ] [
action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 131/315
27/4/2016 Aerohive CLI Guide
from Apply the rule based on the traffic source (Default: any)
any Apply the rule regardless of the traffic source
vpn Apply the rule if the traffic comes from a VPN tunnel
to Apply the rule based on the traffic destination (Default: any)
network Set a network as the traffic destination
<ip_addr> Enter an IP address
<mask> Enter a netmask
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> [ from {any|vpn} ] to wildcard <ip_addr> <mask> [ service <string> ] [
action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
any Apply the rule regardless of the traffic source
vpn Apply the rule if the traffic comes from a VPN tunnel
to Apply the rule based on the traffic destination (Default: any)
wildcard Set the destination address using an IP address and wildcard mask
<ip_addr> Enter an IP address
Enter an IP wildcard mask in which 0 masks the octet where it appears (For example, the
<mask> 0s in 255.0.0.255 mask the second and third octets, applying the firewall policy to all
addresses matching only the first and fourth octets.)
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from ip­range <ip_addr> <ip_addr> [ to {any|vpn} ] [ service <string> ]
[ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
ip­range Set a range of IP addresses as the traffic source

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 132/315
27/4/2016 Aerohive CLI Guide
<ip_addr> Enter the first IP address in the range
<ip_addr> Enter the last IP address in the range
to Apply the rule based on the traffic destination (Default: any)
any Apply the rule regardless of the traffic destination
vpn Apply the rule if the traffic destination is a VPN tunnel
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from ip­range <ip_addr> <ip_addr> to hostname <string> [ service
<string> ] [ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
ip­range Set a range of IP addresses as the traffic source
<ip_addr> Enter the first IP address in the range
<ip_addr> Enter the last IP address in the range
to Apply the rule based on the traffic destination (Default: any)
Set the domain name of a specific host as the traffic destination (Note: Wildcard domain
hostname
names are not supported.)
<string> Enter a host or domain name (1­32 chars)
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from ip­range <ip_addr> <ip_addr> to ip­range <ip_addr> <ip_addr> [
service <string> ] [ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
ip­range Set a range of IP addresses as the traffic source
<ip_addr> Enter the first IP address in the range
<ip_addr> Enter the last IP address in the range

to Apply the rule based on the traffic destination (Default: any)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 133/315
27/4/2016 Aerohive CLI Guide
ip­range Set a range of IP addresses as the traffic destination
<ip_addr> Enter the first IP address in the range
<ip_addr> Enter the last IP address in the range
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from ip­range <ip_addr> <ip_addr> to network <ip_addr> <mask> [ service
<string> ] [ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
ip­range Set a range of IP addresses as the traffic source
<ip_addr> Enter the first IP address in the range
<ip_addr> Enter the last IP address in the range
to Apply the rule based on the traffic destination (Default: any)
network Set a network as the traffic destination
<ip_addr> Enter an IP address
<mask> Enter a netmask
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from ip­range <ip_addr> <ip_addr> to wildcard <ip_addr> <mask> [
service <string> ] [ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
ip­range Set a range of IP addresses as the traffic source
<ip_addr> Enter the first IP address in the range
<ip_addr> Enter the last IP address in the range
to
Apply the rule based on the traffic destination (Default: any)

wildcard Set the destination address using an IP address and wildcard mask

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 134/315
27/4/2016 Aerohive CLI Guide
<ip_addr> Enter an IP address
Enter an IP wildcard mask in which 0 masks the octet where it appears (For example, the
<mask> 0s in 255.0.0.255 mask the second and third octets, applying the firewall policy to all
addresses matching only the first and fourth octets.)
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from network <ip_addr> <mask> [ to {any|vpn} ] [ service <string> ] [
action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
network Set a network as the traffic source
<ip_addr> Enter an IP address
<mask> Enter a netmask
to Apply the rule based on the traffic destination (Default: any)
any Apply the rule regardless of the traffic destination
vpn Apply the rule if the traffic destination is a VPN tunnel
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from network <ip_addr> <mask> to hostname <string> [ service <string> ]
[ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
network Set a network as the traffic source
<ip_addr> Enter an IP address
<mask> Enter a netmask
to Apply the rule based on the traffic destination (Default: any)
Set the domain name of a specific host as the traffic destination (Note: Wildcard domain
hostname names are not supported.)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 135/315
27/4/2016 Aerohive CLI Guide
<string> Enter a host or domain name (1­32 chars)
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from network <ip_addr> <mask> to ip­range <ip_addr> <ip_addr> [ service
<string> ] [ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
network Set a network as the traffic source
<ip_addr> Enter an IP address
<mask> Enter a netmask
to Apply the rule based on the traffic destination (Default: any)
ip­range Set a range of IP addresses as the traffic destination
<ip_addr> Enter the first IP address in the range
<ip_addr> Enter the last IP address in the range
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from network <ip_addr> <mask> to network <ip_addr> <mask> [ service
<string> ] [ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
network Set a network as the traffic source
<ip_addr> Enter an IP address
<mask> Enter a netmask
to Apply the rule based on the traffic destination (Default: any)
network Set a network as the traffic destination
<ip_addr> Enter an IP address

<mask> Enter a netmask

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 136/315
27/4/2016 Aerohive CLI Guide
service Apply the rule if the traffic uses a specific service (Default: any, which applies the
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from network <ip_addr> <mask> to wildcard <ip_addr> <mask> [ service
<string> ] [ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
network Set a network as the traffic source
<ip_addr> Enter an IP address
<mask> Enter a netmask
to Apply the rule based on the traffic destination (Default: any)
wildcard Set the destination address using an IP address and wildcard mask
<ip_addr> Enter an IP address
Enter an IP wildcard mask in which 0 masks the octet where it appears (For example, the
<mask> 0s in 255.0.0.255 mask the second and third octets, applying the firewall policy to all
addresses matching only the first and fourth octets.)
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from user­profile <string> [ to {any|vpn} ] [ service <string> ] [

action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
user­profile Apply the rule if the HiveAP assigns a user profile to the traffic
<string> Enter the user profile name (1­32 chars)
to Apply the rule based on the traffic destination (Default: any)
any Apply the rule regardless of the traffic destination
vpn Apply the rule if the traffic destination is a VPN tunnel
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 137/315
27/4/2016 Aerohive CLI Guide
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from user­profile <string> to hostname <string> [ service <string> ] [
action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
user­profile Apply the rule if the HiveAP assigns a user profile to the traffic
<string> Enter the user profile name (1­32 chars)
to Apply the rule based on the traffic destination (Default: any)
Set the domain name of a specific host as the traffic destination (Note: Wildcard domain
hostname
names are not supported.)
<string> Enter a host or domain name (1­32 chars)
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from user­profile <string> to ip­range <ip_addr> <ip_addr> [ service
<string> ] [ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
user­profile Apply the rule if the HiveAP assigns a user profile to the traffic
<string> Enter the user profile name (1­32 chars)
to Apply the rule based on the traffic destination (Default: any)
ip­range Set a range of IP addresses as the traffic destination
<ip_addr> Enter the first IP address in the range
<ip_addr> Enter the last IP address in the range
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 138/315
27/4/2016 Aerohive CLI Guide
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from user­profile <string> to network <ip_addr> <mask> [ service
<string> ] [ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
user­profile Apply the rule if the HiveAP assigns a user profile to the traffic
<string> Enter the user profile name (1­32 chars)
to Apply the rule based on the traffic destination (Default: any)
network Set a network as the traffic destination
<ip_addr> Enter an IP address
<mask> Enter a netmask
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from user­profile <string> to wildcard <ip_addr> <mask> [ service
<string> ] [ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
user­profile Apply the rule if the HiveAP assigns a user profile to the traffic
<string> Enter the user profile name (1­32 chars)
to Apply the rule based on the traffic destination (Default: any)
wildcard Set the destination address using an IP address and wildcard mask
<ip_addr> Enter an IP address
Enter an IP wildcard mask in which 0 masks the octet where it appears (For example, the
<mask> 0s in 255.0.0.255 mask the second and third octets, applying the firewall policy to all
addresses matching only the first and fourth octets.)
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)

Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 139/315
27/4/2016 Aerohive CLI Guide
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from wildcard <ip_addr> <mask> [ to {any|vpn} ] [ service <string> ] [
action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
wildcard Set the source address using an IP address and wildcard mask
<ip_addr> Enter an IP address
Enter an IP wildcard mask in which 0 masks the octet where it appears (For example, the
<mask> 0s in 255.0.0.255 mask the second and third octets, applying the firewall policy to all
addresses matching only the first and fourth octets.)
to Apply the rule based on the traffic destination (Default: any)
any Apply the rule regardless of the traffic destination
vpn Apply the rule if the traffic destination is a VPN tunnel
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from wildcard <ip_addr> <mask> to hostname <string> [ service <string>
] [ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
wildcard Set the source address using an IP address and wildcard mask
<ip_addr> Enter an IP address
Enter an IP wildcard mask in which 0 masks the octet where it appears (For example, the
<mask> 0s in 255.0.0.255 mask the second and third octets, applying the firewall policy to all
addresses matching only the first and fourth octets.)
to Apply the rule based on the traffic destination (Default: any)
Set the domain name of a specific host as the traffic destination (Note: Wildcard domain
hostname
names are not supported.)
<string> Enter a host or domain name (1­32 chars)
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)

Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 140/315
27/4/2016 Aerohive CLI Guide
Log all matching packets that are dropped or the first packet in a permitted session
on
(Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from wildcard <ip_addr> <mask> to ip­range <ip_addr> <ip_addr> [
service <string> ] [ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
wildcard Set the source address using an IP address and wildcard mask
<ip_addr> Enter an IP address
Enter an IP wildcard mask in which 0 masks the octet where it appears (For example, the
<mask> 0s in 255.0.0.255 mask the second and third octets, applying the firewall policy to all
addresses matching only the first and fourth octets.)
to Apply the rule based on the traffic destination (Default: any)
ip­range Set a range of IP addresses as the traffic destination
<ip_addr> Enter the first IP address in the range
<ip_addr> Enter the last IP address in the range
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from wildcard <ip_addr> <mask> to network <ip_addr> <mask> [ service
<string> ] [ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
wildcard Set the source address using an IP address and wildcard mask
<ip_addr> Enter an IP address
Enter an IP wildcard mask in which 0 masks the octet where it appears (For example, the
<mask> 0s in 255.0.0.255 mask the second and third octets, applying the firewall policy to all
addresses matching only the first and fourth octets.)
to Apply the rule based on the traffic destination (Default: any)
network Set a network as the traffic destination
<ip_addr> Enter an IP address
<mask> Enter a netmask
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 141/315
27/4/2016 Aerohive CLI Guide
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

network­firewall name <string> from wildcard <ip_addr> <mask> to wildcard <ip_addr> <mask> [ service
<string> ] [ action {permit|deny} ] logging {on|off}
network­firewall Set a Layer 3 firewall policy (Max: 1024 rules per Aerohive device)
name Assign a name to a Layer 3 firewall policy rule
<string> Enter the rule name (1­32 chars)
from Apply the rule based on the traffic source (Default: any)
wildcard Set the source address using an IP address and wildcard mask
<ip_addr> Enter an IP address
Enter an IP wildcard mask in which 0 masks the octet where it appears (For example, the
<mask> 0s in 255.0.0.255 mask the second and third octets, applying the firewall policy to all
addresses matching only the first and fourth octets.)
to Apply the rule based on the traffic destination (Default: any)
wildcard Set the destination address using an IP address and wildcard mask
<ip_addr> Enter an IP address
Enter an IP wildcard mask in which 0 masks the octet where it appears (For example, the
<mask> 0s in 255.0.0.255 mask the second and third octets, applying the firewall policy to all
addresses matching only the first and fourth octets.)
Apply the rule if the traffic uses a specific service (Default: any, which applies the
service
rule regardless of the service type)
<string> Enter the service name (1­32 chars)
Set the action the HiveAP takes when traffic matches the specified source, destination,
action
and service (Default: deny)
permit Permit traffic to cross the firewall
deny Do not allow traffic to cross the firewall
logging Set logging options for packets and sessions that match the firewall rule
Log all matching packets that are dropped or the first packet in a permitted session
on (Note: A session is defined by the 5­part tuple: source and destination IP address,
source and destination port number, and protocol)
off Do not log packets

ntp enable
ntp Set NTP (Network Time Protocol) parameters
enable Enable the local AP to act as an NTP client

ntp interval <number>

ntp Set NTP (Network Time Protocol) parameters
interval Set the interval for synchronizing the internal clock with an NTP server
<number> Enter the interval in minutes (Default: 1440; Range: 60­10080)

ntp server <string> [ {second|third|fourth} ] [ {via­vpn­tunnel} ]

ntp Set NTP (Network Time Protocol) parameters
server Set NTP server parameters
<string> Enter the IP address or domain name of an NTP server (1­32 chars)
second Set the priority of the NTP server as second
third Set its priority as third
fourth Set its priority as fourth
Send all NTP traffic through a VPN tunnel (Note: Set this option on VPN clients when the
NTP server is in a different subnet from the tunnel interface. When they are in the same
via­vpn­tunnel

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 142/315
27/4/2016 Aerohive CLI Guide
subnet, tunneling is automatic.)

os­detection enable
os­detection Set the OS (Operating System) detection parameters
enable Enable OS detection to learn client station operating systems (Default: Enabled)

os­detection method dhcp­option55

os­detection Set the OS (Operating System) detection parameters
Set the OS detection method (Note: HiveAPs can detect the OS of client stations using
method option 55 in the DHCP packets or by parsing the HTTP headers to find the User­Agent
field.)
Detect client station operating systems by parsing option 55 in DHCP messages from
dhcp­option55
clients (Default: Enabled)

os­detection method user­agent

os­detection Set the OS (Operating System) detection parameters
Set the OS detection method (Note: HiveAPs can detect the OS of client stations using
method option 55 in the DHCP packets or by parsing the HTTP headers to find the User­Agent
field.)
Detect client station operating systems by parsing the User­Agent field in HTTP packets
user­agent
(Default: Disabled)

os­object <string> os­version <string>

Set parameters for an OS object that the HiveAP can use to assign a client running a
os­object
matching OS to a user profile (Max: 64 OS objects per HiveAP.)
Enter an OS object name (1­32 chars; Note: The object name is an admin­defined name and
<string>
does not have to be the name of an operating system.)
Set the name and version of an operating system version (Max: 32 OS versions per OS
os­version
object)
Enter the exact text string that identifies an operating system as it appears in the
<string> user agent ID field in HTTP headers (1­32 chars; Note: Use quotation marks if spaces are
required. Examples: "Windows NT 5.1", "Mac OS X", "Linux i686")

os­version <string> option55 <string>

os­version Set the OS (operating system) version you want to detect in the DHCP packets
Enter the OS version name (1­32 chars; Note: The OS version name can be in any form you
<string>
choose; for example, "Windows XP" or "WinXP".)
option55 Set the option 55 string for the type of operating system you want to detect
<string> Enter the DHCP option 55 string (1­256 chars)

performance­sentinel notification­interval <number>

performance­sentinel
notification­interval
<number>
Set performance sentinel parameters to moderate client throughput
Set the interval for sending SNMP traps to HiveManager to update the performance
sentinel log
Enter the performance sentinel log update interval in seconds (Default: 600; Range: 30­
1800)

ping <ip_addr> [ count <number> ] [ size <number> ] [ ttl <number> ] [ timeout <number> ]
ping Perform a ping
<ip_addr> Enter the destination IP address
count Stop pinging after sending the specified number of ICMP echo requests
Enter a number after sending the number of ICMP echo requests the pinging stop (Default:
<number>
5, Range: 1­65535)
size Set the size of the ICMP packets
<number> Enter the packet size in bytes (Default: 56, Range: 1­1024)
ttl Set the TTL (time to live)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 143/315
27/4/2016 Aerohive CLI Guide
<number> Enter the TTL (Range: 1­255)
timeout Set the length of time to wait for a response
<number> Enter the timeout in seconds (Default: 10; Range: 1­60)

ping <string> [ count <number> ] [ size <number> ] [ ttl <number> ] [ timeout <number> ]
ping Perform a ping
<string> Enter the destination domain name (1­32 chars)
count Set the number of ICMP echo requests to send
<number> Enter the number of ICMP echo requests (Default: 5, Range: 1­65535)
size Set the size of the ICMP packets
<number> Enter the packet size in bytes (Default: 56, Range: 1­1024)
ttl Set the TTL (time to live)
<number> Enter the TTL (Range: 1­255)
timeout Set the length of time to wait for a response
<number> Enter the timeout in seconds (Default: 10; Range: 1­60)

ping6 <ipv6_addr> [ interface <string> ] [ count <number> ] [ size <number> ] [ ttl <number> ] [
timeout <number> ]
ping6 Perform a ping
<ipv6_addr> Enter the destination IPv6 address
The egress interface name, to be converted to IPv6 scope ID if pinging a link­local
interface
address
<string> Enter the interface name (1­32 chars)
count Stop pinging after sending the specified number of ICMP echo requests
Enter a number after sending the number of ICMP echo requests the pinging stop (Default:
<number>
5, Range: 1­65535)
size Set the size of the ICMP packets
<number> Enter the packet size in bytes (Default: 56, Range: 1­1024)
ttl Set the TTL (time to live)
<number> Enter the TTL (Range: 1­255)
timeout Set the length of time to wait for a response
<number> Enter the timeout in seconds (Default: 10; Range: 1­60)

ping6 <string> [ interface <string> ] [ count <number> ] [ size <number> ] [ ttl <number> ] [ timeout
<number> ]
ping6 Perform a ping
<string> Enter the destination domain name (1­32 chars)
The egress interface name, to be converted to IPv6 scope ID if pinging a link­local
interface
address
<string> Enter the interface name (1­32 chars)
count Stop pinging after sending the specified number of ICMP echo requests
Enter a number after sending the number of ICMP echo requests the pinging stop (Default:
<number>
5, Range: 1­65535)
size Set the size of the ICMP packets
<number> Enter the packet size in bytes (Default: 56, Range: 1­1024)
ttl Set the TTL (time to live)
<number> Enter the TTL (Range: 1­255)
timeout Set the length of time to wait for a response
<number> Enter the timeout in seconds (Default: 10; Range: 1­60)

probe <ip_addr|mac_addr> [ size <number> ] [ src­mac <mac_addr> ] [ wait­time <number> ] [ ttl

<number> ] [ count <number> ]
probe Set the probe parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 144/315
27/4/2016 Aerohive CLI Guide

<ip_addr> Enter the target IP or MAC address

Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
size Set the probe request packet size (default: 512 bytes)
<number> Enter a packet size (range: 256­1400 bytes)
src­mac Set the Source MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
wait­time Set the timeout value (default: 1 second)
<number> Enter an timeout value (range: 1­30 seconds)
ttl Set the TTL value (default 32)
<number> Enter an TTL value (range: 1­255)
count Set probe request count (default: 5)
<number> Enter the probe request count (range: 1­64)

probe portal [ size <number> ] [ src­mac <mac_addr> ] [ wait­time <number> ] [ ttl <number> ] [ count
<number> ]
probe Set the probe parameters
portal Set the target of the probe as the MAC address of the HiveAP acting as portal
size Set the probe request packet size (default: 512 bytes)
<number> Enter a packet size (range: 256­1400 bytes)
src­mac Set the Source MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
wait­time Set the timeout value (default: 1 second)
<number> Enter an timeout value (range: 1­30 seconds)
ttl Set the TTL value (default 32)
<number> Enter an TTL value (range: 1­255)
count Set probe request count (default: 5)
<number> Enter the probe request count (range: 1­64)

qos airtime enable

qos Set QoS (Quality of Service) parameters
airtime Set QoS parameters based on the amount of airtime that wireless client traffic uses
enable Enable dynamic airtime scheduling

qos airtime rate­preference­weight {none|moderate|high}

qos Set QoS (Quality of Service) parameters
airtime Set QoS parameters based on the amount of airtime that wireless client traffic uses
Set a preference for forwarding traffic to and from wireless clients that are capable of
rate­preference­weight
fast data transfer rates
none Set no preference for clients with a fast data rate (Default: high)
moderate Set a moderate preference for clients with a fast data rate (Default: high)
high Set a high preference for clients with a fast data rate (Default: high)

qos classifier­map 80211e <number> <number>

qos Set QoS (Quality of Service) parameters
classifier­map Map QoS priority markers on incoming packets to Aerohive QoS classes
80211e Map IEEE 802.11e user priority markers on incoming packets to Aerohive QoS classes
<number> Enter IEEE 802.11e user priority (Range: 0­7)
<number> Enter Aerohive QoS class (Range: 0­7)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 145/315
27/4/2016 Aerohive CLI Guide
qos classifier­map 8021p <number> <number>
qos Set QoS (Quality of Service) parameters
classifier­map Map QoS priority markers on incoming packets to Aerohive QoS classes
8021p Map IEEE 802.1p priority markers on incoming packets to Aerohive QoS classes
<number> Enter IEEE 802.1p Priority (Range: 0­7)
<number> Enter Aerohive QoS class (Range: 0­7)

qos classifier­map diffserv <number> <number>

qos Set QoS (Quality of Service) parameters
classifier­map Map QoS priority markers on incoming packets to Aerohive QoS classes
Map diffserv DSCP (Differentiated Services Code Point) values on incoming packets to
diffserv
Aerohive QoS classes
<number> Enter the DSCP class (Range: 0­63)
<number> Enter the Aerohive QoS class (Range: 0­7)

qos classifier­map interface <ethx|aggx|redx> <number>

qos Set QoS (Quality of Service) parameters
classifier­map Map QoS priority markers on incoming packets to Aerohive QoS classes
interface Map incoming Ethernet traffic to Aerohive QoS classes by its ingress interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
<number> Enter the Aerohive QoS class (Range: 0­7)

qos classifier­map oui <oui> [ qos <number> ] [ action {permit|deny|log} ] [ comment <string> ]
qos Set QoS (Quality of Service) parameters
classifier­map Map QoS priority markers on incoming packets to Aerohive QoS classes
oui Set a MAC OUI (Organizational Unique Identifier) classification table
Enter the OUI (Note: You can use colons, dashes, or periods to format the OUI. Examples:
<oui>
Apple iPhone=00:1b:63; D­Link Phone=00­17­9a; Vocera=00.09.ef.)
qos Set an Aerohive QoS class to the MAC
<number> Enter Aerohive QoS class (Range: 0­7)
action Set an action to the MAC OUI
permit permit the packet
deny deny the packet
log log the packet
comment Add a comment to the MAC OUI
<string> Enter a comment (Maximum:32 chars) to the MAC

qos classifier­map service <string> [ qos <number> ] [ action {permit|deny|log} ]

qos Set QoS (Quality of Service) parameters
classifier­map Map QoS priority markers on incoming packets to Aerohive QoS classes
service Set service­based classification table
<string> Enter service name (1­32 chars)
qos Set an Aerohive QoS class to the service
<number> Enter the Aerohive QoS class (Range: 0­7)
action Set the action to take when receiving a packet for this service
permit permit the packet
deny deny the packet

log log the packet

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 146/315
27/4/2016 Aerohive CLI Guide

qos classifier­map ssid <string> <number>

qos Set QoS (Quality of Service) parameters
classifier­map Map QoS priority markers on incoming packets to Aerohive QoS classes
ssid Map incoming wireless traffic to Aerohive QoS classes by SSID
<string> Enter an SSID name
<number> Enter the Aerohive QoS class (Range: 0­7)

qos classifier­profile <string> [ {interface/ssid­

only|8021p|80211e|diffserv|interface/ssid|mac|service} ]
qos Set QoS (Quality of Service) parameters
classifier­profile Set a QoS classification profile
<string> Enter a classifier profile name (1­32 chars)
Classify all incoming and outgoing packets using the interface or SSID bound to this
classifier profile (Note: The interface/ssid­only method cannot be combined with other
interface/ssid­only
methods in the same classifier profile or applied to more than one profile. This profile
has precedence over all others.)
8021p Classify incoming packets by 802.1p priority markers present in Layer2 frame headers
80211e Classify incoming packets by 802.11e priority markers present in wireless frame headers
diffserv Classify incoming packets by DiffServ DSCP values present in Layer3 packet headers
Classify packets by the interface or SSID that they traverse (Note: If two
interface/ssid interface/SSID classifier profiles apply to the same session, the one providing better
QoS is used.)
Classify packets by the OUI (organizationally unique identifier) of the session
mac participants (Note: If two OUI classifier profiles apply to the same session, the one
providing better QoS is used.)
service Classify incoming packets by network service type

qos enable
qos Set QoS (Quality of Service) parameters
enable Enable QoS (Quality of Service)

qos l3­police interface <string> enable

qos Set QoS (Quality of Service) parameters
l3­police Set parameters for simplified Layer 3 (VoIP QoS) policing
interface Set simplified Layer 3 (VoIP QoS) parameters for the specified interface
<string> Interface name
enable Enable Layer 3 policing for the specified interface

qos l3­police interface <string> max­download­bw <number>

qos Set QoS (Quality of Service) parameters
l3­police Set parameters for simplified Layer 3 (VoIP QoS) policing
interface Set simplified Layer 3 (VoIP QoS) parameters for the specified interface
<string> Interface name
max­download­bw Set the maximum download bandwidth in Kbps
<number> The maximum download bandwidth in Kbps (Default: 100 Kbps; Range: 0~20000 Kbps)

qos l3­police interface <string> max­upload­bw <number>

qos Set QoS (Quality of Service) parameters
l3­police Set parameters for simplified Layer 3 (VoIP QoS) policing
interface Set simplified Layer 3 (VoIP QoS) parameters for the specified interface
<string> Interface name

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 147/315
27/4/2016 Aerohive CLI Guide
max­upload­bw Set the maximum upload bandwidth in Kbps
<number> The maximum upload bandwidth in Kbps (Default: 100 Kbps; Range: 0~20000 Kbps)

qos l3­police voip­detect­timeout <number>

qos Set QoS (Quality of Service) parameters
l3­police Set parameters for simplified Layer 3 (VoIP QoS) policing
voip­detect­timeout Sets timeout used to turn off VoIP QoS policing after VoIP media traffic detection stops
<number> The timeout duration in seconds (Default: 10 seconds; Range: 2~100 seconds)

qos marker­map 80211e <number> <number>

qos Set QoS (Quality of Service) parameters
marker­map Map Aerohive QoS classes to QoS priority markers on outgoing packets
80211e Map Aerohive QoS classes to IEEE 802.11e user priority markers on outgoing packets
<number> Enter the Aerohive QoS class (Range: 0­7)
<number> Enter the IEEE 802.11e user priority (Range: 0­7)

qos marker­map 8021p <number> <number>

qos Set QoS (Quality of Service) parameters
marker­map Map Aerohive QoS classes to QoS priority markers on outgoing packets
8021p Map Aerohive QoS classes to IEEE 802.1p priority markers on outgoing packets
<number> Enter Aerohive QoS class (Range: 0­7)
<number> Enter IEEE 802.1p Priority (Range: 0­7)

qos marker­map 8021p <string> [ <number> <number> ]

qos Set QoS (Quality of Service) parameters
marker­map Map Aerohive QoS classes to QoS priority markers on outgoing packets
8021p Map Aerohive QoS classes to IEEE 802.1p priority markers on outgoing packets
<string> Enter marker name (1­32 chars)
<number> Enter Aerohive QoS class (Range: 0­7)
<number> Enter IEEE 802.1p Priority (Range: 0­7)

qos marker­map diffserv <number> <number>

qos Set QoS (Quality of Service) parameters
marker­map Map Aerohive QoS classes to QoS priority markers on outgoing packets
Map Aerohive QoS classes to diffserv DSCP (Differentiated Services Code Point) values on
diffserv
outgoing packets
<number> Enter the Aerohive QoS class (Range: 0­7)
<number> Enter the DSCP class (Range: 0­63)

qos marker­map diffserv <string> [ <number> <number> ]

qos Set QoS (Quality of Service) parameters
marker­map Map Aerohive QoS classes to QoS priority markers on outgoing packets
Map Aerohive QoS classes to diffserv DSCP (Differentiated Services Code Point) values on
diffserv
outgoing packets
<string> Enter marker name (1­32 chars)
<number> Enter the Aerohive QoS class (Range: 0­7)
<number> Enter the DSCP class (Range: 0­63)

qos marker­profile <string> [ {8021p|80211e|diffserv} ]

qos Set QoS (Quality of Service) parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 148/315
27/4/2016 Aerohive CLI Guide
marker­profile Set a QoS marker profile
<string> Enter the marker profile name (1­32 chars)
8021p Use 802.1p priority markers in Layer 2 frame headers as the marking method
80211e Use 802.11e priority markers in wireless frame headers as the marking method
diffserv Use DiffServ DSCP values in Layer 3 packet headers as the marking method

qos policy <string> [ user­profile <number> <number> ] [ user <number> ] [ qos <number> {strict|wrr}
<number> <number> ]
qos Set QoS (Quality of Service) parameters
policy Set a QoS policy to control traffic forwarding
<string> Enter the policy name (1­32 chars)
user­profile Set QoS policy parameters at the user profile level
<number> Enter the user profile rate limit in kbps (Range: 0­2000000)
<number> Enter the scheduling weight for the user profile (Range: 0­1000)
user Set QoS parameters at the user level
<number> Enter the user rate limit in kbps (Range: 0­2000000)
qos Set QoS parameters at the Aerohive QoS class level
<number> Enter the Aerohive QoS class (Range: 0­7)
strict Set the scheduling mode as strict to forward traffic without queuing it
Set the scheduling mode as WRR (weighted round robin) to queue traffic and use rate
wrr
limits and weights to prioritize forwarding
<number> Enter the class rate limit in kbps (Range: 0­2000000)
Enter the scheduling weight (Range: 0­1000; Note: If the scheduling mode is strict, its
<number>
weight must be zero.)

quit
quit Quit CLI (Command Line Interface)

radio profile <string>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)

radio profile <string> acsp access channel­auto­select time­range <time> <time> [ station <number> ]
radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
acsp Set parameters for ACSP (Advanced Channel Selection Protocol)
access Set access point interface parameters
channel­auto­select Set conditions for automatically selecting radio channels
Set the time range when a new radio channel can be selected (Note: During this time, the
time­range radio re­evaluates the channel in use. It might switch to a different channel or
continue using the same channel.)
<time> Enter the start time (Format: hh:mm; Hour Range: 00­23; Minute Range: 00­59)
<time> Enter the end time (Format: hh:mm; Hour Range: 00­23; Minute Range: 00­59)
Set the maximum number of stations that can be connected to the HiveAP when selecting a
station
channel (If more are connected during the time range, no channel selection occurs.)
<number> Enter the station maximum (Range: 0­100; Default: 0)

radio profile <string> acsp all­channels­model enable

radio Set radio profile parameters
profile Set radio profile parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 149/315
27/4/2016 Aerohive CLI Guide
<string> Enter a radio profile name (1­32 chars)
acsp Set parameters for ACSP (Advanced Channel Selection Protocol)
all­channels­model Set all channels from which the radio can select the optimal channel
enable Enable all channels selection

radio profile <string> acsp channel­model 4­channels [ <channel_g4> ]

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
acsp Set parameters for ACSP (Advanced Channel Selection Protocol)
Set the pool of channels from which the radio can select the optimal channel(Default: 3­
channel­model
channel model)
4­channels Set a 4­channel model
Enter the pool of channels from which the radio can select one to use (Format: xx­xx­xx­
<channel_g4>
xx; Default for FCC: 01­04­08­11; Default for all other regions: 01­05­09­13)

radio profile <string> acsp channel­model {3­channels} [ <channel_g3> ]

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
acsp Set parameters for ACSP (Advanced Channel Selection Protocol)
Set the pool of channels from which the radio can select the optimal channel(Default: 3­
channel­model
channel model)
3­channels Set a 3­channel model
Enter the pool of channels from which the radio can select one to use (Format: xx­xx­xx;
<channel_g3>
Default for all regions: 01­06­11)

radio profile <string> acsp interference­switch crc­err­threshold <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
acsp Set parameters for ACSP (Advanced Channel Selection Protocol)
Set parameters for the collection of RF interference­related data and switch channels if
interference­switch
the threshold is reached
Set an RF interference threshold based on the rate of CRC (cyclic redundancy check)
crc­err­threshold errors (Note: If the rate of CRC errors exceeds this threshold, the HiveAP switches
channels)
<number> Enter the threshold as a percent (Default: 25; Range: 10­80)

radio profile <string> acsp interference­switch iu­threshold <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
acsp Set parameters for ACSP (Advanced Channel Selection Protocol)
Set parameters for the collection of RF interference­related data and switch channels if
interference­switch
the threshold is reached
Set an RF interference threshold based on interference utilization (Note: If the percent
iu­threshold
of interference utilization exceeds this value, the HiveAP switches channels)
<number> Enter the threshold as a percent (Default: 25; Range: 10­80)

radio profile <string> acsp interference­switch {enable|no­station­enable|disable}

radio Set radio profile parameters
profile Set radio profile parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 150/315
27/4/2016 Aerohive CLI Guide
<string> Enter a radio profile name (1­32 chars)
acsp Set parameters for ACSP (Advanced Channel Selection Protocol)
Set parameters for the collection of RF interference­related data and switch channels if
interference­switch
the threshold is reached
Enable the radio to switch channels if the RF interference threshold is reached (Default
enable
setting: no­station­enable)
Enable the radio to switch channels only if the RF interference threshold is reached and
no­station­enable
no stations are connected (Default setting: no­station­enable)
Disable the radio from switching channels because of RF interference­related data
disable
(Default setting: no­station­enable)

radio profile <string> acsp max­tx­power <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
acsp Set parameters for ACSP (Advanced Channel Selection Protocol)
max­tx­power Set radio max transmit power
<number> Enter the max transmit power (Default: 20 dBm; Range: 10­20 dBm)

radio profile <string> ampdu

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable AMPDU (Aggregate MAC Protocol Data Unit) transmissions to reduce overhead when
ampdu
the transmission channel is busy

radio profile <string> amsdu

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable AMSDU (Aggregate MAC Service Data Unit) transmissions to reduce overhead when the
amsdu
transmission channel is busy

radio profile <string> backhaul failover [ trigger­time <number> ] [ hold­time <number> ]

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Set parameters for failing over the backhaul link from Ethernet to wireless (Note: Only
backhaul
set this command on a HiveAP that acts as a portal.)
Enable backhaul communications to fail over to the wireless link if the Ethernet link
failover
goes down (Default: enabled)
trigger­time Set how long the Ethernet link must be down to trigger a failover to the wireless link
<number> Enter the failover trigger time in seconds (Default: 2; Range: 1­5)
Set how long the Ethernet link must be up to revert backhaul communications from
hold­time
wireless to Ethernet
<number> Enter the hold time in seconds (Default: 30; Range: 1­300)

radio profile <string> band­steering balance­band threshold <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Distribute wireless clients that support both 2.4 and 5 GHz bands evenly across the two
band­steering
bands when an SSID is available on both bands
Balance clients according to an approximate ratio between 2.4 GHz and 5 GHz channels
balance­band
(Default: Allow four 5 GHz clients for every one 2.4 GHz client, or 80%.)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 151/315
27/4/2016 Aerohive CLI Guide
Set the minimum ratio of 5 GHz clients to 2.4 GHz clients, expressed as a percentage
threshold
(Example: Four 5­GHz stations to five total stations is 80%.)
Enter the threshold to begin balancing band usage as a percentage (Range: 0­100;
<number>
Default: 80)

radio profile <string> band­steering enable

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Distribute wireless clients that support both 2.4 and 5 GHz bands evenly across the two
band­steering
bands when an SSID is available on both bands
enable Enable band steering (Default: Disabled)

radio profile <string> band­steering mode {balance­band|prefer­5g|force­5g}

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Distribute wireless clients that support both 2.4 and 5 GHz bands evenly across the two
band­steering
bands when an SSID is available on both bands
mode Set the mode for band steering (Default: balance­band)
Balance clients according to an approximate ratio between 2.4 GHz and 5 GHz channels
balance­band
(Default: Allow four 5 GHz clients for every one 2.4 GHz client, or 80%.)
Encourage clients that are 5­GHz capable to move to the 5 GHz band by ignoring requests
from them on the 2.4 GHz band (Note: If a client continues to attempt using 2.4 GHz even
prefer­5g
when offered a 5 GHz connection, the system allows it to connect at 2.4 GHz after a
specified number of attempts. The default is 5.)
force­5g Answer probe requests from 5 GHz­capable clients only on 5 GHz interfaces

radio profile <string> band­steering prefer­5g suppression­limit <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Distribute wireless clients that support both 2.4 and 5 GHz bands evenly across the two
band­steering
bands when an SSID is available on both bands
Encourage clients that are 5­GHz capable to move to the 5 GHz band by ignoring requests
from them on the 2.4 GHz band (Note: If a client continues to attempt using 2.4 GHz even
prefer­5g
when offered a 5 GHz connection, the system allows it to connect at 2.4 GHz after a
specified number of attempts. The default is 5.)
Set a limit number to the number of probe responses the system suppresses before
suppression­limit
accepting a client on the 2.4 GHz band
Enter the number of probe responses the system suppresses before accepting client in the
<number>
2.4 GHz band (Default: 5; Range: 1­100)

radio profile <string> beacon­period <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
beacon­period Set the period of time between beacon broadcasts
Enter the beacon period in TUs (time units, a measurement of time equal to 1024
<number>
microseconds) for the radio profile (Default: 100, Range: 40­3500)

radio profile <string> benchmark phymode 11a rate {6|9|12|18|24|36|48|54} success <number> usage
<number>
radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 152/315
27/4/2016 Aerohive CLI Guide
benchmark Set benchmark parameters for gauging the health of client connectivity
phymode Set the physical mode for which you want to measure client connectivity
11a Set benchmark parameters for 11a mode
Set the transmission rate that you expect clients with healthy connectivity to use
rate
(Note: You can set up to 3 rates for the same phymode)
6 Enter the transmission rate
9 Enter the transmission rate
12 Enter the transmission rate
18 Enter the transmission rate
24 Enter the transmission rate
36 Enter the transmission rate
48 Enter the transmission rate
54 Enter the transmission rate
Set the percent of packets that you expect clients with healthy connectivity to transmit
success
successfully
<number> Enter the percent for successfully transmitted packets (Range: 1­100)
Set the percent of time that you expect clients with healthy connectivity to transmit at
usage
the defined rate
<number> Enter the percent of time that clients transmit at the defined rate (Range: 1­100)

radio profile <string> benchmark phymode 11ac rate

{6|9|12|18|24|36|48|54|mcs0/1|mcs1/1|mcs2/1|mcs3/1|mcs4/1|mcs5/1|mcs6/1|mcs7/1|mcs8/1|mcs9/1|mcs0/2|mcs1/2|mcs
success <number> usage <number>
radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
benchmark Set benchmark parameters for gauging the health of client connectivit
phymode Set the physical mode for which you want to measure client connectivi
11ac Set benchmark parameters for 11ac mode
rate Set the transmission rate that you expect clients with healthy connec
6 Enter the transmission rate
9 Enter the transmission rate
12 Enter the transmission rate
18 Enter the transmission rate
24 Enter the transmission rate
36 Enter the transmission rate
48 Enter the transmission rate
54 Enter the transmission rate
mcs0/1 Enter the transmission rate
mcs1/1 Enter the transmission rate
mcs2/1 Enter the transmission rate
mcs3/1 Enter the transmission rate
mcs4/1 Enter the transmission rate
mcs5/1 Enter the transmission rate
mcs6/1 Enter the transmission rate
mcs7/1 Enter the transmission rate
mcs8/1 Enter the transmission rate
mcs9/1 Enter the transmission rate
mcs0/2 Enter the transmission rate
mcs1/2 Enter the transmission rate
mcs2/2 Enter the transmission rate

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 153/315
27/4/2016 Aerohive CLI Guide
mcs3/2 Enter the transmission rate
mcs4/2 Enter the transmission rate
mcs5/2 Enter the transmission rate
mcs6/2 Enter the transmission rate
mcs7/2 Enter the transmission rate
mcs8/2 Enter the transmission rate
mcs9/2 Enter the transmission rate
mcs0/3 Enter the transmission rate
mcs1/3 Enter the transmission rate
mcs2/3 Enter the transmission rate
mcs3/3 Enter the transmission rate
mcs4/3 Enter the transmission rate
mcs5/3 Enter the transmission rate
mcs6/3 Enter the transmission rate
mcs7/3 Enter the transmission rate
mcs8/3 Enter the transmission rate
mcs9/3 Enter the transmission rate
success Set the percent of packets that you expect clients with healthy conne
<number> Enter the percent for successfully transmitted packets (Range: 1­100)
usage Set the percent of time that you expect clients with healthy connecti
<number> Enter the percent of time that clients transmit at the defined rate (

radio profile <string> benchmark phymode 11b rate {1|2|5.5|11} success <number> usage <number>
radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
benchmark Set benchmark parameters for gauging the health of client connectivity
phymode Set the physical mode for which you want to measure client connectivity
11b Set benchmark parameters for 11b mode
Set the transmission rate that you expect clients with healthy connectivity to use
rate
(Note: You can set up to 3 rates for the same phymode)
1 Enter the transmission rate
2 Enter the transmission rate
5.5 Enter the transmission rate
11 Enter the transmission rate
Set the percent of packets that you expect clients with healthy connectivity to transmit
success
successfully
<number> Enter the percent for successfully transmitted packets (Range: 1­100)
Set the percent of time that you expect clients with healthy connectivity to transmit at
usage
the defined rate
<number> Enter the percent of time that clients transmit at the defined rate (Range: 1­100)

radio profile <string> benchmark phymode 11g rate {1|2|5.5|11|6|9|12|18|24|36|48|54} success <number>
usage <number>
radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
benchmark Set benchmark parameters for gauging the health of client connectivity
phymode Set the physical mode for which you want to measure client connectivity
11g Set benchmark parameters for 11g mode

Set the transmission rate that you expect clients with healthy connectivity to use

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 154/315
27/4/2016 Aerohive CLI Guide
rate (Note: You can set up to 3 rates for the same phymode)

1 Enter the transmission rate

2 Enter the transmission rate
5.5 Enter the transmission rate
11 Enter the transmission rate
6 Enter the transmission rate
9 Enter the transmission rate
12 Enter the transmission rate
18 Enter the transmission rate
24 Enter the transmission rate
36 Enter the transmission rate
48 Enter the transmission rate
54 Enter the transmission rate
Set the percent of packets that you expect clients with healthy connectivity to transmit
success
successfully
<number> Enter the percent for successfully transmitted packets (Range: 1­100)
Set the percent of time that you expect clients with healthy connectivity to transmit at
usage
the defined rate
<number> Enter the percent of time that clients transmit at the defined rate (Range: 1­100)

radio profile <string> benchmark phymode 11n rate

{6|9|12|18|24|36|48|54|mcs0|mcs1|mcs2|mcs3|mcs4|mcs5|mcs6|mcs7|mcs8|mcs9|mcs10|mcs11|mcs12|mcs13|mcs14|mcs15|m
success <number> usage <number>
radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
benchmark Set benchmark parameters for gauging the health o
phymode Set the physical mode for which you want to measu
11n Set benchmark parameters for 11n mode
rate Set the transmission rate that you expect clients
6 Enter the transmission rate
9 Enter the transmission rate
12 Enter the transmission rate
18 Enter the transmission rate
24 Enter the transmission rate
36 Enter the transmission rate
48 Enter the transmission rate
54 Enter the transmission rate
mcs0 Enter the transmission rate
mcs1 Enter the transmission rate
mcs2 Enter the transmission rate
mcs3 Enter the transmission rate
mcs4 Enter the transmission rate
mcs5 Enter the transmission rate
mcs6 Enter the transmission rate
mcs7 Enter the transmission rate
mcs8 Enter the transmission rate
mcs9 Enter the transmission rate
mcs10 Enter the transmission rate
mcs11 Enter the transmission rate

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 155/315
27/4/2016 Aerohive CLI Guide
mcs12 Enter the transmission rate
mcs13 Enter the transmission rate
mcs14 Enter the transmission rate
mcs15 Enter the transmission rate
mcs16 Enter the transmission rate
mcs17 Enter the transmission rate
mcs18 Enter the transmission rate
mcs19 Enter the transmission rate
mcs20 Enter the transmission rate
mcs21 Enter the transmission rate
mcs22 Enter the transmission rate
mcs23 Enter the transmission rate
mcs0/1 Enter the transmission rate
mcs1/1 Enter the transmission rate
mcs2/1 Enter the transmission rate
mcs3/1 Enter the transmission rate
mcs4/1 Enter the transmission rate
mcs5/1 Enter the transmission rate
mcs6/1 Enter the transmission rate
mcs7/1 Enter the transmission rate
mcs0/2 Enter the transmission rate
mcs1/2 Enter the transmission rate
mcs2/2 Enter the transmission rate
mcs3/2 Enter the transmission rate
mcs4/2 Enter the transmission rate
mcs5/2 Enter the transmission rate
mcs6/2 Enter the transmission rate
mcs7/2 Enter the transmission rate
mcs0/3 Enter the transmission rate
mcs1/3 Enter the transmission rate
mcs2/3 Enter the transmission rate
mcs3/3 Enter the transmission rate
mcs4/3 Enter the transmission rate
mcs5/3 Enter the transmission rate
mcs6/3 Enter the transmission rate
mcs7/3 Enter the transmission rate
success Set the percent of packets that you expect client
<number> Enter the percent for successfully transmitted pa
usage Set the percent of time that you expect clients w
<number> Enter the percent of time that clients transmit a

radio profile <string> channel­width {20|40|40­above|40­below|80}

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
channel­width Set the channel width or the extensive channel offset when channel width is 40 MHz
20 Enter the channel width and extensive channel offset (Default: 20 Mhz)

40 Enter the channel width and extensive channel offset (Default: 20 Mhz)

40­above Enter the channel width and extensive channel offset (Default: 20 Mhz)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 156/315
27/4/2016 Aerohive CLI Guide
40­below Enter the channel width and extensive channel offset (Default: 20 Mhz)
80 Enter the channel width and extensive channel offset (Default: 20 Mhz)

radio profile <string> client­load­balance crc­error­limit <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable the HiveAP to engage in client load balancing with neighboring hive members and
client­load­balance
set client load balancing parameters
Set the maximum CRC (cyclic redundancy check) error rate that the HiveAP will tolerate
crc­error­limit
before ignoring probes and association requests
<number> Enter the maximum CRC error rate as a percent (Default: 30; Range: 1­99)

radio profile <string> client­load­balance enable

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable the HiveAP to engage in client load balancing with neighboring hive members and
client­load­balance
set client load balancing parameters
enable Enable client load balancing (Default: Disabled)

radio profile <string> client­load­balance hold­time <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable the HiveAP to engage in client load balancing with neighboring hive members and
client­load­balance
set client load balancing parameters
Set the amount of time that a client must be associated with a HiveAP before it can roam
(Note: Roaming before the hold time elapses is allowed if the client SNR is below the
hold­time
SNR threshold, the owner HiveAP is overloaded, or the client is experiencing a high
level of interference.)
<number> Enter the hold time for clients in seconds (Default: 60; Range: 10­600)

radio profile <string> client­load­balance interference­limit <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable the HiveAP to engage in client load balancing with neighboring hive members and
client­load­balance
set client load balancing parameters
Set the maximum amount of RF interference that the HiveAP will tolerate before ignoring
interference­limit
probes and association requests
<number> Enter the maximum interference limit as a percent (Default: 40; Range: 1­99)

radio profile <string> client­load­balance mode {airtime|sta­num}

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable the HiveAP to engage in client load balancing with neighboring hive members and
client­load­balance
set client load balancing parameters
mode Set the mode for balancing client load with neighboring hive members (Default: airtime)
Enable load balancing based on airtime; that is, on the amount of the wireless medium
airtime
being used
sta­num Enable load balancing based on the total number of clients associated with the device

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 157/315
27/4/2016 Aerohive CLI Guide
radio profile <string> client­load­balance neighbor­load­query­interval <number>
radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable the HiveAP to engage in client load balancing with neighboring hive members and
client­load­balance
set client load balancing parameters
neighbor­load­query­
Set the time interval to query neighboring HiveAPs for load information
interval
<number> Enter the load query time interval in seconds (Range: 1­600; Default: 60)

radio profile <string> client­load­balance sta­mini­airtime <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable the HiveAP to engage in client load balancing with neighboring hive members and
client­load­balance
set client load balancing parameters
Set the minimum average percent of airtime consumed by all clients associated with the
sta­mini­airtime
HiveAP before it begins ignoring probes and association requests from new client
<number> Enter the minimum station airtime as a percent (Default: 4; Range: 1­5)

radio profile <string> deny­client {11b|11abg}

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
deny­client Deny connections from wireless clients using the specified standards
Deny connections from wireless clients using the 802.11b standard (Default: All
11b
connections are accepted)
Deny connections from wireless clients using the 802.11a/b/g standard (Default: All
11abg connections are accepted; Note: This option is only allowed for radio profiles
supporting 802.11n)

radio profile <string> detect­bssid­spoofing

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
detect­bssid­spoofing Enable the detection of spoofed BSSIDs (Default: Disabled)

radio profile <string> dfs

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable DFS (Dynamic Frequency Selection) so the radio can switch channels automatically
dfs
when detecting a radar signal (Default: Disabled)

radio profile <string> dfs radar­detect­only

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable DFS (Dynamic Frequency Selection) so the radio can switch channels automatically
dfs
when detecting a radar signal (Default: Disabled)
Enable radar signal detection but do not change channels if it is detected (Default:
radar­detect­only
Disabled)

radio profile <string> frameburst

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 158/315
27/4/2016 Aerohive CLI Guide
radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable frame bursting, which allows the device to send a series of frames in succession
frameburst
without having to give up contorl of the medium(Default: Disabled)

radio profile <string> high­density broadcast­probe­suppress oui <oui>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Set parameters to reduce management traffic and improve the processing of client traffic
high­density
in a high­density RF environment
broadcast­probe­
Suppress responses to broadcast probe requests that are broadcast by specified clients
suppress
Set the OUI (Organizationally Unique Identifier) portion of client MAC addresses to
oui
which you want to suppress probe responses
Enter the OUI (Note: You can use colons, dashes, or periods to format the OUI. Examples:
<oui>
Apple iPhone=00:1b:63; D­Link Phone=00­17­9a; Vocera=00.09.ef.)

radio profile <string> high­density continuous­probe­suppress enable

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Set parameters to reduce management traffic and improve the processing of client traffic
high­density
in a high­density RF environment
continuous­probe­ Suppress subsequent transmissions of probe responses to clients that send multiple probe
suppress requests within the same beacon interval
enable Enable the suppression of subsequent probe responses (Default: Disabled)

radio profile <string> high­density enable

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Set parameters to reduce management traffic and improve the processing of client traffic
high­density
in a high­density RF environment
enable Enable high­density settings (Default: Disabled)

radio profile <string> high­density mgmt­frame­tx­rate {low|high}

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Set parameters to reduce management traffic and improve the processing of client traffic
high­density
in a high­density RF environment
Set the management frame transmit bit rate as low or high (Note: This setting also
mgmt­frame­tx­rate applies to broadcast and multicast data frame bit rates and unicast data frame retry bit
rates.)
low Set the basic transmit rate for a high density deployment as low (Default: Low)
high Set the basic transmit rate for a high density deployment as high (Default: Low)

radio profile <string> interference­map crc­err­threshold <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Set parameters for the collection of RF interference­related data and the reporting of
interference­map this data to HiveManager

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 159/315
27/4/2016 Aerohive CLI Guide

Set an RF interference threshold based on the rate of CRC (cyclic redundancy check)
crc­err­threshold errors (Note: If the rate of CRC errors exceeds this threshold, the HiveAP alerts
HiveManager to switch from its regular polling interval to a shorter one)
<number> Enter the threshold as a percent (Default: 20; Range: 15­60)

radio profile <string> interference­map cu­threshold <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Set parameters for the collection of RF interference­related data and the reporting of
interference­map
this data to HiveManager
Set an RF interference threshold based on channel utilization (Note: If the percent of
cu­threshold channel utilization exceeds this value, the HiveAP alerts HiveManager to switch from its
regular polling interval to a shorter one)
<number> Enter the threshold as a percent (Default: 20; Range: 15­60)

radio profile <string> interference­map enable

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Set parameters for the collection of RF interference­related data and the reporting of
interference­map
this data to HiveManager
enable Enable the collection and reporting of RF interference­related data to HiveManager

radio profile <string> interference­map short­term­interval <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Set parameters for the collection of RF interference­related data and the reporting of
interference­map
this data to HiveManager
Set the interval during which the HiveAP calculates a short­term average of channel
short­term­interval utilization and CRC errors (Note: The HiveAP calculates three averages: a running
average, a configurable short­term average, and a 60­second snapshot average)
<number> Enter the short­term interval in minutes (Default: 5; Range: 5­30)

radio profile <string> max­client <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
max­client Set radio profile's max number of clients/neighbors
<number> Enter the maximum number of clients (Range: 1­100)

radio profile <string> phymode {11a|11b/g|11na|11ng|11ac}

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
phymode Set the physical mode of the radio profile
11a Set the physical mode to 11a (Default: 11b/g)
11b/g Set the physical mode to 11b/g (Default: 11b/g)
11na Set the physical mode to 11na (Default: 11b/g)
11ng Set the physical mode to 11ng (Default: 11b/g)
11ac Set the physical mode to 11ac (Default: 11b/g)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 160/315
27/4/2016 Aerohive CLI Guide
radio profile <string> presence aggr­interval <number>
radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
presence Set precense parameters for the radio profile
aggr­interval Set the precense aggr interval of the radio profile
Enter a interval number to which the aggregation will be done (Default: 120 sec;Range:
<number>
15 ­ 600)

radio profile <string> presence aging­time <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
presence Set precense parameters for the radio profile
aging­time Set the precense aging time of the radio profile
<number> Enter an aging time for presence client (Default: 120 sec; Range: 15 ­ 600)

radio profile <string> presence enable

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
presence Set precense parameters for the radio profile
enable Enable presence setting (Default: Disabled)

radio profile <string> presence trap­interval <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
presence Set precense parameters for the radio profile
trap­interval Set the precense trap interval of the radio profile
<number> Enter a interval number to which the trap was sent (Default: 120 sec;Range: 15 ­ 600)

radio profile <string> primary­channel­offset {auto|0|1|2|3}

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
primary­channel­offset Set the primary channel offset of the radio profile
auto Set primary channel offset to auto (Default: auto)
0 Set primary channel offset to 0 (Default: auto)
1 Set primary channel offset to 1 (Default: auto)
2 Set primary channel offset to 2 (Default: auto)
3 Set primary channel offset to 3 (Default: auto)

radio profile <string> receive­chain <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
receive­chain Set the number of receive chains for frame reception
<number> Enter the number of receive chains (Default: 3; Range: 1­3)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 161/315
27/4/2016 Aerohive CLI Guide
radio profile <string> safety­net enable
radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable the HiveAP, when it is in an overloaded state or if the client's SNR is low, to
safety­net
respond to a client making association requests after the timeout period elapses
enable Enable safety net checking (Default: Enabled)

radio profile <string> safety­net timeout <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable the HiveAP, when it is in an overloaded state or if the client's SNR is low, to
safety­net
respond to a client making association requests after the timeout period elapses
Set the maximum length of time to ignore association requests from a client when the
timeout
HiveAP is in an overloaded state or if the client's SNR is low
<number> Enter the timeout in seconds (Default: 15; Range: 5­300)

radio profile <string> scan access

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
scan Enable scanning to detect neighboring APs
access Enable scanning for interfaces in access mode (Default: Enabled)

radio profile <string> scan access client

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
scan Enable scanning to detect neighboring APs
access Enable scanning for interfaces in access mode (Default: Enabled)
client Allow scanning to occur when clients are connected (Default: Allowed)

radio profile <string> scan access client power­save

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
scan Enable scanning to detect neighboring APs
access Enable scanning for interfaces in access mode (Default: Enabled)
client Allow scanning to occur when clients are connected (Default: Allowed)
Allow scanning to occur when connected clients are in a power save state (Default:
power­save
Disallowed)

radio profile <string> scan access interval <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
scan Enable scanning to detect neighboring APs
access Enable scanning for interfaces in access mode (Default: Enabled)
interval Set the scan interval
<number> Enter the scan interval in minutes (Default: 10 minutes; Range: 1­1440)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 162/315
27/4/2016 Aerohive CLI Guide
radio profile <string> scan access voice
radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
scan Enable scanning to detect neighboring APs
access Enable scanning for interfaces in access mode (Default: Enabled)
voice Allow scanning to occur while processing voice traffic (Default: Disallowed)

radio profile <string> sensor channel­list <string>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
sensor Set sensor parameters for the radio profile
channel­list Set the channel list to sensor mode of the radio profile
Enter a string comprised of channel list. channel number and separated by ','(e.g.
<string>
1,6,11).or "all" (Default: all)(1­64 chars)

radio profile <string> sensor dwell­time <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
sensor Set sensor parameters for the radio profile
dwell­time Set the dwell time to sensor mode of the radio profile
<number> Enter a numeric value for sensor dwell time (Default:1200 millisecond; Range: 250­30000)

radio profile <string> short­guard­interval

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Enable the short guard interval option (400ns) to avoid inter­symbol interference and
short­guard­interval
improve media throughput (Note: This is only valid in 40­MHz channel mode.)

radio profile <string> short­preamble

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
short­preamble Set short preamble mode of radio profile

radio profile <string> transmit­chain <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Set the number of transmit chains for frame transmission or configure the HiveAP to
transmit­chain
determine them automatically
<number> Enter the number of transmit chains (Default: 3; Range: 1­3)

radio profile <string> tx­beamforming [ {explicit­only|auto} ]

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
tx­beamforming Enable beamforming on the transmit antennas (Default: Disabled)
http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 163/315
27/4/2016 Aerohive CLI Guide

Use explicit transmit beamforming, in which the transmitter uses a steering matrix
explicit­only
calculated by the receiver as a basis for calculating its own steering matrix
Allow the transmitter to choose whether it uses implicit or explicit beamforming rules
auto to calculate its steering matrix based on whether it receives explicit feedback from the
receiver(default)

radio profile <string> tx­rate vht­mcs

{MCS0/1|MCS1/1|MCS2/1|MCS3/1|MCS4/1|MCS5/1|MCS6/1|MCS7/1|MCS8/1|MCS9/1|MCS0/2|MCS1/2|MCS2/2|MCS3/2|MCS4/2|MCS5
radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
tx­rate Set the Tx (transmission) rate for the radio profile
vht­mcs Set the 802.11ac Tx(transmission) rate
MCS0/1 Set the transmit rate as MCS0/1
MCS1/1 Set the transmit rate as MCS1/1
MCS2/1 Set the transmit rate as MCS2/1
MCS3/1 Set the transmit rate as MCS3/1
MCS4/1 Set the transmit rate as MCS4/1
MCS5/1 Set the transmit rate as MCS5/1
MCS6/1 Set the transmit rate as MCS6/1
MCS7/1 Set the transmit rate as MCS7/1
MCS8/1 Set the transmit rate as MCS8/1
MCS9/1 Set the transmit rate as MCS9/1
MCS0/2 Set the transmit rate as MCS0/2
MCS1/2 Set the transmit rate as MCS1/2
MCS2/2 Set the transmit rate as MCS2/2
MCS3/2 Set the transmit rate as MCS3/2
MCS4/2 Set the transmit rate as MCS4/2
MCS5/2 Set the transmit rate as MCS5/2
MCS6/2 Set the transmit rate as MCS6/2
MCS7/2 Set the transmit rate as MCS7/2
MCS8/2 Set the transmit rate as MCS8/2
MCS9/2 Set the transmit rate as MCS9/2
MCS0/3 Set the transmit rate as MCS0/3
MCS1/3 Set the transmit rate as MCS1/3
MCS2/3 Set the transmit rate as MCS2/3
MCS3/3 Set the transmit rate as MCS3/3
MCS4/3 Set the transmit rate as MCS4/3
MCS5/3 Set the transmit rate as MCS5/3
MCS6/3 Set the transmit rate as MCS6/3
MCS7/3 Set the transmit rate as MCS7/3
MCS8/3 Set the transmit rate as MCS8/3
MCS9/3 Set the transmit rate as MCS9/3

radio profile <string> tx­rate

{auto|1Mbps|2Mbps|5.5Mbps|6Mbps|9Mbps|11Mbps|12Mbps|18Mbps|24Mbps|36Mbps|48Mbps|54Mbps|MCS0|MCS1|MCS2|MCS3|
MCS4|MCS5|MCS6|MCS7|MCS8|MCS9|MCS10|MCS11|MCS12|MCS13|MCS14|MCS15|MCS16|MCS17|MCS18|MCS19|MCS20|MCS21|MCS22|MC
radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
tx­rate Set the Tx (transmission) rate for the radio profile

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 164/315
27/4/2016 Aerohive CLI Guide
auto Set the radio to determine its transmission rate automatically (Default: auto; Range: 1­54 Mbps
1Mbps Set the transmit rate as 1Mbps (Only for 802.11bg and 802.11ng)
2Mbps Set the transmit rate as 2Mbps (Only for 802.11bg and 802.11ng)
5.5Mbps Set the transmit rate as 5.5Mbps (Only for 802.11bg and 802.11ng)
6Mbps Set the transmit rate as 6Mbps
9Mbps Set the transmit rate as 9Mbps
11Mbps Set the transmit rate as 11Mbps (Only for 802.11bg and 802.11ng)
12Mbps Set the transmit rate as 12Mbps
18Mbps Set the transmit rate as 18Mbps
24Mbps Set the transmit rate as 24Mbps
36Mbps Set the transmit rate as 36Mbps
48Mbps Set the transmit rate as 48Mbps
54Mbps Set the transmit rate as 54Mbps
MCS0 Set the transmit rate as MCS0
MCS1 Set the transmit rate as MCS1
MCS2 Set the transmit rate as MCS2
MCS3 Set the transmit rate as MCS3
MCS4 Set the transmit rate as MCS4
MCS5 Set the transmit rate as MCS5
MCS6 Set the transmit rate as MCS6
MCS7 Set the transmit rate as MCS7
MCS8 Set the transmit rate as MCS8
MCS9 Set the transmit rate as MCS9
MCS10 Set the transmit rate as MCS10
MCS11 Set the transmit rate as MCS11
MCS12 Set the transmit rate as MCS12
MCS13 Set the transmit rate as MCS13
MCS14 Set the transmit rate as MCS14
MCS15 Set the transmit rate as MCS15
MCS16 Set the transmit rate as MCS16 (Only for the HiveAP 330, 350, 370 and 390)
MCS17 Set the transmit rate as MCS17 (Only for the HiveAP 330, 350, 370 and 390)
MCS18 Set the transmit rate as MCS18 (Only for the HiveAP 330, 350, 370 and 390)
MCS19 Set the transmit rate as MCS19 (Only for the HiveAP 330, 350, 370 and 390)
MCS20 Set the transmit rate as MCS20 (Only for the HiveAP 330, 350, 370 and 390)
MCS21 Set the transmit rate as MCS21 (Only for the HiveAP 330, 350, 370 and 390)
MCS22 Set the transmit rate as MCS22 (Only for the HiveAP 330, 350, 370 and 390)
MCS23 Set the transmit rate as MCS23 (Only for the HiveAP 330, 350, 370 and 390)

radio profile <string> vht­2g

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Set VHT (802.11ac) support mode on 2.4GHz interface or configure the AP to determine it
vht­2g
automatically(Default: Disabled)

radio profile <string> weak­snr­suppress enable

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Set parameters to determine when the SNR (signal­to­noise ratio) for a client is weak,
http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 165/315
27/4/2016 Aerohive CLI Guide
weak­snr­suppress and enable the HiveAP to ignore probes and association requests from clients with weak
SNRs
Enable the suppression of probe responses when the client SNR is weak (Default:
enable
Disabled)

radio profile <string> weak­snr­suppress threshold <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
Set parameters to determine when the SNR (signal­to­noise ratio) for a client is weak,
weak­snr­suppress and enable the HiveAP to ignore probes and association requests from clients with weak
SNRs
Set the minium amount of SNR(signal­to­noise ratio) that the HiveAP will accepting
threshold
probes and association requests
<number> Enter threshold of weak snr suppress in dB (Default: 15, Range: 1­100)

radio profile <string> wmm ac {background|best­effort|video|voice} aifs <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
wmm Set Wi­Fi Multimedia parameters
ac Set Access Category parameters
background Set background access category parameters
best­effort Set best­effort access category parameters
video Set video access category parameters
voice Set voice access category parameters
aifs Set AIFS (arbitration interframe space) parameters
<number> Set the AIFS value (Range: 0­15)

radio profile <string> wmm ac {background|best­effort|video|voice} cwmax <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
wmm Set Wi­Fi Multimedia parameters
ac Set Access Category parameters
background Set background access category parameters
best­effort Set best­effort access category parameters
video Set video access category parameters
voice Set voice access category parameters
cwmax Set maximal contention window parameters
<number> contention window maximal value (Range: 1­15)

radio profile <string> wmm ac {background|best­effort|video|voice} cwmin <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
wmm Set Wi­Fi Multimedia parameters
ac Set Access Category parameters
background Set background access category parameters
best­effort Set best­effort access category parameters
video Set video access category parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 166/315
27/4/2016 Aerohive CLI Guide
voice Set voice access category parameters
cwmin Set minimal contention window parameters
<number> Set contention window minimal value (Range: 1­15)

radio profile <string> wmm ac {background|best­effort|video|voice} noack

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
wmm Set Wi­Fi Multimedia parameters
ac Set Access Category parameters
background Set background access category parameters
best­effort Set best­effort access category parameters
video Set video access category parameters
voice Set voice access category parameters
noack Set no acknowledgments

radio profile <string> wmm ac {background|best­effort|video|voice} txoplimit <number>

radio Set radio profile parameters
profile Set radio profile parameters
<string> Enter a radio profile name (1­32 chars)
wmm Set Wi­Fi Multimedia parameters
ac Set Access Category parameters
background Set background access category parameters
best­effort Set best­effort access category parameters
video Set video access category parameters
voice Set voice access category parameters
txoplimit Set transmission opportunity limit parameters
Set transmission opportunity limit value (Range: 0­8192; Note: Your input must be
<number>
multiples of 32)

reboot
reboot Reboot the system

reboot date <date> time <time>

reboot Reboot the system
date Schedule the system to reboot at a specific date and time
Enter the date when you want the system to reboot (Format: yyyy­mm­dd; Default: The
<date>
current date provided by HiveOS)
time Set the time when you want the system to reboot
<time> Enter the time (Format: hh:mm:ss; Default: 00:00:00)

reboot offset <time>

reboot Reboot the system
offset Schedule the system to reboot at a time relative to the moment you enter the command
Enter the length of time after which the system will reboot (Maximum: 24 hours from the
<time>
time you enter the command; Format: hh:mm:ss; Default:00:00:00)

reboot {backup|current}
reboot Reboot the system
Load the backup HiveOS image when rebooting (Default image to load when rebooting after
saving a new image: backup; Default image to load when rebooting at all other times:
backup

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 167/315
27/4/2016 Aerohive CLI Guide
current)
current Load the currently running HiveOS image when rebooting

reboot {backup|current} date <date> time <time>

reboot Reboot the system
Load the backup HiveOS image when rebooting (Default image to load when rebooting after
backup saving a new image: backup; Default image to load when rebooting at all other times:
current)
current Load the currently running HiveOS image when rebooting
date Schedule the system to reboot at a specific date and time
Enter the date when you want the system to reboot (Format: yyyy­mm­dd; Default: The
<date>
current date provided by HiveOS)
time Set the time when you want the system to reboot
<time> Enter the time (Format: hh:mm:ss; Default: 00:00:00)

reboot {backup|current} offset <time>

reboot Reboot the system
Load the backup HiveOS image when rebooting (Default image to load when rebooting after
backup saving a new image: backup; Default image to load when rebooting at all other times:
current)
current Load the currently running HiveOS image when rebooting
offset Schedule the system to reboot at a time relative to the moment you enter the command
Enter the length of time after which the system will reboot (Maximum: 24 hours from the
<time>
time you enter the command; Format: hh:mm:ss; Default:00:00:00)

report statistic alarm­threshold client {tx­drop­rate|rx­drop­rate|tx­retry­rate|airtime­consumption}

<number>
report Set the parameters for gathering traffic statistics and reporting them to HiveManager
statistic Set the periodic reporting of interface­level and client­level traffic statistics
Set the alarm threshold for the CRC error rate, Tx/Rx drop rate, and Tx retry rate(Note:
alarm­threshold
If the rate exceeds the threshold, the HiveAP sends an alarm to HiveManager.)
Set the Tx/Rx drop rate, Tx retry rate, and airtime consumption alarm threshold of
client
clients
tx­drop­rate Set the Tx drop rate alarm threshold for clients (Default: 40%)
rx­drop­rate Set the Rx drop rate alarm threshold for clients (Default: 40%)
tx­retry­rate Set the Tx retry rate alarm threshold for clients (Default: 40%)
Set the airtime consumption (Tx airtime percentage + Rx airtime percentage) alarm
airtime­consumption
threshold for clients (Default: 30%)
<number> Enter the alarm threshold (Range: 1­100)

report statistic alarm­threshold interface {crc­error­rate|tx­drop­rate|rx­drop­rate|tx­retry­

rate|airtime­consumption} <number>
report Set the parameters for gathering traffic statistics and reporting them to HiveManager
statistic Set the periodic reporting of interface­level and client­level traffic statistics
Set the alarm threshold for the CRC error rate, Tx/Rx drop rate, and Tx retry rate(Note:
alarm­threshold
If the rate exceeds the threshold, the HiveAP sends an alarm to HiveManager.)
Set the CRC error rate, Tx/Rx drop rate, Tx retry rate, and airtime consumption alarm
interface
threshold of wifi interfaces
crc­error­rate Set CRC error rate alarm threshold for the wifi interfaces (Default: 30%)
tx­drop­rate Set the Tx drop rate alarm threshold for the wifi interfaces (Default: 40%)
rx­drop­rate Set the Rx drop rate alarm threshold for the wifi interfaces (Default: 40%)
tx­retry­rate Set the Tx retry rate alarm threshold for the wifi interfaces (Default: 40%)
Set the airtime consumption (Tx airtime percentage + Rx airtime percentage) alarm
airtime­consumption
threshold for the wifi interfaces (Default: 50%)
<number> Enter the alarm threshold (Range: 1­100)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 168/315
27/4/2016 Aerohive CLI Guide
report statistic enable
report Set the parameters for gathering traffic statistics and reporting them to HiveManager
statistic Set the periodic reporting of interface­level and client­level traffic statistics
enable Enable the creation of traffic statistics reports

report statistic period <number>

report Set the parameters for gathering traffic statistics and reporting them to HiveManager
statistic Set the periodic reporting of interface­level and client­level traffic statistics
period Set the time interval for gathering traffic statistics and calculating percentages
<number> Enter the time interval (Default: 10 minutes; Supported: 1, 5, 10, 30 or 60 minutes)

reset config [ {bootstrap} ]

Return the configuration to its default settings or the files in a web directory to the
reset
default file set
config Reset the configuration to the factory default settings and reboot
bootstrap Clear bootstrap configuration

reset web­directory [ <string> [ {save­to­flash} ] ]

Return the configuration to its default settings or the files in a web directory to the
reset
default file set
Reset the files in all web directories, in a specific directory, or in directories
web­directory
referenced by SSIDs to the default file set
Enter the web directory name to reset files in the directory to the default file set (1­
<string>
32 chars)
save­to­flash Save the default set of files in the specified directory to flash memory

reset web­directory all­running­ssid

Return the configuration to its default settings or the files in a web directory to the
reset
default file set
Reset the files in all web directories, in a specific directory, or in directories
web­directory
referenced by SSIDs to the default file set
all­running­ssid Reset the web directories for all SSIDs to the default file set

reset­button reset­config­enable
reset­button Enable the reset button on the AP chassis to reset the AP config
Enable the reset button to reset the AP to its factory default settings or, if set, to a
reset­config­enable
bootstrap config (Default: enabled)

roaming cache update­interval <number> ageout <number>

roaming Set roaming parameter
Set the interval between updates and the number of times to update station's roaming
cache
cache
update­interval Set the interval for sending roaming cache updates to neighbors
<number> Enter the roaming cache update interval in seconds (Default: 60; Range: 10­36000)
Set how many times an entry must be absent from a neighbors updates before removing it
ageout
from the roaming cache
<number> Enter the number of absences required to remove an entry (Default:60; Range: 1­1000)

roaming cache­broadcast neighbor­type access enable

roaming Set roaming parameter
cache­broadcast Set parameters for broadcasting roaming cache data to hive neighbors
neighbor­type Set the type of neighbor to which you want to broadcast roaming cache data
access Broadcast roaming cache data to hive neighbors discovered through wireless access links

Enable the broadcasting of roaming cache data to hive neighbors over wireless access
http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 169/315
27/4/2016 Aerohive CLI Guide
enable links (Default: Enabled)

roaming cache­broadcast neighbor­type backhaul enable

roaming Set roaming parameter
cache­broadcast Set parameters for broadcasting roaming cache data to hive neighbors
neighbor­type Set the type of neighbor to which you want to broadcast roaming cache data
Broadcast roaming cache data to hive neighbors discovered through Ethernet and wireless
backhaul
backhaul links
Enable the broadcasting of roaming cache data to hive neighbors over backhaul links
enable
(Default: Enabled)

roaming hop <number>

roaming Set roaming parameter
Set the number of HiveAPs away from the source HiveAP to which it sends station
hop
authentication information
<number> Set roaming hop value (Defaule: 1, Range: 0­16)

roaming neighbor exclude ip <ip_addr>

roaming Set roaming parameter
Set which HiveAPs to include or exclude as neighbors (Maximum number of neighbors is 32)
neighbor
or roaming neighbor querying parameters
exclude Exclude dynamic roaming neighbor
ip Set IP address parameter for static roaming neighbor
<ip_addr> Enter IP address for static roaming neighbor

roaming neighbor include ip <ip_addr> <netmask>

roaming Set roaming parameter
Set which HiveAPs to include or exclude as neighbors (Maximum number of neighbors is 32)
neighbor
or roaming neighbor querying parameters
include Include dynamic roaming neighbor
ip Set IP address parameter for static roaming neighbor
<ip_addr> Enter IP address for static roaming neighbor
<netmask> Enter netmask for static roaming neighbor

roaming neighbor query­interval <number> query­times <number>

roaming Set roaming parameter
Set which HiveAPs to include or exclude as neighbors (Maximum number of neighbors is 32)
neighbor
or roaming neighbor querying parameters
query­interval Set roaming neighbor query interval
<number> Enter roaming neighbor query interval (Default: 10 secs; Min: 5; Max: 360000)
query­times Set roaming neighbor query times
<number> Enter roaming neighbor query times (Default: 5; Min: 2; Max: 1000)

roaming port <number>

roaming Set roaming parameter
Set the port number that hive members use when sending roaming control data to each
port
other
Enter the port number for L3 roaming control traffic (Default: 3000; Range: 1500­65000;
<number>
Note: The new setting must be at least 50 more or 50 less than the current setting.)

route <mac_addr> outgoing­interface <string> next­hop <mac_addr>

route Set a MAC address route
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 170/315
27/4/2016 Aerohive CLI Guide
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
outgoing­interface Set outgoing interface
<string> Enter interface name
next­hop Set the MAC address of the next hop in the L2 forwarding route
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

routing internal­sub­network <ip_addr/netmask> [ {tunnel­dist­only} ]

routing Set routing parameters
internal­sub­network Set an internal subnetwork to be used in branch offices
<ip_addr/netmask> Enter the IP address and netmask for the internal subnetwork
tunnel­dist­only Do not advertise the route to the internal subnetwork via dynamic routing protocols

routing match­map <string> from {any} to {any|private}

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
from Apply the policy based on the traffic source prefix
any Apply the policy regardless of the traffic source
to Apply the policy based on the traffic destination prefix
any Apply the policy regardless of the traffic destination
private Private internet

routing match­map <string> from {any} to {hostname} <string>

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
from Apply the policy based on the traffic source prefix
any Apply the policy regardless of the traffic source
to Apply the policy based on the traffic destination prefix
Set the domain name of a specific host as the traffic destination (Note: Wildcard domain
hostname
names are not supported.)
<string> Enter an destination hostname

routing match­map <string> from {any} to {iprange} <ip_addr> <ip_addr>

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
from Apply the policy based on the traffic source prefix
any Apply the policy regardless of the traffic source
to Apply the policy based on the traffic destination prefix
iprange Set a range of IP addresses as the traffic destination
<ip_addr> Enter a start IP address
<ip_addr> Enter an end IP address

routing match­map <string> from {any} to {network} <ip_addr/netmask>

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
from
Apply the policy based on the traffic source prefix

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 171/315
27/4/2016 Aerohive CLI Guide
any Apply the policy regardless of the traffic source
to Apply the policy based on the traffic destination prefix
network Set a network as the traffic destination
<ip_addr/netmask> Enter an destination IP address

routing match­map <string> from {iprange} <ip_addr> <ip_addr> to {any|private}

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
from Apply the policy based on the traffic source prefix
iprange Set a range of IP addresses as the traffic source
<ip_addr> Entry start source IP address
<ip_addr> Entry end source IP address
to Apply the policy based on the traffic destination prefix
any Apply the policy regardless of the traffic destination
private Private internet

routing match­map <string> from {iprange} <ip_addr> <ip_addr> to {hostname} <string>

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
from Apply the policy based on the traffic source prefix
iprange Set a range of IP addresses as the traffic source
<ip_addr> Entry start source IP address
<ip_addr> Entry end source IP address
to Apply the policy based on the traffic destination prefix
Set the domain name of a specific host as the traffic destination (Note: Wildcard domain
hostname
names are not supported.)
<string> Enter an destination hostname

routing match­map <string> from {iprange} <ip_addr> <ip_addr> to {iprange} <ip_addr> <ip_addr>
routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
from Apply the policy based on the traffic source prefix
iprange Set a range of IP addresses as the traffic source
<ip_addr> Entry start source IP address
<ip_addr> Entry end source IP address
to Apply the policy based on the traffic destination prefix
iprange Set a range of IP addresses as the traffic destination
<ip_addr> Enter a start IP address
<ip_addr> Enter an end IP address

routing match­map <string> from {iprange} <ip_addr> <ip_addr> to {network} <ip_addr/netmask>

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
from Apply the policy based on the traffic source prefix
iprange Set a range of IP addresses as the traffic source

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 172/315
27/4/2016 Aerohive CLI Guide
<ip_addr> Entry start source IP address
<ip_addr> Entry end source IP address
to Apply the policy based on the traffic destination prefix
network Set a network as the traffic destination
<ip_addr/netmask> Enter an destination IP address

routing match­map <string> from {network} <ip_addr/netmask> to {any|private}

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
from Apply the policy based on the traffic source prefix
network Set a network as the traffic source
<ip_addr/netmask> Entry source IP address
to Apply the policy based on the traffic destination prefix
any Apply the policy regardless of the traffic destination
private Private internet

routing match­map <string> from {network} <ip_addr/netmask> to {hostname} <string>

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
from Apply the policy based on the traffic source prefix
network Set a network as the traffic source
<ip_addr/netmask> Entry source IP address
to Apply the policy based on the traffic destination prefix
Set the domain name of a specific host as the traffic destination (Note: Wildcard domain
hostname
names are not supported.)
<string> Enter an destination hostname

routing match­map <string> from {network} <ip_addr/netmask> to {iprange} <ip_addr> <ip_addr>

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
from Apply the policy based on the traffic source prefix
network Set a network as the traffic source
<ip_addr/netmask> Entry source IP address
to Apply the policy based on the traffic destination prefix
iprange Set a range of IP addresses as the traffic destination
<ip_addr> Enter a start IP address
<ip_addr> Enter an end IP address

routing match­map <string> from {network} <ip_addr/netmask> to {network} <ip_addr/netmask>

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
from Apply the policy based on the traffic source prefix
network Set a network as the traffic source
<ip_addr/netmask> Entry source IP address
to Apply the policy based on the traffic destination prefix

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 173/315
27/4/2016 Aerohive CLI Guide
network Set a network as the traffic destination
<ip_addr/netmask> Enter an destination IP address

routing match­map <string> {iif} <ethx> to {any|private}

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
iif Apply the policy based on the traffic incoming LAN interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
to Apply the policy based on the traffic destination prefix
any Apply the policy regardless of the traffic destination
private Private internet

routing match­map <string> {iif} <ethx> to {hostname} <string>

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
iif Apply the policy based on the traffic incoming LAN interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
to Apply the policy based on the traffic destination prefix
Set the domain name of a specific host as the traffic destination (Note: Wildcard domain
hostname
names are not supported.)
<string> Enter an destination hostname

routing match­map <string> {iif} <ethx> to {iprange} <ip_addr> <ip_addr>

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
iif Apply the policy based on the traffic incoming LAN interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
to Apply the policy based on the traffic destination prefix
iprange Set a range of IP addresses as the traffic destination
<ip_addr> Enter a start IP address
<ip_addr> Enter an end IP address

routing match­map <string> {iif} <ethx> to {network} <ip_addr/netmask>

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
iif Apply the policy based on the traffic incoming LAN interface
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
to Apply the policy based on the traffic destination prefix
network Set a network as the traffic destination
<ip_addr/netmask> Enter an destination IP address

routing match­map <string> {user­profile} <string> to {any|private}

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)

user­profile Apply the policy if the HiveAP assigns a user profile to the traffic

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 174/315
27/4/2016 Aerohive CLI Guide

<string> Set user­profile name (1­32 chars)

to Apply the policy based on the traffic destination prefix
any Apply the policy regardless of the traffic destination
private Private internet

routing match­map <string> {user­profile} <string> to {hostname} <string>

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
user­profile Apply the policy if the HiveAP assigns a user profile to the traffic
<string> Set user­profile name (1­32 chars)
to Apply the policy based on the traffic destination prefix
Set the domain name of a specific host as the traffic destination (Note: Wildcard domain
hostname
names are not supported.)
<string> Enter an destination hostname

routing match­map <string> {user­profile} <string> to {iprange} <ip_addr> <ip_addr>

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
user­profile Apply the policy if the HiveAP assigns a user profile to the traffic
<string> Set user­profile name (1­32 chars)
to Apply the policy based on the traffic destination prefix
iprange Set a range of IP addresses as the traffic destination
<ip_addr> Enter a start IP address
<ip_addr> Enter an end IP address

routing match­map <string> {user­profile} <string> to {network} <ip_addr/netmask>

routing Set routing parameters
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
user­profile Apply the policy if the HiveAP assigns a user profile to the traffic
<string> Set user­profile name (1­32 chars)
to Apply the policy based on the traffic destination prefix
network Set a network as the traffic destination
<ip_addr/netmask> Enter an destination IP address

routing policy <string> id <number> match­map <string> route­map <string>

routing Set routing parameters
policy Set parameters for a routing policy
<string> Enter routing policy name (1­32 chars)
id Assign a routing policy ID (range: 1 ­ 128)
<number> Enter a routing policy ID (range: 1 ­ 128)
match­map Set match­map parameters for a routing policy
<string> Enter match map name (1­32 chars)
route­map Set route­map parameters for a routing policy
<string> Enter route map name (1­32 chars)

routing route­map <string> via <ethx|usbnetx|wifix>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 175/315
27/4/2016 Aerohive CLI Guide
routing Set routing parameters
route­map Set route­map parameters for a routing policy
<string> Enter route map name (1­32 chars)
via Specify the nexthop of traffic
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<usbnetx> Enter the name of the wireless USB modem interface, where x = 0
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1

routing route­map <string> via {encrypted|blackhole}

routing Set routing parameters
route­map Set route­map parameters for a routing policy
<string> Enter route map name (1­32 chars)
via Specify the nexthop of traffic
encrypted encryped
blackhole via blackhole

routing route­request enable

routing Set routing parameters
route­request Set parameters for requesting routing information from route authorities
enable Enable the device to request routing information (Default: disabled)

routing route­request interval <number>

routing Set routing parameters
route­request Set parameters for requesting routing information from route authorities
interval Set the time interval for requesting routing information
<number> Enter the interval in seconds (Default: 60; Range: 30­600)

save ble ibeacon firmware

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
ble Select the Bluetooth low energy device
ibeacon Select a Bluetooth iBeacon device
firmware Save a Aerohive firmware, included in the HiveOS image, to the iBeacon Bluetooth device

save config <location> bootstrap

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)
bootstrap Save a configuration to the bootstrap configuration

save config <location> current

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)
current Save a configuration to the current configuration

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 176/315
27/4/2016 Aerohive CLI Guide
save config <location> current <time> [ <date> ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)
current Save a configuration to the current configuration
<time> Enter the time that you want the system to reboot (Format: hh:mm:ss)
<date> Enter the date that you want the system to reboot (Format: yyyy­mm­dd)

save config <location> current now

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)
current Save a configuration to the current configuration
now Save the configuration and reboot the system immediately

save config <location> current offset <time>

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)
current Save a configuration to the current configuration
offset Set a relative time for the system to reboot
Schedule the system to reboot at a relative time (Maximum: 24 hours from the time you
<time>
enter the command; Format: hh:mm:ss)

save config <url> bootstrap [ admin <string> password <string> {basic|digest} ] [ proxy <string> [
proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
Save the config file for the HiveAP to use as its bootstrap configuration, which is the
bootstrap one it loads if it fails to load the current and backup config files or if you enter the
'reset config' command
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 177/315
27/4/2016 Aerohive CLI Guide
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

save config <url> current <time> [ <date> ] [ admin <string> password <string> {basic|digest} ] [
proxy <string> [ proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
Save the config file for the HiveAP to use as its current configuration, which is the
current
one it loads when booting u
<time> Enter the time that you want the system to reboot (Format: hh:mm:ss)
<date> Enter the date that you want the system to reboot (Format: yyyy­mm­dd)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

save config <url> current [ {now} ] [ admin <string> password <string> {basic|digest} ] [ proxy
<string> [ proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
Save the config file for the HiveAP to use as its current configuration, which is the
current
one it loads when booting u
now Save the configuration and reboot the system immediately
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)

Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 178/315
27/4/2016 Aerohive CLI Guide
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string>
server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

save config <url> current offset <time> [ admin <string> password <string> {basic|digest} ] [ proxy
<string> [ proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
Save the config file for the HiveAP to use as its current configuration, which is the
current
one it loads when booting u
offset Set a relative time for the system to reboot
Schedule the system to reboot at a relative time (Maximum: 24 hours from the time you
<time>
enter the command; Format: hh:mm:ss)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

save config [ running current ]

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
running Save a configuration from the running configuration
current Save a configuration to the current configuration

save config bootstrap <location>

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
bootstrap Save the bootstrap configuration to a remote server
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)

save config current <location>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 179/315
27/4/2016 Aerohive CLI Guide
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
current Save the current configuration to a remote server or to the bootstrap config
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)

save config current bootstrap

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
current Save the current configuration to a remote server or to the bootstrap config
bootstrap Save a configuration to the bootstrap configuration

save config running bootstrap

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
running Save a configuration from the running configuration
bootstrap Save a configuration to the bootstrap configuration

save config users [ bootstrap ]

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
users Save private PSK user accounts to the current or bootstrap configuration
bootstrap Save private PSK user accounts to the bootstrap configuration

save config {current|bootstrap} <url> [ admin <string> password <string> {basic|digest} ] [ proxy
<string> [ proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save a configuration from the HiveAP to a remote server, from a remote server to the
config
HiveAP, or from DRAM to flash as the current or bootstrap config
current Save the current configuration to a remote server or to the bootstrap config
bootstrap Save the bootstrap configuration to a remote server
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest username, password, and other values to the authorization header in HTTP requests

proxy Set parameters for the HTTP proxy server

Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 180/315
27/4/2016 Aerohive CLI Guide
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

save dhcp­fingerprint {option55} <location>

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
dhcp­fingerprint Save a fingerprint file of DHCP options for client OS detection
Save a fingerprint file of various parameter request lists mapped to client operating
systems (Note: DHCP clients include unique lists in DHCP option 55 when sending
option55
DHCPDISCOVER messages. By comparing those lists with the fingerprints in the file,
client operating systems can be detected.)
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)

save dhcp­fingerprint {option55} <url> [ admin <string> password <string> {basic|digest} ] [ proxy
<string> [ proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
dhcp­fingerprint Save a fingerprint file of DHCP options for client OS detection
Save a fingerprint file of various parameter request lists mapped to client operating
systems (Note: DHCP clients include unique lists in DHCP option 55 when sending
option55
DHCPDISCOVER messages. By comparing those lists with the fingerprints in the file,
client operating systems can be detected.)
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

save image <location> <time> [ <date> ] [ limit <number> ]

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
image Save a HiveOS image to the HiveAP
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)
<time> Enter the time that you want the system to reboot (Format: hh:mm:ss)
<date> Enter the date that you want the system to reboot (Format: yyyy­mm­dd)
limit Limit the amount of bandwidth used for uploading the image file
Enter the bandwidth limit in Kbps (Range:10­1000000; Default: Maximum available
<number>
bandwidth)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 181/315
27/4/2016 Aerohive CLI Guide
save image <location> [ {now} ] [ limit <number> ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
image Save a HiveOS image to the HiveAP
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)
now Save the image and reboot the system immediately
limit Limit the amount of bandwidth used for uploading the image file
Enter the bandwidth limit in Kbps (Range:10­1000000; Default: Maximum available
<number>
bandwidth)

save image <location> offset <time> [ limit <number> ]

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
image Save a HiveOS image to the HiveAP
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)
offset Set a relative time for the system to reboot
Schedule the system to reboot at a relative time (Maximum: 24 hours from the time you
<time>
enter the command; Format: hh:mm:ss)
limit Limit the amount of bandwidth used for uploading the image file
Enter the bandwidth limit in Kbps (Range:10­1000000; Default: Maximum available
<number>
bandwidth)

save image <url> <time> [ <date> ] [ admin <string> password <string> {basic|digest} ] [ proxy
<string> [ proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
image Save a HiveOS image to the HiveAP
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
<time> Enter the time that you want the system to reboot (Format: hh:mm:ss)
<date> Enter the date that you want the system to reboot (Format: yyyy­mm­dd)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)

password Set the password for the proxy administrator

<string> Enter the proxy password (1­64 chars)

save image <url> [ {now} ] [ admin <string> password <string> {basic|digest} ] [ proxy <string> [
proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
image Save a HiveOS image to the HiveAP

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 182/315
27/4/2016 Aerohive CLI Guide
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
now Save the image and reboot the system immediately
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

save image <url> offset <time> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [
proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
image Save a HiveOS image to the HiveAP
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
offset Set a relative time for the system to reboot
Schedule the system to reboot at a relative time (Maximum: 24 hours from the time you
<time>
enter the command; Format: hh:mm:ss)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

save radius­server­key radsec {cert|ca} <location>

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
radius­server­key Save certificate files for the local Aerohive RADIUS server to use
Save certificates that the local Aerohive device uses when functioning as a RadSec proxy
server (Note: A RadSec proxy server can forward RADIUS requests over a secure TLS tunnel
radsec
between RadSec peers.)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 183/315
27/4/2016 Aerohive CLI Guide
cert Save an end­entity certificate for the Aerohive device to use when authenticating itself
to a RadSec peer
Save a CA (certificate authority) certificate for the Aerohive device to verify the
ca
certificate of its RadSec peer
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)

save radius­server­key radsec {cert|ca} <url> [ admin <string> password <string> {basic|digest} ] [
proxy <string> [ proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
radius­server­key Save certificate files for the local Aerohive RADIUS server to use
Save certificates that the local Aerohive device uses when functioning as a RadSec proxy
radsec server (Note: A RadSec proxy server can forward RADIUS requests over a secure TLS tunnel
between RadSec peers.)
Save an end­entity certificate for the Aerohive device to use when authenticating itself
cert
to a RadSec peer
Save a CA (certificate authority) certificate for the Aerohive device to verify the
ca
certificate of its RadSec peer
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
admin Set the name that the local device uses to log in to the HTTP server
<string> Enter the login name (1­32 chars)
password Set the password to enter during the login process
<string> Enter the password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for connecting to an HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domain_name, ip_addr, domain_name:port, or
ip_addr:port)
proxy­admin Set the name that the local device uses to log in to the HTTP proxy server
<string> Enter the login name (1­32 chars)
password Set the password to enter during the login process
<string> Enter the password (1­64 chars)

save radius­server­key {radius­server|ldap­client} <location>

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
radius­server­key Save certificate files for the local Aerohive RADIUS server to use
radius­server Save certificates that the local HiveAP uses when functioning as a RADIUS server
ldap­client Save certificates that the local HiveAP uses when functioning as an LDAP client
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)

save radius­server­key {radius­server|ldap­client} <url> [ admin <string> password <string>

{basic|digest} ] [ proxy <string> [ proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
radius­server­key Save certificate files for the local Aerohive RADIUS server to use
radius­server Save certificates that the local HiveAP uses when functioning as a RADIUS server
ldap­client Save certificates that the local HiveAP uses when functioning as an LDAP client

Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 184/315
27/4/2016 Aerohive CLI Guide
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

save server­files
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
Save certificate and private key files used by the internal web and RADIUS servers and
server­files VPN from DRAM to flash memory for persistent storage after reboots (Note: For security
reasons, these files are saved only in DRAM by default.)

save signature­file <location> [ limit <number> ]

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
signature­file Remote image used for L7 application
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)
limit Limit the amount of bandwidth used for uploading the image file
Enter the bandwidth limit in Kbps (Range:10­1000000; Default: Maximum available
<number>
bandwidth)

save signature­file <url> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [
proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
signature­file Remote image used for L7 application
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest username, password, and other values to the authorization header in HTTP requests

proxy Set parameters for the HTTP proxy server

Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 185/315
27/4/2016 Aerohive CLI Guide
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

save ssid <string> mac­bind <location>

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
ssid Save a locally stored file to a remote server
<string> Enter the file name to upload to a remote server
mac­bind Save auth­ppsk mac­binding file
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)

save supplicant cert­file <location>

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
supplicant Save files for wpa supplicant
cert­file Save certificate files for the wpa supplicant
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)

save supplicant cert­file <url> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [
proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
supplicant Save files for wpa supplicant
cert­file Save certificate files for the wpa supplicant
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

save users <location>

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
users Save private PSK (preshared key) configurations
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location>
(Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 186/315
27/4/2016 Aerohive CLI Guide
save users <url> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [ proxy­admin
<string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
users Save private PSK (preshared key) configurations
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

save vpn {ca­cert|ee­cert|private­key} <url> [ admin <string> password <string> {basic|digest} ] [

proxy <string> [ proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
vpn Save a VPN certificate or private key file
Save a CA (certificate authority) certificate for the HiveAP to verify its IKE peer's
ca­cert
certificate
Save an end­entity certificate for the HiveAP to use when authenticating itself to an
ee­cert
IKE peer
private­key Save the private key for the HiveAP to use when creating its RSA signature
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

save vpn {ee­cert|private­key|ca­cert} <location>

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 187/315
27/4/2016 Aerohive CLI Guide
RADIUS servers, or packet capture tool
vpn Save a VPN certificate or private key file
Save an end­entity certificate for the HiveAP to use when authenticating itself to an
ee­cert
IKE peer
private­key Save the private key for the HiveAP to use when creating its RSA signature
Save a CA (certificate authority) certificate for the HiveAP to verify its IKE peer's
ca­cert
certificate
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)

save web­page [ ppsk­self­reg ] web­directory <string> <location>

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
web­page Save a file for use with the internal web server
Save a file to the private PSK self­registration web directory (Note: The HiveAP, as a
ppsk­self­reg
private PSK server, uses these files to respond to self­registration requests.)
web­directory Save a file to a specific web directory
<string> Enter the web directory name
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)

save web­page [ ppsk­self­reg ] web­directory <string> <url> [ admin <string> password <string>
{basic|digest} ] [ proxy <string> [ proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
web­page Save a file for use with the internal web server
Save a file to the private PSK self­registration web directory (Note: The HiveAP, as a
ppsk­self­reg
private PSK server, uses these files to respond to self­registration requests.)
web­directory Save a file to a specific web directory
<string> Enter the web directory name
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator

<string> Enter the proxy administrator name (1­32 chars)

password Set the password for the proxy administrator

<string> Enter the proxy password (1­64 chars)

save web­server­key <number> <location> [ comment <string> ]

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
web­server­key Save certificate files for the internal web server to use
<number> Enter key file index for the internal web server (Range : 0­15)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 188/315
27/4/2016 Aerohive CLI Guide
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location>
(Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)
comment Enter a comment
<string> Enter a comment (max 64 chars)

save web­server­key <number> <url> [ comment <string> ] [ admin <string> password <string>
{basic|digest} ] [ proxy <string> [ proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
web­server­key Save certificate files for the internal web server to use
<number> Enter key file index for the internal web server (Range : 0­15)
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
comment Set a comment about the certificate file
<string> Enter the comment (1­64 chars)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

save {capture} local <string> <location>

Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
capture Save a packet capture file stored locally to a remote server
local Save a locally stored packet capture file to a remote server
<string> Enter the file name to upload to a remote server
Enter the protocol, SCP user name, location, path, file name, and SCP port number
<location> (Range: 1­256 chars; Default SCP port number: 22; Format: tftp://location:path/filename,
scp://username@location:path/filename or scp://username@location:port:path/filename)

save {capture} local <string> <url> [ admin <string> password <string> {basic|digest} ] [ proxy
<string> [ proxy­admin <string> password <string> ] ]
Save a configuration, HiveOS image, RADIUS database, or files used by the internal web,
save
RADIUS servers, or packet capture tool
capture Save a packet capture file stored locally to a remote server
local Save a locally stored packet capture file to a remote server
<string> Enter the file name to upload to a remote server
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)

admin Set the name of the server administrator

<string> Enter the administrator name (1­32 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 189/315
27/4/2016 Aerohive CLI Guide
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator
<string> Enter the proxy password (1­64 chars)

schedule <string> once <date> <time> to <date> <time> [ time­zone <number> ] [ comment <string> ]
schedule Set a schedule to control the application of user profiles and the availability of SSIDs
<string> Enter a schedule name (1­32 chars)
once Set a one­time schedule
Enter a start date for the schedule (Format: yyyy­mm­dd; Range: 1970­01­01 to 2035­12­
<date>
31)
Enter a start time for the schedule (Format: hh:mm; Hour Range: 00­23; Minute Range: 00­
<time>
59)
to Set a date and time range
<date> Enter an end date for the schedule (Format: yyyy­mm­dd; Range: 1970­01­01 to 2035­12­31)
Enter an end time for the schedule (Format: hh:mm; Hour Range: 00­23; Minute Range: 00­
<time>
59)
Set the time zone for the schedule (Note: If you do not specify a time zone, the time
time­zone
zone for the local system will be used.)
<number> Enter the time zone for the schedule (Default: 0; Range: ­12 to 12)
comment Write a comment about the schedule for future reference
<string> Enter a comment about the schedule (max 128 chars)

schedule <string> ppsk once <date> <time> to <date> <time> [ time­zone <number> ] [ comment <string> ]
schedule Set a schedule to control the application of user profiles and the availability of SSIDs
<string> Enter a schedule name (1­32 chars)
Set a schedule to determine the validity period for the private PSK users to which the
ppsk
schedule is applied
once Set a one­time schedule
Enter a start date for the schedule (Format: yyyy­mm­dd; Range: 1970­01­01 to 2035­12­
<date>
31)
Enter a start time for the schedule (Format: hh:mm; Hour Range: 00­23; Minute Range: 00­
<time>
59)
to Set a date and time range
<date> Enter an end date for the schedule (Format: yyyy­mm­dd; Range: 1970­01­01 to 2035­12­31)
Enter an end time for the schedule (Format: hh:mm; Hour Range: 00­23; Minute Range: 00­
<time>
59)
Set the time zone for the schedule (Note: If you do not specify a time zone, the time
time­zone
zone for the local system will be used.)
<number> Enter the time zone for the schedule (Default: 0; Range: ­12 to 12)
comment Write a comment about the schedule for future reference
<string> Enter a comment about the schedule (max 128 chars)

schedule <string> ppsk recurrent [ date­range <date> [ to <date> ] ] [ weekday <string> ] time­range
<time> to <time> [ time­range <time> to <time> ] [ time­zone <number> ] [ comment <string> ]

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 190/315
27/4/2016 Aerohive CLI Guide
schedule Set a schedule to control the application of user profiles and the availability of SSIDs
<string> Enter a schedule name (1­32 chars)
Set a schedule to determine the validity period for the private PSK users to which the
ppsk
schedule is applied
recurrent Set a recurrent schedule
Set dates to mark the start and end of the schedule (If you do not want to set start and
date­range
end dates, do not use this option.)
Enter a start date for the schedule (Format: yyyy­mm­dd; Range: 1970­01­01 to 2035­12­
<date>
31)
to Set a date range (If you do not want to set an end date, do not use this option.)
<date> Enter a end date for the schedule (Format: yyyy­mm­dd; Range: 1970­01­01 to 2035­12­31)
weekday Set the weekdays during which private PSK users are valid
Enter one or more numbers to indicate which days the schedule is applied (1=Sunday,
<string> 2=Monday, ... 7=Saturday; Examples: 246=Monday, Wednesday, Friday; 23456=Monday­Friday;
1234567=everyday)
time­range Set a time range during which the schedule will be applied on each scheduled day
Enter a start time for the schedule (Format: hh:mm; Hour Range: 00­23; Minute Range: 00­
<time>
59)
to Set a time range
Enter a end time for the schedule,(Format: hh:mm; Hour Range: 00­23; Minute Range: 00­
<time>
59)
time­range Set a second time range for the schedule
Enter a second start time for the schedule (Format: hh:mm; Hour Range: 00­23; Minute
<time>
Range: 00­59)
to Set a time range
Enter a second end time for the schedule,(Format: hh:mm; Hour Range: 00­23; Minute
<time>
Range: 00­59)
Set the time zone for the schedule (Note: If you do not specify a time zone, the time
time­zone
zone for the local system will be used.)
<number> Enter the time zone for the schedule (Default: 0; Range: ­12 to 12)
comment Write a comment about the schedule for future reference
<string> Enter a comment about the schedule (max 128 chars)

schedule <string> recurrent [ date­range <date> [ to <date> ] ] [ weekday­range

{Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} [ to
{Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} ] ] time­range <time> to <time> [ time­
range <time> to <time> ] [ time­zone <number> ] [ comment <string> ]
schedule Set a schedule to control the application of user profiles and the availability of SSIDs
<string> Enter a schedule name (1­32 chars)
recurrent Set a recurrent schedule
Set dates to mark the start and end of the schedule (If you do not want to set start and
date­range
end dates, do not use this option.)
Enter a start date for the schedule (Format: yyyy­mm­dd; Range: 1970­01­01 to 2035­12­
<date>
31)
to Set a date range (If you do not want to set an end date, do not use this option.)
<date> Enter a end date for the schedule (Format: yyyy­mm­dd; Range: 1970­01­01 to 2035­12­31)
Apply the schedule on specific days of the week (To apply the schedule everyday, do not
weekday­range
use this option.)
Monday Apply the schedule on every Monday within the date range
Tuesday Apply the schedule on every Tuesday within the date range
Wednesday Apply the schedule on every Wednesday within the date range

Thursday Apply the schedule on every Thursday within the date range
Friday Apply the schedule on every Friday within the date range
Saturday Apply the schedule on every Saturday within the date range
Sunday Apply the schedule on every Sunday within the date range
Set a range of weekdays during which the schedule will be applied (Example: monday to
to

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 191/315
27/4/2016 Aerohive CLI Guide
friday)
Monday Apply the schedule on every Monday within the date range
Tuesday Apply the schedule on every Tuesday within the date range
Wednesday Apply the schedule on every Wednesday within the date range
Thursday Apply the schedule on every Thursday within the date range
Friday Apply the schedule on every Friday within the date range
Saturday Apply the schedule on every Saturday within the date range
Sunday Apply the schedule on every Sunday within the date range
time­range Set a time range during which the schedule will be applied on each scheduled day
Enter a start time for the schedule (Format: hh:mm; Hour Range: 00­23; Minute Range: 00­
<time>
59)
to Set a time range
Enter a end time for the schedule,(Format: hh:mm; Hour Range: 00­23; Minute Range: 00­
<time>
59)
time­range Set a second time range for the schedule
Enter a second start time for the schedule (Format: hh:mm; Hour Range: 00­23; Minute
<time>
Range: 00­59)
to Set a time range
Enter a second end time for the schedule,(Format: hh:mm; Hour Range: 00­23; Minute
<time>
Range: 00­59)
Set the time zone for the schedule (Note: If you do not specify a time zone, the time
time­zone
zone for the local system will be used.)
<number> Enter the time zone for the schedule (Default: 0; Range: ­12 to 12)
comment Write a comment about the schedule for future reference
<string> Enter a comment about the schedule (max 128 chars)

security mac­filter <string> address <mac_addr> {permit|deny} [ comment <string> ]

security Set the security parameters
mac­filter Set a filter for MAC addresses or OUIs (organizationally unique identifiers)
<string> Enter the filter name for MAC addresses or OUIs (1­32 chars)
address Set MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
permit Set the action of the specified MAC to permit
deny Set the action of the specified MAC to deny
comment Enter a comment
<string> Enter a comment (max 64 chars)

security mac­filter <string> default {permit|deny}

security Set the security parameters
mac­filter Set a filter for MAC addresses or OUIs (organizationally unique identifiers)
<string> Enter the filter name for MAC addresses or OUIs (1­32 chars)
default Set MAC­filter default action
permit Set MAC­filter default action to permit (Default: permit)
deny Set MAC­filter default action to deny (Default: permit)

security mac­filter <string> oui <oui> {permit|deny} [ comment <string> ]

security Set the security parameters
mac­filter Set a filter for MAC addresses or OUIs (organizationally unique identifiers)
<string> Enter the filter name for MAC addresses or OUIs (1­32 chars)
oui Set the OUI used to identify a vendor
Enter the OUI (Note: You can use colons, dashes, or periods to format the OUI. Examples:
<oui>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 192/315
27/4/2016 Aerohive CLI Guide
Apple iPhone=00:1b:63; D­Link Phone=00­17­9a; Vocera=00.09.ef.)
permit Set the action of the specified OUI to permit
deny Set the action of the specified OUI to deny
comment Enter a comment
<string> Enter a comment (max 64 chars)

security wlan­idp profile <string>

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)

security wlan­idp profile <string> adhoc

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
adhoc Detect adhoc networks

security wlan­idp profile <string> ap­detection client­mac­in­net

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
ap­detection Set attributes to note when detecting APs
Determine that a detected rogue AP is in the same backhaul network as the local device
client­mac­in­net
if any of its client MAC addresses appear in the MAC learning table

security wlan­idp profile <string> ap­detection connected

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
ap­detection Set attributes to note when detecting APs
Determine that a rogue AP is in the same backhaul network as the local device if any MAC
connected address within a 64­address range of the BSSID used by the detected rogue AP appears in
the MAC learning table

security wlan­idp profile <string> ap­policy

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
ap­policy Set an AP policy for the IDP profile

security wlan­idp profile <string> ap­policy ap­oui

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 193/315
27/4/2016 Aerohive CLI Guide
ap­policy Set an AP policy for the IDP profile
ap­oui Categorize neighboring APs as compliant by OUI (organizationally unique identifier)

security wlan­idp profile <string> ap­policy ap­oui entry <oui>

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
ap­policy Set an AP policy for the IDP profile
ap­oui Categorize neighboring APs as compliant by OUI (organizationally unique identifier)
entry Add an OUI entry
Enter the OUI (Note: You can use colons, dashes, or periods to format the OUI. Examples:
<oui>
Apple iPhone=00:1b:63; D­Link Phone=00­17­9a; Vocera=00.09.ef.)

security wlan­idp profile <string> ap­policy short­beacon

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
ap­policy Set an AP policy for the IDP profile
Categorize neighboring APs as non­compliant if their beacon transmissions are at shorter
short­beacon
intervals than stated in their beacon frames

security wlan­idp profile <string> ap­policy short­preamble

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
ap­policy Set an AP policy for the IDP profile
short­preamble Categorize neighboring APs as compliant if they use short preambles

security wlan­idp profile <string> ap­policy ssid

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
ap­policy Set an AP policy for the IDP profile
ssid Categorize neighboring APs as compliant by SSID (service set identifier)

security wlan­idp profile <string> ap­policy ssid entry <string>

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
ap­policy Set an AP policy for the IDP profile
ssid Categorize neighboring APs as compliant by SSID (service set identifier)
entry Add an SSID entry
<string> Enter an SSID name

security wlan­idp profile <string> ap­policy ssid entry <string> encryption

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 194/315
27/4/2016 Aerohive CLI Guide
security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
ap­policy Set an AP policy for the IDP profile
ssid Categorize neighboring APs as compliant by SSID (service set identifier)
entry Add an SSID entry
<string> Enter an SSID name
encryption Set approved encryption types for the SSID

security wlan­idp profile <string> ap­policy ssid entry <string> encryption {open|wep|wpa}
security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
ap­policy Set an AP policy for the IDP profile
ssid Categorize neighboring APs as compliant by SSID (service set identifier)
entry Add an SSID entry
<string> Enter an SSID name
encryption Set approved encryption types for the SSID
open Categorize a neighboring AP as compliant if its SSID uses open (Default: open)
wep Categorize a neighboring AP as compliant if its SSID uses wep (Default: open)
wpa Categorize a neighboring AP as compliant if its SSID uses wpa (Default: open)

security wlan­idp profile <string> ap­policy wmm

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
ap­policy Set an AP policy for the IDP profile
Categorize neighboring APs as compliant if they apply WMM (Wi­Fi Multimedia)
wmm
classifications

security wlan­idp profile <string> mitigate deauth­time <number>

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
mitigate Set rogue AP and client mitigation parameters for the IDP profile
Set the number of consecutive periods that the HiveAP sends deauth frames to mitigate
deauth­time
clients of a rogue AP after detecting client activity
Enter the number of consecutive rogue AP and client mitigation periods (Default: 60;
<number>
Range: 0­65535; 0 means to send deauth frames for the entire mitigation duration)

security wlan­idp profile <string> mitigate duration <number> quiet­time <number>

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
mitigate Set rogue AP and client mitigation parameters for the IDP profile

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 195/315
27/4/2016 Aerohive CLI Guide
duration Set the overall duration for detecting clients of a rogue AP and performing deauth DoS
attacks against the AP and its clients
Enter the duration in seconds (Default: 14400 secs; Range: 0 or 60­2592000; 0 secs means
<number>
infinite)
Set the period of time after which the mitigation process stops if no clients are
quiet­time
connected to the rogue AP
Enter the quiet time in seconds (Default: 3600 secs; Range: 0 or 60­2592000; 0 means
<number>
that the quiet time is the same length as the mitigation duration)

security wlan­idp profile <string> mitigate period <number>

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
mitigate Set rogue AP and client mitigation parameters for the IDP profile
Set the interval to check periodically for clients of a rogue AP and­­if found­­send
period
deauth DoS attacks against the AP and clients
<number> Enter the period in seconds (Default: 1 secs; Range: 1­600)

security wlan­idp profile <string> sta­report

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
sta­report Set rogue client report parameters for the IDP profile (Default: Disabled)

security wlan­idp profile <string> sta­report age­time <number>

security Set the security parameters
wlan­idp Set WLAN IDP (intrusion detection and prevention) parameters
profile Set an IDP profile
<string> Enter an IDP profile name (1­32 chars)
sta­report Set rogue client report parameters for the IDP profile (Default: Disabled)
Set age time a rogue client must be disconnected from a rogue AP before removing it from
age­time
the report
<number> Enter the age time in seconds (Default: 3600 secs; Range: 60­86400)

security­object <string>
security­object
<string>
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)

security­object <string> default­user­profile­attr <number>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
default­user­profile­
Set the attribute of the user profile to apply to user traffic by default
attr
Enter the default user profile attribute for the security object (Default: 0; Range: 0­
<number>
4095)

security­object <string> dhcp­server lease­time <number>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
dhcp­server Set DHCP­server parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 196/315
27/4/2016 Aerohive CLI Guide

lease­time Set the lease time

<number> Enter the lease time in seconds (Default: 10; Range: 5­36000)

security­object <string> dhcp­server renewal­response {renew­nak­unicast|keep­silent}

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
dhcp­server Set DHCP­server parameters
renewal­response Set the response to a DHCP lease renewal request for a nonexistent lease
Respond to a DHCP lease renewal request for a nonexistent lease with a unicast DHCP­NAK
renew­nak­unicast
message (Default: Broadcast a DHCP­NAK message)
Do not respond to a DHCP lease renewal request for a nonexistent lease (Default:
keep­silent
Broadcast a DHCP­NAK message)

security­object <string> mobile­device­policy <string>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
Set a policy that assigns a user profile to traffic from a client based on the
mobile­device­policy
originally assigned user profile and the MAC OUI, domain, and OS of the user's client
<string> Enter a mobile device policy name (1­32 chars)

security­object <string> ppsk­web­server auth­user

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
Set parameters for redirecting HTTP or HTTPS traffic to the HiveAP hosting a private PSK
ppsk­web­server
web server
Send credentials submitted by users during private PSK self­registration to a RADIUS
auth­user
server for authentication before issuing private PSKs to them

security­object <string> ppsk­web­server bind­to­ppsk­ssid <string>

security­object
<string>
ppsk­web­server
bind­to­ppsk­ssid
<string>
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set parameters for redirecting HTTP or HTTPS traffic to the HiveAP hosting a private PSK
web server
Bind the SSID referencing this security object, which must be set with open
authentication and an external captive web portal, to an SSID using private PSKs so the
PSKs can be assigned to users automatically
Enter the name of the SSID using private PSK authentication (1­32 chars)

security­object <string> ppsk­web­server https

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
Set parameters for redirecting HTTP or HTTPS traffic to the HiveAP hosting a private PSK
ppsk­web­server
web server
Use HTTPS for redirection from the private PSK authenticator to the private PSK server
https
(Default: HTTP)

security­object <string> ppsk­web­server login­page <string>

security­object
<string>
ppsk­web­server
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set parameters for redirecting HTTP or HTTPS traffic to the HiveAP hosting a private PSK
web server

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 197/315
27/4/2016 Aerohive CLI Guide
Specify the .cgi file on the private PSK web server through which the user registers
login­page
(Default: ppsk­index.cgi)
Enter the .cgi file name for the registration page (1­32 chars; Note: The file name
<string>
cannot be index.cgi.)

security­object <string> ppsk­web­server login­script <string>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
Set parameters for redirecting HTTP or HTTPS traffic to the HiveAP hosting a private PSK
ppsk­web­server
web server
Specify the .cgi file that the private PSK web server uses for processing user
login­script
registration requests (Default: ppsk­login.cgi)
<string> Enter the script name (1­32 chars)

security­object <string> ppsk­web­server web­directory <string>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
Set parameters for redirecting HTTP or HTTPS traffic to the HiveAP hosting a private PSK
ppsk­web­server
web server
Set the name of the web directory containing the login page and script files that the
web­directory
private PSK web server uses
<string> Enter the web directory name (1­32 chars)

security­object <string> security aaa radius­server [ first­retry­interval <number> ] [ max­retries

<number> ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
Set the initial interval to wait for a RADIUS auth or accounting server to reply before
resending a request(Note: A NAS makes repeated requests before failing over to a backup
first­retry­interval
server, and the interval for each successive attempt is double that of the previous one.
Example: If an initial interval is 3 secs, 3 retry intervals are 3­6­12.)
<number> Enter the initial retry interval in seconds (Range: 1­5; Default: 3)
Set the maximum number of retries to elicit a response from the RADIUS server before
max­retries
failing over to a backup RADIUS server (if a backup server is configured)
<number> Enter the maximum number of retries (Range: 1­5; Default: 3)

security­object <string> security aaa radius­server account­interim­interval <number>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
account­interim­
Set the interval in seconds for sending RADIUS accounting updates
interval
Enter the interval in seconds for sending RADIUS accounting updates (Default: 600 secs;
<number>
Range: 10­100000000)

security­object <string> security aaa radius­server accounting {primary|backup1|backup2|backup3}

<ip_addr|string> [ shared­secret <string> ] [ acct­port <number> ] [ via­vpn­tunnel ]
Set parameters for a security object controlling network access through the SSIDs and
security­object Ethernet interfaces to which it is applied

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 198/315
27/4/2016 Aerohive CLI Guide

<string> Enter the security object name (1­32 chars)

security Set security parameters for the security object
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
accounting Set parameters for a RADIUS accounting server
Set the RADIUS accounting server to which the HiveAP sends Accounting­Request packets
primary
first
Set the RADIUS accounting server to which the HiveAP sends Accounting­Request packets if
backup1
the primary server does not respond
Set the RADIUS accounting server to which the HiveAP sends Accounting­Request packets if
backup2
the backup1 server does not respond
Set the RADIUS accounting server to which the HiveAP sends Accounting­Request packets if
backup3
the backup2 server does not respond
<ip_addr> Enter the IP address or domain name for the RADIUS accounting server (max 32 chars)
<string> Enter the IP address or domain name for the RADIUS accounting server (max 32 chars)
shared­secret Set the shared secret for securing communications with RADIUS accounting servers
<string> Enter the shared secret (1­64 chars)
acct­port Set the RADIUS accounting port number
<number> Enter the RADIUS accounting port number (Default: 1813; Range: 1­65535)
Send all RADIUS traffic through a VPN tunnel (Note: Set this option on VPN clients when
via­vpn­tunnel the RADIUS server is in a different subnet from the tunnel interface. When they are in
the same subnet, tunneling is automatic.)

security­object <string> security aaa radius­server dynamic­auth­extension

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
Enable the HiveAP acting as a NAS to accept unsolicited messages from the RADIUS
dynamic­auth­extension
authentication server (Default: Disabled)

security­object <string> security aaa radius­server idm [ pri ]

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
idm Set ID Manager as RADIUS server
pri Set the ID Manager RADIUS server to have the highest priority

security­object <string> security aaa radius­server inject Operator­Name

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
inject Set injection parameters for RADIUS Access­Request and Accounting­Request packets
Set the operator name of the RADIUS Access­Request and Accounting­Request packets (Note:
The operator name contains the operator namespace ID and the operator name. The operator
Operator­Name
name is combined with the namespace ID to uniquely identify the owner of the access
network.)
http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 199/315
27/4/2016 Aerohive CLI Guide

security­object <string> security aaa radius­server msg­auth­all­messages

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
Include the Message­Authenticator attribute in all RADIUS messages to protect against
msg­auth­all­messages spoofing (Default: The attribute is only included in RADIUS messages for 802.1X/EAP
authentication but not when using captive web portals and MAC authentication.)

security­object <string> security aaa radius­server retry­interval <number>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
retry­interval Set RADIUS server retry interval
<number> Enter RADIUS server retry interval (Default: 600 secs; Range: 60­100000000)

security­object <string> security aaa radius­server {primary|backup1|backup2|backup3} <ip_addr|string>

[ shared­secret <string> ] [ auth­port <number> ] [ acct­port <number> ] [ via­vpn­tunnel ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
aaa Set parameters for AAA (authentication, authorization, accounting)
radius­server Set parameters for a RADIUS (Remote Authentication Dial In User Service) server
primary Set the RADIUS server that is first queried when authenticating users
backup1 Set the RADIUS server that is queried if the primary server stops responding
backup2 Set the RADIUS server that is queried if the backup1 server stops responding
backup3 Set the RADIUS server that is queried if the backup2 server stops responding
<ip_addr> Enter an IP address or a domain name for the RADIUS server (max 32 chars)
<string> Enter an IP address or a domain name for the RADIUS server (max 32 chars)
shared­secret Set the shared secret for authenticating communications with a RADIUS server
Enter the shared secret for authenticating communications with a RADIUS server (1­64
<string>
chars)
auth­port Set the RADIUS authentication port number
<number> Enter the RADIUS authentication port number (Default: 1812; Range: 1­65535)
acct­port Set the RADIUS accounting port number
<number> Enter the RADIUS accounting port number (Default: 0; Range: 0­65535)
Send all RADIUS traffic through a VPN tunnel (Note: Set this option on VPN clients when
via­vpn­tunnel the RADIUS server is in a different subnet from the tunnel interface. When they are in
the same subnet, tunneling is automatic.)

security­object <string> security aaa user­profile­mapping attribute­id <number>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
aaa Set parameters for AAA (authentication, authorization, accounting)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 200/315
27/4/2016 Aerohive CLI Guide
user­profile­mapping Map an attribute value returned in RADIUS­Accept messages to a user profile attribute
Set an ID for a RADIUS attribute that contains the text that maps to the user profile
attribute­id
(Default: 11; Note: Attribute ID 11 corresponds to the Filter­ID RADIUS attribute.)
<number> Enter the RADIUS attribute ID number (Range: 1­255)

security­object <string> security aaa user­profile­mapping enable

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
aaa Set parameters for AAA (authentication, authorization, accounting)
user­profile­mapping Map an attribute value returned in RADIUS­Accept messages to a user profile attribute
enable Enable the mapping of attribute values to user profile attributes (Default: Disabled)

security­object <string> security aaa user­profile­mapping vendor­id <number> attribute­id <number>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
aaa Set parameters for AAA (authentication, authorization, accounting)
user­profile­mapping Map an attribute value returned in RADIUS­Accept messages to a user profile attribute
vendor­id Set a vendor ID RADIUS attribute
<number> Enter the vendor ID number (Range: 1­65535)
attribute­id Set an ID for a private RADIUS attribute
Enter the private RADIUS attribute ID number to be combined with the vendor ID number
<number>
(Range: 1­255)

security­object <string> security additional­auth­method captive­web­portal [ reg­user­profile­attr

<number> ] [ auth­user­profile­attr <number> ] [ timeout <number> ] [ timer­display ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
reg­user­profile­attr Set the registered user profile attribute
<number> Enter the registered user profile attribute (Default: 0; Range: 0­4095)
auth­user­profile­attr Set the default authenticated user profile
<number> Enter the default authenticated user profile (Default: 0; Range: 0­4095)
Set the default timeout for a registered user's session (Note: A timeout provided by an
timeout
external authentication server overrides this setting.)
<number> Enter the timeout in minutes (Default: 720 mins; Range: 1­120960)
timer­display Enable timer­display windows to communicate login and session information

security­object <string> security additional­auth­method captive­web­portal anonymous­access

security­object
<string>
security
additional­auth­method
captive­web­portal
anonymous­access
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
suite
Set a captive web portal for additional user authentication or registration
Enable anonymous access which will indicate users to read and accept the network use

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 201/315
27/4/2016 Aerohive CLI Guide
policy and apply a time and data usage limit to the client (Default: Disabled)

security­object <string> security additional­auth­method captive­web­portal auth­method [

{pap|chap|ms­chap­v2} ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
auth­method Set the CWP (captive web portal) user authentication method
Set PAP (Password Authentication Protocol) as the method for sending authentication
pap
requests between the HiveAP and RADIUS server (Default: PAP)
Set CHAP (Challenge­Handshake Authentication Protocol) as the method for sending
chap
authentication requests between the HiveAP and RADIUS server (Default: PAP)
Set MS­CHAP­v2 (Microsoft CHAP Version 2) as the method for sending authentication
ms­chap­v2
requests between the HiveAP and RADIUS server (Default: PAP)

security­object <string> security additional­auth­method captive­web­portal check­use­policy

security­object
<string>
security
additional­auth­method
captive­web­portal
check­use­policy
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
suite
Set a captive web portal for additional user authentication or registration
Check if users select the check box on the login page to indicate they have read and
accepted the network use policy (Note: This option only applies to captive web portals
that require user authentication and use policy acceptance.)

security­object <string> security additional­auth­method captive­web­portal cloud­cwp api­key <string>

api­nonce <string>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
cloud­cwp Set a cloud captive web portal for additional user authentication or registration
Set the API key used to encrypt traffic between the Aerohive device and the cloud
api­key
services
<string> Enter the API key (16 chars)
api­nonce Set the API nonce
<string> Enter the API nonce (1­64 chars)

security­object <string> security additional­auth­method captive­web­portal cloud­cwp customer­id

<string>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration

cloud­cwp Set a cloud captive web portal for additional user authentication or registration

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 202/315
27/4/2016 Aerohive CLI Guide
customer­id Set customer ID for cloud captive web portal
<string> Enter the customer ID (1­16 chars)

security­object <string> security additional­auth­method captive­web­portal cloud­cwp enable

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
cloud­cwp Set a cloud captive web portal for additional user authentication or registration
enable Enable cloud captive web portal

security­object <string> security additional­auth­method captive­web­portal cloud­cwp service­id

<number>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
cloud­cwp Set a cloud captive web portal for additional user authentication or registration
service­id Set the service ID for cloud captive web portal
<number> Enter service ID number(Range: 1­255)

security­object <string> security additional­auth­method captive­web­portal cloud­cwp url­root­path

<string>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
cloud­cwp Set a cloud captive web portal for additional user authentication or registration
url­root­path Set the root URL path to register CWP portal service
Enter the HTTP protocol, remote server domain name, port, directory path(Range: 1­256
<string>
chars, Format: https://domain/path)

security­object <string> security additional­auth­method captive­web­portal default­language {chinese­

simple|chinese­traditional|dutch|english|french|german|italian|korean|spanish}
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
default­language Set the default language for the captive web portal web pages
chinese­simple Set Simple Chinese as the default language
chinese­traditional Set Traditional Chinese as the default language
dutch Set Dutch as the default language
english Set English as the default language

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 203/315
27/4/2016 Aerohive CLI Guide
french Set French as default language
german Set German as the default language
italian Set Italian as the default language
korean Set Korean as the default language
spanish Set Spanish as the default language

security­object <string> security additional­auth­method captive­web­portal external­server {primary}

login­page <string>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
external­server Set parameters for the primary or backup external captive web portal server
primary Set parameters for the primary external captive web portal server
login­page Set the login page to which the HiveAP redirects traffic from unregistered users
Enter the login page URL (1­256 chars; Format: http:///.php/; Example:
<string>
http://10.1.1.20/weblogin.php/5)

security­object <string> security additional­auth­method captive­web­portal external­server {primary}

password­encryption uam­basic
security­object
<string>
security
additional­auth­method
captive­web­portal
external­server
primary
password­encryption
uam­basic
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
suite
Set a captive web portal for additional user authentication or registration
Set parameters for the primary or backup external captive web portal server
Set parameters for the primary external captive web portal server
Set the method for encrypting the user password that the HiveAP forwards to the RADIUS
server
Set the encryption method as UAM (User Authentication Module)­Basic (Note: The HiveAP
uses XOR to recover the password encrypted by the external CWP and sends it to the
RADIUS server. PAP, CHAP, or MSCHAPv2 can be used. Default: No encryption)

security­object <string> security additional­auth­method captive­web­portal external­server {primary}

password­encryption uam­shared <string>
security­object
<string>
security
additional­auth­method
captive­web­portal
external­server
primary
password­encryption
uam­shared
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
suite
Set a captive web portal for additional user authentication or registration
Set parameters for the primary or backup external captive web portal server
Set parameters for the primary external captive web portal server
Set the method for encrypting the user password that the HiveAP forwards to the RADIUS
server
Set the encryption method as UAM­Shared (Note: The HiveAP sends the user password
encrypted by the external CWP and the means for the RADIUS server to perform the same
operation and validate the user's password by comparing results. CHAP must be used.
Default: No encryption)

<string> Enter the shared secret (1­128 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 204/315
27/4/2016
security­object <string> security additional­auth­method captive­web­portal external­server {primary}
{success­register|no­roaming­at­login|no­radius­auth}
security­object
<string>
security
additional­auth­method
captive­web­portal
external­server
primary
success­register
no­roaming­at­login
no­radius­auth
Aerohive CLI Guide
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
suite
Set a captive web portal for additional user authentication or registration
Set parameters for the primary or backup external captive web portal server
Set parameters for the primary external captive web portal server
Permit network access without first disconnecting the client after it registers on the
external captive web portal (Default: Permit network access only after an initial client
disconnection)
Disable roaming support for clients while they log in (Default: Enabled)
Disable RADIUS authentication when the external captive web portal returns an attribute
indicating that the user has already been authenticated

security­object <string> security additional­auth­method captive­web­portal failure­redirect external­

page <string> [ delay <number> ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
failure­redirect Set options for the page shown to a user after an unsuccessful registration attempt
Display a page stored on an external web server that indicates the login attempt was
external­page
unsuccessful
Enter the URL for the page on the external web server (1­256 chars; Format:
<string>
http:///.html or https: ///.html)
Set the length of time to display a message that the registration succeeded before
delay
redirecting the user to an external web page
Enter the length of time in seconds that the HiveAP displays the message (Default: 5;
<number>
Range: 5­60)

security­object <string> security additional­auth­method captive­web­portal failure­redirect login­

page [ delay <number> ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
failure­redirect Set options for the page shown to a user after an unsuccessful registration attempt
login­page Display the login page again
Set the length of time to display a message that the registration succeeded before
delay
redirecting the user to an external web page
Enter the length of time that the HiveAP displays the message (Default: 5 seconds;
<number>
Range: 5­60 seconds)

security­object <string> security additional­auth­method captive­web­portal internal­pages {no­

success­page|no­failure­page}
security­object
<string>
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 205/315
27/4/2016
security
additional­auth­method
captive­web­portal
internal­pages
no­success­page
no­failure­page
security­object <string> security additional­auth­method captive­web­portal internal­servers
security­object
<string>
security
additional­auth­method
captive­web­portal
internal­servers
security­object <string> security additional­auth­method captive­web­portal login­page­method http302
security­object
<string>
security
additional­auth­method
captive­web­portal
login­page­method
http302
security­object <string> security additional­auth­method captive­web­portal pass­through vlan <number>
security­object
<string>
security
additional­auth­method
captive­web­portal
pass­through
vlan
<number>
security­object <string> security additional­auth­method captive­web­portal process­sip­info
security­object
<string>
security
additional­auth­method
captive­web­portal
process­sip­info
security­object <string> security additional­auth­method captive­web­portal process­sip­info block­
http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7
Aerohive CLI Guide
Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
suite
Set a captive web portal for additional user authentication or registration
Set options for showing pages stored internally on the HiveAP
Do not display the success page stored on the HiveAP when a registration attempt is
successful (Default: Display)
Do not display the failure page stored on the HiveAP when a registration attempt is
unsuccessful (Default: Display)
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
suite
Set a captive web portal for additional user authentication or registration
Enable internal servers to process unregistered users' DHCP and DNS traffic
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
suite
Set a captive web portal for additional user authentication or registration
Set the method to redirect the user to the login page
Use HTTP 302 redirect code as the redirection method (Default: JavaScript)
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
suite
Set a captive web portal for additional user authentication or registration
Set the captive web portal to pass DHCP, DNS, and ICMP traffic from unregistered users
to external servers
Set the VLAN ID to assign users before and after registration (Note: This setting
overrides any VLAN ID set locally or received from a RADIUS server.)
Enter a CWP VLAN ID (Range: 1­4094)
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
suite
Set a captive web portal for additional user authentication or registration
Enable the captive web portal to process library SIP information (Default: Enabled)
206/315
27/4/2016
redirect <string>
security­object
<string>
security
additional­auth­method
captive­web­portal
process­sip­info
block­redirect
<string>
security­object <string> security additional­auth­method captive­web­portal report­guest­info
security­object
<string>
security
additional­auth­method
captive­web­portal
report­guest­info
security­object <string> security additional­auth­method captive­web­portal self­reg­via­idm
security­object
<string>
security
additional­auth­method
captive­web­portal
self­reg­via­idm
security­object <string> security additional­auth­method captive­web­portal self­reg­via­idm api
<string>
security­object
<string>
security
additional­auth­method
captive­web­portal
self­reg­via­idm
api
<string>
security­object <string> security additional­auth­method captive­web­portal self­reg­via­idm crl­file
<string>
security­object
<string>
security
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method suite
http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7
Aerohive CLI Guide
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
suite
Set a captive web portal for additional user authentication or registration
Enable the captive web portal to process library SIP information (Default: Enabled)
Set the page that appears when a library patron logs in but is denied network access
because of overdue fines
Enter the URL for the page to which the patron is redirected to submit payment (Max 256
chars; Format: http:///.html or https: ///.html)
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
suite
Set a captive web portal for additional user authentication or registration
Enable the reporting to HiveManager of information that guests enter during
registration, such as their first and last names, email address, the person they are
visiting, and so on (Default: Disabled)
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
suite
Set a captive web portal for additional user authentication or registration
Enable self register via ID Mananger (Default: Disabled)
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
suite
Set a captive web portal for additional user authentication or registration
Enable self register via ID Mananger (Default: Disabled)
Set the URL of the API for register via ID Mananger
Enter the URL of API (1­256 chars)
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)
Set security parameters for the security object
207/315
27/4/2016 Aerohive CLI Guide
captive­web­portal Set a captive web portal for additional user authentication or registration
self­reg­via­idm Enable self register via ID Mananger (Default: Disabled)
crl­file Set the URL of the CRL file for validate the ID Manager server certificate
<string> Enter the URL of CRL file (1­256 chars)

security­object <string> security additional­auth­method captive­web­portal server­name <string>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
Set a domain name for the local web server (Default server name: IP address of the
server­name interface on which the captive web portal will operate; Note: The authoritative DNS
server must be configured to resolve this domain name to the interface IP address.)
<string> Enter the domain name for the web server (1­32 chars)

security­object <string> security additional­auth­method captive­web­portal server­name cert­dn

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
Set a domain name for the local web server (Default server name: IP address of the
server­name interface on which the captive web portal will operate; Note: The authoritative DNS
server must be configured to resolve this domain name to the interface IP address.)
Set the same domain name as the CN value in the certificate that the captive web portal
cert­dn uses for HTTPS (Note: The CN must be a valid domain name that can be resolved to the IP
address of the interface hosting the portal. The CN max length is 32 chars.)

security­object <string> security additional­auth­method captive­web­portal success­redirect external­

page <string> [ delay <number> ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
success­redirect Set options for displaying the page shown to a user after a successful registration
external­page Display a page stored on an external web server
Enter the URL for the page on the external web server (1­256 chars; Format:
<string>
http:///.html or https: ///.html)
Set the length of time to display a message that the registration succeeded before
delay
redirecting the user to an external web page
Enter the length of time in seconds that the HiveAP displays the message (Default: 5;
<number>
Range: 5­60)

security­object <string> security additional­auth­method captive­web­portal success­redirect original­

page [ delay <number> ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 208/315
27/4/2016 Aerohive CLI Guide
additional­auth­method Set an additional authentication method in addition to the one in the security protocol
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
success­redirect Set options for displaying the page shown to a user after a successful registration
original­page Display the original page that the user requested
Set the length of time to display a message that the registration succeeded before
delay
redirecting the user to an external web page
Enter the length of time that the HiveAP displays the message (Default: 5 seconds;
<number>
Range: 5­60 seconds)

security­object <string> security additional­auth­method captive­web­portal timer­display alert

<number>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
captive­web­portal Set a captive web portal for additional user authentication or registration
timer­display Enable timer­display windows to communicate login and session information
alert Notify users when their session is about to expire
<number> Enter the interval before the session expires in minutes (Default: 5 mins; Range: 1­30)

security­object <string> security additional­auth­method mac­based­auth [ {auth­method} {pap|chap|ms­

chap­v2} ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
Use client MAC addresses as user names and passwords for RADIUS authentication (Default:
mac­based­auth
Disabled)
auth­method Set user authentication method
Set PAP (Password Authentication Protocol) as the method for sending authentication
pap
requests between the HiveAP and RADIUS server (Default: PAP)
Set CHAP (Challenge­Handshake Authentication Protocol) as the method for sending
chap
authentication requests between the HiveAP and RADIUS server (Default: PAP)
Set MS­CHAP­v2 (Microsoft CHAP Version 2) as the method for sending authentication
ms­chap­v2
requests between the HiveAP and RADIUS server (Default: PAP)

security­object <string> security additional­auth­method mac­based­auth call­check

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
Use client MAC addresses as user names and passwords for RADIUS authentication (Default:
mac­based­auth
Disabled)
call­check Enable mac auth call­check(Default: Disabled)

security­object <string> security additional­auth­method mac­based­auth fallback­to­ecwp

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 209/315
27/4/2016 Aerohive CLI Guide
additional­auth­method Set an additional authentication method in addition to the one in the security protocol
suite
Use client MAC addresses as user names and passwords for RADIUS authentication (Default:
mac­based­auth
Disabled)
Redirect HTTP/HTTPS traffic to an external captive web portal if MAC­based
fallback­to­ecwp
authentication fails on the RADIUS server

security­object <string> security additional­auth­method mobile­device­manager aerohive api­key

<string> api­instance­id <string>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the aerohive MDM (Aerohive MDM server) to
aerohive
enforce client management such as mobile device enrollment
api­key Set the API key for location group to enable API access on the aerohive MDM
<string> Enter the API key (16 chars)
api­instance­id Set the API instance ID
<string> Enter the instance ID (1­64 chars)

security­object <string> security additional­auth­method mobile­device­manager aerohive onboard

access­ssid <string>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the aerohive MDM (Aerohive MDM server) to
aerohive
enforce client management such as mobile device enrollment
onboard Enable onboard procedures
access­ssid Set SSID for onboard accessing
<string> Enter an SSID profile name (1­32 chars)

security­object <string> security additional­auth­method mobile­device­manager airwatch api­key

<string>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the AirWatch (AirWatch MDM server) to enforce
airwatch
client management such as mobile device enrollment
api­key Set the API key for location group to enable API access on the AirWatch
<string> Enter the API key for location group

security­object <string> security additional­auth­method mobile­device­manager airwatch non­compliant

disconnect­for­vlan­change
security­object
<string>
Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
Enter the security object name (1­32 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 210/315
27/4/2016 Aerohive CLI Guide
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the AirWatch (AirWatch MDM server) to enforce
airwatch
client management such as mobile device enrollment
non­compliant Set the non­compliant parameters
disconnect­for­vlan­
Disconnect the station when the VLAN is changed
change

security­object <string> security additional­auth­method mobile­device­manager airwatch non­compliant

guest­upid <number>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the AirWatch (AirWatch MDM server) to enforce
airwatch
client management such as mobile device enrollment
non­compliant Set the non­compliant parameters
guest­upid Set the user profile attribute number for non­compliant device
<number> Enter the default user profile attribute number (Range: 0­4095)

security­object <string> security additional­auth­method mobile­device­manager airwatch non­compliant

send­message content <string>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the AirWatch (AirWatch MDM server) to enforce
airwatch
client management such as mobile device enrollment
non­compliant Set the non­compliant parameters
send­message Set the send message parameters
content Set the content of message
<string> Enter the content of the message (1­140 chars)

security­object <string> security additional­auth­method mobile­device­manager airwatch non­compliant

send­message title <string>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the AirWatch (AirWatch MDM server) to enforce
airwatch
client management such as mobile device enrollment
non­compliant Set the non­compliant parameters
send­message Set the send message parameters
Set Set the subject of the message (Note: The title only takes effect when message type
title
is email.)
<string> Enter the subject of the message (1­32 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 211/315
27/4/2016 Aerohive CLI Guide
security­object <string> security additional­auth­method mobile­device­manager airwatch non­compliant
send­message type {email|sms|push|all}
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the AirWatch (AirWatch MDM server) to enforce
airwatch
client management such as mobile device enrollment
non­compliant Set the non­compliant parameters
send­message Set the send message parameters
type Set the message type
email Send message using email
sms Send message using SMS (Short Message Service)
push Send message using push
all Send message using all of push, email and SMS

security­object <string> security additional­auth­method mobile­device­manager airwatch url­enrollment

<url>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the AirWatch (AirWatch MDM server) to enforce
airwatch
client management such as mobile device enrollment
url­enrollment Set the enrollment URL path on the AirWatch
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path or http://domain:port/path;
Note: You can substitute "https" for "http".)

security­object <string> security additional­auth­method mobile­device­manager airwatch url­rest­api

<url>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the AirWatch (AirWatch MDM server) to enforce
airwatch
client management such as mobile device enrollment
url­rest­api Set the REST API URL path on the AirWatch
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path or http://domain:port/path;
Note: You can substitute "https" for "http".)

security­object <string> security additional­auth­method mobile­device­manager {jss|aerohive} url­

root­path <url>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 212/315
27/4/2016 Aerohive CLI Guide
additional­auth­method Set an additional authentication method in addition to the one in the security protocol
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the JSS (JAMF software server) to enforce
jss
client management such as mobile device enrollment
Set connection and access parameters for the aerohive MDM (Aerohive MDM server) to
aerohive
enforce client management such as mobile device enrollment
Set the root URL path to the "/enroll" page on the JSS (Note: A JSS always displays the
url­root­path device enrollment page at "/enroll", so enter just the root URL path that precedes
"/enroll".)
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path or http://domain:port/path;
Note: You can substitute "https" for "http".)

security­object <string> security additional­auth­method mobile­device­manager {jss|airwatch|aerohive}

enable
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the JSS (JAMF software server) to enforce
jss
client management such as mobile device enrollment
Set connection and access parameters for the AirWatch (AirWatch MDM server) to enforce
airwatch
client management such as mobile device enrollment
Set connection and access parameters for the aerohive MDM (Aerohive MDM server) to
aerohive
enforce client management such as mobile device enrollment
enable Enable client management through MDM

security­object <string> security additional­auth­method mobile­device­manager {jss|airwatch|aerohive}

os­object <string> [ {ios|mac­os} ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the JSS (JAMF software server) to enforce
jss
client management such as mobile device enrollment
Set connection and access parameters for the AirWatch (AirWatch MDM server) to enforce
airwatch
client management such as mobile device enrollment
Set connection and access parameters for the aerohive MDM (Aerohive MDM server) to
aerohive
enforce client management such as mobile device enrollment
Set the name of an OS of clients whose network traffic you want the Aerohive device to
os­object
redirect to the MDM server for enrollment
<string> Enter the OS object name (1­32 chars)
Define the type of OS object as Apple iOS (Default client OS type: iOS; Note: JSS only
ios
supports iOSv4 or later.)
mac­os Define the type of OS object as Apple Mac OS (Default client OS type: iOS)

security­object <string> security additional­auth­method mobile­device­manager {jss|airwatch} http­

auth user <string> password <string>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 213/315
27/4/2016 Aerohive CLI Guide
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the JSS (JAMF software server) to enforce
jss
client management such as mobile device enrollment
Set connection and access parameters for the AirWatch (AirWatch MDM server) to enforce
airwatch
client management such as mobile device enrollment
http­auth Set parameters for HTTP authentication when the HiveAP connects to the MDM server
user Set the user name for HTTP authentication
<string> Enter the user name (1­32 chars)
password Set the password for HTTP authentication
<string> Enter the password (1­32 chars)

security­object <string> security additional­auth­method mobile­device­manager {jss|airwatch} poll­

status [ interval <number> ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set an additional authentication method in addition to the one in the security protocol
additional­auth­method
suite
mobile­device­manager Set the mobile device manager parameters
Set connection and access parameters for the JSS (JAMF software server) to enforce
jss
client management such as mobile device enrollment
Set connection and access parameters for the AirWatch (AirWatch MDM server) to enforce
airwatch
client management such as mobile device enrollment
poll­status Query the station for enrollment and compliance status periodically
interval Set the query interval
<number> Enter the query interval in seconds (Default: 60; Range: 30­600)

security­object <string> security auth­mode host­based

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
auth­mode Set the authentication mode (Default: host based)
Permit 802.1X authentication for multiple hosts on the same port (Note: For a single
host­based domain, the RADIUS server must assign all hosts to the same VLAN. Traffic from an
authenticated host assigned to a different VLAN is dropped.)

security­object <string> security auth­mode {port­based} [ failure­user­profile­attr <number> ]

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
auth­mode Set the authentication mode (Default: host based)
port­based Limit 802.1X authentication to a single host per port
failure­user­profile­
Set the user profile attribute to assign users who do not pass the authentication check
attr
<number> Enter the failure user profile attribute (Range: 0­4095)

security­object <string> security eap retries <number>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 214/315
27/4/2016 Aerohive CLI Guide
eap Set parameters for exchanging EAP packets during 802.1X authentication
Set the number of times that the HiveAP will resend an EAP packet when it receives no
retries
response from a client
<number> Enter the number of retries (Default: 3; Range: 1­5)

security­object <string> security eap timeout <number>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
eap Set parameters for exchanging EAP packets during 802.1X authentication
Set the interval that the HiveAP waits for a client to respond before resending an EAP
timeout
packet
<number> Enter the EAP timeout in seconds (Default: 30; Range: 5­300)

security­object <string> security ft

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
ft Enable 802.11r fast BSS (basic service sets) transition

security­object <string> security ft mobility­domain­id <number>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
ft Enable 802.11r fast BSS (basic service sets) transition
Set the mobility domain identifier which is used to indicate a group of BSSs (within the
mobility­domain­id
same ESS) between which a station can use 802.11r fast BSS transition
<number> Enter the mobility domain identifier (Default: 19771; Range: 0­65535)

security­object <string> security initial­auth­method mac­based­auth

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
initial­auth­method Set the user authentication method to apply first
Apply MAC­based authentcation first (Note: By default, 802.1X authentication is applied
mac­based­auth
first.)

security­object <string> security local­cache timeout <number>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
local­cache Set parameters for storing PMK (pairwise master key) entries in the local cache
timeout Set the length of time to keep PMK entries before deleting them
Enter the timeout in seconds (Default: 86400; that is, 1 day; Range: 60­604800; that is,
<number>
1 minute to 7 days)

security­object <string> security mac­white­list bypass­cwp

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 215/315
27/4/2016 Aerohive CLI Guide
security Set security parameters for the security object
Set parameters for a list of MAC addresses, in which the login station would have some
mac­white­list special liberty once its MAC address exists (Note: The whitelist can have up to 8
entries.)
Enable bypassing CWP(captive web portal) authentication process for the stations which
bypass­cwp
MAC addresses exist in current security object's MAC white list (Default: Disabled)

security­object <string> security mac­white­list mac­object <string>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
Set parameters for a list of MAC addresses, in which the login station would have some
mac­white­list special liberty once its MAC address exists (Note: The whitelist can have up to 8
entries.)
mac­object Add a MAC object to current MAC white list
<string> Enter the MAC object name (1­32 chars)

security­object <string> security preauth [ interface <ethx|wifix.y|redx|aggx> ]

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
preauth Set an interface to accept pre­authenticated 802.1X frames for fast roaming
interface Set an interface to accept pre­authenticated 802.1X frames for fast roaming
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
<redx> Enter the name of the redundant interface, where x = 0
<aggx> Enter the name of the aggregate interface, where x = 0

security­object <string> security private­psk

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
private­psk Set the parameters for creating individual user PSKs (preshared keys)

security­object <string> security private­psk default­psk­disabled

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
private­psk Set the parameters for creating individual user PSKs (preshared keys)
default­psk­disabled Disable the default PSK (Default: Enabled)

security­object <string> security private­psk external­server [ {web­portal} ]

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
private­psk Set the parameters for creating individual user PSKs (preshared keys)
external­server Look up private PSKs that users submit on an external private PSK server
Enable the creation of a new private PSK when the current PSK expires (Default:
web­portal
disabled)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 216/315
27/4/2016 Aerohive CLI Guide
security­object <string> security private­psk mac­binding­enable
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
private­psk Set the parameters for creating individual user PSKs (preshared keys)
mac­binding­enable Enable the automatic binding of a private PSK to a MAC address (Default: Disabled)

security­object <string> security private­psk mac­binding­keys­per­mac <number>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
private­psk Set the parameters for creating individual user PSKs (preshared keys)
mac­binding­keys­per­
Set the number of PPSKs that are permitted to bind to the same MAC address
mac
<number> Enter the number of PPSKs (Default: 1; Range: 1­5)

security­object <string> security private­psk mac­binding­macs­per­key <number>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
private­psk Set the parameters for creating individual user PSKs (preshared keys)
mac­binding­macs­per­
Set the number of MAC addresses that are permitted to bind one PPSK
key
<number> Enter the number of MAC addresses (Default: 1; Range: 1­5)

security­object <string> security private­psk ppsk­server <ip_addr>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
private­psk Set the parameters for creating individual user PSKs (preshared keys)
Set the HiveAP private PSK server to which other hive members redirect users to self­
ppsk­server
register and receive private PSK assignments automatically
<ip_addr> Enter the mgt0 IP address of the HiveAP private PSK server

security­object <string> security private­psk radius­auth [ {pap|chap|ms­chap­v2} ]

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
private­psk Set the parameters for creating individual user PSKs (preshared keys)
Enable the HiveAP to forward authentication checks for private PSKs to an external
radius­auth RADIUS server and set the method for authenticating communications with it (Default:
disabled)
Set PAP (Password Authentication Protocol) as the method for sending authentication
pap
requests between the HiveAP and RADIUS server (Default: PAP)
Set CHAP (Challenge­Handshake Authentication Protocol) as the method for sending
chap
authentication requests between the HiveAP and RADIUS server (Default: PAP)
Set MS­CHAP­v2 (Microsoft CHAP Version 2) as the method for sending authentication
ms­chap­v2
requests between the HiveAP and RADIUS server (Default: PAP)

security­object <string> security private­psk same­user­limit <number>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 217/315
27/4/2016 Aerohive CLI Guide
security­object Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
private­psk Set the parameters for creating individual user PSKs (preshared keys)
Set a limit for the number of private PSK users that can be authenticated with the same
same­user­limit
user name and PSK concurrently
Enter the maximum number of private PSK users that can use the same user name and PSK
<number>
concurrently (Default: 0, which means there is no limit; Range: 0­15)

security­object <string> security private­psk self­reg­enable

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
private­psk Set the parameters for creating individual user PSKs (preshared keys)
self­reg­enable Enable support of user self­registration (Default: Enabled)

security­object <string> security protocol­suite 802.1x

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
802.1x Set the security protocol suite as 802.1X authentication

security­object <string> security protocol­suite open

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
Set network access as 'open', meaning that user traffic is neither authenticated nor
open
encrypted

security­object <string> security protocol­suite wep­open <number> {hex­key|ascii­key} <string> [

default ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
Set the security protocol suite as preshared­key key management, WEP40/WEP104
wep­open
encryption, and open authentication
<number> Enter the index to identify one of 4 possible WEP keys (Default: 0; Range: 0­3)
hex­key Set key type as hexadecimal
ascii­key Set key type as ASCII (American Standard Code for Information Interchange)
Enter key value (ascii­key: a 5(WEP40)/13(WEP104) characters key; hex­key: a
<string>
10(WEP40)/26(WEP104) digit hex key)
default Set the current key as the default WEP key

security­object <string> security protocol­suite wep­shared <number> {hex­key|ascii­key} <string> [

default ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 218/315
27/4/2016 Aerohive CLI Guide

security Set security parameters for the security object

protocol­suite Set the security protocol suite for the security object
Set the security protocol suite as preshared­key key management, WEP40/WEP104
wep­shared
encryption, and preshared­key authentication
<number> Enter the index to identify one of 4 possible WEP keys (Range: 0­3)
hex­key Set key type as hexadecimal
ascii­key Set key type as ASCII (American Standard Code for Information Interchange)
Enter key value (ascii­key: a 5(WEP40)/13(WEP104) characters key; hex­key: a
<string>
10(WEP40)/26(WEP104) digit hex key)
default Set the current key as the default WEP key

security­object <string> security protocol­suite wep104­8021x [ rekey­period <number> ]

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
Set the security protocol suite as 104­bit WEP encryption and EAP (802.1x)
wep104­8021x
authentication
rekey­period Set the period after which a new group temporal key replaces the current one
Enter the period after which a new group temporal key replaces current one (Default:
<number>
600secs; Min: 600; Max: 50000000)

security­object <string> security protocol­suite wep40­8021x [ rekey­period <number> ]

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
wep40­8021x Set the security protocol suite as 40­bit WEP encryption and EAP (802.1x) authentication
rekey­period Set the period after which a new group temporal key replaces the current one
Enter the period after which a new group temporal key replaces current one (Default:
<number>
600secs; Min: 600; Max: 50000000)

security­object <string> security protocol­suite wpa­auto­8021x [ rekey­period <number> ] [ {non­

strict|strict} ] [ gmk­rekey­period <number> ] [ ptk­timeout <number> ] [ ptk­retry <number> ] [ gtk­
timeout <number> ] [ gtk­retry <number> ] [ roaming proactive­pmkid­response ] [ ptk­rekey­period
<number> ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
Set security protocol suite as WPA­/WPA2­EAP (802.1X) key management, TKIP/AES­CCMP
wpa­auto­8021x
encryption, and EAP (802.1X) authentication
rekey­period Set the period after which a new group temporal key replaces the current one
Enter the period in seconds after which a new group temporal key replaces the current
<number>
one (Range: 0 or 600­50000000, where 0 means disabled; Default: 0)
Refresh the GTK (group temporal key) whenever the rekey period elapses, regardless of
non­strict
whether any clients disassociate (Default: non­strict)
Refresh the GTK whenever a client to which the security object settings are applied
strict disconnects from the HiveAP (Default: non­strict)

gmk­rekey­period Set the GMK (group master key) rekey periodDefault: 0)

Enter the interval in seconds for rekeying the GMK (Range: 0 or 600­50000000, where 0
<number>
means disabled; Default: 0)
Set the interval that the HiveAP waits for client replies during the 4­way handshake in

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 219/315
27/4/2016 Aerohive CLI Guide
ptk­timeout which they derive a PTK (pairwise transient key) for encrypting and decrypting unicast
traffic
<number> Enter the timeout in milliseconds (Range: 100­8000; Default: 4000 milliseconds)
ptk­retry Set the maximum number of times the HiveAP will retry sending PTK messages
<number> Enter the maximum number of retries (Range: 1­10; Default: 3)
Set the interval that the HiveAP waits for client replies during the 2­way handshake in
gtk­timeout which the HiveAP sends a GTK (group temporal key) to the client for encrypting and
decrypting multicast traffic
<number> Enter the timeout in milliseconds (Range: 100­8000; Default: 4000 milliseconds)
gtk­retry Set the maximum number of times the HiveAP will retry sending GTK messages
<number> Enter the maximum number of retries (Range: 1­10; Default: 3)
roaming Set roaming parameters for the protocol suite
proactive­pmkid­ Respond to a client sending an empty PMK (pairwise master key) ID list with a cached PMK
response ID (Default: Disabled)
ptk­rekey­period Set the period after which a new PTK (pairwise transient key) replaces the current one
Enter the period in seconds after which a new PTK replaces the current one (Range: 0 or
<number>
10­50000000, where 0 means disabled; Default: 0)

security­object <string> security protocol­suite wpa­auto­psk {hex­key|ascii­key} <string> [ rekey­

period <number> ] [ {non­strict|strict} ] [ gmk­rekey­period <number> ] [ ptk­timeout <number> ] [
ptk­retry <number> ] [ gtk­timeout <number> ] [ gtk­retry <number> ] [ ptk­rekey­period <number> ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
Set security protocol suite as WPA­/WPA2­PSK (preshared key) key management, TKIP or
wpa­auto­psk
AES­CCMP encryption, open authentication
hex­key Set key type as hexadecimal
ascii­key Set key type as ASCII (American Standard Code for Information Interchange)
<string> Enter key value (ASCII key length: 8­63 chars; hexadecimal key length: 64 hex digits)
rekey­period Set the period after which a new group temporal key replaces the current one
Enter the period in seconds after which a new group temporal key replaces the current
<number>
one (Range: 0 or 600­50000000, where 0 means disabled; Default: 0)
Refresh the GTK (group temporal key) whenever the rekey period elapses, regardless of
non­strict
whether any clients disassociate (Default: non­strict)
Refresh the GTK whenever a client to which the security object settings are applied
strict
disconnects from the HiveAP (Default: non­strict)
gmk­rekey­period Set the GMK (group master key) rekey periodDefault: 0)
Enter the interval for rekeying GMK (Group Master Key; Default: 0; Range: 0 or 600­
<number>
50000000 Seconds, where 0 means disabled)
Set the interval that the HiveAP waits for client replies during the 4­way handshake in
ptk­timeout which they derive a PTK (pairwise transient key) for encrypting and decrypting unicast
traffic
<number> Enter the timeout in milliseconds (Range: 100­8000; Default: 4000 milliseconds)
ptk­retry Set the maximum number of times the HiveAP will retry sending PTK messages
<number> Enter the maximum number of retries (Range: 1­10; Default: 3)
Set the interval that the HiveAP waits for client replies during the 2­way handshake in
gtk­timeout which the HiveAP sends a GTK (group temporal key) to the client for encrypting and
decrypting multicast traffic
<number> Enter the timeout in milliseconds (Range: 100­8000; Default: 4000 milliseconds)
gtk­retry Set the maximum number of times the HiveAP will retry sending GTK messages
<number> Enter the maximum number of retries (Range: 1­10; Default: 3)
ptk­rekey­period Set the period after which a new PTK (pairwise transient key) replaces the current one
Enter the period in seconds after which a new PTK replaces the current one (Range: 0 or
<number>
10­50000000, where 0 means disabled; Default: 0)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 220/315
27/4/2016 Aerohive CLI Guide
security­object <string> security protocol­suite wpa2­aes­8021x [ rekey­period <number> ] [ {non­
strict|strict} ] [ gmk­rekey­period <number> ] [ ptk­timeout <number> ] [ ptk­retry <number> ] [ gtk­
timeout <number> ] [ gtk­retry <number> ] [ roaming proactive­pmkid­response ] [ ptk­rekey­period
<number> ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
Set the security protocol suite as WPA2­EAP (802.1X) key management, AES­CCMP
wpa2­aes­8021x
encryption, and EAP (802.1X) authentication
rekey­period Set the period after which a new group temporal key replaces the current one
Enter the period in seconds after which a new group temporal key replaces the current
<number>
one (Range: 0 or 600­50000000, where 0 means disabled; Default: 0)
Refresh the GTK (group temporal key) whenever the rekey period elapses, regardless of
non­strict
whether any clients disassociate (Default: non­strict)
Refresh the GTK whenever a client to which the security object settings are applied
strict
disconnects from the HiveAP (Default: non­strict)
gmk­rekey­period Set the GMK (group master key) rekey periodDefault: 0)
Enter the interval in seconds for rekeying GMK (Group Master Key; Default: 0; Range: 0
<number>
or 600­Seconds, where 0 means disabled)
Set the interval that the HiveAP waits for client replies during the 4­way handshake in
ptk­timeout which they derive a PTK (pairwise transient key) for encrypting and decrypting unicast
traffic
<number> Enter the timeout in milliseconds (Range: 100­8000; Default: 4000 milliseconds)
ptk­retry Set the maximum number of times the HiveAP will retry sending PTK messages
<number> Enter the maximum number of retries (Range: 1­10; Default: 3)
Set the interval that the HiveAP waits for client replies during the 2­way handshake in
gtk­timeout which the HiveAP sends a GTK (group temporal key) to the client for encrypting and
decrypting multicast traffic
<number> Enter the timeout in milliseconds (Range: 100­8000; Default: 4000 milliseconds)
gtk­retry Set the maximum number of times the HiveAP will retry sending GTK messages
<number> Enter the maximum number of retries (Range: 1­10; Default: 3)
roaming Set roaming parameters for the protocol suite
proactive­pmkid­ Respond to a client sending an empty PMK (Pairwise Master Key) ID list with a cached PMK
response ID (Default: disabled)
ptk­rekey­period Set the period after which a new PTK (pairwise transient key) replaces the current one
Enter the period in seconds after which a new PTK replaces the current one (Range: 0 or
<number>
10­50000000, where 0 means disabled; Default: 0)

security­object <string> security protocol­suite wpa2­aes­psk {hex­key|ascii­key} <string> [ rekey­

period <number> ] [ {non­strict|strict} ] [ gmk­rekey­period <number> ] [ ptk­timeout <number> ] [
ptk­retry <number> ] [ gtk­timeout <number> ] [ gtk­retry <number> ] [ ptk­rekey­period <number> ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
Set the security protocol suite as WPA2­PSK (preshared key) key management, AES­CCMP
wpa2­aes­psk
encryption, and open authentication
hex­key Set key type as hexadecimal
ascii­key Set key type as ASCII (American Standard Code for Information Interchange)
<string> Enter key value (ASCII key length: 8­63 chars; hexadecimal key length: 64 hex digits)
rekey­period Set the period after which a new group temporal key replaces the current one
Enter the period after which a new group temporal key replaces the current one (Default:
<number>
0; Range: 0 or 600­50000000 Seconds, where 0 means disabled)
Refresh the GTK (group temporal key) whenever the rekey period elapses, regardless of
non­strict
whether any clients disassociate (Default: non­strict)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 221/315
27/4/2016 Aerohive CLI Guide
strict Refresh the GTK whenever a client to which the security object settings are applied
disconnects from the HiveAP (Default: non­strict)
gmk­rekey­period Set the GMK (group master key) rekey periodDefault: 0)
Enter the interval for rekeying GMK (Group Master Key; Default: 0; Range: 0 or 600­
<number>
50000000 Seconds, where 0 means disabled)
Set the interval that the HiveAP waits for client replies during the 4­way handshake in
ptk­timeout which they derive a PTK (pairwise transient key) for encrypting and decrypting unicast
traffic
<number> Enter the timeout in milliseconds (Range: 100­8000; Default: 4000 milliseconds)
ptk­retry Set the maximum number of times the HiveAP will retry sending PTK messages
<number> Enter the maximum number of retries (Range: 1­10; Default: 3)
Set the interval that the HiveAP waits for client replies during the 2­way handshake in
gtk­timeout which the HiveAP sends a GTK (group temporal key) to the client for encrypting and
decrypting multicast traffic
<number> Enter the timeout in milliseconds (Range: 100­8000; Default: 4000 milliseconds)
gtk­retry Set the maximum number of times the HiveAP will retry sending GTK messages
<number> Enter the maximum number of retries (Range: 1­10; Default: 3)
ptk­rekey­period Set the period after which a new PTK (pairwise transient key) replaces the current one
Enter the period in seconds after which a new PTK replaces the current one (Range: 0 or
<number>
10­50000000, where 0 means disabled; Default: 0)

security­object <string> security protocol­suite wpa2­tkip­8021x [ rekey­period <number> ] [ {non­

strict|strict} ] [ gmk­rekey­period <number> ] [ ptk­timeout <number> ] [ ptk­retry <number> ] [ gtk­
timeout <number> ] [ gtk­retry <number> ] [ roaming proactive­pmkid­response ] [ ptk­rekey­period
<number> ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
Set the security protocol suite as WPA2­EAP (802.1X) key management, TKIP encryption,
wpa2­tkip­8021x
and EAP (802.1X) authentication
rekey­period Set the period after which a new group temporal key replaces the current one
Enter the period in seconds after which a new group temporal key replaces the current
<number>
one (Range: 0 or 600­50000000, where 0 means disabled; Default: 0)
Refresh the GTK (group temporal key) whenever the rekey period elapses, regardless of
non­strict
whether any clients disassociate (Default: non­strict)
Refresh the GTK whenever a client to which the security object settings are applied
strict
disconnects from the HiveAP (Default: non­strict)
gmk­rekey­period Set the GMK (group master key) rekey periodDefault: 0)
Enter the interval for rekeying GMK (Group Master Key; Default: 0; Range: 0 or 600­
<number>
50000000 Seconds, where 0 means disabled)
Set the interval that the HiveAP waits for client replies during the 4­way handshake in
ptk­timeout which they derive a PTK (pairwise transient key) for encrypting and decrypting unicast
traffic
<number> Enter the timeout in milliseconds (Range: 100­8000; Default: 4000 milliseconds)
ptk­retry Set the maximum number of times the HiveAP will retry sending PTK messages

<number> Enter the maximum number of retries (Range: 1­10; Default: 3)

Set the interval that the HiveAP waits for client replies during the 2­way handshake in
gtk­timeout which the HiveAP sends a GTK (group temporal key) to the client for encrypting and
decrypting multicast traffic
<number> Enter the timeout in milliseconds (Range: 100­8000; Default: 4000 milliseconds)
gtk­retry Set the maximum number of times the HiveAP will retry sending GTK messages
<number> Enter the maximum number of retries (Range: 1­10; Default: 3)
roaming Set roaming parameters for the protocol suite
proactive­pmkid­ Respond to a client sending an empty PMK (pairwise master key) ID list with a cached PMK
response ID (Default: Disabled)
ptk­rekey­period Set the period after which a new PTK (pairwise transient key) replaces the current one

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 222/315
27/4/2016 Aerohive CLI Guide

<number> Enter the period in seconds after which a new PTK replaces the current one (Range: 0 or
10­50000000, where 0 means disabled; Default: 0)

security­object <string> security protocol­suite wpa2­tkip­psk {hex­key|ascii­key} <string> [ rekey­

period <number> ] [ {non­strict|strict} ] [ gmk­rekey­period <number> ] [ ptk­timeout <number> ] [
ptk­retry <number> ] [ gtk­timeout <number> ] [ gtk­retry <number> ] [ ptk­rekey­period <number> ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
Set the security protocol suite as WPA2­PSK (preshared key) key management, TKIP
wpa2­tkip­psk
encryption, and open authentication
hex­key Set key type as hexadecimal
ascii­key Set key type as ASCII (American Standard Code for Information Interchange)
<string> Enter key value (ASCII key length: 8­63 chars; hexadecimal key length: 64 hex digits)
rekey­period Set the period after which a new group temporal key replaces the current one
Enter the period in seconds after which a new group temporal key replaces the current
<number>
one (Range: 0 or 600­50000000, where 0 means disabled; Default: 0)
Refresh the GTK (group temporal key) whenever the rekey period elapses, regardless of
non­strict
whether any clients disassociate (Default: non­strict)
Refresh the GTK whenever a client to which the security object settings are applied
strict
disconnects from the HiveAP (Default: non­strict)
gmk­rekey­period Set the GMK (group master key) rekey periodDefault: 0)
Enter the interval for rekeying GMK (Group Master Key; Default: 0; Range: 0 or 600­
<number>
50000000 Seconds, where 0 means disabled)
Set the interval that the HiveAP waits for client replies during the 4­way handshake in
ptk­timeout which they derive a PTK (pairwise transient key) for encrypting and decrypting unicast
traffic
<number> Enter the timeout in milliseconds (Range: 100­8000; Default: 4000 milliseconds)
ptk­retry Set the maximum number of times the HiveAP will retry sending PTK messages
<number> Enter the maximum number of retries (Range: 1­10; Default: 3)
Set the interval that the HiveAP waits for client replies during the 2­way handshake in
gtk­timeout which the HiveAP sends a GTK (group temporal key) to the client for encrypting and
decrypting multicast traffic
<number> Enter the timeout in milliseconds (Range: 100­8000; Default: 4000 milliseconds)
gtk­retry Set the maximum number of times the HiveAP will retry sending GTK messages
<number> Enter the maximum number of retries (Range: 1­10; Default: 3)
ptk­rekey­period Set the period after which a new PTK (pairwise transient key) replaces the current one
Enter the period in seconds after which a new PTK replaces the current one (Range: 0 or
<number>
10­50000000, where 0 means disabled; Default: 0)

security­object <string> security protocol­suite {wpa­auto­8021x[wpa2­tkip­8021x[wpa2­aes­8021x}

reauth­interval <number>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
wpa­auto­8021x[wpa2­
pa2­aes­8021x Set the default interval for reauthenticating users (no)
tkip­8021x[w
itv::[600~86400]Enter
t reauth interval in seconds (Range: 600­86400; Default: Disabled)
the defaul
reauth­interval Set the default interval for reauthenticating users
<number> Enter the default reauth interval in seconds (Range: 600­86400; Default: Disabled)

security­object <string> security protocol­suite {wpa­auto­8021x[wpa2­tkip­8021x|wpa­auto­psk[wpa2­

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 223/315
27/4/2016 Aerohive CLI Guide
tkip­psk[wpa2­aes­psk[wpa2­aes­8021x} replay­window <number>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
wpa­auto­8021x[wpa2­ Set a window size within which the HiveAP accepts replies to previously sent messages
tkip­8021x during 4­way handshakes (no)
wnd::[0~10]Enter the ackets prior to the one most recently sent to which the HiveAP will accept a reply
number of p (Default: 0; Range: 0­10)
wpa­auto­psk[wpa2­ aes­psk[wpa2­aes­8021x Set a window size within which the HiveAP accepts replies to
tkip­psk[wpa2­ previously sent messages during 4­way handshakes (no)
wnd::[0~10]Enter the ackets prior to the one most recently sent to which the HiveAP will accept a reply
number of p (Default: 0; Range: 0­10)
Set a window size within which the HiveAP accepts replies to previously sent messages
replay­window
during 4­way handshakes
Enter the number of packets prior to the one most recently sent to which the HiveAP will
<number>
accept a reply (Default: 0; Range: 0­10)

security­object <string> security protocol­suite {wpa­auto­8021x[wpa2­tkip­8021x|wpa­auto­psk[wpa2­

tkip­psk} local­tkip­counter­measure
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
Enable the deauthentication of all previously authenticated clients when the local
wpa­auto­8021x[wpa2­
HiveAP detects MIC (message integrity check) failures during TKIP operations (Default:
tkip­8021x
enabled)(no)
Enable the deauthentication of all previously authenticated clients when the local
wpa­auto­psk[wpa2­
HiveAP detects MIC (message integrity check) failures during TKIP operations (Default:
tkip­psk
enabled)(no)
Enable the deauthentication of all previously authenticated clients when the local
local­tkip­counter­
HiveAP detects MIC (message integrity check) failures during TKIP operations (Default:
measure
enabled)

security­object <string> security protocol­suite {wpa­auto­8021x[wpa2­tkip­8021x|wpa­auto­psk[wpa2­

tkip­psk} remote­tkip­counter­measure
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object
Enable the deauthentication of all previously authenticated clients when a client
wpa­auto­8021x[wpa2­
reports MIC (message integrity check) failures during TKIP operations (Default:
tkip­8021x
enabled)](no)
Enable the deauthentication of all previously authenticated clients when a client
wpa­auto­psk[wpa2­
reports MIC (message integrity check) failures during TKIP operations (Default:
tkip­psk
enabled)](no)
Enable the deauthentication of all previously authenticated clients when a client
remote­tkip­counter­
reports MIC (message integrity check) failures during TKIP operations (Default:
measure
enabled)]

security­object <string> security protocol­suite {wpa2­aes­psk|wpa2­aes­8021x} mfp

{mandatory|optional} [ bip ]
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
protocol­suite Set the security protocol suite for the security object

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 224/315
27/4/2016 Aerohive CLI Guide
wpa2­aes­psk Set the security protocol suite as WPA2­PSK (preshared key) key management, AES­CCMP
encryption, and open authentication
Set the security protocol suite as WPA2­EAP (802.1X) key management, AES­CCMP
wpa2­aes­8021x
encryption, and EAP (802.1X) authentication
mfp Enable 802.11w support of MFP (Management Frame Protection)
mandatory Require that clients support MFP
optional Use MFP only if clients support it
bip Set broadcast/multicast integrity protocol

security­object <string> security roaming cache update­interval <number> ageout <number>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
security Set security parameters for the security object
roaming Set roaming parameters for clients to which the security object is applied
Set the interval between updates and the number of times to update a station's roaming
cache
cache
update­interval Set the interval for sending roaming cache updates to neighbors
<number> Enter the roaming cache update interval in seconds (Default: 60; Range: 10­36000)
Set how many times an entry must be absent from a neighbor's updates before removing it
ageout
from the roaming cache
<number> Enter the number of absences required to remove an entry (Default: 60; Range: 1­1000)

security­object <string> user­profile­allowed <string>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
Allow network access for members of all or specified user profiles bound to the security
user­profile­allowed
object
<string> Enter the user profile name (1­32 chars)

security­object <string> user­profile­allowed {all}

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
Allow network access for members of all or specified user profiles bound to the security
user­profile­allowed
object
all Allow network access to members of all user profiles

security­object <string> user­profile­deny action ban [ <number> ] [ strict ]

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
Set parameters for denying network access to users if they do not belong to an allowed
user­profile­deny
user profile
action Set an action which will be taken if a user profile is not allowed to access this SSID
ban Set the action to ban network access for a specified length of time
Enter the amount of time in seconds to perform the action (Default: 60; Range: 1­
<number>
100000000)
Set the behavior to deauthenticate all connected stations whenever a user profile bound
strict to the security object changes (Note: When stations reauthenticate, the user profile
changes take effect.)

security­object <string> user­profile­deny action {ban­forever|disconnect} [ strict ]

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 225/315
27/4/2016 Aerohive CLI Guide
<string> Enter the security object name (1­32 chars)
Set parameters for denying network access to users if they do not belong to an allowed
user­profile­deny
user profile
action Set an action which will be taken if a user profile is not allowed to access this SSID
ban­forever Set the action to ban network access indefinitely
disconnect Set the action to disconnect the station from the HiveAP
Set the behavior to deauthenticate all connected stations whenever a user profile bound
strict to the security object changes (Note: When stations reauthenticate, the user profile
changes take effect.)

security­object <string> user­profile­policy <string>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
user­profile­policy Set the user profile mapping policy
<string> Enter a policy name (1­32 chars)

security­object <string> user­profile­sequence {cwp­ssid­mac|cwp­mac­ssid|ssid­cwp­mac|ssid­mac­

cwp|mac­ssid­cwp|mac­cwp­ssid}
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
Set the sequential order to apply user profiles when the authentication process involves
user­profile­sequence multiple components referencing different profiles (Default: mac­ssid­cwp; Note: The
user profile applied last is the one that is ultimately used.)
Apply the user profile for a captive web portal first, SSID second, and MAC
cwp­ssid­mac
authentication last
Apply the user profile for a captive web portal first, MAC authentication second, and
cwp­mac­ssid
SSID last
Apply the user profile for an SSID first, captive web portal second, and MAC
ssid­cwp­mac
authentication last
Apply the user profile for an SSID first, MAC authentication second, and captive web
ssid­mac­cwp
portal last
Apply the user profile for MAC authentication first, SSID second, and captive web portal
mac­ssid­cwp
last
Apply the user profile for MAC authentication first, captive web portal second, and SSID
mac­cwp­ssid
last

security­object <string> walled­garden hostname <string> [ service {all|web} ]

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
Set the parameters for a walled garden in which unregistered users can access specified
walled­garden
servers (Maximum: 64 IP address and host name entries combined)
hostname Set the host name of a server in the walled garden
<string> Enter the domain name (1­64 chars)
Set the service permitted to reach the server (Maximum: 8 services per IP address or
service
host name entry)
all Permit all services
web Permit HTTP and HTTPS

security­object <string> walled­garden hostname <string> service protocol <number> port <number>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
walled­garden Set the parameters for a walled garden in which unregistered users can access specified
servers (Maximum: 64 IP address and host name entries combined)
hostname Set the host name of a server in the walled garden

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 226/315
27/4/2016 Aerohive CLI Guide
<string> Enter the domain name (1­64 chars)
Set the service permitted to reach the server (Maximum: 8 services per IP address or
service
host name entry)
protocol Set the protocol of the service that you want to permit
<number> Enter the protocol number (Note: UDP: 17; TCP: 6; All: 0; Range: 0­255)
port Set the port number
<number> Enter the port number (Range: 1­65535)

security­object <string> walled­garden ip­address <ip_addr|ip_addr/mask> [ service {all|web} ]

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
Set the parameters for a walled garden in which unregistered users can access specified
walled­garden
servers (Maximum: 64 IP address and host name entries combined)
ip­address Set the IP address of a server or a subnet in the walled garden
Enter the IP address or subnet (Note: To define a subnet, enter the first address in the
<ip_addr> subnet, followed by a slash, and then the routing prefix bit length. Example:
10.1.1.0/24)
Enter the IP address or subnet (Note: To define a subnet, enter the first address in the
<ip_addr/netmask> subnet, followed by a slash, and then the routing prefix bit length. Example:
10.1.1.0/24)
Set the service permitted to reach the server (Maximum: 8 services per IP address or
service
host name entry)
all Permit all services
web Permit HTTP and HTTPS

security­object <string> walled­garden ip­address <ip_addr|ip_addr/mask> service protocol <number>

port <number>
Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
Set the parameters for a walled garden in which unregistered users can access specified
walled­garden
servers (Maximum: 64 IP address and host name entries combined)
ip­address Set the IP address of a server or a subnet in the walled garden
Enter the IP address or subnet (Note: To define a subnet, enter the first address in the
<ip_addr> subnet, followed by a slash, and then the routing prefix bit length. Example:
10.1.1.0/24)
Enter the IP address or subnet (Note: To define a subnet, enter the first address in the
<ip_addr/netmask> subnet, followed by a slash, and then the routing prefix bit length. Example:
10.1.1.0/24)
Set the service permitted to reach the server (Maximum: 8 services per IP address or
service
host name entry)
protocol Set the protocol of the service that you want to permit
<number> Enter the protocol number (Note: UDP: 17; TCP: 6; ICMP: 1; All: 0; Range: 0­255)
port Set the port number
<number> Enter the port number (Range: 1­65535)

security­object <string> web­directory <string>

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
web­directory Enter the web directory name for the captive web portal specified in the security object
<string> Enter the web directory name for the security object

security­object <string> web­server [ port <number> ] [ index­file <string> ] [ success­file <string>

] [ failure­file <string> ] [ ssl server­key <number> ]
security­object Set parameters for a security object controlling network access through the SSIDs and
Ethernet interfaces to which it is applied

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 227/315
27/4/2016 Aerohive CLI Guide

<string> Enter the security object name (1­32 chars)

web­server Enable the internal web server
port Set the HTTP port number for the web server
Enter the HTTP port number for the web server. Set the port number to 0 is disable the
<number>
HTTP method (Default: 80; Range: 0­65535)
index­file Specify the .html file as the default index page
<string> Enter the .html file name (Default: index.html; Range: 1­32 chars)
Specify the .html file that you want to appear after a user successfully registers
success­file
through the captive web portal
<string> Enter the .html file name (Default: success.html; Range: 1­32 chars)
Specify the .html file that you want to appear after a user failed registers through the
failure­file
captive web portal
<string> Enter the .html file name (Default: failure.html; Range: 1­32 chars)
ssl Enable the SSL (Secure Socket Layer) method
server­key Set the server key (a X509 certificate) for SSL
<number> Enter the server key index (Default: 0; Range: 0­15)

security­object <string> web­server web­page {mandatory­field} <number> [ optional­field <number> ]

Set parameters for a security object controlling network access through the SSIDs and
security­object
Ethernet interfaces to which it is applied
<string> Enter the security object name (1­32 chars)
web­server Enable the internal web server
web­page Set the web pages parameters
mandatory­field Set the mandatory field numbers in login web page
<number> Enter the mandatory field numbers in login web page (Default: 4; Range: 0­8)
optional­field Set the optional field numbers in login web page
<number> Enter the optional field numbers in login web page (Default: 2; Range: 0­8)

service <string> alg {ftp|tftp|sip|dns|http}

service Set a custom service
<string> Enter service name (1­32 chars)
alg Assign an ALG (Application Level Gateway) to the service
ftp Assign an FTP (File Transfer Protocol) ALG to the service
tftp Assign a TFTP (Trivial File Transfer Protocol) ALG to the service
sip Assign a SIP (Session Initiation Protocol) ALG to the service
dns Assign a DNS (Domain Name System) ALG to the service
http Assign an HTTP (Hypertext Transfer Protocol) ALG to the service

service <string> app­id <number> [ timeout <number> ]

service Set a custom service
<string> Enter service name (1­32 chars)
app­id Assign an L7 application ID to the service
<number> Assign an L7 application ID to the service
timeout Set the service session timeout
<number> Set the session timeout value in seconds (Range: 0­65535; Default 300)

service <string> protocol <number> [ port <number> ] [ timeout <number> ]

service Set a custom service
<string> Enter service name (1­32 chars)
protocol Set the protocol used by the custom service
<number> Enter the protocol number (Range: 1­255)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 228/315
27/4/2016 Aerohive CLI Guide

port Set the destination port number for the transport protocol
<number> Enter the port number (Range: 0­65535)
timeout Set the service session timeout
Set the session timeout value in seconds (Range: 0­65535; Default TCP: 300; UDP: 100;
<number>
Other: 100)

service <string> protocol {tcp|udp|svp} [ port <number> ] [ timeout <number> ]

service Set a custom service
<string> Enter service name (1­32 chars)
protocol Set the protocol used by the custom service
tcp Enter the transport protocol as TCP (Transmission Control Protocol)
udp Enter the transport protocol as UDP (User Datagram Protocol)
svp Enter the transport protocol as SVP (SpectraLink Voice Priority)
port Set the destination port number for the transport protocol
<number> Enter the port number (Range: 0­65535)
timeout Set the service session timeout
Set the session timeout value in seconds (Range: 0­65535; Default TCP: 300; UDP: 100;
<number>
Other: 100)

sflow enable
sflow Set sflow related parameters
enable Enable sflow (Default: Disabled)

sflow instance <string> interface <ethx|wifix> collector­addr <ip_addr> [ collector­port <number> ] [

sampling­rate <number> ] [ polling­interval <number> ] [ direction {ingress|egress|both} ]
sflow Set sflow related parameters
instance Set sflow instance name (1­32 chars)
<string> Enter the instance name (1­32 chars)
interface Set the interface sflow monitors
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
collector­addr Set the collector address
<ip_addr> Enter the collector IP address
collector­port Set the collector port number (Default: 6343, Range: 1­65535)
<number> Enter the collector port number (Default: 6343, Range: 1­65535)
sampling­rate Set sflow sampling rate (Default: 256, Range: 50­5000)
<number> Enter the instance sampling rate (Default: 256, Range: 50­5000)
polling­interval Set sflow counters polling interval in seconds (Default: 20, Range: 5­3600)
<number> Enter the instance counters polling interval in seconds (Default: 20, Range: 5­3600)
direction Set desired direction of sampled packets (Default: both)
ingress Set desired direction of sampled packets (Default: both) ingress
egress Set desired direction of sampled packets (Default: both) egress
both Set desired direction of sampled packets (Default: both) both

show 802.1x­mac­table [ interface <ethx> ] [ mac <mac_addr> ]

show Show settings, parameters, or dynamically generated information
802.1x­mac­table Show the MAC table used for 802.1X/EAP user authentication on an Ethernet interface
interface Show interface and subinterface parameters
<ethx>
Enter the name of an Ethernet interface, where x = 0 or 1

mac Specify a station MAC address

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 229/315
27/4/2016 Aerohive CLI Guide
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show aaa
show Show settings, parameters, or dynamically generated information
aaa Show parameters for AAA (authentication, authorization, accounting)

show aaa radius­server

show Show settings, parameters, or dynamically generated information
aaa Show parameters for AAA (authentication, authorization, accounting)
radius­server Show RADIUS server parameters

show aaa radius­server NAS [ <string> ]

show Show settings, parameters, or dynamically generated information
aaa Show parameters for AAA (authentication, authorization, accounting)
radius­server Show RADIUS server parameters
NAS Show the shared keys for all RADIUS NASs
<string> Enter a RADIUS NAS name

show aaa radius­server active­session [ username <string> ]

show Show settings, parameters, or dynamically generated information
aaa Show parameters for AAA (authentication, authorization, accounting)
radius­server Show RADIUS server parameters
active­session Show active sessions on the RADIUS server
username Set the username which the active session using for doing RADIUS authentication
<string> Enter a user name (1­128 chars)

show aaa radius­server cache

show Show settings, parameters, or dynamically generated information
aaa Show parameters for AAA (authentication, authorization, accounting)
radius­server Show RADIUS server parameters
cache Show RADIUS server cache entries

show aaa radius­server domain

show Show settings, parameters, or dynamically generated information
aaa Show parameters for AAA (authentication, authorization, accounting)
radius­server Show RADIUS server parameters
domain Show which Active Directory domain the AP has joined

show aaa radius­server proxy [ server ]

show Show settings, parameters, or dynamically generated information
aaa Show parameters for AAA (authentication, authorization, accounting)
radius­server Show RADIUS server parameters
proxy Show all realms parameters
server Show all RADIUS servers parameters

show aaa radius­server­key {radius­server|ldap­client}

show Show settings, parameters, or dynamically generated information
aaa
Show parameters for AAA (authentication, authorization, accounting)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 230/315
27/4/2016 Aerohive CLI Guide
radius­server­key Show all certificates that the local AP uses as a RADIUS server and LDAP client
radius­server Show certificates that the local AP uses as a RADIUS server
ldap­client Show certificates that the local AP uses as a LDAP client

show access­console
show Show settings, parameters, or dynamically generated information
access­console Show access console status and parameters

show acsp
show Show settings, parameters, or dynamically generated information
acsp Show parameters for ACSP (Advanced Channel Selection Protocol)

show acsp channel­info [ {detail|arbiter} ]

show Show settings, parameters, or dynamically generated information
acsp Show parameters for ACSP (Advanced Channel Selection Protocol)
channel­info Show channel information for ACSP
Show detailed channel information about the calculated cost of each channel and the
detail
factors used to determine that cost
arbiter Show information regarding the assignment of channels to hive members

show acsp neighbor

show Show settings, parameters, or dynamically generated information
acsp Show parameters for ACSP (Advanced Channel Selection Protocol)
neighbor Show acsp neighbor list

show admin [ active ]

show Show settings, parameters, or dynamically generated information
admin Show admin parameters
active Show currently connected admin users

show admin auth

show Show settings, parameters, or dynamically generated information
admin Show admin parameters
auth Show admin authentication method

show admin manager­ip

show Show settings, parameters, or dynamically generated information
admin Show admin parameters
manager­ip Show IP addresses from which administrative traffic is accepted

show alg [ {ftp|tftp|sip|dns|http} ]

show Show settings, parameters, or dynamically generated information
alg Show ALG (Application Level Gateway) information
ftp Show FTP (File Transfer Protocol) information
tftp Show TFTP (Trivial File Transfer Protocol) information
sip Show SIP (Session Initiation Protocol) information
dns Show DNS (Domain Name System) information
http Show settings for the HTTP ALG

show alg sip calls [ <string> ]

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 231/315
27/4/2016 Aerohive CLI Guide
show Show settings, parameters, or dynamically generated information
alg Show ALG (Application Level Gateway) information
sip Show SIP (Session Initiation Protocol) information
calls Show information for all currently active SIP calls
<string> Enter the call ID to show information for a specific SIP call (1 ­ 128 chars)

show amrp
show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters

show amrp Ethlink

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
Show the number of AMRP Ethernet links, and the number of hive members and interfaces on
Ethlink
each link

show amrp Ethlink <mac_addr>

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
Show the number of AMRP Ethernet links, and the number of hive members and interfaces on
Ethlink
each link
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show amrp bonjour [ <ip_addr> ]

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
bonjour Show Bonjour information
<ip_addr> Enter the BDD IPv4­address

show amrp client [ <mac_addr> ]

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
client Show information about currently active clients associated with all hive members
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show amrp dnxp cache [ <mac_addr> ]

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
dnxp Show DNXP (Dynamic Network Extension Protocol) information
cache Show the entire DNXP cache or the cached entry for a specific client
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show amrp dnxp neighbor [ <mac_addr> ]

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
dnxp Show DNXP (Dynamic Network Extension Protocol) information
neighbor Show information about all DNXP neighbors or a specific neighbor to which the local
HiveAP can tunnel the traffic of roaming clients
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 232/315
27/4/2016 Aerohive CLI Guide
show amrp interface
show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
Show AMRP statistics for access interfaces reporting client associations and backhaul
interface
interfaces exchanging route information with other AMRP nodes

show amrp interface <ethx|redx|aggx> bmt­table

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
Show AMRP statistics for access interfaces reporting client associations and backhaul
interface
interfaces exchanging route information with other AMRP nodes
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<redx> Enter the name of the redundant interface, where x = 0
<aggx> Enter the name of the aggregate interface, where x = 0
bmt­table Broadcast Master Table

show amrp interface <ethx|redx|aggx> mac­learning

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
Show AMRP statistics for access interfaces reporting client associations and backhaul
interface
interfaces exchanging route information with other AMRP nodes
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<redx> Enter the name of the redundant interface, where x = 0
<aggx> Enter the name of the aggregate interface, where x = 0
mac­learning Show the MAC addresses learned on this interface

show amrp interface <ethx|redx|aggx|mgtx|wifix.y>

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
Show AMRP statistics for access interfaces reporting client associations and backhaul
interface
interfaces exchanging route information with other AMRP nodes
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<redx> Enter the name of the redundant interface, where x = 0
<aggx> Enter the name of the aggregate interface, where x = 0
<mgtx> Enter the name of the management interface, where x = 0
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)

show amrp neighbor [ {Ethernet|WiFi} ]

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
Show AMRP neighbor information (Note: An AMRP neighbor is another hive member that is
neighbor
one hop away.)
Ethernet Show AMRP neighbors that connect to the local HiveAP through its Ethernet interfaces
WiFi Show AMRP neighbors that connect to the local HiveAP through its WiFi interfaces

show amrp node <ip_addr|mac_addr>

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
Show information about all AMRP nodes or a specific node (Note: An AMRP node is another
node
hive member in the same layer­2 domain.)
<ip_addr> Enter node address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 233/315
27/4/2016 Aerohive CLI Guide
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show amrp node [ all ]

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
Show information about all AMRP nodes or a specific node (Note: An AMRP node is another
node
hive member in the same layer­2 domain.)
all Show amrp all node detail

show amrp static­neighbor

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
static­neighbor Show AMRP information for neighbors with statically defined route metrics

show amrp tunnel [ <ip_addr> ]

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
Show a information about all DNXP, INXP (Identity Network Extension Protocol), and VPN
tunnel
tunnels or about a tunnel to a specific peer
<ip_addr> Enter the tunnel peer IPv4 address

show amrp tunnel route [ <ip_addr> ]

show Show settings, parameters, or dynamically generated information
amrp Show AMRP (Advanced Mobility Routing Protocol) parameters
Show a information about all DNXP, INXP (Identity Network Extension Protocol), and VPN
tunnel
tunnels or about a tunnel to a specific peer
route Show tunneled route
<ip_addr> Enter the tunneled route IPv4 address

show application identification [ cdp­index <number> ] [ cdp­name <string> ]

show Show settings, parameters, or dynamically generated information
application Show L7 information
identification Show L7 identification related parameters
cdp­index Set index for custom defined application
<number> Enter the index for custom defined application (Range: 19000­19099)
cdp­name Show L7 custom applications
<string> Enter the name of the custom defined application (1 to 8 characters)

show application reporting app­stats

show Show settings, parameters, or dynamically generated information
application Show L7 information
reporting Show L7 application reporting information
app­stats Show L7 application reporting application statistics

show application reporting applications

show Show settings, parameters, or dynamically generated information
application Show L7 information
reporting Show L7 application reporting information
applications Show L7 application reporting application information

show application reporting configuration

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 234/315
27/4/2016 Aerohive CLI Guide
show Show settings, parameters, or dynamically generated information
application Show L7 information
reporting Show L7 application reporting information
configuration Show L7 application reporting configuration

show application reporting statistics

show Show settings, parameters, or dynamically generated information
application Show L7 information
reporting Show L7 application reporting information
statistics Show L7 application reporting statistics

show arp­cache
show Show settings, parameters, or dynamically generated information
arp­cache Show arp cache table

show auth [ interface <wifix.y|ethx> ]

show Show settings, parameters, or dynamically generated information
auth Show authentication parameters per interface
interface Show authentication parameters for special interface
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1

show auth mac­binding <string> [ <mac_addr> ] [ <string> ]

show Show settings, parameters, or dynamically generated information
auth Show authentication parameters per interface
mac­binding Show MAC address binding information
<string> Show MAC address binding for the SSID, enter an SSID profile name (1­32 chars)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
<string> Show MAC address binding for the user, enter the username of PPSK (1­32 chars)

show auth private­psk

show Show settings, parameters, or dynamically generated information
auth Show authentication parameters per interface
private­psk Show private PSK (preshared key) entries

show band­steering status

show Show settings, parameters, or dynamically generated information
band­steering Show settings, parameters, or dynamically generated information
status Show parameters for band steering in the WLAN

show bonjour­gateway filter

show Show settings, parameters, or dynamically generated information
bonjour­gateway Show the settings and status of the Bonjour gateway
Show the rules that filter which services the local Bonjour gateway transmits to Bonjour
filter
gateways in other subnets

show bonjour­gateway service local [ vlan <number> ] [ detail ]

show Show settings, parameters, or dynamically generated information
bonjour­gateway Show the settings and status of the Bonjour gateway

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 235/315
27/4/2016 Aerohive CLI Guide
service Show the Bonjour services that the local gateway discovered locally and those it learned
from other gateways
Show all the services that the local Bonjour gateway collected from hosts onits
local
immediate subnet
vlan Show the services that the local Bonjour gateway knows are available on a specific VLAN
<number> Enter the VLAN ID number (Range: 1­4094)
detail Show detailed information about Bonjour services

show bonjour­gateway service remote [ vlan <number> ] [ detail ]

show Show settings, parameters, or dynamically generated information
bonjour­gateway Show the settings and status of the Bonjour gateway
Show the Bonjour services that the local gateway discovered locally and those it learned
service
from other gateways
Show the services that the local Bonjour gateway learned about through communications
remote
with remote gateways on different subnets
vlan Show the services that the local Bonjour gateway knows are available on a specific VLAN
<number> Enter the VLAN ID number (Range: 1­4094)
detail Show detailed information about Bonjour services

show bonjour­gateway status

show Show settings, parameters, or dynamically generated information
bonjour­gateway Show the settings and status of the Bonjour gateway
status Show the status of the local Bonjour gateway

show bonjour­gateway vlan

show Show settings, parameters, or dynamically generated information
bonjour­gateway Show the settings and status of the Bonjour gateway
vlan Show Bonjour Gateway VLANs status

show boot­param
show Show settings, parameters, or dynamically generated information
boot­param Show boot parameter information

show boot­param country­code

show Show settings, parameters, or dynamically generated information
boot­param Show boot parameter information
country­code Show the country code to control channel and power selections

show cac summary

show Show settings, parameters, or dynamically generated information
cac Show CAC (Call Admission Control) parameters
summary Show a summary of CAC settings and statistics

show capture interface <wifix>

show Show settings, parameters, or dynamically generated information
capture Show packet capture parameters
interface Show the status of packet capturing on a radio interface
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1

show capture local

show Show settings, parameters, or dynamically generated information

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 236/315
27/4/2016 Aerohive CLI Guide
capture Show packet capture parameters
local Show local captured files

show capture remote­sniffer

show Show settings, parameters, or dynamically generated information
capture Show packet capture parameters
remote­sniffer Show the status and connection settings for the remote packet sniffer

show capwap client

show Show settings, parameters, or dynamically generated information
Show the settings and current status for CAPWAP (Control and Provisioning of Wireless
capwap
Access Points)
client Show CAPWAP client settings and current status

show client­info­collection [ ip <ip_addr> ]

show Show settings, parameters, or dynamically generated information
client­info­collection Show client information collection result
ip Show client information by IP address
<ip_addr> Enter client IP address

show client­load­balance status

show Show settings, parameters, or dynamically generated information
client­load­balance Show settings, parameters, or dynamically generated information
status Show parameters for client load balancing in the WLAN

show client­monitor info

show Show settings, parameters, or dynamically generated information
client­monitor Show Client Monitor parameters
info Show client monitor v2.0 running data and history data

show client­monitor policy [ <string> ]

show Show settings, parameters, or dynamically generated information
client­monitor Show Client Monitor parameters
policy Show the parameters of all Client Monitor policies or one specified policy
<string> Enter the name of a Client Monitor policy (1­32 chars)

show clock
show Show settings, parameters, or dynamically generated information
clock Show the date, time of the internal clock

show cmds
show Show settings, parameters, or dynamically generated information
cmds Show CLI (Command Line Interface) commands including ones derived from optional keywords

show config rollback

show Show settings, parameters, or dynamically generated information
Show parameters for the current configuration file, which is a flash file containing
config
default and admin­defined settings
Show the configuration rollback status, the mechanism for triggering it, and the length
rollback
of time to wait before performing a rollback operation

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 237/315
27/4/2016 Aerohive CLI Guide
show config running
show Show settings, parameters, or dynamically generated information
Show parameters for the current configuration file, which is a flash file containing
config
default and admin­defined settings
running Show the running configuration

show config running password

show Show settings, parameters, or dynamically generated information
Show parameters for the current configuration file, which is a flash file containing
config
default and admin­defined settings
running Show the running configuration
Show passwords and sensitive networking keys as obscured text strings in the output
password (Default: Passwords and keys are represented by asterisks; Note: A HiveAP can recover an
original string from an obscured one, but not if the string is replaced with asterisks.)

show config version

show Show settings, parameters, or dynamically generated information
Show parameters for the current configuration file, which is a flash file containing
config
default and admin­defined settings
version Show the version number of the current configuration file

show config {current|backup|bootstrap|default|failed}

show Show settings, parameters, or dynamically generated information
Show parameters for the current configuration file, which is a flash file containing
config
default and admin­defined settings
current Show the current configuration
backup Show the backup configuration
bootstrap Show the bootstrap configuration
default Show the default configuration
failed Show the failed configuration

show console
show Show settings, parameters, or dynamically generated information
console Show console parameter

show cpu [ {detail} ]

show Show settings, parameters, or dynamically generated information
Show the percentage of the CPU used in total, for system operations, and for processing
cpu
user traffic
detail Show CPU utilization in detail

show data­collection
show
data­collection
Show settings, parameters, or dynamically generated information
Show parameters for collecting data about the types and capabilities of devices on the
network and their network usage

show device­group [ <string> ]

show Show settings, parameters, or dynamically generated information
device­group Show all device group names or the settings of an individual device group
<string> Enter a device group name (1­32 chars)

show dns
show Show settings, parameters, or dynamically generated information

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 238/315
27/4/2016 Aerohive CLI Guide
dns Show DNS (Domain Name System) parameters

show dns dynamic­dns

show Show settings, parameters, or dynamically generated information
dns Show DNS (Domain Name System) parameters
dynamic­dns Show dynamic DNS parameters

show domain­object [ <string> ]

show Show settings, parameters, or dynamically generated information
Show all domain object names or the device domains assigned to an individual domain
domain­object
object
<string> Enter an domain object name (1­32 chars)

show filter [ <number> ]

show Show settings, parameters, or dynamically generated information
filter Show capture filter parameters
<number> Enter a filter ID (Range: 1­64)

show forwarding­engine counters [ interface <wifix|wifix.y|ethx|mgtx|aggx|redx> ] [ station <mac_addr>

] [ drop ]
show Show settings, parameters, or dynamically generated information
forwarding­engine Show forwarding engine parameters
counters Show forwarding engine counter statistics
interface Show forwarding engine counter by interface
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<mgtx> Enter the name of the management interface, where x = 0
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
station Show forwarding engine counter by station MAC
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
drop Show the drop packet counter

show forwarding­engine inter­ssid­flood

show Show settings, parameters, or dynamically generated information
forwarding­engine Show forwarding engine parameters
inter­ssid­flood Show status of flooding multicast or broadcast packets between access interfaces

show forwarding­engine ip­gates

show Show settings, parameters, or dynamically generated information
forwarding­engine Show forwarding engine parameters
ip­gates Show IP gates information

show forwarding­engine ip­sessions [ src­ip <ip_addr> ] [ dst­ip <ip_addr> ] [ src­port <number> ] [

dst­port <number> ] [ protocol <number> ] [ qos <number> ]
show Show settings, parameters, or dynamically generated information
forwarding­engine Show forwarding engine parameters
ip­sessions Show IP session information
src­ip Filter by source IP

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 239/315
27/4/2016 Aerohive CLI Guide
<ip_addr> Source IP address
dst­ip Filter by destination IP
<ip_addr> Destination IP address
src­port Filter by source port
<number> source IP port (Range: 1­65535)
dst­port Filter by destination port
<number> destination IP port (Range: 1­65535)
protocol Filter by protocol
<number> protocol (Range: 1­255)
qos Filter by QoS value
<number> QoS value (Range: 0­7)

show forwarding­engine ip­sessions id <number>

show Show settings, parameters, or dynamically generated information
forwarding­engine Show forwarding engine parameters
ip­sessions Show IP session information
id Show a IP session by ID
<number> Enter the flow ID (Range: 1­9999)

show forwarding­engine mac­sessions [ src­mac <mac_addr> ] [ dst­mac <mac_addr> ] [ vlan <number> ]

show Show settings, parameters, or dynamically generated information
forwarding­engine Show forwarding engine parameters
mac­sessions Show MAC session information
src­mac Filter by source MAC
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
dst­mac Filter by destination MAC
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
vlan Filter by VLAN ID of station
<number> VLAN ID (Range: 1­4094)

show forwarding­engine mac­sessions id <number>

show Show settings, parameters, or dynamically generated information
forwarding­engine Show forwarding engine parameters
mac­sessions Show MAC session information
id Show a MAC session by ID
<number> Enter the flow ID (Range: 1­9999)

show forwarding­engine max­ip­sess­per­station

show Show settings, parameters, or dynamically generated information
forwarding­engine Show forwarding engine parameters
max­ip­sess­per­
Show the maximum number of IP sessions that can be created to or from a station
station

show forwarding­engine max­mac­sess­per­station

show Show settings, parameters, or dynamically generated information
forwarding­engine Show forwarding engine parameters
max­mac­sess­per­
Show the maximum number of MAC sessions that can be created to or from a station
station

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 240/315
27/4/2016 Aerohive CLI Guide
show forwarding­engine open­ports­to­self
show Show settings, parameters, or dynamically generated information
forwarding­engine Show forwarding engine parameters
Show permitted services destined for the HiveAP itself when it is set to drop all non­
open­ports­to­self
management traffic

show forwarding­engine policy

show Show settings, parameters, or dynamically generated information
forwarding­engine Show forwarding engine parameters
policy Show policy information

show forwarding­engine static­rule

show Show settings, parameters, or dynamically generated information
forwarding­engine Show forwarding engine parameters
static­rule Show static packet­forwarding rules that preempts dynamic forwarding decisions

show forwarding­engine tunnel selective­multicast­forward

show Show settings, parameters, or dynamically generated information
forwarding­engine Show forwarding engine parameters
tunnel Show tunnel (GRE tunnel or GRE­over­IPsec tunnel) parameters
selective­multicast­
Show the settings for selective multicast forwarding through GRE tunnels
forward

show forwarding­engine tunnel tcp­mss­threshold

show Show settings, parameters, or dynamically generated information
forwarding­engine Show forwarding engine parameters
tunnel Show tunnel (GRE tunnel or GRE­over­IPsec tunnel) parameters
tcp­mss­threshold Show TCP MSS threshold parameters

show gre­tunnel
show Show settings, parameters, or dynamically generated information
gre­tunnel Show GRE (Generic Routing Encapsulation) tunnel information

show high­density status

show Show settings, parameters, or dynamically generated information
high­density Show parameters for optimizing performance in a high­density WLAN
Show high­density settings and the running status of operations pertaining to them on
status
both the 2.4 and 5 GHz radio bands

show history
show Show settings, parameters, or dynamically generated information
history Show command history

show hive <string> connecting­threshold

show Show settings, parameters, or dynamically generated information
hive Show hive parameters
<string> Enter a hive profile name (1­32 chars)
connecting­threshold Show hive neighbor connecting threshold parameters

show hive <string> counter neighbor [ <mac_addr> ]

show Show settings, parameters, or dynamically generated information

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 241/315
27/4/2016 Aerohive CLI Guide
hive Show hive parameters
<string> Enter a hive profile name (1­32 chars)
counter Show detailed statistics (counters) for neighboring hive members
neighbor Show statistics for all neighbors or a single neighbor in this hive
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show hive <string> manage

show Show settings, parameters, or dynamically generated information
hive Show hive parameters
<string> Enter a hive profile name (1­32 chars)
manage Show management options enabled on wireless backhaul interfaces in this hive

show hive <string> neighbor [ mac <mac_addr> ]

show Show settings, parameters, or dynamically generated information
hive Show hive parameters
<string> Enter a hive profile name (1­32 chars)
Show information about all neighbors currently associated with the Hive or about the
neighbor
ongoing wireless activity of a specific neighbor
Show the ongoing wireless activity of a neighbor that is currently associated with the
mac
Hive (Note: To stop the display of output, press CTRL+C.)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show hive <string> security wlan dos

show Show settings, parameters, or dynamically generated information
hive Show hive parameters
<string> Enter a hive profile name (1­32 chars)
security Show hive security parameters
wlan Show WLAN parameters
dos Show WLAN Dos parameters

show hive [ <string> ]

show Show settings, parameters, or dynamically generated information
hive Show hive parameters
<string> Enter a hive profile name (1­32 chars)

show hivemanager
show Show settings, parameters, or dynamically generated information
hivemanager Show HiveManager parameters

show hiveui cas client

show Show settings, parameters, or dynamically generated information
Show settings of the NetConfig UI for defining network settings, configuring settings to
hiveui
connect to HiveManager, and uploading a new HiveOS image
Show client and server parameters for CAS (Central Authentication Service), a protocol
cas
for authenticating users such as teachers accessing TeacherView
client Show parameters for the local AP to act as a CAS client

show hw­info
show Show settings, parameters, or dynamically generated information
hw­info Show hardware information

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 242/315
27/4/2016 Aerohive CLI Guide
show icsa
show Show settings, parameters, or dynamically generated information
icsa Show ICSA (International Computer Security Association) parameters

show idm
show Show settings, parameters, or dynamically generated information
idm Show ID Manager information

show interface <blex> ibeacon

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<blex> Enter the name of the iBeacon interface, where x = 0
ibeacon Show the Bluetooth iBeacon device

show interface <blex> ibeacon­monitor list

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<blex> Enter the name of the iBeacon interface, where x = 0
ibeacon­monitor Show the dectected Bluetooth iBeacon device
list Show the dectected Bluetooth iBeacon device list

show interface <ethx> default­route­vlan

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
default­route­vlan Show all VLAN IDs for the default Layer 2 route on the interface

show interface <ethx> pppoe

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
pppoe Show PPPoE settings and status

show interface <ethx|aggx|redx> allowed­vlan

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
allowed­vlan Show all allowed VLAN IDs on the interface

show interface <ethx|aggx|redx> mac­learning {static|dynamic|all}

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
mac­learning Show entries in the MAC address learning table
static Show statically defined MAC address entries

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 243/315
27/4/2016 Aerohive CLI Guide
dynamic Show dynamically learned MAC address entries
all Show statically defined and dynamically learned MAC address entries

show interface <ethx|aggx|redx> manage

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
manage Show management options enabled on this interface

show interface <ethx|aggx|redx> qos­classifier

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
qos­classifier Show the QoS classification profile (classifier) assigned to the interface

show interface <ethx|aggx|redx> qos­marker

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
qos­marker Show the QoS marker profile assigned to the interface

show interface <ethx|aggx|redx> rate­limit

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0
rate­limit Show the settings for interface­based rate limiting

show interface <mgtx.y> manage

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
manage Show management options enabled on this interface

show interface <mgtx> dhcp keepalive

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<mgtx> Enter the name of the management interface, where x = 0
dhcp Show DHCP parameters
Show the status for keepalives to DHCP servers in the native VLAN, management interface
keepalive
VLAN, and all VLANs set in the DHCP keepalive range

show interface <mgtx> dhcp­probe results­summary

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 244/315
27/4/2016 Aerohive CLI Guide
show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<mgtx> Enter the name of the management interface, where x = 0
dhcp­probe Show DHCP probe parameters
results­summary Show a summary of DHCP probe results

show interface <mgtx> ipv6 dhcp client

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<mgtx> Enter the name of the management interface, where x = 0
ipv6 Show mgt0 IPv6 dhcp clent
dhcp Show DHCP parameters
client Show DHCP client parameters

show interface <mgtx|ethx|bgdx.y|usbnetx|wifix.y> dhcp client

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<mgtx> Enter the name of the management interface, where x = 0
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<bgdx.y> Enter the name of the BGD (Bonjour Gateway Daemon) interface (Ranges: x: 0; y: 1­16)
<usbnetx> Enter the name of the wireless USB modem interface, where x = 0
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
dhcp Show DHCP parameters
client Show DHCP client parameters

show interface <mgtx|mgtx.y> dhcp­server [ detail ]

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Show the DHCP server parameters
detail Show details about the DHCP leases for currently active clients

show interface <mgtx|mgtx.y> dhcp­server ip­binding

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Show the DHCP server parameters
ip­binding Show binding parameters between the IP address and MAC address of a client

show interface <mgtx|mgtx.y> dhcp­server reserved­address

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
dhcp­server Show the DHCP server parameters

reserved­address Show ranges of reserved addresses

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 245/315
27/4/2016 Aerohive CLI Guide
show interface <mgtx|mgtx.y> ip­helper
show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
ip­helper Show IP helper address information

show interface <mgtx|mgtx.y> ip­helper max­hops

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)
ip­helper Show IP helper address information
max­hops Show max hops

show interface <wifix.y> multicast

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
multicast Show multicast settings, statistics, groups, and group members

show interface <wifix> channel

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
channel Show channel list of the radio interface

show interface <wifix> dfs

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
dfs Show DFS (Dynamic Frequency Selection) status

show interface <wifix> multicast

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
multicast Show multicast settings, statistics, groups, and group members

show interface <wifix> wlan­idp ap­info

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
wlan­idp Show WLAN IDP (intrusion detection and prevention) parameters
ap­info Show IDP AP statistics for the radio interface

show interface <wifix> wlan­idp ap­info compliance {compliant|non­compliant}

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 246/315
27/4/2016 Aerohive CLI Guide
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
wlan­idp Show WLAN IDP (intrusion detection and prevention) parameters
ap­info Show IDP AP statistics for the radio interface
compliance Show one compliance type of IDP AP statistics for the radio interface
compliant Show compliant type of IDP AP statistics for the radio interface
non­compliant Show non­compliant type of IDP AP statistics for the radio interface

show interface <wifix> wlan­idp ap­info type {rogue|valid|external}

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
wlan­idp Show WLAN IDP (intrusion detection and prevention) parameters
ap­info Show IDP AP statistics for the radio interface
type Show one type of IDP AP statistics for the radio interface
rogue Show rogue type of IDP AP statistics for the radio interface
valid Show valid type of IDP AP statistics for the radio interface
external Show external type of IDP AP statistics for the radio interface

show interface <wifix> wlan­idp client­info

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
wlan­idp Show WLAN IDP (intrusion detection and prevention) parameters
client­info Show IDP client statistics for the radio interface

show interface <wifix> wlan­idp mitigate rogue­ap [ <mac_addr> ]

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
wlan­idp Show WLAN IDP (intrusion detection and prevention) parameters
mitigate Show mitigated rogue APs and their clients
rogue­ap Show rogue APs currently being mitigated or clients connected to a specific rogue AP
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show interface <wifix|wifix.y> counter

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
counter Show detailed statistics (counters) for traffic traversing the interface

show interface [ <ethx|mgtx|mgtx.y|wifix|wifix.y|redx|aggx|tunnelx|bgdx.y> ]

show Show settings, parameters, or dynamically generated information
interface Show interface and subinterface parameters
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<mgtx> Enter the name of the management interface, where x = 0
<mgtx.y> Enter the name of the virtual management interface (Ranges: x: 0; y: 1­16)

<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 247/315
27/4/2016 Aerohive CLI Guide
<wifix.y> Enter the name of a Wi­Fi radio subinterface (Ranges: x: 0­1; y: 1­16)
<redx> Enter the name of the redundant interface, where x = 0
<aggx> Enter the name of the aggregate interface, where x = 0
<tunnelx> Enter the name of the tunnel interface, where x = 0 or 1
<bgdx.y> Enter the name of the BGD (Bonjour Gateway Daemon) interface (Ranges: x: 0; y: 1­16)

show ip nat­policy
show Show settings, parameters, or dynamically generated information
ip Show IP parameters
nat­policy Show parameters for a IP nat policy

show ip nat­policy <string>

show Show settings, parameters, or dynamically generated information
ip Show IP parameters
nat­policy Show parameters for a IP nat policy
<string> Enter ip nat policy name (1­32 chars)

show ip nat­policy service­port­list

show Show settings, parameters, or dynamically generated information
ip Show IP parameters
nat­policy Show parameters for a IP nat policy
service­port­list List all the service ports currently used by system and nat­policy virtual­host config

show ip path­mtu­discovery
show Show settings, parameters, or dynamically generated information
ip Show IP parameters
path­mtu­discovery Show the Path MTU Discovery status

show ip policy­route [ {l3­tunnel­all|l3­tunnel­exception|l3­tunnel­split|l3­tunnel­drop} ]

show Show settings, parameters, or dynamically generated information
ip Show IP parameters
Show all IP policy routing tables or a specific table (Note: If you do not specify a
policy­route
type of routing table, all tables are shown.)
l3­tunnel­all Show the IP policy routing table for tunneling all outbound traffic
Show the IP policy routing table for tunneling all outbound traffic other than that
l3­tunnel­exception
listed as a layer­3 tunnel exception
Show the IP policy routing table for tunneling traffic whose destination is the network
l3­tunnel­split behind the VPN gateway while forwarding all other outbound traffic to the default
gateway defined on the branch router
Show the IP policy routing table for dropping all traffic whose destination is the
l3­tunnel­drop
network behind the VPN gateway

show ip route
show Show settings, parameters, or dynamically generated information
ip Show IP parameters
route Show IP routing table

show ip session nat­policy

show Show settings, parameters, or dynamically generated information
ip Show IP parameters
session Show status of ip sessions
nat­policy Show status of ip sessions related to nat policy

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 248/315
27/4/2016 Aerohive CLI Guide

show ip session nat­policy <string>

show Show settings, parameters, or dynamically generated information
ip Show IP parameters
session Show status of ip sessions
nat­policy Show status of ip sessions related to nat policy
<string> Enter ip nat policy name (1­32 chars)

show ip tcp­mss­threshold
show Show settings, parameters, or dynamically generated information
ip Show IP parameters
tcp­mss­threshold Show the TCP MSS threshold parameters

show ip­policy
show Show settings, parameters, or dynamically generated information
ip­policy Show parameters for IP policy

show ip­policy <string>

show Show settings, parameters, or dynamically generated information
ip­policy Show parameters for IP policy
<string> Enter an IP policy name (1­32 chars)

show ip­policy user­profile <number|string> [ {from­access|to­access} ] [ from <ip_addr|string> <mask>

] [ to <ip_addr|string> <mask> ] [ service <string> ] [ action {permit|deny|inter­station­traffic­
drop} ] [ lines <number> ]
show Show settings, parameters, or dynamically generated information
ip­policy Show parameters for IP policy
user­profile Show parameters for a user profile
<number> Enter the user profile name or ID
<string> Enter the user profile name or ID
from­access Show IP policy for data sent from this station
to­access how IP policy for data arriving at this station
from Show the specific source IP (Default: any)
<ip_addr> Enable an IP or net address
<string> Enable an IP or net address
Enter a netmask or IP wildcard mask in which 0 masks the octet where it appears (For
<mask> example, the 0s in '255.0.0.255' mask the second and third octets, applying the IP
policy to all addresses matching only the first and fourth octets.)
to Show the specific destination IP (Default: any)
<ip_addr> Enter an IP or net address
<string> Enter an IP or net address
Enter a netmask or IP wildcard mask in which 0 masks the octet where it appears (For
<mask> example, the 0s in '255.0.0.255' mask the second and third octets, applying the IP
policy to all addresses matching only the first and fourth octets.)
service Show the specific service (Default: any)
<string> Enter the service (1­32 chars)
action Show the action (Default:any)
permit Set the action

deny Set the action

inter­station­traffic­
Set the action
drop
lines Set the most number of IP policy to show

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 249/315
27/4/2016 Aerohive CLI Guide
<number> Enter a num (Range: 1­32)

show ipv6 route

show Show settings, parameters, or dynamically generated information
ipv6 Show IPV6 parameters
route Show IPV6 routing table

show l3 interface [ ipv6 ]

show Show settings, parameters, or dynamically generated information
l3 Show Layer 3 information
interface Show all Layer 3 interfaces
ipv6 ipv6::Show all ipv6 Layer 3 interfaces

show library­sip­policy [ <string> ]

show Show settings, parameters, or dynamically generated information
library­sip­policy Display library SIP policy settings
<string> Enter a library SIP policy name (1­32 chars)

show license
show Show settings, parameters, or dynamically generated information
license Show license information

show lldp [ {cdp} ] [ {neighbor} ]

show Show settings, parameters, or dynamically generated information
lldp Set LLDP (Link Layer Discovery Protocol) parameters
cdp Set CDP (Cisco Discovery Protocol) parameters
neighbor Show the LLDP or CDP neighbor table

show location [ {aeroscout|tzsp} ]

show Show settings, parameters, or dynamically generated information
location Show parameters for location tracking
aeroscout Show parameters for the location processing engine
tzsp Show parameters for the location processing engine

show location aerohive

show Show settings, parameters, or dynamically generated information
location Show parameters for location tracking
aerohive Show parameters for the Aerohive location processing engine

show location aerohive list

show Show settings, parameters, or dynamically generated information
location Show parameters for location tracking
aerohive Show parameters for the Aerohive location processing engine
list Show the entries in the track list

show location aerohive rssi

show Show settings, parameters, or dynamically generated information
location Show parameters for location tracking

aerohive Show parameters for the Aerohive location processing engine

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 250/315
27/4/2016 Aerohive CLI Guide
rssi Show the RSSI readings of tracked stations

show location aerohive rssi mac <mac_addr>

show Show settings, parameters, or dynamically generated information
location Show parameters for location tracking
aerohive Show parameters for the Aerohive location processing engine
rssi Show the RSSI readings of tracked stations
mac Show the RSSI readings of a specific tracked station as determined by its MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show location aerohive rssi oui <oui>

show Show settings, parameters, or dynamically generated information
location Show parameters for location tracking
aerohive Show parameters for the Aerohive location processing engine
rssi Show the RSSI readings of tracked stations
Show the RSSI readings of specific tracked stations as determined by the OUI
oui
(organizationally unique identifier) portion of their MAC addresses
Enter the OUI (Note: You can use colons, dashes, or periods to format the OUI. Examples:
<oui>
Apple iPhone=00:1b:63; D­Link Phone=00­17­9a; Vocera=00.09.ef.)

show location {aeroscout|tzsp} counter

show Show settings, parameters, or dynamically generated information
location Show parameters for location tracking
aeroscout Show parameters for the location processing engine
tzsp Show parameters for the location processing engine
counter Show statistics for location reports sent to the location processing engine

show logging
show Show settings, parameters, or dynamically generated information
logging Show logging information

show logging {buffered|flash|debug} [ level

{emergency|alert|critical|error|warning|notification|info|debug} ] [ tail <number> ] [ date <date> ] [
time <time> ]
show Show settings, parameters, or dynamically generated information
logging Show logging information
buffered Show buffered messages
flash Show flash messages
debug Show debug messages
level Specify a logging level
emergency Show emergency­level log entries (Default: debug)
alert Show log entries from alert to emergency levels (Default: debug)
critical Show log entries from critical to emergency levels (Default: debug)
error Show log entries from error to emergency levels (Default: debug)
warning Show log entries from warning to emergency levels (Default: debug)
notification Show log entries from notification to emergency levels (Default: debug)
info Show log entries from info to emergency levels (Default: debug)
debug Show log entries for all severity levels (Default: debug)

tail Show log number

<number> Show log number (Range: 1­65535)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 251/315
27/4/2016 Aerohive CLI Guide
date Show messages start date
<date> Show messages date (Format: yyyy­mm­dd; Range: 1970­01­01 to 2035­12­31)
time Show messages start time
<time> Show messages time (Format: hh:mm:ss)

show mac­object [ <string> ]

show Show settings, parameters, or dynamically generated information
mac­object Show all MAC object names or the parameters of an individual MAC object
<string> Enter an MAC object name (1­32 chars)

show mac­policy
show Show settings, parameters, or dynamically generated information
mac­policy Show parameters for MAC policy

show mac­policy <string> [ from <mac_addr> [ <number> ] ] [ to <mac_addr> [ <number> ] ] [ action

{permit|deny} ] [ lines <number> ]
show Show settings, parameters, or dynamically generated information
mac­policy Show parameters for MAC policy
<string> Enter a MAC policy name (1­32 chars)
from Show the specific source MAC (Default: any)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
<number> Enter a MAC mask length (value: 0, 24, 48)
to Show the specific destination MAC (Default: any)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
<number> Enter a MAC mask length (value: 0, 24, 48)
action Show the specific action (Default:any)
permit Set the action
deny Set the action
lines Set the most number of MAC policy to show
<number> Enter a num (Range: 1­32)

show mac­policy user­profile <number|string> [ {from­access|to­access} ] [ from <mac_addr> [ <number>

] ] [ to <mac_addr> [ <number> ] ] [ action {permit|deny} ] [ lines <number> ]
show Show settings, parameters, or dynamically generated information
mac­policy Show parameters for MAC policy
user­profile Show parameters for a user profile
<number> Enter the user profile name or ID
<string> Enter the user profile name or ID
from­access Show MAC policy for data sent from this station
to­access how IP policy for data arriving at this station
from Show the specific source MAC (Default: any)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
<number> Enter a MAC mask length (value: 0, 24, 48)
to Show the specific destination MAC (Default: any)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
<number> Enter a MAC mask length (value: 0, 24, 48)
action Show the specific action (Default:any)
permit Set the action

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 252/315
27/4/2016 Aerohive CLI Guide
deny Set the action
lines Set the most number of MAC policy to show
<number> Enter a num (Range: 1­32)

show mdnsd [ {cache|auth­record|duplicate­record|auth­record­proxied|duplicate­record­proxied|active­

client­requests|interface|questions|memory|others} ]
show Show settings, parameters, or dynamically generated information
mdnsd Show MDNS daemon information
cache Show MDNS daemon cache information
auth­record Show MDNS daemon auth­record information
duplicate­record Show MDNS daemon duplicate­record information
auth­record­proxied Show MDNS daemon auth­record­proxied information
duplicate­record­
Show MDNS daemon duplicate­record­proxied information
proxied
active­client­requests Show MDNS daemon active­client­requests information
interface Show MDNS daemon interface information
questions Show MDNS daemon questions information
memory Show MDNS daemon memory information
others Show MDNS daemon others information

show mdnsd counter [ vlan <number> ]

show Show settings, parameters, or dynamically generated information
mdnsd Show MDNS daemon information
counter Show MDNS packet counters
vlan Show MDNS packet counters on a specific VLAN
<number> Enter the VLAN ID number (Range: 1­4094)

show memory [ {detail} ]

show Show settings, parameters, or dynamically generated information
memory Show total, free, and used system memory statistics
detail Show system memory statistics in detail

show min­password­length
show Show settings, parameters, or dynamically generated information
min­password­length Show the minimum password length

show mobile­device­policy [ <string> ]

show Show settings, parameters, or dynamically generated information
mobile­device­policy Show all mobile device policy names or the settings of an individual policy
<string> Enter a mobile device policy name (1­32 chars)

show mobility­policy [ <string> ]

show Show settings, parameters, or dynamically generated information
Show the parameters of all mobility policies or enter the name of a specific policy to
mobility­policy
see the parameters for just that one
<string> Enter the name of a specific mobility policy

show mobility­threshold gre­tunnel permitted­load

show Show settings, parameters, or dynamically generated information
mobility­threshold Show the settings for tunneling mobile user traffic
Show the settings for the volume of traffic that the local AP accepts through GRE

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 253/315
27/4/2016 Aerohive CLI Guide
gre­tunnel tunnels (Note: This only applies to portals in a L3 roaming environment.)

Show the level determining how much tunneled traffic from mobile users the local AP
permitted­load
accepts

show network­firewall
show Show settings, parameters, or dynamically generated information
network­firewall Show all rules in the Layer 3 firewall policy

show ntp
show Show settings, parameters, or dynamically generated information
ntp Show NTP (Network Time Protocol) parameters

show os­detection [ {option55­to­os­database|dhcp­fingerprint­version} ]

show Show settings, parameters, or dynamically generated information
os­detection Display the OS (Operating System) detection configuration
option55­to­os­ Display the contents of the database that contains the option55­to­database mapping
database (Note: The command displays user configuration database and default database contents.)
dhcp­fingerprint­
Display DHCP fingerprint file version
version

show os­object [ <string> ]

show Show settings, parameters, or dynamically generated information
os­object Show all OS object names or the operating systems assigned to an individual OS object
<string> Enter an OS object name (1­32 chars)

show performance­sentinel
show Show settings, parameters, or dynamically generated information
performance­sentinel Show performance sentinel parameters

show ppsk schedule [ <string> ]

show Show settings, parameters, or dynamically generated information
ppsk Show parameters of private­PSK
schedule Show information about previously defined private­PSK schedules
<string> Enter a name to see information about a specific schedule (1­32 chars)

show proxy
show Show settings, parameters, or dynamically generated information
proxy Show proxy parameters

show qos
show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters

show qos classifier­map 80211e [ <number> ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
classifier­map Show the mapping of QoS priority markers on incoming packets to Aerohive QoS classes
Show mapping of IEEE 802.11e priority markers on incoming packets to Aerohive QoS
80211e
classes
<number> Enter the IEEE 802.11e user priority (Range: 0­7)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 254/315
27/4/2016 Aerohive CLI Guide
show qos classifier­map 8021p [ <number> ]
show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
classifier­map Show the mapping of QoS priority markers on incoming packets to Aerohive QoS classes
8021p Show mapping of IEEE 802.1p priority markers on incoming packets to Aerohive QoS classes
<number> Enter IEEE 802.1p priority (Range: 0­7)

show qos classifier­map diffserv [ <number> ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
classifier­map Show the mapping of QoS priority markers on incoming packets to Aerohive QoS classes
Show mapping of diffserv DSCP (Differentiated Services Code Point) values on incoming
diffserv
packets to Aerohive QoS classes
<number> Enter The DSCP class (Range: 0­63)

show qos classifier­map interface <ethx|aggx|redx>

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
classifier­map Show the mapping of QoS priority markers on incoming packets to Aerohive QoS classes
interface Show interface­based classification table
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<aggx> Enter the name of the aggregate interface, where x = 0
<redx> Enter the name of the redundant interface, where x = 0

show qos classifier­map oui [ <oui> ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
classifier­map Show the mapping of QoS priority markers on incoming packets to Aerohive QoS classes
oui Show the MAC OUI (Organizational Unique Identifier) classification table
Enter the OUI (Note: You can use colons, dashes, or periods to format the OUI. Examples:
<oui>
Apple iPhone=00:1b:63; D­Link Phone=00­17­9a; Vocera=00.09.ef.)

show qos classifier­map service [ <string> ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
classifier­map Show the mapping of QoS priority markers on incoming packets to Aerohive QoS classes
Show the service­based classification table or enter the name of a specific service to
service
see the QoS classification for just that one
<string> Enter the name of a specific service

show qos classifier­map ssid <string>

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
classifier­map Show the mapping of QoS priority markers on incoming packets to Aerohive QoS classes
ssid Show SSID (Service Set Identifier) profile names and individual profile parameters
<string> Enter an SSID name

show qos classifier­profile [ <string> ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
Show the parameters of all QoS classification profiles or enter the name of a specific

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 255/315
27/4/2016 Aerohive CLI Guide
classifier­profile profile to see the parameters of just that one

<string> Enter the name of a specific QoS classifier profile

show qos counter user [ <mac_addr> ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
counter Show QoS statistics counters
user Show station QoS statistics counters
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show qos counter user­profile [ <string> ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
counter Show QoS statistics counters
Show QoS statistics counters for all user profiles or enter the name of a specific user
user­profile
profile to see counters for just that one
<string> Enter the name of a specific user profile

show qos l3­police [ detail ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
l3­police Show configuration or statistics for simplified Layer 3 (VoIP QoS) policing
detail detail::Show detailed configuration for all interfaces

show qos l3­police interface <string> [ detail ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
l3­police Show configuration or statistics for simplified Layer 3 (VoIP QoS) policing
interface Show configuration for a single interface
<string> Interface name
detail detail::Show detailed configuration for the specified interface

show qos l3­police statistics [ detail ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
l3­police Show configuration or statistics for simplified Layer 3 (VoIP QoS) policing
statistics Show statistics for simplified Layer 3 (VoIP QoS) policing
detail detail::Show detailed statistics for all interfaces

show qos l3­police statistics interface <string> [ detail ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
l3­police Show configuration or statistics for simplified Layer 3 (VoIP QoS) policing
statistics Show statistics for simplified Layer 3 (VoIP QoS) policing
interface Show statistics for a single interface
<string> Interface name
detail detail::Show detailed statistics for the specified interface

show qos marker­map 80211e [ <number> ]

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 256/315
27/4/2016 Aerohive CLI Guide
show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
marker­map Show the mapping of Aerohive QoS classes to QoS priority markers on outgoing packets
Show mapping of Aerohive QoS classes to IEEE 802.11e priority markers on outgoing
80211e
packets
<number> Enter the Aerohive QoS class (Range: 0­7)

show qos marker­map 8021p [ <number> ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
marker­map Show the mapping of Aerohive QoS classes to QoS priority markers on outgoing packets
8021p Show mapping of Aerohive QoS classes to IEEE 802.1p priority markers on outgoing packets
<number> Enter the Aerohive QoS class (Range: 0­7)

show qos marker­map diffserv [ <number> ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
marker­map Show the mapping of Aerohive QoS classes to QoS priority markers on outgoing packets
Show map of Aerohive QoS classes to diffserv DSCP (Differentiated Services Code Point)
diffserv
values on outgoing packets
<number> Enter the Aerohive QoS class (Range: 0­7)

show qos marker­map {diffserv|8021p} <string>

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
marker­map Show the mapping of Aerohive QoS classes to QoS priority markers on outgoing packets
Show map of Aerohive QoS classes to diffserv DSCP (Differentiated Services Code Point)
diffserv
values on outgoing packets
8021p Show mapping of Aerohive QoS classes to IEEE 802.1p priority markers on outgoing packets
<string> Enter marker name (1­32 chars)

show qos marker­profile [ <string> ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
Show the parameters for all QoS marker profiles or enter a name to see those of a
marker­profile
specific one
<string> Enter the name of a specific QoS marker profile

show qos policy [ <string> ]

show Show settings, parameters, or dynamically generated information
qos Show QoS (Quality of Service) parameters
policy Show the parameters for all QoS policies or enter a name to see those of a specific one
<string> Enter the name of a specific a QoS policy

show radio profile [ <string> ]

show Show settings, parameters, or dynamically generated information
radio Show radio profile parameters
profile Show radio profile parameters for an interface
<string> Enter a radio profile name

show reboot schedule

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 257/315
27/4/2016 Aerohive CLI Guide
show Show settings, parameters, or dynamically generated information

reboot Show if the system is scheduled to reboot

schedule Show the next scheduled reboot time, if set

show report statistic

show Show settings, parameters, or dynamically generated information
report Show report parameters for traffic statistics
statistic Show parameters for reporting interface­level and client­level traffic statistics

show reset­button
show Show settings, parameters, or dynamically generated information
Show the state of reset button to reset the AP to its factory default settings or, if
reset­button
set, to a bootstrap config

show roaming cache

show Show settings, parameters, or dynamically generated information
roaming Show the roaming cache and neighbors
cache Show the roaming cache containing MAC addresses and PMKs (Pairwise Master Keys)

show roaming cache mac <mac_addr>

show Show settings, parameters, or dynamically generated information
roaming Show the roaming cache and neighbors
cache Show the roaming cache containing MAC addresses and PMKs (Pairwise Master Keys)
mac Specify a station MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show roaming neighbor [ mac <mac_addr> ] [ ip <ip_addr> ]

show Show settings, parameters, or dynamically generated information
roaming Show the roaming cache and neighbors
neighbor Show the neighbors to which associated stations can roam
mac Specify a station MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
ip Specify station IP
<ip_addr> Specify IP address

show route
show Show settings, parameters, or dynamically generated information
route Show route parameters

show routing internal­sub­network

show Show settings, parameters, or dynamically generated information
routing Show routing parameters
internal­sub­network Show all internal subnetworks used in branch offices

show routing policy

show Show settings, parameters, or dynamically generated information
routing Show routing parameters
policy Show parameters for a routing policy

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 258/315
27/4/2016 Aerohive CLI Guide
show routing policy <string>
show Show settings, parameters, or dynamically generated information
routing Show routing parameters
policy Show parameters for a routing policy
<string> Enter routing policy name (1­32 chars)

show routing policy <string> route

show Show settings, parameters, or dynamically generated information
routing Show routing parameters
policy Show parameters for a routing policy
<string> Enter routing policy name (1­32 chars)
route Show route for routing policy

show routing route­request

show Show settings, parameters, or dynamically generated information
routing Show routing parameters
route­request Show parameters for requesting routing information

show routing {match­map|route­map} [ <string> ]

show Show settings, parameters, or dynamically generated information
routing Show routing parameters
match­map Show the match map of routing policy
route­map Show the route map of routing policy
<string> Show the name of match map or route map

show running­config
show Show settings, parameters, or dynamically generated information
running­config Show currently running configurations

show running­config password

show Show settings, parameters, or dynamically generated information
running­config Show currently running configurations
Show passwords and sensitive networking keys as obscured text strings in the output
password (Default: Passwords and keys are represented by asterisks; Note: A HiveAP can recover an
original string from an obscured one, but not if the string is replaced with asterisks.)

show running­config users [ password ] [ all ]

show Show settings, parameters, or dynamically generated information
running­config Show currently running configurations
users Show users configurations
Show passwords and sensitive networking keys as obscured text strings in the output
password (Default: Passwords and keys are represented by asterisks; Note: A HiveAP can recover an
original string from an obscured one, but not if the string is replaced with asterisks.)
all Show all the user configurations including temporary users

show running­config xauth­clients [ password ]

show Show settings, parameters, or dynamically generated information
running­config Show currently running configurations
Show the configuration of VPN clients and the passwords that they submit to the VPN
xauth­clients
server during the Xauth procedure between IKE phase 1 and phase 2 negotiations
Show passwords and sensitive networking keys as obscured text strings in the output
password (Default: Passwords and keys are represented by asterisks; Note: A HiveAP can recover an

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 259/315
27/4/2016 Aerohive CLI Guide
original string from an obscured one, but not if the string is replaced with asterisks.)

show schedule [ <string> ]

show Show settings, parameters, or dynamically generated information
schedule Show information about previously defined schedules
<string> Enter a name to see information about a specific schedule (1­32 chars)

show schedule­in­detail
show Show settings, parameters, or dynamically generated information
schedule­in­detail Show detailed information about all previously defined schedules

show security mac­filter [ <string> ]

show Show settings, parameters, or dynamically generated information
security Show security parameters
mac­filter Show MAC­filter parameters
<string> Specify MAC­filter name

show security protocol­suite

show Show settings, parameters, or dynamically generated information
security Show security parameters
protocol­suite Show predefine security protocol suites

show security­object <string> dhcp­server

show Show settings, parameters, or dynamically generated information
security­object Show security object names and individual parameters
<string> Enter a security object name (1­32 chars)
dhcp­server Show DHCP­server parameters

show security­object <string> dns­server

show Show settings, parameters, or dynamically generated information
security­object Show security object names and individual parameters
<string> Enter a security object name (1­32 chars)
dns­server Show DNS­server parameters

show security­object <string> mobile­device­manager {jss|airwatch|aerohive}

show Show settings, parameters, or dynamically generated information
security­object Show security object names and individual parameters
<string> Enter a security object name (1­32 chars)
mobile­device­manager Show mobile device manager parameters
jss JAMP software server
airwatch AirWatch MDM server
aerohive Aerohive MDM server

show security­object <string> mobile­device­policy

show Show settings, parameters, or dynamically generated information
security­object Show security object names and individual parameters
<string> Enter a security object name (1­32 chars)
mobile­device­policy Show the mobile device policy to which the security object is bound

show security­object <string> security aaa

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 260/315
27/4/2016 Aerohive CLI Guide

show Show settings, parameters, or dynamically generated information

security­object Show security object names and individual parameters
<string> Enter a security object name (1­32 chars)
security Show security settings
aaa Show AAA (authentication, authorization, and accounting) settings

show security­object <string> security mac­white­list

show Show settings, parameters, or dynamically generated information
security­object Show security object names and individual parameters
<string> Enter a security object name (1­32 chars)
security Show security settings
mac­white­list Show the members in MAC white list

show security­object <string> security protocol­suite

show Show settings, parameters, or dynamically generated information
security­object Show security object names and individual parameters
<string> Enter a security object name (1­32 chars)
security Show security settings
protocol­suite Show the security protocol suite

show security­object <string> walled­garden

show Show settings, parameters, or dynamically generated information
security­object Show security object names and individual parameters
<string> Enter a security object name (1­32 chars)
walled­garden Show the list of walled gardens

show security­object <string> web­server

show Show settings, parameters, or dynamically generated information
security­object Show security object names and individual parameters
<string> Enter a security object name (1­32 chars)
web­server Show the internal web server configuration in the interface

show security­object [ <string> ]

show Show settings, parameters, or dynamically generated information
security­object Show security object names and individual parameters
<string> Enter a security object name (1­32 chars)

show service [ <string> ]

show Show settings, parameters, or dynamically generated information
service Show details or counters about predefined and custom services
<string> Show the transport protocol, port, and timeout for a specific service

show service [ <string> ] counter

show Show settings, parameters, or dynamically generated information
service Show details or counters about predefined and custom services
<string> Show the transport protocol, port, and timeout for a specific service
counter Show counter statistics for all services or for a specific service

show sflow

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 261/315
27/4/2016 Aerohive CLI Guide
show Show settings, parameters, or dynamically generated information

sflow Show sflow related parameters

show sflow instance [ <string> ]

show Show settings, parameters, or dynamically generated information
sflow Show sflow related parameters
instance Set sflow instance name (1­32 chars)
<string> Enter the instance name

show snmp [ {v3­admin} ]

show Show settings, parameters, or dynamically generated information
snmp Show SNMP (Simple Network Management Protocol) parameters
v3­admin Show parameters for SNMP v3 administrators

show snmp community [ {read­only} ]

show Show settings, parameters, or dynamically generated information
snmp Show SNMP (Simple Network Management Protocol) parameters
community Show previously defined SNMP communities and their parameters
read­only Enter a community privilege to show previously defined SNMP communities parameters

show snmp contact

show Show settings, parameters, or dynamically generated information
snmp Show SNMP (Simple Network Management Protocol) parameters
contact Show SNMP contact information

show snmp location

show Show settings, parameters, or dynamically generated information
snmp Show SNMP (Simple Network Management Protocol) parameters
location Show the AP location for SNMP

show snmp trap­host

show Show settings, parameters, or dynamically generated information
snmp Show SNMP (Simple Network Management Protocol) parameters
trap­host Show parameters for SNMP trap host

show ssh­tunnel
show Show settings, parameters, or dynamically generated information
ssh­tunnel Show SSH (Secure Shell) tunnel parameters

show ssid <string> admctl tsinfo [ sta <mac_addr> ]

show Show settings, parameters, or dynamically generated information
ssid Show SSID (Service Set Identifier) profile names and individual profile parameters
<string> Enter an SSID profile name (1­32 chars)
admctl Show WMM­Admission Control parameters
tsinfo Show TS info for SSID [with station ]
sta Enter STA with MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show ssid <string> counter station [ <mac_addr> ]

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 262/315
27/4/2016 Aerohive CLI Guide
show Show settings, parameters, or dynamically generated information
ssid Show SSID (Service Set Identifier) profile names and individual profile parameters
<string> Enter an SSID profile name (1­32 chars)
Show detailed statistics (counters) for stations (wireless clients) associated with the
counter
SSID
station Show statistics for all stations or a specific station associated with the SSID
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show ssid <string> manage

show Show settings, parameters, or dynamically generated information
ssid Show SSID (Service Set Identifier) profile names and individual profile parameters
<string> Enter an SSID profile name (1­32 chars)
manage Show management options enabled on subinterfaces bound to the SSID

show ssid <string> multicast

show Show settings, parameters, or dynamically generated information
ssid Show SSID (Service Set Identifier) profile names and individual profile parameters
<string> Enter an SSID profile name (1­32 chars)
multicast Show multicast settings

show ssid <string> qos­classifier

show Show settings, parameters, or dynamically generated information
ssid Show SSID (Service Set Identifier) profile names and individual profile parameters
<string> Enter an SSID profile name (1­32 chars)
qos­classifier Show the QoS classification profile (classifier) assigned to the interface

show ssid <string> qos­marker

show Show settings, parameters, or dynamically generated information
ssid Show SSID (Service Set Identifier) profile names and individual profile parameters
<string> Enter an SSID profile name (1­32 chars)
qos­marker Show the QoS marker profile assigned to the interface

show ssid <string> schedule [ detail ]

show Show settings, parameters, or dynamically generated information
ssid Show SSID (Service Set Identifier) profile names and individual profile parameters
<string> Enter an SSID profile name (1­32 chars)
schedule Show all schedules bound to the SSID
detail Show detailed information about all schedules bound to the SSID

show ssid <string> security screening [ detail ]

show Show settings, parameters, or dynamically generated information
ssid Show SSID (Service Set Identifier) profile names and individual profile parameters
<string> Enter an SSID profile name (1­32 chars)
security Show SSID security parameters
screening Show SSID security screening parameters
detail Show more information

show ssid <string> security wlan dos

show Show settings, parameters, or dynamically generated information

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 263/315
27/4/2016 Aerohive CLI Guide
ssid Show SSID (Service Set Identifier) profile names and individual profile parameters
<string> Enter an SSID profile name (1­32 chars)
security Show SSID security parameters
wlan Show SSID WLAN parameters
dos Show SSID DoS parameters

show ssid <string> station [ mac <mac_addr> ]

show Show settings, parameters, or dynamically generated information
ssid Show SSID (Service Set Identifier) profile names and individual profile parameters
<string> Enter an SSID profile name (1­32 chars)
Show information about all stations currently associated with the SSID or about the
station
ongoing wireless activity of a specific station
Show the ongoing wireless activity of a station that is currently associated with the
mac
SSID (Note: To stop the display of output, press CTRL+C.)
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show ssid <string> station ipv6

show Show settings, parameters, or dynamically generated information
ssid Show SSID (Service Set Identifier) profile names and individual profile parameters
<string> Enter an SSID profile name (1­32 chars)
Show information about all stations currently associated with the SSID or about the
station
ongoing wireless activity of a specific station
ipv6 Show IPv6 related information

show ssid <string> user­group

show Show settings, parameters, or dynamically generated information
ssid Show SSID (Service Set Identifier) profile names and individual profile parameters
<string> Enter an SSID profile name (1­32 chars)
user­group Show SSID bind user­groups

show ssid [ <string> ]

show Show settings, parameters, or dynamically generated information
ssid Show SSID (Service Set Identifier) profile names and individual profile parameters
<string> Enter an SSID profile name (1­32 chars)

show ssid­schedule
show Show settings, parameters, or dynamically generated information
ssid­schedule Show the status of all SSID schedules

show station [ <mac_addr> ]

show Show settings, parameters, or dynamically generated information
Show information about all stations or about the ongoing wireless activity of a specific
station
station
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show station [ <mac_addr> ] counter

show Show settings, parameters, or dynamically generated information
Show information about all stations or about the ongoing wireless activity of a specific
station
station
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 264/315
27/4/2016 Aerohive CLI Guide
counter Show detailed statistics (counters) for stations (wireless clients) associated with the
HiveAP

show station ipv6

show Show settings, parameters, or dynamically generated information
Show information about all stations or about the ongoing wireless activity of a specific
station
station
ipv6 Show IPv6 related information

show supplicant cert­file [ <string> ]

show Show settings, parameters, or dynamically generated information
supplicant Show supplicant parameters
cert­file Show cert files for supplicant
<string> Enter the name of the certificate

show supplicant name [ <string> ]

show Show settings, parameters, or dynamically generated information
supplicant Show supplicant parameters
name Show supplicant names
<string> Enter a supplicant object name (1­32 chars)

show system
show Show settings, parameters, or dynamically generated information
system Show system information

show system connection­trap delay

show Show settings, parameters, or dynamically generated information
system Show system parameters
connection­trap Show system connection­trap parameters
delay Show system connection­trap delay value

show system disk­info

show Show settings, parameters, or dynamically generated information
system Show system information
disk­info Show disk information

show system led

show Show settings, parameters, or dynamically generated information
system Show system information
led Show LED configuration parameters and current status

show system power mode

show Show settings, parameters, or dynamically generated information
system Show system information
power Show power information
mode Show power mode information

show system power status

show Show settings, parameters, or dynamically generated information
system Show system information

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 265/315
27/4/2016 Aerohive CLI Guide
power Show power information
status Show power status information

show system processes [ state ]

show Show settings, parameters, or dynamically generated information
system Show system information
processes Show processes information
state Show processes running state

show system temperature

show Show settings, parameters, or dynamically generated information
system Show system information
temperature Show the current system temperature and temperature monitoring parameters

show teacher­view resource­map

show Show settings, parameters, or dynamically generated information
Show parameters for TeacherView, a tool for controlling student access to the network
teacher­view
and monitoring their activity
Show all previously defined mappings of network resources to IP addresses and port
resource­map
numbers

show tech
show Show settings, parameters, or dynamically generated information
Show the output of many "show" commands that display all the important settings and
tech
runtime data

show tech <url> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [ proxy­admin
<string> password <string> ] ]
show Show settings, parameters, or dynamically generated information
Show the output of many "show" commands that display all the important settings and
tech
runtime data
Enter the HTTP protocol, remote server domain name, port, directory path, and file name
<url> (Default port: 80; 1­256 chars; Format: http://domain/path/file,
http://domain:port/path/file; Note: You can substitute 'https' for 'http'.)
admin Set the name of the server administrator
<string> Enter the administrator name (1­32 chars)
password Set the password for the server administrator
<string> Enter the server password (1­64 chars)
Set the access authentication scheme as basic, which appends a user name and password
basic
encoded with the Base64 algorithm to the authorization header in HTTP requests
Set the access authentication scheme as digest, which appends an MD5 checksum of the
digest
username, password, and other values to the authorization header in HTTP requests
proxy Set parameters for the HTTP proxy server
Enter the domain name or IP address and, optionally, the port number for the HTTP proxy
<string> server (Max length: 64 chars; Format: domainname, ip_addr, domainname:port, or
ip_addr:port)
proxy­admin Set the name of the proxy administrator
<string> Enter the proxy administrator name (1­32 chars)
password Set the password for the proxy administrator

<string> Enter the proxy password (1­64 chars)

show time­zone
show Show settings, parameters, or dynamically generated information
time­zone Show time zone

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 266/315
27/4/2016 Aerohive CLI Guide
show track [ <string> ]
show Show settings, parameters, or dynamically generated information
track Show IP tracking information
<string> Show IP tracking information for the group (1­32 chars)

show track­wan
show Show settings, parameters, or dynamically generated information
track­wan Show Wan interface IP tracking information

show usb­device
show Show settings, parameters, or dynamically generated information
Show the following information about the internal USB hub and any device connected to
the USB port: bus number, device number, vendor ID, and product ID (Note: You can learn
usb­device
the vendor name by looking up the vendor ID and product ID in the USB ID list at
http://www.linux­usb.org/usb.ids)

show usbmodem [ modem­id <string> ]

show Show settings, parameters, or dynamically generated information
usbmodem Show parameters of usbmodem
modem­id Show modem identifier
<string> Enter the name of modem­id (1­32 chars)

show usbmodem descriptor

show Show settings, parameters, or dynamically generated information
usbmodem Show parameters of usbmodem
descriptor Show descriptor information for the USB modem

show usbmodem info

show Show settings, parameters, or dynamically generated information
usbmodem Show parameters of usbmodem
Show the manufacturer, model, revision, IMEI (International Mobile Equipment Identity),
info and capabilities of the attached USB modem (Note: This information might not be
available when the modem has an active PPP connection.)

show usbmodem modeswitch

show Show settings, parameters, or dynamically generated information
usbmodem Show parameters of usbmodem
modeswitch Show modeswitch configure for the USB modem

show usbmodem network­mode

show Show settings, parameters, or dynamically generated information
usbmodem Show parameters of usbmodem
network­mode Show the network mode preference of usbmodem

show usbmodem network­service

show Show settings, parameters, or dynamically generated information
usbmodem Show parameters of usbmodem
network­service Show the network service information of usbmodem

show usbmodem rssi

show Show settings, parameters, or dynamically generated information

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 267/315
27/4/2016 Aerohive CLI Guide
usbmodem Show parameters of usbmodem
Show RSSI (Received Signal Strength Indication) and BER (Bit Error Rate) of the attached
rssi USB modem (Note: This information might not be available when the modem has an active
PPP connection.)

show usbmodem sim­info

show Show settings, parameters, or dynamically generated information
usbmodem Show parameters of usbmodem
sim­info Show the SIM card information of usbmodem

show usbmodem status

show Show settings, parameters, or dynamically generated information
usbmodem Show parameters of usbmodem
Show information about the attached USB modem, the PPP process and statistics,
status
primary/backup WAN interface status, and internal failover/failback states

show user
show Show settings, parameters, or dynamically generated information
user Show all user

show user­group <string> psk­digest [ <string> ]

show Show settings, parameters, or dynamically generated information
user­group Show a user group parameters
<string> Enter the user group name (1­32 chars)
psk­digest Show the digest string for the auto­PSK
<string> Enter the user name (1­32 chars)

show user­group [ <string> ]

show Show settings, parameters, or dynamically generated information
user­group Show a user group parameters
<string> Enter the user group name (1­32 chars)

show user­profile <string> cac airtime­percentage

show Show settings, parameters, or dynamically generated information
user­profile Show parameters for a user profile
<string> Enter the user profile name (1­32 chars)
cac Show CAC (Call Admission Control) parameters and statistics
airtime­percentage Show the percentage of airtime for VoIP calls

show user­profile <string> schedule [ detail ]

show Show settings, parameters, or dynamically generated information
user­profile Show parameters for a user profile
<string> Enter the user profile name (1­32 chars)
schedule Show all schedules bound to the user profile
detail Show detailed information about all schedules bound to the user profile

show user­profile [ <string> ]

show Show settings, parameters, or dynamically generated information
user­profile Show parameters for a user profile
<string> Enter the user profile name (1­32 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 268/315
27/4/2016 Aerohive CLI Guide
show user­profile­policy [ <string> ]
show Show settings, parameters, or dynamically generated information
user­profile­policy Show parameters for a user profile mapping policy
<string> Enter a policy name

show user­profile­schedule
show Show settings, parameters, or dynamically generated information
user­profile­schedule Show the status of all user profile schedules

show version [ {detail} ]

show Show settings, parameters, or dynamically generated information
Show information about the current and backup HiveOS versions on the HiveAP and the
version
HiveAP platform type
Show detailed information about the current and backup HiveOS versions on the HiveAP and
detail
the HiveAP platform type

show video ip <ip_addr> <number>

show Show settings, parameters, or dynamically generated information
video Show information about streaming video traffic
ip Set the IP multicast group address that is the source of the video stream
<ip_addr> Enter the IP address
<number> Enter a destination port number to which the video traffic was sent (Range: 0 ­ 65535)

show video ip <ip_addr> dst­port­range <number> ­ <number>

show Show settings, parameters, or dynamically generated information
video Show information about streaming video traffic
ip Set the IP multicast group address that is the source of the video stream
<ip_addr> Enter the IP address
dst­port­range Set a range of destination port numbers
<number> Enter the first destination port number in the range (Range: 0 ­ 65535)
­ Set a range of destination port numbers
<number> Enter the last destination port number in the range (Range: 0 ­ 65535)

show vlan­group
show Show settings, parameters, or dynamically generated information
vlan­group Show the settings and status of the Bonjour gateway

show vpn gre­tunnel

show Show settings, parameters, or dynamically generated information
vpn Show VPN information and VPN objects
gre­tunnel Show GRE (Generic Routing Encapsulation) tunnel information

show vpn ike configuration

show Show settings, parameters, or dynamically generated information
vpn Show VPN information and VPN objects
ike Show IKE information
configuration Show VPN configuration settings

show vpn ike {sa|event}

show Show settings, parameters, or dynamically generated information

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 269/315
27/4/2016 Aerohive CLI Guide
vpn Show VPN information and VPN objects
ike Show IKE information
sa Show the cookies and creation times of IKE phase1 security associations
event Show the most recent IKE events (Note: You can see up to a maximum of 32 IKE events.)

show vpn ike {sp}

show Show settings, parameters, or dynamically generated information
vpn Show VPN information and VPN objects
ike Show IKE information
sp Show IPsec security policies

show vpn ipsec sa

show Show settings, parameters, or dynamically generated information
vpn Show VPN information and VPN objects
ipsec Show IPSec information
sa Show IKE phase 2 IPsec security associations

show vpn ipsec­tunnel

show Show settings, parameters, or dynamically generated information
vpn Show VPN information and VPN objects
ipsec­tunnel Show IPSec tunnel information

show vpn l3­tunnel­exception

show Show settings, parameters, or dynamically generated information
vpn Show VPN information and VPN objects
l3­tunnel­exception Show layer­3 tunnel exception list

show vpn layer­3­tunnel

show Show settings, parameters, or dynamically generated information
vpn Show VPN information and VPN objects
layer­3­tunnel Show layer­3 tunnel information

show vpn tunnel­id [ <number> ]

show Show settings, parameters, or dynamically generated information
vpn Show VPN information and VPN objects
Show VPN tunnel destination parameters and status, or show detailed information about a
tunnel­id
specific tunnel by entering its ID number
<number> Enter the tunnel ID number (Range: 1­2147483647)

show vpn tunnel­policy

show Show settings, parameters, or dynamically generated information
vpn Show VPN information and VPN objects
tunnel­policy Show tunnel policy information

show vpn {socket|timer|memory|queue|ph2|sp|rekey}

show Show settings, parameters, or dynamically generated information
vpn Show VPN information and VPN objects
socket #hidden
timer #hidden
memory #hidden

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 270/315
27/4/2016 Aerohive CLI Guide

queue #hidden
ph2 #hidden
sp #hidden
rekey #hidden

show wan db
show Show settings, parameters, or dynamically generated information
wan Show brd wan info
db Show brd wan database info

show wan failover

show Show settings, parameters, or dynamically generated information
wan Show brd wan info
failover Show brd wan failover info

show wan interface

show Show settings, parameters, or dynamically generated information
wan Show brd wan info
interface Show brd wan interface info

show wan interface <ethx|usbnetx|wifix|tunnelx>

show Show settings, parameters, or dynamically generated information
wan Show brd wan info
interface Show brd wan interface info
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<usbnetx> Enter the name of the wireless USB modem interface, where x = 0
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1
<tunnelx> Enter the name of the tunnel interface, where x = 0 or 1

show web­directory [ ppsk­self­reg ] [ <string> ]

show Show settings, parameters, or dynamically generated information
web­directory Show the files in a web directory
ppsk­self­reg Show the files in the private PSK self­registration web directory
<string> Enter the web directory name

show web­security­proxy {websense­v1|barracuda­v1}

show Show settings, parameters, or dynamically generated information
web­security­proxy Show the web security proxy configuration
websense­v1 Show the configuration for Websense
barracuda­v1 Show the configuration for Barracuda

show web­server­key
show Show settings, parameters, or dynamically generated information
web­server­key Show web server key files information

show wlan­idp mitigate [ <mac_addr> ]

show Show settings, parameters, or dynamically generated information
wlan­idp Show WLAN IDP (intrusion detection and prevention) parameters
Show one or a list of rogue APs against which mitigation was performed, the HiveAPs that
mitigate

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 271/315
27/4/2016 Aerohive CLI Guide
reported them, and those that attacked them
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)

show wlan­idp profile [ <string> ]

show Show settings, parameters, or dynamically generated information
wlan­idp Show WLAN IDP (intrusion detection and prevention) parameters
profile Show IDP profile parameters
<string> Enter an IDP profile name (1­32 chars)

snmp contact <string>

snmp Set SNMP (Simple Network Management Protocol) parameters
contact Set SNMP contact information
<string> Enter SNMP contact information (1­32 chars)

snmp location <string>

snmp Set SNMP (Simple Network Management Protocol) parameters
location Set the AP location for SNMP
<string> Enter the SNMP location string (1­255 chars; Default: change­me)

snmp reader version v3 admin <string> [ auth {md5|sha} password <string> ] [ encryption {aes|des}
password <string> ]
snmp Set SNMP (Simple Network Management Protocol) parameters
Set the SNMP community mode as read­only (Note: This setting allows the NMS, or network
reader
management station, to read MIB data on the AP but not receive traps from it.)
version Set the SNMP community version
v3 Set the SNMP community version as SNMP v3
admin Set the admin with read­only privileges for viewing MIB data
<string> Enter the admin name (1­32 chars)
Set the algorithm for authenticating communications between the SNMP agent on the AP and
auth
the NMS
md5 Set the authentication algorithm as MD5 (Message Digest Algorithm 5)
sha Set the authentication algorithm as SHA­1 (Secure Hash Algorithm 1)
password Set the password used during the authentication process
<string> Enter the authentication password (8­64 chars)
Set the algorithm for encrypting communications between the SNMP agent on the AP and the
encryption
NMS
aes Set the encryption algorithm as AES (Advanced Encryption Standard)
des Set the encryption algorithm as DES (Data Encryption Standard)
password Set the password used during the encryption process
<string> Enter the password (8­64 chars)

snmp reader version {v1|v2c|any} community <string> [ <string> ]

snmp Set SNMP (Simple Network Management Protocol) parameters
Set the SNMP community mode as read­only (Note: This setting allows the NMS, or network
reader
management station, to read MIB data on the AP but not receive traps from it.)
version Set the SNMP community version
v1 Set the community version as SNMP v1
v2c Set the community version as SNMP v2c

any Set the community version to support both SNMP v1 and v2c

community Set SNMP community parameters

Set the SNMP community string for authenticating communications between the SNMP agent
<string>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 272/315
27/4/2016 Aerohive CLI Guide
on the AP and the NMS (Note: This string acts like a password or a shared secret.)
<string> Enter the domain name (1­32 chars) or the IP address and netmask for the NMS

snmp trap­host {v1|v2c} <ip_addr|string> [ port <number> ] [ {via­vpn­tunnel} ] [ community <string> ]

snmp Set SNMP (Simple Network Management Protocol) parameters
Set parameters for the SNMP trap host (Note: This is an NMS, or network management
trap­host
station, that can receive SNMP traps from the AP.)
v1 Set the trap format for SNMP v1
v2c Set the trap format for SNMP v2c
<ip_addr> Enter the domain name (1­32 chars) or the IP address for the NMS
<string> Enter the domain name (1­32 chars) or the IP address for the NMS
port Set the port number on which the NMS listens for traps that the AP sends it
<number> Enter the port number (Default: 162, Range: 1­65535)
Send all SNMP traps through a VPN tunnel (Note: Set this option on VPN clients when the
via­vpn­tunnel NMS is in a different subnet from the tunnel interface. When they are in the same
subnet, tunneling is automatic.)
Set the community string for authenticating communications between the AP and NMS (Note:
community
This string acts like a password or a shared secret.)
<string> Enter the community string (1­32 characters; Default: hivecommunity)

snmp trap­host {v3} <ip_addr|string> [ port <number> ] [ {via­vpn­tunnel} ] admin <string>

snmp Set SNMP (Simple Network Management Protocol) parameters
Set parameters for the SNMP trap host (Note: This is an NMS, or network management
trap­host
station, that can receive SNMP traps from the AP.)
v3 Set the trap format for SNMP v3
<ip_addr> Enter the domain name (1­32 chars) or the IP address for the NMS
<string> Enter the domain name (1­32 chars) or the IP address for the NMS
port Set the port number on which the NMS listens for traps that the AP sends it
<number> Enter the port number (Default: 162, Range: 1­65535)
Send all SNMP traps through a VPN tunnel (Note: Set this option on VPN clients when the
via­vpn­tunnel NMS is in a different subnet from the tunnel interface. When they are in the same
subnet, tunneling is automatic.)
admin Set the name of the SNMP admin that can receive traps from AP
<string> Enter the admin name (1­32 chars)

snmp trap­host {v3} admin <string> auth {md5|sha} password <string> [ encryption {aes|des} password
<string> ]
snmp Set SNMP (Simple Network Management Protocol) parameters
Set parameters for the SNMP trap host (Note: This is an NMS, or network management
trap­host
station, that can receive SNMP traps from the AP.)
v3 Set the trap format for SNMP v3
admin Set the admin with privileges for receiving traps
<string> Enter the admin name (1­32 chars)
Set the algorithm for authenticating communications between the SNMP agent on the AP and
auth
the NMS
md5 Set the authentication algorithm as md5 (Message Digest Algorithm 5)
sha Set the authentication algorithm as SHA­1 (Secure Hash Algorithm 1)
password Set the password used during the authentication process
<string> Enter the authentication password (8­64 chars)
Set the algorithm for encrypting communications between the SNMP agent on the AP and the
encryption
NMS
aes Set the encryption algorithm as AES (Advanced Encryption Standard)

des Set the encryption algorithm as DES (Data Encryption Standard)

password Set the password used during the encryption process

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 273/315
27/4/2016 Aerohive CLI Guide
<string> Enter the password (8­64 chars)

snmp trap­info {over­snmp|over­capwap}

snmp Set SNMP (Simple Network Management Protocol) parameters
trap­info Set parameters for the delivery of SNMP trap information
over­snmp Send trap inion over SNMP (Default: Disabled)
over­capwap Send trap information over CAPWAP (Default: Enabled)

ssh­tunnel server <string> tunnel­port <number> user <string> password <string> [ timeout <number> ]
Set SSH (Secure Shell) tunnel parameters so that Aerohive Technical Support can access
ssh­tunnel
the AP remotely
Set the domain name or IP address of the Aerohive SSH server and, optionally, its port
server
number
Enter the domain name (1­64 chars) or IP address and, optionally, the port number
<string>
(Default port: 22; Range: 1025­65535; Format: name:port or ip:port)
tunnel­port Set the port number that the SSH server uses to identify the tunnel
<number> Enter the port for identifying the SSH tunnel (Range: 1025­65535)
user Set the user name for logging in to the SSH server
<string> Enter the user name (1­32 chars)
password Set password for logging in to the SSH server
<string> Enter the password (1­32 chars)
Set the length of time during which the tunnel between the AP and the Aerohive SSH
timeout
server will be up
<number> Enter the tunnel timeout value in minutes (Range: 0­6000, Default: 0 (disable))

ssid <string>
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)

ssid <string> 11a­rate­set [ {6|6­basic} ] [ {9|9­basic} ] [ {12|12­basic} ] [ {18|18­basic} ] [

{24|24­basic} ] [ {36|36­basic} ] [ {48|48­basic} ] [ {54|54­basic} ]
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
Set the basic (mandatory) and optional 11a data rates for the radio (Default rates in
11a­rate­set
Mbps: basic=6, 12, 24, opt=9, 18, 36, 48, 54)
6 Set 6 Mbps as a basic (mandatory) or optional data rate
6­basic Set 6 Mbps as a basic (mandatory) or optional data rate
9 Set 9 Mbps as a basic (mandatory) or optional data rate
9­basic Set 9 Mbps as a basic (mandatory) or optional data rate
12 Set 12 Mbps as a basic (mandatory) or optional data rate
12­basic Set 12 Mbps as a basic (mandatory) or optional data rate
18 Set 18 Mbps as a basic (mandatory) or optional data rate
18­basic Set 18 Mbps as a basic (mandatory) or optional data rate
24 Set 24 Mbps as a basic (mandatory) or optional data rate
24­basic Set 24 Mbps as a basic (mandatory) or optional data rate
36 Set 36 Mbps as a basic (mandatory) or optional data rate

36­basic Set 36 Mbps as a basic (mandatory) or optional data rate

48 Set 48 Mbps as a basic (mandatory) or optional data rate
48­basic Set 48 Mbps as a basic (mandatory) or optional data rate
54 Set 54 Mbps as a basic (mandatory) or optional data rate
54­basic Set 54 Mbps as a basic (mandatory) or optional data rate

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 274/315
27/4/2016 Aerohive CLI Guide
ssid <string> 11ac­mcs­rate­set <string>
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
11ac­mcs­rate­set Set the 802.11ac MCS rate indexes for which the SSID advertizes its support
Enter specific MCS rates (Range: 1­256 chars; Format: Use commas as separators. Example:
<string>
mcs2/1,mcs8/1,mcs4/2,mcs8/2,mcs9/2,mcs3/3)

ssid <string> 11g­rate­set [ {1|1­basic} ] [ {2|2­basic} ] [ {5.5|5.5­basic} ] [ {11|11­basic} ] [

{6|6­basic} ] [ {9|9­basic} ] [ {12|12­basic} ] [ {18|18­basic} ] [ {24|24­basic} ] [ {36|36­basic} ]
[ {48|48­basic} ] [ {54|54­basic} ]
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
Set the basic (mandatory) and optional 11g data rates for the radio (Default rates in
11g­rate­set
Mbps: basic=1, 2, 5.5, 11, opt=6, 9, 12, 18, 24, 36, 48, 54)
1 Set 1 Mbps as a basic (mandatory) or optional data rate
1­basic Set 1 Mbps as a basic (mandatory) or optional data rate
2 Set 2 Mbps as a basic (mandatory) or optional data rate
2­basic Set 2 Mbps as a basic (mandatory) or optional data rate
5.5 Set 5.5 Mbps as a basic (mandatory) or optional data rate
5.5­basic Set 5.5 Mbps as a basic (mandatory) or optional data rate
11 Set 11 Mbps as a basic (mandatory) or optional data rate
11­basic Set 11 Mbps as a basic (mandatory) or optional data rate
6 Set 6 Mbps as a basic (mandatory) or optional data rate
6­basic Set 6 Mbps as a basic (mandatory) or optional data rate
9 Set 9 Mbps as a basic (mandatory) or optional data rate
9­basic Set 9 Mbps as a basic (mandatory) or optional data rate
12 Set 12 Mbps as a basic (mandatory) or optional data rate
12­basic Set 12 Mbps as a basic (mandatory) or optional data rate
18 Set 18 Mbps as a basic (mandatory) or optional data rate
18­basic Set 18 Mbps as a basic (mandatory) or optional data rate
24 Set 24 Mbps as a basic (mandatory) or optional data rate
24­basic Set 24 Mbps as a basic (mandatory) or optional data rate
36 Set 36 Mbps as a basic (mandatory) or optional data rate
36­basic Set 36 Mbps as a basic (mandatory) or optional data rate
48 Set 48 Mbps as a basic (mandatory) or optional data rate
48­basic Set 48 Mbps as a basic (mandatory) or optional data rate
54 Set 54 Mbps as a basic (mandatory) or optional data rate
54­basic Set 54 Mbps as a basic (mandatory) or optional data rate

ssid <string> 11n­mcs­expand­rate­set <string>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
Set the 802.11n MCS rate indexes for which the SSID advertizes its support(By default,
11n­mcs­expand­rate­ all MCS rates for three spatial streams on the HiveAP 330 and 350 are supported: 0­23.
set On the HiveAP 110, 120, 320, and 340, which support a maximum of two spatial streams,
use the 11n­mcs­rate­set option instead.)
Enter specific MCS rates (Range: 1­256 chars; Format: Use commas as separators. Example:
<string>
mcs2/1,mcs5/1,mcs4/2,mcs3/3)

ssid <string> admctl ac <number> enable

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
admctl Set WMM­Admission Control parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 275/315
27/4/2016 Aerohive CLI Guide

ac Set the AC (Access Category)

<number> Enter the AC number (0­3 int), 0 as BE, 1 as BK, 2 as VI, 3 as VO
enable Enable admctl for SSID

ssid <string> admctl delts sta <mac_addr> tid <number>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
admctl Set WMM­Admission Control parameters
delts Generate DELTS message to sta with and TID of SSID
sta Set STA with MAC address
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
tid Set the TID
<number> Enter the TID number (0­7 int)

ssid <string> block­to­wifi­mcast

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
Set the HiveAP to block multicast or broadcast traffic sent to the SSID (Default:
block­to­wifi­mcast
Disabled)

ssid <string> client­age­out <number>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
client­age­out Set the length of time to age out inactive clients and automatically disassociate them
<number> Enter the client age­out time in minutes (Default: 5; Range: 1­30)

ssid <string> client­monitor­policy <string>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
Assign a Client Monitor policy to automatically detect, analyze and report problems
client­monitor­policy
about the clients which access the network through the specified ssid
<string> Enter the Client Monitor policy name (1­32 chars)

ssid <string> dtim­period <number>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
dtim­period Set the DTIM (delivery traffic indication message) period
<number> Set the number of beacons between DTIM frames (Default: 1; Range: 1­255)

ssid <string> frag­threshold <number>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
frag­threshold Set the fragment threshold for the SSID
<number> Enter the fragment threshold in bytes for the SSID (Default: 2346; Range: 256­2346)

ssid <string> hide­ssid

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
hide­ssid Hide the SSID in beacons and ignore broadcast probe requests

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 276/315
27/4/2016 Aerohive CLI Guide
ssid <string> ignore­broadcast­probe
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
ignore­broadcast­probe Ignore broadcasted probe requests

ssid <string> inter­station­traffic

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
Set the HiveAP to permit traffic between stations connected to one or more of its access
inter­station­traffic
interfaces (Default: Enabled)

ssid <string> manage all

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
manage Set management service parameters
all_service::Enable all manageability options (ping, SNMP, SSH, and Telnet) for mgt0
all through subinterfaces bound to the SSID (Defaults: ping enabled, SNMP disabled, SSH
enabled, Telnet disabled)

ssid <string> manage {Telnet|SSH|SNMP|ping}

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
manage Set management service parameters
Enable Telnet manageability of mgt0 through subinterfaces bound to the SSID (Default:
Telnet
Disabled)
Enable SSH manageability of mgt0 through subinterfaces bound to the SSID (Default:
SSH
Enabled)
Enable SNMP manageability of mgt0 through subinterfaces bound to the SSID (Default:
SNMP
Disabled)
Enable mgt0 to respond to pings through subinterfaces bound to the SSID (Default:
ping
Enabled)

ssid <string> max­client <number>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
max­client Set the maximum number of clients that can associate with the SSID
Enter the maximum number of clients that can associate (Default: 100; Range: 1­100;
<number> Note: A radio profile can support a maximum of 100 clients by default, and there can be
a maximum of 16 SSIDs per radio.)

ssid <string> mode compliance

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
mode Set SSID mode parameter
compliance Set SSID mode compliance with 11n standard

ssid <string> mode legacy

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
mode Set SSID mode parameter
Set this mode to disable the advertisement of 802.11n capabilities when there are legacy
legacy 802.11a/b/g clients that cannot support 802.11n IEs (information elements) in management
frames

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 277/315
27/4/2016 Aerohive CLI Guide
ssid <string> multicast conversion­to­unicast {auto|always|disable}
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
Set parameters for sending IP datagrams to a group of interested receivers in a single
multicast
transmission
conversion­to­unicast Set the method for converting multicast frames to unicast frames (Default: Disabled)
Convert from multicast to unicast automatically whenever the channel utilization or
auto
multicast group membership count is below their respective thresholds
Always convert from multicast to unicast regardless of channel utilization and group
always
membership numbers
disable Disable convert from multicast to unicast

ssid <string> multicast cu­threshold <number>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
Set parameters for sending IP datagrams to a group of interested receivers in a single
multicast
transmission
Set the channel utilization threshold that determines when to convert multicast to
cu­threshold
unicast frames
Enter the channel utilization threshold as a percent (Default: 60; Range: 1­100; Note:
<number> Conversion from multicast to unicast frames occurs when the percent of channel
utilization is below or equal to this value.)

ssid <string> multicast member­threshold <number>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
Set parameters for sending IP datagrams to a group of interested receivers in a single
multicast
transmission
Set the membership count threshold that determines when to convert multicast to unicast
member­threshold
frames
Enter the multicast group membership threshold (Default: 10; Range: 1­30; Note:
<number> Converting multicast frames to unicast frames occurs when the number of group members is
below or equal to this value.)

ssid <string> qos­classifier <string>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
qos­classifier Assign a QoS classification profile (classifier) to the interface
<string> Enter the QoS classifier profile name (1­32 chars)

ssid <string> qos­marker <string>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
qos­marker Assign a QoS marker profile to the interface
<string> Enter the QoS marker profile name (1­32 chars)

ssid <string> rrm enable

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
rrm Set RRM (Radio Resource Management) parameters
enable Enable RRM for SSID

ssid <string> rts­threshold <number>

ssid Set SSID (Service Set Identifier) parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 278/315
27/4/2016 Aerohive CLI Guide
<string> Enter an SSID profile name (1­32 chars)
rts­threshold Set the RTS (request to send) threshold for the SSID
Enter the packet size for the RTS (request to send) threshold for the SSID (Default:
<number>
2346 bytes; Range: 1­2346)

ssid <string> schedule <string>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
schedule Set a schedule during which the SSID will be available for use
<string> Enter a schedule name (1­32 chars)

ssid <string> security mac­filter <string>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
mac­filter Assign a filter for MAC addresses or OUIs (organizational unique identifiers)
<string> Enter the filter name for MAC addresses or OUIs (organizational unique identifiers)

ssid <string> security screening radius­attack

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
screening Set the security screen parameters
radius­attack Enable the screening method of RADIUS attack procection (Default: Disabled)

ssid <string> security screening radius­attack action ban­forever

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
screening Set the security screen parameters
radius­attack Enable the screening method of RADIUS attack procection (Default: Disabled)
action Set the action to perform if an alarm is triggered (Default: alarm)
ban­forever Disconnect the station and ban it from reconnecting indefinitely

ssid <string> security screening radius­attack action {alarm|ban} [ [ <number> ] ]

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
screening Set the security screen parameters
radius­attack Enable the screening method of RADIUS attack procection (Default: Disabled)
action Set the action to perform if an alarm is triggered (Default: alarm)
alarm Send an alarm but continue to pass traffic
ban Disconnect the station and ban it from reconnecting for a period of time
Enter the amount of time in seconds to perform the action (Range: 1­100000000; Default:
<number>
10 for an alarm, 3600 for a ban)

ssid <string> security screening radius­attack threshold <number> [ action {alarm|ban} [ <number> ] ]
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 279/315
27/4/2016 Aerohive CLI Guide
screening Set the security screen parameters
radius­attack Enable the screening method of RADIUS attack procection (Default: Disabled)
Set the length of time during which 10 RADIUS rejections for the same source MAC address
threshold
is considered unacceptable
<number> Enter the length of time in seconds (Range: 1­3600; Default: 5)
action Set the action to perform if an alarm is triggered (Default: alarm)
alarm Send an alarm but continue to pass traffic
ban Disconnect the station and ban it from reconnecting for a period of time
Enter the amount of time in seconds to perform the action (Range: 1­100000000; Default:
<number>
10 for an alarm, 3600 for a ban)

ssid <string> security screening radius­attack threshold <number> action ban­forever

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
screening Set the security screen parameters
radius­attack Enable the screening method of RADIUS attack procection (Default: Disabled)
Set the length of time during which 10 RADIUS rejections for the same source MAC address
threshold
is considered unacceptable
<number> Enter the length of time in seconds (Range: 1­3600; Default: 5)
action Set the action to perform if an alarm is triggered (Default: alarm)
ban­forever Disconnect the station and ban it from reconnecting indefinitely

ssid <string> security screening tcp­syn­check

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
screening Set the security screen parameters
Enable checking that the SYN flag is set in TCP segments before creating new IP sessions
tcp­syn­check (Default: Disabled, Note: When enabled, the IP session idle timeout is 10 seconds until
the TCP three­way handshake is complete.)

ssid <string> security screening {icmp­flood|udp­flood|syn­flood|arp­flood|address­sweep|port­scan|ip­

spoof} [ threshold <number> ]
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
screening Set the security screen parameters
icmp­flood Enable the screening method for protection against ICMP floods (Default: Disabled)
udp­flood Enable the screening method for protection against UDP floods (Default: Disabled)
syn­flood Enable the screening method for protection against TCP SYN floods (Default: Disabled)
arp­flood Enable the screening method for protection against ARP floods (Default: Disabled)
address­sweep Enable the screening method for protection against IP address sweeps (Default: Disabled)
port­scan Enable the screening method for protection against port scans (Default: Disabled)
ip­spoof Enable the screening method for protection against IP spoofing (Default: Disabled)
Set the threshold: packets per second for syn­flood and arp­flood, air time for icmp­
threshold flood and udp­flood, milliseconds every 10 packets for address­sweep and port­scan, IP
addresses for ip­spoof
Enter the threshold value (Defaults and Ranges: ICMP flood: 20%, 1­100%; UDP flood 50%,
1­100%; SYN flood: 1000 pkts/sec, 1­1000000 pkts/sec; ARP flood 100 pkts/sec, 1­1000000
<number>
pkts/sec; address sweep and port scan: 100 ms/10 pkts, 1­10000 ms; IP spoof: 3 src
IPs/src MAC, 2­10 IPs; RADIUS attack: 5 secs/10 rejects, 1­3600 secs)

ssid <string> security screening {icmp­flood|udp­flood|syn­flood|arp­flood|address­sweep|port­scan|ip­

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 280/315
27/4/2016 Aerohive CLI Guide
spoof} action ban­forever
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
screening Set the security screen parameters
icmp­flood Enable the screening method for protection against ICMP floods (Default: Disabled)
udp­flood Enable the screening method for protection against UDP floods (Default: Disabled)
syn­flood Enable the screening method for protection against TCP SYN floods (Default: Disabled)
arp­flood Enable the screening method for protection against ARP floods (Default: Disabled)
address­sweep Enable the screening method for protection against IP address sweeps (Default: Disabled)
port­scan Enable the screening method for protection against port scans (Default: Disabled)
ip­spoof Enable the screening method for protection against IP spoofing (Default: Disabled)
action Set the action to perform if an alarm is triggered (Default: alarm)
ban­forever Disconnect the station and ban it from reconnecting indefinitely

ssid <string> security screening {icmp­flood|udp­flood|syn­flood|arp­flood|address­sweep|port­scan|ip­

spoof} action disconnect
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
screening Set the security screen parameters
icmp­flood Enable the screening method for protection against ICMP floods (Default: Disabled)
udp­flood Enable the screening method for protection against UDP floods (Default: Disabled)
syn­flood Enable the screening method for protection against TCP SYN floods (Default: Disabled)
arp­flood Enable the screening method for protection against ARP floods (Default: Disabled)
address­sweep Enable the screening method for protection against IP address sweeps (Default: Disabled)
port­scan Enable the screening method for protection against port scans (Default: Disabled)
ip­spoof Enable the screening method for protection against IP spoofing (Default: Disabled)
action Set the action to perform if an alarm is triggered (Default: alarm)
disconnect Disconnect the station but do not ban it from reconnecting

ssid <string> security screening {icmp­flood|udp­flood|syn­flood|arp­flood|address­sweep|port­scan|ip­

spoof} action {alarm|drop|ban} <number>
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
screening Set the security screen parameters
icmp­flood Enable the screening method for protection against ICMP floods (Default: Disabled)
udp­flood Enable the screening method for protection against UDP floods (Default: Disabled)
syn­flood Enable the screening method for protection against TCP SYN floods (Default: Disabled)
arp­flood Enable the screening method for protection against ARP floods (Default: Disabled)
address­sweep Enable the screening method for protection against IP address sweeps (Default: Disabled)
port­scan Enable the screening method for protection against port scans (Default: Disabled)
ip­spoof Enable the screening method for protection against IP spoofing (Default: Disabled)
action Set the action to perform if an alarm is triggered (Default: alarm)
alarm Send an alarm but continue to pass traffic

drop Drop traffic for a period of time

ban Disconnect the station and ban it from reconnecting for a period of time
Enter the amount of time in seconds to perform the action (Range: 1­1000000000; Default:
<number>
10 for alarm, 1 for drop, 3600 for ban)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 281/315
27/4/2016 Aerohive CLI Guide
ssid <string> security screening {icmp­flood|udp­flood|syn­flood|arp­flood|address­sweep|port­scan|ip­
spoof} threshold <number> action ban­forever
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
screening Set the security screen parameters
icmp­flood Enable the screening method for protection against ICMP floods (Default: Disabled)
udp­flood Enable the screening method for protection against UDP floods (Default: Disabled)
syn­flood Enable the screening method for protection against TCP SYN floods (Default: Disabled)
arp­flood Enable the screening method for protection against ARP floods (Default: Disabled)
address­sweep Enable the screening method for protection against IP address sweeps (Default: Disabled)
port­scan Enable the screening method for protection against port scans (Default: Disabled)
ip­spoof Enable the screening method for protection against IP spoofing (Default: Disabled)
Set the threshold: packets per second for syn­flood and arp­flood, air time for icmp­
threshold flood and udp­flood, milliseconds every 10 packets for address­sweep and port­scan, IP
addresses for ip­spoof
Enter the threshold value (Defaults and Ranges: ICMP flood: 20%, 1­100%; UDP flood 50%,
1­100%; SYN flood: 1000 pkts/sec, 1­1000000 pkts/sec; ARP flood 100 pkts/sec, 1­1000000
<number>
pkts/sec; address sweep and port scan: 100 ms/10 pkts, 1­10000 ms; IP spoof: 3 src
IPs/src MAC, 2­10 IPs; RADIUS attack: 5 secs/10 rejects, 1­3600 secs)
action Set the action to perform if an alarm is triggered (Default: alarm)
ban­forever Disconnect the station and ban it from reconnecting indefinitely

ssid <string> security screening {icmp­flood|udp­flood|syn­flood|arp­flood|address­sweep|port­scan|ip­

spoof} threshold <number> action disconnect
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
screening Set the security screen parameters
icmp­flood Enable the screening method for protection against ICMP floods (Default: Disabled)
udp­flood Enable the screening method for protection against UDP floods (Default: Disabled)
syn­flood Enable the screening method for protection against TCP SYN floods (Default: Disabled)
arp­flood Enable the screening method for protection against ARP floods (Default: Disabled)
address­sweep Enable the screening method for protection against IP address sweeps (Default: Disabled)
port­scan Enable the screening method for protection against port scans (Default: Disabled)
ip­spoof Enable the screening method for protection against IP spoofing (Default: Disabled)
Set the threshold: packets per second for syn­flood and arp­flood, air time for icmp­
threshold flood and udp­flood, milliseconds every 10 packets for address­sweep and port­scan, IP
addresses for ip­spoof
Enter the threshold value (Defaults and Ranges: ICMP flood: 20%, 1­100%; UDP flood 50%,
1­100%; SYN flood: 1000 pkts/sec, 1­1000000 pkts/sec; ARP flood 100 pkts/sec, 1­1000000
<number>
pkts/sec; address sweep and port scan: 100 ms/10 pkts, 1­10000 ms; IP spoof: 3 src
IPs/src MAC, 2­10 IPs; RADIUS attack: 5 secs/10 rejects, 1­3600 secs)
action Set the action to perform if an alarm is triggered (Default: alarm)
disconnect Disconnect the station but do not ban it from reconnecting

ssid <string> security screening {icmp­flood|udp­flood|syn­flood|arp­flood|address­sweep|port­scan|ip­

spoof} threshold <number> action {alarm|drop|ban} <number>
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
screening Set the security screen parameters
icmp­flood Enable the screening method for protection against ICMP floods (Default: Disabled)

udp­flood Enable the screening method for protection against UDP floods (Default: Disabled)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 282/315
27/4/2016 Aerohive CLI Guide
syn­flood Enable the screening method for protection against TCP SYN floods (Default: Disabled)
arp­flood Enable the screening method for protection against ARP floods (Default: Disabled)
address­sweep Enable the screening method for protection against IP address sweeps (Default: Disabled)
port­scan Enable the screening method for protection against port scans (Default: Disabled)
ip­spoof Enable the screening method for protection against IP spoofing (Default: Disabled)
Set the threshold: packets per second for syn­flood and arp­flood, air time for icmp­
threshold flood and udp­flood, milliseconds every 10 packets for address­sweep and port­scan, IP
addresses for ip­spoof
Enter the threshold value (Defaults and Ranges: ICMP flood: 20%, 1­100%; UDP flood 50%,
1­100%; SYN flood: 1000 pkts/sec, 1­1000000 pkts/sec; ARP flood 100 pkts/sec, 1­1000000
<number>
pkts/sec; address sweep and port scan: 100 ms/10 pkts, 1­10000 ms; IP spoof: 3 src
IPs/src MAC, 2­10 IPs; RADIUS attack: 5 secs/10 rejects, 1­3600 secs)
action Set the action to perform if an alarm is triggered (Default: alarm)
alarm Send an alarm but continue to pass traffic
drop Drop traffic for a period of time
ban Disconnect the station and ban it from reconnecting for a period of time
Enter the amount of time in seconds to perform the action (Range: 1­1000000000; Default:
<number>
10 for alarm, 1 for drop, 3600 for ban)

ssid <string> security wlan dos station­level frame­type {assoc­req|auth|eapol} ban <number>
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
wlan Set WLAN parameters
dos Set WLAN DoS (Denial of Service) parameters
station­level Set DoS parameters at station­level
frame­type Set WLAN DoS (Denial of Service) frame type
assoc­req Specify WLAN DoS frame type assoc­req
auth Specify WLAN DoS frame type auth
eapol Specify WLAN DoS frame type eapol
ban Set the period of time to ignore frames after a theshold has been crossed
Enter the period of time in seconds to ignore frames after a theshold has been crossed
<number>
(Default: 60; Min: 0 Max: None)

ssid <string> security wlan dos station­level frame­type {assoc­req|auth|eapol} ban forever
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
wlan Set WLAN parameters
dos Set WLAN DoS (Denial of Service) parameters
station­level Set DoS parameters at station­level
frame­type Set WLAN DoS (Denial of Service) frame type
assoc­req Specify WLAN DoS frame type assoc­req
auth Specify WLAN DoS frame type auth
eapol Specify WLAN DoS frame type eapol
ban Set the period of time to ignore frames after a theshold has been crossed
forever Set ban forever

ssid <string> security wlan dos {ssid­level|station­level} frame­type {probe­req|probe­resp|assoc­

req|assoc­resp|disassoc|auth|deauth|eapol|all}
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 283/315
27/4/2016 Aerohive CLI Guide
security Set the security parameters for the SSID
wlan Set WLAN parameters
dos Set WLAN DoS (Denial of Service) parameters
ssid­level Set DoS parameters at ssid­level
station­level Set DoS parameters at station­level
frame­type Set WLAN DoS (Denial of Service) frame type
probe­req Specify WLAN DoS frame type probe­req
probe­resp Specify WLAN DoS frame type probe­resp
assoc­req Specify WLAN DoS frame type assoc­req
assoc­resp Specify WLAN DoS frame type assoc­resp
disassoc Specify WLAN DoS frame type disassoc
auth Specify WLAN DoS frame type auth
deauth Specify WLAN DoS frame type deauth
eapol Specify WLAN DoS frame type eapol
all Specify WLAN DoS frame type all

ssid <string> security wlan dos {ssid­level|station­level} frame­type {probe­req|probe­resp|assoc­

req|assoc­resp|disassoc|auth|deauth|eapol|all} alarm <number>
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
wlan Set WLAN parameters
dos Set WLAN DoS (Denial of Service) parameters
ssid­level Set DoS parameters at ssid­level
station­level Set DoS parameters at station­level
frame­type Set WLAN DoS (Denial of Service) frame type
probe­req Specify WLAN DoS frame type probe­req
probe­resp Specify WLAN DoS frame type probe­resp
assoc­req Specify WLAN DoS frame type assoc­req
assoc­resp Specify WLAN DoS frame type assoc­resp
disassoc Specify WLAN DoS frame type disassoc
auth Specify WLAN DoS frame type auth
deauth Specify WLAN DoS frame type deauth
eapol Specify WLAN DoS frame type eapol
all Specify WLAN DoS frame type all
alarm Set the interval in seconds between alarms to indicate continuous DoS conditions
Enter the interval in seconds between alarms to indicate continuous DoS conditions
<number>
(Default: 60 secs; Min: 0 Max: None)

ssid <string> security wlan dos {ssid­level|station­level} frame­type {probe­req|probe­resp|assoc­

req|assoc­resp|disassoc|auth|deauth|eapol|all} threshold <number>
ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security Set the security parameters for the SSID
wlan Set WLAN parameters
dos Set WLAN DoS (Denial of Service) parameters
ssid­level Set DoS parameters at ssid­level
station­level Set DoS parameters at station­level
frame­type Set WLAN DoS (Denial of Service) frame type
probe­req Specify WLAN DoS frame type probe­req

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 284/315
27/4/2016 Aerohive CLI Guide
probe­resp Specify WLAN DoS frame type probe­resp
assoc­req Specify WLAN DoS frame type assoc­req
assoc­resp Specify WLAN DoS frame type assoc­resp
disassoc Specify WLAN DoS frame type disassoc
auth Specify WLAN DoS frame type auth
deauth Specify WLAN DoS frame type deauth
eapol Specify WLAN DoS frame type eapol
all Specify WLAN DoS frame type all
Set the frame threshold in ppm (packets per minute) that must be crossed to trigger an
threshold
alarm
Enter threshold in ppm (Default: ssid­level probe­req 12000, probe­resp 24000, eapol
6000, auth 6000, assoc­req 6000, assoc­resp 2400, all others 1200; sta­level probe­req
<number>
1200 ppm, probe­resp 2400, eapol 600, auth 600, assoc­req 600, assoc­resp 240, all
others 120; Min: 0 Max: None)

ssid <string> security­object <string>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
security­object Assign a security object to control network access through this SSID
<string> Enter the security object name (1­32 chars)

ssid <string> uapsd

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
Enable UAPSD (Unscheduled Automatic Power Save Delivery) to support stations using WMM
uapsd
(Wi­Fi Multimedia) Power Save

ssid <string> user­group <string>

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
user­group Set the user­group for private­PSK on the SSID
<string> Enter the group name (1­32 chars)

ssid <string> wmm

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
wmm Enable the SSID to support WMM (Wi­Fi Multimedia) traffic prioritization

ssid <string> wnm enable

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
wnm Set WNM (802.11v) parameters
enable Enable WNM for SSID

ssid <string> wnm sta <mac_addr> send bstmreq

ssid Set SSID (Service Set Identifier) parameters
<string> Enter an SSID profile name (1­32 chars)
wnm Set WNM (802.11v) parameters
sta Specify the station
Enter a MAC address (Note: You can use colons, dashes, or periods to format the address.
<mac_addr>
Examples: 1111:1111:1111, 11­11­11­11­11­11, 1111.1111.1111 ...)
send Action of sending frames

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 285/315
27/4/2016 Aerohive CLI Guide
bstmreq Frame to be send: BSTM Request frames

supplicant <string>
supplicant Set parameters for a supplicant object for HiveOS
<string> Enter the supplicant name (1­32 chars)

supplicant <string> ca­cert <string>

supplicant Set parameters for a supplicant object for HiveOS
<string> Enter the supplicant name (1­32 chars)
ca­cert Set a ca­cert index for supplicant to verify server cert
<string> Specify ca­cert file name (1­32 chars)

supplicant <string> client­cert <string> private­key <string> [ private­key­password <string> ]

supplicant Set parameters for a supplicant object for HiveOS
<string> Enter the supplicant name (1­32 chars)
client­cert Set a client­cert name for supplicant
<string> Specify client­cert name (1­32 chars)
private­key Set the private key used when forming a TLS tunnel
<string> Enter the name of the private key file (1­32 chars)
private­key­password Set the password for encrypting the private key used when forming a TLS tunnel
<string> Enter a password (1­64 chars)

supplicant <string> eap­type {md5|peap|tls|ttls}

supplicant Set parameters for a supplicant object for HiveOS
<string> Enter the supplicant name (1­32 chars)
eap­type Choose eap­type used for 802.1x client
md5 set eap­type to md5
peap set eap­type to peap(default)
tls set eap­type to tls
ttls set eap­type to ttls

supplicant <string> password <string>

supplicant Set parameters for a supplicant object for HiveOS
<string> Enter the supplicant name (1­32 chars)
password Set the password for 802.1x client
<string> Enter the password (1­64 chars)

supplicant <string> username <string> [ password <string> ]

supplicant Set parameters for a supplicant object for HiveOS
<string> Enter the supplicant name (1­32 chars)
username Set the username for 802.1x client
<string> Enter the user name (1­64 chars)
password Set the password for 802.1x client
<string> Enter the password (1­64 chars)

system connection­trap delay <number>

system Set system parameters
connection­trap Set system connection­trap parameters
delay Set system connection­trap delay parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 286/315
27/4/2016 Aerohive CLI Guide
<number> Enter the value (Range: 1­30; Default:30)

system disable­multicast­ping
system Set system parameters
disable­multicast­ping Disable responses to multicast pings (Default: Enabled)

system environment {indoor|outdoor}

system Set system parameters
environment Set the environment in which the system will operate
indoor Set the system for indoor operations (Default: indoor)
outdoor Set the system for outdoor operations (Default: indoor)

system icmp­redirect enable

system Set system parameters
icmp­redirect Accept ICMP redirect messages
enable Enable the accepting of ICMP redirect messages (Default: Disable)

system led brightness {bright|soft|dim|off}

system Set system parameters
led Set status LED configuration parameters
brightness Set the brightness level for the status LEDs (Default: bright)
bright Set brightness level to bright
soft Set brightness level to soft
dim Set brightness level to dim
off Set brightness level to off

system power­mode {802.3at|802.3af|auto}

system Set system parameters
power­mode Set power mode
802.3at
802.3af
auto

system web­server enable

system Set system parameters
web­server Set the web server parameters
enable Enable the web server (Default: Enabled)

teacher­view prompt­for­deny­url
Set parameters for TeacherView, a tool for controlling student access to the network and
teacher­view
monitoring their activity
Enable the use of an access denial notification, which the student receives when
prompt­for­deny­url accessing a blocked URL (Default: Enabled; Note: When disabled, the student does not
receive a denial of access. Instead, the connection simply times out.)

teacher­view resource­map name <string> ip <ip_addr> port <port>

Set parameters for TeacherView, a tool for controlling student access to the network and
teacher­view
monitoring their activity
resource­map Map the name of a network resource to an IP address and port number
name Set the resource name

<string> Enter the resource name (max 32 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 287/315
27/4/2016 Aerohive CLI Guide
ip Set the IP address where the resource is located
<ip_addr> Enter the IP address
port Set the port number associated with the resource
<port> [1~65535]Enter the port number (Range: 1­65535)

time­object <string> once <date> <time> to <date> <time> [ time­zone <number> ]

time­object Set a time object
<string> Enter a time object name (1­32 chars)
once Set a once schedule
Enter a start date for the schedule (Format: yyyy­mm­dd; Range: 1970­01­01 to 2035­12­
<date>
31)
Enter a start time for the schedule (Format: hh:mm; Hour Range: 00­23; Minute Range: 00­
<time>
59)
to Set a date and time range
<date> Enter an end date for the schedule (Format: yyyy­mm­dd; Range: 1970­01­01 to 2035­12­31)
Enter an end time for the schedule (Format: hh:mm; Hour Range: 00­23; Minute Range: 00­
<time>
59)
Set the time zone for the schedule (Note: If you do not specify a time zone, the time
time­zone
zone for the local system will be used.)
<number> Enter the time zone for the schedule (Default: 0; Range: ­12 to 12)

time­object <string> recurrent [ date­range <date> [ to <date> ] ] [ weekday­range

{Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} [ to
{Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} ] ] time­range <time> to <time> [ time­
range <time> to <time> ] [ time­zone <number> ]
time­object Set a time object
<string> Enter a time object name (1­32 chars)
recurrent Set a recurrent schedule
Set dates to mark the start and end of the schedule (If you do not want to set start and
date­range
end dates, do not use this option.)
Enter a start date for the schedule (Format: yyyy­mm­dd; Range: 1970­01­01 to 2035­12­
<date>
31)
to Set a date range (If you do not want to set an end date, do not use this option.)
<date> Enter a end date for the schedule (Format: yyyy­mm­dd; Range: 1970­01­01 to 2035­12­31)
Apply the schedule on specific days of the week (To apply the schedule everyday, do not
weekday­range
use this option.)
Monday Apply the schedule on every Monday within the date range
Tuesday Apply the schedule on every Tuesday within the date range
Wednesday Apply the schedule on every Wednesday within the date range
Thursday Apply the schedule on every Thursday within the date range
Friday Apply the schedule on every Friday within the date range
Saturday Apply the schedule on every Saturday within the date range
Sunday Apply the schedule on every Sunday within the date range
Set a range of weekdays during which the schedule will be applied (Example: monday to
to
friday)
Monday Apply the schedule on every Monday within the date range

Tuesday Apply the schedule on every Tuesday within the date range

Wednesday Apply the schedule on every Wednesday within the date range
Thursday Apply the schedule on every Thursday within the date range
Friday Apply the schedule on every Friday within the date range
Saturday Apply the schedule on every Saturday within the date range
Sunday Apply the schedule on every Sunday within the date range
time­range Set a time range during which the schedule will be applied on each scheduled day
Enter a start time for the schedule (Format: hh:mm; Hour Range: 00­23; Minute Range: 00­

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 288/315
27/4/2016 Aerohive CLI Guide
<time> 59)

to Set a time range

Enter a end time for the schedule,(Format: hh:mm; Hour Range: 00­23; Minute Range: 00­
<time>
59)
time­range Set a second time range for the schedule
Enter a second start time for the schedule (Format: hh:mm; Hour Range: 00­23; Minute
<time>
Range: 00­59)
to Set a time range
Enter a second end time for the schedule,(Format: hh:mm; Hour Range: 00­23; Minute
<time>
Range: 00­59)
Set the time zone for the schedule (Note: If you do not specify a time zone, the time
time­zone
zone for the local system will be used.)
<number> Enter the time zone for the schedule (Default: 0; Range: ­12 to 12)

tracert <ip_addr> [ max­hops <number> ] [ timeout <number> ] [ no­resolve ]

tracert Perform a traceroute
<ip_addr> Enter a destination IP address
max­hops Set the maximum number of hops to cross when searching for a target
Enter the maximum number of hops to cross when searching for a target (Default: 30,
<number>
Range: 1­255)
timeout Set the timeout for a response to a probe
<number> Enter the timeout in seconds for a response to a probe (Range: 2­65535)
no­resolve Do not resolve addresses to domain names

tracert <string> [ max­hops <number> ] [ timeout <number> ] [ no­resolve ]

tracert Perform a traceroute
<string> Enter a destination hostname (1­32 chars)
max­hops Set the maximum number of hops to cross when searching for a target
Enter the maximum number of hops to cross when searching for a target (Default: 30,
<number>
Range: 1­255)
timeout Set the timeout for a response to a probe
<number> Enter the timeout in seconds for a response to a probe (Range: 2­65535)
no­resolve Do not resolve addresses to domain names

track <string> [ ip <ip_addr> ]

track Set parameters to track the reachability of one or more devices on the network
<string> Enter the name for a group of one or more targets to track (1­32 chars)
ip Set an IP address for tracking
<ip_addr> Enter an IP address for tracking

track <string> action start­mesh­failover

track Set parameters to track the reachability of one or more devices on the network
<string> Enter the name for a group of one or more targets to track (1­32 chars)
Set the action to take when there are no longer responses from any tracked targets in a
action
group
start­mesh­failover Start the mesh failover procedure

track <string> action {enable­access­console|disable­access­radio}

track Set parameters to track the reachability of one or more devices on the network
<string> Enter the name for a group of one or more targets to track (1­32 chars)
Set the action to take when there are no longer responses from any tracked targets in a
action group

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 289/315
27/4/2016 Aerohive CLI Guide
enable­access­console Enable the virtual access console
disable­access­radio Disable all radios in access mode

track <string> default­gateway

track Set parameters to track the reachability of one or more devices on the network
<string> Enter the name for a group of one or more targets to track (1­32 chars)
default­gateway Set the default gateway for tracking

track <string> enable

track Set parameters to track the reachability of one or more devices on the network
<string> Enter the name for a group of one or more targets to track (1­32 chars)
enable Enable the group name for tracking (Default: Enable)

track <string> interval <number>

track Set parameters to track the reachability of one or more devices on the network
<string> Enter the name for a group of one or more targets to track (1­32 chars)
interval Set the interval for sending probes to track the IP address of a target
Enter the tracking interval (Default: 6 seconds; Range: 1­180; Note: The tracking
<number>
interval must not be shorter than the probe timeout.)

track <string> multi­dst­logic {and|or}

track Set parameters to track the reachability of one or more devices on the network
<string> Enter the name for a group of one or more targets to track (1­32 chars)
Determine if one or all tracked targets within a group must become unresponsive before
multi­dst­logic
taking action
and Take action if none of the members in the group is responding (Default:or)
or Take action if any single member in the group is not responding (Default:or)

track <string> retry <number>

track Set parameters to track the reachability of one or more devices on the network
<string> Enter the name for a group of one or more targets to track (1­32 chars)
retry Set the number of times to retry probing an unresponsive target
<number> Enter the retry value (Default: 2 times; Range: 0­1024)

track­wan <string>
Set parameters to track the reachability of one or more devices through the WAN
track­wan
interface
<string> Enter the name for a group of one or more targets to track (1­32 chars)

track­wan <string> default­gateway

Set parameters to track the reachability of one or more devices through the WAN
track­wan
interface
<string> Enter the name for a group of one or more targets to track (1­32 chars)
default­gateway Set the default gateway for tracking

track­wan <string> enable

Set parameters to track the reachability of one or more devices through the WAN
track­wan
interface
<string> Enter the name for a group of one or more targets to track (1­32 chars)
enable Enable the group name for tracking (Default: Disable)

track­wan <string> interface <ethx|usbnetx|wifix>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 290/315
27/4/2016 Aerohive CLI Guide
track­wan Set parameters to track the reachability of one or more devices through the WAN
interface
<string> Enter the name for a group of one or more targets to track (1­32 chars)
interface Set the WAN interface through which to track targets
<ethx> Enter the name of an Ethernet interface, where x = 0 or 1
<usbnetx> Enter the name of the wireless USB modem interface, where x = 0
<wifix> Enter the name of a Wi­Fi radio interface, where x = 0 or 1

track­wan <string> interval <number>

Set parameters to track the reachability of one or more devices through the WAN
track­wan
interface
<string> Enter the name for a group of one or more targets to track (1­32 chars)
interval Set the interval for sending probes to track the IP address of a target
<number> Enter the tracking interval (Default: 10 seconds; Range: 1­180)

track­wan <string> ip <ip_addr>

Set parameters to track the reachability of one or more devices through the WAN
track­wan
interface
<string> Enter the name for a group of one or more targets to track (1­32 chars)
ip Set an IP address for tracking
<ip_addr> Enter the IP address of a target

track­wan <string> multi­dst­logic {and|or}

Set parameters to track the reachability of one or more devices through the WAN
track­wan
interface
<string> Enter the name for a group of one or more targets to track (1­32 chars)
Determine if one or all tracked targets within a group must become unresponsive before
multi­dst­logic
taking action
and Take action if none of the members in the group is responding (Default:or)
or Take action if any single member in the group is not responding (Default:or)

track­wan <string> retry <number>

Set parameters to track the reachability of one or more devices through the WAN
track­wan
interface
<string> Enter the name for a group of one or more targets to track (1­32 chars)
retry Set the number of times to retry probing an unresponsive target
<number> Enter the retry value (Default: 2 times; Range: 0­1024)

usbmodem enable
usbmodem Set parameters of usbmodem
enable Enable usbmodem (Default: Enabled)

usbmodem mode {on­demand|always­connected|primary­wan}

usbmodem Set parameters of usbmodem
mode Set the connection mode of the modem (Default: on­demand)
on­demand Connect through the modem only after the primary WAN interface (eth0) fails
Maintain a connection through the modem at all times and connect through it after the
always­connected
primary WAN interface (eth0) fails
primary­wan Connect through the modem as the primary WAN interface and switch to eth0 as the backup

usbmodem modem­id <string>

usbmodem Set parameters of usbmodem
modem­id Set modem identifier

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 291/315
27/4/2016 Aerohive CLI Guide
<string> Enter the name of modem­id (1­32 chars)

usbmodem modem­id <string> apn [ <string> ]

usbmodem Set parameters of usbmodem
modem­id Set modem identifier
<string> Enter the name of modem­id (1­32 chars)
apn Set access point name
<string> Enter the name of access point (1­100 chars)

usbmodem modem­id <string> at­cmd­get {card­info|signal­strength} <string>

usbmodem Set parameters of usbmodem
modem­id Set modem identifier
<string> Enter the name of modem­id (1­32 chars)
at­cmd­get Set the USB modem get AT commands info and save them into USB modem db
card­info Enter the at command to get card info
signal­strength Enter the at command to get signal strength
<string> Enter the at command (up to 256 chars)

usbmodem modem­id <string> at­cmd­set {network­mode­auto|network­mode­lte|network­mode­3g|network­

mode­2g|modem­reset} <string>
usbmodem Set parameters of usbmodem
modem­id Set modem identifier
<string> Enter the name of modem­id (1­32 chars)
at­cmd­set Set the USB modem set AT commands info and save them into USB modem db
network­mode­auto Enter the at command to set network mode to auto mode
network­mode­lte Enter the at command to set network mode to lte mode
network­mode­3g Enter the at command to set network mode to 3g mode
network­mode­2g Enter the at command to set network mode to 2g mode
modem­reset Enter the at command to reset modem
<string> Enter the at command (up to 256 chars)

usbmodem modem­id <string> connect­cmd <string>

usbmodem Set parameters of usbmodem
modem­id Set modem identifier
<string> Enter the name of modem­id (1­32 chars)
connect­cmd Set a USB modem connect command and save them into USB modem db
<string> Enter the USB modem connect command (up to 256 chars)

usbmodem modem­id <string> connect­status­cmd <string> connected­pattern <string> disconnect­pattern

<string>
usbmodem Set parameters of usbmodem
modem­id Set modem identifier
<string> Enter the name of modem­id (1­32 chars)
Set a USB modem connect status AT command, the connected and disconnected status string
connect­status­cmd
pattern, and then save them into USB modem db
<string> Enter the USB modem connect status command (up to 256 chars),
connected­pattern Set a USB modem connected status string pattern
<string> Enter the connected status string pattern (up to 64 chars)
disconnect­pattern Set a USB modem disconnect status string pattern

<string> Enter the disconnect status string pattern (up to 64 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 292/315
27/4/2016 Aerohive CLI Guide
usbmodem modem­id <string> connect­type {ppp­dialup|atcmd­directip|qmi­directip}
usbmodem Set parameters of usbmodem
modem­id Set modem identifier
<string> Enter the name of modem­id (1­32 chars)
connect­type Set a USB modem connect­type and save them into USB modem db
ppp­dialup Choose the USB modem connection type as ppp­dialup
atcmd­directip Choose the USB modem connection type as atcmd­directip
qmi­directip

usbmodem modem­id <string> dialup­number [ <string> ]

usbmodem Set parameters of usbmodem
modem­id Set modem identifier
<string> Enter the name of modem­id (1­32 chars)
dialup­number Set dialup number
<string> Enter the dialup number (1­32 chars)

usbmodem modem­id <string> dialup­password [ <string> ]

usbmodem Set parameters of usbmodem
modem­id Set modem identifier
<string> Enter the name of modem­id (1­32 chars)
dialup­password Set dialup password
<string> Enter the dialup­password(1­32 chars)

usbmodem modem­id <string> dialup­username [ <string> ]

usbmodem Set parameters of usbmodem
modem­id Set modem identifier
<string> Enter the name of modem­id (1­32 chars)
dialup­username Set dialup username
<string> Enter the dialup­username(1­32 chars)

usbmodem modem­id <string> disconnect­cmd <string>

usbmodem Set parameters of usbmodem
modem­id Set modem identifier
<string> Enter the name of modem­id (1­32 chars)
disconnect­cmd Set a USB modem disconnect command and save them into USB modem db
<string> Enter the USB modem disconnect command (up to 256 chars)

usbmodem modem­id <string> usbnet {cdc­ether|sierra­net}

usbmodem Set parameters of usbmodem
modem­id Set modem identifier
<string> Enter the name of modem­id (1­32 chars)
usbnet Set the USB modem network driver info and save them into USB modem db
cdc­ether Choose the USB modem network driver as cdc­ether
sierra­net Choose the USB modem network driver as sierra­net

usbmodem modem­id <string> usbserial {option|sierra|cdc­acm}

usbmodem Set parameters of usbmodem
modem­id Set modem identifier
<string> Enter the name of modem­id (1­32 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 293/315
27/4/2016 Aerohive CLI Guide
usbserial Set the USB modem serial driver info and save them into USB modem db

option Choose the USB modem serial driver as option

sierra Choose the USB modem serial driver as sierra
cdc­acm Choose the USB modem serial driver as cdc­acm

usbmodem modem­id <string> vendor­id <string> product­id <string>

usbmodem Set parameters of usbmodem
modem­id Set modem identifier
<string> Enter the name of modem­id (1­32 chars)
vendor­id Set the USB modem vendor id
<string> Enter the USB modem vendor id (4 hex digit of each)
product­id Set the USB modem product id
<string> Enter the USB modem product id (4 hex digit of each)

usbmodem modeswitch vendor­id <string> product­id <string> message <string>

usbmodem Set parameters of usbmodem
modeswitch Set a modeswitch command for the USB modem
vendor­id Set the USB modem vendor id
<string> Enter the USB modem vendor id (4 hex digit of each)
product­id Set the USB modem product id
<string> Enter the USB modem product id (4 hex digit of each)
message Configrue the message for USB modem mode switch
<string> Enter the message for USB modem mode switch (up to 256 chars)

usbmodem network­mode {auto|lte|3g|2g}

usbmodem Set parameters of usbmodem
network­mode Set the network mode preference of the modem (Default: auto)
auto set network mode preference as automatic switching mode
lte set network mode preference as LTE only mode
3g set network mode preference as 3G only mode
2g set network mode preference as 2G only mode

usbmodem power cycle

usbmodem Set parameters of usbmodem
power Set the power action on the modem (Default: enable)
cycle Cycle usbmodem power

usbmodem power enable

usbmodem Set parameters of usbmodem
power Set the power action on the modem (Default: enable)
enable Enable usbmodem power

usbmodem reset­device
usbmodem Set parameters of usbmodem
reset­device Reset the usbmodem device

usbmodem rssi­threshold <number>

usbmodem Set parameters of usbmodem
Set the RSSI (Received Signal Strength Indicator) threshold to determine when the USB
rssi­threshold
modem signal strength LED indicates that the signal it receives is strong or weak

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 294/315
27/4/2016 Aerohive CLI Guide
<number> Enter rssi threshold (Range: ­125 ~ ­1; Default: ­82)

usbport power {auto|enable|disable}

usbport Set the USB port
power Set the power action for the USB port
Set to determine USB power enable/disable behavior automatically; if the system power­
auto mode is for 802.3at or dc, the USB power is enabled and if it is for 802.3af, the USB
port is disabled
enable Enable the USB port power regardless of the system power­mode 802.3af/at
disable Disable the USB port power

user <string>
user Add one user or change user parameters
<string> Enter the user name (1­32 chars)

user <string> group <string>

user Add one user or change user parameters
<string> Enter the user name (1­32 chars)
group Attach the user to a user­group
<string> Enter the group name (1­32 chars)

user <string> password <string>

user Add one user or change user parameters
<string> Enter the user name (1­32 chars)
password Set the password for user
<string> Enter the secret string (8­63 chars)

user­group <string>
user­group Set user group parameters
<string> Enter the user group name (1­32 chars)

user­group <string> auto­generation bulk­number <number> bulk­interval <number> <time>

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
auto­generation Generate the password automatically
bulk­number Set the user number of the bulk group
<number> Enter the user number of the bulk group (Default: 1 ; Range: 1­9999)
bulk­interval Set the interval of the bulk group
<number> Enter the day interval of the bulk group (Default: 0 day; Range: 0­365)
Enter the hour and minute interval of the bulk group(Format: hh:mm; Hour Range: 00­23;
<time>
Minute Range: 00­59)

user­group <string> auto­generation index­range <number> [ <number> ]

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
auto­generation Generate the password automatically
Set the index range for the users for whom you want to generate network access
index­range
credentials (user name, password, and PSK)
Enter the start of the index range (Range: AP120/AP121/AP141/AP170/AP110=1­4096, Others
<number>
Platforms=1­9999)
Enter the end of the index range (Range: starting index number­4096
<number>
(AP120/AP121/AP141/AP170/AP110), starting index number­9999(Others Platforms))

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 295/315
27/4/2016 Aerohive CLI Guide
user­group <string> auto­generation location <string>
user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
auto­generation Generate the password automatically
Set the user's physical location, which is combined with other factors (user name,
location
shared secret, ...) when generating the password automatically
<string> Enter the location (1­32 chars)

user­group <string> auto­generation password­length <number>

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
auto­generation Generate the password automatically
password­length Set the length of the automatically generated password
<number> Enter the password length (Range: 8­63; Default: 8)

user­group <string> auto­generation prefix <string>

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
auto­generation Generate the password automatically
prefix Set the prefix username for automatically generate password
<string> Enter the prefix (1­28 chars)

user­group <string> auto­generation revoke­user <number> [ <number> ]

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
auto­generation Generate the password automatically
revoke­user Set the index range for the revoked users
<number> Enter the start of the index range (Range: 1­1024)
<number> Enter the end of the index range (Range: starting index number­1024)

user­group <string> auto­generation schedule <string>

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
auto­generation Generate the password automatically
schedule Bind a schedule to change password automatically by it
<string> Enter the name of the schedule (1­32 chars)

user­group <string> auto­generation shared­secret <string>

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
auto­generation Generate the password automatically
Set the shared secret that is combined with other factors (user name, location, ...)
shared­secret
when generating the password automatically
<string> Enter the shared secret (1­64 chars)

user­group <string> cache­mode {temporary|mandatory}

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
cache­mode Set user­group cache mode
temporary Set user­group cache mode to temporary

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 296/315
27/4/2016 Aerohive CLI Guide
mandatory Set user­group cache mode to mandatory

user­group <string> expired­time <date/time>

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
expired­time Set the end of the time period during which the PSK is valid
Enter the date and time when the PSK expires (Format: YYYY­MM­DD/hh:mm:ss; Range: 1970­
<date/time>
01­01 to 2035­12­31/hh (00­23), mm (000­59), ss (000­59))

user­group <string> password­generation­method {manual|auto}

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
password­generation­
Set password generation method for the user group
method
manual Set password generation method to manual
auto Set password generation method to auto

user­group <string> pmk­auto­save

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
pmk­auto­save Enable automatically save PMK to flash

user­group <string> psk­format character­pattern {letters|digits|special­characters}

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
psk­format Set the format parameters for creating individual user PSKs (preshared keys)
Set the types of characters that can be used in automatically generated and manually
character­pattern
configured PSKs and how the character types can be combined
letters Use letters in PSKs
digits Use digits in PSKs
special­characters Use special characters in PSKs

user­group <string> psk­format combo­pattern {or|and|no}

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
psk­format Set the format parameters for creating individual user PSKs (preshared keys)
combo­pattern Set the way in which various types of characters can be combined in PSKs
or Include one character type or a combination of different types in the PSKs (Default)
and Include a combination of all specified character types in the PSKs
Include one character type in the PSKs (Note: If you specify multiple character types
no and set this option, only letters are used, if specified. If not, then only digits are
used.)

user­group <string> psk­format version {0|1}

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
psk­format Set the format parameters for creating individual user PSKs (preshared keys)
version Set the algorithm version
0 Use old algorithm version (Default)
1 Use version 1 algorithm

user­group <string> psk­generation­method username­and­password concatenated­characters <string>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 297/315
27/4/2016 Aerohive CLI Guide

user­group Set user group parameters

<string> Enter the user group name (1­32 chars)
Set the elements from which the private PSK will be derived: password only or username
psk­generation­method
and password
username­and­password Set private­PSK generation method to username­and­password
concatenated­ Set format for concatenating the characters in the PSK that comprises a user name and
characters password
Enter the characters used to concatenate the user name and password (Default: None;
<string>
Range: 1­8 chars)

user­group <string> psk­generation­method {password­only|username­and­password}

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
Set the elements from which the private PSK will be derived: password only or username
psk­generation­method
and password
password­only Set private­PSK generation method to password­only (Default)
username­and­password Set private­PSK generation method to username­and­password

user­group <string> reauth­interval <number>

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
reauth­interval Set an interval after which a user in an ongoing RADIUS session must reauthenticate
Enter the length of time in seconds before reauthentication (Default: 1800; Range: 600­
<number>
86400, or 0 to remove the user reauthentication requirement)

user­group <string> start­time <date/time>

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
start­time Set the start of the time period during which the PSK is valid
Enter the start date and time of the date (Format: YYYY­MM­DD/hh:mm:ss; Range: 1970­01­
<date/time>
01 to 2035­12­31/hh (00­23), mm (000­59), ss (000­59))

user­group <string> user­attribute <number>

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
user­attribute Set a RADIUS attribute or a range of attributes to the user group
<number> Enter a numeric value for a single RADIUS attribute (Default: none; Range: 0­4095)

user­group <string> vlan­id <number>

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
vlan­id Set a VLAN ID for the user group
<number> Enter the default VLAN ID for the user group (Default: none; Range: 1­4094)

user­group <string> voice­device

user­group Set user group parameters
<string> Enter the user group name (1­32 chars)
Set the local device, when functioning as a RADIUS server, to return the voice­device
voice­device attribute when authenticating members of this user group (Note: This attribute is
required to support certain IP phones.)

user­profile <string> [ qos­policy <string> ] [ vlan­id <number> ] [ mobility­policy <string> ] [

attribute <number> [ ­ <number> ] ]

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 298/315
27/4/2016 Aerohive CLI Guide
user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
qos­policy Assign QoS policy to the user profile
<string> Enter the QoS policy name (1­32 chars)
vlan­id Set the default VLAN ID for the user profile
<number> Enter the default VLAN ID for the user profile (Range: 1­4094)
mobility­policy Assign mobility policy to the user profile
<string> Enter the mobility policy name (1­32 chars)
attribute Map a RADIUS attribute or a range of attributes to the user profile
Enter a numeric value for a single RADIUS attribute or the starting value for a range
<number>
(Range: 0­4095)
­ Set a range of RADIUS attributes
<number> Enter the ending value for a RADIUS attribute range (Range: 0­4095)

user­profile <string> cac airtime­percentage <number> [ share­time ]

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
Set CAC (Call Admission Control) parameters for regulating the admission of new VoIP
cac
calls
Set the percentage of airtime reserved for the VoIP calls of users belonging to the user
airtime­percentage
profile
<number> Enter the percentage (Range: 0­100; Default: 0)
Enable the user profile to share any unused airtime with other user profiles (Default:
share­time
Disabled)

user­profile <string> deny­action­for­schedule {ban|quarantine}

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
deny­action­for­
Set the deny action for schedule (Default: ban)
schedule
Prevent the client from connecting to the AP permanently during the scheduled time frame
ban if not in the schedule (Note: If you ban a client, then you cannot grant that client
access to the AP afterward.)
Prevent the client from connecting to the network temporarily if not in the schedule
quarantine (Note: When you quarantine a client, then you can allow client traffic afterward by
changing the permissions from deny to permit.)

user­profile <string> ip­policy­default­action {permit|deny|inter­station­traffic­drop}

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
ip­policy­default­
Set the IP policy default action for the user profile
action
permit Set the default action to permit
deny Set the default action to deny
inter­station­traffic­ Set the action to drop traffic between stations if they are both associated with one or
drop more members of the same hive (Default: deny)

user­profile <string> ip­policy­redirect­url <string>

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
ip­policy­redirect­url Set the redirect URL
<string> Enter the URL(max length is 256)

user­profile <string> l3­tunnel­action {all|with­exception|split|drop­tunnel­traffic}

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 299/315
27/4/2016 Aerohive CLI Guide
user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
l3­tunnel­action Set the behavior for routing traffic through Layer3 VPN tunnels (Default: split)
all Tunnel all outbound traffic to the VPN gateway
Tunnel all outbound traffic to the VPN gateway other than that listed as a Layer3 tunnel
with­exception
exception
Tunnel traffic whose destination is the network behind the VPN gateway and forward all
split
other outbound traffic to the default gateway defined on the branch router
drop­tunnel­traffic Drop all traffic whose destination is the network behind the VPN gateway

user­profile <string> mac­policy­default­action {permit|deny}

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
mac­policy­default­
Set the MAC policy default action for the user profile
action
permit Set the default action to permit
deny Set the default action to deny

user­profile <string> qos­marker­map {diffserv|8021p} <string>

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
qos­marker­map Assign a QoS marker­map to the user profile
diffserv diffserv marker­map
8021p 802.1p marker mapMap
<string> Enter the QoS marker­map name (1­32 chars)

user­profile <string> schedule <string>

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
schedule Set a schedule during which the HiveAP will apply the user profile
<string> Enter a schedule name (1­32 chars)

user­profile <string> security deny {ipv4|ipv6}

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
security Set the security parameters for the user profile
deny Set the deny action to block IPv4 or IPv6 traffic belonging to the user profile
ipv4 Choose IPv4 traffic to block
ipv6 Choose IPv6 traffic to block

user­profile <string> security ip­policy [ from­access <string> ] [ to­access <string> ]

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
security Set the security parameters for the user profile
Apply Layer 3 IP firewall policies to traffic belonging to the user profile that is
ip­policy
received and transmitted on an access interface
from­access Set the IP policy for traffic from wired or wireless clients
<string> Enter the name of a previously defined IP firewall policy
to­access
Set the IP policy for traffic transmitted to wired or wireless clients

<string> Enter the name of a previously defined IP firewall policy

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 300/315
27/4/2016 Aerohive CLI Guide
user­profile <string> security mac­policy [ from­access <string> ] [ to­access <string> ]
user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
security Set the security parameters for the user profile
Apply Layer 2 MAC firewall policies to traffic belonging to the user profile that is
mac­policy
received and transmitted on an access interface
from­access Set the MAC policy for traffic from wired or wireless clients
<string> Enter the name of a previously defined MAC firewall policy
to­access Set the MAC policy for traffic transmitted to wired or wireless clients
<string> Enter the name of a previously defined MAC firewall policy

user­profile <string> tunnel­policy <string>

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
tunnel­policy Set the tunnel policy to apply to traffic belonging to members of the user profile
<string> Enter the name of the tunnel policy name (1­32 chars)

user­profile <string> vlan­group <string>

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
vlan­group Set the VLAN group for the user profile
<string> Enter the VLAN group name (1­32 chars)

user­profile <string> {after|before} <string>

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
after Move the user profile after another user profile
before Move the user profile before another user profile
<string> Enter the user profile name (1­32 chars)

user­profile <string> {performance­sentinel} action {log|boost}

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
performance­sentinel Set performance sentinel parameters to moderate client throughput
action Set an action to take in response to a performance sentinel violation
log Generate a log entry about the performance sentinel violation (Default: Log)
Increase the performance available for clients so they can obtain their minimum
boost
guaranteed bandwidth (Default: Log)

user­profile <string> {performance­sentinel} enable

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
performance­sentinel Set performance sentinel parameters to moderate client throughput
enable Enable performance sentinel (Default: Disabled)

user­profile <string> {performance­sentinel} guaranteed­bandwidth <number>

user­profile Set parameters for a user profile
<string> Enter the user profile name (1­32 chars)
performance­sentinel Set performance sentinel parameters to moderate client throughput
guaranteed­bandwidth Set the minimum guaranteed bandwidth per user

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 301/315
27/4/2016 Aerohive CLI Guide
<number> Enter the minimum guaranteed bandwidth (Default: 500 Kbps; Range: 100­500000)

user­profile­policy <string>
user­profile­policy Set the user profile mapping policy
<string> Enter a policy name (1­32 chars)

user­profile­policy <string> action­for­upid­change {switch|sustain|ignore}

user­profile­policy Set the user profile mapping policy
<string> Enter a policy name (1­32 chars)
action­for­upid­change Set the process used to change the user profile attribute ID (Default: ignore)
Change the user profile ID immediately, and if the VLAN must be changed, then disconnect
switch
the station from the network
Change the user profile ID immediately, but do not change the VLAN until the managed
sustain
mobile device reconnects to the network
Do not change the user profile ID nor the VLAN until the managed mobile device
ignore
reconnects to the network

user­profile­policy <string> mdm­timeout <number>

user­profile­policy Set the user profile mapping policy
<string> Enter a policy name (1­32 chars)
mdm­timeout Set the time span during which an MDM query remains valid
<number> Enter the timeout in seconds (Range: 1­300; Default: 10)

user­profile­policy <string> rule <number> auth­attrs <string>

user­profile­policy Set the user profile mapping policy
<string> Enter a policy name (1­32 chars)
rule Set a rule for user profile mapping policy
<number> Enter the rule number (Range: 1­16)
Set the attribute value list that the authentication process must return for this test
auth­attrs
condition to be true
<string> Enter auth user profile attribute ID list (1­32 chars)

user­profile­policy <string> rule <number> device­location <string>

user­profile­policy Set the user profile mapping policy
<string> Enter a policy name (1­32 chars)
rule Set a rule for user profile mapping policy
<number> Enter the rule number (Range: 1­16)
Set the device location value that must match the value contained in the location field
device­location
of the device for this test condition to be true
<string> Enter the device location (1­128 chars)

user­profile­policy <string> rule <number> group­name <string>

user­profile­policy Set the user profile mapping policy
<string> Enter a policy name (1­32 chars)
rule Set a rule for user profile mapping policy
<number> Enter the rule number (Range: 1­16)
Set the group name that the authentication process must return for this test condition
group­name
to be true
<string> Enter group name (1­32 chars)

user­profile­policy <string> rule <number> mac­object <string>

user­profile­policy Set the user profile mapping policy

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 302/315
27/4/2016 Aerohive CLI Guide
<string> Enter a policy name (1­32 chars
rule Set a rule for user profile mapping policy
<number> Enter the rule number (Range: 1­16)
Set the MAC object name that the authentication process must return for this test
mac­object
condition to be true
<string> Enter MAC object name (1­32 chars)

user­profile­policy <string> rule <number> mdm­object <string>

user­profile­policy Set the user profile mapping policy
<string> Enter a policy name (1­32 chars)
rule Set a rule for user profile mapping policy
<number> Enter the rule number (Range: 1­16)
mdm­object Set the value that must match the configured MDM object name
<string> Enter the MDM object name (1­32 chars)

user­profile­policy <string> rule <number> os­object <string>

user­profile­policy Set the user profile mapping policy
<string> Enter a policy name (1­32 chars)
rule Set a rule for user profile mapping policy
<number> Enter the rule number (Range: 1­16)
Set the OS object name that the authentication process must return for this test
os­object
condition to be true
<string> Enter OS object name (1­32 chars)

user­profile­policy <string> rule <number> time­object <string>

user­profile­policy Set the user profile mapping policy
<string> Enter a policy name (1­32 chars)
rule Set a rule for user profile mapping policy
<number> Enter the rule number (Range: 1­16)
time­object Set the time object name
<string> Enter the time object name (1­32 chars)

user­profile­policy <string> rule <number> user­profile­attr­id <number>

user­profile­policy Set the user profile mapping policy
<string> Enter a policy name (1­32 chars)
rule Set a rule for user profile mapping policy
<number> Enter the rule number (Range: 1­16)
Set the new attribute number to which the user profile changes if the tests of this rule
user­profile­attr­id
match the actual network conditions
<number> Enter a user profile attribute ID (Range: 0­4095)

vlan­group <string> <number> [ <number> ]

vlan­group Set a VLAN group
<string> Enter the VLAN group name (1­32 chars)
Add a VLAN ID to the group (Range: 1­4094; Note: If you are defining a range of VLANs,
<number>
this is the starting point of that range.)
<number> Enter the last VLAN ID in the range (Range: 1­4094)

vpn client­ip­pool <string> local <ip_addr> <ip_addr> netmask <ip_addr>

vpn Set parameters for VPN (virtual private network) tunneling
Set an IP pool from which the HiveAP assigns addresses to VPN clients (Note: Only set
client­ip­pool this command on a HiveAP acting as a VPN server.)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 303/315
27/4/2016 Aerohive CLI Guide

<string> Enter the client IP pool name (1­32 chars)

local Set the client IP pool on the local HiveAP
<ip_addr> Enter the IP address at the start of the address range in the pool
<ip_addr> Enter the IP address at the end of the address range in the pool
netmask Set the netmask for the IP addresses in the pool
<ip_addr> Enter the netmask

vpn ipsec­tunnel <string> client­list <string> [ client­ip­pool <string> dns­server <ip_addr> ]

vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
client­list Specify a list of VPN clients to check during Xauth authentication
<string> Enter the name of the VPN client list (1­32 chars)
Specify the VPN client IP pool used when assigning an IP address to the tunnel interface
client­ip­pool on a VPN client (Note: This is required for a layer­2 VPN and optional for a layer­3
VPN.)
<string> Enter the name of the IP pool (1­32 chars)
Set the DNS server address that VPN clients can use to resolve domain names on the VPN
dns­server server network (Note: This is required for a layer­2 VPN and optional for a layer­3
VPN.)
<ip_addr> Enter the IP address of the DNS server

vpn ipsec­tunnel <string> dpd idle­interval <number> retry <number> retry­interval <number>
vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
dpd Set DPD (Dead Peer Detection) parameters for the IPsec tunnel
idle­interval Set the interval for sending DPD R­U­There messages
<number> Enter the interval in seconds (Range: 0­65535; Default: 10; Note: 0 disables DPD)
Set the number of times to retry sending a DPD R­U­There message when it does not elicit
retry
a response
<number> Enter the number of messages to retry sending (Range: 1­65535; Default: 5)
retry­interval Set the interval for resending DPD R­U­There messages
<number> Enter the retry interval in seconds (Range: 1­60; Default: 3)

vpn ipsec­tunnel <string> gateway <ip_addr> client­name <string> password <string>

vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
Set the address of the IKE gateway at the server end of the VPN tunnel (Note: Only
gateway
define an IKE gateway on VPN clients.)
<ip_addr> Enter an IKE gateway address
Set the name that the VPN client uses to authenticate itself to the VPN server using
client­name
Xauth
<string> Enter the client name (8­32 chars)
Set password that the VPN client uses to authenticate itself to the VPN server using
password
Xauth
<string> Enter the password string (16­32 chars)

vpn ipsec­tunnel <string> ike phase1 auth­method {hybrid|rsa­sig|psk}

vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 304/315
27/4/2016 Aerohive CLI Guide
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
ike Set IKE (Internet Key Exchange) parameters
phase1 Set IKE phase 1 parameters
auth­method Set the authentication method for IKE phase 1 negotiations
Set peer authentication in hybrid mode (Default: Hybrid mode, in which the VPN server
hybrid authenticates itself with an RSA signature and the client authenticates itself through
Xauth.)
Set both VPN peers­­server and client­­to authenticate themselves with RSA signatures
rsa­sig
(Default: Hybrid mode)
psk Set both VPN peers­­server and client­­to authenticate themselves with a preshared key

vpn ipsec­tunnel <string> ike phase1 dh­group {group1|group2|group5}

vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
ike Set IKE (Internet Key Exchange) parameters
phase1 Set IKE phase 1 parameters
dh­group Set the Diffie­Hellman group for generating a shared key during phase 1 negotiations
group1 Use Diffie­Hellman group 1 (Default: Diffie­Hellman group 2)
group2 Use Diffie­Hellman group 2 (Default: Diffie­Hellman group 2)
group5 Use Diffie­Hellman group 5 (Default: Diffie­Hellman group 2)

vpn ipsec­tunnel <string> ike phase1 mode {main|aggressive}

vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
ike Set IKE (Internet Key Exchange) parameters
phase1 Set IKE phase 1 parameters
mode Set the mode of IKE phase1
main Main mode performs three two­way exchanges totaling six packets
aggressive two exchanges take place totaling three packets

vpn ipsec­tunnel <string> ike phase1 psk <string>

vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
ike Set IKE (Internet Key Exchange) parameters
phase1 Set IKE phase 1 parameters
psk Set the preshared key used for VPN peer authentication
<string> Enter the preshared key string (1­128 chars)

vpn ipsec­tunnel <string> ike phase2 pfs­group {no­pfs|group1|group2|group5}

vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
ike Set IKE (Internet Key Exchange) parameters
phase2 Set IKE phase 2 parameters
pfs­group Set the PFS (perfect forward secrecy) parameters for phase 2 negotiations
Do not perform a second Diffie­Hellman key exchange during phase 2 negotiations
no­pfs
(Default: Diffie­Hellman group 2)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 305/315
27/4/2016 Aerohive CLI Guide
group1 Use Diffie­Hellman group 1 (Default: Diffie­Hellman group 2)
group2 Use Diffie­Hellman group 2 (Default: Diffie­Hellman group 2)
group5 Use Diffie­Hellman group 5 (Default: Diffie­Hellman group 2)

vpn ipsec­tunnel <string> ike {phase1|phase2} encryption­algorithm {3des|aes128|aes192|aes256}

vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
ike Set IKE (Internet Key Exchange) parameters
phase1 Set IKE phase 1 parameters
phase2 Set IKE phase 2 parameters
encryption­algorithm Set the encryption algorithm
Use 3DES (Triple DES, Data Encryption Standard) as the encryption algorithm (Default:
3des
AES­128)
Use AES (Advanced Encryption Standard) with a 128­bit key as the encryption algorithm
aes128
(Default: AES­128)
aes192 Use AES with a 192­bit key as the encryption algorithm (Default: AES­128)
aes256 Use AES with a 256­bit key as the encryption algorithm (Default: AES­128)

vpn ipsec­tunnel <string> ike {phase1|phase2} hash {md5|sha1}

vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
ike Set IKE (Internet Key Exchange) parameters
phase1 Set IKE phase 1 parameters
phase2 Set IKE phase 2 parameters
hash Set the IKE hash algorithm
md5 Use MD­5 (Message Digest, version 5) as the hash algorithm (Default: SHA­1)
sha1 Use SHA­1 (Secure Hash Algorithm) as the hash algorithm (Default: SHA­1)

vpn ipsec­tunnel <string> ike {phase1|phase2} lifetime <number>

vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
ike Set IKE (Internet Key Exchange) parameters
phase1 Set IKE phase 1 parameters
phase2 Set IKE phase 2 parameters
Set the SA (security association) lifetime (Note: Before the SA expires, the
lifetime
authentication and encryption keys are automatically refreshed with new ones.)
Enter the SA expiration time in seconds (Range: 180­10000000;Phase 1 Default: 86400;
<number>
Phase 2 Default: 3600 )

vpn ipsec­tunnel <string> local­ike­id {asn1dn|address|fqdn|ufqdn|keyid} <string>

vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
local­ike­id Set the IKE identity for the local HiveAP
Set the IKE identity type as an ASN.1 DN (Abstract Syntax Notation One Distinguished
asn1dn
Name; Example: C=US, ST=CA, L=SF, O=Aerohive, OU=Sales, CN=PaulSmith)
address Set the IKE identity type as an IP address (Example: 10.1.1.5)
Set the IKE identity type as an FQDN (fully qualified domain name; Example:
fqdn
www.aerohive.com)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 306/315
27/4/2016 Aerohive CLI Guide
ufqdn Set the IKE identity type as a user FQDN (Example: psmith@aerohive.com)
keyid Set the IKE identity type as a keyid (Example: tunnel­group­name as test)
Enter the IP address, or user FQDN (email address), or FQDN, or ASN.1 DN (1­128 chars)
<string>
or KEYID (1­32 chars)

vpn ipsec­tunnel <string> nat­policy <string>

vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
nat­policy Enable NAT (network address translation) policy on the interface
<string> Enter ip nat policy name (1­32 chars)

vpn ipsec­tunnel <string> nat­traversal enable

vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
nat­traversal Set the VPN to be able to traverse NAT devices encountered along its data path
enable Enable NAT traversal (Default: Enabled)

vpn ipsec­tunnel <string> peer­ike­id {asn1dn|address|fqdn|ufqdn} <string>

vpn Set parameters for VPN (virtual private network) tunneling
ipsec­tunnel Set IPsec tunnel parameters
<string> Enter the name of the IPsec tunnel entry (1­32 chars)
peer­ike­id Set IKE identity for the remote VPN peer
Set the IKE identity type as an ASN.1 DN (Abstract Syntax Notation One Distinguished
asn1dn
Name; Example: C=US, ST=CA, L=SF, O=Aerohive, OU=Sales, CN=PaulSmith)
address Set the IKE identity type as an IP address (Example: 10.1.1.5)
Set the IKE identity type as an FQDN (fully qualified domain name; Example:
fqdn
www.aerohive.com)
ufqdn Set the IKE identity type as a user FQDN (Example: psmith@aerohive.com)
<string> Enter the IP address, or user FQDN (email address), or FQDN, or ASN.1 DN (1­128 chars)

vpn l3­tunnel­exception <ip_addr|ip_addr/mask|string>

vpn Set parameters for VPN (virtual private network) tunneling
Set a destination to which outbound traffic is forwarded to the default gateway on the
branch router instead of being tunneled to the VPN gateway (Note: Only set a layer­3
l3­tunnel­exception
tunnel exception if all outbound traffic is being tunneled but you want to forward
traffic directly to just a few select locations.)
Enter the domain name or host name (1­32 chars) or the IP address of the destination or
<ip_addr>
the subnet of the destination
Enter the domain name or host name (1­32 chars) or the IP address of the destination or
<ip_addr/netmask>
the subnet of the destination
Enter the domain name or host name (1­32 chars) or the IP address of the destination or
<string>
the subnet of the destination

vpn tunnel­policy <string> client ipsec­tunnel <string> [ primary ]

vpn Set parameters for VPN (virtual private network) tunneling
tunnel­policy Set the IPsec tunnel policy
<string> Enter a tunnel policy name (1­32 chars)
client Set the tunnel policy for a VPN client
ipsec­tunnel Set the IPsec tunnel entry to use in the tunnel policy
<string> Enter the IPsec tunnel entry name (1­32 chars)
primary Set the VPN entry as the primary VPN gateway

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 307/315
27/4/2016 Aerohive CLI Guide
vpn tunnel­policy <string> password <string>
vpn Set parameters for VPN (virtual private network) tunneling
tunnel­policy Set the IPsec tunnel policy
<string> Enter a tunnel policy name (1­32 chars)
Set the password for the GRE tunnel check (Note: The password on the server and client
password
must match for the GRE tunnel check to succeed.)
<string> Enter a password (8­32 chars)

vpn tunnel­policy <string> server ipsec­tunnel <string>

vpn Set parameters for VPN (virtual private network) tunneling
tunnel­policy Set the IPsec tunnel policy
<string> Enter a tunnel policy name (1­32 chars)
server Set the tunnel policy for a VPN server
ipsec­tunnel Set the IPsec tunnel entry to use in the tunnel policy
<string> Enter the IPsec tunnel entry name (1­32 chars)

vpn xauth­client­list <string> client­name <string> password <string>

vpn Set parameters for VPN (virtual private network) tunneling
xauth­client­list Set a list of VPN client names and passwords for Xauth
<string> Set a VPN client list name
client­name Set a VPN client name
<string> Enter the VPN client name (1­32 chars)
password Set the password for the VPN client
<string> Enter the password (8­32 chars)

vpn xauth­client­list <string> local

vpn Set parameters for VPN (virtual private network) tunneling
xauth­client­list Set a list of VPN client names and passwords for Xauth
<string> Set a VPN client list name
local Set the location of the client list on the local HiveAP (Default: local)

vpn {client­ipsec­tunnel|server­ipsec­tunnel} <string> [ vpn­mode {layer­2|layer­3} ]

vpn Set parameters for VPN (virtual private network) tunneling
client­ipsec­tunnel Set the local HiveAP as a client that builds an IPsec tunnel to the VPN server
server­ipsec­tunnel Set the local HiveAP as the VPN server to which remote HiveAPs build IPsec tunnels
<string> Enter the name of a VPN tunnel entry (1­32 chars)
Set the packet­forwarding mode of the VPN tunnel (Default: Use a layer 2 packet­
vpn­mode
forwarding mechanism)
layer­2 Forward packets through the VPN tunnel based on MAC (layer 2) tunnel policies
layer­3 Forward packets through the VPN tunnel based on IP (layer 3) routing decisions

web­directory <string> link­to­resources <string> <string>

web­directory Create a web directory for the internal web server
Enter the name of the web directory to store files used by a captive web portal or, when
<string>
preceded by "ppsk­self­reg", for use with private PSK self­registration (1­32 chars)
Create a link to a web directory whose content can be shared by all captive web portals
link­to­resources
or to a specific file in that shared directory
Enter the name of the link (Max: 32 chars; Note: Each web directory includes a default
<string>
link called "shared" that points to a predefined directory named "shared".)
<string> Enter the name of the target directory (Max: 32 chars; Example: shared)

web­directory [ {ppsk­self­reg} ] <string>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 308/315
27/4/2016 Aerohive CLI Guide

web­directory Create a web directory for the internal web server

Create a web directory for the private PSK server to use when receiving self­
ppsk­self­reg
registration requests
Enter the name of the web directory to store files used by a captive web portal or, when
<string>
preceded by "ppsk­self­reg", for use with private PSK self­registration (1­32 chars)

web­security­proxy client­info­collection enable

Proxy HTTP and HTTPS traffic bound for the Internet to a web security server for
web­security­proxy
filtering
client­info­collection Collect client information and send it DNS server
enable Enable the client information collection function (Default: Disabled)

web­security­proxy websense­v1 account­key <string>

Proxy HTTP and HTTPS traffic bound for the Internet to a web security server for
web­security­proxy
filtering
websense­v1 Use the Websense web filtering solution
account­key Set the encryption key for your Websense customer account
<string> Enter the key (32 chars)

web­security­proxy {websense­v1|barracuda­v1} account­id <string>

Proxy HTTP and HTTPS traffic bound for the Internet to a web security server for
web­security­proxy
filtering
websense­v1 Use the Websense web filtering solution
barracuda­v1 Use the Barracuda Networks web filtering solution
account­id Set the customer account ID for the web security service
<string> Enter the account ID (1­64 chars)

web­security­proxy {websense­v1|barracuda­v1} default­domain <string>

Proxy HTTP and HTTPS traffic bound for the Internet to a web security server for
web­security­proxy
filtering
websense­v1 Use the Websense web filtering solution
barracuda­v1 Use the Barracuda Networks web filtering solution
Set the default domain to send to the web security server when a domain cannot be
default­domain
retrieved from the user authentication process
<string> Enter the domain name (1­32 chars)

web­security­proxy {websense­v1|barracuda­v1} default­username <string>

Proxy HTTP and HTTPS traffic bound for the Internet to a web security server for
web­security­proxy
filtering
websense­v1 Use the Websense web filtering solution
barracuda­v1 Use the Barracuda Networks web filtering solution
Set the default user name to send to the web security server when a name cannot be
default­username retrieved from the user authentication process (Note: The server uses the account ID and
user name to determine which filtering policy to apply.)
<string> Enter the user name (1­32 chars)

web­security­proxy {websense­v1|barracuda­v1} enable

Proxy HTTP and HTTPS traffic bound for the Internet to a web security server for
web­security­proxy
filtering
websense­v1 Use the Websense web filtering solution
barracuda­v1 Use the Barracuda Networks web filtering solution
Enable the proxying of HTTP and HTTPS sessions to a web security server (Default:
enable
Disabled)

web­security­proxy {websense­v1|barracuda­v1} http­proxy­host <string>

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 309/315
27/4/2016 Aerohive CLI Guide
Proxy HTTP and HTTPS traffic bound for the Internet to a web security server for
web­security­proxy
filtering
websense­v1 Use the Websense web filtering solution
barracuda­v1 Use the Barracuda Networks web filtering solution
Set the domain name or IP address of the web security server to which HTTP packets are
http­proxy­host
proxied
<string> Enter the domain name or IP address of the server (1­64 chars)

web­security­proxy {websense­v1|barracuda­v1} http­proxy­port <port>

Proxy HTTP and HTTPS traffic bound for the Internet to a web security server for
web­security­proxy
filtering
websense­v1 Use the Websense web filtering solution
barracuda­v1 Use the Barracuda Networks web filtering solution
http­proxy­port Set the port number to which HTTP packets are proxied for web filtering
<port> [1~65535]Enter the port number (Range: 1­65535; Default: 8080)

web­security­proxy {websense­v1|barracuda­v1} https­proxy­host <string>

Proxy HTTP and HTTPS traffic bound for the Internet to a web security server for
web­security­proxy
filtering
websense­v1 Use the Websense web filtering solution
barracuda­v1 Use the Barracuda Networks web filtering solution
Set the domain name or IP address of the web security server to which HTTPS packets are
https­proxy­host
proxied
<string> Enter the domain name or IP address of the server (1­64 chars)

web­security­proxy {websense­v1|barracuda­v1} https­proxy­port <port>

Proxy HTTP and HTTPS traffic bound for the Internet to a web security server for
web­security­proxy
filtering
websense­v1 Use the Websense web filtering solution
barracuda­v1 Use the Barracuda Networks web filtering solution
https­proxy­port Set the port number to which HTTPS packets are proxied for web filtering
<port> [1~65535]Enter the port number (Range: 1­65535; Default: 8443)

web­security­proxy {websense­v1|barracuda­v1} subnet <ip_addr/netmask> [ action­if­unreachable

{allow|block} ]
Proxy HTTP and HTTPS traffic bound for the Internet to a web security server for
web­security­proxy
filtering
websense­v1 Use the Websense web filtering solution
barracuda­v1 Use the Barracuda Networks web filtering solution
subnet Set the subnet from which HTTP and HTTPS traffic are proxied for web filtering
<ip_addr/netmask> Enter the IP address/netmask for the source subnet
Set the action if connectivity from this subnet to the web security server is lost
action­if­unreachable
(Default: Block unfiltered HTTP and HTTPS traffic)
Allow unfiltered outbound HTTP and HTTPS traffic if connectivity to the web security
allow
server is lost
Block unfiltered outbound HTTP and HTTPS traffic if connectivity to the web security
block
server is lost

web­security­proxy {websense­v1|barracuda­v1} whitelist <string>

Proxy HTTP and HTTPS traffic bound for the Internet to a web security server for
web­security­proxy
filtering
websense­v1 Use the Websense web filtering solution
barracuda­v1 Use the Barracuda Networks web filtering solution
Set the FQDN or domain suffix for destinations to which HTTP packets will not be proxied
whitelist
(Note: The whitelist can have up to 32 entries.)
<string> Enter the FQDN or domain name suffix to be added to the whitelist (1­64 chars)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 310/315
27/4/2016 Aerohive CLI Guide

Accessing and Using the CLI

Through the Aerohive CLI, you can log in to a HiveAP and perform the following operations:

Configure firmware features and hardware components

View settings
View and clear dynamically generated data
Update firmware
Save a configuration to and from the device
Reset the device

To access the CLI, you can make a direct serial connection through the console port (on HiveAP models that have one) or a Telnet or SSH
connection over the network through the Ethernet interface or an SSID on a Wifi subinterface to the mgt0 interface. Each method is
described in the following sections:

Using the Console Port

Using Telnet
Using SSH

For an introduction to the CLI and some useful tips, see the following sections:

Using the Aerohive CLI

Exploring the CLI
Searching for a Text String
Filtering Command Output
Using Command Line Completion
Useful Keyboard Shortcuts

Using the Console Port

You can make a direct serial connection from your management system to the HiveAP and log in to the CLI. For details and pin assignments,
see the Aerohive Deployment Guide. Follow these steps:

1. Connect the power cable to the HiveAP and turn on the power.
2. Depending on the HiveAP model, connect one end of an RS‐232 (or "null modem") serial cable or an RJ‐45‐to‐DB‐9 serial cable to the
serial port (or Com port) on your management system.
3. Connect the other end of the cable to the console port on the HiveAP.
4. On your management system, run a VT100 terminal emulation program, such as Tera Term Pro (a free terminal emulator) or Hilgraeve
Hyperterminal (provided with Windows operating systems). Use the following settings:

Bits per second (baud rate):9600

Data bits: 8
Parity: none
Stop bits: 1
Flow control: none

5. Press the ENTER key to see the login prompt.

6. Log in using the default user name admin and passwordaerohive.

Using Telnet

You can make a Telnet connection from your management system to the HiveAP across an Ethernet or WiFi network (or even just across an
Ethernet cable between your management system and the HiveAP). Because Telnet uses a client/server relationship, you need a Telnet
client on your management system. (All Windows operating systems include a Telnet client.) The client connects to the Telnet server on
the HiveAP using TCP port 23.

Because a Telnet connection requires that the HiveAP already have an IP address, you must first make a serial connection to the device and
assign it an address using the interface command:

interface mgt0 ip_addr netmask

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 311/315
27/4/2016 Aerohive CLI Guide
where ip_addr netmask define an address on the network that is accessible from your management system. See "Using the Console Port".

By default, Telnet manageability is disabled on HiveAPs. You must first access the HiveAP by another means‐ console, SSH, HiveManager, or
a management AP‐and enable it. Use the following commands to enable Telnet through an Ethernet interface and through an SSID (for
wireless Telnet access):

interface { eth0 | eth1 } manage telnet

ssid <string> manage telnet

1. With the HiveAP connected to a power source, connect an Ethernet cable from the Ethernet port on the HiveAP to a switch that is on
the same network as your management system. Optionally, you can connect the Ethernet cable from the HiveAP directly to your
management system.

Note: Because the Ethernet port on the HiveAP is autosensing, the cable can have either straight‐through or cross‐over wiring. For
details, see the Aerohive Deployment Guide.

After you have created an SSID and enabled Telnet access to the mgt0 interface through that SSID, you can form a wireless association with
the HiveAP and use Telnet to access the CLI wirelessly.

2. On your management system, run the Telnet client and connect to the Telnet server on the HiveAP. In Windows, for example, do the
following:

1. Click Start > Run.

2. In the command prompt, type telnet, and then click OK.

The following appears:

Welcome to Microsoft Telnet Client

Escape Character is 'CTRL+]'

Microsoft Telnet>

3. At the Microsoft Telnet> prompt, enter the IP address of the mgt0 interface, and then press Enter. The Telnet client on the
management system connects to the Telnet server on the HiveAP. The login prompt appears.

3. Log in using your user name and password. The default user name is admin and the default password is aerohive.

Using SSH

You can make an SSH2 (Secure Shell version 2) connection from an SSH client on your management system to the SSH server on the HiveAP
across an Ethernet or WiFi network. SSH allows you to open a remote command shell securely and run commands on the SSH server. You
need an SSHv2 client, such as puTTY (a free SSHv2 client), on your management system. The client connects to the SSHv2 server on the
HiveAP using TCP port 22.

Because an SSH connection requires that the HiveAP already have an IP address, you must first make a serial connection to the device and
assign it an address using the interface command:

interface mgt0 ip_addr netmask

where ip_addr netmask define an address on the network that is accessible from your management system. See "Using the Console Port".
By default, SSH manageability is enabled on Ethernet interfaces and SSIDs.

1. With the HiveAP connected to a power source, connect an Ethernet cable from the Ethernet port on the HiveAP to a switch that is on
the same network as your management system. Optionally, you can connect the Ethernet cable from the HiveAP directly to your
management system.

Note: Because the Ethernet port on the HiveAP is autosensing, the cable can have either straight‐through or cross‐over wiring. For
details, see the Aerohive Deployment Guide.

After you have created an SSID, you can form a wireless association with the HiveAP and use SSH to access the CLI wirelessly.

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 312/315
27/4/2016 Aerohive CLI Guide
2. On your management system, run the SSHv2 client and connect to the SSHv2 server on the HiveAP. Using puTTY, for example, do the
following:

1. Launch puTTY, and then click Session in the Category menu tree.

2. In the Host Name (or IP address) field, enter the IP address of the mgt0 interface, and then select SSH.

3. Click SSH in the Category menu tree, and make sure that the Preferred SSH protocol version is 2 or 2 only.

4. To initiate an SSH connection to the HiveAP, click Open.

The SSH client on the management system connects to the SSH server on the HiveAP. The login prompt appears.

3. Log in using your user name and password. The default user name is admin and the default password is aerohive.

Using the Aerohive CLI

There are three main types of commands in the Aerohive CLI:

keyword commands for setting various parameters. Examples are the admin and interface commands.
show commands for displaying parameters or dynamically generated data. Examples are the show service and show memory
commands.
action commands for executing some type of action. Examples are ping, save, and reboot commands.

Exploring the CLI

To see a list of commands, and their accompanying CLI Help, type a question mark ( ? ). For example, to display all the keyword and action
commands, enter a question mark at the command prompt:

aerohive#?

aaa Set parameters for AAA (authentication, authorization, accounting)

access‐console Set access console parameters
admin Set administrators and passwords
... ...

To display all the show commands, enter the following:

aerohive#show ?

aaa Show parameters for AAA (authentication, authorization, accounting)

access‐console Show access console status and parameters
acsp Show parameters for ACSP (Aerohive Channel Selection Protocol)
... ...

To see all the commands beginning with a particular character or string of characters, enter the character or character string followed
immediately by a question mark; that is, do not include a space between the last character and the question mark. For example, to see all
the commands beginning with "a", enter the following:

aerohive#a?

aaa Set parameters for AAA (authentication, authorization, accounting)

access‐console Set access console parameters
admin Set administrators and passwords

Similar to the above methods for seeing lists of commands, you can use a question mark within commands to see subsequent choices. For
example, to see the options following clock, enter the following:

aerohive#clock ?

date‐time Set the date and time for the internal clock
time‐zone Set the time zone for the internal clock

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 313/315
27/4/2016 Aerohive CLI Guide
Searching for a Text String

If you want to find a command that uses a particular character or string of characters, you can do a search using the following command:

show cmds | include string

where string is the word or string of characters you want to find. For example, if you want to see all the commands in which the word
"enable" appears, enter the following:

aerohive#show cmds | include enable

qos enable

qos airtime enable

...

Searching for just the string of letters "ena" produces similar results:

aerohive#show cmds | include ena

qos enable

qos airtime enable

Note: You can search for more than one word by enclosing them within quotation marks. For example, you can do a search for "qos class"
to see the commands containing "qos classifier".

Filtering Command Output

You can filter the output of a show command to include or exclude certain text strings. To do this use the following syntax: show cmd | {
exclude | include } string. For example, to find the MAC address 0016:cf8d:56bc among a number of associated stations in SSID "west",
enter the following command:

aerohive#show ssid west stations | include 0016:cf8d:56bc

0016:cf8d:56bc 11 1M 68 8021x aes ccm00:21:17 1 Yes

If you want to filter a space‐separated string, put the string within quotation marks. For example, to filter a MAC address ending with "20"
on the eth0 interface, enter the following:

aerohive#show route | include "0 4096"

0019:770e:55a0 0019:770e:5580 wifi1.1 0 4096 IL

Using Command Line Completion

The Aerohive CLI supports command line completion (or "tab completion"), which allows you to complete the remainder of an unambiguous
word by pressing the TAB key. For example:

aerohive#show qos co (Press TAB here.)

aerohive#show qos counter (The word "counter" is automatically completed.)

If the remainder of the word is ambiguous, pressing TAB twice shows the possibilities. For example:

aerohive#show qos c (Press TAB here.)

aerohive#show qos c (Press TAB again.)

aerohive#show qos c

classifier‐map classifier‐profile counter (The three subsequent choices appear.)

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 314/315
27/4/2016 Aerohive CLI Guide
Useful Keyboard Shortcuts

The following keyboard commands are useful to know and can make your work with the CLI more efficient. Note that the plus sign ( + )
indicates that both keys must be pressed simultaneously. For example, CTRL + s means "press the CTRL key and the s key at the same
time". If there is no plus sign between adjacent key names, press them sequentially. For example, ESC b means "press the ESC key and then
press the b key".

To perform this task Press this key or key combination

Lock the console CTRL + s
Unlock the console CTRL + q
Stopping the display of output, such as the output of the show log
q
buffered command
Advance the display of lengthy output, such as the output from the
ENTER
show logging messages command, by one line
Advance the display of lengthy output by sets of multiple lines at a
TAB
time
Autocomplete an unambiguous keyword when typing a command TAB
Stopping the execution of a task, such as sending ICMP echo requests CTRL+c
UP ARROW or CTRL + p (to move backward) and DOWN ARROW or
Moving backward or forward through command history
CTRL + n (to move forward)
LEFT ARROW or CTRL + b (to move backward) and RIGHT ARROW or
Moving backward or forward in a command
CTRL + f (to move forward)
Move the cursor backward or forward through a command word by
ESC b (to move backward) and ESC f (to move forward)
word
CTRL + a (to move to the beginning) and CTRL + e (to move to the
Move the cursor to the beginning or end of a command
end)
Erase the character under the cursor CTRL + d
Erase the character to the left of the cursor BACKSPACE or CTRL + h
Erase the previous word CTRL + w
Erase everything on the line to the left of the cursor CTRL + u
Erase everything on the line under and to the right of the cursor CTRL + k
Reverse the last two characters in a command; for example, to
CTRL + t
change show ssdi to show ssid
Execute a command ENTER or CTRL + j or CTRL + m
Log out of the console session CTRL + \

Copyright © 2012 Aerohive Networks, Inc.

http://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap230_6­6r1.htm#cmd7 315/315