
Aruba Iap Publish

by scsun1978 · GitHub ↗ · v1.2.0
cross-platform ⚠ suspicious
Downloads: 843 · Stars: 0 · Active Installs: 2 · Versions: 7
Install in OpenClaw
/install aruba-iap
Description
Comprehensive Aruba Instant AP (IAP) configuration management with automatic baseline capture, rollback support, and health monitoring. Supports device disco...
README (SKILL.md)

Aruba IAP Configuration Manager

Comprehensive Aruba Instant AP (IAP) configuration management with automatic baseline capture, rollback support, and health monitoring.

Features

✨ Core Capabilities

  • Device Mode Detection: Automatically detects Virtual Controller, Single-Node Cluster, or Standalone AP mode
  • Configuration Snapshots: Full configuration capture with structured JSON output
  • Safe Configuration Changes: Apply changes with automatic baseline capture and rollback support
  • Comprehensive Monitoring: 40+ monitoring commands across 10 categories
  • Risk Assessment: Automatic risk evaluation for configuration changes
  • Secret Management: Secure secret references (no plain-text passwords)
  • Change History: Full audit trail with timestamped artifacts
  • Interactive Configuration Mode: Support for Aruba IAP CLI commit model

📊 Configuration Change Types

Type                Risk        Description
ssid_profile        Medium      Create complete SSID profile with WPA2-PSK-AES
ssid_delete         High        Remove existing SSID profile
snmp_community      Low         SNMP community configuration
snmp_host           Low-Medium  SNMP host/trap destination
syslog_level        Low         Syslog logging levels
auth_server         Medium      RADIUS/CPPM authentication server
ap_allowlist        Medium      Add/remove APs from allowlist
wired_port_profile  Medium      Wired port configuration
ntp                 Low         NTP server configuration
dns                 Low         DNS server configuration
rf_template         Low         RF template application

Quick Start

1. Installation

# Clone or download the skill
cd ~/.openclaw/workspace/skills/aruba-iap-publish

# Run install script
./install.sh

# Verify installation
iapctl --help

2. Basic Usage

# Device Discovery
iapctl discover --cluster office-iap --vc 192.168.20.56 --out ./out

# Configuration Snapshot
iapctl snapshot --cluster office-iap --vc 192.168.20.56 --out ./out

# Verify Configuration
iapctl verify --cluster office-iap --vc 192.168.20.56 --level basic --out ./out

3. Add SSID

# Create SSID configuration JSON
cat > add-ssid.json << 'EOF'
{
  "changes": [
    {
      "type": "ssid_profile",
      "profile_name": "MyWiFi",
      "essid": "MyNetwork",
      "opmode": "wpa2-psk-aes",
      "wpa_passphrase": "MySecurePassword123",
      "vlan": 1,
      "rf_band": "all"
    }
  ]
}
EOF

# Generate diff
iapctl diff --cluster office-iap --vc 192.168.20.56 \
  --in add-ssid.json --out ./diff

# Apply changes
iapctl apply --cluster office-iap --vc 192.168.20.56 \
  --change-id "$(jq -r '.change_id' diff/commands.json)" \
  --in diff/commands.json --out ./apply

4. Delete SSID

# Create delete SSID configuration JSON
cat > delete-ssid.json << 'EOF'
{
  "changes": [
    {
      "type": "ssid_delete",
      "profile_name": "OldSSID"
    }
  ]
}
EOF

# Generate diff
iapctl diff --cluster office-iap --vc 192.168.20.56 \
  --in delete-ssid.json --out ./diff

# Apply changes
iapctl apply --cluster office-iap --vc 192.168.20.56 \
  --change-id "$(jq -r '.change_id' diff/commands.json)" \
  --in diff/commands.json --out ./apply

5. Monitor Device

# Monitor all categories
iapctl monitor --cluster office-iap --vc 192.168.20.56 --out ./monitor

# Monitor specific categories
iapctl monitor --cluster office-iap --vc 192.168.20.56 \
  -c "system ap clients wlan" --out ./monitor

Configuration Modes

Supported Device Modes

  1. Virtual Controller Mode

    • Manages multiple IAPs
    • Full CLI command set available
  2. Single-Node Cluster Mode ✨ NEW

    • Single IAP with VC configuration
    • Supports interactive config mode
    • configure terminal → config commands → commit apply
  3. Standalone AP Mode

    • Individual AP without cluster
    • Basic configuration available

Interactive Configuration Mode

For Aruba IAP devices, configuration uses the CLI commit model:

  1. Enter configuration mode: configure terminal
  2. Enter sub-mode (e.g., wlan ssid-profile <name>)
  3. Configure parameters (flat commands, no indentation)
  4. Exit sub-mode: exit
  5. Exit configuration mode: exit
  6. Save configuration: write memory
  7. Apply configuration: commit apply
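
The commit model above, as an added Python example (not the project's diff_engine.py): it turns one ssid_profile change into the flat command list and refuses any field that is not a single printable token, so a value cannot add a CLI line of its own. The allow-lists and the sub-mode keywords (essid, opmode, wpa-passphrase, vlan, rf-band) are assumptions, and InvalidChange and render_ssid_profile are hypothetical names.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")  # assumed allow-list for profile names
TOKEN_RE = re.compile(r"[\x21-\x7e]+")         # printable ASCII; no space, CR or LF
OPMODES = {"wpa2-psk-aes"}                     # the only opmode shown on this page
RF_BANDS = {"all"}                             # the only rf_band shown on this page


class InvalidChange(ValueError):
    """Raised when a change field cannot be rendered as exactly one CLI token."""


def _token(field, value, lo, hi):
    # One token of lo..hi characters, so a field can never add a second command line.
    if not isinstance(value, str) or not lo <= len(value) <= hi:
        raise InvalidChange(f"{field}: expected a string of {lo}-{hi} characters")
    if not TOKEN_RE.fullmatch(value):
        raise InvalidChange(f"{field}: whitespace and control characters are rejected")
    return value


def _choice(field, value, allowed):
    if not isinstance(value, str) or value not in allowed:
        raise InvalidChange(f"{field}: must be one of {sorted(allowed)}")
    return value


def render_ssid_profile(change):
    """Validate an ssid_profile change, then return its flat command list."""
    name = change.get("profile_name")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise InvalidChange("profile_name: letters, digits, '_' and '-' only")
    vlan = change.get("vlan")
    if isinstance(vlan, bool) or not isinstance(vlan, int) or not 1 <= vlan <= 4094:
        raise InvalidChange("vlan: integer in 1-4094 required")
    return [
        "configure terminal",
        f"wlan ssid-profile {name}",
        # Sub-mode keywords below are assumed Aruba Instant syntax, not from the page.
        f"essid {_token('essid', change.get('essid'), 1, 32)}",
        f"opmode {_choice('opmode', change.get('opmode'), OPMODES)}",
        f"wpa-passphrase {_token('wpa_passphrase', change.get('wpa_passphrase'), 8, 63)}",
        f"vlan {vlan}",
        f"rf-band {_choice('rf_band', change.get('rf_band'), RF_BANDS)}",
        "exit",          # leave the ssid-profile sub-mode
        "exit",          # leave configuration mode
        "write memory",
        "commit apply",
    ]
```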

Risk Assessment

iapctl automatically assesses risks for each change set:

Risk Levels

  • low: Minimal impact, safe to apply
  • medium: May affect connectivity, review recommended
  • high: Major changes, requires careful planning

Common Warnings

  • Removing WLAN or RADIUS configuration may disconnect users
  • WPA passphrase changes will require clients to re-authenticate
  • AP allowlist changes may prevent APs from joining the cluster
  • VLAN changes may affect network connectivity
  • Large number of changes - consider applying in stages

Best Practices

1. Use Secret References

Always use secret_ref for passwords and keys:

{
  "type": "auth_server",
  "server_name": "radius-primary",
  "ip": "10.10.10.10",
  "secret_ref": "secret:radius-primary-key"
}

Never commit plain-text secrets to version control.
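
An added example (not the project's secrets.py) of resolving the three reference forms this page mentions, secret:<name>, env:<VAR> and file:<path>, with file: reads confined to one directory so a reference cannot reach arbitrary files. The names resolve_secret_ref, SecretRefError, store and secrets_dir are hypothetical.

```python
import os
from pathlib import Path


class SecretRefError(ValueError):
    """Raised when a secret_ref is malformed, unknown or out of bounds."""


def resolve_secret_ref(ref, store, secrets_dir=None, environ=None):
    """Resolve a secret_ref string to its value.

    store       -- mapping of secret names to values (for secret:<name>)
    secrets_dir -- the only directory file:<path> may read; None disables file:
    environ     -- mapping used for env:<VAR>; defaults to os.environ
    """
    environ = os.environ if environ is None else environ
    scheme, sep, target = ref.partition(":")
    if not sep or not target:
        raise SecretRefError("secret_ref must look like <scheme>:<target>")
    if scheme == "secret":
        if target not in store:
            raise SecretRefError(f"unknown secret name {target!r}")
        return store[target]
    if scheme == "env":
        if target not in environ:
            raise SecretRefError(f"environment variable {target!r} is not set")
        return environ[target]
    if scheme == "file":
        if secrets_dir is None:
            raise SecretRefError("file: references are disabled")
        base = Path(secrets_dir).resolve()
        path = (base / target).resolve()   # collapses '..' and follows symlinks
        if base not in path.parents:       # also rejects absolute paths
            raise SecretRefError("file: reference escapes the secrets directory")
        if not path.is_file():
            raise SecretRefError("file: reference is not a regular file")
        return path.read_text().strip()
    raise SecretRefError(f"unsupported scheme {scheme!r}")
```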

2. Review Risk Assessment

Always review risk.json before applying changes:

cat diff/risk.json

3. Use Dry Run First

Test with --dry-run to verify commands without applying:

iapctl apply --dry-run ...

4. Verify After Changes

Always run verify after applying changes:

iapctl verify --level full ...

5. Apply Changes in Stages

For large change sets, break them into smaller batches:

  • Stage 1: SNMP and syslog configuration
  • Stage 2: Authentication servers
  • Stage 3: SSID profiles
  • Stage 4: AP allowlist and wired ports

Testing

Comprehensive testing performed on real hardware:

  • ✅ Device discovery and mode detection
  • ✅ Configuration snapshot with multiple artifacts
  • ✅ Configuration diff generation
  • ✅ SSID profile addition
  • ✅ SSID profile deletion
  • ✅ Configuration apply with interactive mode
  • ✅ Configuration verification
  • ✅ Health monitoring
  • ✅ Risk assessment
  • ✅ AP allowlist management

Test Results: 10/11 tests passed (91%)

Known Issues & Limitations

Rollback Functionality

  • Status: Partially working
  • Issue: Rollback command execution has limitations
  • Impact: Low - can be done manually if needed
  • Workaround: Use no <command> for manual rollback

Post-Apply Verification

  • Status: Sometimes times out
  • Issue: show running-config after commit apply can time out
  • Impact: Minimal - configuration is applied successfully
  • Workaround: Wait a few seconds and retry

Changelog

v1.1.1 (2026-02-23)

  • ✅ Add ssid_delete change type
  • ✅ Add send_config_and_apply() method
  • ✅ Add send_config_commands() method
  • ✅ Update diff_engine.py for flat command generation
  • ✅ Fix Result action pattern for 'monitor'
  • ✅ Support Aruba IAP single-node cluster mode
  • ✅ Comprehensive testing on real hardware

v1.1.0 (2026-02-23)

  • ✅ Initial release with core functionality
  • ✅ Device discovery and mode detection
  • ✅ Configuration snapshots
  • ✅ SSID profile management
  • ✅ Configuration diff and apply
  • ✅ Risk assessment
  • ✅ Health monitoring

Requirements

  • Python 3.8+
  • scrapli[paramiko] for SSH connections
  • Aruba Instant AP 6.x, 8.x, or AOS 10.x

License

MIT License - See LICENSE file for details

Support

For issues, questions, or contributions:

Usage Guidance
This skill appears to implement the advertised Aruba IAP operations, but exercise caution before installing or running it:

  • Inspect install.sh before executing it. The package contains an install script (not a registry install spec) so running it will execute code from the repository on your machine.
  • Review secrets/examples/backups in the repository. Several included backup files (show_running-config, backups/..., running-config files) contain sensitive values (virtual-controller-key, RADIUS keys, SNMP community strings and WPA passphrases). Remove or redact those files and any example secrets.json before placing the skill in production or sharing the repo.
  • Prefer secret_ref/env-based secret injection at runtime rather than storing secrets in files in the repo. If you must use a secrets.json file, keep it out of the skill workspace and out of version control.
  • If you will run this in a production environment, test in an isolated lab first. Verify the code (especially connection.py and install.sh) to ensure it only connects to the IPs you intend and does not transmit data to third-party endpoints.
  • Confirm the publisher/source. The skill lists Aruba's homepage but the owner ID is an unknown publisher; verify the origin/publishing trust before deploying in production.

If you want, I can: summarize the exact lines/files that contain sensitive keys, extract the install.sh contents and highlight risky commands, or search the code for network endpoints and upload/exfiltration patterns.
Capability Analysis
Type: OpenClaw Skill
Name: aruba-iap
Version: 1.2.0

The skill is classified as suspicious due to multiple critical security vulnerabilities, primarily found in the utility scripts and the core `iapctl` Python code. Key issues include:

  1. Hardcoded default credentials (`aruba`/`aruba123`) in `scripts/config_backup.py`, `scripts/diagnose_iap.py`, and `scripts/monitor_clients.py`.
  2. Local shell injection vulnerabilities in these same Python scripts due to `subprocess.run(shell=True)` with unquoted user-controlled inputs (`self.username`, `self.ap_ip`) in the SSH command string.
  3. Man-in-the-Middle (MitM) vulnerability across all SSH connections, as `StrictHostKeyChecking=no` is explicitly set in `iapctl/src/iapctl/connection.py` and used in the Python scripts.
  4. A Local File Inclusion (LFI) vulnerability in `iapctl/src/iapctl/secrets.py` allowing arbitrary file reads via `file:<path>` in `secret_ref` if an attacker controls the input.
  5. Potential remote command injection on the target IAP device via unvalidated fields in `iapctl/src/iapctl/models.py` that are used in CLI command construction in `iapctl/src/iapctl/diff_engine.py`.
  6. Password exposure in process lists when `ssh_password` is passed as a command-line argument in shell scripts and `iapctl` CLI commands.

These vulnerabilities, while not demonstrating explicit malicious intent, create severe attack surfaces that could be exploited for unauthorized access, data exfiltration, or remote code execution.
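
For the shell-string, host-key and process-list findings above, an added example (not code from the skill) of invoking ssh with an argv list built from validated values, host key checking left on, and no password on the command line. The names build_ssh_argv and run_show, the username pattern and the command allow-list are assumptions.

```python
import ipaddress
import re
import subprocess

USER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_-]{0,31}")   # assumed username policy
# Both commands are named on this page; extend the set deliberately.
ALLOWED_COMMANDS = {"show running-config", "show ap bss-table"}

# Shape of the flagged pattern, for contrast (not copied from the project):
#   subprocess.run(f"ssh -o StrictHostKeyChecking=no {user}@{ip} '{cmd}'", shell=True)


def build_ssh_argv(username, ap_ip, command):
    """Return an ssh argv list built only from validated values."""
    if not isinstance(username, str) or not USER_RE.fullmatch(username):
        raise ValueError("username: unexpected characters")
    host = str(ipaddress.ip_address(ap_ip))   # ValueError for anything but one IP
    if not isinstance(command, str) or command not in ALLOWED_COMMANDS:
        raise ValueError("command: not in the allow-list")
    return [
        "ssh",
        "-o", "StrictHostKeyChecking=yes",    # unknown or changed host key aborts
        "-l", username,
        host,
        command,
    ]


def run_show(username, ap_ip, command, timeout=30):
    """Run one allow-listed show command; no shell, no password in argv."""
    argv = build_ssh_argv(username, ap_ip, command)
    # shell=False (the default): each list item reaches ssh as one argument.
    # Authentication is left to ssh itself (key, agent or its own prompt).
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)
```

With StrictHostKeyChecking=yes the AP's host key must already be in known_hosts, so record it out of band before the first run.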
Capability Assessment
Purpose & Capability
The skill's name, description, CLI, and code files (connection.py, operations.py, monitor.py, secrets.py, etc.) are coherent with Aruba IAP configuration/monitoring. However the registry metadata marked it as 'instruction-only' / no install spec while the package includes full source code and an install.sh — an inconsistency in packaging/metadata that should be explained by the publisher.
Instruction Scope
SKILL.md instructs running ./install.sh and using iapctl to connect to device IPs and capture/modify configs. That scope is expected, but the repo also contains many backup artifacts and full running-config files that include sensitive secrets (virtual-controller-key, RADIUS/shared keys, SNMP community strings, WPA passphrases or hashed passphrases). The documentation and examples sometimes show plaintext secrets and recommend creating secrets.json files in the repo if used; this increases the chance of credential leakage. The runtime instructions do not explicitly warn to remove these example/backups or to inspect install.sh before running.
Install Mechanism
There is no Registry install spec, but an install.sh is included and SKILL.md tells you to run it. That means install actions are performed by an unreviewed script in the package; this is higher risk than a pure instruction-only skill because it writes files and may install dependencies. The package does not reference remote download URLs in the manifest provided here (no evidence of remote fetch in metadata), but you should inspect install.sh before executing it.
Credentials
The skill declares no required env vars or primary credential (which is reasonable), and it supports secret_ref patterns and env: references for sensitive data. That's acceptable in principle — however the repository contains example secrets.json and actual backup artifacts containing live secrets/keys (virtual-controller-key, RADIUS key, SNMP community, WPA passphrases). Keeping such sensitive data in the skill repository is disproportionate and increases risk of accidental exfiltration if the repo is shared or pushed to remote systems.
Persistence & Privilege
The skill does not request always:true, does not declare system-wide config changes, and is user-invocable. It does include an install script which will create local files/binaries in the workspace when run, but there is no evidence it attempts to persistently enable itself across other agents or modify unrelated skill configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install aruba-iap
  3. After installation, invoke the skill by name or use /aruba-iap
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
v1.2.0 - Complete functionality test with real Aruba IAP 224

Major Updates:

  • Fixed SNMP command syntax (removed unsupported ro/rw parameter)
  • Added password authentication support to all utility scripts
  • Complete testing on real hardware (Aruba IAP 224, ArubaOS 8.6.0.25)

Test Results:

  • 16/18 tests passed (88.9% success rate)
  • Core functions: 100% available
  • Device discovery, snapshots, monitoring: 100% success
  • Configuration diff and apply: Successfully tested

Features:

  • Device mode detection (VC/Single-node/Standalone)
  • Configuration snapshots with 7+ artifacts
  • Comprehensive monitoring (10 categories, 38+ commands)
  • SSID management (add/delete)
  • Risk assessment for all changes
  • Safe apply workflow with dry-run support
  • Rollback support for all changes

Known Limitations:

  • Post-apply verification may timeout (configuration is applied successfully)
  • Recommend using --dry-run for critical changes

Scripts:

  • quick-monitor.sh - Fast health checks
  • auto-backup.sh - Automated configuration backups
  • safe-apply.sh - Safe configuration changes with verification
v1.1.0
Version 1.1.0: Add SSID removal support and comprehensive version upgrade documentation
v1.0.2
Update: Enhanced configuration management with improved monitoring commands, better error handling, and updated documentation.
v1.0.1
Enhanced device mode detection with single-node cluster support, automatic command fallback, improved standalone AP compatibility, and comprehensive troubleshooting guides
v0.3.1
New single-node-cluster mode. Enhanced device mode detection with 3 modes. Smart command fallback support. Fixed Parse error issues.
v0.3.0
✨ New single-node-cluster mode for APs with VC configuration but only one AP

Features:

  • Enhanced device mode detection with 3 modes: virtual-controller, single-node-cluster, standalone
  • BSS table analysis to distinguish single-node from multi-node clusters
  • Instant AP command support (show ap bss-table) for single-node clusters
  • Smart command fallback to bss-table when standard commands fail
  • Updated discover command with device-mode-aware command selection

Fixes:

  • Fixed discover command to use correct commands for single-node clusters
  • Fixed snapshot/verify commands to handle all three device modes properly
  • Resolves Parse error issues on single-node cluster devices

Documentation:

  • Updated SKILL.md with single-node cluster mode documentation
  • Added comprehensive command compatibility matrix
  • Added troubleshooting guide for device mode issues
  • Enhanced examples section with single-node cluster examples

Tested on Aruba IAP 224 (ArubaOS 8.6.0.14)
v1.0.0
Initial release: Complete Aruba IAP/UAP configuration, management, and troubleshooting skill. Includes CLI command reference, configuration templates, automation scripts (diagnostics, backup, monitoring), troubleshooting guide, and best practices for Aruba Instant AP devices.
Metadata
Slug aruba-iap
Version 1.2.0
License
All-time Installs 2
Active Installs 2
Total Versions 7
Frequently Asked Questions

What is Aruba Iap Publish?

Comprehensive Aruba Instant AP (IAP) configuration management with automatic baseline capture, rollback support, and health monitoring. Supports device disco... It is an AI Agent Skill for Claude Code / OpenClaw, with 843 downloads so far.

How do I install Aruba Iap Publish?

Run "/install aruba-iap" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Aruba Iap Publish free?

Yes, Aruba Iap Publish is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Aruba Iap Publish support?

Aruba Iap Publish is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Aruba Iap Publish?

It is built and maintained by scsun1978 (@scsun1978); the current version is v1.2.0.
