
Aruba Iap Publish

Author: scsun1978 · GitHub ↗ · v1.2.0
cross-platform ⚠ suspicious
Total downloads: 843
Favorites: 0
Current installs: 2
Versions: 7
Install in OpenClaw
/install aruba-iap
Description
Comprehensive Aruba Instant AP (IAP) configuration management with automatic baseline capture, rollback support, and health monitoring. Supports device disco...
Usage (SKILL.md)

Aruba IAP Configuration Manager

Comprehensive Aruba Instant AP (IAP) configuration management with automatic baseline capture, rollback support, and health monitoring.

Features

✨ Core Capabilities

  • Device Mode Detection: Automatically detects Virtual Controller, Single-Node Cluster, or Standalone AP mode
  • Configuration Snapshots: Full configuration capture with structured JSON output
  • Safe Configuration Changes: Apply changes with automatic baseline capture and rollback support
  • Comprehensive Monitoring: 40+ monitoring commands across 10 categories
  • Risk Assessment: Automatic risk evaluation for configuration changes
  • Secret Management: Secure secret references (no plain-text passwords)
  • Change History: Full audit trail with timestamped artifacts
  • Interactive Configuration Mode: Support for Aruba IAP CLI commit model

📊 Configuration Change Types

Type                Risk        Description
ssid_profile        Medium      Create complete SSID profile with WPA2-PSK-AES
ssid_delete         High        Remove existing SSID profile
snmp_community      Low         SNMP community configuration
snmp_host           Low-Medium  SNMP host/trap destination
syslog_level        Low         Syslog logging levels
auth_server         Medium      RADIUS/CPPM authentication server
ap_allowlist        Medium      Add/remove APs from allowlist
wired_port_profile  Medium      Wired port configuration
ntp                 Low         NTP server configuration
dns                 Low         DNS server configuration
rf_template         Low         RF template application

Quick Start

1. Installation

# Clone or download the skill
cd ~/.openclaw/workspace/skills/aruba-iap-publish

# Run install script
./install.sh

# Verify installation
iapctl --help

2. Basic Usage

# Device Discovery
iapctl discover --cluster office-iap --vc 192.168.20.56 --out ./out

# Configuration Snapshot
iapctl snapshot --cluster office-iap --vc 192.168.20.56 --out ./out

# Verify Configuration
iapctl verify --cluster office-iap --vc 192.168.20.56 --level basic --out ./out

3. Add SSID

# Create SSID configuration JSON
cat > add-ssid.json << 'EOF'
{
  "changes": [
    {
      "type": "ssid_profile",
      "profile_name": "MyWiFi",
      "essid": "MyNetwork",
      "opmode": "wpa2-psk-aes",
      "wpa_passphrase": "MySecurePassword123",
      "vlan": 1,
      "rf_band": "all"
    }
  ]
}
EOF

# Generate diff
iapctl diff --cluster office-iap --vc 192.168.20.56 \
  --in add-ssid.json --out ./diff

# Apply changes
iapctl apply --cluster office-iap --vc 192.168.20.56 \
  --change-id "$(jq -r '.change_id' diff/commands.json)" \
  --in diff/commands.json --out ./apply

4. Delete SSID

# Create delete SSID configuration JSON
cat > delete-ssid.json << 'EOF'
{
  "changes": [
    {
      "type": "ssid_delete",
      "profile_name": "OldSSID"
    }
  ]
}
EOF

# Generate diff
iapctl diff --cluster office-iap --vc 192.168.20.56 \
  --in delete-ssid.json --out ./diff

# Apply changes
iapctl apply --cluster office-iap --vc 192.168.20.56 \
  --change-id "$(jq -r '.change_id' diff/commands.json)" \
  --in diff/commands.json --out ./apply

5. Monitor Device

# Monitor all categories
iapctl monitor --cluster office-iap --vc 192.168.20.56 --out ./monitor

# Monitor specific categories
iapctl monitor --cluster office-iap --vc 192.168.20.56 \
  -c "system ap clients wlan" --out ./monitor

Configuration Modes

Supported Device Modes

  1. Virtual Controller Mode

    • Manages multiple IAPs
    • Full CLI command set available
  2. Single-Node Cluster Mode ✨ NEW

    • Single IAP with VC configuration
    • Supports interactive config mode
    • configure terminal → config commands → commit apply
  3. Standalone AP Mode

    • Individual AP without cluster
    • Basic configuration available

Interactive Configuration Mode

For Aruba IAP devices, configuration uses the CLI commit model:

  1. Enter configuration mode: configure terminal
  2. Enter sub-mode (e.g., wlan ssid-profile <name>)
  3. Configure parameters (flat commands, no indentation)
  4. Exit sub-mode: exit
  5. Exit configuration mode: exit
  6. Save configuration: write memory
  7. Apply configuration: commit apply

Risk Assessment

iapctl automatically assesses risks for each change set:

Risk Levels

  • low: Minimal impact, safe to apply
  • medium: May affect connectivity, review recommended
  • high: Major changes, requires careful planning

Common Warnings

  • Removing WLAN or RADIUS configuration may disconnect users
  • WPA passphrase changes will require clients to re-authenticate
  • AP allowlist changes may prevent APs from joining the cluster
  • VLAN changes may affect network connectivity
  • Large number of changes - consider applying in stages

Best Practices

1. Use Secret References

Always use secret_ref for passwords and keys:

{
  "type": "auth_server",
  "server_name": "radius-primary",
  "ip": "10.10.10.10",
  "secret_ref": "secret:radius-primary-key"
}

Never commit plain-text secrets to version control.
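A resolver for the `env:` and `file:<path>` reference forms mentioned in this page's security analysis, written so that a `file:` reference cannot read outside one secrets directory. This is an added example, not the project's secrets.py; `resolve_secret_ref`, `SecretRefError` and `secrets_dir` are hypothetical names, and `secret:` named lookups are left out.

```python
import os
from pathlib import Path


class SecretRefError(ValueError):
    """A secret_ref that is malformed or resolves outside the allowed scope."""


def resolve_secret_ref(ref, secrets_dir, environ=None):
    """Resolve 'env:NAME' or 'file:<relative path>' to a secret value.

    file: targets are confined to secrets_dir: absolute paths, '..'
    traversal and symlinks that leave the directory are all rejected.
    """
    environ = os.environ if environ is None else environ
    scheme, sep, target = ref.partition(":")
    if not sep or not target:
        raise SecretRefError(f"malformed secret_ref: {ref!r}")

    if scheme == "env":
        if not target.isidentifier() or target not in environ:
            raise SecretRefError(f"environment variable not available: {target!r}")
        return environ[target]

    if scheme == "file":
        base = Path(secrets_dir).resolve()
        # resolve() collapses '..' and follows symlinks before the check.
        candidate = (base / target).resolve()
        if base not in candidate.parents:
            raise SecretRefError(f"path escapes {base}: {target!r}")
        if not candidate.is_file():
            raise SecretRefError(f"no such secret file: {target!r}")
        return candidate.read_text(encoding="utf-8").rstrip("\r\n")

    # Unknown schemes fail closed instead of being treated as a path.
    raise SecretRefError(f"unsupported secret_ref scheme: {scheme!r}")
```

Keep `secrets_dir` outside the skill workspace and out of version control, so the files it holds never travel with the repository.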

2. Review Risk Assessment

Always review risk.json before applying changes:

cat diff/risk.json

3. Use Dry Run First

Test with --dry-run to verify commands without applying:

iapctl apply --dry-run ...

4. Verify After Changes

Always run verify after applying changes:

iapctl verify --level full ...

5. Apply Changes in Stages

For large change sets, break them into smaller batches:

  • Stage 1: SNMP and syslog configuration
  • Stage 2: Authentication servers
  • Stage 3: SSID profiles
  • Stage 4: AP allowlist and wired ports

Testing

Comprehensive testing performed on real hardware:

  • ✅ Device discovery and mode detection
  • ✅ Configuration snapshot with multiple artifacts
  • ✅ Configuration diff generation
  • ✅ SSID profile addition
  • ✅ SSID profile deletion
  • ✅ Configuration apply with interactive mode
  • ✅ Configuration verification
  • ✅ Health monitoring
  • ✅ Risk assessment
  • ✅ AP allowlist management

Test Results: 10/11 tests passed (91%)

Known Issues & Limitations

Rollback Functionality

  • Status: Partially working
  • Issue: Rollback command execution has limitations
  • Impact: Low - can be done manually if needed
  • Workaround: Use no <command> for manual rollback

Post-Apply Verification

  • Status: Sometimes times out
  • Issue: show running-config after commit apply can timeout
  • Impact: Minimal - configuration is applied successfully
  • Workaround: Wait a few seconds and retry

Changelog

v1.1.1 (2026-02-23)

  • ✅ Add ssid_delete change type
  • ✅ Add send_config_and_apply() method
  • ✅ Add send_config_commands() method
  • ✅ Update diff_engine.py for flat command generation
  • ✅ Fix Result action pattern for 'monitor'
  • ✅ Support Aruba IAP single-node cluster mode
  • ✅ Comprehensive testing on real hardware

v1.1.0 (2026-02-23)

  • ✅ Initial release with core functionality
  • ✅ Device discovery and mode detection
  • ✅ Configuration snapshots
  • ✅ SSID profile management
  • ✅ Configuration diff and apply
  • ✅ Risk assessment
  • ✅ Health monitoring

Requirements

  • Python 3.8+
  • scrapli[paramiko] for SSH connections
  • Aruba Instant AP 6.x, 8.x, or AOS 10.x

License

MIT License - See LICENSE file for details

Support

For issues, questions, or contributions:

Security usage recommendations
This skill appears to implement the advertised Aruba IAP operations, but exercise caution before installing or running it:

  • Inspect install.sh before executing it. The package contains an install script (not a registry install spec) so running it will execute code from the repository on your machine.
  • Review secrets/examples/backups in the repository. Several included backup files (show_running-config, backups/..., running-config files) contain sensitive values (virtual-controller-key, RADIUS keys, SNMP community strings and WPA passphrases). Remove or redact those files and any example secrets.json before placing the skill in production or sharing the repo.
  • Prefer secret_ref/env-based secret injection at runtime rather than storing secrets in files in the repo. If you must use a secrets.json file, keep it out of the skill workspace and out of version control.
  • If you will run this in a production environment, test in an isolated lab first. Verify the code (especially connection.py and install.sh) to ensure it only connects to the IPs you intend and does not transmit data to third-party endpoints.
  • Confirm the publisher/source. The skill lists Aruba's homepage but the owner ID is an unknown publisher; verify the origin/publishing trust before deploying in production.

If you want, I can: summarize the exact lines/files that contain sensitive keys, extract the install.sh contents and highlight risky commands, or search the code for network endpoints and upload/exfiltration patterns.
Functional analysis
Type: OpenClaw Skill
Name: aruba-iap
Version: 1.2.0

The skill is classified as suspicious due to multiple critical security vulnerabilities, primarily found in the utility scripts and the core `iapctl` Python code. Key issues include:

  1. Hardcoded default credentials (`aruba`/`aruba123`) in `scripts/config_backup.py`, `scripts/diagnose_iap.py`, and `scripts/monitor_clients.py`.
  2. Local shell injection vulnerabilities in these same Python scripts due to `subprocess.run(shell=True)` with unquoted user-controlled inputs (`self.username`, `self.ap_ip`) in the SSH command string.
  3. Man-in-the-Middle (MitM) vulnerability across all SSH connections, as `StrictHostKeyChecking=no` is explicitly set in `iapctl/src/iapctl/connection.py` and used in the Python scripts.
  4. A Local File Inclusion (LFI) vulnerability in `iapctl/src/iapctl/secrets.py` allowing arbitrary file reads via `file:<path>` in `secret_ref` if an attacker controls the input.
  5. Potential remote command injection on the target IAP device via unvalidated fields in `iapctl/src/iapctl/models.py` that are used in CLI command construction in `iapctl/src/iapctl/diff_engine.py`.
  6. Password exposure in process lists when `ssh_password` is passed as a command-line argument in shell scripts and `iapctl` CLI commands.

These vulnerabilities, while not demonstrating explicit malicious intent, create severe attack surfaces that could be exploited for unauthorized access, data exfiltration, or remote code execution.
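One way to close issues 2 and 3 in a utility script: build the ssh invocation as an argument list with validated inputs and host-key checking left on. This is an added example, not code from the skill; `build_ssh_argv`, `run_on_ap` and the `known_hosts` parameter are hypothetical names, and it assumes the AP's host key has been recorded in that file beforehand.

```python
import ipaddress
import re
import subprocess

# The pattern the analysis describes: an ssh command string built by
# interpolating username and ap_ip, run with shell=True and with
# StrictHostKeyChecking=no. A shell parses both values and any host key
# is accepted. The functions below avoid both.

_USERNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")


def build_ssh_argv(username, ap_ip, remote_command, known_hosts):
    """Return an ssh argv list; no local shell ever parses these values."""
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError(f"invalid username: {username!r}")
    # Accept only an IP literal; raises ValueError for anything else.
    host = str(ipaddress.ip_address(ap_ip))
    if not remote_command or any(c in remote_command for c in "\r\n\x00"):
        raise ValueError("remote command must be a single non-empty line")
    return [
        "ssh",
        "-o", "StrictHostKeyChecking=yes",          # unknown or changed key: refuse
        "-o", f"UserKnownHostsFile={known_hosts}",  # keys pinned at enrollment
        "-l", username,
        host,
        remote_command,
    ]


def run_on_ap(username, ap_ip, remote_command, known_hosts, timeout=30):
    """Run one CLI command on the AP; a list argv means shell=False."""
    argv = build_ssh_argv(username, ap_ip, remote_command, known_hosts)
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)
```

The password is deliberately not part of the argv, which also keeps it out of process listings (issue 6).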
Capability assessment
Purpose & Capability
The skill's name, description, CLI, and code files (connection.py, operations.py, monitor.py, secrets.py, etc.) are coherent with Aruba IAP configuration/monitoring. However the registry metadata marked it as 'instruction-only' / no install spec while the package includes full source code and an install.sh — an inconsistency in packaging/metadata that should be explained by the publisher.
Instruction Scope
SKILL.md instructs running ./install.sh and using iapctl to connect to device IPs and capture/modify configs. That scope is expected, but the repo also contains many backup artifacts and full running-config files that include sensitive secrets (virtual-controller-key, RADIUS/shared keys, SNMP community strings, WPA passphrases or hashed passphrases). The documentation and examples sometimes show plaintext secrets and recommend creating secrets.json files in the repo if used; this increases the chance of credential leakage. The runtime instructions do not explicitly warn to remove these example/backups or to inspect install.sh before running.
Install Mechanism
There is no Registry install spec, but an install.sh is included and SKILL.md tells you to run it. That means install actions are performed by an unreviewed script in the package; this is higher risk than a pure instruction-only skill because it writes files and may install dependencies. The package does not reference remote download URLs in the manifest provided here (no evidence of remote fetch in metadata), but you should inspect install.sh before executing it.
Credentials
The skill declares no required env vars or primary credential (which is reasonable), and it supports secret_ref patterns and env: references for sensitive data. That's acceptable in principle — however the repository contains example secrets.json and actual backup artifacts containing live secrets/keys (virtual-controller-key, RADIUS key, SNMP community, WPA passphrases). Keeping such sensitive data in the skill repository is disproportionate and increases risk of accidental exfiltration if the repo is shared or pushed to remote systems.
Persistence & Privilege
The skill does not request always:true, does not declare system-wide config changes, and is user-invocable. It does include an install script which will create local files/binaries in the workspace when run, but there is no evidence it attempts to persistently enable itself across other agents or modify unrelated skill configs.
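How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install aruba-iap
  3. Once installed, call the Skill by name or trigger it with /aruba-iap
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history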
v1.2.0
v1.2.0 - Complete functionality test with real Aruba IAP 224

Major Updates:

  • Fixed SNMP command syntax (removed unsupported ro/rw parameter)
  • Added password authentication support to all utility scripts
  • Complete testing on real hardware (Aruba IAP 224, ArubaOS 8.6.0.25)

Test Results:

  • 16/18 tests passed (88.9% success rate)
  • Core functions: 100% available
  • Device discovery, snapshots, monitoring: 100% success
  • Configuration diff and apply: Successfully tested

Features:

  • Device mode detection (VC/Single-node/Standalone)
  • Configuration snapshots with 7+ artifacts
  • Comprehensive monitoring (10 categories, 38+ commands)
  • SSID management (add/delete)
  • Risk assessment for all changes
  • Safe apply workflow with dry-run support
  • Rollback support for all changes

Known Limitations:

  • Post-apply verification may timeout (configuration is applied successfully)
  • Recommend using --dry-run for critical changes

Scripts:

  • quick-monitor.sh - Fast health checks
  • auto-backup.sh - Automated configuration backups
  • safe-apply.sh - Safe configuration changes with verification
v1.1.0
Version 1.1.0: Add SSID removal support and comprehensive version upgrade documentation
v1.0.2
Update: Enhanced configuration management with improved monitoring commands, better error handling, and updated documentation.
v1.0.1
Enhanced device mode detection with single-node cluster support, automatic command fallback, improved standalone AP compatibility, and comprehensive troubleshooting guides
v0.3.1
New single-node-cluster mode. Enhanced device mode detection with 3 modes. Smart command fallback support. Fixed Parse error issues.
v0.3.0
✨ New single-node-cluster mode for APs with VC configuration but only one AP

Features:

  • Enhanced device mode detection with 3 modes: virtual-controller, single-node-cluster, standalone
  • BSS table analysis to distinguish single-node from multi-node clusters
  • Instant AP command support (show ap bss-table) for single-node clusters
  • Smart command fallback to bss-table when standard commands fail
  • Updated discover command with device-mode-aware command selection

Fixes:

  • Fixed discover command to use correct commands for single-node clusters
  • Fixed snapshot/verify commands to handle all three device modes properly
  • Resolves Parse error issues on single-node cluster devices

Documentation:

  • Updated SKILL.md with single-node cluster mode documentation
  • Added comprehensive command compatibility matrix
  • Added troubleshooting guide for device mode issues
  • Enhanced examples section with single-node cluster examples

Tested on Aruba IAP 224 (ArubaOS 8.6.0.14)
v1.0.0
Initial release: Complete Aruba IAP/UAP configuration, management, and troubleshooting skill. Includes CLI command reference, configuration templates, automation scripts (diagnostics, backup, monitoring), troubleshooting guide, and best practices for Aruba Instant AP devices.
Metadata
Slug aruba-iap
Version 1.2.0
License
Total installs 2
Current installs 2
Historical versions 7
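Frequently asked questions

What is Aruba Iap Publish?

Comprehensive Aruba Instant AP (IAP) configuration management with automatic baseline capture, rollback support, and health monitoring. Supports device disco... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 843 total downloads to date.

How do I install Aruba Iap Publish?

Run the command "/install aruba-iap" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Aruba Iap Publish free?

Yes, Aruba Iap Publish is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Aruba Iap Publish support?

Aruba Iap Publish runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Aruba Iap Publish?

Developed and maintained by scsun1978 (@scsun1978); the current version is v1.2.0.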
