IAPViewer API Reference

Last updated: May 31, 2026 — v2.0 (build 0.6.0)

This page lists every Aruba Virtual Controller call IAPViewer makes. It exists for transparency — so administrators can review exactly what the app does on their network before connecting.

Read-only by design. Every call below is either an authentication endpoint or a show-style query. There is no write, configure, commit, or any other state-changing path in the codebase. Anything that would change the cluster's state is offered as copy-and-paste CLI text instead — you run it manually if you want to.

Transport

All calls go to the Virtual Controller's REST API on TCP port 4343 over HTTPS, on the local network only. The VC presents a self-signed HPE certificate — IAPViewer handles that automatically without modifying the device's trust store. Calls are issued serially (the VC rejects concurrent requests).

Authentication endpoints

EndpointPurpose
POST /rest/loginExchanges username + password for a session ID. Credentials come from the system Keychain; the session ID is held in memory only and discarded on disconnect or app close.
POST /rest/logoutTears down the session on the controller. Always called on user-initiated disconnect.
POST /rest/show-cmdThe single channel through which IAPViewer issues every read query below. Each entry in the tables that follow is a value passed to this endpoint's cmd= parameter.

Cluster identity & configuration

CommandWhat IAPViewer uses it for
show versionFirmware version, AOS train, model of the Virtual Controller. Drives the Firmware tool and the connection-screen version pill.
show summaryCluster name, country code, total AP count, total client count. Populates the site pill before the full AP list arrives.
show running-configFull raw configuration. Displayed in Config Viewer; also parsed by VSG Check to flag deviations from Aruba Validated Solution Guide best practices.
show interfaceVC management interface IP and status.
show networkConfigured SSIDs, security, VLAN bindings — used by Channel Detail and the Config view.

Access points

CommandWhat IAPViewer uses it for
show apsCluster-wide AP list with model, IP, channel, TX power, utilisation, and noise floor per radio. The primary AP-state query.
show aps power-monitorLive PoE draw per AP. Surfaced in AP detail and the PoE column.
show allowed-apsAllowlist of APs permitted to join the cluster. Used to identify offline APs that have a slot reserved but aren't currently up.
show ap bss-tablePer-AP list of broadcast BSSIDs, with band, PHY, bonded channel width, and EIRP. Authoritative source for 20 / 40 / 80 / 160 MHz width detection.
show ap associationClients currently associated to a given AP, including BSSID, signal, retry stats. Drives the AP-detail client list.
show ap debug radio-stateConducted TX power, noise floor, and channel-busy statistics per radio. Fallback when show aps data is blanked.
show ap debug driver-configAuthoritative radio mode (AP vs Air Monitor) and channel assignment. Used to repair the rare case where show aps reports "Scanning" for an active radio.
show ap debug lldp infoLLDP neighbour data per AP — identifies the upstream switch, port, allocated PoE wattage, and switch capability flags.
show ap debug cloud-serverAruba Central / Activate registration state for the cluster. Used to diagnose the "expired subscription" failure mode.

Clients

CommandWhat IAPViewer uses it for
show clientsWireless client list with IP, MAC, SSID, AP, signal, speed, PHY type, authentication.
show clients debugExtended wireless client detail including encryption flags and association timestamps.
show clients wiredWired clients learned through AP Ethernet ports.
show clients wired debugExtended wired-client detail (port, VLAN, learn time).
show stats client <mac>Per-client live statistics — signal trace, frame counts, throughput, retry rate, mobility trail. Drives the Performance tab and the live trace in Client Detail.
show ap debug client-tablePer-AP client table used as a cross-check during the performance analysis.
show ap roam-cache mac <mac>Roam history for a specific client — best-effort, not all AOS versions expose this.
show datapath session | inc <ip>Active sessions for a client IP — on-demand from Client Detail.

Channel quality & spectrum

CommandWhat IAPViewer uses it for
show ap arm rf-summaryPer-AP ARM (Adaptive Radio Management) summary — primary channel, quality score, channel busy. The backbone of the Channel Quality tool.
show ap spectrum statusDistinguishes "Spectrum Monitor" (FFT-active) from "Air Monitor" mode on a per-radio basis.
show ap spectrum channel-metricsPer-channel utilisation, WiFi/non-WiFi split, noise floor — only available from a Spectrum Monitor radio.
show ap spectrum channel-detailsDetailed per-channel breakdown including non-WiFi device contribution. Powers the Channel Detail card.
show ap spectrum device-listNon-WiFi RF emitters detected by Spectrum Monitor radios (microwave, Bluetooth, cordless phone, etc.).
show ap spectrum client-listPer-channel client load observed by Spectrum Monitor radios.
show spectrum-alert 100Recent spectrum alerts (rogue, interference) raised by Spectrum Monitor radios — cluster-wide, single call.

RF environment

CommandWhat IAPViewer uses it for
show ap monitor ap-listEvery BSSID detected by the cluster's monitoring radios. Drives RF Neighbors and the Channel View foreign-SSID ghost overlay.
show ap monitor pot-ap-listPotential ("pot") AP list — supplementary detection data feeding RF Neighbors.
show ids apsIDS classification (valid / interfering / rogue) for detected neighbour APs.
show ids clientsIDS-flagged client devices.

Voice & Video (UCC)

These run only at the end of a load when Load UCC Data is enabled in Site Settings (off by default). They power the Voice/Video view's "active call vs registered" classification.

CommandWhat IAPViewer uses it for
show ucm hashtableCluster-wide. Identifies which clients are running Unified Communications apps (Wi-Fi calling, FaceTime, Teams/Zoom/Meet, etc.) and the app/server each is using.
show wificall-dns-patternsCluster-wide. The carrier ePDG DNS patterns the controller uses to recognise Wi-Fi-calling traffic. Fetched once per session and cached.
show ucm cdrsPer-AP (only APs hosting a UC-classified client). Call Detail Records — the primary "is a call up?" signal; sees encrypted streams (Wi-Fi Calling, SRTP) that the datapath filter drops.
show datapath session uccPer-AP. Byte/packet counters for UC media flows the AP can deep-inspect — a secondary throughput signal.
show datapath session | inc 4500Per-AP. IPsec (UDP/4500) tunnel counters. Compared against the previous refresh to tell an active Wi-Fi call from an idle ePDG registration.

Bluetooth (BLE) discovery

Runs only at the end of a load when Load BLE Data is enabled in Site Settings (off by default). Powers the BLE radios shown under each AP in the Clients & APs tree and the BLE Discovery browser.

CommandWhat IAPViewer uses it for
show ap debug ble-table allPer-AP. The AP's onboard BLE radio plus every beacon-class BLE device it currently hears, with this AP's RSSI. Fanned out to every online AP, then aggregated by device MAC across the cluster (the AP's own radios are filtered out).

Security & deny list

CommandWhat IAPViewer uses it for
show denylist-clientCurrent deny-list entries with reason, timestamp, and MAC. Drives the Deny List tool; also feeds the cleanup-script generator (output is shown to you as text — the app does not run it).
show log user 200Authentication log — pulled on demand from the Deny List tool to show why a specific MAC was denied.

Logs & diagnostics

CommandWhat IAPViewer uses it for
show log <type> <count>Filterable event log retrieval — the Logs tab issues one of these per selected log type (system, security, network, user, etc.) with a user-chosen line count.
show activateAruba Activate cloud registration state — pulled only when the controller reports it is Activate / Central-managed.

Test API tool

The Settings → Test API screen lets you send any read-only show command of your choice to the VC and see the raw output. This is the only place where the command is user-supplied; the input is validated to start with show before being passed to POST /rest/show-cmd. The tool exists so administrators can verify what the controller is returning when a IAPViewer parser appears to mis-read something.

What IAPViewer does NOT do: No call writes configuration, no call commits changes, no call reboots APs, no call modifies the VLAN / SSID / radio / security / RADIUS / allow-list / deny-list state. Those operations exist in the Aruba REST API; IAPViewer never invokes them. If a future feature ever needed to, it would be opt-in and disclosed in the release notes.

See also: Support · Documentation · Privacy Policy · Terms of Use