IAPViewer API Reference
Last updated: May 31, 2026 — v2.0 (build 0.6.0)
This page lists every Aruba Virtual Controller call IAPViewer makes. It exists for transparency — so administrators can review exactly what the app does on their network before connecting.
Read-only by design. Every call below is either an authentication endpoint or a show-style query. There is no write, configure, commit, or any other state-changing path in the codebase. Anything that would change the cluster's state is offered as copy-and-paste CLI text instead — you run it manually if you want to.
Transport
All calls go to the Virtual Controller's REST API on TCP port 4343 over HTTPS, on the local network only. The VC presents a self-signed HPE certificate — IAPViewer handles that automatically without modifying the device's trust store. Calls are issued serially (the VC rejects concurrent requests).
Authentication endpoints
| Endpoint | Purpose |
POST /rest/login | Exchanges username + password for a session ID. Credentials come from the system Keychain; the session ID is held in memory only and discarded on disconnect or app close. |
POST /rest/logout | Tears down the session on the controller. Always called on user-initiated disconnect. |
POST /rest/show-cmd | The single channel through which IAPViewer issues every read query below. Each entry in the tables that follow is a value passed to this endpoint's cmd= parameter. |
Cluster identity & configuration
| Command | What IAPViewer uses it for |
show version | Firmware version, AOS train, model of the Virtual Controller. Drives the Firmware tool and the connection-screen version pill. |
show summary | Cluster name, country code, total AP count, total client count. Populates the site pill before the full AP list arrives. |
show running-config | Full raw configuration. Displayed in Config Viewer; also parsed by VSG Check to flag deviations from Aruba Validated Solution Guide best practices. |
show interface | VC management interface IP and status. |
show network | Configured SSIDs, security, VLAN bindings — used by Channel Detail and the Config view. |
Access points
| Command | What IAPViewer uses it for |
show aps | Cluster-wide AP list with model, IP, channel, TX power, utilisation, and noise floor per radio. The primary AP-state query. |
show aps power-monitor | Live PoE draw per AP. Surfaced in AP detail and the PoE column. |
show allowed-aps | Allowlist of APs permitted to join the cluster. Used to identify offline APs that have a slot reserved but aren't currently up. |
show ap bss-table | Per-AP list of broadcast BSSIDs, with band, PHY, bonded channel width, and EIRP. Authoritative source for 20 / 40 / 80 / 160 MHz width detection. |
show ap association | Clients currently associated to a given AP, including BSSID, signal, retry stats. Drives the AP-detail client list. |
show ap debug radio-state | Conducted TX power, noise floor, and channel-busy statistics per radio. Fallback when show aps data is blanked. |
show ap debug driver-config | Authoritative radio mode (AP vs Air Monitor) and channel assignment. Used to repair the rare case where show aps reports "Scanning" for an active radio. |
show ap debug lldp info | LLDP neighbour data per AP — identifies the upstream switch, port, allocated PoE wattage, and switch capability flags. |
show ap debug cloud-server | Aruba Central / Activate registration state for the cluster. Used to diagnose the "expired subscription" failure mode. |
Clients
| Command | What IAPViewer uses it for |
show clients | Wireless client list with IP, MAC, SSID, AP, signal, speed, PHY type, authentication. |
show clients debug | Extended wireless client detail including encryption flags and association timestamps. |
show clients wired | Wired clients learned through AP Ethernet ports. |
show clients wired debug | Extended wired-client detail (port, VLAN, learn time). |
show stats client <mac> | Per-client live statistics — signal trace, frame counts, throughput, retry rate, mobility trail. Drives the Performance tab and the live trace in Client Detail. |
show ap debug client-table | Per-AP client table used as a cross-check during the performance analysis. |
show ap roam-cache mac <mac> | Roam history for a specific client — best-effort, not all AOS versions expose this. |
show datapath session | inc <ip> | Active sessions for a client IP — on-demand from Client Detail. |
Channel quality & spectrum
| Command | What IAPViewer uses it for |
show ap arm rf-summary | Per-AP ARM (Adaptive Radio Management) summary — primary channel, quality score, channel busy. The backbone of the Channel Quality tool. |
show ap spectrum status | Distinguishes "Spectrum Monitor" (FFT-active) from "Air Monitor" mode on a per-radio basis. |
show ap spectrum channel-metrics | Per-channel utilisation, WiFi/non-WiFi split, noise floor — only available from a Spectrum Monitor radio. |
show ap spectrum channel-details | Detailed per-channel breakdown including non-WiFi device contribution. Powers the Channel Detail card. |
show ap spectrum device-list | Non-WiFi RF emitters detected by Spectrum Monitor radios (microwave, Bluetooth, cordless phone, etc.). |
show ap spectrum client-list | Per-channel client load observed by Spectrum Monitor radios. |
show spectrum-alert 100 | Recent spectrum alerts (rogue, interference) raised by Spectrum Monitor radios — cluster-wide, single call. |
RF environment
| Command | What IAPViewer uses it for |
show ap monitor ap-list | Every BSSID detected by the cluster's monitoring radios. Drives RF Neighbors and the Channel View foreign-SSID ghost overlay. |
show ap monitor pot-ap-list | Potential ("pot") AP list — supplementary detection data feeding RF Neighbors. |
show ids aps | IDS classification (valid / interfering / rogue) for detected neighbour APs. |
show ids clients | IDS-flagged client devices. |
Voice & Video (UCC)
These run only at the end of a load when Load UCC Data is enabled in Site Settings (off by default). They power the Voice/Video view's "active call vs registered" classification.
| Command | What IAPViewer uses it for |
show ucm hashtable | Cluster-wide. Identifies which clients are running Unified Communications apps (Wi-Fi calling, FaceTime, Teams/Zoom/Meet, etc.) and the app/server each is using. |
show wificall-dns-patterns | Cluster-wide. The carrier ePDG DNS patterns the controller uses to recognise Wi-Fi-calling traffic. Fetched once per session and cached. |
show ucm cdrs | Per-AP (only APs hosting a UC-classified client). Call Detail Records — the primary "is a call up?" signal; sees encrypted streams (Wi-Fi Calling, SRTP) that the datapath filter drops. |
show datapath session ucc | Per-AP. Byte/packet counters for UC media flows the AP can deep-inspect — a secondary throughput signal. |
show datapath session | inc 4500 | Per-AP. IPsec (UDP/4500) tunnel counters. Compared against the previous refresh to tell an active Wi-Fi call from an idle ePDG registration. |
Bluetooth (BLE) discovery
Runs only at the end of a load when Load BLE Data is enabled in Site Settings (off by default). Powers the BLE radios shown under each AP in the Clients & APs tree and the BLE Discovery browser.
| Command | What IAPViewer uses it for |
show ap debug ble-table all | Per-AP. The AP's onboard BLE radio plus every beacon-class BLE device it currently hears, with this AP's RSSI. Fanned out to every online AP, then aggregated by device MAC across the cluster (the AP's own radios are filtered out). |
Security & deny list
| Command | What IAPViewer uses it for |
show denylist-client | Current deny-list entries with reason, timestamp, and MAC. Drives the Deny List tool; also feeds the cleanup-script generator (output is shown to you as text — the app does not run it). |
show log user 200 | Authentication log — pulled on demand from the Deny List tool to show why a specific MAC was denied. |
Logs & diagnostics
| Command | What IAPViewer uses it for |
show log <type> <count> | Filterable event log retrieval — the Logs tab issues one of these per selected log type (system, security, network, user, etc.) with a user-chosen line count. |
show activate | Aruba Activate cloud registration state — pulled only when the controller reports it is Activate / Central-managed. |
Test API tool
The Settings → Test API screen lets you send any read-only show command of your choice to the VC and see the raw output. This is the only place where the command is user-supplied; the input is validated to start with show before being passed to POST /rest/show-cmd. The tool exists so administrators can verify what the controller is returning when a IAPViewer parser appears to mis-read something.
What IAPViewer does NOT do: No call writes configuration, no call commits changes, no call reboots APs, no call modifies the VLAN / SSID / radio / security / RADIUS / allow-list / deny-list state. Those operations exist in the Aruba REST API; IAPViewer never invokes them. If a future feature ever needed to, it would be opt-in and disclosed in the release notes.
See also: Support · Documentation · Privacy Policy · Terms of Use