API-Central
Integrates with Git for version control of the API-Central tooling, with git-ignored configuration files for security and project management.
Provides GitHub integration for cloning the repository, reporting security issues via GitHub Issues, and managing the project's codebase and documentation.
Includes Postman download scripts for API collections, facilitating API testing and integration with HPE Aruba Central's REST API endpoints.
Integrates with Pytest for running unit and integration tests, ensuring code quality and reliability of the HPE Aruba Central automation tools.
Built with Python for network automation tooling, providing CLI tools for batch migration workflows and the underlying implementation of MCP servers.
Uses YAML for credential configuration files (credentials.yaml), providing structured and readable configuration management for HPE Aruba Central API authentication.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@API-Centralshow me all access points at the New York office"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
centralmcp — HPE Networking MCP toolkit
Low-token Model Context Protocol (MCP) server for HPE Networking automation: Aruba Central, HPE GreenLake Platform, ClearPass, Juniper Mist, Apstra, ArubaOS 8, EdgeConnect, and HPE Aruba UXI.
centralmcp gives MCP-capable AI clients a low-token way to search Aruba/HPE docs, look up exact OpenAPI details, inspect Central health, run troubleshooting workflows, manage configuration, and use guarded GreenLake Platform operations.
It is built around direct REST calls with httpx.
flowchart LR
client["MCP clients<br/>Cursor, VS Code, Claude, local agents<br/>or any MCP-capable model"]
router["aruba-tool-router<br/>find_tool<br/>invoke_read_tool<br/>invoke_tool"]
rag["Embedded RAG<br/>LanceDB docs<br/>SQLite OpenAPI lookup"]
core["Core Aruba backends<br/>Central monitoring/config/NAC/ops<br/>GreenLake Platform"]
optional["Optional starters<br/>ClearPass, Mist, Apstra<br/>AOS8, EdgeConnect, UXI"]
client -->|"stdio or streamable HTTP"| router
router -->|"search_docs / ask_docs / lookup_api"| rag
router -->|"async httpx REST"| core
router -->|"opt-in only"| optionalSearch keywords
HPE Networking MCP server, HPE Aruba Networking MCP server, HPE Aruba Central
MCP server, Aruba Central AI tools, HPE GreenLake Platform MCP, GreenLake
Platform MCP, GreenLake service catalog MCP, GreenLake reporting status MCP,
FastMCP network automation, Model Context Protocol networking, network
configuration MCP, Aruba API RAG, Aruba Central OpenAPI lookup, ClearPass MCP,
Juniper Mist MCP, Apstra MCP, ArubaOS 8 MCP, AOS8 automation, HPE Aruba
EdgeConnect MCP, EdgeConnect SD-WAN MCP, HPE Aruba UXI MCP, UXI sensor status MCP,
guarded read/write lab automation, EdgeConnect zones, EdgeConnect interface
labels, zone-based firewall MCP, Python httpx network automation,
EdgeConnect ACL object groups, EdgeConnect services, EdgeConnect bypass mode,
EdgeConnect link integrity diagnostics.
Related MCP server: network-mcp
Who this is for
You want to... | Use centralmcp to... |
Connect an MCP-capable AI client to Aruba Central | Run the low-token |
Ask questions about Aruba/HPE docs and APIs | Use embedded LanceDB + SQLite RAG/OpenAPI lookup without Docker |
Inspect Central health, devices, clients, alerts, events, or sites | Discover tools with |
Automate migrations or SSID workflows | Use the 8-stage migration pipeline and SSID helpers |
Experiment with ClearPass, Mist, Apstra, AOS8, EdgeConnect, or UXI | Enable optional starter backends only when needed |
Quick links
Need | Start here |
Documentation site | |
Guided setup | |
Try without API credentials | |
Try it quickly | |
Check your local setup | |
Install and connect an MCP client | |
Copy/paste MCP client setup | |
Enable optional products | |
See typed product workflow roadmap | |
Download prebuilt RAG/OpenAPI indexes | |
Fix setup or HTTP issues | |
Try useful prompts | |
Understand the low-token router | |
Run with any MCP-capable AI client/model | |
See the architecture diagrams | |
Browse the documentation map | |
Review the RAG design | |
Run validation before pushing | |
Get support or report issues | |
Contribute safely | |
Agent/developer conventions |
What is included
Area | Current coverage |
MCP tools | 213 core tools / 312 read-only optional starters / 346 read-write optional starters indexed |
Core servers | Central monitoring, configuration, operations, NAC, GLP, and RAG |
Router |
|
RAG | Embedded LanceDB docs index + SQLite OpenAPI lookup; no Docker required |
GLP | Devices, subscriptions, users, audit logs, workspaces, reporting statuses, service catalog, guarded read-only GLP GET, and feature-gated writes |
Optional products | ClearPass, Mist, Apstra, AOS8, EdgeConnect, and UXI starter backends |
Pipeline | 8-stage migration flow plus SSID build/delete helpers |
Why the router matters
Point your MCP client at one server: mcp_servers/tool_router.py.
The recommended minimal router profile keeps the MCP tool list small while still giving access to the larger backend catalog:
Use
find_toolto discover the right backend tool.Use
invoke_read_toolfor read-only calls.Use
invoke_toolonly for intentional write/destructive calls.
invoke_tool is deliberately marked destructive because it can dispatch destructive backend tools. This gives MCP clients a safer warning boundary without loading hundreds of direct tools into context.
Try it locally without credentials
You can verify the install, build the router catalog, and start the MCP HTTP server before adding Aruba Central or GreenLake credentials. API-backed tools will need credentials later, but the local setup path is safe to test first.
git clone https://github.com/secure-ssid/centralmcp.git
cd centralmcp
python3 scripts/setup_wizard.py --yes --skip-credentials
uv run python scripts/doctor.py
MCP_PORT=8010 bash scripts/run_http_router.shThen connect an MCP-capable AI client to:
http://127.0.0.1:8010/mcpQuick start
git clone https://github.com/secure-ssid/centralmcp.git
cd centralmcp
python3 scripts/setup_wizard.pyThe wizard can run uv sync, write local MCP client configs, pick a Central API
gateway region, fill credentials without echoing secrets, enable optional
products, build the router catalog, and run the local doctor.
Review:
config/credentials.yamlwith your Central / GLP OAuth credentials..envif you enabled ClearPass, Mist, Apstra, AOS8, EdgeConnect, or UXI..mcp.jsonif you want to tune the generated stdio MCP client config..mcp.http.jsonif your MCP client connects to an already-running streamable HTTP server instead of launching stdio..claude/launch.jsonif you use those launch profiles; choose the minimalaruba-tool-routerprofile for daily use.
Build the lightweight router tool index:
uv run python scripts/ingest_tools.pyFor optional product starters too:
uv run python scripts/ingest_tools.py --products allFor full RAG docs/API search, download the prebuilt release index:
uv run python scripts/download_indexes.pyTo rebuild locally, populate the git-ignored ingestion/sources/ tree with
scraped docs/API source files first, then run:
uv run python ingestion/ingest_docs.pyRAG source targets are tracked in
ingestion/source_manifest.json, including
DevHub, New Central techdocs, and the Switching Feature Navigator seeds.
Check the local setup without making API calls:
uv run python scripts/doctor.pyThe doctor reports missing local stdio/HTTP MCP config copies, index files, RAG source-manifest drift, placeholder stdio paths, low-token router profile drift, HTTP config URL or transport mismatches, optional product env, and HTTP listener status without calling Central or GLP APIs.
See docs/getting-started.md for the full setup path.
Default MCP client profile
The committed client examples are intentionally lean:
CENTRALMCP_ROUTER_MODE=minimal
CENTRALMCP_TOOLSETS=central,glp,ragEnable optional products only when needed:
CENTRALMCP_PRODUCTS=clearpass,mist,apstra,aos8,edgeconnect,uxi
CENTRALMCP_PRODUCT_ACCESS=read-onlyThe setup wizard can enable a subset for you, write the matching local .env,
and add only the product selector to local stdio MCP configs so tokens stay in
one local file:
python3 scripts/setup_wizard.py --products clearpass,mistThe optional product starter tools are lab-friendly. Write-capable products
include guarded writes that default to dry_run=True with confirm=True
required for execution; UXI starts as compact read-only workflows for sensors,
agents, groups, networks, service tests, and assignments. Optional product
access defaults to read-only, which hides and blocks optional product write
tools. Set CENTRALMCP_PRODUCT_ACCESS=read-write or run the wizard with
--product-access read-write only for trusted lab write workflows.
Streamable HTTP mode
The MCP server is model-agnostic: any AI client/model that supports MCP streamable HTTP can connect to the same router endpoint.
Start the low-token HTTP router in the foreground. The helper defaults to port
8010, matching the HTTP client example:
MCP_PORT=8010 bash scripts/run_http_router.shThen point your MCP client at:
http://127.0.0.1:8010/mcpUse .mcp.http.json.example as a generic HTTP client
snippet. Plain curl is only useful for checking that the server is listening;
real MCP clients use streaming headers such as Accept: text/event-stream.
The helper loads local .env assignments first, so optional product settings created by
the wizard are available to HTTP mode too.
If the port is already in use, the helper exits before starting another router
and prints the listener details plus the kill <PID> stop command.
Common environment variables
Variable | Purpose | Default |
| Credentials YAML path |
|
| OAuth token cache directory |
|
| Router mode: |
|
| Loaded backend profiles; examples use | all core Aruba backends |
| Optional product backends | empty |
| Optional product write-tool visibility: |
|
| Enable guarded GLP write tools | off |
| Normalize outbound MAC strings in router responses | off |
| Override GLP SSO token URL | HPE default |
| Override GLP API base URL | HPE default |
|
|
|
| HTTP bind address for streamable HTTP mode |
|
| HTTP port for streamable HTTP mode; |
|
Product starter backends also use product-specific URL/token variables. See docs/getting-started.md.
Project layout
.claude/ Optional launch profiles and repo agent notes
.cursor/ Cursor MCP profiles: router default and direct-server dev mode
.vscode/ VS Code MCP example config
config/ Credentials template; real credentials stay git-ignored
docker-compose.yml Optional localhost-only Redis/Ollama server backend for power users
mcp_servers/
tool_router.py Low-token MCP entrypoint
prompts.py Guided MCP prompt templates
monitoring.py Central health, alerts, events, clients, devices
config.py SSIDs, VLANs, profiles, webhooks, firmware
ops.py Ping, traceroute, show, reboot, PoE, cable test
nac.py MAC reg, MPSK, visitors, AAA, auth policies
glp.py GreenLake Platform tools
rag.py ask_docs, search_docs, lookup_api
clearpass.py Optional ClearPass starter backend
mist.py Optional Mist starter backend
apstra.py Optional Apstra starter backend
aos8.py Optional ArubaOS 8 starter backend
edgeconnect.py Optional EdgeConnect starter backend
uxi.py Optional HPE Aruba UXI starter backend
ingestion/
ingest_docs.py Build docs/API indexes into LanceDB + SQLite
pipeline/
clients/ httpx clients, token manager, LanceDB, SQLite specs
stages/ 8-stage migration pipeline
docs/
getting-started.md Setup and MCP connection guide
tool-router.md Router modes and low-token usage
architecture/ System overview and RAG design notes
inputs/ Example CSV inputs for migration workflows
resources/ Postman/API reference material and resource notes
ingestion/source_manifest.json RAG source seed URLs and source folders
scripts/ Tool catalog ingest, local doctor, HTTP router helper, release validation
tests/ Unit, integration, and RAG eval tests
.mcp.json.example Generic stdio MCP client example using the minimal router
.mcp.http.json.example Generic streamable HTTP MCP client example
run_pipeline.py Migration pipeline CLI
run_ssid.py SSID helper CLIRAG and API lookup
The default RAG stack is embedded:
Index | File | Tool | Purpose |
Docs |
|
| Hybrid retrieval over Aruba/HPE docs |
API specs |
|
| Exact endpoint/schema/enum lookup |
Tools |
|
| Semantic router tool discovery |
Measured on the bundled eval set:
Metric | Result |
| 1.00 |
| 0.90 |
| 0.90 |
Safety model
Credentials stay in
config/credentials.yamlor environment variables; do not commit real credentials.Token caches live under
~/.cache/centralmcp/by default with0600permissions.GLP v2beta1 writes fail closed unless
CENTRALMCP_GLP_V2BETA1_WRITES=1.Optional product writes fail closed unless
CENTRALMCP_PRODUCT_ACCESS=read-write.Destructive Central operations use MCP elicitation/confirmation where supported.
The router's
invoke_read_toolblocks non-read-only backend tools.The generic router
invoke_toolis marked destructive because it can reach write/destructive tools.find_toolomits full JSON schemas by default; requestinclude_schema=trueonly when needed.Generic GLP and optional product GET tools bound list responses with
limit/offset.MCP tool list defaults are capped at 200 items to protect client context windows.
Report vulnerabilities and accidental credential exposure through SECURITY.md; do not publish real tokens, tenant IDs, or customer data in issues or PRs.
Validation
Run unit tests:
uv run pytest tests/unit -qRun the local release gate:
uv run python scripts/validate_release.pyThe release helper runs unit tests, optional RAG/API eval when indexes exist, tool catalog floor checks, and local tool-index freshness checks. Unit tests also include static guards for the active MCP/pipeline code, committed low-token MCP config examples, local-only config files, router product/toolset docs, bounded generic read-only GET tools, MCP list default bounds, RAG/search top_k bounds, public tool-count claims, tool-count docstrings, tracked Markdown local links and images, Pages sitemap and robots metadata, documented router example arguments, product workflow tool-name tables, and wizard optional-product env tables.
Related projects
With appreciation to these projects and maintainers for official APIs, MCP patterns, and community references that helped shape centralmcp's low-token, lab-friendly direction:
HewlettPackard/gl-mcp - official GreenLake Platform MCP server
modelcontextprotocol/python-sdk - MCP Python SDK
KarthikSKumar98/central-mcp-server - community Aruba Central MCP server
nowireless4u/hpe-networking-mcp - unified HPE networking MCP reference
Disclaimer
This is an independent community project. It is not an official HPE or HPE Aruba Networking product and is not endorsed by or supported by HPE.
License
MIT - see LICENSE.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/secure-ssid/centralmcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server