Contents
  • Aruba 2540 Access Security Guide for ArubaOS-Switch 16.07
    • Home
    • About this guide
      • Applicable products
      • Switch prompts used in this guide
    • Security Overview
      • Introduction
        • About this guide
        • For more information
      • Access security features
      • Network security features
      • Getting started with access security
        • Physical security
        • Using the Management Interface wizard
          • Configuring security settings using the CLI wizard
          • WebAgent: Management Interface wizard
        • SNMP security guidelines
          • General SNMP access to the switch
          • SNMP access to the authentication configuration MIB
      • Precedence of security options
        • Precedence of port-based security options
        • Precedence of client-based authentication: Dynamic Configuration Arbiter (DCA)
          • Arbitrating client-specific attributes
    • Configuring Username and Password Security
      • Overview
        • Configuring password security
      • Configuring local password security
        • Setting passwords and usernames (CLI)
          • Removing password protection
          • Username and password length
          • General rules for usernames and passwords
          • Restrictions for the setmib command
          • Additional restrictions
          • Passwords implications when upgrading or downgrading software versions
          • Unable to use previous password
        • Setting passwords and usernames (WebAgent)
      • Saving security credentials in a config file
        • Benefits of saving security credentials
        • Enabling the storage and display of security credentials
        • Security settings that can be saved
        • Executing include-credentials or include-credentials store-in-config
          • The no include-credentials store-in-config option
        • Local manager and operator passwords
        • Password command options
        • SNMP security credentials
        • TACACS+ encryption key authentication
        • RADIUS shared-secret key authentication
        • The include-credentials radius-tacacs-only option
        • SSH Re-Keying for SSH Server and SSH Client
        • SSH client public-key authentication
        • Displaying the status of include-credentials
        • Storage states when using include-credentials
        • Operating notes
        • Restrictions on enabling security credentials
      • Encrypting credentials in the configuration file
        • Enabling encrypt-credentials
        • Displaying the state of encrypt-credentials
        • Affected commands
        • Important operating notes
        • Interaction with include-credentials settings
      • Front panel security
        • When security is important
        • Front-panel button functions
          • Clear button
          • Reset button
          • Restoring the factory default configuration
        • Configuring front panel security
          • Disabling the clear password function of the Clear button
          • Re-enabling the Clear button and setting or changing the ‘reset-on-clear’ operation
          • Changing the operation Reset+Clear combination
      • Password recovery
        • Disabling or re-enabling the password recovery process
        • Password recovery process
    • Virus throttling (connection-rate filtering)
      • Configuring connection-rate filtering
        • Viewing the connection-rate configuration
        • Enabling global connection-rate filtering and sensitivity
        • Configuring per-port filtering
          • Basic configuration
      • Blocked hosts
        • Listing currently-blocked hosts
        • Unblocking currently-blocked hosts
      • Configuring and applying connection-rate ACLs
        • Configuring a connection-rate ACL using source IP address criteria
        • Configuring a connection-rate ACL using UDP/TCP criteria
        • Applying connection-rate ACLs
        • Using an ACL in a connection-rate configuration example
      • Connection-rate filtering
        • Features and benefits
        • General operation
          • Filtering options
          • Sensitivity to connection rate detection
          • Application options
          • Operating rules
          • Unblocking a currently blocked host
        • Applying connection-rate ACLs
          • Connection-rate ACL operation
          • Connection-Rate ACL operating notes
        • Using CIDR notation to enter the ACE mask
        • Connection-rate log and trap messages
      • Overview
      • Configuring connection-rate filtering for low risk networks
      • Configuring connection-rate filtering for high risk networks
    • Web and MAC Authentication
      • Overview
        • Web-based authentication
        • MAC authentication
        • Concurrent web-based and MAC authentication
        • Authorized and unauthorized client VLANs
        • RADIUS-based authentication
        • Wireless clients
      • How web-based and MAC authentication operate
        • Web-based authentication
          • Order of priority for assigning VLANs
        • MAC-based authentication
      • Operating rules and notes
      • Setup procedure for web-based/MAC authentication
        • Configuring the RADIUS server to support MAC authentication
        • Configuring the switch to access a RADIUS server
        • Radius service tracking
          • radius-server tracking
          • radius-server tracking user-name
      • Configuring web-based authentication
        • Overview
        • Configuration commands for web-based authentication
          • Controlled directions
          • Disable web-based authentication
          • Specifying the VLAN
          • Maximum authenticated clients
          • Specifying the base address
          • Specifying the lease length
          • Specifying the period
          • Specifying the number of authentication attempts
          • Specifying maximum retries
          • Specifying the time period
          • Specifying the re-authentication period
          • Specifying a forced reauthentication
          • Specifying the URL
          • Specifying the timeout
        • Show commands for web-based authentication
      • Configuring MAC authentication
        • Preparation for configuring MAC authentication
        • Configuration commands for MAC authentication
          • Configuring the global MAC authentication password
          • Configuring a MAC-based address format
          • Creating a custom delimiter for a MAC address
          • Configuring other MAC-based commands
        • Configuring custom messages for failed logins
          • Web page display of access denied message
        • Viewing the show commands for MAC authentication
          • Viewing session information for MAC authenticated clients on a switch
          • Viewing detail on status of MAC authenticated client sessions
          • Error log
          • Viewing MAC authentication settings on ports
          • Viewing details of MAC Authentication settings on ports
          • Viewing MAC Authentication settings including RADIUS server-specific
        • Client status
    • Captive Portal for ClearPass
      • Requirements
      • Best Practices
      • Limitations
      • Features
        • High Availability
        • Load balancing and redundancy
      • Disabling Captive Portal
        • Disabling Captive Portal
      • Configuring Captive Portal on CPPM
        • Import the HPE RADIUS dictionary
        • Create enforcement profiles
        • Create a ClearPass guest self-registration
        • Configure the login delay
      • Configuring the switch
        • Configure the URL key
      • Configuring a certificate for Captive Portal usage
      • Display Captive Portal configuration
      • Show certificate information
      • Troubleshooting
        • Event Timestamp not working
        • Cannot enable Captive Portal
        • Unable to enable feature
        • Authenticated user redirected to login page
        • Unable to configure a URL hash key
        • authentication command
        • show command
        • Debug command
    • Local MAC Authentication
      • Overview
        • Concepts
      • Possible scenarios for deployment
      • Show commands
      • Configuration commands
        • Per-port attributes
        • Configuration examples
          • Configuration example 1
          • Configuration example 2
          • Configuration using mac-groups
          • Configuration without using mac-groups
    • Port-based MAC authentication
      • Overview
      • Operating notes
      • aaa port-access use-lldp-data
    • TACACS+ Authentication
      • Overview
      • General system requirements
      • General authentication setup procedure
      • Configuring TACACS+ on the switch
        • show authentication
        • Viewing the current TACACS+ server contact configuration
        • Configuring the switch authentication methods
          • Using the privilege-mode option for login
          • Authentication parameters
        • Configuring TACACS+ server
        • Configuring the TACACS+ server for single login
        • Configuring the switch TACACS+ server access
          • TACACS+ authorization and accounting commands
          • Device running a TACACS+ server application
          • Optional, global "encryption key"
          • Specifying how long the switch waits for a TACACS+ server to respond to an authentication request
          • Adding, removing, or changing the priority of a TACACS+ server
          • Configuring an encryption key
        • Configuring cipher text for TACACS+ key
        • Process of configuring TACACS+ key with encrypt-credentials and hide-sensitive-data
        • hide-sensitive-data
        • tacacs-server key
        • encrypt-credentials
        • encrypt-credentials
      • How authentication operates
        • General authentication process using a TACACS+ server
        • Local authentication process (TACACS+)
        • Using the encryption key
          • General operation
          • Encryption options in the switch
      • Controlling WebAgent access when using TACACS+ authentication
      • Messages related to TACACS+ operation
      • Operating notes
    • RADIUS Authentication, Authorization, and Accounting
      • Overview
        • Authentication Services
        • Accounting services
        • RADIUS-administered CoS and rate-limiting
        • RADIUS-administered commands authorization
        • SNMP access to the switch authentication configuration MIB
      • Switch operating rules for RADIUS
      • General RADIUS setup procedure
      • Configuring the switch for RADIUS authentication
        • Configuring authentication for the access methods that RADIUS protects
        • Enabling manager access privilege (optional)
        • Configuring the switch to access a RADIUS server
        • Configuring the switch global RADIUS parameters
        • Using multiple RADIUS server groups
          • Connecting a RADIUS server with a server group
          • Configuring the primary password authentication method for console, Telnet, SSH and WebAgent
          • Configuring the primary password authentication method for port-access, MAC-based, and web-based access
          • Viewing RADIUS server group information
      • Using SNMP to view and configure switch authentication features
        • Viewing and changing the SNMP access configuration
      • Local authentication process (RADIUS)
      • Controlling WebAgent access
      • Commands authorization
        • Enabling authorization
        • Viewing authorization information
        • Configuring commands authorization on a RADIUS server
          • Using vendor specific attributes (VSAs)
          • Example configuration using FreeRADIUS
      • Dynamic port access auth via RADIUS
        • Overview
        • Configuring the RADIUS VSAs
        • Viewing port-access information
        • Operating notes
      • VLAN assignment in an authentication session
        • Tagged and untagged VLAN attributes
      • Additional RADIUS attributes
      • MAC-based VLANs
      • Accounting services
        • Accounting service types
        • Operating rules for RADIUS accounting
        • Acct-Session-ID options in a management session
          • Unique Acct-Session-ID operation
          • Common Acct-Session-ID operation
        • Configuring RADIUS accounting
          • Steps for configuring RADIUS accounting
      • Viewing RADIUS statistics
        • General RADIUS statistics
        • RADIUS authentication statistics
        • RADIUS accounting statistics
      • Changing RADIUS-server access order
      • Creating local privilege levels
        • Configuring groups for local authorization
        • Configuring a local user for a group
        • Displaying command authorization information
      • Dynamic removal of authentication limits
      • Messages related to RADIUS operation
      • Security event log
        • Security user log access
        • Creating a security user
        • Security user commands
        • Authentication and Authorization through RADIUS
        • Authentication and Authorization through TACACS+
        • Restrictions
        • Event log wrap
        • Configuring concurrent sessions
          • For non-stackable switches
          • For stackable switches
        • Configuring concurrent sessions per user
          • For non-stackable switches
          • For stackable switches
        • Configuring concurrent sessions per user
        • Failed login attempts delay
    • User roles
      • Overview
      • Captive-portal commands
        • Overview
        • [no] aaa authentication captive-portal profile
          • Validation rules
          • Net-service and Net-destination Local user role
      • Policy commands
        • Overview
        • policy user
        • [no] policy user
        • policy resequence
        • Commands in the policy-user context
          • (policy-user)# class
      • User role configuration
        • aaa authorization user-role
          • Error log
        • captive-portal-profile
        • policy
        • reauth-period
          • Validation rules
        • VLAN commands
          • vlan-id
          • vlan-name
      • VLAN range commands
      • Applying a UDR
        • aaa port-access local-mac apply user-role
      • VXLAN show commands
        • show captive-portal profile
        • show user-role
        • show port-access clients
      • Overview of Monitoring Static IP Devices
      • ip client-tracker
      • ip client-tracker probe-delay
      • Tagged VLAN for user role
        • vlan-id-tagged
        • user-role vlan-id
      • Downloadable user-roles
        • aaa authorization user-role enable download
        • radius-server cppm identity
        • downloadable-role-delete
        • show user-role <XYZ>
        • show port-access clients
        • debug usertn
        • Net-service and Net-destination Downloadable User Role
    • IPv4 Access Control Lists (ACLs)
      • Options for applying IPv4 ACLs on the switch
        • Static ACLs
        • Dynamic port ACLs
      • Overview
        • Types of IPv4 ACLs
          • Standard ACL
          • Extended ACL
        • ACL applications
          • VACL applications
          • Static port ACL and RADIUS-assigned ACL applications
          • RADIUS-assigned (dynamic) port ACL applications
        • Multiple ACLs on an interface
        • Features common to all ACL applications
        • General steps for planning and configuring ACLs
      • IPv4 static ACL operation
        • Introduction
        • The packet-filtering process
          • Sequential comparison and action
          • Implicit Deny
      • Planning an ACL application
        • IPv4 traffic management and improved network performance
        • Security
        • Guidelines for planning the structure of a static ACL
        • IPv4 ACL configuration and operating rules
        • How an ACE uses a mask to screen packets for matches
          • What Is the difference between network (or subnet) masks and the masks used with ACLs?
          • Rules for defining a match between a packet and an ACE
      • Configuring and assigning an IPv4 ACL
        • General steps for implementing ACLs
        • Options for permit/deny policies
        • ACL configuration structure
          • Standard ACL structure
          • Extended ACL configuration structure
        • ACL configuration factors
          • The sequence of entries in an ACL is significant
          • Allowing for the Implied Deny function
          • A configured ACL has no effect until you apply it to an interface
          • You can assign an ACL name or number to an interface even if the ACL does not exist in the switch configuration
        • Using the CLI to create an ACL
          • Inserting or adding an ACE to an ACL
          • Using CIDR notation to enter the IPv4 ACL mask
      • Configuring standard ACLs
        • Configuring named, standard ACLs
          • Entering the IPv4 named ACL context
          • Configuring ACEs in a named, standard ACL
          • Creating numbered, standard ACLs
      • Configuring extended ACLs
        • Configuring named, extended ACLs
        • Configuring ACEs in named, extended ACLs
        • Including options for TCP and UDP traffic in extended ACLs
        • Options for ICMP traffic in extended ACLs
        • Option for IGMP in extended ACLs
        • Configuring numbered, extended ACLs
          • Creating or adding to an extended, numbered ACL
          • Controlling TCP and UDP traffic flow
          • Controlling ICMP traffic flow
          • Controlling IGMP traffic flow
      • Adding or removing an ACL assignment on an interface
        • Filtering IPv4 traffic inbound on a VLAN
        • Filtering inbound IPv4 traffic per port
      • Deleting an ACL
      • Editing an existing ACL
        • Using the CLI to edit ACLs
        • General editing rules
        • Sequence numbering in ACLs
          • Inserting an ACE in an existing ACL
          • Deleting an ACE from an existing ACL
          • Resequencing the ACEs in an ACL
          • Attaching a remark to an ACE
          • Operating notes for remarks
      • Viewing ACL configuration data
        • Viewing an ACL summary
        • Viewing the content of all ACLs on the switch
        • Viewing the VACL assignments for a VLAN
        • Viewing static port (and trunk) ACL assignments
        • Viewing the content of a specific ACL
        • Viewing all ACLs and their assignments in the switch startup-config and running-config files
      • Creating or editing an ACL offline
      • Monitoring static ACL performance
      • General ACL operating notes
    • MAC ACLs
      • Overview
      • MAC ACL configuration commands
        • Mac-access-list creation syntax
        • Mac-access-list standard configuration context
        • Mac-access-list extended configuration context
        • Remark command
        • Mac-access-list application syntax (PACL)
        • Mac-access-list application syntax (VACL)
        • Show access-list
        • Show access-list by name
        • Show access-list config
        • Show access-list port
        • Show access-list vlan
        • Show access-list resources
        • Show statistics
        • clear statistics
      • CLI command error messages
    • ACL Grouping
      • Overview
      • Commands
        • IPv4 access-group (PACL)
        • IPv6 access-group (PACL)
        • MAC access-group (PACL)
        • IPv4 access-group (VACL)
        • IPv6 access-group (VACL)
        • MAC access-group (VACL)
      • Modify existing commands
        • show configuration
        • show statistics
        • show access-list
          • show access-list ports
        • show access-list vlan
      • Error messages
    • Net-destination and Net-service
      • Overview
      • netservice [tcp | udp | port]
      • net-destination host |position | network
      • show net-destination
      • Platform wise scalability
    • RADIUS Services Support on Aruba Switches
      • Configuring
        • Configuring the switch to support RADIUS-assigned ACLs
      • Viewing
        • Viewing the currently active per-port CoS and rate-limiting configuration
        • Viewing CLI-configured rate-limiting and port priority for ports
      • Using
        • ACE syntax configuration options in a RADIUS server, using the standard attribute in an IPv4 ACL (Example)
        • Using VSA 63 to assign IPv6 and IPv4 ACLs
        • Using VSA 61 to assign IPv4 ACLs
        • Displaying the current RADIUS-assigned ACL activity on the switch
      • Overview
        • About RADIUS server support
          • RADIUS client and server requirements
          • RADIUS server configuration for CoS (802.1p priority) and rate-limiting
          • Applied rates for RADIUS-assigned rate limits
          • Per-port bandwidth override
          • Configuring and using dynamic (RADIUS-assigned) access control lists
          • RADIUS filter-id
          • Contrasting RADIUS-assigned and static ACLs
          • How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port
          • General ACL features, planning, and configuration
          • The packet-filtering process
          • Operating rules for RADIUS-assigned ACLs
          • Configuring an ACL in a RADIUS server
          • Nas-filter-Rule attribute options
          • ACE syntax in RADIUS servers
          • Configuration notes
          • Monitoring shared resources
          • Event log messages
      • Force client re-authorization
    • RBAC
      • RBAC Overview
      • Limitations
      • Roles
      • Rules
        • Command rules
        • Feature rules
        • VLAN policy rules
        • Interface policy rules
      • Creating roles and assigning rules
        • Enabling authorization
        • Creating a role
        • Configuring command rules
        • Configuring VLAN policy
        • Configuring interface policy
        • Configuring feature policy
      • Displaying rules for predefined roles
      • Displaying predefined features
      • Troubleshooting
        • Cannot modify group name
        • Cannot delete a group
        • Unable to run a command
        • Unable to add a rule
      • aaa authorization group
      • Predefined features
    • Password Complexity
      • Password complexity overview
      • Password expiration periods
      • Requirements
      • Limitations
      • Configuring Password Complexity
        • Viewing the password configuration
        • Enable Password Complexity
        • Configure the Password Complexity parameters
        • Configure password minimum length
        • Configure password composition
        • Configure password complexity checks
      • password configuration commands
      • password configuration-control
      • password configuration
      • password minimum-length
      • password
      • aaa authentication local-user
      • password complexity
      • password composition
      • show password-configuration
      • Troubleshooting
        • Unable to enable Password Complexity
        • Unable to download the configuration file
        • Display messages
    • Configuring Secure Shell (SSH)
      • Overview
        • Client public-key authentication (login/operator level) with user password authentication (enable/manager level)
        • Switch SSH and user password authentication
      • Prerequisite for using SSH
      • Public key formats
      • Steps for configuring and using SSH for switch and client authentication
      • General operating rules and notes
      • Configuring the switch for SSH operation
        • Generating or erasing the switch public/private host key pair
          • crypto key generate
          • show crypto host-public-key
          • zeroize
        • Displaying the public key
        • Providing the switch public key to clients
        • Enabling SSH on the switch and anticipating SSH client contact behavior
          • ip ssh
        • Disabling SSH on the switch
        • Configuring the switch for SSH authentication
          • Option A: Configuring SSH access for password-only SSH authentication
          • Option B: Configuring the switch for client Public-Key SSH authentication
          • SSH client contact behavior
      • Disable username prompt for management interface authentication in the Quick Base system
        • Switch behavior with Telnet
        • Switch behavior with SSH
        • Switch behavior with WebUI
      • SSH client public-key authentication notes
        • Using client public-key authentication
        • Creating a client public-key text file
        • Replacing or clearing the public-key file
        • Enabling client public-key authentication
      • SSH client and secure sessions
        • Opening a secure session to switch
        • General operating rules and notes
        • Copying client key files
        • Copying the ssh-client-known-hosts file
          • Replacing or appending the ssh-client-known-hosts file
          • Copying the SSH client known hosts file to another location
        • Copying the host public key
        • Removing the SSH client key pair
        • Removing the SSH client known hosts file
        • Displaying open sessions
      • Messages related to SSH operation
        • Logging messages
        • Debug logging
    • Configuring Secure Shell (SSH) with two-factor authentication
      • Overview
      • Two-factor authentication configuration commands
        • aaa authentication ssh
        • aaa authentication ssh two-factor
        • aaa authentication ssh two-factor two-factor-type
        • aaa authentication ssh two-factor two-factor-type publickey-password
        • aaa authentication ssh two-factor two-factor-type certificate-password
        • Two-factor authentication restrictions
        • Two-factor authentication event log messages
    • Configuring Secure Sockets Layer (SSL)
      • Overview
        • Server certificate authentication with user password authentication
      • Prerequisite for using SSL
      • Steps for configuring and using SSL for switch and client authentication
      • General operating rules and notes
      • Configuring the switch for SSL operation
        • Assigning a local login (operator) and enabling (manager) password
          • Using the WebAgent to configure local passwords
        • Generating the switch's server host certificate
          • To generate or erase the switch's server certificate with the CLI
          • Comments on certificate fields
          • Generate a self-signed host certificate with the WebAgent
          • Generate a CA-Signed server host certificate with the WebAgent
        • Enabling SSL on the switch and anticipating SSL browser contact behavior
          • SSL client contact behavior
          • Using the CLI interface to enable SSL
          • Using the WebAgent to enable SSL
      • Common errors in SSL setup
    • Configuring Advanced Threat Protection
      • Introduction
      • DHCP snooping
        • Enabling DHCP snooping
        • Enabling DHCP snooping on VLANs
        • Configuring DHCP snooping trusted ports
          • For DHCPv4 servers
          • For DHCPv6 servers
        • Configuring authorized server addresses
        • Using DHCP snooping with option 82
          • Changing the remote-id from a MAC to an IP address
          • Disabling the MAC address check
        • DHCP binding database
        • DHCPv4 snooping max-binding
        • Enabling debug logging
        • DHCP operational notes
        • Log messages
      • IPv6 Network Defense
        • DSNOOPv6 and DIPLDv6
          • Configuring DHCPv6 snooping
          • Configuring traps for DHCPv6 snooping
          • Clearing DHCPv6 snooping statistics
          • Enabling debug logging for DHCPv6 snooping
          • DHCPv6 show commands
      • Dynamic ARP protection
        • Enabling dynamic ARP protection
        • Configuring trusted ports
        • Adding an IP-to-MAC binding to the DHCP database
          • Clearing the DHCP snooping binding table
          • Adding a static binding
        • Configuring additional validation checks on ARP packets
        • Verifying the configuration of dynamic ARP protection
        • Displaying ARP packet statistics
        • Monitoring dynamic ARP protection
      • Dynamic IP lockdown
        • Protection against IP source address spoofing
        • Prerequisite: DHCP snooping
        • Filtering IP and MAC addresses per-port and per-VLAN
        • Enabling Dynamic IP Lockdown
          • IPv4
          • IPv6
        • Operational notes
        • Adding an IP-to-MAC binding to the DHCP binding database
          • Potential issues with bindings
          • Adding a static binding
        • Verifying the dynamic IP lockdown configuration
          • For IPv4
          • For IPv6
        • Displaying the static configuration of IP-to-MAC bindings
          • For IPv4
          • For IPv6
        • Debugging dynamic IP lockdown
      • Using the instrumentation monitor
        • Operating notes
        • Configuring instrumentation monitor
        • Viewing the current instrumentation monitor configuration
    • Traffic/Security Filters and Monitors
      • Overview
        • Filter limits
        • Using port trunks with filter
      • Filter types and operation
        • Source-port filters
          • Operating rules for source-port filters
        • Named source-port filters
          • Operating rules for named source-port filters
          • Defining and configuring named source-port filters
          • Viewing a named source-port filter
          • Using named source-port filters
        • Static multicast filters
        • Protocol filters
      • Configuring traffic/security filters
        • Configuring a source-port traffic filter
          • Configuring a filter on a port trunk
        • Editing a source-port filter
        • Configuring a multicast or protocol traffic filter
        • Filtering index
        • Displaying traffic/security filters
    • Configuring Port and User-Based Access Control (802.1X)
      • Overview
        • Why use port or user-based access control?
        • General features
        • User authentication methods
          • 802.1X user-based access control
          • 802.1X port-based access control
          • Alternative to using a RADIUS server
          • Accounting
      • General 802.1X authenticator operation
        • Example of the authentication process
        • VLAN membership priority
      • General operating rules and notes
      • General setup procedure for 802.1X access control
        • Overview: configuring 802.1X authentication on the switch
      • Configuring switch ports as 802.1X authenticators
        • Enable 802.1X authentication on selected ports
          • Enable the selected ports as authenticators and enable the (default) port-based authentication
          • Specify user-based authentication or return to port-based authentication
        • Reconfigure settings for port-access
        • Configuring the 802.1X authentication method
        • Enter the RADIUS host IP address(es)
        • Enable 802.1X authentication on the switch
        • Reset authenticator operation (optional)
        • Configure 802.1X controlled direction (optional)
          • Wake-on-LAN Traffic
          • Operating notes
        • Unauthenticated VLAN access (guest VLAN access)
          • Characteristics of mixed port access mode
          • Configuring mixed port access mode
      • 802.1X Open VLAN mode
        • Introduction
        • VLAN membership priorities
        • Use models for 802.1X Open VLAN modes
        • Operating rules for authorized and unauthorized-client VLANs
        • Setting up and configuring 802.1X Open VLAN mode
          • Configuring general 802.1X operation
          • Configuring 802.1X Open VLAN mode
          • Inspecting 802.1X Open VLAN mode operation
        • 802.1X Open VLAN operating notes
      • Option for authenticator ports: configure port-security to allow only 802.1X-authenticated devices
        • Port-Security
          • Configure the port access type
      • Configuring switch ports to operate as supplicants for 802.1X connections to other switches
        • Supplicant port configuration
          • Enabling a switch port as a supplicant
          • Configuring a supplicant switch port
      • Displaying 802.1X configuration, statistics, and counters
        • Show commands for port-access authenticator
        • Viewing 802.1X Open VLAN mode status
        • Show commands for port-access supplicant
          • Note on supplicant statistics
      • How RADIUS/802.1X authentication affects VLAN operation
        • VLAN assignment on a port
        • Operating notes
        • Example of untagged VLAN assignment in a RADIUS-based authentication session
        • Enabling the use of GVRP-learned dynamic VLANs in authentication sessions
      • Messages related to 802.1X operation
    • Configuring and Monitoring Port Security
      • Overview
      • Port security
        • Basic operation
        • Eavesdrop Prevention
          • Disabling Eavesdrop Prevention
          • Feature interactions when Eavesdrop Prevention is disabled
          • MIB Support
        • Blocked unauthorized traffic
        • Trunk group exclusion
        • Planning port security
        • Port security command options and operation
          • Displaying port security settings
        • Configuring port security
          • Port security commands
        • Retention of static addresses
          • Learned addresses
          • Assigned/authorized addresses
          • Specifying authorized devices and intrusion responses
          • Adding an authorized device to a port
          • Removing a device from the “authorized” list for a port
        • Clear MAC address table
          • Configuring clearing of learned MAC addresses
      • MAC Lockdown
        • How MAC Lockdown works
        • Differences between MAC Lockdown and port security
        • MAC Lockdown operating notes
          • Limits
          • Event Log messages
          • Limiting the frequency of log messages
        • Deploying MAC Lockdown
          • Basic MAC Lockdown deployment
          • Problems using MAC Lockdown in networks with multiple paths
      • MAC Lockout
        • How MAC Lockout works
      • User-based lockout compliance
        • aaa authentication
        • aaa authentication unlock
        • show authentication
        • Console session lockout overview
          • aaa authentication console-lockout
      • Port security and MAC Lockout
      • Reading intrusion alerts and resetting alert flags
        • Notice of security violations
        • How the intrusion log operates
        • Keeping the intrusion log current by resetting alert flags
          • Checking for intrusions, listing intrusion alerts, and resetting alert flags (CLI)
        • Using the Event Log to find intrusion alerts (CLI)
      • Operating notes for port security
        • Proxy Web servers
        • "Prior to" entries in the Intrusion Log
        • Alert flag status for entries forced off of the Intrusion Log
        • LACP not available on ports configured for port security
    • Using Authorized IP Managers
      • Introduction
      • Defining authorized management stations
        • Overview of IP mask operation
        • Viewing and configuring IP Authorized managers (CLI)
          • Listing the switch’s current IP Authorized manager(s)
          • Configuring IP Authorized managers for the switch (CLI)
      • Configuring IP Authorized managers (WebAgent)
        • Web proxy servers
        • How to eliminate the web proxy server
        • Using a web proxy server to access the WebAgent
      • Building IP Masks
        • Configuring one station per Authorized manager IP entry
        • Configuring multiple stations per Authorized manager IP entry
      • Operating notes
    • Key Management System
      • Overview
      • Configuring key chain management
        • Creating and deleting key chain entries
        • Assigning a time-independent key to a chain
          • Assigning time-dependent keys to a chain
    • Certificate Manager
      • Configuration support
        • Trust anchor profile (crypto pki ta-profile)
        • Web User’s Interface
      • Switch identity profile
      • Local certificate enrollment – manual mode
        • Self-signed certificate enrollment
        • Self-signed certificate
      • Removal of certificates/CSRs
      • Zeroization
      • File transfer
      • Loading a local certificate
      • Debug logging
      • Certificate specific
      • Profile specific—TA profile
        • Show profile specific
        • Certificate details
        • Display PKI certificate
      • Web support
        • SSL screen
          • Panel hierarchy
      • Error messages
    • Conformance to Suite-B Cryptography requirements
      • Configuration support
        • CRL configuration facts
        • OCSP configuration facts
        • Configure CRL for revocation check
        • Configure OCSP for revocation check
      • Retrieve CRL
      • Set TA profile to validate CRL and OCSP
      • Clear CRL
      • Create a certificate signing request
      • Create and enroll a self-signed certificate
      • Configure or remove the minimum levels of security minLos for TLS
      • Install authentication files
      • Remove authentication files
      • show crypto client-public-key
      • Remove the client public keys from configuration
      • Show details of TA profile
    • Websites
    • Support and other resources
      • Accessing Hewlett Packard Enterprise Support
      • Accessing updates
      • Customer self repair
      • Remote support
      • Warranty information
      • Regulatory information
      • Documentation feedback
    • ArubaOS-Switch RADIUS Vendor-Specific Attributes
      • Management access
      • Access control feature control
      • Access control
      • Class of service
      • Bandwidth
      • Filtering