Loading, please wait ...
- Home
- About this guide
- Security Overview
- Configuring Username and Password Security
- Overview
- Configuring local password security
- Saving security credentials in a config file
- Benefits of saving security credentials
- Enabling the storage and display of security credentials
- Security settings that can be saved
- Executing include-credentials or include-credentials store-in-config
- Local manager and operator passwords
- Password command options
- SNMP security credentials
- TACACS+ encryption key authentication
- RADIUS shared-secret key authentication
- The include-credentials radius-tacacs-only option
- SSH Re-Keying for SSH Server and SSH Client
- SSH client public-key authentication
- Displaying the status of include-credentials
- Storage states when using include-credentials
- Operating notes
- Restrictions on enabling security credentials
- Encrypting credentials in the configuration file
- Front panel security
- Password recovery
- Virus throttling (connection-rate filtering)
- Configuring connection-rate filtering
- Blocked hosts
- Configuring and applying connection-rate ACLs
- Connection-rate filtering
- Overview
- Configuring connection-rate filtering for low risk networks
- Configuring connection-rate filtering for high risk networks
- Web and MAC Authentication
- Overview
- How web-based and MAC authentication operate
- Operating rules and notes
- Setup procedure for web-based/MAC authentication
- Configuring web-based authentication
- Overview
- Configuration commands for web-based authentication
- Controlled directions
- Disable web-based authentication
- Specifying the VLAN
- Maximum authenticated clients
- Specifies base address
- Specifies lease length
- Specifying the period
- Specifying the number of authentication attempts
- Specifying maximum retries
- Specifying the time period
- Specifying the re-authentication period
- Specifying a forced reauthentication
- Specifying the URL
- Specifying the timeout
- Show commands for web-based authentication
- Configuring MAC authentication
- Preparation for configuring MAC authentication
- Configuration commands for MAC authentication
- Configuring custom messages for failed logins
- Viewing the show commands for MAC authentication
- Viewing session information for MAC authenticated clients on a switch
- Viewing detail on status of MAC authenticated client sessions
- Error log
- Viewing MAC authentication settings on ports
- Viewing details of MAC Authentication settings on ports
- Viewing MAC Authentication settings including RADIUS server-specific
- Client status
- Captive Portal for ClearPass
- Local MAC Authentication
- Port-based MAC authentication
- TACACS+ Authentication
- Overview
- General system requirements
- General authentication setup procedure
- Configuring TACACS+ on the switch
- show authentication
- Viewing the current TACACS+ server contact configuration
- Configuring the switch authentication methods
- Configuring TACACS+ server
- Configuring the TACACS+ server for single login
- Configuring the switch TACACS+ server access
- TACACS+ authorization and accounting commands
- Device running a TACACS+ server application
- Optional, global "encryption key"
- Specifying how long the switch waits for a TACACS+ server to respond to an authentication request
- Adding, removing, or changing the priority of a TACACS+ server
- Configuring an encryption key
- Configuring cipher text for TACACS+ key
- Process of configuring TACACS+ key with encrypt-credentials and hide-sensitive-data
- hide-sensitive-data
- tacacs-server key
- encrypt-credentials
- encrypt-credentials
- How authentication operates
- Controlling WebAgent access when using TACACS+ authentication
- Messages related to TACACS+ operation
- Operating notes
- RADIUS Authentication, Authorization, and Accounting
- Overview
- Switch operating rules for RADIUS
- General RADIUS setup procedure
- Configuring the switch for RADIUS authentication
- Using SNMP to view and configure switch authentication features
- Local authentication process (RADIUS)
- Controlling WebAgent access
- Commands authorization
- Dynamic port access auth via RADIUS
- VLAN assignment in an authentication session
- Additional RADIUS attributes
- MAC-based VLANs
- Accounting services
- Viewing RADIUS statistics
- Changing RADIUS-server access order
- Creating local privilege levels
- Dynamic removal of authentication limits
- Messages related to RADIUS operation
- Security event log
- Security user log access
- Creating a security user
- Security user commands
- Authentication and Authorization through RADIUS
- Authentication and Authorization through TACACS+
- Restrictions
- Event log wrap
- Configuring concurrent sessions
- Configuring concurrent sessions per user
- Configuring concurrent sessions per user
- Failed login attempts delay
- User roles
- IPv4 Access Control Lists (ACLs)
- Options for applying IPv4 ACLs on the switch
- Overview
- IPv4 static ACL operation
- Planning an ACL application
- Configuring and assigning an IPv4 ACL
- Configuring standard ACLs
- Configuring extended ACLs
- Adding or removing an ACL assignment on an interface
- Deleting an ACL
- Editing an existing ACL
- Viewing ACL configuration data
- Creating or editing an ACL offline
- Monitoring static ACL performance
- General ACL operating notes
- MAC ACLs
- Overview
- MAC ACL configuration commands
- Mac-access-list creation syntax
- Mac-access-list standard configuration context
- Mac-access-list extended configuration context
- Remark command
- Mac-access-list application syntax (PACL)
- Mac-access-list application syntax (VACL)
- Show access-list
- Show access-list by name
- Show access-list config
- Show access-list port
- Show access-list vlan
- Show access-list resources
- Show statistics
- clear statistics
- CLI command error messages
- ACL Grouping
- Net-destination and Net-service
- RADIUS Services Support on Aruba Switches
- Configuring
- Viewing
- Using
- Overview
- About RADIUS server support
- RADIUS client and server requirements
- RADIUS server configuration for CoS (802.1p priority) and rate-limiting
- Applied rates for RADIUS-assigned rate limits
- Per-port bandwidth override
- Configuring and using dynamic (RADIUS-assigned) access control lists
- RADIUS filter-id
- Contrasting RADIUS-assigned and static ACLs
- How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port
- General ACL features, planning, and configuration
- The packet-filtering process
- Operating rules for RADIUS-assigned ACLs
- Configuring an ACL in a RADIUS server
- Nas-filter-Rule attribute options
- ACE syntax in RADIUS servers
- Configuration notes
- Monitoring shared resources
- Event log messages
- About RADIUS server support
- Force client re-authorization
- RBAC
- Password Complexity
- Password complexity overview
- Password expiration periods
- Requirements
- Limitations
- Configuring Password Complexity
- password configuration commands
- password configuration-control
- password configuration
- password minimum-length
- password
- aaa authentication local-user
- password complexity
- password composition
- show password-configuration
- Troubleshooting
- Configuring Secure Shell (SSH)
- Overview
- Prerequisite for using SSH
- Public key formats
- Steps for configuring and using SSH for switch and client authentication
- General operating rules and notes
- Configuring the switch for SSH operation
- Disable username prompt for management interface authentication in the Quick Base system
- SSH client public-key authentication notes
- SSH client and secure sessions
- Messages related to SSH operation
- Configuring Secure Shell (SSH) with two-factor authentication
- Overview
- Two-factor authentication configuration commands
- aaa authentication ssh
- aaa authentication ssh two-factor
- aaa authentication ssh two-factor two-factor-type
- aaa authentication ssh two-factor two-factor-type publickey-password
- aaa authentication ssh two-factor two-factor-type certificate-password
- Two-factor authentication restrictions
- Two-factor authentication event log messages
- Configuring Secure Sockets Layer (SSL)
- Overview
- Prerequisite for using SSL
- Steps for configuring and using SSL for switch and client authentication
- General operating rules and notes
- Configuring the switch for SSL operation
- Common errors in SSL setup
- Configuring Advanced Threat Protection
- Introduction
- DHCP snooping
- IPv6 Network Defense
- Dynamic ARP protection
- Dynamic IP lockdown
- Protection against IP source address spoofing
- Prerequisite: DHCP snooping
- Filtering IP and MAC addresses per-port and per-VLAN
- Enabling Dynamic IP Lockdown
- Operational notes
- Adding an IP-to-MAC binding to the DHCP binding database
- Verifying the dynamic IP lockdown configuration
- Displaying the static configuration of IP-to-MAC bindings
- Debugging dynamic IP lockdown
- Using the instrumentation monitor
- Traffic/Security Filters and Monitors
- Configuring Port and User-Based Access Control (802.1X)
- Overview
- General 802.1X authenticator operation
- General operating rules and notes
- General setup procedure for 802.1X access control
- Configuring switch ports as 802.1X authenticators
- Enable 802.1X authentication on selected ports
- Reconfigure settings for port-access
- Configuring the 802.1X authentication method
- Enter the RADIUS host IP address(es)
- Enable 802.1X authentication on the switch
- Reset authenticator operation (optional)
- Configure 802.1X controlled direction (optional)
- Unauthenticated VLAN access (guest VLAN access)
- 802.1X Open VLAN mode
- Option for authenticator ports: configure port-security to allow only 802.1X-authenticated devices
- Configuring switch ports to operate as supplicants for 802.1X connections to other switches
- Displaying 802.1X configuration, statistics, and counters
- How RADIUS/802.1X authentication affects VLAN operation
- Messages related to 802.1X operation
- Configuring and Monitoring Port Security
- Overview
- Port security
- MAC Lockdown
- MAC Lockout
- User-based lockout compliance
- Port security and MAC Lockout
- Reading intrusion alerts and resetting alert flags
- Operating notes for port security
- Using Authorized IP Managers
- Key Management System
- Certificate Manager
- Conformance to Suite-B Cryptography requirements
- Configuration support
- Retrieve CRL
- Set TA profile to validate CRL and OCSP
- Clear CRL
- Create a certificate signing request
- Create and enroll a self-signed certificate
- Configure or remove the minimum levels of security minLos for TLS
- Install authentication files
- Remove authentication files
- show crypto client-public-key
- Remove the client public keys from configuration
- Show details of TA profile
- Websites
- Support and other resources
- ArubaOS-Switch RADIUS Vendor-Specific Attributes