Loading, please wait ...
- Home
- About this guide
- Security Overview
- Configuring Username and Password Security
- Web and MAC Authentication
- Overview
- How web-based and MAC authentication operate
- Operating rules and notes
- Setup procedure for web-based/MAC authentication
- Configuring web-based authentication
- Overview
- Configuration commands for web-based authentication
- Controlled direction
- Disable web-based authentication
- Specifying the VLAN
- Maximum authenticated clients
- Specifies base address
- Specifies lease length
- Allowing client moves between specified ports
- Specifying the period
- Specifying the number of authentication attempts
- Specifying maximum retries
- Specifying the time period
- Specifying the re-authentication period
- Specifying a forced reauthentication
- Specifying the URL
- Specifying the timeout
- Enabling or disabling SSL login
- Configuring MAC authentication
- Captive Portal for ClearPass
- Local MAC Authentication
- Port-based MAC authentication
- TACACS+ Authentication and Accounting
- Definition of terms
- Overview
- Configuring TACACS+ on the switch
- Before you begin
- Selecting the access method for configuration
- Configuring the switch authentication method
- Configuring the TACACS+ server
- Configuring the switch TACACS+ server access
- ip source-interface
- ipv6 source-interface
- Configuring cipher text for TACACS+ key
- Process of configuring TACACS+ key with encrypt-credentials and hide-sensitive-data
- hide-sensitive-data
- tacacs-server key
- encrypt-credentials
- Configuring dead time
- Enabling authorization for commands
- aaa accounting
- show authorization
- Show all accounting configurations
- Show current authentication configurations
- Show key information
- show tacacs
- show tacacs host
- Show accounting sessions
- show ip source-interface
- show ipv6 source-interface
- Specifying devices
- Specifying switch timeout
- Encryption options in the switch
- Using the privilege-mode option for login
- Examples for adding, removing, or changing the priority of a TACACS+ server
- Controlling Web UI access when using TACACS+ authentication
- Event Messages
- Operating notes
- RADIUS Authentication, Authorization, and Accounting
- Overview
- Authentication order and priority
- Switch operating rules for RADIUS
- General RADIUS setup procedure
- Configuring the switch for RADIUS authentication
- Using SNMP to view and configure switch authentication features
- Local authentication process (RADIUS)
- Controlling WebAgent access
- Commands authorization
- Additional RADIUS attributes
- MAC-based VLANs
- Accounting services
- Viewing RADIUS statistics
- Changing RADIUS-server access order
- User roles
- IPv4 Access Control Lists (ACLs)
- Options for applying IPv4 ACLs on the switch
- Overview
- IPv4 static ACL operation
- Planning an ACL application
- Configuring and assigning an IPv4 ACL
- Configuring standard ACLs
- Configuring extended ACLs
- Adding or removing an ACL assignment on an interface
- Deleting an ACL
- Editing an existing ACL
- Viewing ACL configuration data
- Creating or editing an ACL offline
- Enable ACL “deny” or “permit” logging
- General ACL operating notes
- RADIUS Services Support on Aruba Switches
- RADIUS client and server requirements
- RADIUS server configuration for CoS (802.1p priority) and rate-limiting
- Configuring and using dynamic (RADIUS-assigned) access control lists
- Overview of RADIUS-assigned, dynamic ACLs
- Contrasting RADIUS-assigned and static ACLs
- How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port
- General ACL features, planning, and configuration
- The packet-filtering process
- Operating rules for RADIUS-assigned ACLs
- Configuring an ACL in a RADIUS server
- ACE syntax in RADIUS servers
- Configuring the switch to support RADIUS-assigned ACLs
- Displaying the current RADIUS-assigned ACL activity on the switch
- Event Log messages
- Causes of client deauthentication immediately after authenticating
- Monitoring shared resources
- RADIUS filter-id
- Force client re-authorization
- Password Complexity
- Password complexity overview
- Password expiration periods
- Requirements
- Limitations
- Configuring Password Complexity
- password configuration commands
- password configuration-control
- password configuration
- password minimum-length
- password
- aaa authentication local-user
- password complexity
- password composition
- show password-configuration
- Troubleshooting
- Configuring Secure Shell (SSH)
- Overview
- Prerequisite for using SSH
- Public key formats
- Steps for configuring and using SSH for switch and client authentication
- General operating rules and notes
- Configuring the switch for SSH operation
- Disable username prompt for management interface authentication in the Quick Base system
- SSH client public-key authentication notes
- Messages related to SSH operation
- Configuring Secure Sockets Layer (SSL)
- Overview
- Prerequisite for using SSL
- Steps for configuring and using SSL for switch and client authentication
- General operating rules and notes
- Configuring the switch for SSL operation
- Common errors in SSL setup
- Configuring Advanced Threat Protection
- Introduction
- DHCP snooping
- IPv6 Network Defense
- Dynamic ARP protection
- Dynamic IP lockdown
- Protection against IP source address spoofing
- Prerequisite: DHCP snooping
- Filtering IP and MAC addresses per-port and per-VLAN
- Enabling Dynamic IP Lockdown
- Operational notes
- Adding an IP-to-MAC binding to the DHCP binding database
- Verifying the dynamic IP lockdown configuration
- Displaying the static configuration of IP-to-MAC bindings
- Debugging dynamic IP lockdown
- Using the instrumentation monitor
- Traffic/Security Filters and Monitors
- Configuring Port and User-Based Access Control (802.1X)
- Overview
- General 802.1X authenticator operation
- General operating rules and notes
- General setup procedure for 802.1X access control
- Configuring switch ports as 802.1X authenticators
- Enable 802.1X authentication on selected ports
- Reconfigure settings for port-access
- Configuring the 802.1X authentication method
- Enter the RADIUS host IP address(es)
- Enable 802.1X authentication on the switch
- Reset authenticator operation (optional)
- Optional: Configure 802.1X Controlled Direction
- Wake-on-LAN Traffic
- Unauthenticated VLAN access (guest VLAN access)
- Configuring RADIUS port speed VSA
- Configuring the port
- Viewing the port operation mode
- 802.1X Open VLAN mode
- Option for authenticator ports: configure port-security to allow only 802.1X-authenticated devices
- Configuring switch ports to operate as supplicants for 802.1X connections to other switches
- Displaying 802.1X configuration, statistics, and counters
- How RADIUS/802.1X authentication affects VLAN operation
- EAP identifier compliance for 802.1x
- Configuring and Monitoring Port Security
- Overview
- Port security
- MAC Lockdown
- MAC Lockout
- Port security and MAC Lockout
- Denial of Service packet filtering
- Reading intrusion alerts and resetting alert flags
- Operating notes for port security
- Using Authorized IP Managers
- Key Management System
- Conformance to Suite-B Cryptography requirements
- Configuration support
- Retrieve CRL
- Set TA profile to validate CRL and OCSP
- Clear CRL
- Create a certificate signing request
- Create and enroll a self-signed certificate
- Configure or remove the minimum levels of security minLos for TLS
- Install authentication files
- Remove authentication files
- Remove the client public keys from configuration
- Show details of TA profile
- Websites
- Support and other resources
- ArubaOS-Switch RADIUS Vendor-Specific Attributes