Contents
  • Aruba 2530 Access Security Guide for ArubaOS-Switch 16.08
    • Home
    • About this guide
      • Applicable products
      • Switch prompts used in this guide
    • Security Overview
      • Introduction
        • About this guide
        • For more information
      • Access security features
      • Getting started with access security
        • Physical security
        • Using the Management Interface wizard
          • Configuring security settings using the CLI wizard
          • WebAgent: Management Interface wizard
        • SNMP security guidelines
          • General SNMP access to the switch
          • SNMP access to the authentication configuration MIB
    • Configuring Username and Password Security
      • Overview
        • Configuring password security
      • Configuring local password security
        • Setting passwords and usernames (CLI)
          • Removing password protection
        • Setting passwords and usernames (WebAgent)
      • Saving security credentials in a config file
        • Benefits of saving security credentials
        • Enabling the storage and display of security credentials
        • Security settings that can be saved
        • Local manager and operator passwords
      • Front panel security
        • When security is important
        • Front-panel button functions
          • Clear button
          • Reset button
          • Restoring the factory default configuration
        • Configuring front panel security
          • Disabling the clear password function of the Clear button
          • Re-enabling the Clear button and setting or changing the ‘reset-on-clear’ operation
          • Changing the operation Reset+Clear combination
      • Password recovery
        • Disabling or re-enabling the password recovery process
        • Password recovery process
    • Web and MAC Authentication
      • Overview
        • Web-based authentication
        • MAC authentication
        • Concurrent web-based and MAC authentication
        • Authorized and unauthorized client VLANs
        • RADIUS-based authentication
        • Wireless clients
      • How web-based and MAC authentication operate
        • Web-based authentication
          • Order of priority for assigning VLANs
        • MAC-based authentication
      • Operating rules and notes
      • Setup procedure for web-based/MAC authentication
        • Configuring the RADIUS server to support MAC authentication
        • Configuring the switch to access a RADIUS server
        • Radius service tracking
          • radius-server tracking
          • radius-server tracking user-name
      • Configuring web-based authentication
        • Overview
        • Configuration commands for web-based authentication
          • Controlled direction
          • Disable web-based authentication
          • Specifying the VLAN
          • Maximum authenticated clients
          • Specifies base address
          • Specifies lease length
          • Allowing client moves between specified ports
          • Specifying the period
          • Specifying the number of authentication attempts
          • Specifying maximum retries
          • Specifying the time period
          • Specifying the re-authentication period
          • Specifying a forced reauthentication
          • Specifying the URL
          • Specifying the timeout
          • Enabling or disabling SSL login
      • Configuring MAC authentication
        • Preparation for configuring MAC authentication
        • Configuration commands for MAC authentication
          • Configuring a MAC-based address format
          • Configuring other MAC-based commands
        • Show status and configuration of web-based authentication
        • Show status and configuration of MAC-based authentication
        • Client status
        • Configuring MAC pinning
          • aaa port-access local-mac <PORT-LIST> mac-pin
          • aaa port-access mac-based <PORT-LIST> mac-pin
    • Captive Portal for ClearPass
      • Requirements
      • Best Practices
      • Limitations
      • Features
        • High Availability
        • Load balancing and redundancy
      • Captive Portal when disabled
        • Disabling Captive Portal
      • Configuring Captive Portal on ClearPass
        • Import the HPE RADIUS dictionary
        • Create enforcement profiles
        • Create a ClearPass guest self-registration
        • Configure the login delay
      • Configuring the switch
        • Configure the URL key
      • Configuring a certificate for Captive Portal usage
      • Display Captive Portal configuration
      • Show certificate information
      • Troubleshooting
        • Event Timestamp not working
        • Cannot enable Captive Portal
        • Unable to enable feature
        • Authenticated user redirected to login page
        • Unable to configure a URL hash key
        • authentication command
        • show command
        • Debug command
    • Local MAC Authentication
      • Overview
        • Concepts
      • Possible scenarios for deployment
      • Show commands
      • Configuration commands
        • Per-port attributes
        • Configuration examples
          • Configuration example 1
          • Configuration example 2
          • Configuration using mac-groups
          • Configuration without using mac-groups
    • Port-based MAC authentication
      • Overview
      • Operating notes
      • aaa port-access use-lldp-data
    • TACACS+ Authentication and Accounting
      • Definition of terms
      • Overview
        • TACACS+ authentication process
          • TACACS+ authentication setup
          • General authentication process using a TACACS+ server
          • Local authentication process
          • Authentication parameters
      • Configuring TACACS+ on the switch
        • Before you begin
        • Selecting the access method for configuration
        • Configuring the switch authentication method
        • Configuring the TACACS+ server
        • Configuring the switch TACACS+ server access
        • ip source-interface
        • ipv6 source-interface
        • Configuring cipher text for TACACS+ key
        • Process of configuring TACACS+ key with encrypt-credentials and hide-sensitive-data
        • hide-sensitive-data
        • tacacs-server key
        • encrypt-credentials
        • Configuring dead time
        • Enabling authorization for commands
        • aaa accounting
        • show authorization
        • Show all accounting configurations
        • Show current authentication configurations
        • Show key information
        • show tacacs
        • show tacacs host
        • Show accounting sessions
        • show ip source-interface
        • show ipv6 source-interface
        • Specifying devices
        • Specifying switch timeout
        • Encryption options in the switch
          • Encryption operation keys
          • Configuring an encryption key
          • Configuring server specific encryption key
        • Using the privilege-mode option for login
        • Examples for adding, removing, or changing the priority of a TACACS+ server
      • Controlling Web UI access when using TACACS+ authentication
      • Event Messages
        • Messages related to TACACS+ operation
      • Operating notes
    • RADIUS Authentication, Authorization, and Accounting
      • Overview
        • Authentication Services
        • Accounting services
        • SNMP access to the switch authentication configuration MIB
      • Authentication order and priority
        • Configuring the Authentication order, priority, and fallback
      • Switch operating rules for RADIUS
      • General RADIUS setup procedure
      • Configuring the switch for RADIUS authentication
        • Configuring authentication for the access methods that RADIUS protects
        • Enabling manager access privilege (optional)
        • Configuring the switch to access a RADIUS server
        • RADIUS server groups
          • Per-port RADIUS server group for MAC authentication
          • Configuring RADIUS server group for NAS-ID
        • Configuring the switch global RADIUS parameters
      • Using SNMP to view and configure switch authentication features
        • Viewing and changing the SNMP access configuration
      • Local authentication process (RADIUS)
      • Controlling WebAgent access
      • Commands authorization
        • Enabling authorization
        • Viewing authorization information
        • Configuring commands authorization on a RADIUS server
          • Using vendor specific attributes (VSAs)
          • Example configuration using FreeRADIUS
      • Additional RADIUS attributes
      • MAC-based VLANs
      • Accounting services
        • Accounting service types
        • Operating rules for RADIUS accounting
        • Configuring RADIUS accounting
          • Steps for configuring RADIUS accounting
      • Viewing RADIUS statistics
        • General RADIUS statistics
        • RADIUS authentication statistics
        • RADIUS accounting statistics
      • Changing RADIUS-server access order
    • User roles
      • Overview
      • Captive-portal commands
        • Overview
        • no aaa authentication captive-portal profile
          • Netservice and Netdestination Local user role
      • Policy commands
        • Overview
        • policy user
        • no policy user
        • policy resequence
        • Commands in the policy-user context
          • (policy-user)# class
      • User role configuration
        • aaa authorization user-role
          • Error log
        • captive-portal-profile
        • policy
        • reauth-period
        • VLAN commands
          • vlan-id
          • vlan-name
      • VLAN range commands
      • Applying User Derived Role with Local MAC Authentication
        • aaa port-access local-mac apply user-role
      • VXLAN show commands
        • show captive-portal profile
        • show user-role
        • show port-access clients
      • Tagged VLAN for user role
        • vlan-id-tagged
        • user-role vlan-id
    • IPv4 Access Control Lists (ACLs)
      • Options for applying IPv4 ACLs on the switch
        • Static ACLs
      • Overview
        • Types of IPv4 ACLs
          • Standard ACL
          • Extended ACL
        • ACL applications
          • VACL applications
          • Static port ACL and RADIUS-assigned ACL applications
        • Multiple ACLs on an interface
          • For a packet to be permitted, it must have a match with a "permit" ACE in all applicable ACLs assigned to an interface
          • Exception for connection-rate filtering
        • Features common to all ACL applications
        • General steps for planning and configuring ACLs
      • IPv4 static ACL operation
        • Introduction
        • The packet-filtering process
          • Sequential comparison and action
          • Implicit Deny
      • Planning an ACL application
        • IPv4 traffic management and improved network performance
        • Security
        • Guidelines for planning the structure of a static ACL
        • IPv4 ACL configuration and operating rules
        • How an ACE uses a mask to screen packets for matches
          • What Is the difference between network (or subnet) masks and the masks used with ACLs?
          • Rules for defining a match between a packet and an ACE
      • Configuring and assigning an IPv4 ACL
        • General steps for implementing ACLs
        • Options for permit/deny policies
        • ACL configuration structure
          • Standard ACL structure
          • Extended ACL configuration structure
        • ACL configuration factors
          • The sequence of entries in an ACL is significant
          • Allowing for the Implied Deny function
          • A configured ACL has no effect until you apply it to an interface
          • You can assign an ACL name or number to an interface even if the ACL does not exist in the switch configuration
        • Using the CLI to create an ACL
          • Inserting or adding an ACE to an ACL
          • Using CIDR notation to enter the IPv4 ACL mask
      • Configuring standard ACLs
        • Configuring named, standard ACLs
          • Entering the IPv4 named ACL context
          • Configuring ACEs in a named, standard ACL
          • Creating numbered, standard ACLs
      • Configuring extended ACLs
        • Configuring named, extended ACLs
        • Configuring ACEs in named, extended ACLs
        • Including options for TCP and UDP traffic in extended ACLs
        • Configuring numbered, extended ACLs
          • Creating or adding to an extended, numbered ACL
          • Controlling TCP and UDP traffic flow
      • Adding or removing an ACL assignment on an interface
        • Filtering IPv4 traffic inbound on a VLAN
        • Filtering inbound IPv4 traffic per port
      • Deleting an ACL
      • Editing an existing ACL
        • Using the CLI to edit ACLs
        • General editing rules
        • Sequence numbering in ACLs
          • Inserting an ACE in an existing ACL
          • Deleting an ACE from an existing ACL
          • Resequencing the ACEs in an ACL
          • Attaching a remark to an ACE
          • Operating notes for remarks
      • Viewing ACL configuration data
        • Viewing an ACL summary
        • Viewing the content of all ACLs on the switch
        • Viewing the VACL assignments for a VLAN
        • Viewing static port (and trunk) ACL assignments
        • Viewing specific ACL configuration details
        • Viewing all ACLs and their assignments in the routing switch startup-config and running-config files
      • Creating or editing an ACL offline
      • Enable ACL “deny” or “permit” logging
        • Requirements for using ACL logging
        • ACL logging operation
        • Enabling ACL logging on the switch
        • Configuring logging timer
        • Monitoring static ACL performance
          • IPv6 counter operation with multiple interface assignments
      • General ACL operating notes
    • RADIUS Services Support on Aruba Switches
      • RADIUS client and server requirements
      • RADIUS server configuration for CoS (802.1p priority) and rate-limiting
        • Applied rates for RADIUS-assigned rate limits
          • Per-port bandwidth override
        • Viewing the currently active per-port CoS and rate-limiting configuration
          • Viewing CLI-configured rate-limiting and port priority for ports
      • Configuring and using dynamic (RADIUS-assigned) access control lists
        • Overview of RADIUS-assigned, dynamic ACLs
          • Traffic applications
        • Contrasting RADIUS-assigned and static ACLs
        • How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port
          • Multiple clients sharing the same RADIUS-assigned ACL
          • Effect of multiple ACL application types on an interface
        • General ACL features, planning, and configuration
        • The packet-filtering process
        • Operating rules for RADIUS-assigned ACLs
        • Configuring an ACL in a RADIUS server
          • Nas-filter-rule options
        • ACE syntax in RADIUS servers
          • Using the standard attribute in an IPv4 ACL (example)
          • Using HPE VSA 63 to assign IPv6 and IPv4 ACLs (example)
          • Using HPE VSA 61 to assign IPv4 ACLs (example)
          • Configuration notes
        • Configuring the switch to support RADIUS-assigned ACLs
        • Displaying the current RADIUS-assigned ACL activity on the switch
        • Event Log messages
        • Causes of client deauthentication immediately after authenticating
        • Monitoring shared resources
      • RADIUS filter-id
        • Forcing reauthentication
        • show access-list radius
        • show access-list (NAS rule) and (filter-id)
        • Log messages
      • Force client re-authorization
    • Password Complexity
      • Password complexity overview
      • Password expiration periods
      • Requirements
      • Limitations
      • Configuring Password Complexity
        • Viewing the password configuration
        • Enable Password Complexity
        • Configure the Password Complexity parameters
        • Configure password minimum length
        • Configure password composition
        • Configure password complexity checks
      • password configuration commands
      • password configuration-control
      • password configuration
      • password minimum-length
      • password
      • aaa authentication local-user
      • password complexity
      • password composition
      • show password-configuration
      • Troubleshooting
        • Unable to enable Password Complexity
        • Unable to download the configuration file
        • Display messages
    • Configuring Secure Shell (SSH)
      • Overview
        • Client public-key authentication (login/operator level) with user password authentication (enable/manager level)
        • Switch SSH and user password authentication
      • Prerequisite for using SSH
      • Public key formats
      • Steps for configuring and using SSH for switch and client authentication
      • General operating rules and notes
      • Configuring the switch for SSH operation
        • Generating or erasing the switch public/private host key pair
          • crypto key generate
          • show crypto host-public-key
          • zeroize
        • Displaying the public key
        • Providing the switch public key to clients
        • Enabling SSH on the switch and anticipating SSH client contact behavior
          • ip ssh
        • Disabling SSH on the switch
        • Configuring the switch for SSH authentication
          • Option A: Configuring SSH access for password-only SSH authentication
          • Option B: Configuring the switch for client Public-Key SSH authentication
          • SSH client contact behavior
      • Disable username prompt for management interface authentication in the Quick Base system
        • Switch behavior with Telnet
        • Switch behavior with SSH
        • Switch behavior with WebUI
      • SSH client public-key authentication notes
        • Using client public-key authentication
        • Creating a client public-key text file
        • Replacing or clearing the public-key file
        • Enabling client public-key authentication
      • Messages related to SSH operation
        • Logging messages
        • Debug logging
    • Configuring Secure Sockets Layer (SSL)
      • Overview
        • Server certificate authentication with user password authentication
      • Prerequisite for using SSL
      • Steps for configuring and using SSL for switch and client authentication
      • General operating rules and notes
      • Configuring the switch for SSL operation
        • Assigning a local login (operator) and enabling (manager) password
          • Using the WebAgent to configure local passwords
        • Generating the switch's server host certificate
          • To generate or erase the switch's server certificate with the CLI
          • Comments on certificate fields
          • Generate a self-signed host certificate with the WebAgent
          • Generate a CA-Signed server host certificate with the WebAgent
        • Enabling SSL on the switch and anticipating SSL browser contact behavior
          • SSL client contact behavior
          • Using the CLI interface to enable SSL
          • Using the WebAgent to enable SSL
      • Common errors in SSL setup
    • Configuring Advanced Threat Protection
      • Introduction
      • DHCP snooping
        • Enabling DHCP snooping
        • Enabling DHCP snooping on VLANs
        • Configuring DHCP snooping trusted ports
          • For DHCPv4 servers
          • For DHCPv6 servers
        • Configuring authorized server addresses
        • Using DHCP snooping with option 82
          • Changing the remote-id from a MAC to an IP address
          • Disabling the MAC address check
        • DHCP binding database
        • DHCPv4 snooping max-binding
        • Enabling debug logging
        • DHCP operational notes
        • Log messages
      • IPv6 Network Defense
        • DSNOOPv6 and DIPLDv6
          • Configuring DHCPv6 snooping
          • Configuring traps for DHCPv6 snooping
          • Clearing DHCPv6 snooping statistics
          • Enabling debug logging for DHCPv6 snooping
          • DHCPv6 show commands
      • Dynamic ARP protection
        • Enabling dynamic ARP protection
        • Configuring trusted ports
        • Adding an IP-to-MAC binding to the DHCP database
          • Clearing the DHCP snooping binding table
          • Adding a static binding
        • Configuring additional validation checks on ARP packets
        • Verifying the configuration of dynamic ARP protection
        • Displaying ARP packet statistics
        • Monitoring dynamic ARP protection
      • Dynamic IP lockdown
        • Protection against IP source address spoofing
        • Prerequisite: DHCP snooping
        • Filtering IP and MAC addresses per-port and per-VLAN
        • Enabling Dynamic IP Lockdown
          • IPv4
          • IPv6
        • Operational notes
        • Adding an IP-to-MAC binding to the DHCP binding database
          • Potential issues with bindings
          • Adding a static binding
        • Verifying the dynamic IP lockdown configuration
          • For IPv4
          • For IPv6
        • Displaying the static configuration of IP-to-MAC bindings
          • For IPv4
          • For IPv6
        • Debugging dynamic IP lockdown
      • Using the instrumentation monitor
        • Operating notes
        • Configuring instrumentation monitor
        • Viewing the current instrumentation monitor configuration
    • Traffic/Security Filters and Monitors
      • Overview
        • Filter limits
        • Using port trunks with filter
      • Filter types and operation
        • Source-port filters
          • Operating rules for source-port filters
        • Name source-port filters
          • Operating rules for named source-port filters
          • Defining and configuring named source-port filters
          • Viewing a named source-port filter
          • Using named source-port filters
      • Configuring traffic/security filters
        • Configuring a source-port traffic filter
          • Configuring a filter on a port trunk
        • Editing a source-port filter
        • Configuring a multicast filter
        • Filtering index
        • Displaying traffic/security filters
        • Advanced Threat Detection
          • logging
          • logging filter
          • logging filter enable | disable
          • show logging filter
          • show syslog configuration
    • Configuring Port and User-Based Access Control (802.1X)
      • Overview
        • Why use port or user-based access control?
        • General features
        • User authentication methods
          • 802.1X user-based access control
          • 802.1X port-based access control
          • Authenticating users
          • Providing a path for downloading 802.1X supplicant software
          • Authenticating one switch to another
          • Accounting
      • General 802.1X authenticator operation
        • Example of the authentication process
        • VLAN membership priority
      • General operating rules and notes
      • General setup procedure for 802.1X access control
        • Overview: configuring 802.1X authentication on the switch
      • Configuring switch ports as 802.1X authenticators
        • Enable 802.1X authentication on selected ports
          • Enable the selected ports as authenticators and enable the (default) port-based authentication
          • Specify user-based authentication or return to port-based authentication
        • Reconfigure settings for port-access
        • Configuring the 802.1X authentication method
        • Enter the RADIUS host IP address(es)
        • Enable 802.1X authentication on the switch
        • Reset authenticator operation (optional)
        • Optional: Configure 802.1X Controlled Direction
        • Wake-on-LAN Traffic
        • Unauthenticated VLAN access (guest VLAN access)
          • Characteristics of mixed port access mode
          • Configuring mixed port access mode
        • Configuring RADIUS port speed VSA
        • Configuring the port
        • Viewing the port operation mode
      • 802.1X Open VLAN mode
        • Introduction
        • VLAN membership priorities
        • Use models for 802.1X Open VLAN modes
        • Operating rules for authorized and unauthorized-client VLANs
        • Setting up and configuring 802.1X Open VLAN mode
          • Configuring general 802.1X operation
          • Configuring 802.1X Open VLAN mode
          • Inspecting 802.1X Open VLAN mode operation
        • 802.1X Open VLAN operating notes
      • Option for authenticator ports: configure port-security to allow only 802.1X-authenticated devices
        • Port-Security
          • Configure the port access type
      • Configuring switch ports to operate as supplicants for 802.1X connections to other switches
        • Supplicant port configuration
          • Enabling a switch port as a supplicant
          • Configuring a supplicant switch port
      • Displaying 802.1X configuration, statistics, and counters
        • Show commands for port-access authenticator
        • Viewing 802.1X Open VLAN mode status
        • Show commands for port-access supplicant
          • Note on supplicant statistics
      • How RADIUS/802.1X authentication affects VLAN operation
        • VLAN assignment on a port
        • Operating notes
        • Example of untagged VLAN assignment in a RADIUS-based authentication session
        • Enabling the use of GVRP-learned dynamic VLANs in authentication sessions
      • EAP identifier compliance for 802.1x
        • Overview
        • aaa port-access authenticator eap-id-compliance
    • Configuring and Monitoring Port Security
      • Overview
      • Port security
        • Basic operation
        • Eavesdrop Prevention
        • Blocked unauthorized traffic
        • Trunk group exclusion
        • Planning port security
        • Port security command options and operation
          • Displaying port security settings
        • Configuring port security
          • Port security commands
        • Retention of static addresses
          • Learned addresses
          • Assigned/authorized addresses
          • Specifying authorized devices and intrusion responses
          • Adding an authorized device to a port
          • Removing a device from the “authorized” list for a port
      • MAC Lockdown
        • How MAC Lockdown works
        • Differences between MAC Lockdown and port security
        • MAC Lockdown operating notes
          • Limits
          • Event Log messages
          • Limiting the frequency of log messages
        • Deploying MAC Lockdown
          • Basic MAC Lockdown deployment
          • Problems using MAC Lockdown in networks with multiple paths
      • MAC Lockout
        • How MAC Lockout works
      • Port security and MAC Lockout
      • Denial of Service packet filtering
      • Reading intrusion alerts and resetting alert flags
        • Notice of security violations
        • How the intrusion log operates
        • Keeping the intrusion log current by resetting alert flags
          • Checking for intrusions, listing intrusion alerts, and resetting alert flags (CLI)
        • Using the Event Log to find intrusion alerts (CLI)
      • Operating notes for port security
        • Proxy Web servers
        • "Prior to" entries in the Intrusion Log
        • Alert flag status for entries forced off of the Intrusion Log
        • LACP not available on ports configured for port security
    • Using Authorized IP Managers
      • Introduction
      • Defining authorized management stations
        • Overview of IP mask operation
        • Viewing and configuring IP Authorized managers (CLI)
          • Listing the switch’s current IP Authorized manager(s)
          • Configuring IP Authorized managers for the switch (CLI)
      • Configuring IP Authorized managers (WebAgent)
        • Web proxy servers
        • How to eliminate the web proxy server
        • Using a web proxy server to access the WebAgent
      • Building IP Masks
        • Configuring one station per Authorized manager IP entry
        • Configuring multiple stations per Authorized manager IP entry
      • Operating notes
    • Key Management System
      • Overview
      • Configuring key chain management
        • Creating and deleting key chain entries
        • Assigning a time-independent key to a chain
          • Assigning time-dependent keys to a chain
    • Conformance to Suite-B Cryptography requirements
      • Configuration support
        • CRL configuration facts
        • OCSP configuration facts
        • Configure CRL for revocation check
        • Configure OCSP for revocation check
      • Retrieve CRL
      • Set TA profile to validate CRL and OCSP
      • Clear CRL
      • Create a certificate signing request
      • Create and enroll a self-signed certificate
      • Configure or remove the minimum levels of security minLos for TLS
      • Install authentication files
      • Remove authentication files
      • Remove the client public keys from configuration
      • Show details of TA profile
    • Websites
    • Support and other resources
      • Accessing Hewlett Packard Enterprise Support
      • Accessing updates
      • Customer self repair
      • Remote support
      • Warranty information
      • Regulatory information
      • Documentation feedback
    • ArubaOS-Switch RADIUS Vendor-Specific Attributes
      • Management access
      • Access control
      • Class of service
      • Bandwidth
      • Filtering