Loading, please wait ...
- Home
- About this guide
- Configuring Username and Password Security
- Console access
- Creating password security
- Security credentials
- Local manager and operator credentials
- Password command options
- SNMP Security Credentials
- 802.1X port access credentials
- TACACS+ encryption key authentication
- RADIUS shared-secret key authentication
- SSH client public-key authentication
- X.509v3 certificate authentication for SSH
- SSH Re-Keying for SSH Server and SSH Client.
- Restrictions to enabling security credentials
- Include-Credentials
- include-credentials radius-tacacs-only option
- Displaying the status of include-credentials on the switch
- Executing include-credentials or include-credentials store-in-config
- Storage states when using include-credentials
- [no]include-credentials store-in-config option
- Enabling the storage and display of security credentials
- Setting an encrypted password
- Front panel security
- Front panel security
- Configuring front panel security
- Disabling the clear password function of the Clear button
- Setting the Clear button functionality
- Changing what the Reset+Clear button combination does
- Restoring the factory default configuration
- Enabling and disabling password recovery
- Recovering passwords
- Password recovery
- Saving user name and password security
- Operating Notes
- Virus throttling (connection-rate filtering)
- Configuring connection-rate filtering
- Blocked hosts
- Configuring and applying connection-rate ACLs
- Connection-rate filtering
- Overview
- Configuring connection-rate filtering for low risk networks
- Configuring connection-rate filtering for high risk networks
- Web-based and MAC authentication
- Configuring MAC authentication on the switch
- Prerequisites for web-based or MAC authentication
- Preparation for configuring MAC authentication
- Configuring a global MAC authentication password
- Commands to configure the global MAC authentication password
- Configuring a MAC address format
- Creating a custom delimiter for a MAC address
- Enabling/disabling MAC authentication
- Per Port Initial Role
- Specifying the maximum authenticated MACs allowed on a port
- Allowing addresses to move without re-authentication
- Specifying the VLAN for an authorized client
- Specifying the time period enforced for implicit logoff
- Specifying how many authentication attempts can time-out before failure
- Specifying how long the switch waits before processing a request from a MAC address that failed authentication
- Specifying time period enforced on a client to re-authenticate
- Forcing re-authentication of clients
- Specifying the period to wait for a server response to an authentication request
- Specifying the VLAN to use when authentication fails
- Configuring custom messages for failed logins
- web page display of access denied message
- Redirecting HTTP when MAC address not found
- Registering HTTP redirect
- Using the restrictive-filter option
- Reauthenticating a MAC Authenticated client
- Configuring the registration server URL
- Unconfiguring a MAC Authenticated registration server
- Using Password Authentication Protocol (PAP) for MAC Authentication
- Configuring web-based authentication
- Preparation for web-based authentication
- Configuration commands for web-based authentication
- Controlled directions
- Disable web-based authentication
- Specifying the VLAN
- Clearing statistics
- Maximum authenticated clients
- Specifies base address
- Specifies lease length
- Configures web server connection
- Specifying the period
- Specifying the number of authentication attempts
- Specifying maximum retries
- Specifying the time period
- Specifying the re-authentication period
- Specifying a forced reauthentication
- Specifying the URL
- Specifying the timeout
- Configuring MAC pinning
- Configuring the RADIUS server to support MAC authentication
- Customizing
- Viewing
- Viewing the status and settings of ports enabled for web-based authentication
- Viewing status of ports enabled for web-based authentication
- Viewing session details for web-Auth clients
- Viewing status details of web-based authentication sessions on specified ports
- Viewing web-based authentication settings for ports
- Viewing details of web-based authentication settings for ports
- Viewing web-based authentication settings for ports, including RADIUS server specific
- Viewing web-based authentication settings for ports, including web specific settings
- Viewing the show commands for MAC authentication
- Viewing session information for MAC authenticated clients on a switch
- Viewing detail on status of MAC authenticated client sessions
- Error log
- Viewing MAC authentication settings on ports
- Viewing details of MAC Authentication settings on ports
- Viewing MAC Authentication settings including RADIUS server-specific
- Viewing the status and settings of ports enabled for web-based authentication
- Overview
- About web and MAC authentication
- Web-based authentication
- MAC authentication
- Concurrent web-based and MAC authentication
- Authorized and unauthorized client VLANs
- RADIUS-based authentication
- Wireless clients
- How web-based and MAC authentication operate
- Web-based authentication
- Order of priority for assigning VLANs
- Clientless Endpoint Integrity
- MAC authentication
- Operating notes and guidelines
- Customizing HTML templates
- Configuring a DNS Server for Enhanced web authentication
- Operating notes and guidelines for implementing customized web-Auth pages
- Customizable HTML templates
- About web and MAC authentication
- Configuring MAC authentication on the switch
- Captive Portal for ClearPass
- Local MAC Authentication
- IPv4 Access Control Lists (ACLs)
- Configuring BYOD
- Viewing
- Viewing an ACL summary
- Viewing the content of all ACLs on the switch
- Viewing the RACL and VACL assignments for a VLAN
- Viewing static port (and trunk) ACL assignments
- Viewing specific ACL configuration details
- Viewing all ACLs and their assignments in the routing switch startup-config and running-config files
- Using
- Adding or removing an ACL assignment on an interface
- Creating ACLs
- Deleting an ACL
- Inserting an ACE in an existing ACL
- Deleting an ACE from an existing ACL
- Resequencing the ACEs in an ACL
- Attaching a remark to an ACE
- Appending remarks and related ACEs to the end of an ACL
- Inserting remarks and related ACEs within an existing list
- Inserting a remark for an ACE that already exists in an ACL
- Removing a remark from an existing ACE
- Enable ACL “Deny” or “Permit” Logging
- Requirements for using ACL Logging
- ACL Logging Operation
- Enabling ACL logging on the switch
- Monitoring static ACL performance
- ACE counter operation
- Resetting ACE Hit counters to zero
- Using IPv6 counters with multiple interface assignments
- Using IPv4 counters with multiple interface assignments
- Additional configuration guidelines
- Introduction
- General ACL operating notes
- About IPv4 static ACL operation
- Introduction to IPv4 static ACL operation
- Options for applying IPv4 ACLs on the switch
- Types of IPv4 ACLs
- ACL applications
- Multiple ACLs on an interface
- Features common to all ACL applications
- General steps for planning and configuring ACLs
- The packet-filtering process
- Operating notes for remarks
- Planning an ACL application
- Configuring standard ACLs
- Editing an existing ACL
- IPv4 ACL configuration and operating rules
- How an ACE uses a mask to screen packets for matches
- Using CIDR notation to enter the IPv4 ACL mask
- General steps for implementing ACLs
- Options for permit/deny policies
- ACL configuration structure
- ACL configuration factors
- Enabling ACL "Deny" logging
- Requirements for using ACL logging
- ACL logging operation
- ACL/ACE match-related logging commands
- MAC ACLs
- Overview
- MAC ACL configuration commands
- Mac-access-list creation syntax
- Mac-access-list standard configuration context
- Mac-access-list extended configuration context
- Remark command
- Mac-access-list application syntax (PACL)
- Mac-access-list application syntax (VACL)
- Show access-list
- Show access-list by name
- Show access-list config
- Show access-list port
- Show access-list vlan
- Show access-list resource
- Show statistics
- clear statistics
- Event Log messages
- ACL Grouping
- Netdestination and Netservice
- Infrastructure MACsec
- Overview
- MACsec configuration commands
- Create, modify or delete a MACsec policy
- Configuring mode of MACsec policy
- MACsec policy: configuring confidentiality (policy context)
- Configuring replay protection
- Configuring include-sci-tag
- Apply policy on a port-list
- MKA configuration on a port-list
- Clearing MKA statistics on ports
- Clearing MACsec statistics on ports
- Show commands
- Mutually exclusive commands with MACsec configuration on a port
- MACsec Log messages
- TACACS+ Authentication and Accounting
- Definition of terms
- Overview
- Configuring TACACS+ on the switch
- Before you begin
- Selecting the access method for configuration
- Configuring the switch authentication method
- Configuring the TACACS+ server
- Configuring the switch TACACS+ server access
- ip source-interface
- ipv6 source-interface
- Configuring cipher text for TACACS+ key
- Process of configuring TACACS+ key with encrypt-credentials and hide-sensitive-data
- hide-sensitive-data
- tacacs-server key
- encrypt-credentials
- Configuring dead time
- Enabling authorization for commands
- aaa accounting
- show authorization
- Show all accounting configurations
- Show current authentication configurations
- Show key information
- show tacacs
- show tacacs host
- Show accounting sessions
- show ip source-interface
- show ipv6 source-interface
- Specifying devices
- Specifying switch timeout
- Encryption options in the switch
- Using the privilege-mode option for login
- Examples for adding, removing, or changing the priority of a TACACS+ server
- Controlling Web UI access when using TACACS+ authentication
- Event Messages
- Operating notes
- RADIUS Authentication, Authorization, and Accounting
- Overview
- Accounting services
- Radius-administered CoS and rate-limiting
- Radius-administered commands authorization
- SNMP access to the switch authentication configuration MIB
- About the dynamic removal of authentication limits
- RADIUS operation
- Commands authorization on HTTPS overview
- WebAgent windows when using command authorization
- MAC-based VLANs
- Configuring
- Preparation procedures for RADIUS
- Configuring the switch for RADIUS authentication
- Connecting a RADIUS server with a server group
- RADIUS server groups
- Configuring the primary password authentication method for console, Telnet, REST, SSH and WebAgent
- Commands used to configure the primary password authentication method for port-access, MAC-based, and web-based access
- Creating a dictionary file (with VSA definitions) with Free RADIUS
- Enabling the processing of the HP-Command-String VSA for RADIUS accounting
- Configuring RADIUS accounting
- Configuring a switch to access a RADIUS server
- RADIUS service tracking
- RADIUS server dead time
- RADIUS Tracking enhancements
- Reconfiguring the Acct-Session-ID operation (Optional)
- Configure accounting types and controls for sending reports to the RADIUS server
- Configuring session blocking and interim updating options (Optional)
- Configuring commands authorization on a RADIUS server
- Configuring the RADIUS VSAs
- Configuring FQDN support for RADIUS server
- Automatic certificate download with ClearPass
- Enhanced commands for RADIUS Server Groups
- Support for Framed IP Address in RADIUS requests
- Viewing
- Using
- Using multiple RADIUS server groups
- Adding and deleting servers to the RADIUS configuration
- Setting accounting type, and how data is sent
- Allowing reauthentication when RADIUS server is unavailable
- Setting the time period to allow cached reauthentication
- Enabling authorization to control access to CLI commands
- Creating Local Privilege Levels
- Changing RADIUS-server access order
- Using SNMP to view and configure switch authentication features
- Cached reauthentication
- Local authentication process
- Controlling WebAgent access
- Commands authorization
- VLAN assignment in an authentication session
- Tagged and untagged VLAN attributes
- Additional RADIUS attributes
- Accounting services
- Acct-Session-ID options in a management session
- Dynamic removal of authentication limits
- Messages related to RADIUS operation
- Authentication order and priority
- Bypassing authentication
- Security event log
- Security user log access
- Creating a security user
- Security user commands
- Authentication and Authorization through RADIUS
- Authentication and Authorization through TACACS+
- Restrictions
- Event log wrap
- Configuring concurrent sessions
- Configuring concurrent sessions per user
- Configuring concurrent sessions per
- Failed login attempts delay
- Overview
- User roles
- RADIUS services supported on switches
- RADIUS client and server requirements
- RADIUS server support
- RADIUS server configuration for CoS (802.1p priority) and rate-limiting
- Applied rates for RADIUS-assigned rate limits
- Per-port bandwidth override
- Configuring and using dynamic (RADIUS-assigned) access control lists
- Contrasting RADIUS-assigned and static ACLs
- How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port
- General ACL features, planning, and configuration
- The packet-filtering process
- Operating rules for RADIUS-assigned ACLs
- Configuring an ACL in a RADIUS server
- Nas-filter-Rule attributes
- ACE syntax in RADIUS servers
- Configuration notes
- Monitoring shared resources
- Event Log messages
- RADIUS server support
- Configuring Radius assigned ACLs
- Viewing
- RADIUS filter-id
- Force client re-authorization
- RADIUS client and server requirements
- Critical and Open Authentication
- RBAC
- Password Complexity
- Password complexity overview
- Password expiration periods
- Requirements
- Limitations
- Configuring Password Complexity
- password configuration commands
- password configuration-control
- password configuration
- password minimum-length
- password
- aaa authentication local-user
- password complexity
- password composition
- show password-configuration
- Troubleshooting
- Configuring Secure Shell (SSH) with two-factor authentication
- Overview
- Two-factor authentication configuration commands
- aaa authentication ssh
- aaa authentication ssh two-factor
- aaa authentication ssh two-factor two-factor-type
- aaa authentication ssh two-factor two-factor-type publickey-password
- aaa authentication ssh two-factor two-factor-type certificate-password
- crypto enforce secure-rsa
- Two-factor authentication restrictions
- Two-factor authentication event log messages
- Configuring Secure Sockets Layer (SSL)
- Port Security
- Configuring
- Planning port security
- Configuring port security
- Eavesdrop Prevention is Disabled
- Blocked unauthorized traffic
- Overview
- Configuring Trusted Ports for Dynamic ARP Protection
- Configuring Additional Validation Checks on ARP Packets
- Verifying the configuration of dynamic ARP protection
- Configuring DHCP snooping trusted ports
- Clearing DHCP snooping table overview
- clear dhcp-snooping binding
- clear dhcp-snooping statistics
- Error Log
- RMON table
- Configuring authorized server addresses
- Configuring MAC Lockdown
- Configuring MAC Lockout
- Configuring instrumentation monitor
- User-based lockout compliance
- Viewing
- Using Port Security
- Enabling port security eavesdrop-prevention
- Configuring DHCP snooping
- Enabling Dynamic ARP protection
- Enabling Dynamic IP Lockdown
- Removing MAC Addresses
- Removing a MAC Address from the Authorized list for a port
- Clear MAC address table
- Deploying MAC Lockdown
- Adding an IP-to-MAC Binding to the DHCP Database
- Verifying the dynamic IP lockdown configuration
- Adding a MAC Address to a port
- Checking for intrusions, listing intrusion alerts, and resetting alert flags (CLI)
- Using the event log to find intrusion alerts CLI
- Overview
- DHCP Snooping
- DHCP Operational Notes
- Dynamic ARP Protection
- Dynamic IP Lockdown
- Adding an IP-to-MAC binding to the DHCP binding database
- Using the instrumentation monitor
- About port security
- Basic operation
- Eavesdrop prevention
- Blocking unauthorized traffic
- Trunk group exclusion
- Retention of static addresses
- How MAC Lockdown works
- MAC Lockdown operating notes
- Differences between MAC lockdown and port security
- Deploying MAC lockdown
- How MAC Lockout works
- Port security and MAC Lockout
- Reading intrusion alerts and resetting alert flags
- Operating notes for port security
- Log Messages
- Configuring
- Authorized IP Managers
- Key Management System
- Traffic/Security Features and Monitors
- Configuring traffic/security
- Viewing
- Using switch security features
- Physical security
- Using the Management Interface wizard
- SNMP security guidelines
- Precedence of security options
- Arbitrating client-specific attributes
- Access security features
- Network security features
- Using named source-port filters
- Editing a source-port filter
- Displaying traffic/security filters
- Advanced Threat Detection
- Overview
- Port-Based and User-Based Access Control (802.1X)
- Overview
- Configuring Port-Based Access
- Why Use Port-Based or User-Based Access Control?
- User Authentication Methods
- General Setup Procedure for 802.1X Access Control
- Configuring switch ports as 802.1X authenticators
- Enabling 802.1X authentication on selected ports
- Specify User-Based Authentication or Return to Port-Based Authentication
- Reconfigure settings for port-access
- Configure the 802.1X Authentication Method
- Enter the RADIUS Host IP Addresses
- Enable 802.1X Authentication on the Switch
- Optional: Reset Authenticator Operation
- Optional: Configure 802.1X Controlled Direction
- Wake-on-LAN Traffic
- Setting Up and Configuring 802.1X Open VLAN Mode
- Configuring General 802.1X Operation
- Configuring 802.1X Open VLAN Mode
- Inspecting 802.1X Open VLAN Mode Operation.
- Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices
- Viewing 802.1X Open VLAN Mode Status
- Show Commands for Port-Access Supplicant
- How RADIUS/802.1X Authentication Affects VLAN Operation
- Port-Security
- Configuring switch Ports to operate as supplicants for 802.1X connections to other switches
- Supplicant Port Configuration
- Configuring Mixed Port Access Mode
- General 802.1X Authenticator Operation
- Viewing
- Using
- EAP identifier compliance for 802.1x
- Messages Related to 802.1X Operation
- Device Fingerprinting
- Prerequisites
- device-fingerprinting policy
- device-fingerprinting timer
- device-fingerprinting client-limit
- device-fingerprinting incoming-clients-only
- device-fingerprinting apply
- show device-fingerprinting profile-name
- show device-fingerprinting active
- show device-fingerprinting client-status
- show device-fingerprinting client-details
- Limitations
- Troubleshooting
- Secure mode(FIPS)
- Overview
- Configuring secure mode
- Commands affected when enhanced secure mode is enabled
- Feature-specific show commands
- Show flash and show version command output
- Show config commands
- MIB CLI commands
- Password commands
- Additional password command option
- Prompt for password when first logging in
- Behavior when changing or exiting levels
- Additional password commands
- Secret keys
- SSH changes
- SSL changes
- Zeroizing with HA
- Opacity-shields command
- Operating notes for passwords in enhanced secure mode
- Troubleshooting
- Overview
- Certificate manager
- Conformance to Suite-B Cryptography requirements
- Configuration support
- Retrieve CRL
- Set TA profile to validate CRL and OCSP
- Clear CRL
- Create a certificate signing request
- Create and enroll a self-signed certificate
- Configure or remove the minimum levels of security minLos for TLS
- Install authentication files
- Remove authentication files
- show crypto client-public-key
- Remove the client public keys from configuration
- Show details of TA profile
- Websites
- Support and other resources
- ArubaOS-Switch RADIUS Vendor-Specific Attributes