Contents

  • Aruba 3810 / 5400R Access Security Guide for ArubaOS-Switch 16.08
    • Home
    • About this guide
      • Applicable products
      • Switch prompts used in this guide
    • Configuring Username and Password Security
      • Console access
      • Creating password security
        • Setting an inactivity timer
        • Setting a new console password
        • Deleting password protection
        • Recovering from a lost manager password
        • Setting passwords and user names
        • Password storage in SHA-256 format
        • Removing password protection using the CLI
        • General password rules
          • Local user and password Length
          • Restrictions for the setmib command
          • Additional restrictions
          • Upgrading or downgrading software versions implications for passwords
          • Unable to use previous password
      • Security credentials
        • Local manager and operator credentials
        • Password command options
        • SNMP Security Credentials
        • 802.1X port access credentials
        • TACACS+ encryption key authentication
        • RADIUS shared-secret key authentication
        • SSH client public-key authentication
        • X.509v3 certificate authentication for SSH
        • SSH Re-Keying for SSH Server and SSH Client
        • Restrictions to enabling security credentials
      • Include-Credentials
        • include-credentials radius-tacacs-only option
        • Displaying the status of include-credentials on the switch
        • Executing include-credentials or include-credentials store-in-config
        • Storage states when using include-credentials
        • [no]include-credentials store-in-config option
        • Enabling the storage and display of security credentials
      • Setting an encrypted password
        • Encrypting credentials in the configuration file
          • Enabling Encrypt-Credentials
          • Displaying the state of encrypt-credentials
          • Affected commands
      • Front panel security
        • Front panel security
          • When security is important
          • Front-panel button functions
        • Configuring front panel security
        • Disabling the clear password function of the Clear button
        • Setting the Clear button functionality
          • To enable password-clear with reset-on-clear disabled
          • To enable password-clear with reset-on-clear also enabled
        • Changing what the Reset+Clear button combination does
        • Restoring the factory default configuration
        • Enabling and disabling password recovery
        • Recovering passwords
        • Password recovery
      • Saving user name and password security
        • Security settings that can be saved
        • Benefits of saving security credentials
        • Saving local manager and operator passwords
        • Saving SNMP security credentials
        • Storing 802.1X port-access credentials
        • Storage states when using include-credentials
      • Operating Notes
        • Interaction with include-credentials settings
    • Virus throttling (connection-rate filtering)
      • Configuring connection-rate filtering
        • Viewing the connection-rate configuration
        • Enabling global connection-rate filtering and sensitivity
        • Configuring per-port filtering
          • Basic configuration
      • Blocked hosts
        • Listing currently-blocked hosts
        • Unblocking currently-blocked hosts
      • Configuring and applying connection-rate ACLs
        • Configuring a connection-rate ACL using source IP address criteria
        • Configuring a connection-rate ACL using UDP/TCP criteria
        • Applying connection-rate ACLs
        • Using an ACL in a connection-rate configuration example
      • Connection-rate filtering
        • Features and benefits
        • General operation
          • Filtering options
          • Sensitivity to connection rate detection
          • Application options
          • Operating rules
          • Unblocking a currently blocked host
        • Applying connection-rate ACLs
          • Connection-rate ACL operation
          • Connection-Rate ACL operating notes
        • Using CIDR notation to enter the ACE mask
        • Connection-rate log and trap messages
      • Overview
      • Configuring connection-rate filtering for low risk networks
      • Configuring connection-rate filtering for high risk networks
    • Web-based and MAC authentication
      • Configuring MAC authentication on the switch
        • Prerequisites for web-based or MAC authentication
        • Preparation for configuring MAC authentication
        • Configuring a global MAC authentication password
          • Commands to configure the global MAC authentication password
          • Configuring a MAC address format
          • Creating a custom delimiter for a MAC address
          • Enabling/disabling MAC authentication
          • Per Port Initial Role
          • Specifying the maximum authenticated MACs allowed on a port
          • Allowing addresses to move without re-authentication
          • Specifying the VLAN for an authorized client
          • Specifying the time period enforced for implicit logoff
          • Specifying how many authentication attempts can time-out before failure
          • Specifying how long the switch waits before processing a request from a MAC address that failed authentication
          • Specifying time period enforced on a client to re-authenticate
          • Forcing re-authentication of clients
          • Specifying the period to wait for a server response to an authentication request
          • Specifying the VLAN to use when authentication fails
          • Configuring custom messages for failed logins
          • Web page display of access denied message
          • Redirecting HTTP when MAC address not found
          • Registering HTTP redirect
          • Using the restrictive-filter option
          • Reauthenticating a MAC Authenticated client
          • Configuring the registration server URL
          • Unconfiguring a MAC Authenticated registration server
          • Using Password Authentication Protocol (PAP) for MAC Authentication
      • Configuring web-based authentication
        • Preparation for web-based authentication
        • Configuration commands for web-based authentication
          • Controlled directions
          • Disable web-based authentication
          • Specifying the VLAN
          • Clearing statistics
          • Maximum authenticated clients
          • Specifies base address
          • Specifies lease length
          • Configures web server connection
          • Specifying the period
          • Specifying the number of authentication attempts
          • Specifying maximum retries
          • Specifying the time period
          • Specifying the re-authentication period
          • Specifying a forced reauthentication
          • Specifying the URL
          • Specifying the timeout
        • Configuring MAC pinning
          • aaa port-access local-mac <PORT-LIST> mac-pin
          • aaa port-access mac-based <PORT-LIST> mac-pin
          • Using MAC pinning in User Roles
        • Configuring the RADIUS server to support MAC authentication
      • Customizing
        • Customizing user login web pages
          • Implementing customized web-based authentication pages
      • Viewing
        • Viewing the status and settings of ports enabled for web-based authentication
          • Viewing status of ports enabled for web-based authentication
          • Viewing session details for web-Auth clients
          • Viewing status details of web-based authentication sessions on specified ports
          • Viewing web-based authentication settings for ports
          • Viewing details of web-based authentication settings for ports
          • Viewing web-based authentication settings for ports, including RADIUS server specific
          • Viewing web-based authentication settings for ports, including web specific settings
        • Viewing the show commands for MAC authentication
          • Viewing session information for MAC authenticated clients on a switch
          • Viewing detail on status of MAC authenticated client sessions
          • Error log
          • Viewing MAC authentication settings on ports
          • Viewing details of MAC Authentication settings on ports
          • Viewing MAC Authentication settings including RADIUS server-specific
      • Overview
        • About web and MAC authentication
          • Web-based authentication
          • MAC authentication
          • Concurrent web-based and MAC authentication
          • Authorized and unauthorized client VLANs
          • RADIUS-based authentication
          • Wireless clients
          • How web-based and MAC authentication operate
          • Web-based authentication
          • Order of priority for assigning VLANs
          • Clientless Endpoint Integrity
          • MAC authentication
          • Operating notes and guidelines
          • Customizing HTML templates
          • Configuring a DNS Server for Enhanced web authentication
          • Operating notes and guidelines for implementing customized web-Auth pages
          • Customizable HTML templates
    • Captive Portal for ClearPass
      • Requirements
      • Best Practices
      • Limitations
      • Features
        • High Availability
        • Load balancing and redundancy
      • Disabling Captive Portal
        • Disabling Captive Portal
      • Configuring Captive Portal on ClearPass
        • Import the HPE RADIUS dictionary
        • Create enforcement profiles
        • Create a ClearPass guest self-registration
        • Configure the login delay
      • Configuring the switch
        • Configure the URL key
      • Configuring a certificate for Captive Portal usage
      • Display Captive Portal configuration
      • Show certificate information
      • Troubleshooting
        • Event Timestamp not working
        • Cannot enable Captive Portal
        • Unable to enable feature
        • Authenticated user redirected to login page
        • Unable to configure a URL hash key
        • authentication command
        • show command
        • Debug command
    • Local MAC Authentication
      • Overview
        • Concepts
      • Possible scenarios for deployment
      • Show commands
      • Configuration commands
        • Per-port attributes
        • Configuration examples
          • Configuration example 1
          • Configuration using mac-groups
          • Configuration without using mac-groups
    • IPv4 Access Control Lists (ACLs)
      • Configuring BYOD
        • Configuring named, standard ACLs
          • Entering the IPv4 named ACL context
          • Configuring ACEs in a named, standard ACL
          • Deleting an ACE
          • Creating or adding to a standard, numbered ACL
        • Configuring extended ACLs
          • Creating and configuring a named, extended ACL
          • Configuring ACEs in named, extended ACLs
          • Including options for TCP and UDP traffic in extended ACLs
          • Controlling ICMP traffic in extended ACLs
          • Controlling IGMP traffic in extended ACLs
        • Configuring numbered, extended ACLs
          • Creating or adding to an extended, numbered ACL
          • Controlling TCP and UDP traffic flow
          • Controlling ICMP traffic flow
          • Controlling IGMP traffic flow
        • Configuring logging timer
      • Viewing
        • Viewing an ACL summary
        • Viewing the content of all ACLs on the switch
        • Viewing the RACL and VACL assignments for a VLAN
        • Viewing static port (and trunk) ACL assignments
        • Viewing specific ACL configuration details
        • Viewing all ACLs and their assignments in the routing switch startup-config and running-config files
      • Using
        • Adding or removing an ACL assignment on an interface
          • Filtering routed IPv4 traffic
          • Filtering IPv4 traffic inbound on a VLAN
          • Filtering inbound IPv4 traffic per port
        • Creating ACLs
          • Using the CLI to create an ACL
          • Creating or editing an ACL offline
        • Deleting an ACL
        • Inserting an ACE in an existing ACL
        • Deleting an ACE from an existing ACL
        • Resequencing the ACEs in an ACL
        • Attaching a remark to an ACE
        • Appending remarks and related ACEs to the end of an ACL
        • Inserting remarks and related ACEs within an existing list
        • Inserting a remark for an ACE that already exists in an ACL
        • Removing a remark from an existing ACE
        • Enable ACL “Deny” or “Permit” Logging
        • Requirements for using ACL Logging
        • ACL Logging Operation
        • Enabling ACL logging on the switch
        • Monitoring static ACL performance
        • ACE counter operation
        • Resetting ACE Hit counters to zero
        • Using IPv6 counters with multiple interface assignments
        • Using IPv4 counters with multiple interface assignments
      • Additional configuration guidelines
        • Introduction
        • General ACL operating notes
        • About IPv4 static ACL operation
          • Introduction to IPv4 static ACL operation
          • Options for applying IPv4 ACLs on the switch
          • Types of IPv4 ACLs
          • ACL applications
          • Multiple ACLs on an interface
          • Features common to all ACL applications
          • General steps for planning and configuring ACLs
          • The packet-filtering process
          • Operating notes for remarks
          • Planning an ACL application
          • Configuring standard ACLs
          • Editing an existing ACL
          • IPv4 ACL configuration and operating rules
          • How an ACE uses a mask to screen packets for matches
          • Using CIDR notation to enter the IPv4 ACL mask
          • General steps for implementing ACLs
          • Options for permit/deny policies
          • ACL configuration structure
          • ACL configuration factors
          • Enabling ACL "Deny" logging
          • Requirements for using ACL logging
          • ACL logging operation
        • ACL/ACE match-related logging commands
          • Overview
          • sys-debug destination
          • sys-debug <FILTER-TYPE> <FILTER-OPTIONS>
          • sys-debug acl
          • access-list logtimer
          • Show command (running configuration) (for ACLs)
          • debug destination
          • debug acl
    • MAC ACLs
      • Overview
      • MAC ACL configuration commands
        • Mac-access-list creation syntax
        • Mac-access-list standard configuration context
        • Mac-access-list extended configuration context
        • Remark command
        • Mac-access-list application syntax (PACL)
        • Mac-access-list application syntax (VACL)
        • Show access-list
        • Show access-list by name
        • Show access-list config
        • Show access-list port
        • Show access-list vlan
        • Show access-list resource
        • Show statistics
        • clear statistics
      • Event Log messages
    • ACL Grouping
      • Overview
      • Commands
        • IPv4 access-group (PACL)
        • IPv6 access-group (PACL)
        • MAC access-group (PACL)
        • IPv4 access-group (VACL)
        • IPv6 access-group (VACL)
        • MAC access-group (VACL)
      • Modify existing commands
        • show configuration
        • show statistics
        • show access-list
          • show access-list ports
        • show access-list vlan
      • Error messages
    • Netdestination and Netservice
      • Overview
      • netdestination host |position | network
      • netservice [tcp | udp | port]
      • show netdestination
      • Modifying Netdestination Entries
        • Overview
        • netedit-update
        • Limitations
      • Platform wise scalability
    • Infrastructure MACsec
      • Overview
        • MACsec switch support
      • MACsec configuration commands
        • Create, modify or delete a MACsec policy
        • Configuring mode of MACsec policy
          • Encrypted-credentials mode
        • MACsec policy: configuring confidentiality (policy context)
        • Configuring replay protection
        • Configuring include-sci-tag
        • Apply policy on a port-list
        • MKA configuration on a port-list
        • Clearing MKA statistics on ports
        • Clearing MACsec statistics on ports
      • Show commands
        • Show command for MACsec policies
          • Command validations
          • Details
        • Show command for MACsec status
          • Command validation
        • Show command for MACsec status on a port
        • Show command for MACsec statistics
          • Command validations
        • Show command for detailed MACsec statistics on a port
        • Command validations
        • Show command for MKA status
          • Command validations
        • Show command for MKA statistics
          • Command validations
        • Show tech command
      • Mutually exclusive commands with MACsec configuration on a port
      • MACsec Log messages
    • TACACS+ Authentication and Accounting
      • Definition of terms
      • Overview
        • TACACS+ authentication process
          • TACACS+ authentication setup
          • General authentication process using a TACACS+ server
          • Local authentication process
          • Authentication parameters
      • Configuring TACACS+ on the switch
        • Before you begin
        • Selecting the access method for configuration
        • Configuring the switch authentication method
        • Configuring the TACACS+ server
        • Configuring the switch TACACS+ server access
        • ip source-interface
        • ipv6 source-interface
        • Configuring cipher text for TACACS+ key
        • Process of configuring TACACS+ key with encrypt-credentials and hide-sensitive-data
        • hide-sensitive-data
        • tacacs-server key
        • encrypt-credentials
        • Configuring dead time
        • Enabling authorization for commands
        • aaa accounting
        • show authorization
        • Show all accounting configurations
        • Show current authentication configurations
        • Show key information
        • show tacacs
        • show tacacs host
        • Show accounting sessions
        • show ip source-interface
        • show ipv6 source-interface
        • Specifying devices
        • Specifying switch timeout
        • Encryption options in the switch
          • Encryption operation keys
          • Configuring an encryption key
          • Configuring server specific encryption key
        • Using the privilege-mode option for login
        • Examples for adding, removing, or changing the priority of a TACACS+ server
      • Controlling Web UI access when using TACACS+ authentication
      • Event Messages
        • Messages related to TACACS+ operation
      • Operating notes
    • RADIUS Authentication, Authorization, and Accounting
      • Overview
        • Accounting services
          • Accounting Service Types
          • Operating rules for RADIUS accounting
          • Acct-Session-ID Options in a Management Session
          • Unique Acct-Session-ID operation
          • Common Acct-Session-ID operation
        • Radius-administered CoS and rate-limiting
        • Radius-administered commands authorization
        • SNMP access to the switch authentication configuration MIB
        • About the dynamic removal of authentication limits
        • RADIUS operation
          • Switch operating rules for RADIUS
          • Operating notes
        • Commands authorization on HTTPS overview
        • WebAgent windows when using command authorization
        • MAC-based VLANs
      • Configuring
        • Preparation procedures for RADIUS
        • Configuring the switch for RADIUS authentication
          • Configuring authentication for RADIUS access methods
          • Enabling manager access privilege (optional)
          • Configuring the switch to access a RADIUS server
          • Configuring the switch global RADIUS parameters
        • Connecting a RADIUS server with a server group
        • RADIUS server groups
          • Per-port RADIUS server group for MAC authentication
          • Configuring RADIUS server group for NAS-ID
        • Configuring the primary password authentication method for console, Telnet, REST, SSH and WebAgent
        • Commands used to configure the primary password authentication method for port-access, MAC-based, and web-based access
        • Creating a dictionary file (with VSA definitions) with Free RADIUS
        • Enabling the processing of the HP-Command-String VSA for RADIUS accounting
        • Configuring RADIUS accounting
          • Configuring a switch to access a RADIUS server
          • RADIUS service tracking
          • RADIUS server dead time
          • RADIUS Tracking enhancements
          • Reconfiguring the Acct-Session-ID operation (Optional)
          • Configure accounting types and controls for sending reports to the RADIUS server
          • Configuring session blocking and interim updating options (Optional)
        • Configuring commands authorization on a RADIUS server
          • Using Vendor Specific Attributes (VSAs)
        • Configuring the RADIUS VSAs
        • Configuring FQDN support for RADIUS server
          • radius-server host key
        • Automatic certificate download with ClearPass
          • radius-server host key clearpass
          • crypto ca-download usage clearpass retry
          • crypto ca-download usage clearpass force
          • Limitations
        • Enhanced commands for RADIUS Server Groups
        • Support for Framed IP Address in RADIUS requests
      • Viewing
        • Viewing RADIUS server group information
        • Viewing and changing the SNMP access configuration
        • Viewing authorization information
        • Viewing RADIUS Statistics
        • Viewing RADIUS authentication statistics
        • Viewing port-access information
        • Viewing RADIUS accounting statistics
      • Using
        • Using multiple RADIUS server groups
        • Adding and deleting servers to the RADIUS configuration
        • Setting accounting type, and how data is sent
        • Allowing reauthentication when RADIUS server is unavailable
        • Setting the time period to allow cached reauthentication
        • Enabling authorization to control access to CLI commands
        • Creating Local Privilege Levels
          • Configuring Groups for Local Authorization
          • Configuring a local user for a group
          • Displaying Command Authorization Information
        • Changing RADIUS-server access order
        • Using SNMP to view and configure switch authentication features
        • Cached reauthentication
          • Timing considerations
        • Local authentication process
        • Controlling WebAgent access
        • Commands authorization
        • VLAN assignment in an authentication session
        • Tagged and untagged VLAN attributes
        • Additional RADIUS attributes
        • Accounting services
          • Accounting service types
        • Acct-Session-ID options in a management session
          • Unique Acct-Session-ID operation
          • Common Acct-Session-ID operation
        • Dynamic removal of authentication limits
          • Overview
      • Messages related to RADIUS operation
      • Authentication order and priority
        • Configuring the Authentication order, priority, and fallback
      • Bypassing authentication
        • Bypassing Authentication for VoIP Phones
          • Overview
          • Configuring device-identity as CDP
          • Configuration commands to authenticate PCs connected to VoIP devices
          • Show commands
        • Bypassing authentication for Aruba APs and custom devices
          • Overview
          • Configuration commands
          • Show commands
          • Feature interaction
          • Error Log
      • Security event log
        • Security user log access
        • Creating a security user
        • Security user commands
        • Authentication and Authorization through RADIUS
        • Authentication and Authorization through TACACS+
        • Restrictions
        • Event log wrap
        • Configuring concurrent sessions
          • For non-stackable switches
          • For 5400R switches
          • For stackable switches
        • Configuring concurrent sessions per user
          • For non-stackable switches
          • For 5400R switches
          • For stackable switches
        • Configuring concurrent sessions per
        • Failed login attempts delay
    • User roles
      • Overview
      • Captive-portal commands
        • Overview
        • [no] aaa authentication captive-portal profile
      • Policy commands
        • Overview
        • policy user
        • [no] policy user
        • policy resequence
        • Commands in the policy-user context
          • (policy-user)# class
      • User role configuration
        • aaa authorization user-role
          • Error log
        • captive-portal-profile
        • policy
        • reauth-period
        • aaa authorization user-role name cached-reauth-period
        • VLAN commands
          • vlan-id
          • vlan-name
          • vlan-id-tagged
        • Device Attributes
          • Device Attributes for User Roles
      • Applying User Derived Role with Local MAC Authentication
        • aaa port-access local-mac apply user-role
      • show captive-portal profile
      • show user-role
      • show port-access clients
      • Downloadable user-roles
        • aaa authorization user-role enable download
        • radius-server cppm identity
        • downloadable-role-delete
        • show user-role <XYZ>
        • show port-access clients
        • debug usertn
        • Net-service and Net-destination Downloadable User Role
      • Access Point Onboarding Scenario
    • RADIUS services supported on switches
      • RADIUS client and server requirements
        • RADIUS server support
          • RADIUS server configuration for CoS (802.1p priority) and rate-limiting
          • Applied rates for RADIUS-assigned rate limits
          • Per-port bandwidth override
          • Configuring and using dynamic (RADIUS-assigned) access control lists
          • Contrasting RADIUS-assigned and static ACLs
          • How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port
          • General ACL features, planning, and configuration
          • The packet-filtering process
          • Operating rules for RADIUS-assigned ACLs
          • Configuring an ACL in a RADIUS server
          • Nas-filter-Rule attributes
          • ACE syntax in RADIUS servers
          • Configuration notes
          • Monitoring shared resources
          • Event Log messages
      • Configuring Radius assigned ACLs
        • Procedure to support RADIUS-assigned ACLs
        • Show RADIUS-assigned ACL activity
      • Viewing
        • Show active per-port CoS and rate-limiting configuration
        • Show rate-limiting and port priority for ports
        • Configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS
        • Using VSA 63 to assign IPv6 and IPv4 ACLs
        • Using VSA 61 to assign IPv4 ACLs
      • RADIUS filter-id
        • Forcing reauthentication
        • show access-list radius
        • Show access-list (NAS rule) and (filter-id)
        • Log messages
      • Force client re-authorization
    • Critical and Open Authentication
      • aaa port-access open-auth voice-vlan
      • aaa port-access open-auth data-vlan
      • aaa port-access open-auth user-role
      • show port-access clients
      • Critical authentication
        • Examples of Behaviors
        • Deploying Critical VLAN
          • Creating a VLAN for voice traffic
          • Creating a user-role
          • Associating a critical user-role to the critical VLAN
        • aaa port-access critical-auth
      • Cached reauthentication
        • aaa authentication mac-based cached-reauth authorized
        • aaa authentication port-access cached-reauth authorized
        • Configuring a client for retain-unauth-clients
        • Time considerations for reauthenticating clients
      • Resilient 802.1x cached-reauth
        • Configuring a client for retain-unauth-clients
    • RBAC
      • RBAC Overview
      • Limitations
      • Roles
      • Rules
        • Command rules
        • Feature rules
        • VLAN policy rules
        • Interface policy rules
      • Creating roles and assigning rules
        • Enabling authorization
        • Creating a role
        • Configuring command rules
        • Configuring VLAN policy
        • Configuring interface policy
        • Configuring feature policy
      • Displaying rules for predefined roles
      • Displaying predefined features
      • Troubleshooting
        • Cannot modify group name
        • Cannot delete a group
        • Unable to run a command
        • Unable to add a rule
      • aaa authorization group
      • Predefined features
    • Password Complexity
      • Password complexity overview
      • Password expiration periods
      • Requirements
      • Limitations
      • Configuring Password Complexity
        • Viewing the password configuration
        • Enable Password Complexity
        • Configure the Password Complexity parameters
        • Configure password minimum length
        • Configure password composition
        • Configure password complexity checks
      • password configuration commands
      • password configuration-control
      • password configuration
      • password minimum-length
      • password
      • aaa authentication local-user
      • password complexity
      • password composition
      • show password-configuration
      • Troubleshooting
        • Unable to enable Password Complexity
        • Unable to download the configuration file
        • Display messages
    • Configuring Secure Shell (SSH) with two-factor authentication
      • Overview
      • Two-factor authentication configuration commands
        • aaa authentication ssh
        • aaa authentication ssh two-factor
        • aaa authentication ssh two-factor two-factor-type
        • aaa authentication ssh two-factor two-factor-type publickey-password
        • aaa authentication ssh two-factor two-factor-type certificate-password
        • crypto enforce secure-rsa
        • Two-factor authentication restrictions
        • Two-factor authentication event log messages
    • Configuring Secure Sockets Layer (SSL)
      • Overview
        • Server certificate authentication with user password authentication
      • Configuration summary
        • Assigning a local login (operator) and enabling (manager) password
          • Using the WebAgent to configure local passwords
        • Installing the switch's server web host certificate
          • Self-signed certificate
          • Authority-signed certificate
        • Enabling SSL on the switch and anticipating SSL browser contact behavior
          • Using the CLI interface to enable web management over SSL/TLS
    • Port Security
      • Configuring
        • Planning port security
        • Configuring port security
        • Eavesdrop Prevention is Disabled
        • Blocked unauthorized traffic
          • Trunk Group Exclusion
        • Overview
          • port-security disable-timer
        • Configuring Trusted Ports for Dynamic ARP Protection
        • Configuring Additional Validation Checks on ARP Packets
        • Verifying the configuration of dynamic ARP protection
        • Configuring DHCP snooping trusted ports
          • For DHCPv4 servers
          • For DHCPv6 servers
        • Clearing DHCP snooping table overview
        • clear dhcp-snooping binding
        • clear dhcp-snooping statistics
        • Error Log
        • RMON table
        • Configuring authorized server addresses
        • Configuring MAC Lockdown
        • Configuring MAC Lockout
        • Configuring instrumentation monitor
      • User-based lockout compliance
        • aaa authentication
        • aaa authentication unlock
        • show authentication
        • Console session lockout overview
          • aaa authentication console-lockout
      • Viewing
        • Displaying port security settings
        • Displaying ARP Packet Statistics
        • Monitoring Dynamic ARP Protection
        • Listing authorized and detected MAC addresses
        • Viewing the current instrumentation monitor configuration
      • Using Port Security
        • Enabling port security eavesdrop-prevention
        • Configuring DHCP snooping
          • Configuring DHCPv4 snooping
          • Configuring DHCPv6 snooping
        • Enabling Dynamic ARP protection
        • Enabling Dynamic IP Lockdown
          • For IPv4
          • For IPv6
        • Removing MAC Addresses
          • Assigned/authorized addresses
        • Removing a MAC Address from the Authorized list for a port
        • Clear MAC address table
          • Configuring Clearing of Learned MAC Addresses
        • Deploying MAC Lockdown
        • Adding an IP-to-MAC Binding to the DHCP Database
          • Clearing the DHCP snooping binding table
          • Adding a static binding
          • Displaying the static configuration of IP-to-MAC bindings
          • Debugging dynamic IP lockdown
        • Verifying the dynamic IP lockdown configuration
          • For IPv4
          • For IPv6
        • Adding a MAC Address to a port
        • Checking for intrusions, listing intrusion alerts, and resetting alert flags (CLI)
        • Using the event log to find intrusion alerts (CLI)
      • Overview
        • DHCP Snooping
        • DHCP Operational Notes
        • Dynamic ARP Protection
        • Dynamic IP Lockdown
          • Protection against IP source address spoofing
          • Prerequisite: DHCP snooping
          • Filtering IP and MAC addresses per-port and per-VLAN
          • Operational notes
        • Adding an IP-to-MAC binding to the DHCP binding database
          • Potential issues with bindings
        • Using the instrumentation monitor
          • Operating notes for the instrumentation monitor
        • About port security
        • Basic operation
          • Default port security operation
          • Trusted ports
          • Intruder protection
          • Eavesdrop protection
          • General operation for port security
        • Eavesdrop prevention
          • Disabling Eavesdrop Prevention
          • Feature interactions when Eavesdrop Prevention is disabled
        • Blocking unauthorized traffic
        • Trunk group exclusion
        • Retention of static addresses
          • Learned addresses
          • Assigned/Authorized Addresses
          • Specifying Authorized Devices and Intrusion Responses
          • Adding an Authorized Device to a Port
          • Removing a Device From the “Authorized” List for a Port
        • How MAC Lockdown works
        • MAC Lockdown operating notes
          • Limits
          • Event Log messages
          • Limiting the frequency of log messages
        • Differences between MAC lockdown and port security
        • Deploying MAC lockdown
          • Basic MAC Lockdown deployment
          • Problems using MAC Lockdown in networks with multiple paths
        • How MAC Lockout works
        • Port security and MAC Lockout
        • Reading intrusion alerts and resetting alert flags
          • Notice of security violations
          • How the intrusion log operates
          • Keeping the intrusion log current by resetting alert flags
        • Operating notes for port security
          • Proxy Web servers
          • "Prior To" entries in the intrusion log
          • Alert flag status for entries forced off of the intrusion log
          • LACP not available on ports configured for port security
      • Log Messages
    • Authorized IP Managers
      • Overview
        • Introduction
        • About using authorized IP Managers
          • Options
          • Access Levels
          • Defining authorized management stations
          • Operating notes
      • Configuring
        • To authorize manager access
          • To edit an existing manager access entry
          • To delete an authorized manager entry
        • Configuring IP Authorized Managers for the switch (CLI)
          • To Authorize Manager Access
          • To Edit an Existing Manager Access Entry
          • To Delete an Authorized Manager Entry
      • Using
        • Listing the switch current Authorized IP Manager (CLI)
        • Building IP Masks: Configuring one station per Authorized Manager IP entry
        • Building IP Masks: Configuring multiple stations per Authorized Manager IP entry
    • Key Management System
      • Configuring key chain management
      • Creating and deleting key chain entries
      • Assigning a time-independent key to a chain
        • Assigning time-dependent keys to a chain
      • Overview
    • Traffic/Security Features and Monitors
      • Configuring traffic/security
        • Configuring security settings using the CLI wizard
        • Defining and configuring named source-port filters
        • Configuring traffic/security filters
          • Configuring a source-port traffic filter
          • Configuring a filter on a port trunk
        • Configuring a multicast or protocol traffic filter
      • Viewing
        • Viewing a named source-port filter
      • Using switch security features
        • Physical security
        • Using the Management Interface wizard
          • WebAgent: Management Interface wizard
        • SNMP security guidelines
          • General SNMP access to the switch
          • SNMP access to the authentication configuration MIB
        • Precedence of security options
          • Precedence of Port-based security options
          • Precedence of Client-based authentication: Dynamic Configuration Arbiter
        • Arbitrating client-specific attributes
        • Access security features
        • Network security features
        • Using named source-port filters
        • Editing a source-port filter
        • Displaying traffic/security filters
        • Advanced Threat Detection
          • logging
          • logging filter
          • logging filter enable | disable
          • show logging filter
          • show syslog configuration
      • Overview
        • Filter Limits
        • Using port trunks with filter
        • Filter types and operation
          • Source-Port Filters
          • Operating Rules for Source-Port Filters
          • Name source-port filters
          • Operating rules for named source-port filters
          • Static multicast filters
          • Protocol filters
          • Filtering index
        • CLI Wizard: Operating notes and restrictions
    • Port-Based and User-Based Access Control (802.1X)
      • Overview
        • Introduction
        • General Features
        • VLAN Membership Priorities
        • Use Models for 802.1X Open VLAN Modes
        • 802.1X Open VLAN Operating Notes
        • General Operating Rules and Notes
          • Operating Notes
          • Unauthenticated VLAN Access (Guest VLAN Access)
          • Characteristics of Mixed Port Access Mode
        • Operating Notes VLAN Assignment on a Port
      • Configuring Port-Based Access
        • Why Use Port-Based or User-Based Access Control?
        • User Authentication Methods
          • 802.1X User-Based Access Control
          • 802.1X Port-Based Access Control
          • Alternative To Using a RADIUS Server
          • Accounting
        • General Setup Procedure for 802.1X Access Control
        • Configuring switch ports as 802.1X authenticators
          • Enabling 802.1X authentication on selected ports
          • Specify User-Based Authentication or Return to Port-Based Authentication
          • Reconfigure settings for port-access
          • Configure the 802.1X Authentication Method
          • Enter the RADIUS Host IP Addresses
          • Enable 802.1X Authentication on the Switch
          • Optional: Reset Authenticator Operation
          • Optional: Configure 802.1X Controlled Direction
          • Wake-on-LAN Traffic
        • Setting Up and Configuring 802.1X Open VLAN Mode
          • Configuring General 802.1X Operation
          • Configuring 802.1X Open VLAN Mode
          • Inspecting 802.1X Open VLAN Mode Operation
          • Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices
          • Viewing 802.1X Open VLAN Mode Status
          • Show Commands for Port-Access Supplicant
          • How RADIUS/802.1X Authentication Affects VLAN Operation
          • Port-Security
          • Configuring switch Ports to operate as supplicants for 802.1X connections to other switches
          • Supplicant Port Configuration
        • Configuring Mixed Port Access Mode
        • General 802.1X Authenticator Operation
          • Example of the Authentication Process
          • VLAN Membership Priorities
      • Viewing
        • Displaying 802.1X Configuration, Statistics, and Counters
          • Show Commands for Port-Access Authenticator
      • Using
        • Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions
        • Tagged and untagged VLAN attributes
      • EAP identifier compliance for 802.1x
        • Overview
        • aaa port-access authenticator eap-id-compliance
      • Messages Related to 802.1X Operation
    • Device Fingerprinting
      • Prerequisites
        • Server certificate installation on CPPM
      • device-fingerprinting policy
      • device-fingerprinting timer
      • device-fingerprinting client-limit
      • device-fingerprinting incoming-clients-only
      • device-fingerprinting apply
      • show device-fingerprinting profile-name
      • show device-fingerprinting active
      • show device-fingerprinting client-status
      • show device-fingerprinting client-details
      • Limitations
      • Troubleshooting
        • Device fingerprinting client details is blank
        • Device fingerprinting client status is blank
    • Secure mode (FIPS)
      • Overview
        • Configuring secure mode
        • Commands affected when enhanced secure mode is enabled
        • Feature-specific show commands
        • Show flash and show version command output
        • Show config commands
        • MIB CLI commands
        • Password commands
        • Additional password command option
        • Prompt for password when first logging in
        • Behavior when changing or exiting levels
        • Additional password commands
        • Secret keys
        • SSH changes
        • SSL changes
        • Zeroizing with HA
        • Opacity-shields command
        • Operating notes for passwords in enhanced secure mode
      • Troubleshooting
        • Verifying the flash is signed
        • Setting the diagnostic level
        • Zeroizing from the ROM console
        • Error messages
    • Certificate manager
      • Configuration support
        • Trust anchor profile
        • Web User’s Interface
      • Switch identity profile
      • Local certificate enrollment — manual mode
        • Self-signed certificate enrollment
        • Self-Signed certificate
      • Removal of certificates/CSRs
      • Zeroization
      • File transfer
      • Loading a local certificate
      • Debug logging
      • Certificate specific
      • Profile specific—TA profile
        • show crypto pki ta-profile
        • Certificate details
      • Web support
        • SSL screen
          • Panel hierarchy
      • Error messages
    • Conformance to Suite-B Cryptography requirements
      • Configuration support
        • CRL configuration facts
        • OCSP configuration facts
        • Configure CRL for revocation check
        • Configure OCSP for revocation check
      • Retrieve CRL
      • Set TA profile to validate CRL and OCSP
      • Clear CRL
      • Create a certificate signing request
      • Create and enroll a self-signed certificate
      • Configure or remove the minimum levels of security minLos for TLS
      • Install authentication files
      • Remove authentication files
      • show crypto client-public-key
      • Remove the client public keys from configuration
      • Show details of TA profile
    • Websites
    • Support and other resources
      • Accessing Hewlett Packard Enterprise Support
      • Accessing updates
      • Customer self repair
      • Remote support
      • Warranty information
      • Regulatory information
      • Documentation feedback
    • ArubaOS-Switch RADIUS Vendor-Specific Attributes
      • Management access
      • Access control
      • Class of service
      • Bandwidth
      • Filtering