ArubaOS-CX 10.04 Security Guide
About this document
Applicable products
Latest version available online
Command syntax notation conventions
About the examples
Identifying switch ports and interfaces
Identifying switch components
About security
About Authentication, Authorization, and Accounting (AAA)
Managing local users and groups
Default user admin
Built-in user groups and their privileges
User-defined user groups
User name requirements
Password requirements
User and user group management tasks
Resetting the switch admin password using the Service OS console
Resetting the admin password by reverting the switch to factory defaults
User and group commands
user
user-group
user password
service export-password
show user-group
show user information
show user-list
SSH server
About the SSH server
SSH defaults
SSH server tasks
SSH server commands
show ssh host-key
show ssh server
show ssh server sessions
ssh certified-algorithms-only
ssh host-key
ssh known-host remove
ssh maximum-auth-attempts
ssh server vrf
SSH client
About the SSH client
SSH client commands
ssh (client login)
Local AAA
About local AAA
Local AAA defaults and limits
Local authentication
Local authentication overview
Local authentication tasks
Local authorization
Local authorization overview
Local authorization tasks
Local accounting
Local accounting overview
Local accounting tasks
Local AAA commands
aaa accounting all-mgmt
aaa authentication limit-login-attempts
aaa authentication login
aaa authentication minimum-password-length
aaa authorization commands
show aaa accounting
show aaa authentication
show aaa authorization
show ssh authentication-method
show user
ssh password-authentication
ssh public-key-authentication
user authorized-key
Remote AAA with TACACS+
About remote AAA with TACACS+
Default server groups
Remote AAA (TACACS+) defaults and limits
About global versus per-TACACS+ server passkeys (shared secrets)
Remote AAA TACACS+ server configuration requirements
User role assignment using TACACS+ attributes
TACACS+ server redundancy and access sequence
Single source IP address for consistent source identification to AAA servers
TACACS+ general tasks
TACACS+ authentication
TACACS+ authentication overview
About authentication fail-through
TACACS+ authentication tasks
TACACS+ authorization
TACACS+ authorization overview
About authentication fail-through and authorization
TACACS+ authorization tasks
TACACS+ accounting
TACACS+ accounting overview
TACACS+ accounting tasks
Example: Configuring the switch for Remote AAA with TACACS+
Remote AAA with RADIUS
About remote AAA with RADIUS
Default server groups
Remote AAA (RADIUS) defaults and limits
About global versus per-RADIUS server passkeys (shared secrets)
Remote AAA RADIUS server configuration requirements
User role assignment using RADIUS attributes
RADIUS server redundancy and access sequence
Single source IP address for consistent source identification to AAA servers
RADIUS general tasks
RADIUS authentication
RADIUS authentication overview
About authentication fail-through
RADIUS authentication tasks
Configuring two-factor authentication
RADIUS accounting
RADIUS accounting overview
RADIUS accounting tasks
Example: Configuring the switch for Remote AAA with RADIUS
Remote AAA (TACACS+, RADIUS) commands
aaa accounting all-mgmt
aaa accounting port-access (RADIUS only)
aaa authentication allow-fail-through
aaa authentication login
aaa authorization commands
aaa group server
radius-server auth-type
radius-server host
radius-server host (ClearPass)
radius-server host secure ipsec
radius-server key
radius-server retries
radius-server timeout
radius-server tracking
server
show aaa accounting
show aaa accounting port-access (RADIUS only)
show aaa authentication
show aaa authorization
show aaa server-groups
show accounting log
show accounting log port-access
show radius-server
show radius-server secure ipsec
show radius-server statistics
show tacacs-server
show tacacs-server statistics
show tech aaa
tacacs-server auth-type
tacacs-server host
tacacs-server key
tacacs-server timeout
tacacs-server tracking
Captive portal (RADIUS)
About captive portal (RADIUS)
Captive portal example configuration
Captive portal (RADIUS) commands
aaa authentication port-access captive-portal-profile
url
url-hash-key
show port-access captive-portal-profile
RADIUS dynamic authorization
About RADIUS dynamic authorization
Requirements and tips
RADIUS dynamic authorization commands
radius dyn-authorization enable
radius dyn-authorization client
radius dyn-authorization port
show radius dyn-authorization
show radius dyn-authorization client
PKI
PKI concepts
PKI on the switch
Installing a self-signed leaf certificate (created inside the switch)
Installing a self-signed leaf certificate (created outside the switch)
Installing a certificate of a root CA
Installing a CA-signed leaf certificate (initiated in the switch)
Installing a CA-signed leaf certificate (created outside the switch)
PKI commands
crypto pki application
crypto pki certificate
crypto pki ta-profile
enroll self-signed
enroll terminal
import (CA-signed leaf certificate)
import (self-signed leaf certificate)
key-type
ocsp disable-nonce
ocsp enforcement-level
ocsp url
ocsp vrf
revocation-check ocsp
show crypto pki application
show crypto pki certificate
show crypto pki ta-profile
subject
ta-certificate
Configuring enhanced security
About enhanced security
Configuring enhanced security
password complexity
CLI user session management
cli-session
Configuring remote logging using SSH reverse tunnel
Auditors and auditing tasks
Auditing tasks (CLI)
Auditing tasks (Web UI)
REST requests and accounting logs
Port access
Port access general commands
aaa authentication port-access auth-mode
aaa authentication port-access auth-precedence
aaa authentication port-access client-limit
aaa authentication port-access (role)
port-access allow-flood-traffic
port-access log-off client mac
port-access reauthenticate interface
port-access security violation action
port-access security violation action shutdown auto-recovery
port-access security violation action shutdown recovery-timer
show aaa authentication port-access interface client-status mac
show port-access security violation client-limit-exceeded interface
Port access 802.1X authentication
Overview
Port access 802.1X authentication commands
aaa authentication port-access dot1x authenticator
aaa authentication port-access dot1x authenticator auth-method
aaa authentication port-access dot1x authenticator cached-reauth
aaa authentication port-access dot1x authenticator cached-reauth-period
aaa authentication port-access dot1x authenticator discovery-period
aaa authentication port-access dot1x authenticator eapol-timeout
aaa authentication port-access dot1x authenticator max-eapol-requests
port-access dot1x authenticator max-retries
aaa authentication port-access dot1x authenticator quiet-period
aaa authentication port-access dot1x authenticator radius server-group
aaa authentication port-access dot1x authenticator reauth
aaa authentication port-access dot1x authenticator reauth-period
clear dot1x authenticator statistics interface
show aaa authentication port-access dot1x authenticator interface client-status
show aaa authentication port-access dot1x authenticator interface port-statistics
Port access MAC authentication
Overview
How MAC authentication works
Port access MAC authentication commands
aaa authentication port-access mac-auth
aaa authentication port-access mac-auth addr-format
aaa authentication port-access mac-auth auth-method
aaa authentication port-access mac-auth cached-reauth
aaa authentication port-access mac-auth cached-reauth-period
aaa authentication port-access mac-auth password
aaa authentication port-access mac-auth quiet-period
aaa authentication port-access mac-auth radius server-group
aaa authentication port-access mac-auth reauth
aaa authentication port-access mac-auth reauth-period
clear mac-auth statistics
show aaa authentication port-access mac-auth interface client-status
show aaa authentication port-access mac-auth interface port-statistics
Port access policy
Overview
Classes and actions supported by port access policies
Port access policy commands
port-access policy
port-access policy copy
port-access policy resequence
port-access policy reset
clear port-access policy hitcounts
show port-access policy
show port-access policy hitcounts
Port access role
Overview
Operational notes
Downloadable user roles
Special roles
Critical role
Reject role
Pre-authentication role
Auth-role
Port access role commands
associate captive-portal-profile
associate policy
auth-mode
client-inactivity timeout
description
gateway-zone zone gateway-role
mtu
poe-priority
port-access role
reauth-period
session timeout
show aaa authentication port-access interface client-status
show port-access role
trust-mode
vlan
Supported RADIUS attributes
Attributes supported in 802.1X authentication
Attributes supported in MAC authentication
Attributes supported in dynamic authorization
Session authorization attributes supported in 802.1X and MAC authentication, and CoA
Standard session attributes supported
Vendor-Specific Attributes supported in session authorization
Attributes supported in RADIUS network accounting
Attributes supported in RADIUS server tracking
Port security
Overview
Basic operation
Default port security operation
Trusted ports
Intruder protection
General operation for port security
Blocking unauthorized traffic
Trunk group exclusion
Port security commands
port-access port-security
port-access port-security client-limit
port-access port-security mac-address
show port-access port-security interface client-status
show port-access port-security interface port-statistics
Websites
Support and other resources
Accessing Aruba Support
Accessing updates
Warranty information
Regulatory information
Documentation feedback