Aruba 3810 / 5400R Access Security Guide for ArubaOS-Switch 16.06
Home
About this guide
Applicable products
Switch prompts used in this guide
Configuring Username and Password Security
Console access
Creating password security
Setting an inactivity timer
Setting a new console password
Deleting password protection
Recovering from a lost manager password
Setting passwords and user names in the CLI
Password storage in SHA-256 format
Removing password protection using the CLI
General password rules
Local user and password length
Restrictions for the setmib command
Additional restrictions
Upgrading or downgrading software versions implications for passwords
Unable to use previous password
Security credentials
Local manager and operator credentials
Password command options
SNMP Security Credentials
802.1X port access credentials
TACACS+ encryption key authentication
RADIUS shared-secret key authentication
SSH client public-key authentication
X.509v3 certificate authentication for SSH
SSH Re-Keying for SSH Server and SSH Client
Restrictions to enabling security credentials
Include-Credentials
include-credentials radius-tacacs-only option
Displaying the status of include-credentials on the switch
Executing include-credentials or include-credentials store-in-config
Storage states when using include-credentials
[no]include-credentials store-in-config option
Enabling the storage and display of security credentials
Setting an encrypted password
Encrypting credentials in the configuration file
Enabling Encrypt-Credentials
Displaying the state of encrypt-credentials
Affected commands
Front panel security
When security is important
Front-panel button functions
Configuring front panel security
Disabling the clear password function of the Clear button
Setting the Clear button functionality
To enable password-clear with reset-on-clear disabled
To enable password-clear with reset-on-clear also enabled
Changing what the Reset+Clear button combination does
Restoring the factory default configuration
Enabling and disabling password recovery
Recovering passwords
Password recovery
Saving user name and password security
Security settings that can be saved
Benefits of saving security credentials
Saving local manager and operator passwords
Saving SNMP security credentials
Storing 802.1X port-access credentials
Storage states when using include-credentials
Operating Notes
Interaction with include-credentials settings
Virus throttling (connection-rate filtering)
Configuring connection-rate filtering
Viewing the connection-rate configuration
Enabling global connection-rate filtering and sensitivity
Configuring per-port filtering
Basic configuration
Blocked hosts
Listing currently-blocked hosts
Unblocking currently-blocked hosts
Configuring and applying connection-rate ACLs
Configuring a connection-rate ACL using source IP address criteria
Configuring a connection-rate ACL using UDP/TCP criteria
Applying connection-rate ACLs
Using an ACL in a connection-rate configuration example
Connection-rate filtering
Features and benefits
General operation
Filtering options
Sensitivity to connection rate detection
Application options
Operating rules
Unblocking a currently blocked host
Applying connection-rate ACLs
Connection-rate ACL operation
Connection-Rate ACL operating notes
Using CIDR notation to enter the ACE mask
Connection-rate log and trap messages
Overview
Configuring connection-rate filtering for low risk networks
Configuring connection-rate filtering for high risk networks
Web-based and MAC authentication
Configuring MAC authentication on the switch
Prerequisites for web-based or MAC authentication
Preparation for configuring MAC authentication
Configuring a global MAC authentication password
Commands to configure the global MAC authentication password
Configuring a MAC address format
Creating a custom delimiter for a MAC address
Enabling/disabling MAC authentication
Per Port Initial Role
Specifying the maximum authenticated MACs allowed on a port
Allowing addresses to move without re-authentication
Specifying the VLAN for an authorized client
Specifying the time period enforced for implicit logoff
Specifying how many authentication attempts can time-out before failure
Specifying how long the switch waits before processing a request from a MAC address that failed authentication
Specifying time period enforced on a client to re-authenticate
Forcing re-authentication of clients
Specifying the period to wait for a server response to an authentication request
Specifying the VLAN to use when authentication fails
Configuring custom messages for failed logins
web page display of access denied message
Redirecting HTTP when MAC address not found
Registering HTTP redirect
Using the restrictive-filter option
Reauthenticating a MAC Authenticated client
Configuring the registration server URL
Unconfiguring a MAC Authenticated registration server
Configuring web-based authentication
Preparation for web-based authentication
Configuration commands for web-based authentication
Controlled directions
Disable web-based authentication
Specifying the VLAN
Clearing statistics
Maximum authenticated clients
Specifies base address
Specifies lease length
Configures web server connection
Specifying the period
Specifying the number of authentication attempts
Specifying maximum retries
Specifying the time period
Specifying the re-authentication period
Specifying a forced reauthentication
Specifying the URL
Specifying the timeout
Configuring MAC pinning
aaa port-access local-mac <PORT-LIST> mac-pin
aaa port-access mac-based <PORT-LIST> mac-pin
Configuring the RADIUS server to support MAC authentication
Customizing
Customizing user login web pages
Implementing customized web-based authentication pages
Viewing
Viewing the status and settings of ports enabled for web-based authentication
Viewing status of ports enabled for web-based authentication
Viewing session details for web-Auth clients
Viewing status details of web-based authentication sessions on specified ports
Viewing web-based authentication settings for ports
Viewing details of web-based authentication settings for ports
Viewing web-based authentication settings for ports, including RADIUS server specific
Viewing web-based authentication settings for ports, including web specific settings
Viewing the show commands for MAC authentication
Viewing session information for MAC authenticated clients on a switch
Viewing detail on status of MAC authenticated client sessions
Error log
Viewing MAC authentication settings on ports
Viewing details of MAC Authentication settings on ports
Viewing MAC Authentication settings including RADIUS server-specific
Overview
About web and MAC authentication
Web-based authentication
MAC authentication
Concurrent web-based and MAC authentication
Authorized and unauthorized client VLANs
RADIUS-based authentication
Wireless clients
How web-based and MAC authentication operate
Web-based authentication
Order of priority for assigning VLANs
Clientless Endpoint Integrity
MAC authentication
Operating notes and guidelines
Customizing HTML templates
Configuring a DNS Server for Enhanced web authentication
Operating notes and guidelines for implementing customized web-Auth pages
Customizable HTML templates
Local MAC Authentication
Overview
Concepts
Possible scenarios for deployment
Show commands
Configuration commands
Per-port attributes
Configuration examples
Configuration example 2
Configuration using mac-groups
Configuration without using mac-groups
MAC ACLs
Overview
MAC ACL configuration commands
Mac-access-list creation syntax
Mac-access-list standard configuration context
Mac-access-list extended configuration context
Remark command
Mac-access-list application syntax (PACL)
Mac-access-list application syntax (VACL)
Show access-list
Show access-list by name
Show access-list config
Show access-list port
Show access-list vlan
Show access-list resources
Show statistics
clear statistics
Event Log messages
ACL Grouping
Overview
Commands
IPv4 access-group (PACL)
IPv6 access-group (PACL)
MAC access-group (PACL)
IPv4 access-group (VACL)
IPv6 access-group (VACL)
MAC access-group (VACL)
Modify existing commands
show configuration
show statistics
show access-list
show access-list ports
show access-list vlan
Error messages
Infrastructure MACsec
Overview
MACsec switch support
MACsec configuration commands
Create, modify or delete a MACsec policy
Configuring mode of MACsec policy
Encrypted-credentials mode
MACsec policy: configuring confidentiality (policy context)
Configuring replay protection
Configuring include-sci-tag
Apply policy on a port-list
MKA configuration on a port-list
Clearing MKA statistics on ports
Clearing MACsec statistics on ports
Show commands
Show command for MACsec policies
Command validations
Details
Show command for MACsec status
Command validation
Show command for MACsec status on a port
Show command for MACsec statistics
Command validations
Show command for detailed MACsec statistics on a port
Command validations
Show command for MKA status
Command validations
Show command for MKA statistics
Command validations
Show tech command
Mutually exclusive commands with MACsec configuration on a port
MACsec Log messages
TACACS+ Authentication and Accounting
Overview
Operating notes
TACACS+ authentication process
TACACS+ authentication setup
General authentication process using a TACACS+ server
Local authentication process
Authentication parameters
Configuring TACACS+ on the switch
Before you begin
Selecting the access method for configuration
Configuring the switch authentication method
Command to configure the TACACS+ server
Configuring the TACACS+ server for single login
Configuring the switch TACACS+ server access
Cipher text for TACACS key
Process of configuring TACACS key with encrypt-credentials and hide-sensitive-data
hide-sensitive-data
tacacs-server key
encrypt-credentials
Command to configure dead time
Command to enable authorization
Command to enable accounting
Show all authorization configurations
Show all accounting configurations
Show current authentication configurations
Show key information
Show TACACS+
Show TACACS+ host details
Show accounting sessions
Specifying devices
Specifying switch response
Encryption options in the switch
Encryption operation
Configuring an encryption key
Server specific encryption key
Using the privilege-mode option for login
Adding, removing, or changing the priority of a TACACS+ server
Controlling webagent access when using TACACS+ authentication
Event Messages
Messages related to TACACS+ operation
Messages related to RADIUS Operation
RADIUS Authentication, Authorization, and Accounting
Overview
Accounting services
Accounting Service Types
Operating rules for RADIUS accounting
Acct-Session-ID Options in a Management Session
Unique Acct-Session-ID operation
Common Acct-Session-ID operation
Radius-administered CoS and rate-limiting
Radius-administered commands authorization
SNMP access to the switch's authentication configuration MIB
About the dynamic removal of authentication limits
RADIUS operation
Switch operating rules for RADIUS
Operating notes
Commands authorization on HTTPS overview
WebAgent windows when using command authorization
MAC-based VLANs
Configuring
Preparation procedures for RADIUS
Configuring the switch for RADIUS authentication
Configuring authentication for access methods RADIUS is to protect
Enabling manager access privilege (optional)
Configuring the switch to access a RADIUS server
Configuring the switch global RADIUS parameters
Connecting a RADIUS server with a server group
Configuring the primary password authentication method for console, Telnet, SSH and WebAgent
Commands used to configure the primary password authentication method for port-access, MAC-based, and web-based access
Creating a dictionary file (with VSA definitions) with Free RADIUS
Enabling the processing of the HP-Command-String VSA for RADIUS accounting
Configuring RADIUS accounting
Configuring a switch to access a RADIUS server
RADIUS service tracking
RADIUS server dead time
RADIUS Tracking enhancements
Reconfiguring the Acct-Session-ID operation (Optional)
Configure accounting types and controls for sending reports to the RADIUS server
Configuring session blocking and interim updating options (Optional)
Configuring commands authorization on a RADIUS server
Using Vendor Specific Attributes (VSAs)
Configuring the RADIUS VSAs
Enhanced commands
Viewing
Viewing RADIUS server group information
Viewing and changing the SNMP access configuration
Viewing authorization information
Viewing RADIUS Statistics
Viewing RADIUS authentication statistics
Viewing port-access information
Viewing RADIUS accounting statistics
Using
Using multiple RADIUS server groups
Adding and deleting servers to the RADIUS configuration
Setting accounting type, and how data is sent
Allowing reauthentication when RADIUS server is unavailable
Setting the time period to allow cached reauthentication
Enabling authorization to control access to CLI commands
Creating Local Privilege Levels
Configuring Groups for Local Authorization
Configuring a local user for a group
Displaying Command Authorization Information
Changing RADIUS-server access order
Using SNMP to view and configure switch authentication features
Cached reauthentication
Timing considerations
Local authentication process
Controlling WebAgent access
Commands authorization
VLAN assignment in an authentication session
Tagged and untagged VLAN attributes
Additional RADIUS attributes
Accounting services
Accounting service types
Acct-Session-ID options in a management session
Unique Acct-Session-ID operation
Common Acct-Session-ID operation
Dynamic removal of authentication limits
Overview
Messages related to RADIUS operation
Security event log
Security user log access
Creating a security user
Security user commands
Authentication and Authorization through RADIUS
Authentication and Authorization through TACACS+
Restrictions
Event log wrap
Configuring concurrent sessions
For non-stackable switches
For HPE 5400R switches
For stackable switches
Configuring concurrent sessions per user
For non-stackable switches
For HPE 5400R switches
For stackable switches
Configuring concurrent sessions per
Failed login attempts delay
RADIUS services supported on HPE switches
RADIUS client and server requirements
RADIUS server support
RADIUS server configuration for CoS (802.1p priority) and rate-limiting
Applied rates for RADIUS-assigned rate limits
Per-port bandwidth override
Configuring and using dynamic (RADIUS-assigned) access control lists
Contrasting RADIUS-assigned and static ACLs
How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port
General ACL features, planning, and configuration
The packet-filtering process
Operating rules for RADIUS-assigned ACLs
Configuring an ACL in a RADIUS server
Nas-Filter-Rule-Options
ACE syntax in RADIUS servers
Configuration notes
Monitoring shared resources
Event log messages
Configuring Radius assigned ACLs
Procedure to support RADIUS-assigned ACLs
Show RADIUS-assigned ACL activity
Viewing
Show active per-port CoS and rate-limiting configuration
Show rate-limiting and port priority for ports
Configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS
Using HPE VSA 63 to assign IPv6 and IPv4 ACLs
Using HPE VSA 61 to assign IPv4 ACLs
RADIUS filter-id
Forcing reauthentication
show access-list radius
Show access-list (NAS rule) and (filter-id)
Log messages
Force client re-authorization
Open Authentication
aaa port-access open-auth voice-vlan
aaa port-access open-auth data-vlan
aaa port-access open-auth user-role
show port-access clients
Critical authentication
Examples of Behaviors
Deploying Critical VLAN
Creating a VLAN for voice traffic
Creating a user-role
Associating a critical user-role to the critical VLAN
aaa port-access critical-auth
Cached reauthentication
aaa authentication mac-based cached-reauth authorized
aaa authentication port-access cached-reauth authorized
Configuring a client for retain-unauth-clients
Resilient 802.1x cached-reauth
Configuring a client for retain-unauth-clients
RBAC
RBAC Overview
Limitations
Roles
Rules
Command rules
Feature rules
VLAN policy rules
Interface policy rules
Creating roles and assigning rules
Enabling authorization
Creating a role
Configuring command rules
Configuring VLAN policy
Configuring interface policy
Configuring feature policy
Displaying rules for predefined roles
Displaying predefined features
Troubleshooting
Cannot modify group name
Cannot delete a group
Unable to run a command
Unable to add a rule
aaa authorization group
Predefined features
Password Complexity
Password complexity overview
Password expiration periods
Requirements
Limitations
Configuring Password Complexity
Viewing the password configuration
Enable Password Complexity
Configure the Password Complexity parameters
Configure password minimum length
Configure password composition
Configure password complexity checks
password configuration commands
password configuration-control
password configuration
password minimum-length
password
aaa authentication local-user
password complexity
password composition
show password-configuration
Troubleshooting
Unable to enable Password Complexity
Unable to download the configuration file
Display messages
Configuring Secure Shell (SSH) with two-factor authentication
Overview
Two-factor authentication configuration commands
aaa authentication ssh
aaa authentication ssh two-factor
aaa authentication ssh two-factor two-factor-type
aaa authentication ssh two-factor two-factor-type publickey-password
aaa authentication ssh two-factor two-factor-type certificate-password
crypto enforce secure-rsa
Two-factor authentication restrictions
Two-factor authentication event log messages
Configuring Secure Sockets Layer (SSL)
Overview
Server certificate authentication with user password authentication
Configuration summary
Assigning a local login (operator) and enabling (manager) password
Using the WebAgent to configure local passwords
Installing the switch's server web host certificate
Self-signed certificate
Authority-signed certificate
Enabling SSL on the switch and anticipating SSL browser contact behavior
Using the CLI interface to enable web management over SSL/TLS
IPv4 Access Control Lists (ACLs)
Configuring
Configuring named, standard ACLs
Entering the IPv4 named ACL context
Configuring ACEs in a named, standard ACL
Deleting an ACE
Creating or adding to a standard, numbered ACL
Configuring extended ACLs
Creating and configuring a named, extended ACL
Configuring ACEs in named, extended ACLs
Including options for TCP and UDP traffic in extended ACLs
Controlling ICMP traffic in extended ACLs
Controlling IGMP traffic in extended ACLs
Configuring numbered, extended ACLs
Creating or adding to an extended, numbered ACL
Controlling TCP and UDP traffic flow
Controlling ICMP traffic flow
Controlling IGMP traffic flow
Configuring logging timer
Viewing
Viewing an ACL summary
Viewing the content of all ACLs on the switch
Viewing the RACL and VACL assignments for a VLAN
Viewing static port (and trunk) ACL assignments
Viewing specific ACL configuration details
Viewing all ACLs and their assignments in the routing switch startup-config and running-config files
Using
Adding or removing an ACL assignment on an interface
Filtering routed IPv4 traffic
Filtering IPv4 traffic inbound on a VLAN
Filtering inbound IPv4 traffic per port
Creating ACLs
Using the CLI to create an ACL
Creating or editing an ACL offline
Deleting an ACL
Inserting an ACE in an existing ACL
Deleting an ACE from an existing ACL
Resequencing the ACEs in an ACL
Attaching a remark to an ACE
Appending remarks and related ACEs to the end of an ACL
Inserting remarks and related ACEs within an existing list
Inserting a remark for an ACE that already exists in an ACL
Removing a remark from an existing ACE
Enable ACL “Deny” or “Permit” Logging
Requirements for using ACL Logging
ACL Logging Operation
Enabling ACL logging on the switch
Monitoring static ACL performance
ACE counter operation
Resetting ACE Hit counters to zero
Using IPv6 counters with multiple interface assignments
Using IPv4 counters with multiple interface assignments
Additional configuration guidelines
Introduction
General ACL operating notes
About IPv4 static ACL operation
Introduction to IPv4 static ACL operation
Options for applying IPv4 ACLs on the switch
Types of IPv4 ACLs
ACL applications
Multiple ACLs on an interface
Features common to all ACL applications
General steps for planning and configuring ACLs
The packet-filtering process
Operating notes for remarks
Planning an ACL application
Configuring standard ACLs
Editing an existing ACL
IPv4 ACL configuration and operating rules
How an ACE uses a mask to screen packets for matches
Using CIDR notation to enter the IPv4 ACL mask
General steps for implementing ACLs
Options for permit/deny policies
ACL configuration structure
ACL configuration factors
Enabling ACL 'Deny' logging
Requirements for using ACL logging
ACL logging operation
ACL/ACE match-related logging commands
Overview
sys-debug destination
sys-debug <FILTER-TYPE> <FILTER-OPTIONS>
sys-debug acl
access-list logtimer
Show command (running configuration) (for ACLs)
debug destination
debug acl
Port Security
Configuring
Planning port security
Configuring port security
Eavesdrop Prevention is Disabled
Blocked unauthorized traffic
Trunk Group Exclusion
Overview
port-security disable-timer
Configuring Trusted Ports for Dynamic ARP Protection
Configuring Additional Validation Checks on ARP Packets
Verifying the configuration of dynamic ARP protection
Configuring DHCP snooping trusted ports
For DHCPv4 servers
For DHCPv6 servers
Overview
clear dhcp-snooping binding
clear dhcp-snooping statistics
Error Log
RMON table
Configuring authorized server addresses
Configuring MAC Lockdown
Configuring MAC Lockout
Configuring instrumentation monitor
User-based lockout compliance
aaa authentication
aaa authentication unlock
show authentication
Console session lockout overview
aaa authentication console-lockout
Viewing
Displaying port security settings
Displaying ARP Packet Statistics
Monitoring Dynamic ARP Protection
Listing authorized and detected MAC addresses
Viewing the current instrumentation monitor configuration
Using Port Security
Enabling port security eavesdrop-prevention
Configuring DHCP snooping
Configuring DHCPv4 snooping
Configuring DHCPv6 snooping
Enabling Dynamic ARP protection
Enabling Dynamic IP Lockdown
For IPv4
For IPv6
Removing MAC Addresses
Assigned/authorized addresses
Removing a MAC Address from the Authorized list for a port
Clear MAC address table
Configuring Clearing of Learned MAC Addresses
Deploying MAC Lockdown
Adding an IP-to-MAC Binding to the DHCP Database
Clearing the DHCP snooping binding table
Adding a static binding
Displaying the static configuration of IP-to-MAC bindings
Debugging dynamic IP lockdown
Verifying the dynamic IP lockdown configuration
For IPv4
For IPv6
Adding a MAC Address to a port
Checking for intrusions, listing intrusion alerts, and resetting alert flags (CLI)
Checking for intrusions, listing intrusion alerts, and resetting alert flags (Menu)
Using the event log to find intrusion alerts CLI
Using the event log to find intrusion alerts menu
Overview
DHCP Snooping
DHCP Operational Notes
Dynamic ARP Protection
Dynamic IP Lockdown
Protection against IP source address spoofing
Prerequisite: DHCP snooping
Filtering IP and MAC addresses per-port and per-VLAN
Operational notes
Adding an IP-to-MAC binding to the DHCP binding database
Potential issues with bindings
Using the instrumentation monitor
Operating notes for the instrumentation monitor
About port security
Basic operation
Default port security operation
Trusted ports
Intruder protection
Eavesdrop protection
General operation for port security
Eavesdrop prevention
Disabling Eavesdrop Prevention
Feature interactions when Eavesdrop Prevention is disabled
Blocking unauthorized traffic
Trunk group exclusion
Retention of static addresses
Learned addresses
Assigned/Authorized Addresses
Specifying Authorized Devices and Intrusion Responses
Adding an Authorized Device to a Port
Removing a Device From the “Authorized” List for a Port
How MAC Lockdown works
MAC Lockdown operating notes
Limits
Event Log messages
Limiting the frequency of log messages
Differences between MAC lockdown and port security
Deploying MAC lockdown
Basic MAC Lockdown deployment
Problems using MAC Lockdown in networks with multiple paths
How MAC Lockout works
Port security and MAC Lockout
Reading intrusion alerts and resetting alert flags
Notice of security violations
How the intrusion log operates
Keeping the intrusion log current by resetting alert flags
Operating notes for port security
Proxy Web servers
'Prior To' entries in the intrusion log
Alert flag status for entries forced off of the intrusion log
LACP not available on ports configured for port security
Log Messages
Authorized IP Managers
Overview
About using authorized IP Managers
Options
Access Levels
Defining authorized management stations
Operating notes
Configuring
Viewing and configuring IP Authorized Managers (Menu)
To authorize manager access
To edit an existing manager access entry
To delete an authorized manager entry
Configuring IP Authorized Managers for the switch (CLI)
To Authorize Manager Access
To Edit an Existing Manager Access Entry
To Delete an Authorized Manager Entry
Using
Editing or deleting an Authorized Manager entry (Menu)
Listing the switch current Authorized IP Manager (CLI)
Building IP Masks: Configuring one station per Authorized Manager IP entry
Building IP Masks: Configuring multiple stations per Authorized Manager IP entry
Key Management System
Configuring key chain management
Creating and deleting key chain entries
Assigning a time-independent key to a chain
Assigning time-dependent keys to a chain
Overview
Traffic/Security Features and Monitors
Configuring traffic/security
Configuring security settings using the CLI wizard
Defining and configuring named source-port filters
Configuring traffic/security filters
Configuring a source-port traffic filter
Configuring a filter on a port trunk
Configuring a multicast or protocol traffic filter
Viewing
Viewing a named source-port filter
Using HPE switch security features
Physical security
Using the Management Interface wizard
WebAgent: Management Interface wizard
SNMP security guidelines
General SNMP access to the switch
SNMP access to the authentication configuration MIB
Precedence of security options
Precedence of Port-based security options
Precedence of Client-based authentication: Dynamic Configuration Arbiter
Arbitrating client-specific attributes
Access security features
Network security features
Using named source-port filters
Editing a source-port filter
Displaying traffic/security filters
Advanced Threat Detection
logging
logging filter
logging filter enable | disable
show logging filter
show syslog configuration
Overview
Filter Limits
Using port trunks with filter
Filter types and operation
Source-Port Filters
Operating Rules for Source-Port Filters
Name source-port filters
Operating rules for named source-port filters
Static multicast filters
Protocol filters
Filtering index
CLI Wizard: Operating notes and restrictions
Port-Based and User-Based Access Control (802.1X)
Configuring Port-Based Access
Why Use Port-Based or User-Based Access Control?
User Authentication Methods
802.1X User-Based Access Control
802.1X Port-Based Access Control
Alternative To Using a RADIUS Server
Accounting
General Setup Procedure for 802.1X Access Control
Configuring switch ports as 802.1X authenticators
Enabling 802.1X authentication on selected ports
Specify User-Based Authentication or Return to Port-Based Authentication
Reconfigure settings for port-access
Configure the 802.1X Authentication Method
Enter the RADIUS Host IP Addresses
Enable 802.1X Authentication on the Switch
Optional: Reset Authenticator Operation
Optional: Configure 802.1X Controlled Direction
Wake-on-LAN Traffic
Setting Up and Configuring 802.1X Open VLAN Mode
Configuring General 802.1X Operation
Configuring 802.1X Open VLAN Mode
Inspecting 802.1X Open VLAN Mode Operation
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices
Viewing 802.1X Open VLAN Mode Status
Show Commands for Port-Access Supplicant
How RADIUS/802.1X Authentication Affects VLAN Operation
Port-Security
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches
Supplicant Port Configuration
Configuring Mixed Port Access Mode
General 802.1X Authenticator Operation
Example of the Authentication Process
VLAN Membership Priorities
Viewing
Displaying 802.1X Configuration, Statistics, and Counters
Show Commands for Port-Access Authenticator
Using
Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions
Tagged and untagged VLAN attributes
Overview
General Features
Introduction
VLAN Membership Priorities
Use Models for 802.1X Open VLAN Modes
802.1X Open VLAN Operating Notes
General Operating Rules and Notes
Operating Notes
Unauthenticated VLAN Access (Guest VLAN Access)
Characteristics of Mixed Port Access Mode
Operating Notes VLAN Assignment on a Port
Messages Related to 802.1X Operation
Device Fingerprinting
Prerequisites
Server certificate installation on CPPM
device-fingerprinting policy
device-fingerprinting timer
device-fingerprinting client-limit
device-fingerprinting incoming-clients-only
device-fingerprinting apply
show device-fingerprinting profile-name
show device-fingerprinting active
show device-fingerprinting client-status
show device-fingerprinting client-details
Limitations
Troubleshooting
Device fingerprinting client details is blank
Device fingerprinting client status is blank
Secure Mode (3800, 3810, 5400zl, and 8200zl Switches)
Overview
Configuring secure mode
Commands affected when enhanced secure mode is enabled
Feature-specific show commands
Show flash and show version command output
Show config commands
MIB CLI commands
Password commands
Additional password command option
Prompt for password when first logging in
Behavior when changing or exiting levels
Additional password commands
Secret keys
SSH changes
SSL changes
Zeroizing with HA
Opacity-shields command
Operating notes for passwords in enhanced secure mode
Troubleshooting
Verifying the flash is signed
Setting the diagnostic level
Zeroizing from the ROM console
Error messages
Certificate manager
Configuration support
Trust anchor profile
Web User’s Interface
Switch identity profile
Local certificate enrollment — manual mode
Self-signed certificate enrollment
Self-Signed certificate
Removal of certificates/CSRs
Zeroization
File transfer
Loading a local certificate
Debug logging
Certificate specific
Profile specific—TA profile
Show profile specific
Certificate details
Display PKI certificate
Web support
SSL screen
Panel hierarchy
Error messages
Conformance to Suite-B Cryptography requirements
Configuration support
CRL configuration facts
OCSP configuration facts
Configure CRL for revocation check
Configure OCSP for revocation check
Retrieve CRL
Set TA profile to validate CRL and OCSP
Clear CRL
Create a certificate signing request
Create and enroll a self-signed certificate
Configure or remove the minimum levels of security minLos for TLS
Install authentication files
Remove authentication files
show crypto client-public-key
Remove the client public keys from configuration
Show details of TA profile
Websites
Support and other resources
Accessing Hewlett Packard Enterprise Support
Accessing updates
Customer self repair
Remote support
Warranty information
Regulatory information
Documentation feedback
ArubaOS-Switch RADIUS Vendor-Specific Attributes
Management access
Access control feature control
Access control
Class of service
Bandwidth
Filtering