Authentication, authorization, and accounting

By default, no user authentication is configured, leaving the switch open to anyone with physical or remote access. ArubaOS-Switch provides a number of methods for authenticating users and preventing unauthorized management access to the device, ranging from basic password protection to role-based authentication using external servers.

Each management interface (console, SSH, and so on) allows configuration of a primary and secondary method of authenticating users. Aruba switches default to the following:

switch# show authentication 

 Status and Counters - Authentication Information

  Login Attempts : 3
  Lockout Delay : 0
  Respect Privilege : Disabled
  Bypass Username For Operator and Manager Access : Disabled

                 | Login       Login        Login
  Access Task    | Primary     Server Group Secondary
  -------------- + ----------- ------------ ----------
  Console        | Local                    None
  Telnet         | Local                    None
  Port-Access    | Local                    None
  Webui          | Local                    None
  SSH            | Local                    None
  Web-Auth       | ChapRadius  radius       None
  MAC-Auth       | ChapRadius  radius       None
  SNMP           | Local                    None
  Local-MAC-Auth | Local                    None

                 | Enable      Enable       Enable
  Access Task    | Primary     Server Group Secondary
  -------------- + ----------- ------------ ----------
  Console        | Local                    None
  Telnet         | Local                    None
  Webui          | Local                    None
  SSH            | Local                    None

NOTE:

Port-access (802.1X), Web-Auth, and MAC-Auth are primarily means of securing the network from unauthorized users, not the switch itself, and are considered beyond the scope of this document.

The “Respect Privilege” option instructs the switch to allow the authenticating server to supply the privilege level of the user. See Server-supplied privilege level for more information.

If the primary authentication method cannot be completed (for example, all configured RADIUS or TACACS+ servers are unreachable), the switch falls back to the secondary method. A reachable server that rejects the credentials does not count as a failed method, so the secondary method is not consulted in that case. In the default configuration shown above, every management task uses Local as its primary method with no secondary; if no local manager username or password has been configured, anyone who connects to the switch is granted manager-level access without authenticating.

Most management interfaces permit three methods of authenticating users:

  • Local – uses locally created usernames and passwords.

  • RADIUS – uses an external RADIUS server.

  • TACACS+ – uses an external TACACS+ server.
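The fragment below is an added example, not configuration taken from the Aruba documentation, showing how the per-interface primary and secondary methods described above are set on an ArubaOS-Switch: a local manager account is created first so that the Local fallback actually requires credentials, SSH and the web UI use RADIUS with Local as the secondary method for when the server is unreachable, the console stays on Local for out-of-band recovery, Respect Privilege is enabled, and Telnet is turned off. It is written in saved-configuration style (`;` lines are comments in an ArubaOS-Switch config file); the server address 192.0.2.10, the shared secret and the admin password are placeholders to be replaced.

```text
; Added example (not from the original page): hardened AAA fragment for ArubaOS-Switch.
; Assumed values: RADIUS server 192.0.2.10, shared secret and admin password are placeholders.
;
; 1. Local manager account, so that the Local method never grants access without credentials.
password manager user-name admin plaintext CHANGE-ME-PASSWORD
;
; 2. External RADIUS server used as the primary method for remote management.
radius-server host 192.0.2.10 key "CHANGE-ME-SHARED-SECRET"
;
; 3. Let the RADIUS server supply the privilege level ("Respect Privilege : Enabled")
;    and cap failed login attempts before the session is dropped.
aaa authentication login privilege-mode
aaa authentication num-attempts 3
;
; 4. Console stays Local (primary) with no secondary: out-of-band recovery path.
aaa authentication console login local
aaa authentication console enable local
;
; 5. SSH and web UI: RADIUS first, Local only if every RADIUS server is unreachable.
;    A RADIUS reject does not fall through to Local.
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication web login radius local
aaa authentication web enable radius local
;
; 6. Remove the cleartext remote management path entirely rather than securing it.
no telnet-server
```

After applying the fragment, `show authentication` should list `Radius` as the Login and Enable primary method for SSH and Webui with `Local` as the secondary, `Local` for Console, and `Respect Privilege : Enabled`. Verify the RADIUS path by logging in over SSH with a server-side account before closing the console session, so that a mistyped shared secret or unreachable server is caught while a recovery path is still open.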