Aruba 2920 Access Security Guide for ArubaOS-Switch 16.09
Home
About this guide
Applicable products
Switch prompts used in this guide
Security Overview
Introduction
About this guide
For more information
Access security features
Network security features
Getting started with access security
Physical security
Using the Management Interface wizard
Configuring security settings using the CLI wizard
WebAgent: Management Interface wizard
SNMP security guidelines
General SNMP access to the switch
SNMP access to the authentication configuration MIB
Precedence of security options
Precedence of port-based security options
Precedence of client-based authentication: Dynamic Configuration Arbiter (DCA)
Arbitrating client-specific attributes
Configuring Username and Password Security
Overview
Configuring password security
Configuring local password security
Setting passwords and usernames (CLI)
Removing password protection
Username and password length
General rules for usernames and passwords
Restrictions for the setmib command
Additional restrictions
Password implications when upgrading or downgrading software versions
Unable to use previous password
Setting passwords and usernames (WebAgent)
Configure SHA-256 format passwords
Saving security credentials in a config file
Benefits of saving security credentials
Enabling the storage and display of security credentials
Security settings that can be saved
Executing include-credentials or include-credentials store-in-config
The no include-credentials store-in-config option
Local manager and operator passwords
Password command options
SNMP security credentials
TACACS+ encryption key authentication
RADIUS shared-secret key authentication
The include-credentials radius-tacacs-only option
SSH client public-key authentication
X.509v3 certificate authentication for SSH
Displaying the status of include-credentials
Storage states when using include-credentials
Operating notes
Restrictions on enabling security credentials
SSH Re-Keying for SSH Server and SSH Client
Encrypting credentials in the configuration file
Enabling encrypt-credentials
Displaying the state of encrypt-credentials
Affected commands
Important operating notes
Interaction with include-credentials settings
Front panel security
When security is important
Front-panel button functions
Clear button
Reset button
Restoring the factory default configuration
Configuring front panel security
Disabling the clear password function of the Clear button
Re-enabling the Clear button and setting or changing the ‘reset-on-clear’ operation
Changing the operation Reset+Clear combination
Password recovery
Disabling or re-enabling the password recovery process
Password recovery process
Web and MAC Authentication
Overview
Web-based authentication
MAC authentication
Concurrent web-based and MAC authentication
Authorized and unauthorized client VLANs
RADIUS-based authentication
Wireless clients
How web-based and MAC authentication operate
Web-based authentication
Order of priority for assigning VLANs
MAC-based authentication
Operating rules and notes
Setup procedure for web-based/MAC authentication
Configuring the RADIUS server to support MAC authentication
Configuring the switch to access a RADIUS server
Radius service tracking
radius-server tracking
radius-server tracking user-name
Configuring web-based authentication
Overview
Configuration commands for web-based authentication
Controlled direction
Disable web-based authentication
Specifying the VLAN
Maximum authenticated clients
Specifies base address
Specifies lease length
Specifying the period
Specifying the number of authentication attempts
Specifying maximum retries
Specifying the time period
Specifying the re-authentication period
Specifying a forced reauthentication
Specifying the URL
Specifying the timeout
Show commands for web-based authentication
Configuring MAC authentication
Preparation for configuring MAC authentication
Configuration commands for MAC authentication
Configuring the global MAC authentication password
Configuring a MAC-based address format
Configuring other MAC-based commands
Configuring custom messages for failed logins
Web page display of access denied message
Viewing the show commands for MAC authentication
Viewing session information for MAC authenticated clients on a switch
Viewing detail on status of MAC authenticated client sessions
Viewing MAC authentication settings on ports
Viewing details of MAC Authentication settings on ports
Viewing MAC Authentication settings including RADIUS server-specific
Client status
Configuring MAC pinning
aaa port-access local-mac <PORT-LIST> mac-pin
aaa port-access mac-based <PORT-LIST> mac-pin
Captive Portal for ClearPass
Requirements
Best Practices
Limitations
Features
High Availability
Load balancing and redundancy
Captive Portal when disabled
Disabling Captive Portal
Configuring Captive Portal on ClearPass
Import the HPE RADIUS dictionary
Create enforcement profiles
Create a ClearPass guest self-registration
Configure the login delay
Configuring the switch
Configure the URL key
Configuring a certificate for Captive Portal usage
Display Captive Portal configuration
Show certificate information
Troubleshooting
Event Timestamp not working
Cannot enable Captive Portal
Unable to enable feature
Authenticated user redirected to login page
Unable to configure a URL hash key
authentication command
show command
Debug command
Local MAC Authentication
Overview
Concepts
Possible scenarios for deployment
Show commands
Configuration commands
Per-port attributes
Configuration examples
Configuration example 1
Configuration example 2
Configuration using mac-groups
Configuration without using mac-groups
Port-based MAC authentication
Overview
Operating notes
aaa port-access use-lldp-data
TACACS+ Authentication
Overview
General system requirements
General authentication setup procedure
Configuring TACACS+ on the switch
show authentication
Viewing the current TACACS+ server contact configuration
Configuring the switch authentication methods
Using the privilege-mode option for login
Authentication parameters
Configuring TACACS+ server
Configuring the TACACS+ server for single login
Configuring the switch TACACS+ server access
TACACS+ authorization and accounting commands
Device running a TACACS+ server application
Optional, global "encryption key"
Specifying how long the switch waits for a TACACS+ server to respond to an authentication request
Adding, removing, or changing the priority of a TACACS+ server
Configuring an encryption key
How authentication operates
General authentication process using a TACACS+ server
Local authentication process (TACACS+)
Using the encryption key
General operation
Encryption options in the switch
Controlling WebAgent access when using TACACS+ authentication
Messages related to TACACS+ operation
Operating notes
RADIUS Authentication, Authorization, and Accounting
Overview
Authentication Services
Accounting services
RADIUS-administered CoS and rate-limiting
RADIUS-administered commands authorization
SNMP access to the switch authentication configuration MIB
Switch operating rules for RADIUS
General RADIUS setup procedure
Configuring the switch for RADIUS authentication
Configuring authentication for the access methods that RADIUS protects
Enabling manager access privilege (optional)
Configuring the switch to access a RADIUS server
Configuring the switch global RADIUS parameters
Using multiple RADIUS server groups
Connecting a RADIUS server with a server group
Configuring the primary password authentication method for console, Telnet, SSH and WebAgent
Configuring the primary password authentication method for port-access, MAC-based, and web-based access
Viewing RADIUS server group information
Using SNMP to view and configure switch authentication features
Viewing and changing the SNMP access configuration
Local authentication process (RADIUS)
Controlling WebAgent access
Commands authorization
Enabling authorization
Viewing authorization information
Configuring commands authorization on a RADIUS server
Using vendor specific attributes (VSAs)
Example configuration using FreeRADIUS
Dynamic port access auth via RADIUS
Overview
Configuring the RADIUS VSAs
Viewing port-access information
Operating notes
VLAN assignment in an authentication session
Tagged and untagged VLAN attributes
Additional RADIUS attributes
MAC-based VLANs
Accounting services
Accounting service types
Operating rules for RADIUS accounting
Acct-Session-ID options in a management session
Unique Acct-Session-ID operation
Common Acct-Session-ID operation
Configuring RADIUS accounting
Steps for configuring RADIUS accounting
Viewing RADIUS statistics
General RADIUS statistics
RADIUS authentication statistics
RADIUS accounting statistics
Changing RADIUS-server access order
Creating local privilege levels
Configuring groups for local authorization
Configuring a local user for a group
Displaying command authorization information
Dynamic removal of authentication limits
Messages related to RADIUS operation
Security event log
Security user log access
Creating a security user
Security user commands
Authentication and Authorization through RADIUS
Authentication and Authorization through TACACS+
Restrictions
Event log wrap
Configuring concurrent sessions
For non-stackable switches
For stackable switches
Configuring concurrent sessions per user
For non-stackable switches
For stackable switches
Configuring concurrent sessions per user
Failed login attempts delay
User roles
Overview
Captive-portal commands
Overview
no aaa authentication captive-portal profile
Netservice and Netdestination Local user role
Policy commands
Overview
policy user
no policy user
policy resequence
Commands in the policy-user context
(policy-user)# class
User role configuration
aaa authorization user-role
Error log
captive-portal-profile
policy
reauth-period
VLAN commands
vlan-id
vlan-name
VLAN range commands
Applying User Derived Role with Local MAC Authentication
aaa port-access local-mac apply user-role
VXLAN show commands
show captive-portal profile
show user-role
show port-access clients
Monitoring Static IP Devices
ip client-tracker
ip client-tracker probe-delay
Tagged VLAN for user role
vlan-id-tagged
user-role vlan-id
Downloadable user-roles
aaa authorization user-role enable download
radius-server cppm identity
downloadable-role-delete
show user-role <XYZ>
show port-access clients
debug usertn
Netservice and Netdestination Downloadable User Role
IPv4 Access Control Lists (ACLs)
Options for applying IPv4 ACLs on the switch
Static ACLs
Dynamic port ACLs
Overview
Types of IPv4 ACLs
Standard ACL
Extended ACL
ACL applications
VACL applications
Static port ACL and RADIUS-assigned ACL applications
RADIUS-assigned (dynamic) port ACL applications
Multiple ACLs on an interface
Features common to all ACL applications
General steps for planning and configuring ACLs
IPv4 static ACL operation
Introduction
The packet-filtering process
Sequential comparison and action
Implicit Deny
Planning an ACL application
IPv4 traffic management and improved network performance
Security
Guidelines for planning the structure of a static ACL
IPv4 ACL configuration and operating rules
How an ACE uses a mask to screen packets for matches
What is the difference between network (or subnet) masks and the masks used with ACLs?
Rules for defining a match between a packet and an ACE
Configuring and assigning an IPv4 ACL
General steps for implementing ACLs
Options for permit/deny policies
ACL configuration structure
Standard ACL structure
Extended ACL configuration structure
ACL configuration factors
The sequence of entries in an ACL is significant
Allowing for the Implied Deny function
A configured ACL has no effect until you apply it to an interface
You can assign an ACL name or number to an interface even if the ACL does not exist in the switch configuration
Using the CLI to create an ACL
Inserting or adding an ACE to an ACL
Using CIDR notation to enter the IPv4 ACL mask
Configuring standard ACLs
Configuring named, standard ACLs
Entering the IPv4 named ACL context
Configuring ACEs in a named, standard ACL
Creating numbered, standard ACLs
Configuring extended ACLs
Configuring named, extended ACLs
Configuring ACEs in named, extended ACLs
Including options for TCP and UDP traffic in extended ACLs
Options for ICMP traffic in extended ACLs
Option for IGMP in extended ACLs
Configuring numbered, extended ACLs
Creating or adding to an extended, numbered ACL
Controlling TCP and UDP traffic flow
Controlling ICMP traffic flow
Controlling IGMP traffic flow
Adding or removing an ACL assignment on an interface
Filtering IPv4 traffic inbound on a VLAN
Filtering inbound IPv4 traffic per port
Deleting an ACL
Editing an existing ACL
Using the CLI to edit ACLs
General editing rules
Sequence numbering in ACLs
Inserting an ACE in an existing ACL
Deleting an ACE from an existing ACL
Resequencing the ACEs in an ACL
Attaching a remark to an ACE
Operating notes for remarks
Viewing ACL configuration data
Viewing an ACL summary
Viewing the content of all ACLs on the switch
Viewing the VACL assignments for a VLAN
Viewing static port (and trunk) ACL assignments
Viewing the content of a specific ACL
Viewing all ACLs and their assignments in the switch startup-config and running-config files
Creating or editing an ACL offline
Monitoring static ACL performance
General ACL operating notes
ACL Grouping
Overview
Commands
IPv4 access-group (PACL)
IPv6 access-group (PACL)
MAC access-group (PACL)
IPv4 access-group (VACL)
IPv6 access-group (VACL)
MAC access-group (VACL)
Modify existing commands
show configuration
show statistics
show access-list
show access-list ports
show access-list vlan
Error messages
Netdestination and Netservice
Overview
netdestination host |position | network
netservice [tcp | udp | port]
show netdestination
RADIUS Services Support on Aruba Switches
Configuring
Configuring the switch to support RADIUS-assigned ACLs
Viewing
Viewing the currently active per-port CoS and rate-limiting configuration
Viewing CLI-configured rate-limiting and port priority for ports
Using
ACE syntax configuration options in a RADIUS server, using the standard attribute in an IPv4 ACL (Example)
Using VSA 63 to assign IPv6 and IPv4 ACLs
Using VSA 61 to assign IPv4 ACLs
Displaying the current RADIUS-assigned ACL activity on the switch
Overview
About RADIUS server support
RADIUS client and server requirements
RADIUS server configuration for CoS (802.1p priority) and rate-limiting
Applied rates for RADIUS-assigned rate limits
Per-port bandwidth override
Configuring and using dynamic (RADIUS-assigned) access control lists
RADIUS filter-id
Contrasting RADIUS-assigned and static ACLs
How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port
General ACL features, planning, and configuration
The packet-filtering process
Operating rules for RADIUS-assigned ACLs
Configuring an ACL in a RADIUS server
Nas-filter-Rule attribute options
ACE syntax in RADIUS servers
Configuration notes
Monitoring shared resources
Event log messages
RBAC
RBAC Overview
Limitations
Roles
Rules
Command rules
Feature rules
VLAN policy rules
Interface policy rules
Creating roles and assigning rules
Enabling authorization
Creating a role
Configuring command rules
Configuring VLAN policy
Configuring interface policy
Configuring feature policy
Displaying rules for predefined roles
Displaying predefined features
Troubleshooting
Cannot modify group name
Cannot delete a group
Unable to run a command
Unable to add a rule
aaa authorization group
Predefined features
Password Complexity
Password complexity overview
Password expiration periods
Requirements
Limitations
Configuring Password Complexity
Viewing the password configuration
Enable Password Complexity
Configure the Password Complexity parameters
Configure password minimum length
Configure password composition
Configure password complexity checks
password configuration commands
password configuration-control
password configuration
password minimum-length
password
aaa authentication local-user
password complexity
password composition
show password-configuration
Troubleshooting
Unable to enable Password Complexity
Unable to download the configuration file
Display messages
Configuring Secure Shell (SSH)
Overview
Client public-key authentication (login/operator level) with user password authentication (enable/manager level)
Switch SSH and user password authentication
Prerequisite for using SSH
Public key formats
Steps for configuring and using SSH for switch and client authentication
General operating rules and notes
Configuring the switch for SSH operation
Generating or erasing the switch public/private host key pair
crypto key generate
show crypto host-public-key
zeroize
Displaying the public key
Providing the switch public key to clients
Enabling SSH on the switch and anticipating SSH client contact behavior
ip ssh
Disabling SSH on the switch
Configuring the switch for SSH authentication
Option A: Configuring SSH access for password-only SSH authentication
Option B: Configuring the switch for client Public-Key SSH authentication
SSH client contact behavior
Disable username prompt for management interface authentication in the Quick Base system
Switch behavior with Telnet
Switch behavior with SSH
Switch behavior with WebUI
SSH client public-key authentication notes
Using client public-key authentication
Creating a client public-key text file
Replacing or clearing the public-key file
Enabling client public-key authentication
SSH client and secure sessions
Opening a secure session to switch
General operating rules and notes
Copying client key files
Copying the ssh-client-known-hosts file
Replacing or appending the ssh-client-known-hosts file
Copying the SSH client known hosts file to another location
Copying the host public key
Removing the SSH client key pair
Removing the SSH client known hosts file
Displaying open sessions
Messages related to SSH operation
Logging messages
Debug logging
Configuring Secure Shell (SSH) with two-factor authentication
Overview
Two-factor authentication configuration commands
aaa authentication ssh
aaa authentication ssh two-factor
aaa authentication ssh two-factor two-factor-type
aaa authentication ssh two-factor two-factor-type publickey-password
aaa authentication ssh two-factor two-factor-type certificate-password
Two-factor authentication restrictions
Configuring Secure Sockets Layer (SSL)
Overview
Server certificate authentication with user password authentication
Prerequisite for using SSL
Steps for configuring and using SSL for switch and client authentication
General operating rules and notes
Configuring the switch for SSL operation
Assigning a local login (operator) and enabling (manager) password
Using the WebAgent to configure local passwords
Generating the switch's server host certificate
To generate or erase the switch's server certificate with the CLI
Comments on certificate fields
Generate a self-signed host certificate with the WebAgent
Generate a CA-Signed server host certificate with the WebAgent
Enabling SSL on the switch and anticipating SSL browser contact behavior
SSL client contact behavior
Using the CLI interface to enable SSL
Using the WebAgent to enable SSL
Common errors in SSL setup
Configuring Advanced Threat Protection
Introduction
DHCP snooping
Enabling DHCP snooping
Enabling DHCP snooping on VLANs
Clearing DHCP snooping table overview
clear dhcp-snooping binding
clear dhcp-snooping statistics
Configuring DHCP snooping trusted ports
For DHCPv4 servers
Configuring authorized server addresses
Using DHCP snooping with option 82
Changing the remote-id from a MAC to an IP address
Disabling the MAC address check
DHCP binding database
DHCPv4 snooping max-binding
Enabling debug logging
DHCP operational notes
Log messages
IPv6 Network Defense
DSNOOPv6 and DIPLDv6
Configuring DHCPv6 snooping
Configuring traps for DHCPv6 snooping
Clearing DHCPv6 snooping statistics
Enabling debug logging for DHCPv6 snooping
DHCPv6 show commands
Dynamic ARP protection
Enabling dynamic ARP protection
Configuring trusted ports
Adding an IP-to-MAC binding to the DHCP database
Clearing the DHCP snooping binding table
Adding a static binding
Configuring additional validation checks on ARP packets
Verifying the configuration of dynamic ARP protection
Displaying ARP packet statistics
Monitoring dynamic ARP protection
Dynamic IP lockdown
Protection against IP source address spoofing
Prerequisite: DHCP snooping
Filtering IP and MAC addresses per-port and per-VLAN
Enabling Dynamic IP Lockdown
IPv4
IPv6
Operational notes
Adding an IP-to-MAC binding to the DHCP binding database
Potential issues with bindings
Adding a static binding
Verifying the dynamic IP lockdown configuration
For IPv4
For IPv6
Displaying the static configuration of IP-to-MAC bindings
For IPv4
For IPv6
Debugging dynamic IP lockdown
Using the instrumentation monitor
Operating notes
Configuring instrumentation monitor
Viewing the current instrumentation monitor configuration
Traffic/Security Filters and Monitors
Overview
Filter limits
Using port trunks with filter
Filter types and operation
Source-port filters
Operating rules for source-port filters
Name source-port filters
Operating rules for named source-port filters
Defining and configuring named source-port filters
Viewing a named source-port filter
Using named source-port filters
Static multicast filters
Protocol filters
Configuring traffic/security filters
Configuring a source-port traffic filter
Configuring a filter on a port trunk
Editing a source-port filter
Configuring a multicast or protocol traffic filter
Filtering index
Displaying traffic/security filters
Advanced Threat Detection
logging
logging filter
logging filter enable | disable
show logging filter
show syslog configuration
Configuring Port and User-Based Access Control (802.1X)
Overview
Why use port or user-based access control?
General features
User authentication methods
802.1X user-based access control
802.1X port-based access control
Alternative to using a RADIUS server
Accounting
General 802.1X authenticator operation
Example of the authentication process
VLAN membership priority
General operating rules and notes
General setup procedure for 802.1X access control
Overview: configuring 802.1X authentication on the switch
Configuring switch ports as 802.1X authenticators
Enable 802.1X authentication on selected ports
Enable the selected ports as authenticators and enable the (default) port-based authentication
Specify user-based authentication or return to port-based authentication
Reconfigure settings for port-access
Configuring the 802.1X authentication method
Enter the RADIUS host IP address(es)
Enable 802.1X authentication on the switch
Reset authenticator operation (optional)
Optional: Configure 802.1X Controlled Direction
Wake-on-LAN Traffic
Unauthenticated VLAN access (guest VLAN access)
Characteristics of mixed port access mode
Configuring mixed port access mode
802.1X Open VLAN mode
Introduction
VLAN membership priorities
Use models for 802.1X Open VLAN modes
Operating rules for authorized and unauthorized-client VLANs
Setting up and configuring 802.1X Open VLAN mode
Configuring general 802.1X operation
Configuring 802.1X Open VLAN mode
Inspecting 802.1X Open VLAN mode operation
802.1X Open VLAN operating notes
Option for authenticator ports: configure port-security to allow only 802.1X-authenticated devices
Port-Security
Configure the port access type
Configuring switch ports to operate as supplicants for 802.1X connections to other switches
Supplicant port configuration
Enabling a switch port as a supplicant
Configuring a supplicant switch port
Displaying 802.1X configuration, statistics, and counters
Show commands for port-access authenticator
Viewing 802.1X Open VLAN mode status
Show commands for port-access supplicant
Note on supplicant statistics
How RADIUS/802.1X authentication affects VLAN operation
VLAN assignment on a port
Operating notes
Example of untagged VLAN assignment in a RADIUS-based authentication session
Enabling the use of GVRP-learned dynamic VLANs in authentication sessions
EAP identifier compliance for 802.1x
Overview
aaa port-access authenticator eap-id-compliance
Messages related to 802.1X operation
Configuring and Monitoring Port Security
Overview
Port security
Basic operation
Eavesdrop Prevention
Disabling Eavesdrop Prevention
Feature interactions when Eavesdrop Prevention is disabled
MIB Support
Blocked unauthorized traffic
Trunk group exclusion
Planning port security
Port security command options and operation
Displaying port security settings
Configuring port security
Port security commands
Retention of static addresses
Learned addresses
Assigned/authorized addresses
Specifying authorized devices and intrusion responses
Adding an authorized device to a port
Removing a device from the “authorized” list for a port
Clear MAC address table
Configuring clearing of learned MAC addresses
MAC Lockdown
How MAC Lockdown works
Differences between MAC Lockdown and port security
MAC Lockdown operating notes
Limits
Event Log messages
Limiting the frequency of log messages
Deploying MAC Lockdown
Basic MAC Lockdown deployment
Problems using MAC Lockdown in networks with multiple paths
MAC Lockout
How MAC Lockout works
Port security and MAC Lockout
User-based lockout compliance
aaa authentication
aaa authentication unlock
show authentication
Console session lockout overview
aaa authentication console-lockout
Reading intrusion alerts and resetting alert flags
Notice of security violations
How the intrusion log operates
Keeping the intrusion log current by resetting alert flags
Checking for intrusions, listing intrusion alerts, and resetting alert flags (CLI)
Using the Event Log to find intrusion alerts (CLI)
Operating notes for port security
Proxy Web servers
"Prior to" entries in the Intrusion Log
Alert flag status for entries forced off of the Intrusion Log
LACP not available on ports configured for port security
Using Authorized IP Managers
Introduction
Defining authorized management stations
Overview of IP mask operation
Viewing and configuring IP Authorized managers (CLI)
Listing the switch’s current IP Authorized manager(s)
Configuring IP Authorized managers for the switch (CLI)
Configuring IP Authorized managers (WebAgent)
Web proxy servers
How to eliminate the web proxy server
Using a web proxy server to access the WebAgent
Building IP Masks
Configuring one station per Authorized manager IP entry
Configuring multiple stations per Authorized manager IP entry
Operating notes
Key Management System
Overview
Configuring key chain management
Creating and deleting key chain entries
Assigning a time-independent key to a chain
Assigning time-dependent keys to a chain
Certificate Manager
Configuration support
Trust anchor profile (crypto pki ta-profile)
Web User’s Interface
Switch identity profile
Local certificate enrollment – manual mode
Self-signed certificate enrollment
Self-signed certificate
Removal of certificates/CSRs
Zeroization
File transfer
Loading a local certificate
Debug logging
Certificate specific
Profile specific—TA profile
Show profile specific
Certificate details
Display PKI certificate
Web support
SSL screen
Panel hierarchy
Error messages
EST and its applications
Application Certificate Enrollment using EST
Overview
Configuration commands
EST server configuration commands
EST certificate enrollment command
Show commands
show est-server
show est-server config
show est-server status
show est-server ta-profile status
show run
EST enrollment of application certificates using CLI
Enrollment of application certificate through ZTP using Aruba Central
Enrollment of application certificate using AirWave ZTP
Re-enrollment of application certificate using EST
Operational notes
Troubleshooting an EST server connection
Server is not reachable, or CACERTS curl error
SSL connection error, or CACERTS request failed
HTTP 202 Retry-After response header from server
HTTP 401 is unauthorized
Debugging EST connection using logs
Secure Syslog over TLS
Syslog considerations
Configuring syslog server over TLS
Creating a certificate manually for syslog application
Configuration commands
Show command
Creating a syslog certificate using EST server
Secure Radius (RadSec)
Overview of RadSec
RadSec configuration
RadSec considerations
Certificate Manager considerations
Enabling TLS connection for RadSec
radius-server host tls port
radius-server host tls oobm
radius-server host tls clearpass
radius-server host tls dyn-authorization
radius-server host tls time-window
radius-server host tls time-window positive-time-window
radius-server host tls time-window plus-or-minus-time-window
radius-server tls timeout
radius-server tls connection-timeout
radius-server tls dead-time
radius-server tls dead-time infinite
show radius host
show radius
show radius accounting
show radius authentication
show radius host dyn-authorization
tls application
Scalability
Alarms/Timers
Operating notes
Deployment scenarios
Example of RadSec configuration
Troubleshooting a RadSec connection
RadSec TCP Socket Configuration
RadSec server connection
Switch certificates for RadSec are not available
RadSec negotiation failure
Unable to create RadSec TCP socket
RadSec server TLS/TCP connection
Connection error between RadSec server and TCP socket
RadSec server read timeout error
RadSec server write timeout error
RadSec server certificate issue due to wrong common name
RadSec server certificate has a wrong subject name
RadSec server CA unavailability
Debugging a RadSec connection using logs
Conformance to Suite-B Cryptography requirements
Configuration support
CRL configuration facts
OCSP configuration facts
Configure CRL for revocation check
Configure OCSP for revocation check
Retrieve CRL
Set TA profile to validate CRL and OCSP
Clear CRL
Create a certificate signing request
Create and enroll a self-signed certificate
Configure or remove the minimum levels of security minLos for TLS
Install authentication files
Remove authentication files
show crypto client-public-key
Remove the client public keys from configuration
Show details of TA profile
Websites
Support and other resources
Accessing Hewlett Packard Enterprise Support
Accessing updates
Customer self repair
Remote support
Warranty information
Regulatory information
Documentation feedback
ArubaOS-Switch RADIUS Vendor-Specific Attributes
Management access
Access control
Class of service
Bandwidth
Filtering