Aruba R9G11A User guide

Category
Software
Type
User guide
AOS-CX 10.13 Security Guide
8320, 8325, 8400, 9300, 10000 Switch Series
November 2023
Edition: 1
Copyright Information
© Copyright 2023 Hewlett Packard Enterprise Development LP.
This product includes code licensed under certain open source licenses which require source
compliance. The corresponding source for these components is available upon request. This offer is
valid to anyone in receipt of this information and shall expire three years following the date of the final
distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source
code, please check if the code is available in the HPE Software Center at
https://myenterpriselicense.hpe.com/cwp-ui/software but, if not, send a written request for specific
software version and product for which you want the open source code. Along with the request, please
send a check or money order in the amount of US $10.00 to:
Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America.
Notices
The information contained herein is subject to change without notice. The only warranties for Hewlett
Packard Enterprise products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or
omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession,
use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer
Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government
under vendor's standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard
Enterprise website.
Contents
Contents 3
About this document 12
Applicable products 12
Latest version available online 12
Command syntax notation conventions 12
About the examples 13
Identifying switch ports and interfaces 13
Identifying modular switch components 14
About security 15
About Authentication, Authorization, and Accounting (AAA) 15
Managing users and groups 16
Default user admin 16
Example of first login with password setting 16
Built-in user groups and their privileges 16
User-defined user groups 17
User name requirements 17
Password requirements 18
Per-user management interface enablement 18
Local per-user management interface enablement 18
Remote (TACACS+ or RADIUS) per-user management interface enablement 19
User and user group management tasks 20
Resetting the switch admin password using the Service OS console 21
Resetting the admin password by reverting the switch to factory defaults 22
User and group commands 23
password complexity 23
service export-password 27
show password-complexity 28
show user-group 28
show user-list 29
show user-list management-interface 31
show user information 32
user 33
user-group 36
user management-interface 40
user password 41
SSH server 44
SSH defaults 44
SSH server tasks 44
SSH server commands 45
show ssh host-key 45
show ssh server 46
show ssh server sessions 50
AOS-CX 10.13 Security Guide 3
ssh ciphers 51
ssh host-key 52
ssh host-key-algorithms 53
ssh key-exchange-algorithms 54
ssh known-host remove 56
ssh macs 56
ssh maximum-auth-attempts 57
ssh public-key-algorithms 58
ssh server allow-list 59
ssh server port 61
ssh server vrf 62
SSH client 63
SSH client commands 63
ssh (client login) 63
Local AAA 65
Local AAA defaults and limits 65
Supported platforms and standards 65
Scale 65
Local authentication 66
Password-based local authentication 66
SSH public key-based local authentication 66
Local authentication tasks 66
Local authorization 68
Local authorization tasks 69
Local accounting 69
Local accounting tasks 69
Local AAA commands 70
aaa accounting all-mgmt 70
aaa authentication console-login-attempts 71
aaa authentication limit-login-attempts 73
aaa authentication login 74
aaa authentication minimum-password-length 75
aaa authorization commands (local) 76
show aaa accounting 78
show aaa authentication 79
show aaa authorization 80
show authentication locked-out-users 82
show ssh authentication-method 82
show user 83
ssh password-authentication 84
ssh public-key-authentication 85
user authorized-key 85
Remote AAA with TACACS+ 88
Parameters for TACACS+ server 88
Default server groups 89
Supported platforms and standards 89
About global versus per-TACACS+ server passkeys (shared secrets) 90
Remote AAA TACACS+ server configuration requirements 90
User role assignment using TACACS+ attributes 91
TACACS+ server redundancy and access sequence 91
Single source IP address for consistent source identification to AAA servers 91
TACACS+ general tasks 92
TACACS+ authentication 92
About authentication fail-through 93
TACACS+ authentication tasks 93
TACACS+ authorization 94
Using local authorization as fallback from TACACS+ authorization 94
About authentication fail-through and authorization 94
TACACS+ authorization tasks 94
TACACS+ accounting 95
Sample accounting information on a TACACS+ server 95
Sample REST accounting information on a TACACS+ server 96
TACACS+ accounting tasks 96
Example: Configuring the switch for Remote AAA with TACACS+ 97
Remote AAA with RADIUS 100
Parameters for RADIUS server 100
Default server groups 101
Supported platforms and standards 102
About global versus per-RADIUS server passkeys (shared secrets) 103
Remote AAA RADIUS server configuration requirements 103
User role assignment using RADIUS attributes 103
RADIUS server redundancy and access sequence 104
Configuration task list 104
Single source IP address for consistent source identification to AAA servers 105
RADIUS general tasks 106
Per-port RADIUS server group configuration 107
RADIUS authentication 107
About authentication fail-through 107
RADIUS authentication tasks 108
Two-factor authentication 109
Configuring two-factor authentication (for local users) 109
Configuring two-factor authentication with SSH (for remote-only users) 110
Configuring two-factor authentication with HTTPS server and REST (for remote-only
users) 113
Two-factor authentication commands 116
aaa authorization radius 116
https-server authentication certificate 117
ssh certificate-as-authorized-key 118
ssh two-factor-authentication 119
Secure RADIUS (RadSec) 120
RadSec configuration 121
Deployment scenarios 121
RadSec example configuration 122
RADIUS accounting 124
Sample general accounting information 124
RADIUS accounting tasks 126
Example: Configuring the switch for Remote AAA with RADIUS 127
Remote AAA (TACACS+, RADIUS) commands 129
aaa accounting allow-fail-through 129
aaa accounting all-mgmt 129
aaa authentication allow-fail-through 132
aaa authentication login 133
aaa authorization allow-fail-through 135
aaa authorization commands 137
aaa group server 140
radius-server auth-type 141
radius-server host 142
radius-server host secure ipsec 145
radius-server host tls (RadSec) 150
radius-server host tls port-access 153
radius-server host tls tracking-method 154
radius-server key 155
radius-server retries 157
radius-server status-server interval 157
radius-server timeout 158
radius-server tls timeout (RadSec) 159
radius-server tracking 160
server 162
show aaa accounting 164
show aaa authentication 166
show aaa authorization 168
show aaa server-groups 170
show accounting log 172
show radius-server 175
show radius-server secure ipsec 181
show radius-server authentication statistics 182
show radius-server authentication statistics host 183
show tacacs-server 184
show tacacs-server statistics 187
show tech aaa 188
tacacs-server auth-type 194
tacacs-server host 195
tacacs-server key 197
tacacs-server timeout 198
tacacs-server tracking 199
RADIUS dynamic authorization 201
Requirements and tips 201
RADIUS dynamic authorization commands 201
radius dyn-authorization enable 201
radius dyn-authorization client 202
radius dyn-authorization port 204
show radius dyn-authorization 205
show radius dyn-authorization client 207
Traffic Insight 209
Protocol and feature details 209
Supported Platforms 209
Caveats for Traffic Insight 210
Configuring Traffic Insight 210
show running-config traffic-insight 211
show traffic-insight monitor-type 212
traffic insight 214
Client Insight 217
Supported Platforms 218
Prerequisites 218
Points to Note 218
Limitations 218
Feature Interoperability 219
Troubleshooting Client Insight 219
Client Insight Commands 219
client-insight enable 219
client-insight on-boarding event logs 220
diag-dump client-insight basic 221
show capacities client-insight-client-limit 223
show capacities-status client-insight-client-limit 224
show events -c client-insight 224
show tech client-insight 227
PKI 230
PKI concepts 230
Digital certificate 230
Certificate authority 230
Root certificate 231
Leaf certificate 231
Intermediate certificate 231
Trust anchor 231
OCSP 231
PKI on the switch 231
Trust anchor profiles 231
Leaf certificates 232
Mandatory matching of peer device hostname 232
PKI EST 232
EST usage overview 232
Prerequisites for using EST for certificate enrollment 233
EST profile configuration 233
Certificate enrollment 233
Certificate re-enrollment 233
Checking EST profile and certificate configuration 234
EST best practices 234
Example using EST for certificate enrollment 234
Example including the use of an intermediate certificate 240
Installing a self-signed leaf certificate (created inside the switch) 242
Installing a self-signed leaf certificate (created outside the switch) 243
Installing a certificate of a root CA 244
Installing a downloadable user role certificate 245
Installing a CA-signed leaf certificate (initiated in the switch) 246
Installing a CA-signed leaf certificate (created outside the switch) 247
PKI commands 248
crypto pki application 248
crypto pki certificate 250
crypto pki ta-profile 251
enroll self-signed 252
enroll terminal 252
import (CA-signed leaf certificate) 253
import (self-signed leaf certificate) 255
key-type 257
ocsp disable-nonce 258
ocsp enforcement-level 259
ocsp url 260
ocsp vrf 261
revocation-check ocsp 262
show crypto pki application 262
show crypto pki certificate 263
show crypto pki ta-profile 265
ta-certificate 267
subject 268
PKI EST commands 270
arbitrary-label 270
arbitrary-label-enrollment 271
arbitrary-label-reenrollment 272
crypto pki est-profile 273
enroll est-profile 274
reenrollment-lead-time 275
retry-count 276
retry-interval 276
show crypto pki est-profile 277
url 278
username 279
vrf 281
Port access 283
Port access MAC authentication 284
How MAC authentication works 285
How RADIUS server is used in MAC authentication 285
Supported platforms and standards 285
Scale 285
Supported RFCs and standards 286
Considerations and best practices 286
Port access configuration task list 287
Port access 802.1X and MAC authentication configuration example 287
Use cases 289
Use case 1: Faster onboarding of MAC authentication clients using concurrent
onboarding 289
Use case 2: PXE clients that download the supplicant 289
Port access 802.1X authentication commands 290
aaa authentication port-access dot1x authenticator 290
aaa authentication port-access dot1x authenticator auth-method 291
aaa authentication port-access dot1x authenticator cached-reauth 292
aaa authentication port-access dot1x authenticator cached-reauth-period 292
aaa authentication port-access dot1x authenticator discovery-period 293
aaa authentication port-access dot1x authenticator eapol-timeout 294
aaa authentication port-access dot1x authenticator initial-auth-response-timeout 295
aaa authentication port-access dot1x authenticator max-eapol-requests 296
aaa authentication port-access dot1x authenticator max-retries 297
aaa authentication port-access dot1x authenticator quiet-period 298
aaa authentication port-access dot1x authenticator radius server-group 299
aaa authentication port-access dot1x authenticator reauth 300
aaa authentication port-access dot1x authenticator reauth-period 300
clear dot1x authenticator statistics interface 301
show aaa authentication port-access dot1x authenticator interface client-status 302
show aaa authentication port-access dot1x authenticator interface port-statistics 304
Port access MAC authentication commands 305
aaa authentication port-access allow-lldp-auth [mac {source-mac|chassis-mac}] 305
aaa authentication port-access mac-auth 307
aaa authentication port-access mac-auth addr-format 308
aaa authentication port-access mac-auth auth-method 308
aaa authentication port-access mac-auth cached-reauth 309
aaa authentication port-access mac-auth cached-reauth-period 310
aaa authentication port-access mac-auth password 311
aaa authentication port-access mac-auth quiet-period 312
aaa authentication port-access mac-auth radius server-group 312
aaa authentication port-access mac-auth reauth 314
aaa authentication port-access mac-auth reauth-period 314
clear mac-auth statistics 315
show aaa authentication port-access mac-auth interface client-status 316
show aaa authentication port-access mac-auth interface port-statistics 318
Port access general commands 319
aaa authentication port-access allow-lldp-auth 319
aaa authentication port-access allow-cdp-auth 321
aaa authentication port-access auth-mode 321
aaa authentication port-access auth-precedence 322
aaa authentication port-access auth-priority 323
aaa authentication port-access auth-role 324
aaa authentication port-access client-auto-log-off final-authentication-failure 325
aaa authentication port-access client-limit 326
port-access allow-flood-traffic 327
port-access client-move 328
port-access event-log client 329
port-access fallback-role 330
port-access log-off client 331
port-access onboarding-method precedence 331
port-access onboarding-method concurrent 332
port-access reauthenticate interface 334
show aaa authentication port-access interface client-status 334
show port-access clients 336
show port-access clients detail 342
show port-access clients onboarding-method 350
Port access debugging and troubleshooting 352
Radius server reachability debugging and troubleshooting 352
Port access MAC authentication debugging and troubleshooting 353
Using show commands 353
Using debug commands 354
Port access 802.1X authentication debugging and troubleshooting 355
Using show commands 355
Using other commands 357
Port access FAQ 358
References 358
Port access security violation 358
Port access security violation commands 359
port-access security violation action 359
port-access security violation action shutdown auto-recovery 360
port-access security violation action shutdown recovery-timer 361
show interface 361
show port-access aaa violation interface 362
show port-access port-security violation client-limit-exceeded interface 363
Port access policy 364
Classes and actions supported by port access policies 365
RADIUS policies 365
Filter-ID 365
NAS-Filter-Rule 366
Aruba-NAS-Filter-Rule 367
Limitations 367
Port access policy commands 368
port-access policy 368
port-access policy copy 372
port-access policy resequence 373
port-access policy reset 373
clear port-access policy hitcounts 375
show port-access policy 377
show port-access policy hitcounts 379
Port access role 381
Operational notes 382
Downloadable user roles 382
Special roles 382
Critical role 383
Reject role 383
Pre-authentication role 383
Auth-role 384
Fallback role 384
Port access role commands 385
auth-mode 385
cached-reauth-period 385
client-inactivity timeout 386
description 387
mtu 388
port-access role 388
reauth-period 389
session timeout 390
show aaa authentication port-access interface client-status 391
show port-access role 392
stp-admin-edge-port 395
trust-mode 396
vlan 397
Supported RADIUS attributes 400
Attributes supported in 802.1X authentication 400
Attributes supported in MAC authentication 400
Attributes supported in dynamic authorization 401
Session authorization attributes supported in 802.1X and MAC authentication, and CoA 401
Standard session attributes supported 401
Vendor-Specific Attributes supported in session authorization 402
Description of VSAs 402
Attributes supported in RADIUS network accounting 403
Attributes supported in RADIUS server tracking 404
Port security 405
Port-security sticky MAC 405
Basic operation 406
Default port security operation 406
Intruder protection 406
General operation for port security 406
Blocking unauthorized traffic 407
Trunk group exclusion 407
Port security commands 407
port-access port-security 407
port-access port-security client-limit 408
port-access port-security mac-address 409
show port-access port-security interface client-status 410
show port-access port-security interface port-statistics 412
sticky-learn enable 412
sticky-learn mac 413
show port-access security violation sticky-mac-client-move interface 414
Fault Monitor 416
Fault monitoring conditions 416
Excessive broadcasts 416
Excessive multicasts 416
Excessive link flaps 416
Excessive oversize packets 416
Excessive jabbers 416
Excessive fragments 416
Excessive CRC errors 417
Excessive late collisions 417
Excessive collisions 417
Excessive TX drops 417
Excessive alignment errors 417
Excessive flow control watchdog triggers 417
Fault monitor commands 417
(Fault enabling/disabling) 417
action 419
apply fault-monitor profile 422
fault-monitor profile 423
show fault-monitor profile 424
show interface fault-monitor profile 425
show interface fault-monitor status 426
show running-config 427
threshold 429
vsx-sync (fault monitor) 431
Group based policy (GBP) 433
gbp enable 433
gbp role infra 434
Configuring enhanced security 436
Configuring enhanced security 436
Configuring remote logging using SSH reverse tunnel 437
CLI user session management commands 438
cli-session 438
Auditors and auditing tasks 441
Auditing tasks (CLI) 441
Auditing tasks (Web UI) 441
REST requests and accounting logs 442
Support and Other Resources 443
Accessing Aruba Support 443
Accessing Updates 444
Aruba Support Portal 444
My Networking 444
Warranty Information 444
Regulatory Information 444
Documentation Feedback 445
Chapter 1
About this document
About this document
This document describes features of the AOS-CX network operating system. It is intended for
administrators responsible for installing, configuring, and managing Aruba switches on a network.
Applicable products
This document applies to the following products:
- Aruba 8320 Switch Series (JL479A, JL579A, JL581A)
- Aruba 8325 Switch Series (JL624A, JL625A, JL626A, JL627A)
- Aruba 8400 Switch Series (JL366A, JL363A, JL687A)
- Aruba 9300 Switch Series (R9A29A, R9A30A, R8Z96A)
- Aruba 10000 Switch Series (R8P13A, R8P14A)
Latest version available online
Updates to this document can occur after initial publication. For the latest versions of product
documentation, see the links provided in Support and Other Resources.
Command syntax notation conventions
Convention    Usage

example-text
  Identifies commands and their options and operands, code examples, filenames, pathnames, and output displayed in a command window. Items that appear like the example text in the previous column are to be entered exactly as shown and are required unless enclosed in brackets ([ ]).

example-text (user input)
  In code and screen examples, indicates text entered by a user.

Any of the following: <example-text>, <example-text>, example-text, example-text
  Identifies a placeholder—such as a parameter or a variable—that you must substitute with an actual value in a command or in code:
  - For output formats where italic text cannot be displayed, variables are enclosed in angle brackets (< >). Substitute the text—including the enclosing angle brackets—with an actual value.
  - For output formats where italic text can be displayed, variables might or might not be enclosed in angle brackets. Substitute the text, including the enclosing angle brackets, if any, with an actual value.

|
  Vertical bar. A logical OR that separates multiple items from which you can choose only one. Any spaces that are on either side of the vertical bar are included for readability and are not a required part of the command syntax.

{ }
  Braces. Indicates that at least one of the enclosed items is required.

[ ]
  Brackets. Indicates that the enclosed item or items are optional.

… or ...
  Ellipsis:
  - In code and screen examples, a vertical or horizontal ellipsis indicates an omission of information.
  - In syntax using brackets and braces, an ellipsis indicates items that can be repeated. When an item followed by ellipses is enclosed in brackets, zero or more items can be specified.
About the examples
Examples in this document are representative and might not match your particular switch or
environment.
The slot and port numbers in this document are for illustration only and might be unavailable on your
switch.
Understanding the CLI prompts
When illustrating the prompts in the command line interface (CLI), this document uses the generic term
switch, instead of the host name of the switch. For example:
switch>
The CLI prompt indicates the current command context. For example:
switch>
Indicates the operator command context.
switch#
Indicates the manager command context.
switch(CONTEXT-NAME)#
Indicates the configuration context for a feature. For example:
switch(config-if)#
Identifies the interface context.
Variable information in CLI prompts
In certain configuration contexts, the prompt may include variable information. For example, when in
the VLAN configuration context, a VLAN number appears in the prompt:
switch(config-vlan-100)#
When referring to this context, this document uses the syntax:
switch(config-vlan-<VLAN-ID>)#
Where <VLAN-ID> is a variable representing the VLAN number.
Identifying switch ports and interfaces
Physical ports on the switch and their corresponding logical software interfaces are identified using the
format:
member/slot/port
On the 83xx, 9300, and 10000 Switch Series
- member: Always 1. VSF is not supported on this switch.
- slot: Always 1. This is not a modular switch, so there are no slots.
- port: Physical number of a port on the switch.
For example, the logical interface 1/1/4 in software is associated with physical port 4 on the switch.
If using breakout cables, the port designation changes to x:y, where x is the physical port and y is the lane when split to 4 x 10G or 4 x 25G. For example, the logical interface 1/1/4:2 in software is associated with lane 2 on physical port 4 in slot 1 on member 1.
On the 8400 Switch Series
- member: Always 1. VSF is not supported on this switch.
- slot: Specifies the physical location of a module in the switch chassis.
  - Management modules are on the front of the switch in slots 1/5 and 1/6.
  - Line modules are on the front of the switch in slots 1/1 through 1/4, and 1/7 through 1/10.
- port: Physical number of a port on a line module.
For example, the logical interface 1/1/4 in software is associated with physical port 4 in slot 1 on member 1.
Identifying modular switch components
- Power supplies are on the front of the switch behind the bezel above the management modules. Power supplies are labeled in software in the format member/power supply:
  - member: 1.
  - power supply: 1 to 4.
- Fans are on the rear of the switch and are labeled in software as member/tray/fan:
  - member: 1.
  - tray: 1 to 4.
  - fan: 1 to 4.
- Fabric modules are not labeled on the switch but are labeled in software in the format member/module:
  - member: 1.
  - module: 1 or 2.
- The display module on the rear of the switch is not labeled with a member or slot number.
Chapter 2
About security
About security
This AOS-CX switch provides the following security features:
- Local user and group management.
- Authentication, Authorization, and Accounting (AAA), either local (password or SSH public key-based), or remote password-based TACACS+ or RADIUS.
- SSH server. SSH is a cryptographic protocol that encrypts all communication between devices.
- Ability to use enhanced security as described in Configuring enhanced security.
- Making sensitive switch configuration information available for secure export/import between switches. For information, see service export-password.
About Authentication, Authorization, and Accounting (AAA)
- Authentication: identifies users, validates their credentials, and grants switch access.
- Authorization: controls authenticated users' command execution and switch interaction privileges.
- Accounting: collects and manages user session activity logs for auditing and reporting purposes.
Local AAA on your Aruba switch provides:
- Authentication using a local password or SSH public key.
- Authorization using role-based access control (RBAC), and optionally, using user-defined local user groups with command authorization rules defined per group.
- Accounting of user activity on the switch using accounting logs.
Remote AAA provides the following for your Aruba switch:
- Authentication using remote AAA servers with either TACACS+ or RADIUS.
- Authorization using remote AAA servers with TACACS+ fine-grained command authorization. Local RBAC or local rule-based authorization is also possible.
- Transmission of locally collected accounting information to remote TACACS+ and RADIUS servers.
TACACS+ (Terminal Access Controller Access-Control System Plus) and RADIUS (Remote Authentication Dial-In User Service) server software is readily available as either open source or from various vendors.
For switches that support multiple management modules such as the Aruba 8400, all AAA functionality discussed applies only to the active management module. See also AAA on switches with multiple management modules in the High Availability Guide.
Chapter 3
Managing users and groups
Managing users and groups
Default user admin
A factory-default switch comes with a single user named admin.
The admin user:
- Has an empty password. Press Enter in response to the admin password prompt. At initial boot, you are prompted to define a password for the admin user. Although empty (blank) passwords are allowed, it is recommended that you use strong passwords for all production switches.
- Is a member of the administrators group.
- Cannot be removed from the switch.
The switch admin user is distinct from the Service OS admin user. The Service OS acts as the bootloader and recovery operating system. The Service OS has its own CLI.
Example of first login with password setting
switch login: admin
Password:
Please configure the 'admin' user account password.
Enter new password: ********
Confirm new password: ********
switch#
Built-in user groups and their privileges
The switch provides the following built-in user groups with corresponding roles. Each of these roles
comes with a set of privileges.
Group/Role    Privileges

administrators
  Administrators have full privileges, including:
  - Full CLI access.
  - Performing firmware upgrades.
  - Viewing switch configuration information, including sensitive information such as passwords, which are displayed as ciphertext.
  - Performing switch configuration.
  - Adding/removing user accounts.
  - Configuring user accounts, including passwords. Once set, a password cannot be deleted or set to empty.
  - REST API: All methods (GET, PUT, POST, DELETE) and switch resources are available.
  The privilege level for administrators is 15.

operators
  Operators have no switch configuration privileges. Operators are restricted to:
  - Basic display-only CLI access.
  - Viewing of nonsensitive switch configuration information.
  - REST API: Other than the \login and \logout resources, only the GET method is available.
  The privilege level for operators is 1.

auditors
  Auditors are restricted to functions related to auditing only:
  - CLI: Access to commands in the auditor context (auditor>) only.
  - Web UI: Access to the System > Log page only.
  - REST API: POST method available for the \login and \logout resources. GET method available for the following resources only:
    - Audit log: /logs/audit
    - Event log: /logs/event
  The privilege level for auditors is 19.
User-defined user groups
The switch enables you to create up to 29 user-defined local user groups for the purpose of configuring local authorization. Each of the 29 user-defined groups supports up to 1024 CLI command authorization rules that define which CLI commands can be executed by members of the group.
The local user groups with their command execution rules are useful for the following:
- Providing authorization for use with RADIUS servers.
- Providing fallback authorization for use with TACACS+ servers.
- Providing authorization when neither RADIUS nor TACACS+ servers are used.
User name requirements
A user name must meet the following requirements:
- Must start with a lowercase letter.
- Can contain numbers and lowercase letters.
- Can include only these three special characters: hyphens ( - ), dots ( . ), and underscores ( _ ).
- Can have a maximum of 32 characters.
- Cannot be empty.
- Cannot contain uppercase letters.
- Cannot be: admin, root, or remote_user.
- Cannot be a Linux reserved name such as: daemon, bin, sys, sync, proxy, www-data, backup, list, irc, gnats, nobody, systemd-bus-proxy, sshd, messagebus, rpc, systemd-journal-gateway, systemd-journal-remote, systemd-journal-upload, systemd-timesync, systemd-coredump, systemd-resolve, rpcuser, vagrant, opsd, rdanet, _lldpd, rdaadmin, rdaweb, docker_container, tss.
Password requirements
Passwords must:
- Contain only ASCII characters from hexadecimal 21 to hexadecimal 7E [\x21-\x7E] (decimal 33 to 126). Spaces are not allowed. When the password is entered directly without prompting, the "?" symbol (hexadecimal 3F [\x3F] (decimal 63)) is not permitted.
- Contain at most 32 characters.
- Contain at least the number of characters configured (optionally) for minimum-password-length.
Although empty passwords are supported, it is recommended that you use strong passwords for all production switches.
Only an administrator can change the password of a user assigned to the operators role.
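The following Python checker is an added example (not code from the guide or from AOS-CX) that applies the user name and password rules above to candidate values, for instance in a provisioning script before accounts are pushed to a switch. The function names and the minimum_length and entered_at_prompt parameters are this example's own; minimum_length mirrors the optional minimum-password-length setting and entered_at_prompt=False models a password given directly on the command line, where "?" is not permitted.

```python
import re

# Limits and rules taken from the "User name requirements" and
# "Password requirements" sections of the guide.
USERNAME_MAX_LEN = 32
PASSWORD_MAX_LEN = 32
USERNAME_RE = re.compile(r"[a-z][a-z0-9._-]*")

# Names the guide lists as not allowed for user-defined accounts.
FORBIDDEN_NAMES = {"admin", "root", "remote_user"}
LINUX_RESERVED_NAMES = {
    "daemon", "bin", "sys", "sync", "proxy", "www-data", "backup", "list",
    "irc", "gnats", "nobody", "systemd-bus-proxy", "sshd", "messagebus",
    "rpc", "systemd-journal-gateway", "systemd-journal-remote",
    "systemd-journal-upload", "systemd-timesync", "systemd-coredump",
    "systemd-resolve", "rpcuser", "vagrant", "opsd", "rdanet", "_lldpd",
    "rdaadmin", "rdaweb", "docker_container", "tss",
}


def check_username(name: str) -> list[str]:
    """Return the list of rules the name violates (empty means acceptable)."""
    if name == "":
        return ["user name cannot be empty"]
    problems = []
    if len(name) > USERNAME_MAX_LEN:
        problems.append(f"user name exceeds {USERNAME_MAX_LEN} characters")
    if name != name.lower():
        problems.append("uppercase letters are not allowed")
    elif not USERNAME_RE.fullmatch(name):
        problems.append("must start with a lowercase letter and contain only "
                        "lowercase letters, digits, '-', '.' and '_'")
    if name in FORBIDDEN_NAMES:
        problems.append(f"'{name}' cannot be used as a user name")
    elif name in LINUX_RESERVED_NAMES:
        problems.append(f"'{name}' is a Linux reserved name")
    return problems


def check_password(password: str, minimum_length: int = 0,
                   entered_at_prompt: bool = True) -> list[str]:
    """Return the list of rules the password violates (empty means acceptable).

    minimum_length = 0 means minimum-password-length is not configured, so an
    empty password passes (the guide allows it, while recommending against it).
    entered_at_prompt=False models a password typed directly on the command
    line instead of at the password prompt.
    """
    problems = []
    if len(password) > PASSWORD_MAX_LEN:
        problems.append(f"password exceeds {PASSWORD_MAX_LEN} characters")
    if len(password) < minimum_length:
        problems.append(f"password is shorter than the configured minimum "
                        f"of {minimum_length} characters")
    # Only printable ASCII 0x21-0x7E is allowed; this rejects spaces, control
    # characters and any non-ASCII character.
    bad = sorted({c for c in password if not 0x21 <= ord(c) <= 0x7E})
    if bad:
        problems.append("characters outside \\x21-\\x7E are not allowed: "
                        + ", ".join(repr(c) for c in bad))
    if not entered_at_prompt and "?" in password:
        problems.append("'?' is not permitted when the password is entered "
                        "directly on the command line")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ("netops-1", "NetOps", "sshd", "admin", "1st-user"):
        print(f"{name!r}: {check_username(name) or 'ok'}")
    for pw, kw in (("Str0ng!Pass", {}), ("has space", {}),
                   ("why?not", {"entered_at_prompt": False}),
                   ("short", {"minimum_length": 8})):
        print(f"{pw!r} {kw}: {check_password(pw, **kw) or 'ok'}")
```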
Per-user management interface enablement
By default, switch users are enabled for accessing the switch through all these available management
interfaces: ssh,telnet,https-server,console.
Optionally, one or more of the management interfaces can be disabled for specific users.
User accounts can be local or managed on remote TACACS+ or RADIUS servers.
Local per-user management interface enablement
Local per-user management interface enablement is performed with the CLI command user management-interface. The CLI command show user-list management-interface is available for showing the current configuration.
Example of disabling the SSH management interface for local user admin1:
switch(config)# no user admin1 management-interface ssh
switch(config)# show user-list management-interface
USER ENABLED MANAGEMENT INTERFACE(S)
------------------------------------------------------------
admin ssh,telnet,https-server,console
admin1 telnet,https-server,console
Example of disabling the telnet management interface for local user admin1:
switch(config)# no user admin1 management-interface telnet
switch(config)# show user-list management-interface
USER ENABLED MANAGEMENT INTERFACE(S)
------------------------------------------------------------
admin ssh,telnet,https-server,console
admin1 https-server,console
Example of re-enabling the SSH management interface for local user admin1:
switch(config)# user admin1 management-interface ssh
switch(config)# show user-list management-interface
USER ENABLED MANAGEMENT INTERFACE(S)
------------------------------------------------------------
admin ssh,telnet,https-server,console
admin1 ssh,https-server,console
Remote (TACACS+ or RADIUS) per-user management interface enablement
For remote TACACS+ and RADIUS servers, per-user management interface enablement is performed by
configuring the Aruba VSA Aruba-User-Mgmt-Interface.
On the TACACS+ or RADIUS server, the Aruba VSA Aruba-User-Mgmt-Interface must be set to a
comma-separated list of management interface names for which login is permitted by the associated
user. Management interfaces omitted from the list are disabled for the associated user. A maximum of
four management interface names are allowed, with each management interface name given once.
Permitted management interface names (always lowercase) are as follows:
• ssh
• telnet
• https-server
• console
The VSA has a maximum length of 32 characters. The VSA is ignored by the switch if longer than 32
characters.
When a user login fails because of an attempt to use a management interface that is not allowed, an
event log is available indicating the enabled management interfaces as received in the TACACS+ or
RADIUS VSA.
When using a RADIUS server other than ClearPass Policy Manager (CPPM), before setting the Aruba-User-Mgmt-Interface VSA, you must first define the VSA on the RADIUS server in file /usr/share/freeradius/dictionary.aruba as follows:
ATTRIBUTE Aruba-User-Mgmt-Interface 69 string
Example RADIUS server VSA value that enables the two named management interfaces (ssh,telnet)
while disabling the two unnamed management interfaces (https-server,console):
Aruba-User-Mgmt-Interface = "ssh,telnet"
Example RADIUS server VSA value that enables all four management interfaces:
Aruba-User-Mgmt-Interface = "ssh,telnet,https-server,console"
Example TACACS+ server configuration for user admin1 with a VSA that enables management interfaces
ssh and console:
key = test
group = admin {
default service = permit
service = exec {
priv-lvl = 15
Aruba-User-Mgmt-Interface = ssh,console
}
}
user = admin1 {
member = admin
pap = cleartext testing
}
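The VSA rules above (comma-separated lowercase names, at most four, each once, 32-character limit, omitted names disabled), applied to both the RADIUS and the TACACS+ value forms, as an added example that is not part of the guide and not AOS-CX, ClearPass or FreeRADIUS code. It checks an Aruba-User-Mgmt-Interface value before it is written into a server's user record and works out which interfaces the switch will leave enabled and disabled. Two points are assumptions made here, not statements from the guide: that an ignored (over-length) VSA leaves the switch default of all four interfaces enabled, and that the denial message format at the end is a constructed summary, not the switch's actual event-log text.

```python
"""Validate an Aruba-User-Mgmt-Interface VSA value and derive the resulting
per-user management interface enablement. Added example; not vendor code."""

# Switch default: every management interface enabled (order as listed in the guide).
ALL_INTERFACES = ("ssh", "telnet", "https-server", "console")
VSA_MAX_LENGTH = 32
VSA_MAX_NAMES = 4


def vsa_value_from_line(line: str) -> str:
    """Extract the value from an 'Aruba-User-Mgmt-Interface = ...' line as it
    appears in a RADIUS users file (quoted) or a TACACS+ service block (bare)."""
    attribute, sep, value = line.partition("=")
    if not sep or attribute.strip() != "Aruba-User-Mgmt-Interface":
        raise ValueError(f"not an Aruba-User-Mgmt-Interface assignment: {line!r}")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # RADIUS users-file string quoting
    return value


def parse_mgmt_interface_vsa(value: str) -> tuple:
    """Return (enabled, disabled, note) for a VSA value.

    note is non-empty when the switch would ignore the VSA (longer than 32
    characters); assumption: an ignored VSA leaves the switch default in force.
    Raises ValueError for values the guide does not permit (unknown or
    non-lowercase names, a name given twice, more than four names).
    """
    if len(value) > VSA_MAX_LENGTH:
        return (list(ALL_INTERFACES), [],
                f"VSA ignored by the switch: {len(value)} characters exceeds {VSA_MAX_LENGTH}; "
                "default enablement assumed")
    names = value.split(",")
    if len(names) > VSA_MAX_NAMES:
        raise ValueError(f"{len(names)} names given; at most {VSA_MAX_NAMES} are allowed")
    seen = []
    for name in names:
        if name not in ALL_INTERFACES:
            raise ValueError(f"unknown or non-lowercase management interface name {name!r}")
        if name in seen:
            raise ValueError(f"management interface {name!r} listed more than once")
        seen.append(name)
    enabled = [i for i in ALL_INTERFACES if i in seen]
    disabled = [i for i in ALL_INTERFACES if i not in seen]
    return enabled, disabled, ""


def login_denial_summary(user: str, interface: str, value: str) -> str:
    """Constructed summary (not the switch's real log format) of why a login on
    `interface` would be refused, or '' if the VSA permits it."""
    enabled, _disabled, _note = parse_mgmt_interface_vsa(value)
    if interface in enabled:
        return ""
    return (f"login by {user} via {interface} denied: "
            f"VSA enables {','.join(enabled)}")


if __name__ == "__main__":
    # Constructed sample lines in the two forms shown in the guide.
    for line in ('Aruba-User-Mgmt-Interface = "ssh,telnet"',
                 'Aruba-User-Mgmt-Interface = ssh,console'):
        enabled, disabled, note = parse_mgmt_interface_vsa(vsa_value_from_line(line))
        print(f"{line:48} enabled={enabled} disabled={disabled} {note}")
    print(login_denial_summary("admin1", "telnet", "ssh,console"))
```

Running the checker against every Aruba-User-Mgmt-Interface value in a RADIUS users file or TACACS+ configuration before deployment catches the quiet failure mode the guide warns about: a value over 32 characters is not rejected by the server but is silently ignored by the switch, which leaves the user with more interfaces enabled than the administrator intended.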
User and user group management tasks
User and user group management common tasks are as follows:

Task | Command or procedure | Example
---------------------------------------------------------------------------------------------
Creating a user | user | user jamie group administrators password
Changing a user password | user password | user jamie password
Removing a user | user | no user jamie
Setting a user account password | user password | user admin password
Resetting the admin password using the Service OS | (procedure) |
Resetting the admin password by reverting the switch to factory defaults | (procedure) | erase startup-config; boot system
Showing a list of all users | show user-list | show user-list
Showing information for the logged-in user | show user information | show user information
Creating a user group | user-group | user-group admuser2
Adding command authorization rules to a user group | permit or deny (within user-group) | 10 deny cli command "show aaa .*"; 20 permit cli command "show .*"
Adding comments to rules in a user group | comment (within user-group) | 10 comment Deny all show aaa commands.; 20 comment Permit all other show commands.