ArubaOS-Switch Access Security

ArubaOS-Switch Access Security Guide
for YA/YB.16.03
Part Number: 5200-2904b
Published: August 2017
Edition: 3
© Copyright 2017 Hewlett Packard Enterprise Development LP
Notices
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such products
and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard
Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise
has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the United
States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java® and Oracle® are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Chapter 1 About this document....................................................................15
Chapter 2 Security Overview.........................................................................16
Introduction.............................................................................................................................................. 16
About this guide............................................................................................................................ 16
For more information.....................................................................................................................16
Access security features.......................................................................................................................... 16
Network security features........................................................................................................................ 24
Getting started with access security........................................................................................................ 24
Physical security........................................................................................................................... 24
Using the Management Interface wizard.......................................................................................25
Configuring security settings using the CLI wizard.............................................................25
WebAgent: Management Interface wizard......................................................................... 27
SNMP security guidelines............................................................................................................. 27
General SNMP access to the switch.................................................................................. 27
SNMP access to the authentication configuration MIB...................................................... 27
HPE PCM+ Identity-Driven manager (IDM)............................................................................................. 28
Chapter 3 Configuring Username and Password Security........................ 29
Overview.................................................................................................................................................. 29
Configuring password security...................................................................................................... 29
Configuring local password security........................................................................................................ 30
Setting passwords (Menu)............................................................................................................ 30
Deleting password protection............................................................................................. 30
Recovering from a lost manager password........................................................................31
Setting passwords and usernames (CLI)...................................................................................... 31
Removing password protection.......................................................................................... 31
Setting passwords and usernames (WebAgent)...........................................................................32
Saving security credentials in a config file............................................................................................... 32
Benefits of saving security credentials.......................................................................................... 32
Enabling the storage and display of security credentials.............................................................. 32
Security settings that can be saved.............................................................................................. 33
Local manager and operator passwords.......................................................................................33
Front panel security................................................................................................................................. 34
When security is important............................................................................................................34
Front-panel button functions......................................................................................................... 34
Clear button........................................................................................................................35
Reset button....................................................................................................................... 35
Restoring the factory default configuration.........................................................................35
Configuring front panel security.................................................................................................... 36
Disabling the clear password function of the Clear button................................................. 37
Re-enabling the Clear button and setting or changing the ‘reset-on-clear’ operation........ 38
Changing the operation Reset+Clear combination.............................................................39
Password recovery.................................................................................................................................. 40
Disabling or re-enabling the password recovery process............................................................. 40
Password recovery process.......................................................................................................... 41
Contents
Contents 3
Chapter 4 Web and MAC Authentication......................................................43
Overview.................................................................................................................................................. 43
Web-based authentication.............................................................................................................43
MAC authentication.......................................................................................................................43
Concurrent web-based and MAC authentication.......................................................................... 44
Authorized and unauthorized client VLANs...................................................................................44
RADIUS-based authentication...................................................................................................... 44
Wireless clients............................................................................................................................. 45
How web-based and MAC authentication operate...................................................................................45
Web-based authentication.............................................................................................................45
Order of priority for assigning VLANs.................................................................................46
MAC-based authentication............................................................................................................47
Operating rules and notes........................................................................................................................47
Setup procedure for web-based/MAC authentication.............................................................................. 49
Configuring the RADIUS server to support MAC authentication...................................................50
Configuring the switch to access a RADIUS server...................................................................... 50
Radius service tracking................................................................................................................. 51
radius-server tracking.........................................................................................................51
radius-server tracking user-name.......................................................................................52
Configuring web-based authentication.....................................................................................................52
Overview....................................................................................................................................... 53
Configuration commands for web-based authentication............................................................... 53
Controlled direction............................................................................................................ 53
Disable web-based authentication..................................................................................... 54
Specifying the VLAN.......................................................................................................... 54
Maximum authenticated clients.......................................................................................... 54
Specifies base address...................................................................................................... 55
Specifies lease length........................................................................................................ 55
Allowing client moves between specified ports.................................................................. 55
Specifying the period..........................................................................................................55
Specifying the number of authentication attempts............................................................. 55
Specifying maximum retries............................................................................................... 56
Specifying the time period.................................................................................................. 56
Specifying the re-authentication period.............................................................................. 56
Specifying a forced reauthentication.................................................................................. 56
Specifying the URL.............................................................................................................56
Specifying the timeout........................................................................................................ 57
Enabling or disabling SSL login..........................................................................................57
Configuring MAC authentication.............................................................................................................. 57
Preparation for configuring MAC authentication........................................................................... 57
Configuration commands for MAC authentication.........................................................................57
Configuring a MAC-based address format......................................................................... 57
Configuring other MAC-based commands......................................................................... 58
Show status and configuration of web-based authentication........................................................ 60
Show status and configuration of MAC-based authentication.......................................................61
Client status.................................................................................................................................. 61
Chapter 5 Local MAC Authentication........................................................... 63
Overview.................................................................................................................................................. 63
Concepts....................................................................................................................................... 63
Possible scenarios for deployment.......................................................................................................... 63
Show commands..................................................................................................................................... 64
Configuration commands......................................................................................................................... 65
Per-port attributes......................................................................................................................... 66
Configuration examples................................................................................................................ 66
Configuration example 1.................................................................................................... 66
Configuration example 2.................................................................................................... 66
Configuration using mac-groups........................................................................................ 68
Configuration without using mac-groups............................................................................ 68
Chapter 6 Port-based MAC authentication.................................................. 70
Overview.................................................................................................................................................. 70
Operating notes....................................................................................................................................... 70
aaa port-access use-lldp-data..................................................................................................................70
Chapter 7 TACACS+ Authentication.............................................................72
Overview.................................................................................................................................................. 72
General system requirements..................................................................................................................72
General authentication setup procedure..................................................................................................73
Configuring TACACS+ on the switch....................................................................................................... 74
show authentication...................................................................................................................... 75
Viewing the current TACACS+ server contact configuration.........................................................75
Configuring the switch authentication methods.............................................................................76
Using the privilege-mode option for login........................................................................... 76
Authentication parameters................................................................................................. 77
Configuring TACACS+ server....................................................................................................... 79
Configuring the TACACS+ server for single login......................................................................... 80
Configuring the switch TACACS+ server access.......................................................................... 83
TACACS+ authorization and accounting commands......................................................... 84
Device running a TACACS+ server application..................................................................89
Optional, global "encryption key"........................................................................................90
Specifying how long the switch waits for a TACACS+ server to respond to an authentication request........................................................................................................ 91
Adding, removing, or changing the priority of a TACACS+ server..................................... 91
Configuring an encryption key............................................................................................92
How authentication operates................................................................................................................... 93
General authentication process using a TACACS+ server........................................................... 93
Local authentication process (TACACS+).....................................................................................94
Using the encryption key...............................................................................................................94
General operation...............................................................................................................94
Encryption options in the switch......................................................................................... 95
Controlling WebAgent access when using TACACS+ authentication......................................................95
Messages related to TACACS+ operation............................................................................................... 95
Operating notes....................................................................................................................................... 96
Chapter 8 RADIUS Authentication, Authorization, and Accounting......... 97
Overview.................................................................................................................................................. 97
Authentication Services.................................................................................................................97
Accounting services...................................................................................................................... 97
SNMP access to the switch's authentication configuration MIB....................................................97
Switch operating rules for RADIUS..........................................................................................................97
General RADIUS setup procedure...........................................................................................................98
Configuring the switch for RADIUS authentication.................................................................................. 99
Configuring authentication for the access methods that RADIUS protects...................................99
Enabling manager access privilege (optional)............................................................................ 102
Configuring the switch to access a RADIUS server.................................................................... 102
Configuring the switch global RADIUS parameters.................................................................... 104
Using SNMP to view and configure switch authentication features....................................................... 106
Viewing and changing the SNMP access configuration..............................................................107
Local authentication process (RADIUS)................................................................................................ 109
Controlling WebAgent access................................................................................................................109
Commands authorization....................................................................................................................... 109
Enabling authorization.................................................................................................................110
Viewing authorization information................................................................................................110
Configuring commands authorization on a RADIUS server.........................................................111
Using vendor specific attributes (VSAs)............................................................................111
Example configuration on Cisco secure ACS for MS Windows........................................112
Example configuration using FreeRADIUS.......................................................................114
Additional RADIUS attributes................................................................................................................. 115
MAC-based VLANs................................................................................................................................ 115
Accounting services............................................................................................................................... 116
Accounting service types.............................................................................................................116
Operating rules for RADIUS accounting......................................................................................116
Configuring RADIUS accounting................................................................................................. 117
Steps for configuring RADIUS accounting........................................................................117
Viewing RADIUS statistics..................................................................................................................... 121
General RADIUS statistics.......................................................................................................... 121
RADIUS authentication statistics................................................................................................ 123
RADIUS accounting statistics..................................................................................................... 124
Changing RADIUS-server access order................................................................................................ 125
Chapter 9 RADIUS Services Support on HPE Switches........................... 127
RADIUS client and server requirements................................................................................................ 127
Optional PCM and HPE PMC IDM network management applications................................................. 127
RADIUS server configuration for CoS (802.1p priority) and rate-limiting...............................................128
Applied rates for RADIUS-assigned rate limits........................................................................... 130
Per-port bandwidth override............................................................................................. 131
Viewing the currently active per-port CoS and rate-limiting configuration...................................132
Viewing CLI-configured rate-limiting and port priority for ports.........................................134
Configuring and using dynamic (RADIUS-assigned) access control lists..............................................135
Overview of RADIUS-assigned, dynamic ACLs..........................................................................135
Traffic applications............................................................................................................136
Contrasting RADIUS-assigned and static ACLs......................................................................... 137
How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port................ 138
Multiple clients sharing the same RADIUS-assigned ACL............................................... 139
Effect of multiple ACL application types on an interface.................................................. 139
General ACL features, planning, and configuration.................................................................... 139
The packet-filtering process........................................................................................................ 140
Operating rules for RADIUS-assigned ACLs.............................................................................. 140
Configuring an ACL in a RADIUS server.................................................................................... 140
Nas-filter-rule options....................................................................................................... 141
ACE syntax in RADIUS servers.................................................................................................. 144
Using the standard attribute in an IPv4 ACL (example)................................................... 147
Using HPE VSA 63 to assign IPv6 and IPv4 ACLs (example)......................................... 149
Using HPE VSA 61 to assign IPv4 ACLs (example)........................................................ 150
Configuration notes.......................................................................................................... 151
Configuring the switch to support RADIUS-assigned ACLs........................................................151
Displaying the current RADIUS-assigned ACL activity on the switch......................................... 152
Event Log messages...................................................................................................................156
Causes of client deauthentication immediately after authenticating........................................... 156
Monitoring shared resources.......................................................................................................156
RADIUS filter-id......................................................................................................................................157
Forcing reauthentication..............................................................................................................157
show access-list radius ..................................................................................................158
show access-list (NAS rule) and (filter-id) ..........................................................................158
Log messages.............................................................................................................................159
Chapter 10 Password Complexity.............................................................. 160
Password complexity overview.............................................................................................................. 160
Password expiration periods..................................................................................................................160
Requirements.........................................................................................................................................160
Limitations..............................................................................................................................................161
Configuring Password Complexity......................................................................................................... 161
Viewing the password configuration............................................................................................161
Enable Password Complexity..................................................................................................... 162
Configure the Password Complexity parameters........................................................................162
Configure password minimum length..........................................................................................163
Configure password composition................................................................................................ 163
Configure password complexity checks...................................................................................... 164
password configuration commands....................................................................................................... 164
password configuration-control.............................................................................................................. 165
password configuration.......................................................................................................................... 166
password minimum-length..................................................................................................................... 167
password ...............................................................................................................................................167
aaa authentication local-user................................................................................................................. 168
password complexity..............................................................................................................................169
password composition........................................................................................................................... 169
show password-configuration................................................................................................................ 170
Troubleshooting..................................................................................................................................... 171
Unable to enable Password Complexity..................................................................................... 171
Unable to download the configuration file................................................................................... 171
Validation rules............................................................................................................................171
Display messages....................................................................................................................... 174
Chapter 11 Configuring Secure Shell (SSH).............................................. 176
Overview................................................................................................................................................ 176
Client public-key authentication (login/operator level) with user password authentication (enable/manager level)............................................................................ 176
Switch SSH and user password authentication.......................................................................... 176
Prerequisite for using SSH.....................................................................................................................177
Public key formats..................................................................................................................................177
Steps for configuring and using SSH for switch and client authentication............................................. 177
General operating rules and notes.........................................................................................................178
Configuring the switch for SSH operation.............................................................................................. 178
Generating or erasing the switch public/private host key pair.....................................................179
crypto key generate................................................................................................ 180
show crypto host-public-key............................................................................... 180
zeroize.......................................................................................................................... 181
Displaying the public key.............................................................................................................181
Providing the switch public key to clients.................................................................................... 182
Enabling SSH on the switch and anticipating SSH client contact behavior................................ 183
ip ssh.............................................................................................................................184
Disabling SSH on the switch....................................................................................................... 185
Configuring the switch for SSH authentication............................................................................185
Option A: Configuring SSH access for password-only SSH authentication..................... 186
Contents 7
Option B: Configuring the switch for client Public-Key SSH authentication..................... 186
SSH client contact behavior............................................................................................. 188
Disable username prompt for management interface authentication in the Quick Base system...........189
Switch behavior with Telnet.........................................................................................................189
Switch behavior with SSH........................................................................................................... 191
Switch behavior with WebUI........................................................................................................192
SSH client public-key authentication notes............................................................................................193
Using client public-key authentication......................................................................................... 194
Creating a client public-key text file.............................................................................................194
Replacing or clearing the public-key file......................................................................................196
Enabling client public-key authentication.................................................................................... 197
Messages related to SSH operation...................................................................................................... 197
Logging messages...................................................................................................................... 198
Debug logging............................................................................................................................. 199
Chapter 12 Configuring Secure Socket Layer (SSL).................................200
Overview................................................................................................................................................ 200
Server certificate authentication with user password authentication...........................................200
Prerequisite for using SSL..................................................................................................................... 201
Steps for configuring and using SSL for switch and client authentication..............................................201
General operating rules and notes.........................................................................................................201
Configuring the switch for SSL operation...............................................................................................201
Assigning a local login (operator) and enabling (manager) password........................................ 201
Using the WebAgent to configure local passwords.......................................................... 201
Generating the switch's server host certificate............................................................................202
To generate or erase the switch's server certificate with the CLI..................................... 202
Comments on certificate fields......................................................................................... 203
Generate a self-signed host certificate with the WebAgent..............................................203
Generate a CA-Signed server host certificate with the WebAgent...................................204
Enabling SSL on the switch and anticipating SSL browser contact behavior............................. 205
SSL client contact behavior..............................................................................................205
Using the CLI interface to enable SSL............................................................................. 206
Using the WebAgent to enable SSL.................................................................................206
Common errors in SSL setup.................................................................................................................207
Chapter 13 IPv4 Access Control Lists (ACLs)...........................................208
Options for applying IPv4 ACLs on the switch....................................................................................... 208
Static ACLs................................................................................................................................. 208
Overview................................................................................................................................................ 209
Types of IPv4 ACLs.....................................................................................................................209
Standard ACL...................................................................................................................209
Extended ACL.................................................................................................................. 209
ACL applications......................................................................................................................... 209
VACL applications............................................................................................................ 209
Static port ACL and RADIUS-assigned ACL applications................................................ 210
Multiple ACLs on an interface..................................................................................................... 210
For a packet to be permitted, it must have a match with a "permit" ACE in all applicable ACLs assigned to an interface.........................................................................211
Exception for connection-rate filtering.............................................................................. 211
Features common to all ACL applications...................................................................................211
General steps for planning and configuring ACLs.......................................................................211
IPv4 static ACL operation...................................................................................................................... 212
Introduction................................................................................................................................. 212
The packet-filtering process........................................................................................................ 213
8 ArubaOS-Switch Access Security Guide for YA/YB.16.03
Sequential comparison and action................................................................................... 213
Implicit Deny.....................................................................................................................213
Planning an ACL application..................................................................................................................215
IPv4 traffic management and improved network performance....................................................215
Security....................................................................................................................................... 215
Guidelines for planning the structure of a static ACL.................................................................. 216
IPv4 ACL configuration and operating rules................................................................................216
How an ACE uses a mask to screen packets for matches......................................................... 217
What is the difference between network (or subnet) masks and the masks used with ACLs?...............................................................................................................217
Rules for defining a match between a packet and an ACE.............................................. 218
Configuring and assigning an IPv4 ACL................................................................................................ 222
General steps for implementing ACLs........................................................................................ 222
Options for permit/deny policies..................................................................................................222
ACL configuration structure.........................................................................................................222
Standard ACL structure....................................................................................................223
Extended ACL configuration structure..............................................................................224
ACL configuration factors............................................................................................................226
The sequence of entries in an ACL is significant............................................................. 226
Allowing for the Implied Deny function............................................................................. 228
A configured ACL has no effect until you apply it to an interface..................................... 228
You can assign an ACL name or number to an interface even if the ACL does not exist in the switch configuration........................................................................................228
Using the CLI to create an ACL.................................................................................................. 228
Inserting or adding an ACE to an ACL............................................................................. 228
Using CIDR notation to enter the IPv4 ACL mask............................................................229
Configuring standard ACLs....................................................................................................................230
Configuring named, standard ACLs............................................................................................ 230
Entering the IPv4 named ACL context............................................................................. 230
Configuring ACEs in a named, standard ACL.................................................................. 231
Creating numbered, standard ACLs.................................................................................232
Configuring extended ACLs................................................................................................................... 234
Configuring named, extended ACLs........................................................................................... 234
Configuring ACEs in named, extended ACLs............................................................................. 235
Including options for TCP and UDP traffic in extended ACLs..................................................... 237
Configuring numbered, extended ACLs...................................................................................... 238
Creating or adding to an extended, numbered ACL.........................................................238
Controlling TCP and UDP traffic flow............................................................................... 241
Adding or removing an ACL assignment on an interface.......................................................................241
Filtering IPv4 traffic inbound on a VLAN..................................................................................... 241
Filtering inbound IPv4 traffic per port.......................................................................................... 242
Deleting an ACL.....................................................................................................................................243
Editing an existing ACL..........................................................................................................................243
Using the CLI to edit ACLs..........................................................................................................244
General editing rules................................................................................................................... 244
Sequence numbering in ACLs.................................................................................................... 244
Inserting an ACE in an existing ACL................................................................................ 245
Deleting an ACE from an existing ACL............................................................................ 246
Resequencing the ACEs in an ACL................................................................................. 247
Attaching a remark to an ACE..........................................................................................248
Operating notes for remarks.............................................................................................250
Viewing ACL configuration data.............................................................................................................251
Viewing an ACL summary...........................................................................................................251
Viewing the content of all ACLs on the switch.............................................................................252
Viewing the VACL assignments for a VLAN................................................................................253
Viewing static port (and trunk) ACL assignments........................................................................254
Viewing specific ACL configuration details..................................................................................254
Viewing all ACLs and their assignments in the routing switch startup-config and running-config files................................................................................................................... 258
Creating or editing an ACL offline.......................................................................................................... 258
Enable ACL “deny” or “permit” logging.................................................................................................. 260
Requirements for using ACL logging.......................................................................................... 260
ACL logging operation.................................................................................................................260
Enabling ACL logging on the switch............................................................................................261
Configuring logging timer............................................................................................................ 261
Monitoring static ACL performance.............................................................................................261
IPv6 counter operation with multiple interface assignments............................................ 264
General ACL operating notes................................................................................................................ 265
Chapter 14 Configuring Advanced Threat Protection.............................. 267
Introduction............................................................................................................................................ 267
DHCP snooping..................................................................................................................................... 267
Enabling DHCP snooping........................................................................................................... 268
Enabling DHCP snooping on VLANs.......................................................................................... 269
Configuring DHCP snooping trusted ports.................................................................................. 270
For DHCPv4 servers........................................................................................................ 270
For DHCPv6 servers........................................................................................................ 270
Configuring authorized server addresses................................................................................... 271
Using DHCP snooping with option 82......................................................................................... 271
Changing the remote-id from a MAC to an IP address.................................................... 272
Disabling the MAC address check................................................................................... 272
DHCP binding database..............................................................................................................273
DHCPv4 snooping max-binding.................................................................................................. 274
Enabling debug logging...............................................................................................................275
DHCP operational notes............................................................................................................. 275
Log messages.............................................................................................................................276
IPv6 Network Defense........................................................................................................................... 277
DSNOOPv6 and DIPLDv6.......................................................................................................... 277
Configuring DHCPv6 snooping........................................................................................ 277
Configuring traps for DHCPv6 snooping.......................................................................... 279
Clearing DHCPv6 snooping statistics ..............................................................................279
Enabling debug logging for DHCPv6 snooping................................................................ 279
DHCPv6 show commands............................................................................................... 279
Dynamic ARP protection........................................................................................................................280
Enabling dynamic ARP protection...............................................................................................281
Configuring trusted ports.............................................................................................................281
Adding an IP-to-MAC binding to the DHCP database.................................................................282
Clearing the DHCP snooping binding table......................................................................283
Adding a static binding..................................................................................................... 283
Configuring additional validation checks on ARP packets.......................................................... 283
Verifying the configuration of dynamic ARP protection............................................................... 284
Displaying ARP packet statistics.................................................................................................284
Monitoring dynamic ARP protection............................................................................................285
Dynamic IP lockdown.............................................................................................................................285
Protection against IP source address spoofing...........................................................................285
Prerequisite: DHCP snooping..................................................................................................... 285
Filtering IP and MAC addresses per-port and per-VLAN............................................................ 286
Enabling Dynamic IP Lockdown..................................................................................................287
IPv4.................................................................................................................................. 287
IPv6.................................................................................................................................. 287
Operational notes........................................................................................................................288
Adding an IP-to-MAC binding to the DHCP binding database.................................................... 288
Potential issues with bindings.......................................................................................... 289
Adding a static binding..................................................................................................... 289
Verifying the dynamic IP lockdown configuration........................................................................ 290
For IPv4............................................................................................................................290
For IPv6............................................................................................................................291
Displaying the static configuration of IP-to-MAC bindings.......................................................... 291
For IPv4............................................................................................................................291
For IPv6............................................................................................................................291
Debugging dynamic IP lockdown................................................................................................ 291
Differences between switch platforms.........................................................................................292
Using the instrumentation monitor......................................................................................................... 293
Operating notes...........................................................................................................................295
Configuring instrumentation monitor........................................................................................... 295
Viewing the current instrumentation monitor configuration......................................................... 297
Chapter 15 Traffic/Security Filters and Monitors...................................... 298
Overview................................................................................................................................................ 298
Filter limits................................................................................................................................... 298
Using port trunks with filter..........................................................................................................298
Filter types and operation...................................................................................................................... 298
Source-port filters........................................................................................................................299
Operating rules for source-port filters...............................................................................299
Name source-port filters..............................................................................................................300
Operating rules for named source-port filters...................................................................300
Defining and configuring named source-port filters..........................................................301
Viewing a named source-port filter...................................................................................302
Using named source-port filters....................................................................................... 302
Configuring traffic/security filters............................................................................................................307
Configuring a source-port traffic filter.......................................................................................... 308
Configuring a filter on a port trunk.................................................................................... 308
Editing a source-port filter........................................................................................................... 309
Configuring a multicast filter........................................................................................................310
Filtering index.............................................................................................................................. 311
Displaying traffic/security filters................................................................................................... 311
Chapter 16 Configuring Port and User-Based Access Control (802.1X).313
Overview................................................................................................................................................ 313
Why use port or user-based access control?..............................................................................313
General features......................................................................................................................... 313
User authentication methods...................................................................................................... 313
802.1X user-based access control................................................................................... 313
802.1X port-based access control....................................................................................314
Authenticating users.........................................................................................................314
Providing a path for downloading 802.1X supplicant software.........................................314
Authenticating one switch to another............................................................................... 315
Accounting........................................................................................................................315
General 802.1X authenticator operation................................................................................................ 315
Example of the authentication process....................................................................................... 315
VLAN membership priority.......................................................................................................... 316
General operating rules and notes.........................................................................................................316
General setup procedure for 802.1X access control..............................................................................317
Overview: configuring 802.1X authentication on the switch........................................................318
Configuring switch ports as 802.1X authenticators................................................................................318
Enable 802.1X authentication on selected ports.........................................................................319
Enable the selected ports as authenticators and enable the (default) port-based authentication................................................................................................... 319
Specify user-based authentication or return to port-based authentication....................... 319
Reconfigure settings for port-access...........................................................................................320
Configure the 802.1X authentication method..............................................................................322
Enter the RADIUS host IP address(es).......................................................................................323
Enable 802.1X authentication on the switch............................................................................... 324
Reset authenticator operation (optional)..................................................................................... 324
Optional: Configure 802.1X Controlled Direction........................................................................ 324
Wake-on-LAN Traffic...................................................................................................................325
Unauthenticated VLAN access (guest VLAN access).................................................................325
Characteristics of mixed port access mode......................................................................325
Configuring mixed port access mode............................................................................... 326
Configuring RADIUS port speed VSA......................................................................................... 326
Configuring the port.....................................................................................................................326
Viewing the port operation mode.................................................................................................327
802.1X Open VLAN mode..................................................................................................................... 329
Introduction................................................................................................................................. 329
VLAN membership priorities....................................................................................................... 329
Use models for 802.1X Open VLAN modes................................................................................330
Operating rules for authorized and unauthorized-client VLANs.................................................. 333
Setting up and configuring 802.1X Open VLAN mode................................................................337
Configuring general 802.1X operation..............................................................................337
Configuring 802.1X Open VLAN mode............................................................................ 338
Inspecting 802.1X Open VLAN mode operation.............................................................. 339
802.1X Open VLAN operating notes...........................................................................................339
Option for authenticator ports: configure port-security to allow only 802.1X-authenticated devices......340
Port-Security............................................................................................................................... 341
Configure the port access type.........................................................................................341
Configuring switch ports to operate as supplicants for 802.1X connections to other switches..............342
Supplicant port configuration.......................................................................................................342
Enabling a switch port as a supplicant............................................................................. 343
Configuring a supplicant switch port.................................................................................343
Displaying 802.1X configuration, statistics, and counters......................................................................344
Show commands for port-access authenticator.......................................................................... 344
Viewing 802.1X Open VLAN mode status...................................................................................344
Show commands for port-access supplicant...............................................................................347
Note on supplicant statistics.............................................................................................348
How RADIUS/802.1X authentication affects VLAN operation............................................................... 348
VLAN assignment on a port........................................................................................................ 348
Operating notes...........................................................................................................................349
Example of untagged VLAN assignment in a RADIUS-based authentication session............... 350
Enabling the use of GVRP-learned dynamic VLANs in authentication sessions........................ 353
Chapter 17 Configuring and Monitoring Port Security............................. 354
Overview................................................................................................................................................ 354
Port security........................................................................................................................................... 354
Basic operation........................................................................................................................... 354
Eavesdrop Prevention.................................................................................................................355
Blocked unauthorized traffic........................................................................................................355
Trunk group exclusion.................................................................................................................356
Planning port security..................................................................................................................356
Port security command options and operation............................................................................357
Displaying port security settings.......................................................................................357
Configuring port security............................................................................................................. 359
12 ArubaOS-Switch Access Security Guide for YA/YB.16.03
Port security commands...................................................................................................359
Retention of static addresses......................................................................................................361
Learned addresses...........................................................................................................362
Assigned/authorized addresses....................................................................................... 362
Specifying authorized devices and intrusion responses...................................................362
Adding an authorized device to a port..............................................................................363
Removing a device from the “authorized” list for a port....................................................364
MAC Lockdown......................................................................................................................................365
How MAC Lockdown works........................................................................................................ 366
Differences between MAC Lockdown and port security..............................................................366
MAC Lockdown operating notes................................................................................................. 367
Limits................................................................................................................................ 367
Event Log messages........................................................................................................367
Limiting the frequency of log messages........................................................................... 367
Deploying MAC Lockdown.......................................................................................................... 367
Basic MAC Lockdown deployment...................................................................................368
Problems using MAC Lockdown in networks with multiple paths.....................................369
MAC Lockout......................................................................................................................................... 370
How MAC Lockout works............................................................................................................ 370
Port security and MAC Lockout............................................................................................................. 371
Denial of Service packet filtering............................................................................................................371
Reading intrusion alerts and resetting alert flags...................................................................................371
Notice of security violations.........................................................................................................371
How the intrusion log operates....................................................................................................372
Keeping the intrusion log current by resetting alert flags............................................................ 372
Checking for intrusions, listing intrusion alerts, and resetting alert flags (Menu)............. 373
Checking for intrusions, listing intrusion alerts, and resetting alert flags (CLI).................375
Using the Event Log to find intrusion alerts (CLI)........................................................................376
Operating notes for port security............................................................................................................377
Identifying the IP address of an intruder..................................................................................... 377
Proxy Web servers......................................................................................................................377
"Prior to" entries in the Intrusion Log...........................................................................................377
Alert flag status for entries forced off of the Intrusion Log...........................................................378
LACP not available on ports configured for port security............................................................ 378
Chapter 18 Using Authorized IP Managers................................................379
Introduction............................................................................................................................................ 379
Defining authorized management stations.............................................................................................379
Overview of IP mask operation................................................................................................... 380
Viewing and configuring IP Authorized managers (Menu).......................................................... 380
Editing or deleting an Authorized manager entry (Menu).................................................381
Viewing and configuring IP Authorized managers (CLI)..............................................................381
Listing the switch’s current IP Authorized manager(s)..................................................... 381
Configuring IP Authorized managers for the switch (CLI)................................................ 382
Configuring IP Authorized managers (WebAgent).................................................................................383
Web proxy servers...................................................................................................................... 384
How to eliminate the web proxy server....................................................................................... 384
Using a web proxy server to access the WebAgent....................................................................384
Building IP Masks.................................................................................................................................. 385
Configuring one station per Authorized manager IP entry.......................................................... 385
Configuring multiple stations per Authorized manager IP entry.................................................. 385
Operating notes..................................................................................................................................... 388
Chapter 19 Key Management System........................................................ 389
Overview................................................................................................................................................ 389
Configuring key chain management...................................................................................................... 389
Creating and deleting key chain entries...................................................................................... 389
Assigning a time-independent key to a chain..............................................................................390
Assigning time-dependent keys to a chain.......................................................................391
Chapter 20 Secure Mode............................................................................. 394
Configuring secure mode.......................................................................................................................394
Chapter 21 Conformance to Suite-B Cryptography requirements.......... 395
Configuration support.............................................................................................................................395
CRL configuration facts...............................................................................................................395
OCSP configuration facts............................................................................................................396
Configure CRL for revocation check .......................................................................................... 396
Configure OCSP for revocation check ....................................................................................... 397
Retrieve CRL ........................................................................................................................................ 397
Set TA profile to validate CRL and OCSP..............................................................................................398
Clear CRL ............................................................................................................................................. 398
Create a certificate signing request....................................................................................................... 398
Create and enroll a self-signed certificate..............................................................................................399
Configure or remove the minimum levels of security minLos for TLS....................................................400
Install authentication files ......................................................................................................................400
Remove authentication files...................................................................................................................401
Remove the client public keys from configuration..................................................................................402
Show details of TA profile ......................................................................................................................402
Chapter 22 Websites.................................................................................... 404
Chapter 23 Support and other resources.................................................. 405
Accessing Hewlett Packard Enterprise Support.................................................................................... 405
Accessing updates.................................................................................................................................405
Customer self repair...............................................................................................................................405
Remote support..................................................................................................................................... 406
Warranty information..............................................................................................................................406
Regulatory information...........................................................................................................................406
Documentation feedback....................................................................................................................... 407
Chapter 1
About this document
This switch software guide is intended for network administrators and support personnel, and applies to the switch models listed on this page unless otherwise noted. This guide does not provide information about upgrading or replacing switch hardware.
Applicable Products
Aruba 2530 Switch Series (J9772A, J9773A, J9774A, J9775A, J9776A, J9777A, J9778A, J9779A, J9780A, J9781A, J9782A, J9783A, J9853A, J9854A, J9855A, J9856A, JL070A)
Chapter 1 About this document 15
Introduction
This chapter provides an overview of the security features included on your switch. For detailed information on
individual features, see the references provided.
Before you connect your switch to a network, Hewlett Packard Enterprise strongly recommends that you review
the section Getting started with access security on page 24. It outlines potential threats for unauthorized
switch and network access, and provides guidelines on how to prepare the switch for secure network operation.
About this guide
This access security guide describes how to configure security features on your switch.
For an introduction to the standard conventions used in this guide, see “Getting Started” in the basic
operation guide for your switch.
For more information
For IPv6-specific security settings and features, see the IPv6 configuration guide for your switch.
For information on which product manual to consult for a specific software feature, see the Software feature index
– extended.
For the latest version of all HPE switch documentation, including Release Notes covering recently added features and other software topics, visit the Hewlett Packard Enterprise Networking website at http://www.hpe.com/support/manuals.
Chapter 2
Security Overview
Access security features
This section provides an overview of the switch's access security features, authentication protocols, and methods. For more in-depth information, see the references provided (all chapter and page references are to this access security guide unless a different manual name is indicated).
The Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. See Using the Management Interface wizard on page 25 for details.
Table 1: Access security and switch authentication features
(Columns: Feature, Default setting, Security guidelines, More information and configuration details)

Feature: Manager password
Default setting: no password
Security guidelines: Configuring a local manager password is a fundamental step in reducing the possibility of unauthorized access through the switch's WebAgent and console (CLI and Menu) interfaces. The manager password can easily be set by any one of the following methods:
  • CLI: password manager command, or Management interface wizard
  • WebAgent: the password options under the Security tab, or Management interface wizard
  • Menu interface: Console passwords option
  • SNMP
More information and configuration details: Configuring local password security on page 30; Using the Management Interface wizard on page 25; Using SNMP to view and configure switch authentication features on page 106

Feature: Telnet and Web-browser access (WebAgent)
Default setting: enabled
Security guidelines: The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL (see below for details) should be used for remote access. This enables you to employ increased access security while still retaining remote client access.
Also, access security on the switch is incomplete without disabling Telnet and the standard Web browser access (WebAgent). Among the methods for blocking unauthorized access attempts using Telnet or the WebAgent are the following two CLI commands:
  • no telnet-server: This command blocks inbound Telnet access.
  • no web-management: This command prevents use of the WebAgent through http (port 80) server access.
If you choose not to disable Telnet and the WebAgent, you may want to consider using RADIUS accounting to maintain a record of password-protected access to the switch.
More information and configuration details: Using the Management Interface wizard on page 25. For more on Telnet and the WebAgent, see "Interface Access and System Information" in the management and configuration guide. For RADIUS accounting, see RADIUS Authentication, Authorization, and Accounting on page 97.

Feature: SSH
Default setting: disabled
Security guidelines: SSH provides Telnet-like functions through encrypted, authenticated transactions of the following types:
  • client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.
  • switch SSH and user password authentication: this option is a subset of the client public-key authentication, and is used if the switch has SSH enabled without a login access configured to authenticate the client's key. In this case, the switch authenticates itself to clients, and users on SSH clients then authenticate themselves to the switch by providing passwords stored on a RADIUS or TACACS+ server, or locally on the switch.
  • secure copy (SC) and secure FTP (SFTP): By opening a secure, encrypted SSH session, you can take advantage of SC and SFTP to provide a secure alternative to TFTP for transferring sensitive switch information. For more on SC and SFTP, see the section titled "Using Secure Copy and SFTP" in the "File Transfers" appendix of the management and configuration guide for your switch.
More information and configuration details: Using the Management Interface wizard on page 25; Configuring Secure Shell (SSH) on page 176

Feature: SSL
Default setting: disabled
Security guidelines: Secure Socket Layer (SSL) and Transport Layer Security (TLS) provide remote Web browser access (WebAgent) to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operation. The authenticated type includes server certificate authentication with user password authentication.
More information and configuration details: Using the Management Interface wizard on page 25; Configuring Secure Socket Layer (SSL) on page 200

Feature: SNMP
Default setting: public, unrestricted
Security guidelines: In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.
More information and configuration details: SNMP security guidelines on page 27; Using the Management Interface wizard on page 25; "Using SNMP Tools to manage the switch" in the management and configuration guide

Table Continued
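The rows above describe defaults that leave no trace in a running-config (Telnet and HTTP are on because nothing turns them off), which is why they are easy to miss in a review. The following Python script is an added example, not part of the guide or of HPE's software: it reads a saved running-config, reports which of the Table 1 weak defaults are still in effect, and lists the CLI remediation the table and the later chapters describe. The two sample configurations are constructed for this example, and the exact spelling of the running-config lines and of the remediation commands (for example the running-config form of the SNMP community line, and the web-management and snmp-server command variants) is an assumption; confirm each against show running-config and the referenced chapters on your own switch.

```python
"""Audit an ArubaOS-Switch running-config against the Table 1 defaults.

Added example, not taken from the guide.  It flags the weak defaults Table 1
lists (no manager password, Telnet and plain-text WebAgent enabled, SSH and
SSL disabled, SNMP community "public" unrestricted) and prints the CLI
remediation the table names.  Assumptions: the exact spelling of the
running-config lines below (confirm against 'show running-config' on your
own switch) and the sample configs, which are constructed for this example.
"""
import re

# Constructed sample: a factory-default switch.  Only the SNMP default shows
# up as a line (assumed spelling); Telnet and HTTP being enabled leave no
# line at all, which is exactly what makes them easy to overlook.
DEFAULT_CONFIG = """\
hostname "Aruba-2530-24G"
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   ip address dhcp-bootp
   exit
"""

# Constructed sample: the same switch after applying the table's guidance.
# Command spellings are assumptions; the guide's chapters are the authority.
HARDENED_CONFIG = """\
hostname "Aruba-2530-24G"
password manager
no telnet-server
no web-management plaintext
web-management ssl
ip ssh
no snmp-server community "public"
snmp-server community "netmon-ro" operator restricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   ip address 10.0.0.5 255.255.255.0
   exit
"""


def parse_config(text):
    """Return the non-empty config lines with context indentation stripped."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def _exact(lines, cmd):
    return cmd in lines


def _starts(lines, cmd):
    # Matches "password manager" and "password manager sha1 ..." alike.
    return any(ln == cmd or ln.startswith(cmd + " ") for ln in lines)


# (id, issue, detector returning True while the weak setting is in effect,
#  remediation commands taken from Table 1 and the configuration chapters)
CHECKS = [
    ("manager-password",
     "no manager password: console (CLI/Menu) and WebAgent are unprotected",
     lambda ls: not _starts(ls, "password manager"),
     ["password manager"]),
    ("telnet",
     "Telnet server enabled (default): passwords cross the network in plain text",
     lambda ls: not _exact(ls, "no telnet-server"),
     ["no telnet-server"]),
    ("web-plaintext",
     "plain-text WebAgent (HTTP, port 80) enabled (default)",
     lambda ls: not (_exact(ls, "no web-management")
                     or _exact(ls, "no web-management plaintext")),
     ["no web-management plaintext"]),
    ("ssh",
     "SSH disabled (default): no encrypted CLI or SC/SFTP access",
     lambda ls: not _exact(ls, "ip ssh"),
     ["crypto key generate ssh", "ip ssh"]),
    ("ssl",
     "SSL/TLS WebAgent disabled (default)",
     lambda ls: not _exact(ls, "web-management ssl"),
     ["web-management ssl   (after installing a certificate, see the SSL chapter)"]),
    ("snmp-public",
     'SNMP community "public" present (default: unrestricted, i.e. read/write)',
     lambda ls: any(re.match(r'snmp-server community "?public"?(\s|$)', ln)
                    for ln in ls),
     ['no snmp-server community "public"',
      'snmp-server community "<name>" operator restricted']),
]


def audit(config_text):
    """Return a list of findings, each {"id", "issue", "fix"}, for one config."""
    lines = parse_config(config_text)
    return [{"id": cid, "issue": issue, "fix": fix}
            for cid, issue, weak, fix in CHECKS if weak(lines)]


def report(config_text):
    """Human-readable summary of audit()."""
    findings = audit(config_text)
    if not findings:
        return "no Table 1 weak defaults found"
    out = []
    for f in findings:
        out.append(f"[{f['id']}] {f['issue']}")
        out.extend(f"    fix: {cmd}" for cmd in f["fix"])
    return "\n".join(out)


if __name__ == "__main__":
    print("--- factory default ---")
    print(report(DEFAULT_CONFIG))
    print("--- hardened ---")
    print(report(HARDENED_CONFIG))
```

Run it against the output of show running-config saved to a file (read the file and pass its contents to report()). The detectors deliberately test for the presence of the disabling command rather than the absence of an enabling one, because an enabled default is invisible in the config; the snmp-public check ignores lines beginning with "no" so that the remediation itself is not reported as a finding.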