Aruba R9G09A User guide

AOS-CX 10.13 Security Guide
8100, 8360 Switch Series
November 2023
Edition: 1
Copyright Information
© Copyright 2023 Hewlett Packard Enterprise Development LP.
This product includes code licensed under certain open source licenses which require source
compliance. The corresponding source for these components is available upon request. This offer is
valid to anyone in receipt of this information and shall expire three years following the date of the final
distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source
code, please check if the code is available in the HPE Software Center at
https://myenterpriselicense.hpe.com/cwp-ui/software but, if not, send a written request for specific
software version and product for which you want the open source code. Along with the request, please
send a check or money order in the amount of US $10.00 to:
Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America.
Notices
The information contained herein is subject to change without notice. The only warranties for Hewlett
Packard Enterprise products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or
omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession,
use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer
Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government
under vendor's standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard
Enterprise website.
Contents
Contents 3
About this document 15
Applicable products 15
Latest version available online 15
Command syntax notation conventions 15
About the examples 16
Identifying switch ports and interfaces 16
About security 18
About Authentication, Authorization, and Accounting (AAA) 18
Managing users and groups 19
Default user admin 19
Example of first login with password setting 19
Built-in user groups and their privileges 19
User-defined user groups 20
User name requirements 20
Password requirements 21
Per-user management interface enablement 21
Local per-user management interface enablement 21
Remote (TACACS+ or RADIUS) per-user management interface enablement 22
User and user group management tasks 23
Resetting the switch admin password using the Service OS console 24
Resetting the admin password by reverting the switch to factory defaults 25
User and group commands 26
password complexity 26
service export-password 30
show password-complexity 31
show user-group 31
show user-list 32
show user-list management-interface 34
show user information 35
user 36
user-group 39
user management-interface 43
user password 44
SSH server 47
SSH defaults 47
SSH server tasks 47
SSH server commands 48
show ssh host-key 48
show ssh server 49
show ssh server sessions 53
ssh ciphers 54
AOS-CX 10.13 Security Guide 3
ssh host-key 55
ssh host-key-algorithms 56
ssh key-exchange-algorithms 57
ssh known-host remove 59
ssh macs 59
ssh maximum-auth-attempts 60
ssh public-key-algorithms 61
ssh server allow-list 62
ssh server port 64
ssh server vrf 65
SSH client 66
SSH client commands 66
ssh (client login) 66
Local AAA 68
Local AAA defaults and limits 68
Supported platforms and standards 68
Scale 68
Local authentication 69
Password-based local authentication 69
SSH public key-based local authentication 69
Local authentication tasks 69
Local authorization 71
Local authorization tasks 72
Local accounting 72
Local accounting tasks 72
Local AAA commands 73
aaa accounting all-mgmt 73
aaa authentication console-login-attempts 74
aaa authentication limit-login-attempts 76
aaa authentication login 77
aaa authentication minimum-password-length 78
aaa authorization commands (local) 79
show aaa accounting 81
show aaa authentication 82
show aaa authorization 83
show authentication locked-out-users 85
show ssh authentication-method 85
show user 86
ssh password-authentication 87
ssh public-key-authentication 88
user authorized-key 88
Remote AAA with TACACS+ 91
Parameters for TACACS+ server 91
Default server groups 92
Supported platforms and standards 92
About global versus per-TACACS+ server passkeys (shared secrets) 93
Remote AAA TACACS+ server configuration requirements 93
User role assignment using TACACS+ attributes 94
TACACS+ server redundancy and access sequence 94
Single source IP address for consistent source identification to AAA servers 94
TACACS+ general tasks 95
TACACS+ authentication 95
About authentication fail-through 96
TACACS+ authentication tasks 96
TACACS+ authorization 97
Using local authorization as fallback from TACACS+ authorization 97
About authentication fail-through and authorization 97
TACACS+ authorization tasks 97
TACACS+ accounting 98
Sample accounting information on a TACACS+ server 98
Sample REST accounting information on a TACACS+ server 99
TACACS+ accounting tasks 99
Example: Configuring the switch for Remote AAA with TACACS+ 100
Remote AAA with RADIUS 103
Parameters for RADIUS server 103
Default server groups 104
Supported platforms and standards 105
About global versus per-RADIUS server passkeys (shared secrets) 105
Remote AAA RADIUS server configuration requirements 106
User role assignment using RADIUS attributes 106
RADIUS server redundancy and access sequence 107
Configuration task list 107
Single source IP address for consistent source identification to AAA servers 108
RADIUS general tasks 109
Per-port RADIUS server group configuration 109
RADIUS authentication 110
About authentication fail-through 110
RADIUS authentication tasks 111
Two-factor authentication 112
Configuring two-factor authentication (for local users) 112
Configuring two-factor authentication with SSH (for remote-only users) 113
Configuring two-factor authentication with HTTPS server and REST (for remote-only users) 116
Two-factor authentication commands 119
aaa authorization radius 119
https-server authentication certificate 120
ssh certificate-as-authorized-key 121
ssh two-factor-authentication 122
RADIUS accounting 123
Sample general accounting information 124
RADIUS accounting tasks 125
Example: Configuring the switch for Remote AAA with RADIUS 126
Remote AAA (TACACS+, RADIUS) commands 129
aaa accounting allow-fail-through 129
aaa accounting all-mgmt 129
aaa authentication allow-fail-through 132
aaa authentication login 133
aaa authorization allow-fail-through 135
aaa authorization commands 137
aaa group server 140
radius-server auth-type 141
radius-server host 142
radius-server host secure ipsec 145
radius-server host tls port-access 150
radius-server host tls tracking-method 151
radius-server key 152
radius-server retries 153
radius-server status-server interval 154
radius-server timeout 155
radius-server tracking 156
server 158
show aaa accounting 159
show aaa authentication 161
show aaa authorization 164
show aaa server-groups 166
show accounting log 168
show radius-server 171
show radius-server secure ipsec 176
show radius-server authentication statistics 177
show radius-server authentication statistics host 178
show tacacs-server 179
show tacacs-server statistics 182
show tech aaa 183
tacacs-server auth-type 189
tacacs-server host 190
tacacs-server key 192
tacacs-server timeout 193
tacacs-server tracking 194
RADIUS dynamic authorization 196
Requirements and tips 196
RADIUS dynamic authorization commands 196
radius dyn-authorization enable 196
radius dyn-authorization client 197
radius dyn-authorization port 199
show radius dyn-authorization 200
show radius dyn-authorization client 201
IP Flow Information Export 204
Flow monitoring commands 204
flow record 204
flow exporter 206
flow monitor 208
ipv4|ipv6 flow monitor 209
show flow record 210
show flow exporter 212
show flow monitor 213
show tech ipfix 214
diag-dump ipfix basic 215
Traffic Insight 217
Protocol and feature details 217
Supported Platforms 217
Caveats for Traffic Insight 217
Configuring Traffic Insight 218
Traffic insight commands 219
diag-dump traffic-insight basic 219
show capacities traffic-insight 220
show debug buffer module trafficinsight 220
show events traffic-insightd 221
show running-config traffic-insight 222
show tech traffic-insight 223
show traffic-insight monitor-type 223
traffic insight 224
Client Insight 227
Supported Platforms 228
Prerequisites 228
Points to Note 228
Limitations 228
Feature Interoperability 229
Troubleshooting Client Insight 229
Client Insight Commands 229
client-insight enable 229
client-insight on-boarding event logs 230
diag-dump client-insight basic 231
show capacities client-insight-client-limit 233
show capacities-status client-insight-client-limit 234
show events -c client-insight 234
show tech client-insight 237
PKI 240
PKI concepts 240
Digital certificate 240
Certificate authority 240
Root certificate 241
Leaf certificate 241
Intermediate certificate 241
Trust anchor 241
OCSP 241
PKI on the switch 241
Trust anchor profiles 241
Leaf certificates 242
Mandatory matching of peer device hostname 242
PKI EST 242
EST usage overview 242
Prerequisites for using EST for certificate enrollment 243
EST profile configuration 243
Certificate enrollment 243
Certificate re-enrollment 243
Checking EST profile and certificate configuration 244
EST best practices 244
Example using EST for certificate enrollment 244
Example including the use of an intermediate certificate 250
Installing a self-signed leaf certificate (created inside the switch) 252
Installing a self-signed leaf certificate (created outside the switch) 253
Installing a certificate of a root CA 254
Installing a downloadable user role certificate 255
Installing a CA-signed leaf certificate (initiated in the switch) 256
Installing a CA-signed leaf certificate (created outside the switch) 257
PKI commands 258
crypto pki application 258
crypto pki certificate 259
crypto pki ta-profile 260
enroll self-signed 261
enroll terminal 262
import (CA-signed leaf certificate) 263
import (self-signed leaf certificate) 265
key-type 267
ocsp disable-nonce 268
ocsp enforcement-level 269
ocsp url 270
ocsp vrf 271
revocation-check ocsp 271
show crypto pki application 272
show crypto pki certificate 273
show crypto pki ta-profile 275
ta-certificate 276
subject 278
PKI EST commands 279
arbitrary-label 279
arbitrary-label-enrollment 280
arbitrary-label-reenrollment 281
crypto pki est-profile 282
enroll est-profile 283
reenrollment-lead-time 284
retry-count 285
retry-interval 286
show crypto pki est-profile 287
url 288
username 289
vrf 291
MACsec 292
MACsec in AOS-CX 292
MACsec use cases 293
MACsec configuration (using 802.1X EAP TLS) 295
Configure the authenticator 295
Configure the supplicant 296
MACsec configuration (using pre-shared keys) 297
MACsec limitations 298
MACsec WANextension 299
MACsec best practices 299
Switch-to-Host MACsec Limitations 300
MACsec troubleshooting 301
MACsec commands 301
apply macsec policy 301
bypass 303
cipher-suite 304
clear macsec statistics 305
clear tag mode 306
confidentiality 307
include-sci-tag 308
macsec policy 309
macsec selftest 310
replay-protection 311
secure-mode 312
show macsec policy 313
show macsec selftest 314
show macsec statistics 315
show macsec status 317
MKA commands (MACsec) 319
apply mka policy 319
clear mka statistics 321
data-delay-protection 322
eapol-destination-mac 323
eapol-dot1q-tagged 324
eapol-eth-type 325
key-server-priority 325
mka policy 326
pre-shared-key 327
show mka policy 329
show mka statistics 330
show mka status 331
transmit-interval 332
Port access 334
Port access 802.1X authentication 334
Port access MAC authentication 335
How MAC authentication works 336
How RADIUS server is used in MAC authentication 336
Supported platforms and standards 337
Scale 337
Supported RFCs and standards 337
Port access configuration task list 337
Port access 802.1X and MAC authentication configuration example 337
Use cases 339
Use case 1: Faster onboarding of MAC authentication clients using concurrent onboarding 339
Use case 2: PXE clients that download the supplicant 340
Port access 802.1X authentication commands 340
aaa authentication port-access dot1x authenticator 340
aaa authentication port-access dot1x authenticator auth-method 341
aaa authentication port-access dot1x authenticator cached-reauth 342
aaa authentication port-access dot1x authenticator cached-reauth-period 342
aaa authentication port-access dot1x authenticator discovery-period 343
aaa authentication port-access dot1x authenticator eap-tls-fragment 344
aaa authentication port-access dot1x authenticator eapol-timeout 345
aaa authentication port-access dot1x authenticator initial-auth-response-timeout 346
aaa authentication port-access dot1x authenticator macsec 347
aaa authentication port-access dot1x authenticator max-eapol-requests 348
aaa authentication port-access dot1x authenticator mka cak-length 348
aaa authentication port-access dot1x authenticator max-retries 349
aaa authentication port-access dot1x authenticator quiet-period 350
aaa authentication port-access dot1x authenticator radius server-group 351
aaa authentication port-access dot1x authenticator reauth 352
aaa authentication port-access dot1x authenticator reauth-period 353
clear dot1x authenticator statistics interface 354
show aaa authentication port-access dot1x authenticator interface client-status 354
show aaa authentication port-access dot1x authenticator interface port-statistics 356
Port access MAC authentication commands 357
aaa authentication port-access allow-lldp-auth [mac {source-mac|chassis-mac}] 358
aaa authentication port-access mac-auth 359
aaa authentication port-access mac-auth addr-format 360
aaa authentication port-access mac-auth auth-method 360
aaa authentication port-access mac-auth cached-reauth 361
aaa authentication port-access mac-auth cached-reauth-period 362
aaa authentication port-access mac-auth password 363
aaa authentication port-access mac-auth quiet-period 364
aaa authentication port-access mac-auth radius server-group 364
aaa authentication port-access mac-auth reauth 366
aaa authentication port-access mac-auth reauth-period 366
clear mac-auth statistics 367
show aaa authentication port-access mac-auth interface client-status 368
show aaa authentication port-access mac-auth interface port-statistics 370
Port access general commands 371
aaa authentication port-access allow-lldp-auth 371
aaa authentication port-access allow-cdp-auth 373
aaa authentication port-access auth-mode 373
aaa authentication port-access auth-precedence 375
aaa authentication port-access auth-priority 376
aaa authentication port-access auth-role 377
aaa authentication port-access client-auto-log-off final-authentication-failure 378
aaa authentication port-access client-limit 379
aaa authentication port-access client-limit multi-domain 379
aaa authentication port-access radius-override 380
port-access allow-flood-traffic 381
port-access auto-vlan 382
port-access client-move 383
port-access event-log client 384
port-access fallback-role 385
port-access log-off client 386
port-access onboarding-method precedence 387
port-access onboarding-method concurrent 388
port-access reauthenticate interface 389
show aaa authentication port-access interface client-status 390
show port-access clients 391
show port-access clients detail 397
show port-access clients onboarding-method 405
show port-access interface 406
Port access debugging and troubleshooting 408
Radius server reachability debugging and troubleshooting 408
Port access MAC authentication debugging and troubleshooting 409
Using show commands 409
Using debug commands 410
Port access 802.1X authentication debugging and troubleshooting 411
Using show commands 411
Using other commands 413
Port access FAQ 414
References 414
Multidomain authentication 414
Multidomain authentication requirements 415
Scenarios with Aruba-Port-Auth-Mode and Aruba-Device-Traffic-Class VSAs 415
Scenarios with device-traffic-class configuration in role 416
Port access security violation 417
Port access security violation commands 417
port-access security violation action 417
port-access security violation action shutdown auto-recovery 418
port-access security violation action shutdown recovery-timer 419
show interface 420
show port-access aaa violation interface 420
show port-access port-security violation client-limit-exceeded interface 421
Port access policy 422
Classes and actions supported by port access policies 423
RADIUS policies 423
Filter-ID 423
NAS-Filter-Rule 424
Aruba-NAS-Filter-Rule 425
Limitations 425
Port access policy commands 426
port-access policy 426
port-access policy copy 430
port-access policy resequence 431
port-access policy reset 431
clear port-access policy hitcounts 433
show port-access policy 435
show port-access policy hitcounts 437
Port access role 439
Operational notes 440
Downloadable user roles 440
Mixed roles 440
Important points to note 441
Limitations 441
Supported RADIUS attributes in mixed roles 441
Cached-critical role 441
Cached-critical role tasks 443
Restrictions 444
Troubleshooting 444
Special roles 445
Critical role 445
Reject role 445
Pre-authentication role 445
Auth-role 447
Fallback role 447
Port access role commands 447
associate macsec-policy 447
associate policy 448
auth-mode 449
cached-reauth-period 450
client-inactivity timeout 451
device-traffic-class 451
description 452
mtu 453
poe-priority 453
port-access role 454
reauth-period 455
session timeout 456
show aaa authentication port-access interface client-status 456
show port-access role 457
stp-admin-edge-port 461
trust-mode 462
vlan 462
Port access cached-critical role commands 464
aaa authentication port-access cached-critical-role (global) 464
aaa authentication port-access cached-critical-role (per interface) 466
port-access clear cached-client 467
show port-access cached-clients 468
show port-access cached-critical-role info 470
Port access VLAN groups 471
VLAN grouping limitations 472
VLAN group load balancing 472
Port access VLAN group commands 473
associate-vlan 473
port-access vlan-group 474
show running-config port-access vlan-group 474
Port access 802.1X supplicant authentication 476
Feature details 476
Sub-features 477
Supported platforms 478
802.1X supplicant policy configuration and considerations 478
Recommended configuration 479
Port access 802.1X supplicant commands 479
aaa authentication port-access dot1x supplicant(global) 479
aaa authentication port-access dot1x supplicant(port) 480
associate policy 481
canned-eap-success 482
clear dot1x supplicant statistics 483
discovery-timeout 484
eap-identity 485
eapol-force-multicast 487
eapol-method 488
eapol-protocol-version 489
eapol-source-mac 490
eapol-timeout 491
enable 492
enable 493
fail-mode 494
held-period 495
macsec 496
macsec-policy 497
max-retries 498
mka cak-length 499
policy (supplicant) 500
port-access dot1x supplicant restart 501
show aaa authentication port-access dot1x supplicant policy 502
show aaa authentication port-access dot1x supplicant statistics 504
show aaa authentication port-access dot1x supplicant status 506
start-mode 508
Troubleshooting 509
Prerequisites 509
Packet capture 510
FAQ 511
Configurable RADIUS attributes (port access) 512
Configurable RADIUS attribute commands 512
aaa radius-attribute group 512
nas-id request-type 513
nas-id value 514
nas-ip-addr request-type authentication 515
nas-ip-addr service-type user-management 516
tunnel-private-group-id request-type 517
tunnel-private-group-id value 518
Supported RADIUS attributes 520
Attributes supported in 802.1X authentication 520
Attributes supported in MAC authentication 520
Attributes supported in dynamic authorization 521
Session authorization attributes supported in 802.1X and MAC authentication, and CoA 521
Standard session attributes supported 521
Vendor-Specific Attributes supported in session authorization 522
Description of VSAs 522
Attributes supported in RADIUS network accounting 524
Attributes supported in RADIUS server tracking 524
Port security 525
Port-security sticky MAC 525
Basic operation 525
Default port security operation 526
Intruder protection 526
General operation for port security 526
Blocking unauthorized traffic 526
Trunk group exclusion 527
Port security commands 527
port-access port-security 527
port-access port-security client-limit 528
port-access port-security mac-address 529
show port-access port-security interface client-status 530
show port-access port-security interface port-statistics 531
sticky-learn enable 532
sticky-learn mac 533
show port-access security violation sticky-mac-client-move interface 534
Fault Monitor 536
Fault monitoring conditions 536
Excessive broadcasts 536
Excessive multicasts 536
Excessive link flaps 536
Excessive oversize packets 536
Excessive jabbers 536
Excessive fragments 536
Excessive CRC errors 537
Excessive TX drops 537
Fault monitor commands 537
(Fault enabling/disabling) 537
action 538
apply fault-monitor profile 541
fault-monitor profile 541
show fault-monitor profile 542
show interface fault-monitor profile 544
show interface fault-monitor status 545
show running-config 546
threshold 547
vsx-sync (fault monitor) 549
Group based policy (GBP) 550
GBP scenarios 550
Group Policy ID-based segmentation in the wired network 551
Group Policy ID-based segmentation between wired and wireless clients 552
Group Policy ID-based segmentation for multicast traffic 553
Multicast traffic limitations 554
GBP limitations 555
Group based policy commands 555
apply gbp role-access-list 555
gbp enable 556
gbp role 556
gbp role infra 558
gbp role-access-list 559
class gbp-ip 561
class gbp-ipv6 564
class gbp-mac 567
port-access gbp 569
port-access role associate gbp 571
clear port-access gbp hitcounts 572
show gbp role-mapping 572
show class 573
show port-access gbp 575
show port-access gbp hitcounts 575
Configuring enhanced security 578
Configuring enhanced security 578
Configuring remote logging using SSH reverse tunnel 579
CLI user session management commands 580
cli-session 580
Auditors and auditing tasks 583
Auditing tasks (CLI) 583
Auditing tasks (Web UI) 583
REST requests and accounting logs 584
Support and Other Resources 585
Accessing Aruba Support 585
Accessing Updates 586
Aruba Support Portal 586
My Networking 586
Warranty Information 586
Regulatory Information 586
Documentation Feedback 587
Chapter 1
About this document
This document describes features of the AOS-CX network operating system. It is intended for
administrators responsible for installing, configuring, and managing Aruba switches on a network.
Applicable products
This document applies to the following products:
• Aruba 8100 Switch Series (R9W94A, R9W95A, R9W96A, R9W97A)
• Aruba 8360 Switch Series (JL700A, JL701A, JL702A, JL703A, JL706A, JL707A, JL708A, JL709A, JL710A,
  JL711A, JL700C, JL701C, JL702C, JL703C, JL706C, JL707C, JL708C, JL709C, JL710C, JL711C, JL704C, JL705C,
  JL719C, JL718C, JL717C, JL720C, JL722C, JL721C)
Latest version available online
Updates to this document can occur after initial publication. For the latest versions of product
documentation, see the links provided in Support and Other Resources.
Command syntax notation conventions
Convention
    Usage

example-text
    Identifies commands and their options and operands, code examples, filenames, pathnames, and
    output displayed in a command window. Items that appear like the example text in the previous
    column are to be entered exactly as shown and are required unless enclosed in brackets ([ ]).

example-text (bold)
    In code and screen examples, indicates text entered by a user.

<example-text> or example-text (italic), with or without angle brackets
    Identifies a placeholder, such as a parameter or a variable, that you must substitute with an
    actual value in a command or in code:
    • For output formats where italic text cannot be displayed, variables are enclosed in angle
      brackets (< >). Substitute the text, including the enclosing angle brackets, with an actual
      value.
    • For output formats where italic text can be displayed, variables might or might not be
      enclosed in angle brackets. Substitute the text, including the enclosing angle brackets, if
      any, with an actual value.

|
    Vertical bar. A logical OR that separates multiple items from which you can choose only one.
    Any spaces that are on either side of the vertical bar are included for readability and are not
    a required part of the command syntax.

{ }
    Braces. Indicates that at least one of the enclosed items is required.

[ ]
    Brackets. Indicates that the enclosed item or items are optional.

... (horizontal) or a vertical ellipsis
    Ellipsis:
    • In code and screen examples, a vertical or horizontal ellipsis indicates an omission of
      information.
    • In syntax using brackets and braces, an ellipsis indicates items that can be repeated. When an
      item followed by ellipses is enclosed in brackets, zero or more items can be specified.
About the examples
Examples in this document are representative and might not match your particular switch or
environment.
The slot and port numbers in this document are for illustration only and might be unavailable on your
switch.
Understanding the CLI prompts
When illustrating the prompts in the command line interface (CLI), this document uses the generic term
switch, instead of the host name of the switch. For example:
switch>
The CLI prompt indicates the current command context. For example:
switch>
Indicates the operator command context.
switch#
Indicates the manager command context.
switch(CONTEXT-NAME)#
Indicates the configuration context for a feature. For example:
switch(config-if)#
Identifies the interface context.
Variable information in CLI prompts
In certain configuration contexts, the prompt may include variable information. For example, when in
the VLAN configuration context, a VLAN number appears in the prompt:
switch(config-vlan-100)#
When referring to this context, this document uses the syntax:
switch(config-vlan-<VLAN-ID>)#
Where <VLAN-ID> is a variable representing the VLAN number.
Identifying switch ports and interfaces
Physical ports on the switch and their corresponding logical software interfaces are identified using the
format:
member/slot/port
On the 83xx, 9300, and 10000 Switch Series
• member: Always 1. VSF is not supported on this switch.
• slot: Always 1. This is not a modular switch, so there are no slots.
• port: Physical number of a port on the switch.
For example, the logical interface 1/1/4 in software is associated with physical port 4 on the switch.
If using breakout cables, the port designation changes to x:y, where x is the physical port and y is the lane when
split to 4 x 10G or 4 x 25G. For example, the logical interface 1/1/4:2 in software is associated with lane 2 on
physical port 4 in slot 1 on member 1.
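As an added example (not code from the guide or from HPE), the following Python parses and validates interface names in the member/slot/port[:lane] form described above, using the constraints the guide states for these fixed-configuration switches: member and slot are always 1, and a breakout port is split into lanes 1 to 4. Treating 4 as the maximum lane number, and the helper names used here, are assumptions of this example. Checking names this way before an automation job pushes them into an allow-list or port-access policy turns a typo such as 1/2/4 into a clear rejection instead of a silently ignored line.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# member/slot/port with an optional breakout lane, e.g. "1/1/4" or "1/1/4:2".
_IFACE_RE = re.compile(
    r"^(?P<member>\d+)/(?P<slot>\d+)/(?P<port>\d+)(?::(?P<lane>\d+))?$"
)

# Constraints the guide states for the 8100/8360: no VSF (member 1) and no
# slots (slot 1). A split port has lanes 1..4 for 4x10G / 4x25G breakouts;
# treating 4 as the maximum lane is an assumption of this example.
FIXED_MEMBER = 1
FIXED_SLOT = 1
MAX_LANES = 4


@dataclass(frozen=True)
class Interface:
    member: int
    slot: int
    port: int
    lane: Optional[int] = None  # None when the port is not split by a breakout cable


def parse_interface(name: str) -> Interface:
    """Parse and validate a logical interface name; raise ValueError on anything invalid."""
    m = _IFACE_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not in member/slot/port[:lane] form: {name!r}")
    member, slot, port = int(m["member"]), int(m["slot"]), int(m["port"])
    lane = int(m["lane"]) if m["lane"] is not None else None
    if member != FIXED_MEMBER:
        raise ValueError(f"member must be {FIXED_MEMBER} (VSF not supported), got {member}")
    if slot != FIXED_SLOT:
        raise ValueError(f"slot must be {FIXED_SLOT} (not a modular switch), got {slot}")
    if port < 1:
        raise ValueError("port numbers start at 1")
    if lane is not None and not 1 <= lane <= MAX_LANES:
        raise ValueError(f"breakout lane must be 1..{MAX_LANES}, got {lane}")
    return Interface(member, slot, port, lane)


def describe(iface: Interface) -> str:
    """Spell out the physical port the way the guide phrases it."""
    if iface.lane is None:
        return f"physical port {iface.port} on slot {iface.slot}, member {iface.member}"
    return (f"lane {iface.lane} on physical port {iface.port} "
            f"in slot {iface.slot} on member {iface.member}")


def breakout_lanes(name: str, lanes: int = MAX_LANES) -> list[str]:
    """Expand an unsplit port into the lane interfaces it becomes after a breakout."""
    iface = parse_interface(name)
    if iface.lane is not None:
        raise ValueError(f"{name!r} already names a single lane")
    return [f"{iface.member}/{iface.slot}/{iface.port}:{n}" for n in range(1, lanes + 1)]


if __name__ == "__main__":
    # Constructed sample names: two valid forms from the guide and one bad slot.
    for text in ("1/1/4", "1/1/4:2", "1/2/4"):
        try:
            print(text, "->", describe(parse_interface(text)))
        except ValueError as err:
            print(text, "-> rejected:", err)
```

The parser rejects rather than normalizes: a name that does not fit the platform is an error to surface, not something to guess at.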
Chapter 2
About security
This AOS-CX Switch provides the following security features:
• Local user and group management.
• Authentication, Authorization, and Accounting (AAA), either local (password or SSH public key-based),
  or remote password-based TACACS+ or RADIUS.
• SSH server. SSH is a cryptographic protocol that encrypts all communication between devices.
• Ability to use enhanced security as described in Configuring enhanced security.
• Making sensitive switch configuration information available for secure export/import between
  switches. For information, see service export-password.
About Authentication, Authorization, and Accounting (AAA)
• Authentication: identifies users, validates their credentials, and grants switch access.
• Authorization: controls authenticated users' command execution and switch interaction privileges.
• Accounting: collects and manages user session activity logs for auditing and reporting purposes.
Local AAA on your Aruba switch provides:
• Authentication using a local password or SSH public key.
• Authorization using role-based access control (RBAC), and optionally, using user-defined local user
  groups with command authorization rules defined per group.
• Accounting of user activity on the switch using accounting logs.
Remote AAA provides the following for your Aruba switch:
• Authentication using remote AAA servers with either TACACS+ or RADIUS.
• Authorization using remote AAA servers with TACACS+ fine-grained command authorization. Local
  RBAC or local rule-based authorization is also possible.
• Transmission of locally collected accounting information to remote TACACS+ and RADIUS servers.
TACACS+ (Terminal Access Controller Access-Control System Plus) and RADIUS (Remote Authentication Dial-In
User Service) server software is readily available as either open source or from various vendors.
For switches that support multiple management modules such as the Aruba 8400, all AAA functionality discussed
only applies to the active management module. See also AAA on switches with multiple management modules in the
High Availability Guide.
Chapter 3
Managing users and groups
Default user admin
A factory-default switch comes with a single user named admin.
The admin user:
• Has an empty password. Press Enter in response to the admin password prompt. At initial boot, you
  are prompted to define a password for the admin user. Although empty (blank) passwords are
  allowed, it is recommended that you use strong passwords for all production switches.
• Is a member of the administrators group.
• Cannot be removed from the switch.
The switch admin user is distinct from the Service OS admin user. The Service OS acts as the bootloader and
recovery operating system. The Service OS has its own CLI.
Example of first login with password setting
switch login: admin
Password:
Please configure the 'admin' user account password.
Enter new password: ********
Confirm new password: ********
switch#
Built-in user groups and their privileges
The switch provides the following built-in user groups with corresponding roles. Each of these roles
comes with a set of privileges.
Group/Role
    Privileges

administrators
    Administrators have full privileges, including:
    • Full CLI access.
    • Performing firmware upgrades.
    • Viewing switch configuration information, including sensitive information such as
      passwords, which are displayed as ciphertext.
    • Performing switch configuration.
    • Adding/removing user accounts.
    • Configuring user accounts, including passwords. Once set, a password cannot be deleted or
      set to empty.
    • REST API: All methods (GET, PUT, POST, DELETE) and switch resources are available.
    The privilege level for administrators is 15.

operators
    Operators have no switch configuration privileges. Operators are restricted to:
    • Basic display-only CLI access.
    • Viewing of nonsensitive switch configuration information.
    • REST API: Other than the \login and \logout resources, only the GET method is available.
    The privilege level for operators is 1.

auditors
    Auditors are restricted to functions related to auditing only:
    • CLI: Access to commands in the auditor context (auditor>) only.
    • Web UI: Access to the System > Log page only.
    • REST API: POST method available for the \login and \logout resources. GET method available
      for the following resources only:
      ◦ Audit log: /logs/audit
      ◦ Event log: /logs/event
    The privilege level for auditors is 19.
User-defined user groups
The switch enables you to create up to 29 user-defined local user groups for the purpose of configuring
local authorization. Each of the 29 user-defined groups supports up to 1024 CLI command authorization
rules that define which CLI commands the members of the group can execute.
The local user groups with their command execution rules are useful for the following:
• Providing authorization for use with RADIUS servers.
• Providing fallback authorization for use with TACACS+ servers.
• Providing authorization when neither RADIUS nor TACACS+ servers are used.
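The following is an added example, not code from the AOS-CX switch or this guide, that models how a
user-defined group with ordered permit/deny command rules authorizes CLI commands, enforcing the
limits the guide states (29 user-defined groups, 1024 rules per group). The rule syntax (sequence
number, permit/deny, a regular expression matched against the whole command line), the first-match
evaluation order, and the implicit deny when no rule matches are assumptions made for the
illustration; the group name "helpdesk" and its rules are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Limits stated in the guide.
MAX_USER_DEFINED_GROUPS = 29
MAX_RULES_PER_GROUP = 1024
BUILT_IN_GROUPS = ("administrators", "operators", "auditors")


@dataclass
class CommandRule:
    """One CLI command authorization rule (assumed shape): a sequence number
    that fixes evaluation order, a permit/deny action, and a regular
    expression that must match the whole command line."""
    seq: int
    action: str
    pattern: str


@dataclass
class UserGroup:
    name: str
    rules: List[CommandRule] = field(default_factory=list)

    def add_rule(self, seq: int, action: str, pattern: str) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if len(self.rules) >= MAX_RULES_PER_GROUP:
            raise ValueError(f"group {self.name!r} already has {MAX_RULES_PER_GROUP} rules")
        re.compile(pattern)  # reject a malformed regex at configuration time, not at login
        self.rules.append(CommandRule(seq, action, pattern))

    def authorize(self, command: str) -> bool:
        """First matching rule in sequence order decides; no match means deny
        (assumed default, so a group with no rules can run nothing)."""
        cmd = " ".join(command.split())  # collapse repeated whitespace before matching
        for rule in sorted(self.rules, key=lambda r: r.seq):
            if re.fullmatch(rule.pattern, cmd):
                return rule.action == "permit"
        return False


class LocalAuthorization:
    """Registry of user-defined groups; built-in group names cannot be redefined."""

    def __init__(self) -> None:
        self.groups: Dict[str, UserGroup] = {}

    def create_group(self, name: str) -> UserGroup:
        if name in BUILT_IN_GROUPS:
            raise ValueError(f"{name!r} is a built-in group")
        if name in self.groups:
            return self.groups[name]
        if len(self.groups) >= MAX_USER_DEFINED_GROUPS:
            raise ValueError(f"at most {MAX_USER_DEFINED_GROUPS} user-defined groups are allowed")
        group = UserGroup(name)
        self.groups[name] = group
        return group

    def authorize(self, group_name: str, command: str) -> bool:
        # Administrators have full CLI access per the guide; other built-in
        # groups have fixed privileges that this model does not reproduce.
        if group_name == "administrators":
            return True
        group = self.groups.get(group_name)
        return group.authorize(command) if group else False


def build_demo() -> LocalAuthorization:
    """Constructed sample: a 'helpdesk' group that may run show and ping
    commands but must not display the running configuration. The deny rule
    carries the lowest sequence number so it wins over the broader permit."""
    auth = LocalAuthorization()
    helpdesk = auth.create_group("helpdesk")
    helpdesk.add_rule(10, "deny", r"show running-config.*")
    helpdesk.add_rule(20, "permit", r"show .*")
    helpdesk.add_rule(30, "permit", r"ping .*")
    return auth


if __name__ == "__main__":
    auth = build_demo()
    for cmd in ("show version", "show running-config", "ping 10.0.0.1", "configure terminal"):
        print(f"{cmd!r}: {'permit' if auth.authorize('helpdesk', cmd) else 'deny'}")
```

Ordering matters when a specific deny and a general permit overlap: with first-match evaluation the
deny must carry the lower sequence number, otherwise `show .*` would permit `show running-config`
before the deny is ever reached.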
User name requirements
Specifies the user name. Requirements:
• Must start with a lowercase letter.
• Can contain numbers and lowercase letters.
• Can include only these three special characters: hyphens ( - ), dots ( . ), and underscores ( _ ).
• Can have a maximum of 32 characters.
• Cannot be empty.
• Cannot contain uppercase letters.
• Cannot be: admin, root, or remote_user.
• Cannot be Linux reserved names such as:
  daemon,bin,sys,sync,proxy,www-data,backup,list,irc,gnats,nobody,systemd-bus-proxy,
  sshd,messagebus,rpc,systemd-journal-gateway,systemd-journal-remote,systemd-journal-
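As an added example (not code from the switch or this guide), the user name requirements above can be
expressed as a single validator that reports the first rule a candidate name violates, which is useful
when provisioning accounts from scripts before they are pushed to the switch. The set of Linux
reserved names is taken from the list reproduced on this page, which is cut off; the full list in the
guide should be used in practice. The function name `username_error` is an assumption for the
illustration.

```python
import re
from typing import Optional

MAX_USERNAME_LEN = 32

# Structure from the guide: a lowercase letter first, then only lowercase
# letters, digits, hyphen, dot or underscore, at most 32 characters in total.
_NAME_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")

# Names the guide forbids outright.
_FORBIDDEN = {"admin", "root", "remote_user"}

# Linux reserved names as reproduced on this page (the guide's list continues
# beyond what is shown here; extend this set from the full list).
_LINUX_RESERVED = {
    "daemon", "bin", "sys", "sync", "proxy", "www-data", "backup", "list",
    "irc", "gnats", "nobody", "systemd-bus-proxy", "sshd", "messagebus",
    "rpc", "systemd-journal-gateway", "systemd-journal-remote",
}


def username_error(name: str) -> Optional[str]:
    """Return None when `name` satisfies every requirement, otherwise a short
    description of the first requirement it violates."""
    if not name:
        return "user name cannot be empty"
    if len(name) > MAX_USERNAME_LEN:
        return f"user name cannot exceed {MAX_USERNAME_LEN} characters"
    if any("A" <= ch <= "Z" for ch in name):
        return "user name cannot contain uppercase letters"
    if not re.fullmatch(r"[a-z]", name[0]):
        return "user name must start with a lowercase letter"
    if not _NAME_RE.fullmatch(name):
        return "user name may contain only lowercase letters, digits, '-', '.' and '_'"
    if name in _FORBIDDEN:
        return f"user name {name!r} is reserved by the switch"
    if name in _LINUX_RESERVED:
        return f"user name {name!r} is a Linux reserved name"
    return None


def is_valid_username(name: str) -> bool:
    return username_error(name) is None


if __name__ == "__main__":
    # Constructed sample names covering the valid case and each rejection reason.
    for candidate in ("netops-1.a_b", "", "Admin", "1abc", "user name", "admin", "www-data"):
        print(f"{candidate!r}: {username_error(candidate) or 'ok'}")
```

The uppercase check runs before the structural regex so that a name such as `Admin` is reported for
the rule the guide lists explicitly rather than as a generic character-set failure.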