Aruba 6000 User guide

Category
Software
Type
User guide

This manual is also suitable for

AOS-CX 10.13 Security Guide
4100i, 6000, 6100 Switch Series
November 2023
Edition: 1
|2
Copyright Information
© Copyright 2023 Hewlett Packard Enterprise Development LP.
This product includes code licensed under certain open source licenses which require source
compliance. The corresponding source for these components is available upon request. This offer is
valid to anyone in receipt of this information and shall expire three years following the date of the final
distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source
code, please check if the code is available in the HPE Software Center at
https://myenterpriselicense.hpe.com/cwp-ui/software but, if not, send a written request for specific
software version and product for which you want the open source code. Along with the request, please
send a check or money order in the amount of US $10.00 to:
Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America.
Notices
The information contained herein is subject to change without notice. The only warranties for Hewlett
Packard Enterprise products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or
omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession,
use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer
Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government
under vendor's standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard
Enterprise website.
Contents
Contents
Contents 3
About this document 15
Applicable products 15
Latest version available online 15
Command syntax notation conventions 15
About the examples 16
Identifying switch ports and interfaces 16
About security 18
About Authentication, Authorization, and Accounting (AAA) 18
Managing users and groups 19
Default user admin 19
Example of first login with password setting 19
Built-in user groups and their privileges 19
User-defined user groups 20
User name requirements 20
Password requirements 21
Per-user management interface enablement 21
Local per-user management interface enablement 21
Remote (TACACS+ or RADIUS) per-user management interface enablement 22
User and user group management tasks 23
Resetting the switch admin password using the Service OS console 24
Resetting the admin password by reverting the switch to factory defaults 25
User and group commands 26
password complexity 26
service export-password 30
show password-complexity 31
show user-group 31
show user-list 32
show user-list management-interface 34
show user information 34
user 36
user-group 39
user management-interface 43
user password 44
SSH server 47
SSH defaults 47
SSH server tasks 48
SSH server commands 48
show ssh host-key 49
show ssh server 50
show ssh server sessions 51
ssh ciphers 52
AOS-CX 10.13 Security Guide 3
Contents |4
ssh host-key 53
ssh host-key-algorithms 54
ssh key-exchange-algorithms 55
ssh known-host remove 56
ssh macs 57
ssh maximum-auth-attempts 58
ssh public-key-algorithms 59
ssh server allow-list 60
ssh server port 62
ssh server vrf 62
SSH client 64
SSH client commands 64
ssh (client login) 64
Local AAA 66
Local AAA defaults and limits 66
Supported platforms and standards 66
Scale 66
Local authentication 67
Password-based local authentication 67
SSH public key-based local authentication 67
Local authentication tasks 67
Local authorization 69
Local authorization tasks 70
Local accounting 70
Local accounting tasks 70
Local AAA commands 71
aaa accounting all-mgmt 71
aaa authentication console-login-attempts 72
aaa authentication limit-login-attempts 74
aaa authentication login 75
aaa authentication minimum-password-length 76
aaa authorization commands (local) 77
show aaa accounting 79
show aaa authentication 80
show aaa authorization 81
show authentication locked-out-users 83
show ssh authentication-method 83
show user 84
ssh password-authentication 85
ssh public-key-authentication 86
user authorized-key 86
Remote AAA with TACACS+ 89
Parameters for TACACS+ server 89
Default server groups 90
Supported platforms and standards 90
About global versus per-TACACS+ server passkeys (shared secrets) 91
Remote AAA TACACS+ server configuration requirements 91
User role assignment using TACACS+ attributes 92
TACACS+ server redundancy and access sequence 92
Single source IP address for consistent source identification to AAA servers 93
TACACS+ general tasks 93
TACACS+ authentication 94
AOS-CX 10.13 Security Guide | (4100i, 6000, 6100 Switch Series) 5
About authentication fail-through 94
TACACS+ authentication tasks 94
TACACS+ authorization 95
Using local authorization as fallback from TACACS+ authorization 95
About authentication fail-through and authorization 95
TACACS+ authorization tasks 96
TACACS+ accounting 96
Sample accounting information on a TACACS+ server 97
Sample REST accounting information on a TACACS+ server 97
TACACS+ accounting tasks 97
Example: Configuring the switch for Remote AAA with TACACS+ 98
Remote AAA with RADIUS 101
Parameters for RADIUS server 101
Default server groups 102
Supported platforms and standards 103
About global versus per-RADIUS server passkeys (shared secrets) 104
Remote AAA RADIUS server configuration requirements 104
User role assignment using RADIUS attributes 104
RADIUS server redundancy and access sequence 105
Configuration task list 105
Single source IP address for consistent source identification to AAA servers 106
RADIUS general tasks 107
Per-port RADIUS server group configuration 108
RADIUS authentication 108
About authentication fail-through 108
RADIUS authentication tasks 109
Two-factor authentication 110
Configuring two-factor authentication (for local users) 110
Configuring two-factor authentication with SSH (for remote-only users) 111
Configuring two-factor authentication with HTTPS server and REST (for remote-only
users) 114
Two-factor authentication commands 117
aaa authorization radius 117
https-server authentication certificate 118
ssh certificate-as-authorized-key 119
ssh two-factor-authentication 120
RADIUS accounting 121
Sample general accounting information 122
RADIUS accounting tasks 123
Example: Configuring the switch for Remote AAA with RADIUS 124
Remote AAA (TACACS+, RADIUS) commands 127
aaa accounting allow-fail-through 127
aaa accounting all-mgmt 127
aaa authentication allow-fail-through 130
aaa authentication login 131
aaa authorization allow-fail-through 133
aaa authorization commands 135
aaa group server 138
radius-server auth-type 139
radius-server host 140
radius-server host (ClearPass) 143
radius-server host secure ipsec 144
radius-server host tls port-access 149
radius-server host tls tracking-method 150
Contents |6
radius-server key 152
radius-server retries 153
radius-server status-server interval 154
radius-server timeout 154
radius-server tracking 155
server 157
show aaa accounting 159
show aaa authentication 161
show aaa authorization 163
show aaa server-groups 165
show accounting log 167
show radius-server 170
show radius-server secure ipsec 175
show tacacs-server 176
show tacacs-server statistics 178
show tech aaa 179
tacacs-server auth-type 185
tacacs-server host 186
tacacs-server key 188
tacacs-server timeout 189
tacacs-server tracking 190
Dynamic Segmentation 193
User-based tunneling 193
Protocol and feature details 194
UBT fallback role 195
Wake-on-LAN VLANs 195
Supported platforms and standards 196
Scale 196
Configuration task list 196
Points to remember 197
Use cases 200
Use case 1: Wired access firewall 201
Use case 2: Wired guest/device segmentation 201
Use case 3: Branch deployment 202
Debugging and troubleshooting 203
Show commands 203
Debug commands 206
FAQs 206
User-based tunneling commands 211
backup-controller ip 211
enable 212
ip source-interface 213
papi-security-key 214
primary-controller ip 215
sac-heartbeat-interval 216
show capacities ubt 217
show ip source-interface ubt 217
show running-config ubt 218
show ubt 219
show ubt information 221
show ubt statistics 223
show ubt state 227
show ubt users 230
uac-keepalive-interval 232
ubt 233
AOS-CX 10.13 Security Guide | (4100i, 6000, 6100 Switch Series) 7
ubt-client-vlan 234
ubt mode vlan-extend 235
wol-enable vlan 236
RADIUS dynamic authorization 239
Requirements and tips 239
RADIUS dynamic authorization commands 239
radius dyn-authorization enable 240
radius dyn-authorization client 240
radius dyn-authorization client tls (RadSec) 242
radius dyn-authorization port 244
show radius dyn-authorization 244
show radius dyn-authorization client 246
show radius dyn-authorization client tls (RadSec) 248
Client Insight 250
Supported Platforms 251
Prerequisites 251
Points to Note 251
Limitations 251
Feature Interoperability 252
Troubleshooting Client Insight 252
Client Insight Commands 252
client-insight enable 252
client-insight on-boarding event logs 253
diag-dump client-insight basic 254
show capacities client-insight-client-limit 256
show capacities-status client-insight-client-limit 257
show events -c client-insight 257
show tech client-insight 260
PKI 263
PKI concepts 263
Digital certificate 263
Certificate authority 264
Root certificate 264
Leaf certificate 264
Intermediate certificate 264
Trust anchor 264
OCSP 264
PKI on the switch 264
Trust anchor profiles 264
Leaf certificates 265
Mandatory matching of peer device hostname 265
PKI EST 265
EST usage overview 265
Prerequisites for using EST for certificate enrollment 266
EST profile configuration 266
Certificate enrollment 266
Certificate re-enrollment 267
Checking EST profile and certificate configuration 267
EST best practices 267
Example using EST for certificate enrollment 267
Example including the use of an intermediate certificate 273
Installing a self-signed leaf certificate (created inside the switch) 275
Installing a self-signed leaf certificate (created outside the switch) 276
Contents |8
Installing a certificate of a root CA 277
Installing a downloadable user role certificate 278
Installing a CA-signed leaf certificate (initiated in the switch) 279
Installing a CA-signed leaf certificate (created outside the switch) 280
PKI commands 281
crypto pki application 281
crypto pki certificate 283
crypto pki ta-profile 284
enroll self-signed 285
enroll terminal 285
import (CA-signed leaf certificate) 286
import (self-signed leaf certificate) 288
key-type 290
ocsp disable-nonce 291
ocsp enforcement-level 292
ocsp url 293
ocsp vrf 294
revocation-check ocsp 295
show crypto pki application 295
show crypto pki certificate 296
show crypto pki ta-profile 298
ta-certificate 300
subject 301
PKI EST commands 303
arbitrary-label 303
arbitrary-label-enrollment 304
arbitrary-label-reenrollment 305
crypto pki est-profile 306
enroll est-profile 307
reenrollment-lead-time 308
retry-count 309
retry-interval 310
show crypto pki est-profile 310
url 311
username 313
vrf 314
Captive portal (RADIUS) 316
Protocol and feature details 316
About captive portal (RADIUS) 317
Supported platforms 318
Configuration task lists 318
Switch configuration 318
ClarPass Policy Manager configuration 319
Profiles 319
Policies 321
Services 322
Guest page configuration 322
LUR(Local User Role) 324
DUR(Downloadable User Role) 324
RADIUSVSA(Vendor-Specific Attribute) 326
IPv4 Captive portal example configuration 326
Policy configuration 326
Captive portal configuration 327
User role configuration 327
IPv6 Captive portal example configuration 327
AOS-CX 10.13 Security Guide | (4100i, 6000, 6100 Switch Series) 9
Considerations and best practices 328
Use cases 328
Captive Portal 328
Private environments 329
Public environments 329
Integration with Aruba ClearPass 329
Captive portal (RADIUS) commands 329
aaa authentication port-access captive-portal-profile 329
show port-access captive-portal-profile 330
url 332
url-hash-key 333
Debugging and troubleshooting 334
Show commands 334
Frequently asked questions 335
Port access 337
Port access 802.1X authentication 337
Port access MAC authentication 338
How MAC authentication works 339
How RADIUS server is used in MAC authentication 339
Supported platforms and standards 340
Scale 340
Supported RFCs and standards 340
Considerations and best practices 340
Port access and Private VLAN interoperability considerations 341
Port access configuration task list 342
Port access 802.1X and MAC authentication configuration example 342
Use cases 344
Use case 1: Faster onboarding of MAC authentication clients using concurrent
onboarding 344
Use case 2: PXE clients that download the supplicant 345
Port access 802.1X authentication commands 345
aaa authentication port-access dot1x authenticator 345
aaa authentication port-access dot1x authenticator auth-method 346
aaa authentication port-access dot1x authenticator cached-reauth 347
aaa authentication port-access dot1x authenticator cached-reauth-period 348
aaa authentication port-access dot1x authenticator discovery-period 349
aaa authentication port-access dot1x authenticator eap-tls-fragment 349
aaa authentication port-access dot1x authenticator eapol-timeout 350
aaa authentication port-access dot1x authenticator initial-auth-response-timeout 351
aaa authentication port-access dot1x authenticator max-eapol-requests 352
aaa authentication port-access dot1x authenticator max-retries 353
aaa authentication port-access dot1x authenticator quiet-period 354
aaa authentication port-access dot1x authenticator radius server-group 355
aaa authentication port-access dot1x authenticator reauth 356
aaa authentication port-access dot1x authenticator reauth-period 356
clear dot1x authenticator statistics interface 357
show aaa authentication port-access dot1x authenticator interface client-status 358
show aaa authentication port-access dot1x authenticator interface port-statistics 360
Port access MAC authentication commands 361
aaa authentication port-access allow-lldp-auth [mac {source-mac|chassis-mac}] 361
aaa authentication port-access mac-auth 363
aaa authentication port-access mac-auth addr-format 363
aaa authentication port-access mac-auth auth-method 364
aaa authentication port-access mac-auth cached-reauth 365
aaa authentication port-access mac-auth cached-reauth-period 366
Contents |10
aaa authentication port-access mac-auth password 367
aaa authentication port-access mac-auth quiet-period 367
aaa authentication port-access mac-auth radius server-group 368
aaa authentication port-access mac-auth reauth 369
aaa authentication port-access mac-auth reauth-period 370
clear mac-auth statistics 371
show aaa authentication port-access mac-auth interface client-status 372
show aaa authentication port-access mac-auth interface port-statistics 373
Port access general commands 374
aaa authentication port-access allow-lldp-auth 374
aaa authentication port-access allow-cdp-auth 376
aaa authentication port-access auth-mode 377
aaa authentication port-access auth-precedence 379
aaa authentication port-access auth-priority 380
aaa authentication port-access auth-role 381
aaa authentication port-access client-auto-log-off final-authentication-failure 382
aaa authentication port-access client-limit 383
aaa authentication port-access client-limit multi-domain 383
aaa authentication port-access radius-override 384
port-access allow-flood-traffic 385
port-access auto-vlan 386
port-access client-move 387
port-access event-log client 388
port-access fallback-role 389
port-access log-off client 390
port-access onboarding-method precedence 391
port-access onboarding-method concurrent 392
port-access reauthenticate interface 393
show aaa authentication port-access interface client-status 394
show port-access clients 396
show port-access clients detail 401
show port-access clients onboarding-method 409
Port access debugging and troubleshooting 411
Radius server reachability debugging and troubleshooting 411
Port access MAC authentication debugging and troubleshooting 412
Using show commands 412
Using debug commands 413
Port access 802.1X authentication debugging and troubleshooting 414
Using show commands 414
Using other commands 416
Port access FAQ 417
References 417
Multidomain authentication 417
Multidomain authentication requirements 418
Scenarios with Aruba-Port-Auth-Mode and Aruba-Device-Traffic-Class VSAs 418
Scenarios with device-traffic-class configuration in role 419
Port access auto-VLAN 420
Support for voice VLAN 420
Auto-VLAN limitations 420
Port access security violation 421
Port access security violation commands 421
port-access security violation action 421
port-access security violation action shutdown auto-recovery 422
port-access security violation action shutdown recovery-timer 423
show interface 424
show port-access aaa violation interface 424
AOS-CX 10.13 Security Guide | (4100i, 6000, 6100 Switch Series) 11
show port-access port-security violation client-limit-exceeded interface 426
Port access policy 427
Classes and actions supported by port access policies 427
RADIUS policies 427
Filter-ID 428
NAS-Filter-Rule 428
Aruba-NAS-Filter-Rule 429
Limitations 429
Port access policy commands 430
port-access policy 430
port-access policy copy 434
port-access policy resequence 435
port-access policy reset 435
clear port-access policy hitcounts 437
show port-access policy 439
show port-access policy hitcounts 441
Port access role 442
Operational notes 444
Downloadable user roles 444
Mixed roles 444
Important points to note 445
Limitations 445
Supported RADIUS attributes in mixed roles 445
Cached-critical role 446
Cached-critical role tasks 447
Restrictions 448
Troubleshooting 449
Special roles 449
Critical role 449
Reject role 450
Pre-authentication role 450
Auth-role 451
Fallback role 451
Port access role commands 451
associate policy 451
auth-mode 452
cached-reauth-period 453
client-inactivity timeout 454
device-traffic-class 455
description 456
mtu 457
poe-allocate-by 457
poe-priority 458
port-access role 459
reauth-period 460
session timeout 460
show aaa authentication port-access interface client-status 461
show port-access role 462
stp-admin-edge-port 466
trust-mode 467
vlan 467
Port access cached-critical role commands 469
aaa authentication port-access cached-critical-role (global) 469
aaa authentication port-access cached-critical-role (per interface) 471
port-access clear cached-client 472
show port-access cached-clients 473
Contents |12
show port-access cached-critical-role info 475
Port access VLAN groups 476
VLAN grouping limitations 477
VLAN group load balancing 477
Port access VLAN group commands 478
associate-vlan 478
port-access vlan-group 479
show running-config port-access vlan-group 480
Port access 802.1X supplicant authentication 481
Feature details 481
Sub-features 482
Supported platforms 483
802.1X supplicant policy configuration and considerations 483
Recommended configuration 484
Port access 802.1X supplicant commands 484
aaa authentication port-access dot1x supplicant(global) 484
aaa authentication port-access dot1x supplicant(port) 485
associate policy 486
canned-eap-success 487
clear dot1x supplicant statistics 488
discovery-timeout 489
eap-identity 490
eapol-force-multicast 492
eapol-method 493
eapol-protocol-version 494
eapol-timeout 495
enable 496
enable 497
fail-mode 498
held-period 499
max-retries 500
policy (supplicant) 501
port-access dot1x supplicant restart 502
show aaa authentication port-access dot1x supplicant policy 503
show aaa authentication port-access dot1x supplicant statistics 505
show aaa authentication port-access dot1x supplicant status 507
start-mode 509
Troubleshooting 510
Prerequisites 510
Packet capture 511
FAQ 512
Configurable RADIUS attributes (port access) 513
Configurable RADIUS attribute commands 513
aaa radius-attribute group 513
nas-id request-type 514
nas-id value 515
nas-ip-addr request-type authentication 516
nas-ip-addr service-type user-management 517
tunnel-private-group-id request-type 518
tunnel-private-group-id value 519
vsa vendor 520
Supported RADIUS attributes 521
Attributes supported in 802.1X authentication 521
AOS-CX 10.13 Security Guide | (4100i, 6000, 6100 Switch Series) 13
Attributes supported in MAC authentication 521
Attributes supported in dynamic authorization 522
Session authorization attributes supported in 802.1X and MAC authentication, and CoA 522
Standard session attributes supported 522
Vendor-Specific Attributes supported in session authorization 523
Description of VSAs 523
Attributes supported in RADIUS network accounting 525
Attributes supported in RADIUS server tracking 525
Port security 526
Port-security sticky MAC 526
Basic operation 526
Default port security operation 526
Intruder protection 527
General operation for port security 527
Blocking unauthorized traffic 527
Trunk group exclusion 528
Port security commands 528
port-access port-security 528
port-access port-security client-limit 529
port-access port-security mac-address 530
show port-access port-security interface client-status 531
show port-access port-security interface port-statistics 532
sticky-learn enable 533
show port-access security violation sticky-mac-client-move interface 534
Fault Monitor 536
Fault monitoring conditions 536
Excessive broadcasts 536
Excessive multicasts 536
Excessive link flaps 536
Excessive oversize packets 536
Excessive jabbers 536
Excessive fragments 536
Excessive CRC errors 537
Excessive late collisions 537
Excessive collisions 537
Excessive TX drops 537
Excessive alignment errors 537
Fault monitor commands 537
(Fault enabling/disabling) 537
action 539
apply fault-monitor profile 541
fault-monitor profile 542
show fault-monitor profile 543
show interface fault-monitor profile 545
show interface fault-monitor status 545
show running-config 546
threshold 548
Device fingerprinting 551
Supported protocols 551
Configuring device fingerprinting 552
Device fingerprinting commands 552
cdp 552
client device-fingerprint apply-profile 553
Contents |14
client device-fingerprint client-limit 554
client device-fingerprint profile 555
dhcp 555
http user-agent 556
lldp (device fingerprinting) 557
show client device-fingerprint 558
show client device-fingerprint active 560
show client device-fingerprint profile 561
Configuring enhanced security 563
Configuring enhanced security 563
Configuring remote logging using SSH reverse tunnel 564
CLI user session management commands 565
cli-session 565
Auditors and auditing tasks 568
Auditing tasks (CLI) 568
Auditing tasks (Web UI) 568
REST requests and accounting logs 569
Support and Other Resources 570
Accessing Aruba Support 570
Accessing Updates 571
Aruba Support Portal 571
My Networking 571
Warranty Information 571
Regulatory Information 571
Documentation Feedback 572
Chapter 1
About this document
About this document
This document describes features of the AOS-CX network operating system. It is intended for
administrators responsible for installing, configuring, and managing Aruba switches on a network.
Applicable products
This document applies to the following products:
nAruba 4100i Switch Series (JL817A, JL818A)
nAruba 6000 Switch Series (R8N85A, R8N86A, R8N87A, R8N88A, R8N89A, R9Y03A)
nAruba 6100 Switch Series (JL675A, JL676A, JL677A, JL678A, JL679A)
Latest version available online
Updates to this document can occur after initial publication. For the latest versions of product
documentation, see the links provided in Support and Other Resources.
Command syntax notation conventions
Convention Usage
example-text Identifies commands and their options and operands, code examples,
filenames, pathnames, and output displayed in a command window. Items
that appear like the example text in the previous column are to be entered
exactly as shown and are required unless enclosed in brackets ([ ]).
example-text In code and screen examples, indicates text entered by a user.
Any of the following:
n<example-text>
n<example-text>
nexample-text
nexample-text
Identifies a placeholder—such as a parameter or a variable—that you must
substitute with an actual value in a command or in code:
nFor output formats where italic text cannot be displayed, variables
are enclosed in angle brackets (< >). Substitute the text—including
the enclosing angle brackets—with an actual value.
nFor output formats where italic text can be displayed, variables
might or might not be enclosed in angle brackets. Substitute the
text including the enclosing angle brackets, if any, with an actual
value.
|Vertical bar. A logical OR that separates multiple items from which you can
choose only one.
Any spaces that are on either side of the vertical bar are included for
readability and are not a required part of the command syntax.
AOS-CX 10.13 Security Guide 15
About this document |16
Convention Usage
{ } Braces. Indicates that at least one of the enclosed items is required.
[ ] Brackets. Indicates that the enclosed item or items are optional.
or
...
Ellipsis:
nIn code and screen examples, a vertical or horizontal ellipsis indicates an
omission of information.
nIn syntax using brackets and braces, an ellipsis indicates items that can be
repeated. When an item followed by ellipses is enclosed in brackets, zero
or more items can be specified.
About the examples
Examples in this document are representative and might not match your particular switch or
environment.
The slot and port numbers in this document are for illustration only and might be unavailable on your
switch.
Understanding the CLI prompts
When illustrating the prompts in the command line interface (CLI), this document uses the generic term
switch, instead of the host name of the switch. For example:
switch>
The CLI prompt indicates the current command context. For example:
switch>
Indicates the operator command context.
switch#
Indicates the manager command context.
switch(CONTEXT-NAME)#
Indicates the configuration context for a feature. For example:
switch(config-if)#
Identifies the interface context.
Variable information in CLI prompts
In certain configuration contexts, the prompt may include variable information. For example, when in
the VLAN configuration context, a VLAN number appears in the prompt:
switch(config-vlan-100)#
When referring to this context, this document uses the syntax:
switch(config-vlan-<VLAN-ID>)#
Where <VLAN-ID> is a variable representing the VLAN number.
Identifying switch ports and interfaces
Physical ports on the switch and their corresponding logical software interfaces are identified using the
format:
member/slot/port
On the 4100i Switch Series
AOS-CX 10.13 Security Guide | (4100i, 6000, 6100 Switch Series) 17
nmember: Always 1. VSF is not supported on this switch.
nslot: Always 1. This is not a modular switch, so there are no slots.
nport: Physical number of a port on the switch.
For example, the logical interface 1/1/4 in software is associated with physical port 4 on the switch.
On the 6000 and 6100 Switch Series
nmember: Always 1. VSF is not supported on this switch.
nslot: Always 1. This is not a modular switch, so there are no slots.
nport: Physical number of a port on the switch.
For example, the logical interface 1/1/4 in software is associated with physical port 4 on the switch.
Chapter 2
About security
About security
This AOS-CX Switch provides the following security features:
nLocal user and group management.
nAuthentication, Authorization, and Accounting (AAA), either local (password or SSH public key-based),
or remote password-based TACACS+ or RADIUS.
nSSH server. SSH is a cryptographic protocol that encrypts all communication between devices.
nAbility to use enhanced security as described in Configuring enhanced security .
nMaking sensitive switch configuration information available for secure export/import between
switches. For information, see service export-password.
About Authentication, Authorization, and Accounting (AAA)
nAuthentication: identifies users, validates their credentials, and grants switch access.
nAuthorization: controls authenticated users command execution and switch interaction privileges.
nAccounting: collects and manages user session activity logs for auditing and reporting purposes.
Local AAA on your Aruba switch provides:
nAuthentication using local password or SSH public key.
nAuthorization using role-based access control (RBAC), and optionally, using user-defined local user
groups with command authorization rules defined per group.
nAccounting of user activity on the switch using accounting logs.
Remote AAA provides the following for your Aruba switch:
nAuthentication using remote AAA servers with either TACACS+ or RADIUS.
nAuthorization using remote AAA servers with TACACS+ fine-grained command authorization. Local
RBAC or local rule-based authorization is also possible.
nTransmission of locally collected accounting information to remote TACACS+ and RADIUS servers.
TACACS+ (Terminal Access Controller Access-Control System Plus) and RADIUS (Remote Authentication Dial-In
User Service) server software is readily available as either open source or from various vendors.
For switches that support multiple management modules such as the Aruba 8400, all AAA functionality discussed
only applies to the active management module. See also AAA on switches with multiple management modules in the
High Availability Guide.
AOS-CX 10.13 Security Guide 18
Chapter 3
Managing users and groups
Managing users and groups
Default user admin
A factory-default switch comes with a single user named admin.
The admin user:
nHas an empty password. Press Enter in response to the admin password prompt. At initial boot, you
are prompted to define a password for the admin user. Although empty (blank) passwords are
allowed, it is recommended that you use strong passwords for all production switches.
nIs a member of the administrators group.
nCannot be removed from the switch.
The switch admin user is distinct from the Service OS admin user. The Service OS acts as the bootloader and
recovery operating system. The Service OS has its own CLI.
Example of first login with password setting
switch login: admin
Password:
Please configure the 'admin' user account password.
Enter new password: ********
Confirm new password: ********
switch#
Built-in user groups and their privileges
The switch provides the following built-in user groups with corresponding roles. Each of these roles
comes with a set of privileges.
Group/Role Privileges
administrators Administrators have full privileges, including:
nFull CLI access.
nPerforming firmware upgrades.
nViewing switch configuration information, including sensitive information such as
passwords which are displayed as ciphertext.
nPerforming switch configuration.
nAdding/removing user accounts.
nConfiguring users accounts, including passwords. Once set, a password cannot be
deleted or set to empty.
AOS-CX 10.13 Security Guide 19
Managing users and groups |20
Group/Role Privileges
nREST API: All methods (GET, PUT, POST, DELETE) and switch resources are available.
The privilege level for administrators is 15.
operators Operators have no switch configuration privileges. Operators are restricted to:
nBasic display-only CLI access.
nViewing of nonsensitive switch configuration information.
nREST API: Other than the \login and \logout resources, only the GET method is
available.
The privilege level for operators is 1.
auditors Auditors are restricted to functions related to auditing only:
nCLI: Access to commands in the auditor context (auditor>) only.
nWeb UI: Access to the System > Log page only.
nREST API: POST method available for the \login and \logout resources. GET
method available for the following resources only:
oAudit log: /logs/audit
oEvent log: /logs/event
The privilege level for auditors is 19.
User-defined user groups
The switch enables you to create up to 29 user-defined local user groups, for the purpose of configuring
local authorization. Each of the 29 user-defined groups support up to 1024 CLI command authorization
rules that define what CLI commands can be executed by members of the group.
The local user groups with their command execution rules are useful for the following:
nProviding authorization for use with RADIUS servers.
nProviding fallback authorization for use with TACACS+ servers.
nProviding authorization when neither RADIUS or TACACS+ servers are used.
User name requirements
Specifies the user name. Requirements:
nMust start with a lowercase letter.
nCan contain numbers and lowercase letters.
nCan include only these three special characters: hyphens ( - ), dots ( . ), and underscores ( _ ).
nCan have a maximum of 32 characters.
nCannot be empty.
nCannot contain uppercase letters.
nCannot be: admin, root, or remote_user.
nCannot be Linux reserved names such as:
daemon,bin,sys,sync,proxy,www-data,backup,list,irc,gnats,nobody,systemd-bus-proxy,
sshd,messagebus,rpc,systemd-journal-gateway,systemd-journal-remote,systemd-journal-
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92
  • Page 93 93
  • Page 94 94
  • Page 95 95
  • Page 96 96
  • Page 97 97
  • Page 98 98
  • Page 99 99
  • Page 100 100
  • Page 101 101
  • Page 102 102
  • Page 103 103
  • Page 104 104
  • Page 105 105
  • Page 106 106
  • Page 107 107
  • Page 108 108
  • Page 109 109
  • Page 110 110
  • Page 111 111
  • Page 112 112
  • Page 113 113
  • Page 114 114
  • Page 115 115
  • Page 116 116
  • Page 117 117
  • Page 118 118
  • Page 119 119
  • Page 120 120
  • Page 121 121
  • Page 122 122
  • Page 123 123
  • Page 124 124
  • Page 125 125
  • Page 126 126
  • Page 127 127
  • Page 128 128
  • Page 129 129
  • Page 130 130
  • Page 131 131
  • Page 132 132
  • Page 133 133
  • Page 134 134
  • Page 135 135
  • Page 136 136
  • Page 137 137
  • Page 138 138
  • Page 139 139
  • Page 140 140
  • Page 141 141
  • Page 142 142
  • Page 143 143
  • Page 144 144
  • Page 145 145
  • Page 146 146
  • Page 147 147
  • Page 148 148
  • Page 149 149
  • Page 150 150
  • Page 151 151
  • Page 152 152
  • Page 153 153
  • Page 154 154
  • Page 155 155
  • Page 156 156
  • Page 157 157
  • Page 158 158
  • Page 159 159
  • Page 160 160
  • Page 161 161
  • Page 162 162
  • Page 163 163
  • Page 164 164
  • Page 165 165
  • Page 166 166
  • Page 167 167
  • Page 168 168
  • Page 169 169
  • Page 170 170
  • Page 171 171
  • Page 172 172
  • Page 173 173
  • Page 174 174
  • Page 175 175
  • Page 176 176
  • Page 177 177
  • Page 178 178
  • Page 179 179
  • Page 180 180
  • Page 181 181
  • Page 182 182
  • Page 183 183
  • Page 184 184
  • Page 185 185
  • Page 186 186
  • Page 187 187
  • Page 188 188
  • Page 189 189
  • Page 190 190
  • Page 191 191
  • Page 192 192
  • Page 193 193
  • Page 194 194
  • Page 195 195
  • Page 196 196
  • Page 197 197
  • Page 198 198
  • Page 199 199
  • Page 200 200
  • Page 201 201
  • Page 202 202
  • Page 203 203
  • Page 204 204
  • Page 205 205
  • Page 206 206
  • Page 207 207
  • Page 208 208
  • Page 209 209
  • Page 210 210
  • Page 211 211
  • Page 212 212
  • Page 213 213
  • Page 214 214
  • Page 215 215
  • Page 216 216
  • Page 217 217
  • Page 218 218
  • Page 219 219
  • Page 220 220
  • Page 221 221
  • Page 222 222
  • Page 223 223
  • Page 224 224
  • Page 225 225
  • Page 226 226
  • Page 227 227
  • Page 228 228
  • Page 229 229
  • Page 230 230
  • Page 231 231
  • Page 232 232
  • Page 233 233
  • Page 234 234
  • Page 235 235
  • Page 236 236
  • Page 237 237
  • Page 238 238
  • Page 239 239
  • Page 240 240
  • Page 241 241
  • Page 242 242
  • Page 243 243
  • Page 244 244
  • Page 245 245
  • Page 246 246
  • Page 247 247
  • Page 248 248
  • Page 249 249
  • Page 250 250
  • Page 251 251
  • Page 252 252
  • Page 253 253
  • Page 254 254
  • Page 255 255
  • Page 256 256
  • Page 257 257
  • Page 258 258
  • Page 259 259
  • Page 260 260
  • Page 261 261
  • Page 262 262
  • Page 263 263
  • Page 264 264
  • Page 265 265
  • Page 266 266
  • Page 267 267
  • Page 268 268
  • Page 269 269
  • Page 270 270
  • Page 271 271
  • Page 272 272
  • Page 273 273
  • Page 274 274
  • Page 275 275
  • Page 276 276
  • Page 277 277
  • Page 278 278
  • Page 279 279
  • Page 280 280
  • Page 281 281
  • Page 282 282
  • Page 283 283
  • Page 284 284
  • Page 285 285
  • Page 286 286
  • Page 287 287
  • Page 288 288
  • Page 289 289
  • Page 290 290
  • Page 291 291
  • Page 292 292
  • Page 293 293
  • Page 294 294
  • Page 295 295
  • Page 296 296
  • Page 297 297
  • Page 298 298
  • Page 299 299
  • Page 300 300
  • Page 301 301
  • Page 302 302
  • Page 303 303
  • Page 304 304
  • Page 305 305
  • Page 306 306
  • Page 307 307
  • Page 308 308
  • Page 309 309
  • Page 310 310
  • Page 311 311
  • Page 312 312
  • Page 313 313
  • Page 314 314
  • Page 315 315
  • Page 316 316
  • Page 317 317
  • Page 318 318
  • Page 319 319
  • Page 320 320
  • Page 321 321
  • Page 322 322
  • Page 323 323
  • Page 324 324
  • Page 325 325
  • Page 326 326
  • Page 327 327
  • Page 328 328
  • Page 329 329
  • Page 330 330
  • Page 331 331
  • Page 332 332
  • Page 333 333
  • Page 334 334
  • Page 335 335
  • Page 336 336
  • Page 337 337
  • Page 338 338
  • Page 339 339
  • Page 340 340
  • Page 341 341
  • Page 342 342
  • Page 343 343
  • Page 344 344
  • Page 345 345
  • Page 346 346
  • Page 347 347
  • Page 348 348
  • Page 349 349
  • Page 350 350
  • Page 351 351
  • Page 352 352
  • Page 353 353
  • Page 354 354
  • Page 355 355
  • Page 356 356
  • Page 357 357
  • Page 358 358
  • Page 359 359
  • Page 360 360
  • Page 361 361
  • Page 362 362
  • Page 363 363
  • Page 364 364
  • Page 365 365
  • Page 366 366
  • Page 367 367
  • Page 368 368
  • Page 369 369
  • Page 370 370
  • Page 371 371
  • Page 372 372
  • Page 373 373
  • Page 374 374
  • Page 375 375
  • Page 376 376
  • Page 377 377
  • Page 378 378
  • Page 379 379
  • Page 380 380
  • Page 381 381
  • Page 382 382
  • Page 383 383
  • Page 384 384
  • Page 385 385
  • Page 386 386
  • Page 387 387
  • Page 388 388
  • Page 389 389
  • Page 390 390
  • Page 391 391
  • Page 392 392
  • Page 393 393
  • Page 394 394
  • Page 395 395
  • Page 396 396
  • Page 397 397
  • Page 398 398
  • Page 399 399
  • Page 400 400
  • Page 401 401
  • Page 402 402
  • Page 403 403
  • Page 404 404
  • Page 405 405
  • Page 406 406
  • Page 407 407
  • Page 408 408
  • Page 409 409
  • Page 410 410
  • Page 411 411
  • Page 412 412
  • Page 413 413
  • Page 414 414
  • Page 415 415
  • Page 416 416
  • Page 417 417
  • Page 418 418
  • Page 419 419
  • Page 420 420
  • Page 421 421
  • Page 422 422
  • Page 423 423
  • Page 424 424
  • Page 425 425
  • Page 426 426
  • Page 427 427
  • Page 428 428
  • Page 429 429
  • Page 430 430
  • Page 431 431
  • Page 432 432
  • Page 433 433
  • Page 434 434
  • Page 435 435
  • Page 436 436
  • Page 437 437
  • Page 438 438
  • Page 439 439
  • Page 440 440
  • Page 441 441
  • Page 442 442
  • Page 443 443
  • Page 444 444
  • Page 445 445
  • Page 446 446
  • Page 447 447
  • Page 448 448
  • Page 449 449
  • Page 450 450
  • Page 451 451
  • Page 452 452
  • Page 453 453
  • Page 454 454
  • Page 455 455
  • Page 456 456
  • Page 457 457
  • Page 458 458
  • Page 459 459
  • Page 460 460
  • Page 461 461
  • Page 462 462
  • Page 463 463
  • Page 464 464
  • Page 465 465
  • Page 466 466
  • Page 467 467
  • Page 468 468
  • Page 469 469
  • Page 470 470
  • Page 471 471
  • Page 472 472
  • Page 473 473
  • Page 474 474
  • Page 475 475
  • Page 476 476
  • Page 477 477
  • Page 478 478
  • Page 479 479
  • Page 480 480
  • Page 481 481
  • Page 482 482
  • Page 483 483
  • Page 484 484
  • Page 485 485
  • Page 486 486
  • Page 487 487
  • Page 488 488
  • Page 489 489
  • Page 490 490
  • Page 491 491
  • Page 492 492
  • Page 493 493
  • Page 494 494
  • Page 495 495
  • Page 496 496
  • Page 497 497
  • Page 498 498
  • Page 499 499
  • Page 500 500
  • Page 501 501
  • Page 502 502
  • Page 503 503
  • Page 504 504
  • Page 505 505
  • Page 506 506
  • Page 507 507
  • Page 508 508
  • Page 509 509
  • Page 510 510
  • Page 511 511
  • Page 512 512
  • Page 513 513
  • Page 514 514
  • Page 515 515
  • Page 516 516
  • Page 517 517
  • Page 518 518
  • Page 519 519
  • Page 520 520
  • Page 521 521
  • Page 522 522
  • Page 523 523
  • Page 524 524
  • Page 525 525
  • Page 526 526
  • Page 527 527
  • Page 528 528
  • Page 529 529
  • Page 530 530
  • Page 531 531
  • Page 532 532
  • Page 533 533
  • Page 534 534
  • Page 535 535
  • Page 536 536
  • Page 537 537
  • Page 538 538
  • Page 539 539
  • Page 540 540
  • Page 541 541
  • Page 542 542
  • Page 543 543
  • Page 544 544
  • Page 545 545
  • Page 546 546
  • Page 547 547
  • Page 548 548
  • Page 549 549
  • Page 550 550
  • Page 551 551
  • Page 552 552
  • Page 553 553
  • Page 554 554
  • Page 555 555
  • Page 556 556
  • Page 557 557
  • Page 558 558
  • Page 559 559
  • Page 560 560
  • Page 561 561
  • Page 562 562
  • Page 563 563
  • Page 564 564
  • Page 565 565
  • Page 566 566
  • Page 567 567
  • Page 568 568
  • Page 569 569
  • Page 570 570
  • Page 571 571
  • Page 572 572

Aruba 6000 User guide

Category
Software
Type
User guide
This manual is also suitable for

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI