Aruba 2930 M/F Access Security Guide for ArubaOS-Switch 16.11
Aruba 2930MF Access Security Guide for AOS-S 16.11 Aruba 2930M/F Access Security Guide for AOS-S
16.11
© Copyright 2020 Hewlett Packard Enterprise Development LP
Notices
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.
Acknowledgments
Intel®, Itanium®, Pentium®, Xeon®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the U.S. and other countries. Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated. Java® and Oracle® are registered trademarks of Oracle and/or its affiliates. UNIX® is a registered trademark of The Open Group. All third-party marks are property of their respective owners.
Contents
Contents
About this guide
Applicable products Switch prompts used in this guide Terminology Change
Security Overview
Introduction Access security features Network Security Features Getting started with access security Precedence of security options
Configuring Username and Password Security
Overview Configuring local password security Configure SHA-256 format passwords Saving security credentials in a config file SSH Re-Keying for SSH Server and SSH Client Encrypting credentials in the configuration file Front panel security Password recovery
Virus throttling (connection-rate filtering)
Configuring connection-rate filtering Blocked hosts Configuring and applying connection-rate ACLs Connection-rate filtering Configuring connection-rate filtering for low risk networks Configuring connection-rate filtering for high risk networks
Web and MAC Authentication
Overview How web-based and MAC authentication operate Operating rules and notes Setup procedure for web-based/MAC authentication Using Password Authentication Protocol (PAP) for MAC Authentication Configuring web-based authentication Configuring MAC authentication
Captive Portal for ClearPass
Requirements Best Practices Limitations Features Captive Portal when disabled Configuring Captive Portal on ClearPass Configuring the switch
Aruba 2930M/F | Access Security Guide
Contents
3
10
10 10 11
12
12 12 16 19 23
26
26 27 30 33 45 45 49 55
58
58 62 63 70 75 76
77
77 79 81 82 91 93 101
118
118 119 119 119 119 120 122
3
Configuring a certificate for Captive Portal usage Display Captive Portal configuration Show certificate information Troubleshooting
Local MAC Authentication
Overview Possible scenarios for deployment Show commands Configuration commands
Port-based MAC authentication
Overview Operating notes aaa port-access use-lldp-data
TACACS+ Authentication and Accounting
Definition of terms Overview Configuring TACACS+ on the switch Controlling Web UI access when using TACACS+ authentication TACACS server order Event Messages Operating notes
RADIUS Authentication, Authorization, and Accounting
Overview Switch operating rules for RADIUS General RADIUS setup procedure Configuring the switch for RADIUS authentication Using SNMP to view and configure switch authentication features Local authentication process (RADIUS) Controlling WebAgent access Commands Authorization Dynamic port access auth via RADIUS VLAN assignment in an authentication session Additional RADIUS attributes MAC-based VLANs Accounting services
Accounting service types to track
Accounting controls Viewing RADIUS statistics Changing RADIUS-server access order Creating local privilege levels Dynamic removal of authentication limits Bypassing authentication Messages related to RADIUS operation Supress LLDP MED network policy TLV transmission Security event log Configuring FQDN support for RADIUS server Automatic certificate download with ClearPass Support for Framed IP Address in RADIUS requests Support for Sending Interface VLAN in RADIUS Requests
User roles
123 124 124 124
128
128 128 129 130
133
133 133 134
135
135 135 141 160 160 162 163
164
164 167 167 169 181 185 185 185 189 191 192 193 193
200
200 203 207 208 211 211 220 220 223 225 226 229 230
232
4
Aruba 2930M/F | Access Security Guide
Overview Captive-portal commands Policy commands User role configuration
show port-access clients show port-access clients detailed show user-role detailed VLAN range commands Applying User Derived Role with Local MAC Authentication VXLAN show commands Access Point Onboarding Scenario IP Phones as User-Based Tunneling Clients Downloadable user-roles
IPv4 Access Control Lists (ACLs)
Extended ACL Options for applying IPv4 ACLs on the switch IPv4 static ACL operation Planning an ACL application Configuring and assigning an IPv4 ACL Configuring standard ACLs Configuring extended ACLs Adding or removing an ACL assignment on an interface Deleting an ACL Editing an existing ACL Viewing ACL configuration data Creating or editing an ACL offline Monitoring static ACL performance General ACL operating notes
MAC ACLs
Overview MAC ACL configuration commands CLI command error messages
ACL Grouping
Overview Commands Mac-access-list creation syntax Modify existing commands
Netdestination and Netservice
Overview netdestination host |position | network netservice [tcp | udp | port] show netdestination Modifying Netdestination Entries
Infrastructure MACsec
Overview MACsec configuration commands Show commands Mutually exclusive commands with MACsec configuration on a port MACsec Log messages
Aruba 2930M/F | Access Security Guide
232 232 235 237 244 245 245 246 247 248 250 251 251
257
257 261 262 264 272 278 282 294 295 296 303 308 309 311
313
313 313 323
324
324 324 327 329
334
334 335 336 337 337
342
342 342 349 357 358
5
RADIUS Services Support on Aruba Switches
359
Overview
359
Configuring the switch to support RADIUS-assigned ACLs
379
Viewing the currently active per-port CoS and rate-limiting configuration
379
Viewing CLI-configured rate-limiting and port priority for ports
382
ACE syntax configuration options in a RADIUS server, using the standard attribute in an IPv4 ACL
(Example)
383
Using HPE VSA 63 to assign IPv6 and IPv4 ACLs (example)
384
Using HPE VSA 61 to assign IPv4 ACLs (example)
385
Displaying the current RADIUS-assigned ACL activity on the switch
386
Force client re-authorization
390
Critical and Open Authentication
aaa port-access aaa port-access open-auth data-vlan aaa port-access open-auth user-role show port-access clients Critical authentication Cached reauthentication Resilient 802.1x cached-reauth
392
393 393 394 394 395 399 404
RBAC
RBAC Overview Limitations Roles Rules Creating roles and assigning rules Displaying rules for predefined roles Displaying predefined features Troubleshooting aaa authorization group Predefined features
406
406 406 406 408 409 412 413 413 414 415
password complexity
Password complexity overview Password expiration periods Requirements Limitations Configuring Password Complexity password configuration commands password configuration-control password configuration password minimum-length show password-configuration password aaa authentication local-user password complexity password composition Troubleshooting
417
417 418 418 418 418 421 423 423 425 425 426 427 427 428 428
Configuring Secure Shell (SSH)
Overview Prerequisite for using SSH Public key formats Steps for configuring and using SSH for switch and client authentication
431
431 437 437 437
6
Aruba 2930M/F | Access Security Guide
SSH options
439
General operating rules and notes
439
Configuring the switch for SSH operation
440
Disable username prompt for management interface authentication in the Quick Base system
448
SSH client public-key authentication notes
453
SSH client and secure sessions
457
Messages related to SSH operation
461
Configuring SSH with two-factor authentication
464
Overview
464
Two-factor authentication configuration commands
464
Configuring Secure Sockets Layer
Overview Prerequisite for using SSL Steps for configuring and using SSL for switch and client authentication General operating rules and notes Configuring the switch for SSL operation Common errors in SSL setup
467
467 468 468 468 469 474
Configuring Advanced Threat Protection
475
Introduction
475
IPv6 Network Defense
475
Dynamic ARP protection
479
Dynamic IP lockdown
484
Using the instrumentation monitor
492
Traffic/Security Filters and Monitors
497
Overview
497
Filter types and operation
497
Configuring traffic/security filters
506
Configuring Port and User-Based Access Control (802.1X)
Overview General 802.1X authenticator operation General operating rules and notes General setup procedure for 802.1X access control Configuring switch ports as 802.1X authenticators Customer self repair 802.1X Open VLAN mode Option for authenticator ports: configure port-security to allow only 802.1X-authenticated devices Configuring switch ports to operate as supplicants for 802.1X connections to other switches Displaying 802.1X configuration, statistics, and counters How RADIUS/802.1X authentication affects VLAN operation EAP identifier compliance for 802.1x EAP-TLS fragmentation Messages related to 802.1X operation
516
516 518 519 519 521 529 530 538 539 542 551 556 557 561
Configuring and Monitoring Port Security
563
Overview
563
Port security
563
MAC Lockdown
577
MAC Lockout
581
User-based lockout compliance
583
Port security and MAC Lockout
585
Aruba 2930M/F | Access Security Guide
7
Reading intrusion alerts and resetting alert flags Operating notes for port security
Using Authorized IP Managers
Introduction Defining authorized management stations Configuring IP Authorized managers (WebAgent) Building IP Masks Operating notes
Key Management System
Overview Configuring key chain management
Device Fingerprinting
Prerequisites device-fingerprinting policy device-fingerprinting timer device-fingerprinting client-limit device-fingerprinting incoming-clients-only device-fingerprinting apply show device-fingerprinting profile-name show device-fingerprinting active show device-fingerprinting client-status show device-fingerprinting client-details Limitations Troubleshooting
Secure mode(FIPS)
Overview Troubleshooting
Certificate Manager
Configuration support Switch identity profile Local certificate enrollment -- manual mode Removal of certificates/CSRs Zeroization File transfer Loading a local certificate Debug logging Certificate specific Profile specific--TA profile Web support Error messages
EST and its applications
Application Certificate Enrollment using EST Secure Syslog over TLS Secure Radius (RadSec)
Conformance to Suite-B Cryptography requirements
Configuration support Retrieve CRL Set TA profile to validate CRL and OCSP
586 589
591
591 592 594 596 598
600
600 600
604
604 605 605 606 607 607 608 609 609 610 611 612
613
613 619
621
621 622 622 626 627 627 628 629 629 630 631 634
638
638 638 643
665
665 668 668
8
Aruba 2930M/F | Access Security Guide
Clear CRL Create a certificate signing request Create and enroll a self-signed certificate Configure or remove the minimum levels of security minLos for TLS Install authentication files Remove authentication files show crypto client-public-key Remove the client public keys from configuration Show details of TA profile
Support and other resources
Accessing Aruba Support Other useful sites Accessing updates Warranty information Regulatory information Documentation feedback
AOS-S RADIUS Vendor-Specific Attributes
Management access Access control Class of service Bandwidth Filtering
668 669 669 670 670 671 671 672 672
673
673 673 674 674 674 675
676
676 677 680 680 682
Aruba 2930M/F | Access Security Guide
9
Chapter 1 About this guide
About this guide
This guide provides information on how to configure access security features and user authentication.
Applicable products
This guide applies to these products:
n Aruba 2530 Switch Series (J9772A, J9773A, J9774A, J9775A, J9776A, J9777A, J9778A, J9779A, J9780A, J9781A, J9782A, J9783A, J9853A, J9854A, J9855A, J9856A, JL070A)
Switch prompts used in this guide
Examples in this guide are representative and may not match your particular switch/environment. Examples use simplified prompts as follows:
Prompt switch#
Explanation # indicates manager context (authority).
switch>
> indicates operator context (authority).
switch (config)#
(config) indicates the config context.
switch(vlanx)#
(vlan-x) indicates the vlan context of config, where x represents the VLAN ID. For example: switch(vlan-128)#.
switch(ethx)#
(eth-x) indicates the interface context of config, where x represents the interface. For example: switch(eth-48)#.
switch-Stack# Stack indicates that stacking is enabled.
switch-Stack (config)#
Stack(config) indicates the config context while stacking is enabled.
switch-Stack (stacking)#
Stack(stacking) indicates the stacking context of config while stacking is enabled.
switch-Stack (vlan-x)#
Stack(vlan-x) indicates the vlan context of config while stacking is enabled, where x represents the VLAN ID. For example: switch-Stack(vlan-128)#.
switch-Stack (eth-x/y)#
Stack(eth-x/y) indicates the interface context of config, in the form (eth-<member-instack>/<interface>). For example: switch(eth-1/48)#
Aruba 2930M/F | Access Security Guide
10
Terminology Change
As part of advancing HPE's commitment to racial justice, we are taking a much-needed step in overhauling HPE engineering terminology to reflect our belief system of diversity and inclusion. Some legacy products and publications may continue to include terminology that seemingly evokes bias against specific groups of people. Such content is not representative of our HPE culture and moving forward, Aruba will replace racially insensitive terms and instead use the following new language:
Usage Switch Security Switch Routing Smart Link Chassis Events, IPv6 Configuration, and Troubleshooting Switch Stack Switch Security, Configuration and Routing Route Type Type of Hackers
Old Language Master Master Master-Slave Master-Slave
Master-Slave Blacklist, Whitelist
Blackhole Route Black Hat, White Hat
New Language Main Main Router Primary-Secondary Management-Slot
Conductor-Member Denylist, Allowlist
Null Route Unethical, Ethical
11
Aruba 2930M/F | Access Security Guide
Chapter 2 Security Overview
Security Overview
Introduction
This chapter provides an overview of the security features included on your switch. Chapter Access security features outlines the access security and authentication features, while Network Security Features highlights the additional features designed to help secure and protect your network. For detailed information on individual features, see the references provided. Before you connect your switch to a network, Hewlett Packard Enterprise strongly recommends that you review the section Getting started with access security. It outlines potential threats for unauthorized switch and network access, and provides guidelines on how to prepare the switch for secure network operation.
About this guide
This access security guide describes how to configure security features on your switch.
For an introduction to the standard conventions used in this guide, see "Getting Started" in the basic operation guide for your switch.
For more information
For IPv6-specific security settings and features, see the IPv6 configuration guide for your switch. For information on which product manual to consult for a specific software feature, see the Software feature index extended. For the latest version of all Aruba switch documentation, including Release Notes covering recently added features and other software topics, visit the Hewlett Packard Enterprise Networking website at http://www.hpe.com/support/manuals.
Access security features
This section provides an overview of the switch access security features, authentication protocols, and methods. For more in-depth information, see the references provided (all chapter and page references are to this Access Security Guide for AOS-S unless a different manual name is indicated).
The Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. See Using the Management Interface wizard for details.
Aruba 2930M/F | Access Security Guide
12
Table 1: Access security and switch authentication features
Feature
Default setting
Manager password no password
Telnet and web browser access (WebAgent)
enabled
SSH
enabled
Security guidelines
More information and configuration details
Configuring a local manager password is a fundamental step in reducing the possibility of unauthorized access through the switch WebAgent and console (CLI and Menu) interfaces. The manager password is set with any of the following methods:
n CLI: password manager command, or Management interface wizard
n WebAgent: the password options under the Security tab, or Management interface wizard
n Menu interface: Console passwords option
n SNMP
Configuring local password security on page 27
Using the Management Interface wizard on page 20
Using SNMP to view and configure switch authentication features on page 181
The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL (see below for details) should be used for remote access. This enables you to employ increased access security while still retaining remote client access.
Also, access security on the switch is incomplete
without disabling Telnet and the standard web
browser access (WebAgent). Unauthorized
access can be blocked using these commands:
n no telnet-server: This command blocks inbound Telnet access.
n no web-management: This command prevents use of the WebAgent through http (port 80) server access.
If you choose not to disable Telnet and the WebAgent, you may want to consider using RADIUS accounting to maintain a record of password-protected access to the switch.
Using the Management Interface wizard on page 20
For more on Telnet and the WebAgent, see "Interface Access and System Information" in the management and configuration guide.For RADIUS accounting, see RADIUS Authentication, Authorization, and Accounting on page 164
SSH provides Telnet-like functions through encrypted, authenticated transactions of the following types:
n client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.
Using the Management Interface wizard
Configuring Secure Shell (SSH) on page 431
13
Aruba 2930M/F | Access Security Guide
Feature
SSL SNMP Authorized IP managers
Default setting
disabled public, unrestricted
none
Security guidelines
More information and configuration details
n switch SSH and user password authentication: this option is a subset of the client public-key authentication, and is used if the switch has SSH enabled without a login access configured to authenticate the client key. In this case, the switch authenticates itself to clients, and users on SSH clients then authenticate themselves to the switch by providing passwords stored on a RADIUS or TACACS+ server, or locally on the switch.
n Secure copy (SC) and secure FTP (SFTP): By opening a secure, encrypted SSH session, you can take advantage of SC and SFTP to provide a secure alternative to TFTP for transferring sensitive switch information. For more on SC and SFTP, see the section titled "Using Secure Copy and SFTP" in the "File Transfers" appendix of the management and configuration guide for your switch.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) provide remote web browser access (WebAgent) to the switch through authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operation. The authenticated type includes server certificate authentication with user password authentication.
Using the Management Interface wizard
Configuring Secure Shell (SSH) on page 431
In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch MIB (Management Information Base). Thus controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.
SNMP security guidelines
Using the Management Interface wizard on page 20 Management and Configuration Guide, see "Using SNMP Tools to manage the switch".
This feature uses IP addresses and masks to determine whether to allow management access to the switch across the network through the following:
n Telnet and other terminal emulation applications
n The WebAgent
n SNMP (with a correct community name)
Using Authorized IP Managers on page 591
Aruba 2930M/F | Access Security Guide
14
Feature
Default setting
Secure
disabled
Management VLAN
ACLs for Management Access Protection
none
TACACS+ Authentication
disabled
RADIUS Authentication
disabled
802.1X Access Control
none
Security guidelines
More information and configuration details
This feature creates an isolated network for managing the switches that offer this feature. When a secure management VLAN is enabled, CLI, Menu interface, and WebAgent access is restricted to ports configured as members of the VLAN.
Advanced Traffic Management Guide, see "Static Virtual LANs (VLANs)".
ACLs can also be configured to protect management access by blocking inbound IP traffic that has the switch itself as the destination IP address.
IPv4 Access Control Lists (ACLs) on page 257
This application uses a central server to allow or deny access to TACACS-aware devices in your network. TACACS+ uses username/password sets with associated privilege levels to grant or deny access through either the switch serial (console) port or remotely, with Telnet.
If the switch fails to connect to a TACACS+ server for the necessary authentication service, it defaults to its own locally configured passwords for authentication control. TACACS+ allows both login (read-only) and enable (read/write) privilege level access.
TACACS+ Authentication and Accounting on page 135
For each authorized client, RADIUS can be used to authenticate operator or manager access privileges on the switch through the serial port (CLI and Menu interface), Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods.
RADIUS Authentication, Authorization, and Accounting on page 164
This feature provides port-based or user-based authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control client access to network services. Included in the general features are the following:
Configuring Port and User-Based Access Control (802.1X)
n User-based access control supporting up to 32 authenticated clients per port.
n Port-based access control allowing authentication by a single client to open the port.
n Switch operation as a supplicant for point-topoint connections to other 802.1X-compliant switches.
15
Aruba 2930M/F | Access Security Guide
Feature
Web and MAC Authentication
Default setting
none
Security guidelines
More information and configuration details
These options are designed for application on the edge of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access. Because neither method requires clients to run any special supplicant software, both are suitable for legacy systems and temporary access situations where introducing supplicant software is not an attractive option.
Both methods rely on using a RADIUS server for authentication. This simplifies access security management by allowing you to control access from a main database in a single server. It also means that the same credentials can be used for authentication, regardless of which switch or switch port is the current access point into the LAN. Web authentication uses a webpage login to authenticate users for access to the network. MAC authentication grants access to a secure network by authenticating device MAC addresses for access to the network.
Web and MAC Authentication on page 77
Network Security Features
This section outlines features and defense mechanisms for protecting access through the switch to the network.
Table 2: Network security default settings and security guidelines
Feature
Secure File Transfers
Traffic/Security Filters
Default setting
Security guidelines
More information and configuration details
not applicable
Secure Copy and SFTP provide a secure alternative to TFTP and auto-TFTP for transferring sensitive information such as configuration files and log information between the switch and other devices.
management and configuration guide, see "File Transfers" and "Using Secure Copy and SFTP".
none
These statically configured filters enhance inband security (and improve control over access to network resources) by forwarding or dropping inbound network traffic according to the configured criteria. Filter options include:
Traffic/Security Filters and Monitors.
n source-port filters
: Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis. n multicast filters
Aruba 2930M/F | Access Security Guide
16
Feature
Default setting
Access Control Lists none (ACLs)
Port Security, MAC Lockdown, and MAC Lockout
none
Security guidelines
More information and configuration details
: Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports or dropped on a per-port (destination) basis.
n protocol filters
: Inbound traffic having the selected frame (protocol) type will be forwarded or dropped on a per-port (destination) basis.
ACLs can filter traffic to or from a host, a group of hosts, or entire subnets. Layer 3 IP filtering with Access Control Lists (ACLs) enables you to improve network performance and restrict network use by creating policies for:
IPv4 Access Control Lists (ACLs)
n Switch Management Access:
Permits or denies in-band management access. This includes preventing the use of certain TCP or UDP applications (such as Telnet, SSH, WebAgent, and SNMP) for transactions between specific source and destination IP addresses.)
n Application Access Security:
Eliminating unwanted IP, TCP, or UDP traffic by filtering packets where they enter or leave the switch on specific interfaces.
NOTE: On ACL Security Use: ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.
The features listed below provide device-based access security in the following ways:
n Port security: Enables configuration of each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port. This enables individual ports
Configuring and Monitoring Port Security. See also Precedence of portbased security options.
17
Aruba 2930M/F | Access Security Guide
Feature
Default setting
Key Management System (KMS)
none
ICMP Rate-Limiting none
Spanning Tree Protection
none
Security guidelines
More information and configuration details
to detect, prevent, and log attempts by unauthorized devices to communicate through the switch. Some switch models also include eavesdrop prevention in the port security feature.
n MAC lockdown:
This "static addressing" feature is used as an alternative to port security to prevent station movement and MAC address "hijacking" by allowing a given MAC address to use only one assigned port on the switch. MAC lockdown also restricts the client device to a specific VLAN.
n MAC lockout:
This feature enables blocking of a specific MAC address so that the switch drops all traffic to or from the specified address.
KMS is available in several switch models and is designed to configure and maintain key chains for use with KMS-capable routing protocols that use time-dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request.
Key Management System
This feature helps defeat ICMP denial-of-service attacks by restricting ICMP traffic to percentage levels that permit necessary ICMP functions, but throttle additional traffic that may be due to worms or viruses (reducing their spread and effect).
management and configuration guide see "Port Traffic Controls" and "ICMP Rate-Limiting"
These features prevent your switch from malicious attacks or configuration errors:
n BPDU Filtering and BPDU Protection: Protects the network from denial-of-service attacks that use spoofing BPDUs by dropping incoming BPDU frames and/or blocking traffic through a port.
n STP Root Guard: Protects the STP root bridge from malicious attacks or configuration mistakes.
advanced traffic management guide see "Multiple Instance SpanningTree Operation".
Aruba 2930M/F | Access Security Guide
18
Feature
DHCP Snooping, Dynamic ARP Protection, and Dynamic IP Lockdown
Default setting
none
Security guidelines
More information and configuration details
These features provide the following additional protections for your network:
n DHCP Snooping: Protects your network from common DHCP attacks, such as address spoofing and repeated address requests.
n Dynamic ARP Protection: Protects your network from ARP cache poisoning.
n Dynamic IP Lockdown: Prevents IP source address spoofing on a perport and per-VLAN basis.
n Instrumentation Monitor: Helps identify a variety of malicious attacks by generating alerts for detected anomalies on the switch.
Configuring Advanced Threat Protection.
Getting started with access security
Aruba switches are designed as "plug and play" devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network operation, therefore, Hewlett Packard Enterprise strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible malicious actions. Since security incidents can originate with sources inside as well as outside of an organization, your access security provisions must protect against internal and external threats while preserving the necessary network access for authorized clients and users. It is important to evaluate the level of management access vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place. This includes both configurable security options and physical access to the switch. Switch management access is available through the following methods:
n Front panel access to the console serial port, see Physical Security
n Inbound Telnet access
n Web-browser access (WebAgent)
n SNMP access
For guidelines on locking down your switch for remote management access, see Using the Management Interface wizard.
19
Aruba 2930M/F | Access Security Guide
Physical Security
Physical access to the switch allows the following:
n Use of the console serial port (CLI and Menu interface) for viewing and changing the current configuration and for reading status, statistics, and log messages.
n Use of the switch Clear and Reset buttons for these actions: o Clearing (removing) local password protection o Rebooting the switch o Restoring the switch to the factory default configuration (and erasing any nondefault configuration settings)
Keeping the switch in a locked wiring closet or other secure space helps prevent unauthorized physical access. As additional precautions, you can do the following:
n Disable or re-enable the password-clearing function of the Clear button. n Configure the Clear button to reboot the switch after clearing any local usernames and passwords. n Modify the operation of the Reset+Clear button combination so that the switch reboots, but does not restore
the switch factory default settings. n Disable or re-enable password recovery.
Using the Management Interface wizard
The Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. It guides you through the process of locking down the following switch operations or protocols:
n Setting local passwords n Restricting SNMP access n Enabling/disabling Telnet n Enabling/disabling SSH n Enabling/disabling remote Web management (WebAgent) n Restricting WebAgent access to SSL n Setting timeouts for SSH/Telnet sessions
The wizard can also be used to view the preconfigured defaults and see the current settings for switch access security. The wizard can be launched either through the CLI or the WebAgent.
The wizard security settings can also be configured using standard commands through the CLI, Menu, or WebAgent.
Configuring security settings using the CLI wizard
To configure the security settings using the CLI wizard, follow the steps below:
1. At the command prompt, enter setup mgmt-interfaces. The welcome banner appears and the first setup option is displayed (operator password). As you advance through the wizard, each setup option displays the current value in brackets [].
Aruba 2930M/F | Access Security Guide
20
Figure 1 Management Interface wizard configuration
2. When you enter the wizard, you have the following options: a. To update a setting, type in a new value, or press Enter to keep the current value. b. To quit the wizard without saving any changes, press CTRL-C at any time. c. To access online Help for any option, press ?. After you have gone through each setup option, the wizard displays the summary configuration together with a prompt to save the changes.
3. When the message appears asking if you want to save these changes, you have the following options: a. To save your changes, press Enter. b. To cancel any changes without saving, enter n and then press Enter. After pressing Enter, the wizard exits to the command line prompt.
CLI Wizard: Operating Notes and Restrictions
n Once a password has been configured on the switch, you cannot remove it using the CLI wizard. passwords can be removed by executing the no password command directly from the CLI.
n When you restrict SNMP access to SNMPv3 only, the options SNMPv2 community name and access level
21
Aruba 2930M/F | Access Security Guide
will not appear. n The wizard displays the first available SNMPv2 community and allows the user to modify the first community
access parameters. n The wizard creates a new SNMP community only when no communities have been configured on the switch.
WebAgent: Management Interface wizard
To use the Management Interface wizard from the WebAgent, follow the steps below:
1. In the navigation tree, select Security. 2. Click Security Wizard. The Welcome window appears. 3. Select a setup type:
a. Typical--provides a multiple page, step-by-step method to configure security settings, with on-screen instructions for each option.
b. Advanced--provides a single summary screen in which to configure all security settings at once.
See the WebAgent Online Help for detailed information about using the management interface wizard.
SNMP security guidelines
In the default configuration, the switch is open to access by management stations running SNMP, management applications capable of viewing and changing the settings and status data in the switch MIB. Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.
General SNMP access to the switch
The switch supports SNMP versions 1, 2c, and 3, including SNMP community and trap configuration. The default configuration supports versions 1 and 2c compatibility, which uses plain text and does not provide security options. Hewlett Packard Enterprise recommends you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected operation). SNMPv3 security options include:
n Configuring device communities as a means for excluding management access by unauthorized stations n Configuring for access authentication and privacy n Reporting events to the switch CLI and to SNMP trap receivers n Restricting non-SNMPv3 agents to either read-only access or no access n Coexisting with SNMPv1 and v2c if necessary.
SNMP access to the authentication configuration MIB
A management station running an SNMP networked device management application can access the management information base (MIB) for read access to the switch status and read/write access to the switch authentication configuration (hpSwitchAuth). This means that the switch default configuration now allows SNMP access to security settings in hpSwitchAuth.
Aruba 2930M/F | Access Security Guide
22
If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the security precautions described in this procedure.
Downloading and booting enables SNMP access to the authentication configuration MIB (the default action). If SNMPv3 and other security safeguards are not in place, the switch authentication configuration MIB is exposed to unprotected SNMP access and you must use the command shown below to disable this access.
For details on this feature, see Using SNMP to view and configure switch authentication features on page 181. See "Configuring for Network Management Applications" in the Management and Configuration Guide for your switch.
Procedure
n If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above is not desirable for your network, then immediately use the following command to disable this feature: snmp-server mib hpswitchauthmib excluded
n If you choose to leave the authentication configuration MIB accessible, then you must do the following to help ensure that unauthorized workstations cannot use SNMP tools to access the MIB: 1. Configure SNMP version 3 management and access security on the switch. 2. Disable SNMP version 2c on the switch.
Precedence of security options
This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch.
Precedence of port-based security options
Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.
1. Disabled/Enabled physical port 2. MAC lockout (applies to all ports on the switch.) 3. MAC lockdown 4. Port security 5. Authorized IP managers 6. Application features at higher levels in the OSI model, such as SSH.
The above list does not address the mutually exclusive relationship that exists among some security features.
23
Aruba 2930M/F | Access Security Guide
Precedence of client-based authentication: Dynamic Configuration Arbiter (DCA)
The Dynamic Configuration Arbiter (DCA) is implemented to determine the client-specific parameters that are assigned in an authentication session. A client-specific authentication configuration is bound to the MAC address of a client device and may include the following parameters:
n Untagged client VLAN ID
n Tagged VLAN IDs
n Per-port CoS (802.1p) priority
n Per-port rate-limiting on inbound traffic
n Client-based ACLs
DCA allows client-specific parameters configured in any of the following ways to be applied and removed as needed in a specified hierarchy of precedence. When multiple values for an individual configuration parameter exist, the value applied to a client session is determined in the following order (from highest to lowest priority) in which a value configured with a higher priority overrides a value configured with a lower priority:
1. 802.1X authentication parameters (RADIUS-assigned)
2. Web or MAC authentication parameters (RADIUS-assigned)
3. Local, statically configured parameters
Although RADIUS-assigned settings are never applied to ports for unauthenticated clients, the DCA allows configuring and assigning client-specific port configurations to unauthenticated clients, provided that a client MAC address is known in the switch in the forwarding database. DCA arbitrates the assignment of attributes on both authenticated and unauthenticated ports. DCA does not support the arbitration and assignment of client-specific attributes on trunk ports.
Arbitrating client-specific attributes
In previous releases, client-specific authentication parameters for 802.1X Web, and MAC authentication are assigned to a port using different criteria. A RADIUS-assigned parameter is always given highest priority and overrides statically configured local passwords. 802.1X authentication parameters override Web or MAC authentication parameters. DCA stores client-specific authentication parameters and prioritizes them according to the following hierarchy of precedence:
1. RADIUS-assigned 1. 802.1X authentication
2. Web or MAC authentication
2. Statically (local) configured Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.
Aruba 2930M/F | Access Security Guide
24
In addition, DCA supports conflict resolution for QoS (port-based CoS priority) and rate-limiting (ingress) by determining whether to configure either strict or nonstrict resolution on a switchwide basis. For information on how to configure RADIUS-assigned and locally configured authentication settings, see: n RADIUS-assigned 802.1X authentication: Configuring Port and User-Based Access Control (802.1X)
n RADIUS-assigned Web or MAC authentication: Web and MAC Authentication
n RADIUS-assigned CoS, rate-limiting, and ACLs: "Configuring RADIUS Server Support for Switch Services"
n Statically (local) configured: Configuring Username and Password Security
25
Aruba 2930M/F | Access Security Guide
Chapter 3
Configuring Username and Password Security
Configuring Username and Password Security
Overview
Console access includes both the menu interface and the CLI. There are two levels of console access: manager and operator. For security, you can set a password pair (username and password) on each of these levels. Usernames are optional. Also, in the menu interface, you can configure passwords, but not usernames. To configure usernames, use the CLI or the WebAgent. Usernames and passwords for manager and operator access can also be configured using SNMP. See Using SNMP to view and configure switch authentication features. Usernames and passwords for manager and operator access can also be configured using the Management Interface Wizard. See Using the Management Interface wizard.
Level Manager:
Operator:
Actions Permitted
Access to all console interface areas. This is the default level. That is, if a manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
Access to the Status and Counters menu, the Event Log, and the CLI, but no Configuration capabilities.1 On the operator level, the configuration menus, Download OS, and Reboot Switch options in the Main Menu are not available.
Configuring Password Security
To set up password security:
Procedure
1. Set a Manager password pair (and an operator password pair, if applicable for your system). 2. Exit from the current console session. A Manager password pair will now be needed for full access to the
console.
If you do steps 1 and 2, above, then the next time a console session is started for either the menu interface or the CLI, a prompt appears for a password. Assuming you have protected both the manager and operator levels, the level of access to the console interface is determined by which password is entered in response to the prompt. If you set a manager password, you may also want to configure an inactivity timer. Doing this causes the console session to end after the specified period of inactivity, thus giving you added security against unauthorized console access.
1Allows use of the ping, link-test, show, menu, exit, and logout commands, plus the enable command if you can provide the manager password.
Aruba 2930M/F | Access Security Guide
26
If the console inactivity-timer expires, any outbound Telnet or SSH sessions open on the switch are terminated.
You can use either of the following to set the inactivity timer: n Menu Interface: System Information screen, Select option 2 -- Switch Configuration. n CLI: Use the command (and options) as follows:
console inactivity-timer <0|1|5|10|15|20|30|60|120>
If the switch has no a manager or operator password, anyone having access to the switch through either Telnet, the serial port, or the WebAgent can access the switch with full manager privileges. Also, if you configure only an operator password, entering the operator password enables full manager privileges.
The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and WebAgent. If you configure only a manager password (with no operator password), and in a later session the manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session. If the switch has a password for both the manager and operator levels, and neither is entered correctly in response to the switch password prompt, then the switch does not allow management access for that session. Passwords are case-sensitive.
Configuring local password security
Setting passwords and usernames (CLI)
You can now configure manager and operator passwords in one step.
Syntax
password <manager|operator|all|port-access> [user-name ASCII-STR] [<plaintext|sha1> ASCIISTR] no password <manager|operator|all|port-access> [user-name ASCII-STR] [<plaintext|sha1> ASCII-STR] Sets or clears a local username/password for a given access level. The command sets or changes existing password(s). If no password is provided in the command, you are prompted to enter the new password twice. The no form of the command removes specific local password protection.
port-access is available only if include-credentials is enabled.
<manager|operator|port-access|all>: Level of access
27
Aruba 2930M/F | Access Security Guide
manager
Configures access to the switch with manager-level privileges.
operator
Configures access to the switch with operator-level privileges.
port-access
Configures access to the switch through 802.1X authentication with operator-level privileges.
user-name <name>
The optional text string of the user name associated with the password. Username up to 64 characters.
<plaintext|sha1>
Format for the password entry, and the password itself (up to 64 characters). Specifies the type of algorithm (if any) used to hash the password. Valid values are plaintext or sha-1 The default type is plaintext, which is also the only type accepted for the port-access parameter.
Configuring manager and operator passwords
n Password entries appear as asterisks. n You must type the password entry twice.
switch(config)# password manager New password: ******* Please retype new password: ******* switch(config)# password operator New password: ******** Please retype new password: ********
Removing password protection
Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clears the username associated with a password you are removing.) For example, to remove the operator password (and username, if assigned) from the switch, you would do the following:
Syntax:
password no password Executing this command removes password protection from the operator level so anyone able to access the switch console can gain operator access without entering a username or password.
Syntax:
password all no password all This command removes both operator and manager password protection.
Removing a password and associated username from a switch
switch(config)#no password Password protection will be deleted, do you want to continue [y/n]? y
Aruba 2930M/F | Access Security Guide
28
switch(config)#
Username and password length
The limit on username and password length is 64 characters for the following authentication methods:
n Front-end--WEB User Interface, SSH, and Telnet n Back-end--RADIUS, TACACS+, and Local
General rules for usernames and passwords
Usernames and passwords are case-sensitive. ASCII characters in the range of 33-126 are valid, including:
n A through Z uppercase characters n a through z lower case characters n 0 through 9 numeric characters n Special characters ` ~ ! @ # $ % ^ & * ( ) - _ = + [ ] { } \ | ; : ` " , < > / ?.
The SPACE character is allowed to form a username or password pass-phrase. The username must be in quotes, for example "The little brown fox". A space is not allowed as part of a username without the quotes. A password that includes a space or spaces should not have quotes.
Restrictions for the setmib command
Usernames and passwords can be set using the CLI command setmib. They cannot be set using SNMP.
n Quotes are permitted for enclosing other characters, for example, a username or password of abcd can be enclosed in quotes "abcd" without the quotes becoming part of the username or password itself. Quotes can also be inserted between other characters of a username or password, for example, ab"cd. A pair of quotes enclosing characters followed by any additional characters is invalid, for example, "abc"d.
n Spaces are allowed in usernames and passwords. The username or password must be enclosed in quotes, for example, "one two three". A blank space or spaces between quotes is allowed, for example, " ".
Additional restrictions
Some authentication servers prevent the usage of special symbols such as the backslash (\) and quotes (" "). The switch allows the use of these symbols in configurable credentials, but using them can limit access for some users who can use different client software. See the vendor's documentation for specific information about these restrictions.
Passwords implications when upgrading or downgrading software versions
When you update software from a version that does not support long passwords to a version that does support long passwords, the existing usernames and passwords continue to be there and no further action is required. Before downgrading to a software version that does not include this feature, use one of the following procedures:
Procedure
n Reset the username and/or password to be no more than 16 characters in length, without using any special characters, from the CLI command password. Execute a CLI write memory command (required if the include-credentials feature has ever been enabled.)
29
Aruba 2930M/F | Access Security Guide
switch(config)#password manager New password: ******** Please retype new password: ******* switch(config)# write mem
n Execute the CLI command no password all. This clears all the passwords. Execute a CLI write memory command (required if the include-credentials feature has ever been enabled.)
switch(config)#no password all Password protections will be deleted, do you want to continue [y/n]? y switch(config)# write mem
n Clear the password by using the Clear button on the switch. Execute a CLI write memory command (required if the include-credentials feature has ever been enabled.)
Unable to use previous password
If you cannot access the switch after a software version downgrade, clear the password by using the Clear button on the switch to regain access. Then boot into a software version that supports long passwords, and perform one of the procedures in Passwords implications when upgrading or downgrading software versions .
Setting passwords and usernames (WebAgent)
In the WebAgent you can enter passwords and (optional) usernames. See the WebAgent online help for detailed information.
Configure SHA-256 format passwords
Syntax
password non-plaintext-sha256 no password non-plaintext-sha256
Description
Configure the password in SHA-256 format.
Limitations
n After password non-plaintext-sha256 is executed, the password cannot be converted back to plaintext; you must reconfigure the password.
n This feature is not applicable for passwords used in protocol handshaking (for example, SNMPv3, OSPF, and BFD).
n The SHA-256 password format is not supported when the password complexity feature is enabled. n If the passwords in the configuration are in SHA-256 format, downgrading to a version where this feature is not
supported results in the deletion of the passwords. It is recommended that you disable this feature and reconfigure the password before downgrading. n If the password non-plaintext-sha256 feature is enabled, you are not allowed to enter the password in SHA1 format.
The following three tables show the output from the show running-config command for each password storage format.
Aruba 2930M/F | Access Security Guide
30
Table 3: Passwords configured using the plaintext option
include credentials enabled
No
encrypt-credentials non-plaintext-
enabled
sha256 enabled
No
No
No
No
Yes
No
Yes
No
No
Yes
Yes
Yes
No
No
Yes
No
Yes
Yes
Yes
No
Yes
Yes
Yes
show running-config output (manager/operator/local-user)
password manager password operator aaa authentication local-user <username> group <groupname>
Manager and operator credentials are not displayed. aaa authentication local-user <username> group <groupname>
password manager password operator aaa authentication local-user <username> group <groupname>
Manager and operator credentials are not displayed. aaa authentication local-user <username> group <groupname>
password manager user-name <username> <SHA-1 password> password manager user-name <username> <SHA-1 password> aaa authentication local-user <username> group <groupname> password sha1 <SHA1 password>
password manager user-name <username>sha256 <SHA-256 password> password manager user-name <username>sha256 <SHA-256 password> aaa authentication local-user <username> group <groupname> password <SHA-256 password>
encrypted-password manager user-name <username> <encrypted SHA-1 password> encrypted-password manager user-name <username> <encrypted SHA-1 password> aaa authentication local-user <username> group <groupname> password sha1 <SHA1 password>
encrypted-password manager user-name <username> <encrypted SHA-256 password> encrypted-password manager user-name <username> <encrypted SHA-256 password> aaa authentication local-user <username> group <groupname> password sha 256 <SHA-256 password>
31
Aruba 2930M/F | Access Security Guide
Table 4: Passwords configured using the sha1 option
include credentials enabled
encrypt-credentials non-plaintext-
enabled
sha256 enabled
Yes
No
No
Yes
No
Yes
Yes
Yes
No
Yes
Yes
Yes
show running-config output (manager/operator/local-user)
password manager user-name <username> sha-1 <SHA-1 password> password operator user-name <username> sha-1 <SHA-1 password> aaa authentication local-user <username> group <groupname> password sha1 <SHA1 password>
Passwords cannot be configured using the sha1 option when non-plaintext sha256 is enabled.
encrypted-password manager user-name <username> <encrypted SHA-1 password> encrypted-password manager user-name <username> <encrypted SHA-1 password> aaa authentication local-user <username> group <groupname> password sha1 <SHA1 password>
Passwords cannot be configured using the sha1 option when non-plaintext sha256 is enabled.
Table 5: Passwords configured using the sha256 option
include credentials enabled
Yes
encrypt-credentials non-plaintext-
enabled
sha256 enabled
No
No
Yes
No
Yes
Yes
Yes
No
Yes
Yes
Yes
show running-config output (manager/operator/local-user)
Manager and operator credentials are not displayed because SHA-1 passwords are not available. aaa authentication local-user <username> group <groupname>
password manager user-name <username> sha256 <SHA-256 password> password manager user-name <username> sha256 <SHA-256 password> aaa authentication local-user <username> group <groupname> password sha 256 <SHA-256 password>
Manager and operator credentials are not displayed because SHA-1 passwords are not available. aaa authentication local-user <username> group <groupname>
encrypted-password manager user-name <username> <encrypted SHA-256 password>
Aruba 2930M/F | Access Security Guide
32
encrypted-password manager user-name <username> <encrypted SHA-256 password> aaa authentication local-user <username> group <groupname> password sha 256 <SHA-256 password>
Saving security credentials in a config file
You can store and view the following security settings in the running-config file associated with the current software image by entering the include-credentials command (formerly this information was stored only in internal flash memory):
n Local manager and operator passwords and (optional) usernames that control access to a management session on the switch through the CLI, menu interface, or WebAgent.
n SNMP security credentials used by network management stations to access a switch, including authentication and privacy passwords.
n Port-access passwords and usernames used as 802.1X authentication credentials for access to the switch. n TACACS+ encryption keys used to encrypt packets and secure authentication sessions with TACACS+
servers keys. n RADIUS shared secret (encryption) keys used to encrypt packets and secure authentication sessions with
RADIUS servers. n Secure Shell (SSH) public keys used to authenticate SSH clients that try to connect to the switch.
Benefits of saving security credentials
The benefits of including and saving security credentials in a configuration file are:
n After making changes to security parameters in the running configuration, you can experiment with the new configuration and, if necessary, view the new security settings during the session. After verifying the configuration, you can then save it permanently by writing the settings to the startup-config file.
n By permanently saving a switch security credentials in a configuration file, you can upload the file to a TFTP server or Xmodem host, and later download the file to the switches on which you want to use the same security settings without having to manually configure the settings (except for SNMPv3 user parameters) on each switch.
n By storing different security settings in different files, you can test different security configurations when you first download a new software version that supports multiple configuration files, by changing the configuration file used when you reboot the switch.
For more information about how to experiment with, upload, download, and use configuration files with different software versions, see:
n "Switch Memory and Configuration" in the Management and Configuration Guide. n Configuring Password Security on page 26.
Enabling the storage and display of security credentials
To enable the security settings, enter the include-credentials command.
Syntax:
33
Aruba 2930M/F | Access Security Guide
include-credentials [radius-tacacs-only|store-in-config] no include-credentials [radius-tacacs-only|store-in-config] Enables the inclusion and display of the currently configured manager and operator usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public keys in the running configuration. (Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running-config file.) To view the currently configured security settings in the running configuration, enter one of the following commands:
n show running-config : Displays the configuration settings in the current running-config file.
n write terminal : Displays the configuration settings in the current running-config file.
For more information, see "Switch Memory and Configuration" in the basic operation guide. To view the current status of include-credentials on the switch, enter show include-credentials. See Displaying the status of include-credentials on page 41. The no form of the command disables only the display and copying of these security parameters from the running configuration, while the security settings remain active in the running configuration. Default: The security credentials described in Security settings that can be saved on page 34 are not stored in the running configuration. radius-tacacs-only When executed with the radius-tacacs-only option, only the RADIUS and TACACS security keys are included in the configuration when saving files remotely. The radius-tacacs-only option can be disabled with either command
n no include-credentials
n no include-credentials radius-tacacs-only
store-in-config: Stores passwords and SSH authorized keys in the configuration files. This happens automatically when include-credentials is enabled. no include-credentials store-in-config The no include-credentials store-in-config command disables include-credentials and removes credentials stored in the configuration files. The switch reverts to storing only a single set of passwords and SSH keys, regardless of which configuration file is booted.
Security settings that can be saved
The security settings that can be saved to a configuration file are:
n Local manager and operator passwords and usernames n SNMP security credentials, including SNMPv1 community names and SNMPv3 usernames, authentication,
and privacy settings n 802.1X port-access passwords and usernames n TACACS+ encryption keys n RADIUS shared secret (encryption) keys
Aruba 2930M/F | Access Security Guide
34
n Public keys of SSH-enabled management stations that are used by the switch to authenticate SSH clients that try to connect to the switch
Executing include-credentials or include-credentials store-in-config
When include-credentials or include-credentials store-in-config is executed for the first time (for example, on a new switch) or when you have successfully executed the no include-credentials store-inconfig command, the passwords and SSH keys are not currently stored in the configuration file (not activated). The following example shows the caution message displayed.
Caution message
switch(config)# include-credentials
**** CAUTION ****
You have invoked the command 'include-credentials'. This action will make changes to the password and SSH public-key storage.
It will affect *all* stored configurations, which might need to be updated. Those credentials will no longer be readable by older software revisions. It also may break some of your existing user scripts. Continue?[y/n] y
Erasing configurations with `include-credentials' enabled will erase stored passwords and security credentials. The system will reboot with the factory default configuration.
Proceed?[y/n]
This caution message can also appear if you have successfully executed the no include-credentials storein-config command.
The no include-credentials store-in-config option
The no include-credentials command disables include-credentials. Credentials continue to be stored in the active and inactive configurations, but are not displayed in the config file. When no include-credentials is used with the store-in-config option, include-credentials is disabled and the credentials stored in the config files are removed. The switch is restored to its default state and only stores one set of operator/manager passwords and SSH keys. If you choose to execute the no include-credentials store-in-config command, you are also presented with the option of setting new switch passwords. You are queried about retaining the current SSH authorized keys on the switch. If you enter "y", the currently active authorized key files are renamed to the pre-include-credentials names, for example: /file/mgr_auth_keys.2 -> /file/mgr_auth_keys /file/authorized_keys.2 -> /file/authorized_keys All remaining authorized keys files with an extension are deleted.
The no include-credentials store-in-config messages and options
switch(config)# no include-credentials store-in-config
This will remove any switch passwords and inactive SSH authorized keys from all configuration files. This will also restore the functionality to store only a single set of passwords and authorized keys on the switch. Do you want to continue (y/n)? y
The SSH authorized keys associated with the active configuration will be deleted.
35
Aruba 2930M/F | Access Security Guide
Would you like to retain these as the switch global SSH authorized keys (y/n)? y
Do you want to set new switch passwords (y/n)? y
operator username: admin operator password: ******** Confirm password: ******** manager username: GeorgeV manager password: ******** Confirm password: ********
Local manager and operator passwords
The information saved to the running-config file when the include-credentials command is entered includes: Syntax password manager [user-name <name>] <hash-type> <pass-hash> password operator [user-name <name>] <hash-type> <pass-hash>
where
n <name> is an alphanumeric string for the user name assigned to the manager or operator. n <hash-type> indicates the type of hash algorithm used: SHA-1 or plain text. n <pass-hash> is the SHA-1 authentication protocol's hash of the password or clear ASCII text.
For example, a manager username and password can be stored in a runningconfig file as follows: password manager user-name George SHA1 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 Use the write memory command to save the password configurations in the startup-config file. The passwords take effect when the switch boots with the software version associated with that configuration file.
If a startup configuration file includes other security credentials, but does not contain a manager or operator password, the switch will not have password protection and can be accessed through Telnet or the serial port of the switch with full manager privileges.
Password Command Options
The password command has the following options:
Syntax:
password <manager|operator|port-access> [user-name <name>] <plaintext> <password>> no password <manager|operator|port-access> [user-name <name>] <plaintext> <password>> Set or clear a local username/password for a given access level.
manager:
Configures access to the switch with manager-level privileges.
operator:
Configures access to the switch with operator-level privileges.
port-access:
Configures access to the switch through 802.1X authentication with operator-level privileges.
user-name <name> :
The optional text string of the user name associated with the password.
Aruba 2930M/F | Access Security Guide
36
<password>:
The clear ASCII text string of the password.
SNMP security credentials
SNMPv1 community names and write-access settings, and SNMPv3 usernames continue to be saved in the running configuration file even when you enter the include-credentials command. In addition, the following SNMPv3 security parameters are also saved: snmpv3 user <Name> [auth [<md5 | sha>] <Auth-Pass>]
[priv [<des | aes>] <Priv-Pass>] Parameters <Name> The name of an SNMPv3 management station. <md5 | sha> Selects the authentication method. <Auth-Pass>
Specifies the authentication password. <des | aes> Selects the privacy encryption method. <Priv-Pass> Specifies the privacy password used by a privacy protocol to encrypt SNMPv3 messages between the switch and the station. The following example shows the additional security credentials for SNMPv3 users that can be saved in a running-config file.
Security credentials saved in the running-config
snmpv3 user boris \ auth md5 "9e4cfef901f21cf9d21079debeca453" \ priv "82ca4dc99e782db1a1e914f5d8f16824"
snmpv3 user alan \ auth sha "8db06202b8f293e9bc0c00ac98cf91099708ecdf" \ priv "5bc4313e9fd7c2953aaea9406764fe8bb629a538"
Although you can enter an SNMPv3 authentication or privacy password in either clear ASCII text or the SHA-1 hash of the password, the password is displayed and saved in a configuration file only in hashed format, as shown in the preceding example. See Configuring for Network Management Applications in the management and configuration guide for your switch for more information about the configuration of SNMP security parameters.
TACACS+ encryption key authentication
You can use TACACS+ servers to authenticate users who request access to a switch through Telnet (remote) or console (local) sessions. TACACS+ uses an authentication hierarchy consisting of:
n Remote passwords assigned in a TACACS+ server
n Local manager and operator passwords configured on the switch.
37
Aruba 2930M/F | Access Security Guide
When you configure TACACS+, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For improved security, you can configure a global or server-specific encryption key that encrypts data in TACACS+ packets transmitted between a switch and a RADIUS server during authentication sessions. The key configured on the switch must match the encryption key configured in each TACACS+ server application. (The encryption key is sometimes referred to as "shared secret" or "secret" key.) TACACS+ shared secret (encryption) keys can be saved in a configuration file by entering this command: switch(config)# tacacs-server key <keystring> The option <keystring> is the encryption key (in clear text) used for secure communication with all or a specific TACACS+ server.
RADIUS shared-secret key authentication
You can use RADIUS servers as the primary authentication method for users who request access to a switch through Telnet, SSH, console, or port access (802.1X). The shared secret key is a text string used to encrypt data in RADIUS packets transmitted between a switch and a RADIUS server during authentication sessions. Both the switch and the server have a copy of the key; the key is never transmitted across the network.
RADIUS shared secret (encryption) keys can be saved in a configuration file by entering this command:
switch(config)# radius-server key <keystring>
The option <keystring> is the encryption key (in clear text) used for secure communication with all or a specific RADIUS server.
The include-credentials radius-tacacs-only ption
This option allows you to execute include-credentials for only RADIUS and TACACS. The radius-tacacsonly option does not cause the switch to store authentication passwords and SSH keys in the configuration file.
Syntax:
include-credentials [radius-tacacs-only|store-in-config] no include-credentials [radius-tacacs-only|store-in-config] Enables the inclusion of passwords and security credentials in each configuration file when the file is saved onto a remote server or workstation. When is executed, include-credentials is disabled. Credentials continue to be stored in the active and inactive configuration files but are not displayed.
When executed with the radius-tacacs-only option, only the RADIUS and TACACS security keys are included in the configuration when saving files remotely.
The radius-tacacs-only option can be disabled with either command:
no include-credentials no include-credentials radius-tacacs-only
store-in-config: Stores passwords and SSH authorized keys in the configuration files. This happens automatically when include-credentials is enabled.
Aruba 2930M/F | Access Security Guide
38
The no include-credentials store-in-config command disables the include-credentials command and removes credentials stored in the configuration files. The switch reverts to storing only a single set of passwords and SSH keys, regardless of which configuration file is booted.
When include-credentials radius-tacacs-only is executed, a warning message displays.
Caution message displayed for the radius-tacacs-only option
switch(config)# include-credentials radius-tacacs-only **** CAUTION ****
This will insert possibly sensitive information in switch configuration files, and as a part of some CLI commands output. It is strongly recommended that you use SFTP rather than TFTP for transfer of the configuration over the network, and that you use the web configuration interface only with SSL enabled.
Erasing configurations with `include-credentials' enabled will erase stored passwords and security credentials. The system will reboot with the factory default configuration.
SSH client public-key authentication
Secure Shell version 2 (SSHv2) is used by switches to provide remote access to SSH-enabled management stations. Although SSH provides Telnet-like functions, unlike Telnet, SSH provides encrypted, two-way authenticated transactions. SSH client public-key authentication is one of the types of authentication used.
Client public-key authentication uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a public key stored on the switch can gain access at the manager or operator level. For more information about how to configure and use SSH public keys to authenticate SSH clients that try to connect to the switch, see Configuring Secure Shell (SSH).
The SSH security credential that is stored in the running configuration file is configured with the ip ssh publickey command used to authenticate SSH clients for manager or operator access, along with the hashed content of each SSH client public key.
Syntax:
ip ssh public-key <manager|operator> keystring Set a key for public-key authentication.
manager:
Allows manager-level access using SSH public-key authentication.
operator:
Allows operator-level access using SSH public-key authentication.
keystring:
39
Aruba 2930M/F | Access Security Guide
A legal SSHv2 (RSA or DSA) public key. The text string for the public key must be a single quoted token. If the keystring contains double-quotes, it can be quoted with single quotes ('keystring'). The following restrictions applies for a keystring.
n A keystring cannot contain both single and double quotes.
n A keystring cannot have extra characters, such as a blank space or a new line. However, to improve readability, you can add a backlash at the end of each line.
The ip ssh public-key command allows you to configure only one SSH client public key at a time. The ip ssh public-key command behavior includes an implicit append that never overwrites existing public-key configurations on a running switch.
If you download a software configuration file that contains SSH client publickey configurations, the downloaded public keys overwrite any existing keys, as happens with any other configured values.
To display the SSH public-key configurations (72 characters per line) stored in a configuration file, enter the show config or show running-config command. The following example shows the SSH public keys configured for manager access, along with the hashed content of each SSH client public key, that are stored in a configuration file.
SSH public keys
... include-credentials ip ssh public-key manager "ssh-dss \ AAAAB3NzaC1kc3MAAACBAPwJHSJmTRtpZ9BUNC+ZrsxhMuZEXQhaDME1vc/ \ EvYnTKxQ31bWvr/bT7W58NX/YJ1ZKTV2GZ2QJCicUUZVWjNFJCsa0v03XS4 \ BhkXjtHhz6gD701otgizUOO6/Xzf4/J9XkJHkOCnbHIqtB1sbRYBTxj3NzA \ K1ymvIaU09X5TDAAAAFQCPwKxnbwFfTPasXnxfvDuLSxaC7wAAAIASBwxUP \ pv2scqPPXQghgaTkdPwGGtdFW/+K4xRskAnIaxuG0qLbnekohi+ND4TkKZd \ EeidgDh7qHusBhOFXM2g73RpE2rNqQnSf/QV95kdNwWIbxuusBAzvfaJptd \ gca6cYR4xS4TuBcaKiorYj60kk144E1fkDWieQx8zABQAAAIEAu7/1kVOdS \ G0vE0eJD23TLXvu94plXhRKCUAvyv2UyK+piG+Q1el1w9zsMaxPA1XJzSY/ \ imEp4p6WXEMcl0lpXMRnkhnuMMpaPMaQUT8NJTNu6hqf/LdQ2kqZjUuIyV9 \ LWyLg5ybS1kFLeOt0oo2Jbpy+U2e4jh2Bb77sX3G5C0= spock@sfc.gov" \ ip ssh public-key manager `ssh-rsa \ AAAAB3NzaC1yc2EAAAADAQABAAAAgQDyO9RDD52JZP8k2F2YZXubgwRAN0R \ JRs1Eov6y1RK3XkmgVatzl+mspiEmPS4wNK7bX/IoXNdGrGkoE8tPkxlZOZ \ oqGCf5Zs50P1nkxXvAidFs55AWqOf4MhfCqvtQCe1nt6LFh4ZMig+YewgQG \ M6H1geCSLUbXXSCipdPHysakw== "TectiaClientKey [1024-bit rsa, \ nobody@testmachine, Mon Aug 15 2005 14:47:34]"' ip ssh public-key manager "ssh-rsa \ AAAAB3NzaC1yc2EAAABIwAAAIEA1Kk9sVQ9LJOR6XO/hCMPxbiMNOK8C/ay \ +SQ10qGw+K9m3w3TmCfjh0ud9hivgbFT4F99AgnQkvm2eVsgoTtLRnfF7uw \ NmpzqOqpHjD9YzItUgSK1uPuFwXMCHKUGKa+G46A+EWxDAIypwVIZ697QmM \ qPFj1zdI4sIo5bDett2d0= joe@hpe.com" ...
If a switch configuration contains multiple SSH client public keys, each public key is saved as a separate entry in the configuration file. You can configure up to 10 SSH client public keys on a switch.
X.509v3 certificate authentication for SSH
This feature supports user-authentication in SSH using X.509v3-based certificates.
Syntax
aaa authentication ssh {enable | login | client} <primary-method> [<backup-method>]
Aruba 2930M/F | Access Security Guide
40
Description Configure the authentication mechanism used to control SSH access to the switch. The X.509 certificate authentication for the SSH server works only when both enable and login options are configured to use certificate as the primary authentication method.
Parameters
n enable: Configure access to the privileged mode commands. n login: Configure login access to the switch. n client: Configure SSH client authentication for the switch.
Example
Use the X.509 certificate for SSH client authentication. To disable this feature, use none as the primary authentication method.
switch# aaa authentication ssh client certificate none
Displaying the status of include-credentials
The show include-credentials command provides the current status of include-credentials on the switch.
Syntax:
show include-credentials Displays information about the passwords and SSH keys stored in the configuration.
Stored in configuration -- yes:
The passwords and SSH keys are stored in the configuration. Include-credentials was executed.
Stored in configuration -- no:
There is only one set of operator/manager passwords and one set of SSH keys for the switch.
Enabled in active configuration:
Include-credentials is either enabled or disabled.
RADIUS/TACACS only:
Displayed when the option is configured.
Output for show include credentials command
switch(config)# show include-credentials
Stored in Configuration
: Yes
Enabled in Active Configuration : N/A
RADIUS/TACACS Only
: Yes
Storage states when using include-credentials
The following table shows the states of several access types when the factory default settings are in effect or when include-credentials is enabled or not enabled.
41
Aruba 2930M/F | Access Security Guide
Table 6: Switch storage states
Type
Manager/Operator passwords & port access
Factory default
Includecredentials enabled
n Single set for switch
n Not displayed in config
n Not copied with config to file server
n One set per stored config
n Displayed in config
n Copied with the config to file server
Includecredentials disabled but active
No includecredentials executed (factory default)
n One set per stored config
n Not displayed in config
n Not copied with config to file server
n Single set for switch
n Not displayed in config
n Not copied with config to file server
SSH Public Key
n Single set for switch
n Not displayed in config
n Not copied with config to file server
n One set per stored config
n Displayed in config
n Copied with the config to file server
n One set per stored config
n Not displayed in config
n Not copied with config to file server
n Single set for switch
n Not displayed in config
n Not copied with config to file server
SNMPv3 auth and priv
n One set per stored config
n Not displayed in config
n Not copied with config to file server
n One set per stored config
n Displayed in config
n Copied with the config to file server
n One set per stored config
n Not displayed in config
n Not copied with config to file server
n One set per stored config
n Not displayed in config
n Not copied with config to file server
SNTP auth
n One set per stored config
n Not displayed in config
n Not copied with config to file server
n One set per stored config
n Displayed in config
n Copied with the config to file server
n One set per stored config
n Not displayed in config
n Not copied with config to file server
n One set per stored config
n Not displayed in config
n Not copied with config to file server
RADIUS & TACACS keystrings
n One set per stored config
n Displayed in config
n Not copied with config to file server
n One set per stored config
n Displayed in config
n Not copied with config to file server
n One set per stored config
n Not displayed in config
n Not copied with config to file server
n One set per stored config
n Displayed in config
n Not copied with config to file server
Aruba 2930M/F | Access Security Guide
42
Type
Factory default
Includecredentials enabled
Includecredentials disabled but active
No includecredentials executed (factory default)
n When the no include-credentials store-in-config command is executed, the switch is restored to its default state and only stores one set of operator/manager passwords and SSH keys.
n In the Factory Default state, the comments 'password operator' and/or 'password manager' are displayed to indicate passwords are configured. No indication is displayed for the state Include-Credentials disabled but Active.
Operating Notes
n When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file.You are prompted by a warning message to perform a write memory operation to save the security credentials to the startup configuration. The message reminds you that if you do not save the current values of these security settings from the running configuration, they will be lost the next time you boot the switch and will revert to the values stored in the startup configuration.
n When you boot a switch with a startup configuration file that contains the include-credentials command, any security credentials that are stored in internal flash memory are ignored and erased. The switch will load only the security settings in the startup configuration file.
n Security settings are no longer automatically saved internally in flash memory and loaded with the startup configuration when a switch boots up. The configuration of all security credentials requires that you use the write memory command to save them in the startup configuration in order for them to not be lost when you log off. A warning message reminds you to permanently save a security setting.
n After you enter the include-credentials command, the currently configured manager and operator usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (portaccess) security credentials, and SSH client public keys are saved in the running configuration.Use the no include-credentials command to disable the display and copying of these security parameters from the running configuration using the show running-config and copy running-config commands without disabling the configured security settings on the switch. After you enter the include-credentials command, you can toggle between the non-display and display of security credentials in show and copy command output by alternately entering the no include-credentials and include-credentials commands.
After you permanently save security configurations to the current startup-config file using the write memory command, you can view and manage security settings with the following commands:
43
Aruba 2930M/F | Access Security Guide
n show config : Displays the configuration settings in the current startup-config file. n copy config <source-filename> config <target-filename> : Makes a local copy of an existing
startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot. n copy config tftp: Uploads a configuration file from the switch to a TFTP server. n copy tftp config: Downloads a configuration file from a TFTP server to the switch. n copy config xmodem: Uploads a configuration file from the switch to an Xmodem host. n copy xmodem config: Downloads a configuration file from an Xmodem host to the switch.
For more information, see "Transferring startup-config files to or from a remote server" in the management and configuration guide. The switch can store up to three configuration files. Each configuration file contains its own security credentials and these security configurations can differ. It is the responsibility of the system administrator to ensure that the appropriate security credentials are contained in the configuration file that is loaded with each software image and that all security credentials in the file are supported. If you have already enabled the storage of security credentials (including local manager and operator passwords) by entering the include credentials command, the reset-on-clear option is disabled. When you press the Clear button on the front panel, the manager and operator usernames and passwords are deleted from the running configuration. However, the switch does not reboot after the local passwords are erased. (The reset-on-clear option normally reboots the switch when you press the Clear button.)For more in formation, see Configuring front panel security.
Restrictions on enabling security credentials
The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command:
n The private keys of an SSH host cannot be stored in the running configuration. Only the public keys used to authenticate SSH clients can be stored. An SSH host's private key is only stored internally, for example, on the switch or on an SSH client device.
n SNMPv3 security credentials saved to a configuration file on a switch cannot be used after downloading the file on a different switch. The SNMPv3 security replaceables in the file are only supported when loaded on the same switch for which they were configured. This is because when SNMPv3 security credentials are saved to a configuration file, they are saved with the engine ID of the switch as shown here: snmpv3 engine-id 00:00:00:0b:00:00:08:00:09:01:10:01 If you download a configuration file with saved SNMPv3 security credentials on a switch, when the switch loads the file with the current software version the SNMPv3 engine ID value in the downloaded file must match the engine ID of the switch in order for the SNMPv3 users to be configured with the authentication and privacy passwords in the file. (To display the engine ID of a switch, enter the show snmpv3 engine-id command. To configure authentication and privacy passwords for SNMPv3 users, enter the snmpv3 user command.)If the engine ID in the saved SNMPv3 security settings in a downloaded configuration file does not match the engine ID of the switch:
o The SNMPv3 users are configured, but without the authentication and privacy passwords. You must manually configure these passwords on the switch before the users can have SNMPv3 access with the privileges you want.
o Only the snmpv3 user< user_name> credentials from the SNMPv3 settings in a downloaded configuration
Aruba 2930M/F | Access Security Guide
44
file are loaded on the switch, for example: snmpv3 user boris snmpv3 user alan
n You can store 802.1X authenticator (port access) credentials in a configuration file. However, 802.1X supplicant credentials cannot be stored.
SSH Re-Keying for SSH Server and SSH Client
Syntax
ip ssh rekey {time <MINUTES> | volume <SIZE>} no ip ssh rekey
Description
Enable SSH key re-exchange. The no form of the command disables SSH rekeying and sets the time to default value of 10 minutes.
Command context
config
Parameters
time <MINUTES> Specifies the number of minutes for rekey initiation. Range: 10 to 60 minutes. Default: 10 minutes. volume <SIZE> Specifies the volume size in KB for rekey initiation. Range: 100 KB to 1048576 KB. Default: 1048576 KB.
Examples
Initiate rekeying every 45 minutes: switch(config)# ip ssh rekey time 45
Reset the configured time to the default value (10 minutes): switch(config)# no ip ssh rekey time
Initiate rekeying after every 2000 KB of data is transferred: switch(config)# ip ssh rekey volume 2000
Reset the configured volume to the default value (1048576 KB): switch(config)# no ip ssh rekey volume
Encrypting credentials in the configuration file
A security risk is present when credentials used for authentication to remote devices such as RADIUS or TACACS+ servers are displayed in the configuration file in plain text. The encrypt-credentials command allows the storing, displaying, and transferring of credentials in encrypted form.
45
Aruba 2930M/F | Access Security Guide
When the encrypt-credentials feature is enabled, the affected credentials will be encrypted using aes-256-cbc encryption. By default, a fixed, hard-coded 256-bit key that is common to all networking devices is used. This allows transfer of configurations with all relevant credentials and provides much more security than plaintext passwords in the configuration. Additionally, you can set a separate, 256-bit pre-shared key, however, you must now set the pre-shared key on the destination device before transferring the configuration. The pre-shared key on the destination device must be identical to the pre-shared key on the source device or the affected security credentials will not be usable. This key is only accessible using the CLI, and is not visible in any file transfers.
It is expected that plaintext passwords will continue to be used for configuring the switch. The encrypted credentials option is available primarily for the backup and restore of configurations.
Only the aes-256-cbc encryption type is available.
Enabling encrypt-credentials
To enable encrypt-credentials, enter this command.
Syntax:
encrypt-credentials [pre-shared-key <plaintext|hex>] no encrypt-credentials [pre-shared-key <plaintext|hex>] When encrypt-credentials is enabled without any parameters, it enables the encryption of relevant security parameters in the configuration. The no form of the command disables the encrypt-credentials feature. If specified with pre-shared-key option, clears the preshared-key used to encrypt credentials. pre-shared-key: When specified, sets the pre-shared-key that is used for all AES encryption. If no key is set, an switch default AES key is used. Default: switch default AES key plaintext: Set the key using plaintext. hex: Set the key as a 64 hexadecimal character string (32 bytes). You must enter 64 hexadecimal digits to set this key. When encrypt-credentials is enabled without any parameters, a caution message displays advising you about the effect of the feature with prior software versions, and actions that are recommended. All versions of the command force a configuration save after encrypting or re-encrypting sensitive data in the configuration.
Enabling encrypt-credentials with caution message
switch(config)#encrypt-credentials
**** CAUTION ****
This will encrypt all passwords and authentication keys.
The encrypted credentials will not be understood by older software versions. The resulting config file cannot be used by older software versions. It may also break some of your existing user scripts.
Before proceeding, please save a copy of your current config file, and associate the current config file with the older software version saved in flash memory. See "Best Practices for Software Updates" in the Release Notes.
A config file with `encrypt-credentials' may prevent previous software versions
Aruba 2930M/F | Access Security Guide
46
from booting. It may be necessary to reset the switch to factory defaults. To prevent this, remove the encrypt-credentials command or use an older config file. Save config and continue [y/n]? y
Creating a pre-shared-key in plaintext
switch(config)#encrypt-credentials pre-shared-key plaintext SecretKey1 Save config and continue [y/n]? y
Creating a pre-shared key in hex
switch(config)# encrypt-credentials pre-shared-key hex 1234567891234567891234567891234567891234567891234567891234567891 Save config and continue [y/n]? y
Displaying the state of encrypt-credentials
To display whether encrypt-credentials is enabled or disabled, enter the show encrypt-credentials command. This command is available only from the manager context.
Status of encrypt-credentials when the pre-shared key has not been set
switch(config)# show encrypt-credentials
Encryption : Disabled Pre-shared Key: None
Status of encrypt-credentials when the pre-shared key has been set
switch(config)# show encrypt-credentials
Encryption : Disabled Pre-shared Key: 055d7b3b6bc22d18d29533ba2b549b3991bc23b7cbfc8e5769bdcc9ec748af27
Affected commands
Several commands will have encryption available for configuration.
Table 7: Affected commands
Existing command
New equivalent option
switch(config)# radius-server key secret1
switch(config)# radius-server encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=
switch(config)# radius-server host 10.0.0.1 key secret1
switch(config)# radius-server host 10.0.0.1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA q+s5cV1NiYvx+TuA=
switch(config)# tacacs-server key secret1 switch(config)# tacacs-server encrypted-key
47
Aruba 2930M/F | Access Security Guide
Existing command
New equivalent option U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=
switch(config)# tacacs-server host 10.0.0.1 key secret1
switch(config)# tacacs-server host 10.0.0.1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/ q+s5cV1NiYvx+TuA=
switch(config)# key-chain example key 1 key-string secret1
switch(config)# key-chain example key 1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/ q+s5cV1NiYvx+TuA=
switch(config)# aaa port-access supplicant 24 secret secret1
switch(config)# aaa port-access supplicant 24 identity id1 encrypted-secret secret1 U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=
switch(config)# sntp authentication key-id 33 authentication-mode md5 key-value secret1
switch(config)# sntp authentication key-id 33 authentication-mode md5 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=
switch(config)# password manager plaintext secret1
switch(config)# encrypted-password manager U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=
Important operating notes
n Hewlett Packard Enterprise recommends that when executing an encrypted-<option> command, you copy and paste the encrypted parameter from a known encrypted password that has been generated on the same switch or another switch with the same pre-shared key (whether user-specified or a default key). If an incorrectly encrypted parameter is used, it is highly likely that the decrypted version will contain incorrect characters, and neither key will function correctly or be displayed in any show command.
Interaction with include-credentials settings
The following table shows the interaction between include-credentials settings and encrypt-credentials settings when displaying or transferring the configuration.
Aruba 2930M/F | Access Security Guide
48
Table 8: Interactions between credential settings
Include-credentials active
Include-credentials enabled
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Encrypt-credentials enabled Yes Yes Yes Yes
Resulting behavior for sensitive data Hidden (default) 1 Shown, encrypted n/a n/a Hidden Shown, encrypted Shown, plaintext Shown, encrypted
Front panel security
The front panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together). The ability to disable password recovery is also provided for situations which require a higher level of switch security. The front-panel security features are designed to prevent malicious users from:
n Resetting the password(s) by pressing the Clear button n Restoring the factory default configuration by using the Reset+Clear button combination. n Gaining management access to the switch by having physical access to the switch itself
When Security is Important
Some customers require a high level of security for information. For example, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires that systems handling and transmitting confidential medical records must be secure. It used to be assumed that only system and network administrators would be able to get access to a network switch because switches were typically placed in secure locations under lock and key. For some customers this is no longer true. Others simply want the added assurance that even if someone did manage to get to the switch that data would still remain secure.
1Notes for RADIUS/TACACS keys when the Include-Credentials settings are in the Factory Default state:
n In the Factory Default state, the RADIUS/TACACS keys will be displayed with show config commands but will not be transferred to the file server.
n In the Factory Default state, the RADIUS/TACACS keys will be copied to a switch stored configuration file (one per stored configuration).
49
Aruba 2930M/F | Access Security Guide
If you do not invoke front panel security on the switch, user defined passwords can be deleted by pushing the Clear button on the front panel. This function exists so that if customers forget the defined passwords they can still get back into the switch and reset the passwords. This does, however, leave the switch vulnerable when it is located in an area where non-authorized people have access to it. passwords could easily be cleared by pressing the Clear button. Someone who has physical access to the switch can be able to erase the passwords (and possibly configure new passwords) and take control of the switch. As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch.
Front-panel button functions
Clear button
Pressing the Clear button alone for one second resets the password(s) configured on the switch. Figure 2 Clear button
Reset button
Pressing the Reset button alone for one second causes the switch to reboot. Figure 3 Reset button
Restoring the factory default configuration
You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch.
Procedure
1. Press and hold the Reset button.
Aruba 2930M/F | Access Security Guide
50
2. While holding the Reset button, press and hold the Clear button.
3. Release the Reset button and wait for about one second for the Self-Test LED to start flashing.
4. When the Self-Test LED begins flashing, release the Clear button.
This process restores the switch configuration to the factory default settings.
Configuring front panel security
Using the front-panel-security command from the global configuration context in the CLI you can:
n Disable or re-enable the password-clearing function of the Clear button. Disabling the Clear button means that pressing it does not remove local password protection from the switch. (This action affects the Clear button when used alone, but does not affect the operation of the Reset+Clear combination described under Restoring the factory default configuration on page 50.)
n Configure the Clear button to reboot the switch after clearing any local usernames and passwords. This provides an immediate, visual means (plus an Event Log message) for verifying that any usernames and passwords in the switch have been cleared.
n Modify the operation of the Reset+Clear combination so that the switch still reboots, but does not restore the switch's factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.)
n Disable or re-enable Password Recovery.
Syntax:
show front-panel-security Displays the current front panel security settings. clear password: Shows the status of the Clear button on the front panel of the switch. Enabled means that pressing the Clear button erases the local usernames and passwords configured on the switch (and thus removes local password
51
Aruba 2930M/F | Access Security Guide
protection from the switch.) Disabled means that pressing the Clear button does not remove the local usernames and passwords configured on the switch. Default: Enabled reset-on-clear:
Shows the status of the option enabled or disabled. When reset-on-clear is disabled and the commandclear password is enabled, then pressing the Clear button erases the local usernames and passwords from the switch. When reset-on-clear command is enabled, pressing the Clear button erases the local usernames and passwords from the switch and reboots the switch. Enabling reset-on-clear automatically enables the clearpassword command. Default: Disabled.
If you have stored security credentials (including the local manager and operator usernames and passwords) to the running config file by entering the include-credentials command, the reset-onclear option is ignored. If you press the Clear button on the front panel, the manager and operator usernames and passwords are deleted from the startup configuration file, but the switch does not reboot.
factory reset: Shows the status of the system Reset button on the front panel of the switch. Enabled means that pressing the system Reset button reboots the switch and also enables the system Reset button to be used with the Clear button. See Restoring the factory default configuration on page 50 to reset the switch to its factory-default configuration. Default: Enabled. password recovery: Shows whether the switch is configured with the ability to recover a lost password. See Password recovery on page 55. Default: Enabled.
Disabling this option removes the ability to recover a password on the switch. Disabling this option is an extreme measure and is not recommended unless you have the most urgent need for high security. If you disable password-recovery and then lose the password, you will have to use the Reset and Clear buttons, see Restoring the factory default configuration on page 50 to reset the switch to factory default configuration and create a new password.
Executing the show front-panel-security command produces the following output when the switch is configured with the default front panel security settings:
The default front-panel security settings
switch(config)# show front-panel-security
Clear Password
- Enabled
Reset-on-clear
- Disabled
Factory Reset
- Enabled
Disabling the clear password function of the Clear button
Syntax
front-panel-security password-clear no front-panel-security password-clear In the factory default configuration, pressing the Clear button on the switch front panel erases any local usernames and passwords configured on the switch. This command disables the password clear function of the Clear button, so that pressing it has no effect on any local usernames and passwords.
Aruba 2930M/F | Access Security Guide
52
For redundant management systems, this command only affects the active management module. Default: enabled.
Although the Clear button does not erase passwords when disabled, you can still use it with the Reset button, Reset+Clear, to restore the switch to its factory default configuration, as described under Restoring the factory default configuration on page 50.
This command displays a Caution message in the CLI. If you want to proceed with disabling the Clear button, type [Y]; otherwise type [N]. For example: Figure 4 Disabling the Clear button and displaying the new configuration
Re-enabling the Clear button and setting or changing the `reset-on-clear' operation
Syntax
front-panel-security password-clear reset-on-clear no front-panel-security password-clear reset-on-clear This command does both of the following:
n Re-enables the password clearing function of the Clear button on the switch front panel. n Specifies whether the switch reboots if the Clear button is pressed.
To re-enable the password clear function, you must also specify whether to enable or disable the reset-onclear option. Defaults:
n password-clear: Enabled. n reset-on-clear: Disabled.
To enable password-clear with reset-on-clear disabled:
Syntax
front-panel-security password-clear reset-on-clear no front-panel-security password-clear reset-on-clear To enable password-clear with reset-on-clear also enabled:
Syntax
front-panel-security password-clear reset-on-clear Either form of the command enables password-clear.
53
Aruba 2930M/F | Access Security Guide
If you disable password-clear and also disable the password-recovery option, you can still recover from a lost password by using the Reset+Clear button combination at reboot. Although the Clear button does not erase passwords when disabled, you can still use it with the Reset button (Reset+Clear) to restore the switch to its factory default configuration. You can then get access to the switch to set a new password.
For example, suppose password-clear is disabled and you want to restore it to its default configuration (enabled, with reset-on-clear disabled).
Figure 5 Re-enabling the Clear button' default operation
Changing the operation Reset+Clear combination
In their default configuration, using the Reset+Clear buttons in the combination described under Restoring the factory default configuration on page 50 replaces the switch current startup-config file with the factory default startup-config file, then reboots the switch and removes local password protection.
Anyone with physical switch access can use this button combination to replace the switch current configuration with the factory default configuration, and render the switch accessible without the need to input a username or password.
You can use the factory-reset command to prevent the Reset+Clear combination from being used for this purpose.
Syntax
front-panel-security factory-reset no front-panel-security factory-reset Disables or re-enables the following functions associated with using the Reset+Clear buttons in the combination described under Restoring the factory default configuration on page 50:
n Replacing the current startup-config file with the factory default startup-config file n Clearing any local usernames and passwords configured on the switch
Default: Both functions enabled.
The Reset+Clear button combination always reboots the switch, regardless of whether the no form of the command has been used to disable the above two functions. Also, if you disable factory-reset, you cannot disable the password-recovery option, and the reverse.
Aruba 2930M/F | Access Security Guide
54
Figure 6 Example of disabling the factory reset option
Password recovery
The password recovery feature is enabled by default and provides a method for regaining management access to the switch (without resetting the switch to its factory default configuration) in the event that the system administrator loses the local manager username (if configured) or password. Using password recovery requires:
n password-recovery enabled (the default) on the switch prior to an attempt to recover from a lost username/password situation
n Contacting your Hewlett Packard Enterprise Customer Care Center to acquire a one-time-use password
Disabling or re-enabling the password recovery process
Disabling the password recovery process means that the only method for recovering from a lost manager username (if configured) and password is to reset the switch to its factory-default configuration, removing any non-default configuration settings.
Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to recover a lost manager username and password on the switch. In this event, there is no way to recover from a lost manager username/password situation without resetting the switch to its factory default configuration. This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured. Also, with factory-reset enabled, unauthorized users can use the Reset+Clear button combination to reset the switch to factory default configuration and gain management access to the switch.
Syntax
front-panel-security password-recovery no front-panel-security password-recovery Enables or disables the ability to recover a lost password. When enabled, the switch allows management access through the password recovery process described below. This provides a method for recovering from lost manager usernames and passwords. When disabled, the password recovery process is disabled and the only way to regain management access to the switch is to use the Reset+Clear button combination. See Restoring the factory default configuration on page 50 to restore the switch to its factory default configuration. Default: Enabled.
55
Aruba 2930M/F | Access Security Guide
n To disable password-recovery: n You must have physical access to the front panel of the switch. n Factory-reset must be enabled (the default)
Steps for disabling password-recovery:
Procedure
1. Use show front-panel-security to determine whether the factory-reset parameter is enabled. If it is disabled, use the front-panel-security factory-reset command to enable it.
2. Press and release the Clear button on the front panel of the switch. 3. Within 60 seconds of pressing the Clear button, enter the following command: front-panel-security
password-recovery 4. Do one of the following after the CAUTION message appears:
a. If you want to complete the command, press [Y]. b. If you want to abort the command, press [N].
Example of disabling password recovery:
switch(config)#no front--panel--security password--recovery **** CAUTION ****
Disabling the clear button without password recovery prevents switch passwords from being reset. If the switch password is lost, restoring the default factory configuration will be required to regain access!
Continue with disabling password recovery [y/n]?
Password recovery process
If you lose the manager username/password, but password-recovery is enabled, then you can use the password recovery process to gain management access to the switch with an alternate password supplied by Networking Support.
Disabled password-recovery locks out the ability to recover a manager username/password pair on the switch. The only way to recover from this is to use the Reset +Clear button combination described under Restoring the factory default configuration on page 50. This disrupts network operation and necessitates temporarily disconnecting the switch from the network to prevent unauthorized access and other problems while it is being reconfigured.
To recover a lost password:
Procedure
1. Note the switch base MAC address. It is shown on the label located on the upper right front corner of the switch.
2. Contact Networking Support for further assistance. Using the switch MAC address, Networking Support will generate and provide a "one-time use" alternate password to gain management access to the switch. Once you gain access, configure a new password.
Aruba 2930M/F | Access Security Guide
56
The alternate password provided by Networking Support is valid only for a single login attempt. You cannot use the same "one-time-use" password if you lose the password a second time. Because the password algorithm is randomized based upon your switch MAC address, the password will change as soon as you use the "one-time-use" password provided by Networking Support.
57
Aruba 2930M/F | Access Security Guide
Chapter 4 Virus throttling (connection-rate filtering)
Virus throttling (connection-rate filtering)
Configuring connection-rate filtering
Viewing the connection-rate configuration
Use the following command to view the basic connection-rate configuration. To view connection-rate ACLs and/or any other switch configuration details, use show config or show running.
Syntax
show connection-rate-filter Displays the current global connection-rate status (enabled/disabled) and sensitivity setting, and the current perport configuration. This command does not display the current (optional) connection-rate ACL configuration.
Figure 7 Displaying the connection-rate status, sensitivity, and per-port configuration
To view the complete connection-rate configuration, including any ACLs, use show config (for the startupconfig file) or show running (for the running-config file). See Applying connection-rate ACLs on page 72.
Aruba 2930M/F | Access Security Guide
58
Figure 8 Connection-rate filtering configuration in the startup-config file
Enabling global connection-rate filtering and sensitivity
Use the commands in this section to enable connection-rate filtering on the switch and to apply the filtering on a per-port basis.
Syntax
connection-rate-filter sensitivity < low | medium | high | aggressive > no connection-rate-filter
This command: n Enables connection-rate filtering. n Sets the global sensitivity level at which the switch interprets a given host attempt to connect to a series of
different devices as a possible attack by a malicious agent residing in the host. Options for configuring sensitivity include: low Sets the connection-rate sensitivity to the lowest possible sensitivity, which allows a mean of 54 destinations in less than 0.1 seconds, and a corresponding penalty time for Throttle mode (if configured) of less than 30 seconds.
59
Aruba 2930M/F | Access Security Guide
medium Sets the connection-rate sensitivity to allow a mean of 37 destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 30 and 60 seconds. high Sets the connection-rate sensitivity to allow a mean of 22 destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 60 and 90 seconds. aggressive Sets the connection-rate sensitivity to the highest possible level, which allows a mean of 15 destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 90 and 120 seconds. no connection-rate-filter This command disables connection-rate filtering on the switch.
The sensitivity settings configured on the switch determine the Throttle mode penalty periods.
Configuring per-port filtering
Syntax
filter connection-rate <port-list> {notify-only | throttle | block} no filter connection-rate <port-list> Configures the per-port policy for responding to detection of a relatively high number of inbound IP connection attempts from a given source. The level at which the switch detects such traffic depends on the sensitivity setting configured by the connection-rate-filter sensitivity command.
You can use connection-rate ACLs to create exceptions to the configured filtering policy.
The no form of the command disables connection-rate filtering on the ports in # <port-list>. The notify-only option can be used if the switch detects a relatively high number of IP connection attempts from a specific host, notify-only generates an Event Log message and sends a similar message to any SNMP trap receivers configured on the switch. The throttle command can be used if the switch detects a relatively high number of IP connection attempts from a specific host, this option generates the notify-only messaging and blocks all inbound traffic from the offending host for a penalty period. After the penalty period, the switch allows traffic from the offending host to resume, and re-examines the traffic. If the suspect behavior continues, the switch again blocks the traffic from the offending host and repeats the cycle. The block command can be used if the switch detects a relatively high number of IP connection attempts from a specific host, this option generates the notify-only messaging and also blocks all inbound traffic from the offending host.
Aruba 2930M/F | Access Security Guide
60
Table 9: Throttle mode penalty periods
Throttle mode (sensitivity)
Frequency of IP connection requests from the same source
Mean number of new destination hosts in the frequency period
Penalty period
Low
<0.1 second
54
<30 seconds
Medium
<1.0 second
37
30 - 60 seconds
High
<1.0 second
22
60 - 90 seconds
Aggressive
<1.0 second
15
90 - 120 seconds
Example of a Basic Connection-Rate Filtering Configuration Figure 9 Sample network
Basic configuration
Suppose that in the sample network, the administrator wanted to enable connection-rate filtering and configure the following response to high connection-rate traffic on the switch:
n Ports B1 -- B3: Throttle traffic from the transmitting hosts. n Port B4: Respond with notify-only to identify the transmitting hosts. n Ports B9, D1, and D2: Block traffic from the transmitting hosts.
61
Aruba 2930M/F | Access Security Guide
This example illustrates the configuration steps and resulting startup-config file:
Blocked hosts
Listing currently-blocked hosts
Syntax
show connection-rate-filter < all-hosts | blocked-hosts | throttled-hosts > all-hosts Lists, by VLAN membership, all hosts currently detected in a throttling or blocking state, along with a state indicator. blocked-hosts Lists, by VLAN membership, the hosts currently blocked by connection-rate action. throttled-hosts Lists, by VLAN membership, the hosts currently in a throttling state due to connection-rate action.
Figure 10 Example of listing hosts in any connection-rate state
Aruba 2930M/F | Access Security Guide
62
Figure 11 Example of listing hosts blocked by connection-rate filtering
Unblocking currently-blocked hosts
If a host becomes blocked by triggering connection-rate filtering on a port configured to block high connection rates, the host remains blocked on all ports on the switch even if you change the per-port filtering configuration. To help prevent a malicious host from automatically regaining access to the network, the source IP address block imposed by connection-rate filtering does not age-out. When a host becomes blocked the switch generates a event log message and sends the message to any configured SNMP trap receivers. An example of an event log message is:
Src IP xxx.xxx.xxx.xxx blocked
Before unblocking a host that was blocked by connection-rate filtering, Hewlett Packard Enterprise recommends inspecting the host with current antivirus tools and removing all potentially malicious agents. If a trusted host frequently triggers connection-rate blocking with legitimate, high connection-rate traffic, consider either changing the sensitivity level on the associated port or configuring a connection-rate ACL to create a filtering exception for the host.
Syntax
connection-rate-filter unblock < all | host | ip-addr > all: Unblocks all hosts currently blocked due to action by connection-rate filtering on ports where block mode has been configured. host < ip-addr >: Unblocks the single host currently blocked due to action by connection-rate filtering on ports where block mode has been configured. ip-addr < mask >: Unblocks traffic from any host in the specified subnet currently blocked due to action by connection-rate filtering on ports where block mode has been configured.
There is also an option to unblock any host belonging to a specific VLAN using the vlan <vid> connection-rate-filter unblock command.
For a complete list of options for unblocking hosts, see Unblocking a currently blocked host on page 72.
Configuring and applying connection-rate ACLs
Configuring a connection-rate ACL using source IP address criteria
Syntax
ip access-list connection-rate-filter < crf-list-name >
63
Aruba 2930M/F | Access Security Guide
Creates a connection-rate-filter ACL and puts the CLI into the ACE context: switch(config-crf-nacl)#
If the ACL already exists, this command simply puts the CLI into the ACE context.
Syntax
< filter | ignore > ip < any | host ip-addr | ip-addr mask-length >
Used in the ACE context to specify the action of the connection-rate ACE and the source IP address of the traffic that the ACE affects. < filter | ignore >
The filter option assigns policy filtering to traffic with source IP address (SA) matching the source address in the ACE. The ignore option specifies bypassing policy filtering for traffic with an SA that matches the source address in the ACE. ip < any | host ip-addr | ip-addr mask-length >
Specifies the SA criteria for traffic addressed by the ACE. any Applies the ACEs action (filter or ignore) to traffic having any SA. host ip-addr Applies the ACEs action (filter or ignore) to traffic having the specified host SA. ip-addr mask-length Applies the ACEs action (filter or ignore) to traffic having an SA within the range defined by either: <src-ip-addr/cidr-mask-bits> or <src-ip-addr <mask>>
Use this criterion for traffic received from either a subnet or a group of IP addresses. The mask can be in either dotted-decimal format or CIDR format with the number of significant bits.
Configuring a connection-rate ACL using UDP/TCP criteria
Syntax
ip access-list connection-rate-filter crf-list-name
Creates a connection-rate-filter ACL and puts the CLI into the ACE context. switch(config-crf-nacl)#
If the ACL already exists, this command simply puts the CLI into the ACE context.
Aruba 2930M/F | Access Security Guide
64
Syntax
< filter | ignore | < udp | tcp > < any > < filter | ignore | < udp | tcp > < host ip-addr > [ udp/tcp-options ] < filter | ignore | < udp | tcp > ip-addr mask-length [ udp/tcp-options ]
Used in the ACE context (above) to specify the action of the connection-rate ACE (filter or ignore), and the UDP/TCP criteria and SA of the IP traffic that the ACE affects. < filter | ignore >
filter This option assigns a policy of filtering (dropping) IP traffic having an SA that matches the source address criteria in the ACE.
ignore This option specifies a policy of allowing IP traffic having an SA that matches the source address criteria in the ACE. < udp | tcp > < any | host > ip-addr | ip-addr mask-length
Applies the filter or ignore action to either TCP packets or UDP packets having the specified SA.
any Applies the ACEs action (filter or ignore) to IP traffic having any SA.
host <ip-addr> Applies the ACEs action (filter or ignore) to IP traffic having the specified host SA.
ip-addr <mask-length> Applies the ACEs action (filter or ignore) to IP traffic having an SA within the range defined by either: <src-ip-addr/cidr-mask-bits> or <src-ip-addr <mask>>
Use this criterion for traffic received from either a subnet or a group of IP addresses. The mask can be in either dotted-decimal format or CIDR format with the number of significant bits.
[udp/tcp-options] destination-port <tcp-data> [ source-port <tcp-data> ] source-port <tcp-data> [ destination-port <tcp-data> ] destination-port <udp-data> [ source-port <udp-data> ] source-port <udp-data> [ destination-port <udp-data> ]
tcp-data: operator tcp-port-#
65
Aruba 2930M/F | Access Security Guide
udp-data: operator udp-port-#
operator < eq | gt | lt | neq | range >
eq <port-nbr-or-name> "Equal To": To have a match with the ACE entry, the TCP or UDP source-port number in a packet must be equal to the specified port number.
gt <port-nbr-or-name> "Greater Than": To have a match with the ACE entry, the TCP or UDP source-port number in a packet must be greater than the specified port number.
lt <port-nbr-or-name> "Less Than": To have a match with the ACE entry, the TCP or UDP source-port number in a packet must be less than the specified port number.
neq <port-nbr-or-name> "Not Equal": To have a match with the ACE entry, the TCP or UDP source-port number in a packet must not be equal to the specified port number.
range <start-port-nbr/name><end-port-nbr/name> To have a match with the ACE entry, the TCP or UDP source-port number in a packet must be in the range <start-port-nbr/name> <end-port-nbr/name>.
tcp-data or udp-data
TCP or UDP Port Number or (Well-Known) Port Name:
Use the TCP or UDP port number required for the desired match. The switch also accepts certain well-known TCP or UDP port names as alternates to their corresponding port numbers:
TCP/UDP-PORT: Specify port by number.
bootpc Bootstrap Protocol, client (68)
bootps Bootstrap Protocol, server (67)
dns Domain Name Service (53)
ntp Network Time Protocol (123)
radius Remote Authentication Dial-In User Service (1812)
Aruba 2930M/F | Access Security Guide
66
radius-old Remote Authentication Dial-In User Service (1645)
rip Routing Information Protocol (520)
snmp Simple Network Management Protocol (161)
snmp-trap Simple Network Management Protocol (162)
tftp Trivial File Transfer Protocol (69)
Figure 12 Examples of connection-rate ACEs using UDP/TCP criteria
Applying connection-rate ACLs
To apply a connection-rate ACL, use the access group command described below.
This command differs from the access group command for non-connection-rate ACLs.
Syntax
vlan <vid> ip access-group <crf-list-name> connection-rate-filter no vlan <vid> ip access-group <crf-list-name> connection-rate-filter This command applies a connection-rate access control list (ACL) to inbound traffic on ports in the specified VLAN that are configured for connection-rate filtering. A connection-rate ACL does not apply to ports in the VLAN that are not configured for connection-rate filtering. The no form of the command removes the connection-rate ACL assignment from the VLAN.
67
Aruba 2930M/F | Access Security Guide
n The switch allows only one connection-rate ACL assignment per VLAN. If a connection-rate ACL is already assigned to a VLAN, assigning another to the same VLAN overwrites the first ACL with the second.
n A connection-rate ACL can be in addition to any standard or extended ACLs already assigned to the VLAN.
Using an ACL in a connection-rate configuration example
This example adds connection-rate ACLs to the example in Viewing the connection-rate configuration . Figure 13 Sample network
In the basic example, the administrator configured connection-rate blocking on port D2. However:
n The administrator has elevated the connection-rate sensitivity to high.
n The server at IP address 15.45.50.17 frequently transmits a relatively high rate of legitimate connection requests, which now triggers connection-rate blocking of the server's IP address on port D2. This causes periodic, unnecessary blocking of access to the server.
The administrator needs to maintain blocking protection from the "Company Intranet" while allowing access to the server at 15.45.50.17. Because the server is carefully maintained as a trusted device, the administrator's solution is to configure a connection-rate ACL that causes the switch to ignore (circumvent) connection-rate filtering for inbound traffic from the server, while maintaining the filtering for all other inbound traffic on port D2. The configuration steps include:
1. Create the connection-rate ACL with a single entry: a. Use the IP address of the desired server. b. Include a CIDR notation of "32" for the ACL mask. (Which means the mask allows only traffic whose
Aruba 2930M/F | Access Security Guide
68
source IP address (SA) exactly matches the specified IP address.) c. The ACL automatically includes the implicit
filter ACE as the last entry, which means that any traffic that is not from the desired server is subject to filtering by the connection-rate policy configured on port D2. 2. Assigning the ACL to the VLAN through which traffic from the server enters the switch.
Figure 14 Creating and assigning a connection rate ACL
Figure 15 Example of switch configuration display with a connection-rate ACL
69
Aruba 2930M/F | Access Security Guide
Connection-rate filtering
Features and Benefits
Connection-rate filtering is a countermeasure tool you can use in your incident-management program to help detect and manage worm-type IT security threats received in inbound IP traffic. Major benefits of this tool include:
n Behavior-based operation that does not require identifying details unique to the code exhibiting the worm-like operation.
n Handles unknown worms. n Needs no signature updates. n Protects network infrastructure by slowing or stopping IP traffic from hosts exhibiting high connection-rate
behavior. n Allows network and individual switches to continue to operate, even when under attack. n Provides Event Log and SNMP trap warnings when worm-like behavior is detected. n Gives IT staff more time to react before the threat escalates to a crisis.
When configured on a port, connection-rate filtering is triggered by IPv4 traffic received inbound with a relatively high rate of IP connection attempts. As stated previously, connection-rate filtering is triggered by inbound IP traffic exhibiting a relatively highincidence of IP connection attempts from a single source.
Figure 16 Example of protecting a network from agents using a high IP connection rate to propagate
General operation
Connection-rate filtering enables notification of worm-like behavior detected in inbound IP traffic and, depending on how you configure the feature, also throttles or blocks such traffic. This feature also provides a method for allowing legitimate, high connection-rate traffic from a given host while still protecting your network from possibly malicious traffic from other hosts.
Filtering options
In the default configuration, connection-rate filtering is disabled. When enabled on a port, connection-rate filtering monitors inbound IP traffic for a high rate of connection requests from any given host on the port. If a host appears
Aruba 2930M/F | Access Security Guide
70
to exhibit the worm-like behavior of attempting to establish a large number of outbound IP connections in a short period of time, the switch responds in one of the following ways, depending on how connection-rate filtering is configured:
n Notify only (of potential attack): While the apparent attack continues, the switch generates an Event Log notice identifying the offending host's source IP address and (if a trap receiver is configured on the switch) a similar SNMP trap notice).
n Throttle: In this case, the switch temporarily blocks inbound IP traffic from the offending host source IP address for a "penalty" period and generates an Event Log notice of this action and (if a trap receiver is configured on the switch) a similar SNMP trap notice. When the "penalty" period expires the switch reevaluates the traffic from the host and continues to block this traffic if the apparent attack continues. (During the re-evaluation period, IP traffic from the host is allowed.)
n Block: This option blocks all IP traffic from the host. When a block occurs, the switch generates an Event Log notice and (if a trap receiver is configured on the switch) a similar SNMP trap notice. Note that a network administrator must explicitly re-enable a host that has been previously blocked.
Sensitivity to connection rate detection
The switch includes a global sensitivity setting that enables adjusting the ability of connection-rate filtering to detect relatively high instances of connection-rate attempts from a given source.
Application options
For the most part, normal network traffic is distinct from the traffic exhibited by malicious agents. However, when a legitimate network host generates multiple connections in a short period of time, connection-rate filtering can generate a "false positive" and treat the host as an infected client. Lowering the sensitivity or changing the filter mode can reduce the number of false positives. Conversely, relaxing filtering and sensitivity provisions lowers the switch ability to detect worm-generated traffic in the early stages of an attack, and should be carefully investigated and planned to ensure that a risky vulnerability is not created. As an alternative, you can use connection-rate ACLs (access control lists) or selective enabling to allow legitimate traffic.
Selective enable
This option involves applying connection-rate filtering only to ports posing a significant risk of attack. For ports that are reasonably secure from attack, then there can be little benefit in configuring them with connection-rate filtering.
Connection-rate Access Control Lists (ACLs)
The basic connection-rate filtering policy is configured per-port as notify-only, throttle, and block. A connection-rate ACL creates exceptions to these per-port policies by creating special rules for individual hosts, groups of hosts, or entire subnets. Thus, you can adjust a connection-rate filtering policy to create and apply an exception to configured filters on the ports in a VLAN. Note that connection-rate ACLs are useful only if you need to exclude inbound traffic from your connection-rate filtering policy. For example, a server responding to network demand can send a relatively high number of legitimate connection requests. This can generate a false positive by exhibiting the same elevated connection-rate behavior as a worm. Using a connection-rate ACL to apply an exception for this server allows you to exclude the trusted server from connection-rate filtering and thereby keep the server running without interruption.
Use connection-rate ACLs only when you need to exclude an IP traffic source (including traffic with specific UDP or TCP criteria) from a connection-rate filtering policy. Otherwise, the ACL is not necessary.
71
Aruba 2930M/F | Access Security Guide
Operating rules
n Connection-rate filtering does not operate on IPv6 traffic. n Connection-rate filtering is triggered by inbound IP traffic exhibiting high rates of IP connections to new hosts.
After connection-rate filtering has been triggered on a port, all traffic from the suspect host is subject to the configured connection-rate policy (notify-only, throttle, or block). n When connection-rate filtering is configured on a port, the port cannot be added to, or removed from, a port trunk group. Before this can be done, connection-rate filtering must be disabled on the port. n Where the switch is throttling or blocking inbound IP traffic from a host, any outbound traffic destined for that host is still permitted. n Once a throttle has been triggered on a port--temporarily blocking inbound IP traffic--it cannot be undone during operation: the penalty period must expire before traffic is allowed from the host.
Unblocking a currently blocked host
A hostblocked by connection-rate filtering remains blocked until explicitly unblocked by one of the following methods:
n Using the connection-rate-filter unblock command, see Listing currently-blocked hosts on page 62. n Rebooting the switch. n Disabling connection-rate filtering using the no
connection-rate-filter command. n Deleting a VLAN removes blocks on any hosts on that VLAN.
Changing a port setting from block to throttle, notify-only, or to no filter connection-rate, does not unblock a currently blocked host. Similarly, applying a connection-rate ACL does not unblock a currently blocked host. See the above list for the correct methods to use to unblock a host.
Applying connection-rate ACLs
To apply a connection-rate ACL, use the access group command described below.
This command differs from the access group command for non-connection-rate ACLs.
Syntax
vlan <vid> ip access-group <crf-list-name> connection-rate-filter no vlan <vid> ip access-group <crf-list-name> connection-rate-filter This command applies a connection-rate access control list (ACL) to inbound traffic on ports in the specified VLAN that are configured for connection-rate filtering. A connection-rate ACL does not apply to ports in the VLAN that are not configured for connection-rate filtering. The no form of the command removes the connection-rate ACL assignment from the VLAN.
Aruba 2930M/F | Access Security Guide
72
n The switch allows only one connection-rate ACL assignment per VLAN. If a connection-rate ACL is already assigned to a VLAN, assigning another to the same VLAN overwrites the first ACL with the second.
n A connection-rate ACL can be in addition to any standard or extended ACLs already assigned to the VLAN.
Connection-rate ACL operation
A connection-rate ACL applies to inbound traffic on all ports configured for connection-rate filtering in the assigned VLAN, and creates an exception to the connection-rate filter policy configured on each port. A connection-rate ACL has no effect on ports in the VLAN that are not configured for connection-rate filtering. A connection-rate ACL accepts inbound, legitimate traffic from trusted sources without filtering the traffic for the configured connection-rate policy. You can configure an ACL to assign policy filtering (filter) for traffic from some sources and no policy filtering (ignore) for traffic from other sources. However, the implicit filter invoked as the last entry in any connection-rate ACL ensures that any traffic not specifically excluded from policy filtering (by the ignore command) is filtered by the configured policy for the port on which that traffic entered the switch.
Figure 17 Connection-rate ACL applied to traffic received through a given port
Connection-Rate ACL operating notes
n ACE Types: A connection-rate ACL allows you to configure two types of ACEs (Access Control Entries):
o ignore <source-criteria>
This ACE type directs the switch to permit all inbound traffic meeting the configured <source-criteria> without filtering the traffic through the connection-rate policy configured on the port through which the traffic entered the switch. For example, ignore host 15.45.120.70 tells the switch to permit traffic from the host
73
Aruba 2930M/F | Access Security Guide
at 15.45.120.70 without filtering this host's traffic through the connection-rate policy configured for the port on which the traffic entered the switch. o filter <source-criteria>
This ACE type does the opposite of an ignore entry. That is, all inbound traffic meeting the configured source-criteria must be filtered through the connection-rate policy configured for the port on which the traffic entered the switch. This option is most useful in applications where it is easier to use filter to specify suspicious traffic sources for screening than to use ignore to specify exceptions for trusted traffic sources that don't need screening. For example, if the host at 15.45.127.43 requires connection-rate screening, but all other hosts in the VLAN do not, you would configure and apply a connection-rate ACL with filter ip host 15.45.127.43 as the first ACE and ignore ip any as the second ACE. In this case, the traffic from host 15.45.127.43 would be screened, but traffic from all other hosts on the VLAN would be permitted without connection-rate screening.
n Implicit ACE
A connection-rate ACL includes a third, implicit filter ip any ACE which is automatically the last ACE in the ACL. This implicit ACE does not appear in displays of the ACL configuration, but is always present in any connection-rate ACL you configure. For example, assume that a port is configured with a connection-rate policy and is in a VLAN configured with a connection-rate ACL. If there is no match between an incoming packet and the ACE criteria in the ACL, then the implicit filter ip any sends the packet for screening by the connection-rate policy configured on that port. To preempt the implicit filter ip any in a given connectionrate ACL, you can configure ignore IP any as the last explicit ACE in the connection-rate ACL. The switch then ignores (permit) traffic that is not explicitly addressed by other ACEs configured sequentially earlier in the ACL without filtering the traffic through the existing connection-rate policy.
n Monitoring Shared Resources
Active instances of throttling or blocking a client that is generating a high rate of connection requests uses internal routing switch resources that are shared with several other features. The routing switch provides ample resources for all features. However, if the internal resources become fully subscribed, new instances of throttling or blocking cannot be initiated until the necessary resources are released from other uses. (Event Log messages and SNMP traps are not affected.) For information on determining current resource availability and usage, see the appendix titled "Monitoring Resources" in the management and configuration guide for your switch.
Using CIDR notation to enter the ACE mask
You can use Classless Inter-Domain Routing (CIDR) notation to enter ACE masks. The switch interprets the bits specified with CIDR notation as the IP address bits in an ACE and the corresponding IP address bits in a packet. The switch then converts the mask to inverse notation for ACE use.
Table 10: CIDR notation for masks
IP address used in an ACL with CIDR notation
Resulting ACL mask
Meaning
10.38.240.125/15
0.1.255.255
The leftmost 15 bits must match; the remaining bits are wildcards.
10.38.240.125/20
0.0.15.255
The leftmost 20 bits must match; the remaining bits are wildcards.
Aruba 2930M/F | Access Security Guide
74
IP address used in an ACL with CIDR notation
10.38.240.125/21
Resulting ACL mask 0.0.7.255
10.38.240.125/24
0.0.0.255
10.38.240.125/32
0.0.0.0
Meaning
The leftmost 21 bits must match; the remaining bits are wildcards.
The leftmost 24 bits must match; the remaining bits are wildcards.
All bits must match.
Connection-rate log and trap messages
See the Event Log message reference guide for information about Event Log messages.
Configuring connection-rate filtering for low risk networks
As stated earlier, connection-rate filtering is triggered only by inbound IP traffic generating a relatively high number of new IP connection requests from the same host.
Procedure
1. Enable notify-only mode on the ports you want to monitor. 2. Set global sensitivity to low. 3. If SNMP trap receivers are available in your network, use the snmp-server command to configure the
switch to send SNMP traps. 4. Monitor the Event Log or (if configured) the available SNMP trap receivers to identify hosts exhibiting high
connection rates. 5. Check any hosts that exhibit relatively high connection rate behavior to determine whether malicious code
or legitimate use is the cause of the behavior. 6. Hosts demonstrating high, but legitimate connection rates, such as heavily used servers, can trigger a
connection-rate filter. Configure connection rate ACLs to create policy exceptions for trusted hosts. (Exceptions can be configured for these criteria: a. A single source host or group of source hosts b. A source subnet c. Either of the above with TCP or UDP criteria
For more on connection rate ACLs, see Application options on page 71. 7. Increase the sensitivity to Medium and repeat steps 5 and 6.
On networks that are relatively infection-free, sensitivity levels above Medium are not recommended.
8. (Optional.) Enable throttle or block mode on the monitored ports.
On a given VLAN, to unblock the hosts that have been blocked by the connection-rate feature,
75
Aruba 2930M/F | Access Security Guide
use the vlan <vid> connection-rate filter unblock command.
9. Maintain a practice of carefully monitoring the Event Log or configured trap receivers for any sign of high connectivity-rate activity that could indicate an attack by malicious code.
Configuring connection-rate filtering for high risk networks
This procedure is similar to the general steps required for a relatively attack free network, except for policies suggested for managing hosts exhibiting high connection rates. This allows better network performance for unaffected hosts and helps to identify hosts that can require updates or patches to eliminate malicious code.
1. Configure connection-rate filtering to throttle on all ports. 2. Set global sensitivity to medium. 3. If SNMP trap receivers are available in your network, use the snmp-server command to configure the
switch to send SNMP traps. 4. Monitor the Event Log or the available SNMP trap receivers (if configured on the switch) to identify hosts
exhibiting high connection rates. 5. Check any hosts that exhibit relatively high connection rate behavior to determine whether malicious code
or legitimate use is the cause of the behavior. 6. On hosts you identify as needing attention to remove malicious behavior:
a. To immediately halt an attack from a specific host, group of hosts, or a subnet, use the per-port block mode on the appropriate ports.
b. After gaining control of the situation, you can use connection-rate ACLs to more selectively manage traffic to allow receipt of normal traffic from reliable hosts.
Aruba 2930M/F | Access Security Guide
76
Chapter 5 Web and MAC Authentication
Web and MAC Authentication
Overview
Web and MAC authentication are designed for employment on the "edge" of a network to provide port-based security measures for protecting private networks and a switch from unauthorized access. Because neither method requires clients to run special supplicant software (unlike 802.1X authentication), both web and MAC authentication are suitable for legacy systems and temporary access situations where introducing supplicant software is not an attractive option. Only a web browser (for web-based authentication) or a MAC address (for MAC authentication) is required. Both web and MAC authentication methods rely on a RADIUS server to authenticate network access. This simplifies access security management by allowing the control of access from a main database in a single server. Up to three RADIUS servers can be used for backup in case access to the primary server fails. It also means the same credentials can be used for authentication, regardless of which switch or switch port is the current access point into the LAN. On a port configured for web-based or MAC authentication, the switch operates as a port-access authenticator using a RADIUS server and the CHAP protocol. Inbound traffic is processed by the switch alone, until authentication occurs. Some traffic from the switch to an unauthorized client is supported (for example, broadcast or unknown destination packets) before authentication occurs.
Web-based authentication
The web-based authentication method uses a web page login to authenticate users for access to the network. When a client connects to the switch and opens a web browser, the switch automatically presents a login page.
A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web-based authentication.
In the login page, a client enters a username and password, which the switch forwards to a RADIUS server for authentication. After authenticating a client, the switch grants access to the secured network. Besides a web browser, the client needs no special supplicant software.
MAC authentication
The MAC authentication method grants access to a secure network by authenticating devices for access to the network. When a device connects to the switch, either by direct link or through the network, the switch forwards the device's MAC address to the RADIUS server for authentication. The RADIUS server uses the device MAC address as the username and password, and grants or denies network access in the same way that it does for clients capable of interactive logons. The process does not use either a client device configuration or a logon session. MAC authentication is well-suited for clients not capable of providing interactive logons, such as telephones, printers, and wireless access points. Also, because most RADIUS servers allow for authentication to depend on the source switch and port through which the client connects to the network, you can use MAC authentication to "lock" a particular device to a specific switch and port.
Aruba 2930M/F | Access Security Guide
77
802.1X port-access, web-based authentication, and MAC authentication can be configured at the same time on the same port. The client limit is 256 clients per port for MAC-auth and Web-auth; the client limit for 802.1X is 32 clients per port. The MAC-auth and Web-auth limit of 256 clients only applies when there are fewer than 16,384 authentication clients on the entire switch. After the limit of 16,384 clients is reached, no additional authentication clients are allowed on any port for any method. The default is one client.
Web-based and/or MAC authentication and MAC lockdown, MAC lockout, and port-security are mutually exclusive on a given port. If you configure any of these authentication methods on a port, you must disable LACP on the port.
Concurrent web-based and MAC authentication
Web-based authentication and MAC authentication can be configured at the same time on a port. It is assumed that MAC authentication will use an existing MAC address. The following conditions apply for concurrent authentication:
n A specific MAC address cannot be authenticated by both web and MAC authentication at the same time. n Each new web-based/MAC authentication client always initiates a MAC authentication attempt. This same
client can also initiate web-based authentication at any time before the MAC authentication succeeds. If either authentication succeeds then the other authentication (if in progress) is ended. No further web-based/MAC authentication attempts are allowed until the client is de-authenticated. n Web-based and MAC authentications are not allowed on the same port if an unauthenticated (guest) VLAN is enabled for MAC authentication. An unauthenticated VLAN cannot be enabled for MAC authentication if webbased and MAC authentication are both enabled on the port. n Hitless reauthentication must be of the same type (MAC) that was used for the initial authentication. Nonhitless reauthentication can be of any type.
The remaining web-based/MAC functionality, including interactions with 802.1X, remains the same. web and MAC authentication can be used for different clients on the same port. Normally, MAC authentication finishes much sooner than web authentication. However, if web authentication completes first, MAC authentication ceases, even though MAC authentication could succeed. There is no guarantee that MAC authentication ends before web-based authentication begins for the client. Concurrent web-based and MAC authentication is backward compatible with all existing user configurations.
Authorized and unauthorized client VLANs
Web-based and MAC Authentication provides a port-based solution in which a port belongs to one untagged VLAN at a time. The switch supports up to 32 simultaneous client sessions per port. All authenticated client sessions operate in the same untagged VLAN. To simultaneously support multiple client sessions in different VLANs for a network application, design the system so clients request network access on different switch ports. In the default configuration, the switch blocks access to all clients that the RADIUS server does not authenticate. However, you can configure an individual port to provide limited network services and access to unauthorized clients by using an "unauthorized" VLAN for each session. The unauthorized VLAN ID assignment can be the same for all ports, or different, depending on the services and access you plan to allow for unauthenticated clients. You configure access to an optional, unauthorized VLAN when you configure web-based and MAC authentication on a port.
78
Aruba 2930M/F | Access Security Guide
RADIUS-based authentication
In web-based and MAC authentication, you use a RADIUS server to temporarily assign a port to a static VLAN to support an authenticated client. When a RADIUS server authenticates a client, the switch-port membership during the client's connection is determined according to the following hierarchy:
Procedure
1. A RADIUS-assigned VLAN. 2. An authorized VLAN specified in the web-based or MAC authentication configuration for the subject port. 3. A static, port-based, untagged VLAN to which the port is configured. A RADIUS-assigned VLAN has
priority over switch-port membership in any VLAN.
Wireless clients
You can allow wireless clients to move between switch ports under web-based/MAC authentication control. Clients can move from one web-authorized port to another or from one MAC-authorized port to another. This capability allows wireless clients to move from one access point to another without having to reauthenticate.
How web-based and MAC authentication operate
Before gaining access to the network, a client first presents authentication credentials to the switch. The switch then verifies the credentials with a RADIUS authentication server. Successfully authenticated clients receive access to the network, as defined by the System Administrator. Clients who fail to authenticate successfully receive no network access or limited network access as defined by the System Administrator.
Web-based authentication
The web-based authentication method uses a web page login to authenticate users for access to the network. When a client connects to the switch and opens a web browser, the switch automatically presents a login page.
A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web-based authentication.
In the login page, a client enters a username and password, which the switch forwards to a RADIUS server for authentication. After authenticating a client, the switch grants access to the secured network. Besides a web browser, the client needs no special supplicant software.
Order of priority for assigning VLANs
The assigned VLAN is determined, in order of priority, as follows:
Procedure
1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the authorized VLAN (auth-vid if configured) and temporarily drops all other VLAN memberships.
3. If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.
Aruba 2930M/F | Access Security Guide
79
4. If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked.
The assigned port VLAN remains in place until the session ends. Clients can be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period). In addition, a session ends if the link on the port is lost, requiring reauthentication of all clients. Also, if a client moves from one port to another and client moves have not been enabled (client-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port's VLAN memberships made while it is an authorized port take affect at the end of the session. A client can not be authenticated due to invalid credentials or a RADIUS server timeout. The max-retries parameter specifies how many times a client can enter their credentials before authentication fails. The servertimeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out. The max-requests parameter specifies how many authentication attempts can result in a RADIUS server timeout before authentication fails. The switch waits a specified amount of time (quiet-period) before processing any new authentication requests from the client. Network administrators can assign unauthenticated clients to a specific static, untagged VLAN (unauth-vid), to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients the port is blocked and no network access is available. Should another client successfully authenticate through that port any unauthenticated clients on the unauth-vid are dropped from the port.
MAC-based authentication
When a client connects to a MAC authentication enabled port traffic is blocked. The switch immediately submits the client's MAC address (in the format specified by the addr-format) as its certification credentials to the RADIUS server for authentication.
If the client is authenticated and the maximum number of MAC addresses allowed on the port (addr-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access.
The assigned VLAN is determined, in order of priority, as follows:
Procedure
1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the authorized VLAN (if configured) and temporarily drops all other VLAN memberships.
3. If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.
4. If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked.
The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period). In addition, a session ends if the link on the port is lost, requiring reauthentication of all clients. Also, if a client moves from one port to another and client moves have not been enabled (addr-moves) on the ports, the session ends and the
80
Aruba 2930M/F | Access Security Guide
client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port's VLAN memberships made while it is an authenticated port take affect at the end of the session.
A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out. The maxrequests parameter specifies how many authentication attempts may result in a RADIUS server timeout before authentication fails. The switch waits a specified amount of time (quiet-period) before processing any new authentication requests from the client.
Network administrators may assign unauthenticated clients to a specific static, untagged VLAN (unauth-vid), to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients the port remains in its original VLAN configuration. Should another client successfully authenticate through that port any unauthenticated clients are dropped from the port.
Operating rules and notes
n The switch supports concurrent 802.1X, web andMAC authentication operation on a port (with up to 32 clients allowed). However, concurrent operation of web and MAC authentication with other types of authentication on the same port is not supported. That is, the following authentication types are mutually exclusive on a given port: l Web-based and/or MAC authentication (with or without 802.1X) l MAC lockdown l MAC lockout l Port-Security
n Order of Precedence for Port Access Management (highest to lowest): 1. MAC lockout
2. MAC lockdown or Port Security
3. Port-based Access Control (802.1X) or web-based authentication or MAC authentication
When configuring a port for web-based or MAC authentication, be sure that a higher precedent port access management feature is not enabled on the port. For example, be sure that Port Security is disabled on a port before configuring the port for web-based or MAC authentication. If Port Security is enabled on the port this misconfiguration does not allow web-based or MAC authentication to occur.
n VLANs: If your LAN does not use multiple VLANs, then you do not need to configure VLAN assignments in your RADIUS server or consider using either authorized or unauthorized VLANs. If your LAN does use multiple VLANs, then some of the following factors can apply to your use of web-based authentication and MAC-authentication: l Web-based authentication and MAC-authentication operate only with port-based VLANs. Operation with protocol VLANs is not supported, and clients do not have access to protocol VLANs during web-based authentication and MAC authentication sessions. l A port can belong to one, untagged VLAN during any client session. Where multiple authenticated clients can simultaneously use the same port, they must all be capable of operating on the same VLAN. l During an authenticated client session, the following hierarchy determines a port's VLAN membership:
Aruba 2930M/F | Access Security Guide
81
1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the authorized VLAN (if configured) and temporarily drops all other VLAN memberships.
3. If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, portbased VLAN, then the port remains in this VLAN.
4. If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked.
l After an authorized client session begins on a given port, the port's VLAN membership does not change. If other clients on the same port become authenticated with a different VLAN assignment than the first client, the port blocks access to these other clients until the first client session ends.
l The optional "authorized" VLAN (auth-vid) and "unauthorized" VLAN (unauth-vid) you can configure for web-based or MAC authentication must be statically configured VLANs on the switch. Also, if you configure one or both of these options, any services you want clients in either category to access must be available on those VLANs.
n Where a given port's configuration includes an unauthorized client VLAN assignment, the port will allow an unauthenticated client session only while there are no requests for an authenticated client session on that port. In this case, if there is a successful request for authentication from an authorized client, the switch terminates the unauthorized-client session and begins the authorized-client session.
n When a port on the switch is configured for web-based or MAC authentication and is supporting a current session with another device, rebooting the switch invokes a re-authentication of the connection.
n When a port on the switch is configured as a web-based or MAC authenticator, it blocks access to a client that does not provide the proper authentication credentials. If the port configuration includes an optional, unauthorized VLAN (unauth-vid), the port is temporarily placed in the unauthorized VLAN if there are no other authorized clients currently using the port with a different VLAN assignment. If an authorized client is using the port with a different VLAN or if there is no unauthorized VLAN configured, the unauthorized client does not receive access to the network.
n Web-based or MAC authentication and LACP cannot both be enabled on the same port.
n Web-based/MAC authentication and LACP are not supported at the same time on a port. The switch automatically disables LACP on ports configured for web or MAC authentication.
n Use the show port-access web-based command to display session status, port-access configuration settings, and statistics for web-based authentication sessions.
n When spanning tree is enabled on a switch that uses 802.1X, web-based authentication, or MAC authentication, loops can go undetected. For example, spanning tree packets that are looped back to an edge port will not be processed because they have a different broadcast/multicast MAC address from the clientauthenticated MAC address. To ensure that client-authenticated edge ports get blocked when loops occur, you should enable loop protection on those ports. See "Multiple instance spanning-tree operation" in the advanced traffic management guide for your switch.
Setup procedure for web-based/MAC authentication
Before you configure web-based/MAC authentication, follow these guidelines:
Procedure
82
Aruba 2930M/F | Access Security Guide
1. Configure a local username and password on the switch for both the operator (login) and manager (enable) access levels. (While this is not required for a Web- or MAC-based configuration, Hewlett Packard Enterprise recommends that you use a local user name and password pair, at least until your other security measures are in place, to protect the switch configuration from unauthorized access.)
2. Determine the switch ports that you want to configure as authenticators. Note that before you configure web-based or MAC authentication on a port operating in an LACP trunk, you must remove the port from the trunk.
3. To display the current configuration of 802.1X, web-based, and MAC authentication on all switch ports, enter the show port-access config command.
Output for the show port-access config command
switch(config)#show port-access config
Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Supplicant Authenticator Web-Auth Mac-Auth LMA-Auth Ctrl
Port Enabled Enabled
Enabled Enabled Enabled Dir
---- --------- ------------ -------- -------- -------- -----
C1 No
Yes
No
No
No
In
C2 No
Yes
No
No
No
Both
C3 No
Yes
No
No
No
Both
C4 No
Yes
No
No
Yes
Both
...
Mixed Speed Mode VSA MBV ---- ---- --No Yes Yes Yes Yes Yes No No Yes No Yes Yes
4. Determine whether any VLAN assignments are needed for authenticated clients.
a. If you configure the RADIUS server to assign a VLAN for an authenticated client, this assignment overrides any VLAN assignments configured on the switch while the authenticated client session remains active. The VLAN must be statically configured on the switch.
b. If there is no RADIUS-assigned VLAN, the port can join an "Authorized VLAN" for the duration of the client session. This must be a port-based, statically configured VLAN on the switch.
c. If there is neither a RADIUS-assigned VLAN or an "authorized VLAN" for an authenticated client session on a port, the port's VLAN membership remains unchanged during authenticated client sessions. Configure the port for the VLAN in which you want it to operate during client sessions.
When configuring a RADIUS server to assign a VLAN, you can use either the VLAN's name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either "100" or "vlan100" to specify the VLAN.
5. For clients that the RADIUS server does not authenticate, determine whether to use the optional "unauthorized VLAN" mode. This VLAN must be statically configured on the switch. If you do not configure an "unauthorized VLAN", the switch simply blocks access to unauthenticated clients trying to use the port.
6. Determine the authentication policy you want on the RADIUS server and configure the server. Based on your switches RADIUS application information, include the following in the policy for each client or client device: n The CHAP-RADIUS authentication method n An encryption key n One of the following:
l Include the user name and password for each authorized client if you are configuring web-based authentication.
Aruba 2930M/F | Access Security Guide
83
l Enter the device MAC address in both the username and password fields of the RADIUS policy configuration for that device if you are configuring MAC authentication. To allow a particular device to receive authentication only through a designated port and switch, include this in your policy.
7. Determine the IP address of the RADIUS server(s) you choose to support web-based or MAC authentication.
Configuring the RADIUS server to support MAC authentication
On the RADIUS server, configure the client device authentication in the same way that you would any other client, except:
n Configure the client device's (hexadecimal) MAC address as both username and password. Be careful to configure the switch to use the same format that the RADIUS server uses. Otherwise, the server will deny access. The switch provides four format options: l aabbccddeeff (the default format) l aabbcc-ddeeff l aa-bb-cc-dd-ee-ff l aa:bb:cc:dd:ee:ff l AABBCCDDEEFF l AABBCC-DDEEFF l AA-BB-CC-DD-EE-FF l AA:BB:CC:DD:EE:FF
n If the device is a switch or other VLAN capable device, use the base MAC address assigned to the device, and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch. The switch applies a single MAC address to all VLANs configured in the switch. Thus, for a given switch, the MAC address is the same for all VLANs configured on the switch. (See "Static Virtual LANs (VLANs)" in the Advanced Traffic Management Guide for your switch.)
Configuring the switch to access a RADIUS server
Configuring a RADIUS server to support web-based authentication and MAC Authentication require the following minimal commands: (See RADIUS Authentication, Authorization, and Accounting on page 164 for information on other RADIUS command options.)
Syntax:
radius-server no radius-server [host <ip-addresss>]
Adds a server to the RADIUS configuration or, when no is used, deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (See RADIUS Authentication, Authorization, and Accounting on page 164). [key <global-key-string>] Specifies the global encryption key the switch uses with servers for which the switch does not have a server specific key assignment (below). This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. The tilde (~) character is allowed in the string, for example, radius server key aruba~switch. It is not backward compatible; the "~" character is lost if you use a software version that does not support the "~" character.
84
Aruba 2930M/F | Access Security Guide
(Default: Null.)
Syntax:
radius-server host <ip-address> key <server-specific key-string> no radius-server host <ip-address> key
Optional.
Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key, above. The tilde (~) character is allowed in the string. It is not backward compatible; the "~" character is lost if you use a software version that does not support the "~" character.
The no form of the command removes the key configured for a specific server.
For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server specific shared secret key of `1A7rd':
Configure the switch to access a RADIUS server
switch(config)# radius-server host 192.168.32.11 switch(config)# radius-server host 192.168.32.11 key 1A7rd switch(config)# show radius
Status and Counters - General RADIUS Information
Deadtime(min) : 0 Timeout(secs) : 5 Retransmit Attempts : 3 Global Encryption Key : Dynamic Authorization UDP Port :
Auth Acct DM/ Time
Server IP Addr Port Port CoA Window Encryption Key
--------------- ---- ---- --- ------ ---------------------
192.168.32.11 1812 1813
1A7rd
RADIUS service tracking
RADIUS service tracking determines the availability of RADIUS servers configured on the switch. RADIUS service tracking minimizes the wait time for clients when authentication has failed and they are placed in the unauth-vid (Guest VLAN). The wait time for both unauthenticated clients and previously authenticated clients is reduced when RADIUS service tracking is enabled. This feature is disabled by default. For more information, see the Switch Access Security Guide for your switch.
radius-server tracking
Syntax
radius-server tracking [enable | disable] [interval <SECONDS>]
Description
Enables or disables the RADIUS server tracking timer in minutes.
Command context
config
Parameters
Aruba 2930M/F | Access Security Guide
85
interval <SECONDS>
Specifies the number of seconds assigned as a RADIUS tracker. Range for this interval is 60-86400 seconds.
show radius
Use the show radius command to display RADIUS tracking information.
switch# show radius Status and Counters - General RADIUS Information *Server once reachable will be not be considered alive Deadtime (minutes) : Infinite Timeout (seconds) : 5 Retransmit Attempts : 3 Global Encryption Key : Dynamic Authorization UDP Port : 3799 Source IP Selection : Outgoing Interface Tracking : Enabled
CPPM Identity : Auth Acct DM/ Time | Server IP Addr Port Port CoA Window |Encryption Key OOBM --------- --------- ------- ------- ---- ---- ----------- -------------- -------
#switch show runnig-config radius-server dead-time infinite radius-server tracking interval 60
show radius (stacked switch)
Use the show radius command to display RADIUS tracking information on a stacked switch.
Stack(switch)# show radius
Status and Counters - General RADIUS Information
Dead RADIUS server are preceded by *
Deadtime (minutes) Timeout (seconds) Retransmit Attempts Global Encryption Key
: Infinite :5 :2 :
Dynamic Authorization UDP Port : 3799
Source IP Selection
: Outgoing Interface
Tracking
: Enabled
Tracking Period (seconds)
: 300
CPPM Identity
:
Auth Acct DM/ Time | Encryption Key OOBM
Server IP Addr Port Port CoA Window |
---------------- ----- ----- ---- ------ --------------- ----- +
20.1.1.100
1812 1813 No 300 | procurve
No
*20.1.1.129
1812 1813 No 300 | procurve
No
radius-server tracking user-name
Syntax
radius-server tracking user-name <USER-NAME> no radius-server tracking user-name <USER-NAME>
Description
86
Aruba 2930M/F | Access Security Guide
Configures the dummy user-name used to track the availability of the RADIUS servers. By default, the radiustracking-user user name is used.
Parameters
tracking Tracks the availability of the RADIUS servers. user-name Sets the username that will be used to track the RADIUS servers.
Specifiers
<USER-NAME> Enter the username.
RADIUS server dead time
The RADIUS server dead time feature helps the client access request be serviced faster. RADIUS server dead time functions by skipping the client access request to a dead server then requesting access to the next active RADIUS server. The longevity to skip this dead server is controlled by a configuration value in minutes. Once the RADIUS server is marked as dead by the switch, it will not send any access requests to the RADIUS server, even if the server comes line within the configured time. Using the command radius-server dead-tome infinite, once the dead server comes alive, if tracked through radius tracking, switch will send access request to that time again.
radius-server dead-time
Syntax
radius-server dead-time [infinite | minutes]
Description
Enables the RADIUS Server dead-time to a specific time (minutes) or to infinity.
Restrictions
If radius tracking is enabled, only infinite is allowed for dead-time. For example, the command (config)# radius-server dead-time 120 returns an error message Dead-time value can't be configured when RADIUS service tracking feature is enabled. RADIUS tracking must be configured to track infinitely unavailable RADIUS server.
Command context
manager
Parameters
INFINITE Selects infinite dead time.
MINUTES Specifies the dead time value in minutes. Length: 1 mins to 1440 mins.
Examples
Aruba 2930M/F | Access Security Guide
87
Use the show radius command to display dead time.
show radius
Status and Counters - General RADIUS Information
*
Server once reachable will be not be considered alive
Deadtime (minutes)
: Infinite
Timeout (seconds)
:5
Retransmit Attempts
:3
Global Encryption Key
:
Dynamic Authorization UDP Port : 3799
Source IP Selection
: Outgoing Interface
Tracking
: Enabled
CPPM Identity
:
Auth Acct DM/ Time | Server IP Addr Port Port CoA Window | Encryption Key | OOBM --------- ---- ------ ----- --- ------ + ---------------- --------
show radius
Syntax
show radius
Description
Shows RADIUS status and statistics information.
Command context
config
Example
switch(config)# show radius
Status and Counters - General RADIUS Information
Dead RADIUS server are preceded by *
Deadtime (minutes)
:0
TLS Dead Time (minutes)
:0
Timeout (seconds)
:5
TLS Timeout (seconds)
:5
Retransmit Attempts
:2
TLS Connection Timeout (seconds) : 5
Global Encryption Key
: procurve
Dynamic Authorization UDP Port : 2000
Source IP Selection
: Outgoing Interface
Tracking
: Enabled
Request Packet Count
:1
Track Dead Servers Only
: Disabled
Tracking Period (seconds)
: 500
ClearPass Identity
: admin
Auth Acct DM/ Time | Server IP Addr Port Port CoA Window | Encryption Key --------------- ----- ----- --- ------ + -----------------192.168.1.252 2083 2083 No 300 |
OOBM No
88
Aruba 2930M/F | Access Security Guide
RADIUS Tracking enhancements
Password support for RADIUS tracking
With password support available for RADIUS tracking, the password is shared along with the user name. To get an Access-Accept packet, the user name and password must be configured in the RADIUS server.
radius-server tracking user-name password
Syntax
radius-server tracking user-name <USER-NAME> password <PASSWORD> no radius-server tracking user-name <USER-NAME> password <PASSWORD>
Description
Sets the password to track the RADIUS servers. The no form of this command deletes the configured password.
Command context
config
Parameters
USER-NAME Enter the user name. PASSWORD Enter the password.
Usage
n Radius-server tracking user-name password command supports both encrypt-credentials and include-credentials authentication modes.
n In the enhanced security mode, the password is displayed using asterisks.
For more information on enhanced security mode, see the Secure mode section in the Access Security Guide of your switch.
Example
If encrypt-credentials is enabled, password is displayed in the encrypted form in the show running-config output.
switch(config)#show running-config radius-server tracking user-name "username"
Track dead servers only
When RADIUS tracking is enabled with the radius-server tracking enable command, tracking is done for all the RADIUS servers that are configured. When the radius-server tracking dead-server-only command is executed, only nonfunctional (dead) servers are tracked. If there is no response, a RADIUS server is considered nonfunctional with one of the following reasons:
Aruba 2930M/F | Access Security Guide
89
n Route does not exist from switch to server. n Invalid or No key configured. n Network issues.
Switch detects that the server is nonfunctional when server-timeout occurs during dot1x/macauth/webauth authentication with RADIUS server.
radius-server tracking dead-servers-only
Syntax
radius-server tracking dead-servers-only no radius-server tracking dead-servers-only
Description
If the RADIUS tracking is enabled, this command tracks only nonfunctional servers. The no form of this command tracks all the servers.
Command context
config
Examples
switch(config)# show radius Status and Counters - General RADIUS Information
Dead RADIUS server are preceded by *
Deadtime (minutes)
:0
Timeout (seconds)
:5
Retransmit Attempts
:3
Global Encryption Key
:
Dynamic Authorization UDP Port : 3799
Source IP Selection
: Outgoing Interface
Tracking
: Enabled
Request Packet Count
:2
Track Dead Servers Only
: Enabled
Tracking Period (seconds)
: 300
CPPM Identity
:
Auth Acct DM/ Time | Server IP Addr Port Port CoA Window | --------------- ----- ----- --- ------ +
switch(config)#show running-configradius-server tracking dead-servers-only
Number of tracking request packets
The number of packets to be sent for RADIUS tracking can be customized. Currently, up to five packets are allowed. radius-server tracking request-packet-count
Syntax
90
Aruba 2930M/F | Access Security Guide
radius-server tracking request-packet-count <PACKET-COUNT> no radius-server tracking request-packet-count <PACKET-COUNT>
Description
Allows configuration of the number of request packets to be sent for RADIUS tracking. The no form of this command resets the packet count value to the default of three.
Command context
config
Parameter
PACKET-COUNT Number of request packets to be sent for tracking. Default value is 3. Values allowed are 1 to 5.
Examples
switch(config)# show radius Status and Counters - General RADIUS Information
Dead RADIUS server are preceded by *
Deadtime (minutes)
:0
Timeout (seconds)
:5
Retransmit Attempts
:3
Global Encryption Key
:
Dynamic Authorization UDP Port : 3799
Source IP Selection
: Outgoing Interface
Tracking
: Enabled
Request Packet Count
:2
Track Dead Servers Only
: Enabled
Tracking Period (seconds)
: 300
CPPM Identity
:
Auth Acct DM/ Time | Server IP Addr Port Port CoA Window | --------------- ----- ----- --- ------ +
switch(config)#show running-config radius-server tracking req-packet-count 2
Using Password Authentication Protocol (PAP) for MAC Authentication
The Password Authentication Protocol (PAP) provides a simple method for the peer to establish its identity. PAP is considered a weak authentication method as the password details of the client are sent over to the authentication server using a one-way hash function, which is prone to repeated trail attacks. Password of the client is appended with the authentication servers secret password and a hash output is generated. This data is sent over a RADIUS packet to the authentication server. Limitations
n PAP support for 802.1x clients is not available.
n PAP as default method for MAC Authentication is not supported.
Aruba 2930M/F | Access Security Guide
91
n PAP as a backup method to CHAP is not supported. Supported features n Provides authorized and cached reauthentication support. n Provides server group support for PAP-RADIUS.
aaa authentication mac-based pap-radius
Syntax
aaa authentication mac-based pap-radius no aaa authentication mac-based pap-radius
Description
Configures the RADIUS server with PAP support for MAC authentication. The no form of this command disables the PAP support for MAC.
Command context
config
Example
switch(config)#aaa authentication mac-based
chap-radius peap-mschapv2 pap-radius
Use RADIUS server with CHAP. Use RADIUS server with PEAP-MSChapv2. Use RADIUS server with PAP.
switch(config)# aaa authentication mac-based pap-radius
switch(config)#show authentication
Status and Counters - Authentication Information Authorized enabled as backup for secondary login are preceded by *
Login Attempts : 3 Lockout Delay : 0 Respect Privilege : Disabled Bypass Username For Operator and Manager Access : Disabled
| Login
Login
Login
Access Task | Primary
Server Group Secondary
-------------- + ----------- ------------ ----------
Console
| Local
None
Telnet
| Local
None
Port-Access | Local
None
Webui
| Local
None
SSH
| Local
None
Web-Auth
| ChapRadius radius
None
MAC-Auth
| PapRadius radius
None
SNMP
| Local
None
Local-MAC-Auth | Local
None
REST
| Local
None
| Enable
Enable
Enable
Access Task | Primary
Server Group Secondary
-------------- + ----------- ------------ ----------
Console
| Local
None
Telnet
| Local
None
Webui
| Local
None
92
Aruba 2930M/F | Access Security Guide
SSH REST
| Local | Local
None None
Configuring web-based authentication
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
Configuration commands for web-based authentication
Controlled directions
Syntax
aaa port-access <port-list> [controlled-directions <both|in> mixed-mode|port-speed-vsa|mbv <enable|disable>] After you enable web-based-based authentication on specified ports, you can use the aaa port-access controlled-directions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state. both: (Default) Incoming and outgoing traffic is blocked on a port configured for web-based authentication before authentication occurs. in: Incoming traffic is blocked on a port configured for web-based authentication before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for webbased authentication. mixed-mode: Set if unauthenticated and authenticated users are allowed on the same port. port-speed-vsa: Determines if the port speed VSA is allowed and used on a port. mbv <enable|disable>: Allows configuration of MBV (MAC-based VLANs) on a port. MBV allows multiple clients on different untagged VLANs to authenticate on the same port.
Requirements
As implemented in 802.1X authentication, the disabling of incoming traffic and transmission of outgoing traffic on a web-based Authenticated egress port in an unauthenticated state (using the aaa port-access controlleddirection in command) is supported only if the 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network. The port is configured as an edge port in the network using the spanning-tree edge-port command.
Notes
n For information on how to configure the prerequisites for using the aaa port-access controlled-direction in command, see "Multiple instance spanning-tree operations" in the advanced traffic management guide for your switch.
n To display the currently configured controlled direction value for web-based authenticated ports, enter the show port-access web-based config command.
Aruba 2930M/F | Access Security Guide
93
n The aaa port-access controlled-direction in command allows Wake-on-LAN traffic to be transmitted on a web-based authenticated egress port that has not yet transitioned to the authenticated state; the controlled-direction both setting prevents Wake-on-LAN traffic to be transmitted on a web-based authenticated egress port until authentication occurs. The Wake-on-LAN feature is used by network administrators to remotely power on a sleeping workstation (for example, during early morning hours to perform routine maintenance operations, such as patch management and software updates).
n Using the aaa port-access controlled-direction in command, you can enable the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the following port-based security features: l 802.1X authentication l MAC authentication l Web-based authentication Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-direction command is applied to all authentication methods configured on the switch. For information about how to configure and use 802.1X authentication, see Configuring Port and User-Based Access Control (802.1X) on page 516.
n When a web-based authenticated port is configured with the controlled-direction in setting, eavesdrop prevention is not supported on the port.
Per Port Initial Role
Use the command aaa port-access <port-list> initial-role <role-name> to configure initial role at per port level.
aaa port-access initial-role
Syntax
aaa port-access <port-list> initial-role <role-name>
Description
Configure initial role at per port level.
Command context
config
Parameters
port-list Specify the list of ports. role-name Provide the name for the initial role.
Usage
The priority is as follows:
94
Aruba 2930M/F | Access Security Guide
n Per port initial role takes the highest priority (when configured) n Global initial role (when configured) n Default denyall user role
Examples
switch(config)# aaa port-access 1/1
controlled-direction Configure how traffic is controlled on non-authenticated
ports: in both directions (ingress and egress) or
ingress only.
critical-auth
Configure critical-auth VLAN for authentication failed
ports due to non-reachable authentication server.
initial-role
Configure an initial-role for a given port-range.
mbv
Allows configuration of MBV (MAC-based VLANs) on a port.
mixed
Set if unauthenticated and authenticated users are
allowed on the same port.
open-auth
Configure open-auth VLAN for non-authenticated ports.
port-speed-vsa
Set if port speed VSA processing is enabled on the port.
Disable web-based authentication
Syntax:
aaa port-access web-based <port-list> no aaa port-access web-based <port-list> Enables web-based authentication on the specified ports. Use the no form of the command to disable web-based authentication on the specified ports.
Specifying the VLAN
Syntax:
aaa port-access web-based <port-list> [auth-vid <vid>] no aaa port-access web-based <port-list> [auth-vid <vid>] Specifies the VLAN to use for an authorized client. The Radius server can override the value (accept-response includes a vid). If auth-vid is 0, no VLAN changes occur unless the RADIUS server supplies one. Use the no form of the command to set the auth-vid to 0. (Default: 0)
Maximum authenticated clients
Syntax
aaa port-access web-based <port-list> [client-limit <1-256>] Specifies the maximum number of authenticated clients to allow on the port. (Default: 1)
On switches where Web-based authentication and 802.1X can operate concurrently, this limit includes the total number of clients authenticated through both methods. The limit of 256 clients only applies when there are fewer than 16,384 authentication clients on the entire switch. After the limit of 16,384 clients is reached, no additional authentication clients are allowed on any port for any method.
Specifies base address
Syntax:
Aruba 2930M/F | Access Security Guide
95
aaa port-access web-based [dhcp-addr <ip-address/mask>] Specifies the base address/mask for the temporary IP pool used by DHCP. The base address can be any valid IP address (not a multicast address). Valid mask range value is <255.255.240.0 - 255.255.255.0>. (Default: 192.168.0.0/255.255.255.0)
Specifies lease length
Syntax:
aaa port-access web-based [dhcp-lease <5-25>] Specifies the lease length, in seconds, of the temporary IP address issued for Web-Auth login purposes. (Default: 10 seconds)
Specifying the period
Syntax:
aaa port-access web-based <port-list> [logoff-period]<60-9999999>] Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre-authentication state. (Default: 300 seconds)
Specifying the number of authentication attempts
Syntax:
aaa port-access web-based <port-list> [max-requests] <1-10>] Specifies the number of authentication attempts that must time-out before authentication fails. (Default: 2)
Specifying maximum retries
Syntax:
aaa port-access web-based <port-list> [max-retries] <1-10>] Specifies the number of the number of times a client can enter their user name and password before authentication fails. This allows the reentry of the user name and password if necessary. (Default: 3)
Specifying the time period
Syntax:
aaa port-access web-based <port-list> [quiet-period] <1-65535>] Specifies the time period (in seconds) the switch uses before sending an authentication request for a client that failed authentication. (Default: 60 seconds)
Specifying the re-authentication period
Syntax:
aaa port-access web-based <port-list> [reauth-period] <0-9999999>] Specifies the time period, in seconds, the switch enforces on a client to re-authenticate. When set to 0, reauthentication is disabled. (Default: 300 seconds)
Specifying a forced reauthentication
Syntax:
aaa port-access web-based <port-list> [reauthenticate]
96
Aruba 2930M/F | Access Security Guide
Forces a re-authentication of all attached clients on the port.
Specifying the URL
Syntax:
aaa port-access web-based <port-list> [redirect-url <url>] no aaa port-access web-based <port-list> [redirect-url] Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL can be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. Hewlett Packard Enterprise recommends that you provide a redirect URL when using web authentication.
The redirect-url command accepts only the first 103 characters of the allowed 127 characters.
Use the no form of the command to remove a specified redirect URL. (Default: There is no default URL. Browser behavior for authenticated clients can not be acceptable.)
Specifying the timeout
Syntax:
aaa port-access web-based <port-list> [server-timeout <1-300>] Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depending on the current max-requests value, the switch sends a new attempt or ends the authentication session. (Default: 300 seconds) If RADIUS server response is not received and server timeout occurs, a new authentication request is send based on the configuration of max-requests. Default value of max-requests is 3.
Show commands for web-based authentication
show port-access web-based command
Syntax:
show port-access web-based [port-list] Displays the status of all ports or specified ports that are enabled for web-based authentication. The information displayed for each port includes:
n Number of authorized and unauthorized clients. n VLAN ID number of the untagged VLAN used. If the switch supports MAC (untagged) VLANs, MACbased is
displayed to show that multiple untagged VLANs are configured for authentication sessions. n If tagged VLANs (statically configured or RADIUS-assigned) are used (Yes or No.) n If client-specific per-port CoS (Class of Service) values are configured (Yes or No) or the numerical value of the
CoS (802.1p priority) applied to all inbound traffic. For client-specific per-port CoS values, enter the show port-access web-based clients detailed command. n If per-port rate-limiting for inbound traffic is applied (Yes or No) or the percentage value of the port's available bandwidth applied as a rate-limit value. n If RADIUS-assigned ACLs are applied.
Information on ports not enabled for web authentication is not displayed. Example:
Aruba 2930M/F | Access Security Guide
97
switch (config)#show port-access web-based
Port Access Web-Based Status
Auth
Unauth Untagged Tagged Port
% In RADIUS
Port Clients Clients VLAN
VLANs COS
Limit ACL
----- -------- -------- -------- ------ -------- ------ ------
1
1
1
4006
Yes 70000000 100 Yes
2
2
0
MACbased No
Yes
Yes Yes
3
4
0
1
Yes No
No
No
show port-access web-based clients command
Syntax:
show port-access web-based clients [port-list] Displays the session status, name, and address for each web-authenticated client on the switch. The IP address displayed is taken from the DHCP binding table (learned through the DHCP Snooping feature). If DHCP snooping is not enabled on the switch, n/a (not available) is displayed for a client's IP address. If a web-authenticated client uses an IPv6 address, n/a - IPv6 is displayed. If DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table, n/a - no info is displayed. Example:
switch(config)#show port-access web-based clients
Port Access Web-Based Client Status
Port Client Name MAC Address IP Address
Session Status
----- ------------ ------------- --------------- -------------
1
webuser1
0010b5-891a9e 192.192.192.192 Authenticated
1
webuser2
001560-b3ea48 n/a - no info Authenticating
1
webuser3
000000-111111 n/a - IPv6
Authenticating
3
webuser4
000000-111112 n/a
Authenticating
show port-access web-based clients detailed command
Syntax:
show port-access web-based clients <port-list> detailed Displays detailed information on the status of web-based authenticated client sessions on specified switch ports. This syntax shows session status, name, and address for each web-based authenticated client on the switch. The IP address displayed is taken from the DHCP binding table, learned through DHCP snooping. The following can appear if the client's IP address is not available: n/a -- DHCP snooping is not enabled on the switch; n/a is displayed for a client's IP address. n/a-IPv6 -- a web-based authenticated client uses an IPv6 address. n/a-no info -- DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table. Example:
98
Aruba 2930M/F | Access Security Guide
switch(config)#show port-access web-based clients 1 detailed
Port Access Web-Based Client Status Detailed
Client Base Details :
Port
:1
Session Status : authenticated
Username
: webuser1
IP
: n/a
Session Time(sec) : 6
MAC Address
: 0010b5-891a9e
Access Policy Details :
COS Map
: 11111111
In Limit %
Untagged VLAN : 4006
Out Limit %
Tagged VLANs : 1, 3, 5, 6, 334, 2566
RADIUS-ACL List :
deny in udp from any to 10.2.8.233 CNT
Hit Count: 0
permit in udp from any to 10.2.8.233 CNT
Hit Count: 0
deny in tcp from any to 10.2.8.233 CNT
Hit Count: 0
permit in tcp from any to 10.2.8.233 CNT
Hit Count: 0
permit in tcp from any to 0.0.0.0/0 CNT
Hit Count: 0
: 98 : 100
show port-access web-based config command
Syntax:
show port-access web-based config [port-list] Displays the currently configured web-based authentication settings for all switch ports or specified ports, including:
n Temporary DHCP base address and mask. n Support for RADIUS-assigned dynamic VLANs (Yes or No). n Controlled direction setting for transmitting Wake-on-LAN traffic on egress ports. n Authorized and unauthorized VLAN IDs.
If the authorized or unauthorized VLAN ID value is 0, the default VLAN ID is used unless overridden by a RADIUS-assigned value. Example:
switch(config)#show port-access web-based config
Port Access Web-Based Configuration
DHCP Base Address : 192.168.0.0 DHCP Subnet Mask : 255.255.255.0 DHCP Lease Length : 10 Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Access Denied Message : System Default
Client Client Logoff Re-Auth Unauth Auth
Cntrl
Port Enabled Limit Moves Period Period VLAN ID VLAN ID Dir
----- -------- ------ ------ ------- ------- -------- -------- -----
1
Yes
1
No
300
0
0
0
both
Aruba 2930M/F | Access Security Guide
99
2
Yes
1
No
300
0
0
0
in
show port-access web-based config detailed command
Syntax:
show port-access web-based config <port-list> detailed Displays more detailed information on the currently configured web-based authentication settings for specified ports. Example:
switch(config)#show port-access web-based config 1 detailed
Port Access Web-Based Detailed Configuration
Port
:1
Client Limit : 1
Logoff Period : 300
Web-based enabled : Yes
Client Moves
: No
Re-Auth Period : 0
Unauth VLAN ID : 0
Auth VLAN ID
:0
Max Requests : 3 Server Timeout : 30
Quiet Period
: 60
Max Retries : 3 Redirect URL :
SSL Enabled
: No
show port-access web-based config auth-server command
Syntax:
show port-access web-based config [port-list] auth-server Displays the currently configured web authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as:
n Timeout waiting period. n Number of timeouts supported before authentication login fails. n Length of time (quiet period) supported between authentication login attempts.
Example: switch (config)#show port-access web-based config auth-server
Port Access Web-Based Configuration
Client Client Logoff Re-Auth Max Quiet Server
Port Enabled Limit Moves Period Period Req Period Timeout
----- -------- ------ ------ ------- -------- ---- ------- --------
1
Yes
1
No
300
0
3 60
30
2
No
1
No
300
0
3 60
30
...
show port-access web-based config web-server command
100
Aruba 2930M/F | Access Security Guide
Syntax:
show port-access web-based config [port-list] web-server Displays the currently configured Web Authentication settings for all ports or specified ports, including webspecific settings for password retries, SSL login status, and a redirect URL, if specified.
Configuring MAC authentication
Preparation for configuring MAC authentication
Before you configure MAC authentication:
Procedure
1. Configure a local username and password on the switch. 2. Ensure that the VLANs are configured on the switch and that the appropriate port assignments have been
made if you plan to use multiple VLANs with MAC authentication. 3. Ping the switch console interface to ensure that the switch is able to communicate with the RADIUS
server you are configuring to support MAC authentication. 4. Configure the switch with the correct IP address and encryption key to access the RADIUS server. 5. Configure the switch for MAC authentication with the ports you will be using. 6. Test both the authorized and unauthorized access to your system to ensure that MAC authentication
works properly on the ports you have chosen to configure for port-access.
Configuration commands for MAC authentication
Configuring the global MAC authentication password
MAC authentication requires that only a single entry containing the username and password is placed in the user database with the device's MAC address. This creates an opportunity for malicious device spoofing. The global password option configures a common MAC authentication password to use for all MAC authentications sent to the RADIUS server. This makes spoofing more difficult.
It is important that when implementing the global MAC authentication password option, that the user database on the RADIUS server has this password as the password for each device performing MAC authentication.
Syntax: aaa port-access mac-based password <password-value> no aaa port-access mac-based password <password-value>
Specifies the global password to be used by all MAC authenticating devices.
The no form of the command disables the feature.
Configuring a global MAC authentication password
switch(config)#aaa port-access mac-based password secretMAC1
switch(config)#show port-access mac-based config
Port Access MAC-Based Configuration
MAC Address Format : no-delimiter
Password
: secretMAC1
Unauth Redirect Configuration URL :
Aruba 2930M/F | Access Security Guide
101
Unauth Redirect Client Timeout (sec) : 1800 Unauth Redirect Restrictive Filter : Disabled Total Unauth Redirect Client Count : 0
Client Client Logoff Re-Auth Unauth Auth Cntrl
Port Enabled Limit Moves Period Period VLAN ID VLAN ID Dir
----- ------- ------ ------ ------- ------- ------- ------- -----
1
No
1
No
300
0
0
0
both
2
No
1
No
300
0
0
0
both
3
No
1
No
300
0
0
0
both
4
No
1
No
300
0
0
0
both
5
No
1
No
300
0
0
0
both
6
No
1
No
300
0
0
0
both
7
No
1
No
300
0
0
0
both
8
No
1
No
300
0
0
0
both
The password value will display in an exported config file when include-credentials is enabled.
Configuring a MAC Address Format for Username
Syntax:
aaa port-access mac-based addr-format <no-delimiter|single-dash|multi-dash|multi-colon| nodelimiter-uppercase|single-dash-uppercase| multi-dash-uppercase|multi-colon-uppercase> Specifies the MAC address format of the username used in the RADIUS request message. This format must match the format used to store the MAC addresses in the RADIUS server. Default: no-delimiter no-delimiter: specifies an aabbccddeeff format. single-dash: specifies an aabbcc-ddeeff format. multi-dash: specifies an aa-bb-cc-dd-ee-ff format. multi-colon: specifies an aa:bb:cc:dd:ee:ff format. no-delimiter-uppercase: specifies an AABBCCDDEEFF format. single-dash-uppercase: specifies an AABBCC-DDEEFF format multi-dash-uppercase: specifies an AA-BB-CC-DD-EE-FF format multi-colon-uppercase: specifies an AA:BB:CC:DD:EE:FF format.
Configuring a MAC Address Format for Calling and Called Station IDs
Syntax
aaa port-access station-id addr-format multi-dash-uppercase no aaa port-access station-id addr-format multi-dash-uppercase Specifies that the MAC address is in upper case with octet values separated by multi-dash in the Calling Station ID and Called Station ID of the RADIUS access request message. multi-dash-uppercase: specifies an AA-BB-CC-DD-EE-FF format The no form of the command changes the MAC address format to lower case.
Creating a custom delimiter for a MAC address
A custom MAC delimiter can be configured which instructs all switches to accept MAC addresses only in the specified format.
102
Aruba 2930M/F | Access Security Guide
mac-delimiter
Syntax
mac-delimiter {default | colon | hyphen | oui-nic | none} no mac-delimiter {colon | hyphen | oui-nic}
Description
Configures a custom delimiter for all MAC address. The no form of the command returns the MAC delimiter to its default which is to use no delimiter, displaying MAC addresses as XXXXXXXXXXXX.
Command context
config
Parameters
default MAC will be in traditional PVOS style which is XXXXXXXXXXXX. colon Specifies the MAC delimiter format as XX:XX:XX:XX:XX:XX. hyphen Specifies the MAC delimiter format as XX-XX-XX-XX-XX-XX. oui-nic Specifies the MAC delimiter format as XXXXXX-XXXXXX. none Specifies the MAC address without a delimiter.
Usage
n The MAC address is case insensitive. The format of the MAC delimiter can be accepted in lowercase, upper case, or mixed case.
n Use the show running-config command to display the MAC address in the configured format.
Examples
By using the command mac-delimiter hyphen, the MAC delimiter is now configured as hyphen. To verify the change to MAC delimiter, use show mac-address.
switch(config)# mac-delimiter hyphen
switch(config)# show mac-address Status and Counters - Port Address Table MAC Address Port VLAN ----------------- ------------------------------- ---68-b5-99-a2-91-80 1 1 68-b5-99-a2-91-98 1 1
By using the command mac-delimiter colon, the MAC delimiter is now configured as colon. To verify the change to MAC delimiter, use show mac-address.
Aruba 2930M/F | Access Security Guide
103
switch(config)# mac-delimiter colon
switch(config)# show mac-address Status and Counters - Port Address Table MAC Address Port VLAN ----------------- ------------------------------- ---68:b5:99:a2:91:80 1 1 68:b5:99:a2:91:98 1 1
By using the command mac-delimiter oui-nic, the MAC delimiter is now configured with one hyphen (XXXXXX-XXXXXX). To verify the change to MAC delimiter, use show mac-address.
switch(config)# mac-delimiter oui-nic
switch(config)# show mac-address Status and Counters - Port Address Table MAC Address Port VLAN ----------------- ------------------------------- ---68b599-a29180 1 1 68b599-a29198 1 1
By using the command mac-delimiter default, the MAC delimiter configuration is set to default. To verify the change to MAC delimiter, use show mac-address.
switch(config)# mac-delimiter default
switch(config)# show mac-address Status and Counters - Port Address Table MAC Address Port VLAN ----------------- ------------------------------- ---68b599a29180 1 1 68b599a29198 1 1
By using the command mac-delimiter none, the MAC delimiter configuration is set to default. To verify the change to MAC delimiter, use show mac-address.
switch(config)# mac-delimiter none
switch(config)# show mac-address Status and Counters - Port Address Table MAC Address Port VLAN ----------------- ------------------------------- ---68b599-a29180 1 1 68b599-a29198 1 1 <<<< Set to default
Configuring other MAC-based commands
Enabling/disabling MAC authentication
Syntax:
aaa port-access mac-based <port-list> no aaa port-access mac-based <port-list> Enables MAC authentication on specified ports. Use the no form of the command to disable MAC authentication on specified ports.
Enabling/disabling MAC-based VLAN authentication
Syntax
aaa port-access <port-list> mbv < enable | disable >
104
Aruba 2930M/F | Access Security Guide
Enables or disables MAC authentication on specified ports.
Specifying the maximum number of authenticated MACs allowed on a port
Syntax:
aaa port-access mac-based <port-list> [addr-limit <1-256>] Specifies the maximum number of authenticated MACs to allow on the port. Default: 1 The limit of 256 clients only applies when there are fewer than 16,384 authentication clients on the entire switch. After the limit of 16,384 clients is reached, no additional authentication clients are allowed on any port for any method.
Allowing addresses to move without re-authentication
Syntax:
aaa port-access mac-based <port-list> [addr-moves] no aaa port-access mac-based <port-list> [addr-moves] Allows client moves between the specified ports under MAC authenticated control. When enabled, the switch allows addresses to move without requiring a re-authentication. When disabled, the switch does not allow moves and when one occurs, the user will be forced to re-authenticate. At least two ports (from ports and to ports) must be specified. Use the no form of the command to disable MAC address moves between ports under MAC authenticated control. Default: Disabled no moves allowed
Specifying the VLAN for an authorized client
Syntax:
aaa port-access mac-based <port-list> [auth-vid <vid>] no aaa port-access mac-based <port-list> [auth-vid] Specifies the VLAN to use for an authorized client. The RADIUS server can override the value (accept response includes avid). If auth-vid is 0, no VLAN changes occur unless the RADIUS server supplies one. Use the no form of the command to set the auth-vid to 0. Default:0
Specifying the time period enforced for implicit logoff
Syntax:
aaa port-access mac-based <port-list> [logoff-period] <60-9999999>] no aaa port-access mac-based <port-list> [logoff-period] <60-9999999>] Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre-authentication state. Default: 300 seconds
Specifying how many authentication attempts can time-out before failure
Syntax:
Aruba 2930M/F | Access Security Guide
105
aaa port-access mac-based <port-list> [max-requests <1-10>] no aaa port-access mac-based <port-list> [max-requests <1-10>] Specifies the number of authentication attempts that must time-out before authentication fails. Default: 2
Specifying how long the switch waits before processing a request from a MAC address that failed authentication
Syntax:
aaa port-access mac-based <port-list> [quiet-period <1-65535>] no aaa port-access mac-based <port-list> [quiet-period <1-65535>] Specifies the time period (in seconds) that the switch waits before processing an authentication request from a MAC address that failed authentication. Default: 60 seconds
Specifying time period enforced on a client to re-authenticate
Syntax:
aaa port-access mac-based <port-list> [reauth-period <0-9999999>] no aaa port-access mac-based <port-list> [reauth-period <0-9999999>] Specifies the time period (in seconds) that the switch enforces on a client to re-authenticate. The client remains authenticated while the re-authentication occurs. When set to 0, re-authentication is disabled. Default: 300 seconds
Forcing re-authentication of clients
Syntax:
aaa port-access mac-based <port-list> [reauthenticate] no aaa port-access mac-based <port-list> [reauthenticate] Forces a re-authentication of all attached clients on the port.
Specifying how long the switch waits for a server response
Syntax:
aaa port-access mac-based <port-list> [server-timeout <1-300>] no aaa port-access mac-based <port-list> [server-timeout <1-300>] Specifies the period, in seconds, the switch waits for a server response to an authentication request. If there is no response within the configured time frame, the switch assumes that the authentication attempt has timed out. Depending on the current max-requests value, the switch sends a new request or ends the authentication session. Default: 300 seconds If RADIUS server response is not received and server timeout occurs, a new authentication request is send based on the configuration of max-requests. Default value of max-requests is 3.
Setting the period of time the switch waits before moving the port to the VLAN for unauthenticated clients
Syntax:
aaa port-access mac-based <port-list> [unauth-period] Sets the period of time the switch waits before moving the port to the VLAN for unauthenticated clients.
106
Aruba 2930M/F | Access Security Guide
Specifying the VLAN to use when authentication fails
Syntax
aaa port-access mac-based [e] <port-list> [ unauth-vid <vid> ] no aaa port-access mac-based [e] <port-list> [unauth-vid <vid>] aaa port-access mac-based [e] <port-list> [ unauth-vid] no aaa port-access mac-based [e] <port-list> [ unauth-vid ] Specifies the VLAN to use for a client that fails authentication. If unauth-vid syntax is 0, no VLAN changes occur. Use the no form of the command for setting the unauth-vid to 0. Default: 0
Configuring custom messages for failed logins
This feature allows administrators to configure custom messages that are displayed when authentication with the RADIUS server fails. The messages are appended to existing internal web pages that display during the authentication process. Messages can be configured using the CLI, or centrally using the RADIUS server, and can provide a description of the reason for a failure as well as possible steps to take to resolve the authentication issue. There is no change to the current web-based authentication functionality.
Syntax:
aaa port-access web-based access-denied-message <<access-denied-str>|radius-response> no aaa port-access web-based access-denied-message <<access-denied-str>|radius-response> Specifies the text message (ASCII string) shown on the web page after an unsuccessful login attempt. The message must be enclosed in quotes. The no form of the command means that no message is displayed upon failure to authenticate. Default: The internal web page is used. No message will be displayed upon authentication failure. access-denied-str: The text message that is appended to the end of the web page when there is an unsuccessful authentication request. The string can be up to 250 ASCII characters. radius-response: Use the text message provided in the RADIUS server response to the authentication request.
Configuring an access denied message on the switch
switch(config)#aaa port-access web-based access-denied-message "Please contact your system administrator to obtain authentication privileges."
Output showing the custom access denied message
switch(config)#show port-access web-based config
Port Access Web-based Configuration
DHCP Base Address
: 192.168.0.0
DHCP Subnet Mask
: 255.255.248.0
DHCP Lease Length
: 10 seconds
Allow RADIUS-assigned dynamic (GVRP) VLANs[No]: Yes
Access Denied Message : Custom:
Please contact your system administrator to obtain authentication
privileges.
|
Client Client Logoff Re-auth Unauth Auth Ctrl
Port | Enabled Limit Moves Period Period VLAN ID VLAN ID Dir
---- + ------- ------- ------- --------- --------- ------- ------- -----
1 | Yes
1
No
300
60
1
2
both
Aruba 2930M/F | Access Security Guide
107
2 | Yes
18
No
999999999 999999999 0
0
both
3 | Yes
22
No
999999999 999999999 4096 4096 both
Access denied message when radius-response is configured
switch(config)#show port-access web-based config
Port Access Web-based Configuration
DHCP Base Address
: 192.168.0.0
DHCP Subnet Mask
: 255.255.248.0
DHCP Lease Length
: 10 seconds
Allow RADIUS-assigned dynamic (GVRP) VLANs[No]: Yes
Access Denied Message : Retrieved from Radius
|
Client Client Logoff Re-auth Unauth Auth Ctrl
Port | Enabled Limit Moves Period Period VLAN ID VLAN ID Dir
---- + ------- ------- ------- --------- --------- ------- ------- -----
1 | Yes
1
No
300
60
1
2
both
2 | Yes
18
No
300
999999999 0
0
both
3 | Yes
22
No
300
999999999 4096 4096 both
Unauthenticated clients can be assigned to a specific static, untagged VLAN (unauth-vid), to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients, the port is blocked and no network access is available.
Web page display of access denied message
Example of webpage when unauth-vid is configured
Example of webpage when unauth-vid is not configured
The show running-config command displays the client information, including the configured access denied message. Running configuration output displaying access denied message
switch(config)#show running-config Running configuration:
; Configuration Editor; Created on release #XX.15.XX
hostname "Switch" web-management ssl
108
Aruba 2930M/F | Access Security Guide
qos dscp-map 000000 priority 0 vlan 1
name "DEFAULT_VLAN" untagged 1-14,19-24 ip address dhcp-bootp no untagged 15-18 exit vlan 100 name "auth-vid" untagged 15-18 ip address dhcp-bootp exit radius-server host 10.0.13.118 key 'secret' aaa authentication port-access eap-radius snmp-server community "public" Unrestricted aaa port-access web-based 5 aaa port-access web-based 5 auth-vid 100 aaa port-access web-based 5 unauth-vid 1 aaa port-access web-based dhcp-addr 172.18.0.0 255.255.255.0 aaa port-access web-based access-denied-message "Please contact your system administrator to obtain authentication privileges." 1
n Access denied message
Running configuration output when RADIUS response is configured
switch(config)#show running-config
Running configuration:
; J9627A Configuration Editor; Created on release #XX.15.XX
hostname "Switch" web-management ssl qos dscp-map 000000 priority 0 vlan 1
name "DEFAULT_VLAN" untagged 1-14,19-24 ip address dhcp-bootp no untagged 15-18 exit vlan 100 name "auth-vid" untagged 15-18 ip address dhcp-bootp exit radius-server host 10.0.13.118 key 'secret' aaa authentication port-access eap-radius snmp-server community "public" Unrestricted aaa port-access web-based 5 aaa port-access web-based 5 auth-vid 100 aaa port-access web-based 5 unauth-vid 1 aaa port-access web-based dhcp-addr 172.18.0.0 255.255.255.0 aaa port-access web-based access-denied-message radius-response 2
n RADIUS response
1Access denied message 2RADIUS response
Aruba 2930M/F | Access Security Guide
109
Viewing the show commands for MAC authentication
Syntax:
show port-access mac-based [port-list] Displays the status of all ports or specified ports that are enabled for MAC authentication. The information displayed for each port includes:
n Number of authorized and unauthorized clients. n VLAN ID number of the untagged VLAN used. If the switch supports MAC (untagged) VLANs, MACbased is
displayed to show that multiple untagged VLANs are configured for authentication sessions. n If tagged VLANs (statically configured or RADIUS-assigned) are used (Yes or No.)
n If client-specific per-port CoS (Class of Service) values are configured (Yes or No) or the numerical value of the CoS (802.1p priority) applied to all inbound traffic. For client-specific per-port CoS values, enter the show port-access web-based clients detailed command.
n If per-port rate-limiting for inbound traffic is applied (Yes or No) or the percentage value of the port's available bandwidth applied as a rate-limit value.
n If RADIUS-assigned ACLs are applied.
Information on ports not enabled for MAC authentication is not displayed.
Output for the show port-access mac-based command
switch(config)#show port-access mac-based Port Access MAC-Based Status
Auth Unauth Untagged Tagged Port
% In RADIUS Cntl
Port Clients Clients VLAN
VLANs COS
Limit ACL Dir
---- ------- ------- -------- ------ -------- ------ ------ ------
11
1
2003
Yes 70000000 100 Yes both
22
0
MACbased No
Yes
Yes Yes both
34
0
1
Yes No
No
No
both
Viewing session information for MAC authenticated clients on a switch
Syntax:
show port-access mac-based clients [port-list] Displays the session status, name, and address for each MAC authenticated client on the switch. The IP address displayed is taken from the DHCP binding table (learned through the DHCP Snooping feature). If DHCP snooping is not enabled on the switch, n/a (not available) is displayed for a client's IP address. If a MAC-authenticated client uses an IPv6 address, n/a - IPv6 is displayed. If DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table, n/a- no info is displayed.
Output for the show port-access mac-based clients command
switch(config)# show port-access mac-based clients
Port Access MAC-Based Client Status
110
Aruba 2930M/F | Access Security Guide
Port MAC Address IP Address
Session Status
---- ------------- --------------------------------------- -------------
1 001321-eb8063 2001:fecd:ba23:cd1f:dcb1:1010:9234:4088 unauthenticated
1 000000-111112 192.192.192.192
authenticated
2 000000-111111 n/a
authenticating
Output for the show port-access mac-based clients command with a specific port
switch(config)#show port-access mac-based clients 2 Port Access MAC-Based Client Status
Port MAC Address IP Address
Mode Client Status
----- ------------- -------------------------------- ---- -------------
2
000000-000010 n/a
User authenticated
2
000000-000100 n/a
User authenticated
2
000000-000200 n/a
User authenticated
2
000000-000300 n/a
User authenticated
2
000000-000400 n/a
User authenticated
2
000000-000500 n/a
User authenticated
2
000000-000600 n/a
User authenticated
2
000000-000700 n/a
User authenticated
2
000000-000800 n/a
User authenticated
2
000000-000900 n/a
User authenticated
2
000000-000a00 n/a
User authenticated
2
000000-000b00 n/a
User authenticated
2
000000-000c00 n/a
User authenticated
2
000000-000d00 n/a
User authenticated
2
000000-000e00 n/a
User authenticated
2
000000-000f00 n/a
User authenticated
2
000000-001000 n/a
User authenticated
2
000000-001100 n/a
User authenticated
2
000000-001200 n/a
User authenticated
2
000000-001300 n/a
User authenticated
2
000000-001400 n/a
User authenticated
2
000000-001500 n/a
User authenticated
2
000000-001600 n/a
User authenticated
2
000000-001700 n/a
User authenticated
2
000000-001800 n/a
User authenticated
2
000000-001900 n/a
User authenticated
Viewing detail on status of MAC authenticated client sessions
Syntax:
show port-access mac-based clients <port-list> detailed Displays detailed information on the status of MAC authenticated client sessions on specified ports. This syntax shows session status, name, and address for each web-based authenticated client on the switch. The IP address displayed is taken from the DHCP binding table, learned through DHCP snooping. The following can appear if the client's IP address is not available: n/a -- DHCP snooping is not enabled on the switch; n/a is displayed for a client's IP address. n/a-IPv6 -- a web-based authenticated client uses an IPv6 address. n/a-no info -- DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table.
Output for the show port-access mac-based clients detailed command
switch(config)#show port-access mac-based clients 1 detailed
Port Access MAC-Based Client Status Detailed
Aruba 2930M/F | Access Security Guide
111
Client Base Details :
Port
:1
Session Status : authenticated
Username
: client1
IP
: n/a
Session Time(sec) : 6
MAC Address
: 0010b5-891a9e
Access Policy Details :
COS Map
: 12345678
In Limit % : 98
Untagged VLAN : 4006
Out Limit % : 100
Tagged VLANs : 1, 3, 5, 6, 334, 4001
RADIUS-ACL List :
deny in udp from any to 10.2.8.233 CNT
Hit Count: 0
permit in udp from any to 10.2.8.233 CNT
Hit Count: 0
deny in tcp from any to 10.2.8.233 CNT
Hit Count: 0
permit in tcp from any to 10.2.8.233 CNT
Hit Count: 0
permit in tcp from
Output for the show port-access mac-based clients command with a specific port (detailed)
switch(config)#show port-access mac-based clients 2 detailed
Port Access MAC-Based Client Status Detailed
Client Base Details : Port : 2 Client Status : authenticated MAC Address : 000000-000010 IP : n/a
Session Time : 65 seconds Session Timeout : 0 seconds
Access Policy Details : COS Map : Not Defined Untagged VLAN : 1 Tagged VLANs : No Tagged VLANs Port Mode : 1000FDx RADIUS ACL List : permit in ip from any to 10.10.10.20
In Limit Kbps : Not Set Out Limit Kbps : Not Set
Auth Mode : User-based
Client Base Details : Port : 2 Client Status : authenticated MAC Address : 000000-000100 IP : n/a
Session Time : 64 seconds Session Timeout : 0 seconds
Access Policy Details : COS Map : Not Defined Untagged VLAN : 1 Tagged VLANs : No Tagged VLANs Port Mode : 1000FDx RADIUS ACL List : permit in ip from any to 10.10.10.20
In Limit Kbps : Not Set Out Limit Kbps : Not Set
Auth Mode : User-based
Client Base Details : Port : 2 Client Status : authenticated MAC Address : 000000-000200 IP : n/a
Session Time : 65 seconds Session Timeout : 0 seconds
Access Policy Details :
112
Aruba 2930M/F | Access Security Guide
COS Map : Not Defined Untagged VLAN : 1 Tagged VLANs : No Tagged VLANs Port Mode : 1000FDx RADIUS ACL List : permit in ip from any to 10.10.10.20 ...
In Limit Kbps : Not Set Out Limit Kbps : Not Set
Auth Mode : User-based
Viewing MAC authentication settings on ports
Syntax:
show port-access mac-based config [port-list] Displays the currently configured MAC authentication settings for all switch ports or specified ports, including:
n MAC address format n Support for RADIUS-assigned dynamic VLANs (Yes or No) n Controlled direction setting for transmitting Wake-on-LAN traffic on egress ports n Authorized and unauthorized VLAN IDs
If the authorized or unauthorized VLAN ID value is 0, the default VLAN ID is used unless overridden by a RADIUS-assigned value.
Output for the show port-access mac-based Configuration command
switch(config)#show port-access mac-based config Port Access MAC-Based Configuration
MAC Address Format : no-delimiter Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Client Client Logoff Re-Auth Unauth Auth Cntrl
Port Enabled Limit Moves Period Period VLAN ID VLAN ID Dir
----- -------- ------ ------ ------ ------- -------- ------- ----
1
No
1
No
300 0
0
0
both
2
Yes
1
No
300 0
0
0
in
Viewing details of MAC Authentication settings on ports
Syntax:
show port-access mac-based config <port-list> detailed Displays more detailed information on the currently configured MAC authentication settings for specified ports.
Output for the show port-access mac-based config detail command
switch(config)#show port-access mac-based config 1 detailed Port Access MAC-Based Detailed Configuration
Port
:1
Client Limit : 1
Logoff Period : 300
Web-based enabled : Yes
Client Moves
: No
Re-Auth Period : 0
Unauth VLAN ID : 0
Auth VLAN ID
:0
Aruba 2930M/F | Access Security Guide
113
Max Requests : 3 Server Timeout : 30
Quiet Period
: 60
Viewing MAC Authentication settings including RADIUS server-specific
Syntax:
show port-access mac-based config [port-list] auth-server Displays the currently configured web authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as:
n Timeout waiting period. n Number of timeouts supported before authentication login fails. n Length of time (quiet period) supported between authentication login attempts.
Output for the show port-access mac-based config auth-server command
switch(config)#show port-access mac-based config auth-server
Port Access MAC-Based Configuration
Client Client Logoff Re-Auth Max Quiet Server
Port Enabled Limit Moves Period Period Req Period Timeout
----- ------- ------ ------ ------- -------- ---- ------- --------
1
No
1
No
300
0
3 60
30
2
No
1
No
300
0
3 60
30
3
Yes
1
No
300
0
3 60
30
...
Client status
The table below shows the possible client status information that can be reported by a web-based or MAC-based `show... clients' command.
Reported status authenticated authenticating rejected-no vlan
rejected-unauth vlan
Available network connection Authorized VLAN Switch only No network access
Unauthorized VLAN only
Possible explanations
Client authenticated. Remains connected until logoff-period or reauth-period expires.
Pending RADIUS request.
n Invalid credentials supplied. n RADIUS Server difficulties. See
log file. n If unauth-vid is specified it cannot
be successfully applied to the port. An authorized client on the port has precedence.
n Invalid credentials supplied. n RADIUS Server difficulties. See
log file.
114
Aruba 2930M/F | Access Security Guide
Reported status timed out-no vlan
timed out-unauth vlan unauthenticated
Available network connection No network access
Unauthorized VLAN only Switch only
Possible explanations
RADIUS request timed out. If unauthvid is specified it cannot be successfully applied to the port. An authorized client on the port has precedence. Credentials resubmitted after quiet-period expires.
RADIUS request timed out. After the quiet-period expires credentials are resubmitted when client generates traffic.
Waiting for user credentials.
Configuring MAC pinning
MAC pinning allows administrators to persist authenticated clients by disabling the logoff period associated with the client. The feature is available for clients that use MAC Auth or Local MAC Authentication. During port-flaps and switch reboot, the pinned authenticated client entries will be de-authenticated until those clients reauthenticate. MAC pinning is disabled by default and can be enabled on a per-port basis or enabled on range of ports. The primary use case for using MAC pinning is for legacy devices such as printers or medical devices that remain silent on the network resulting in de-authentication of those clients.
Restrictions
n This feature is mutually exclusive with port-security learn-mode configurations. Learn-mode can only be set as continuous when MAC pinning is enabled on LMA or MAC-based port. If MAC pinning is enabled, portsecurities learn mode can be set to continuous and port-access.
n MAC pinning is mutually exclusive with port-security learn-mode configurations. When MAC pinning is enabled, port-security learn-mode configurations must be set as continuous.
Configuration use cases
n When a client enables LMA with MAC pinning and 802.1x authentication on a port, the MAC address is pinned. If that client tries to authenticate through the 802.1x authentication method, MAC pinning will not function. When MAC pinning is nonfunctional, the client is de-authenticated from LMA and reauthenticated through 802.1x which takes precedence over LMA authentication. The client must check the concurrent auth with the default logoff period of 300 sec.
n When a client enables LMA with MAC-pinning and MAC-based authentication on a port, the MAC-address is pinned through the LMA authentication. If that same client tries to authentication through MAC-based authentication, the LMA authentication takes precedence. No MAC-based authentication clients will be added and MAC-pinning will stay in effect.
n When a client enables LMA with MAC pinning and 802.1x authentication on a port with a logoff period, the client is authenticated through LMA and the MAC address is pinned. The client is then authenticated through both LMA and 802.1x. Once the 802.1x authentication completes, the client must de-authenticate from LMA. The client then configures the logoff period and checks the concurrent Auth between LMA and Dot1x.
n When LMA with MAC pinning has been enabled on a port and the port is powered down, or power cycles, the client is de-authenticated. When the port is powered up, the client will be reauthenticated when reachable.
Aruba 2930M/F | Access Security Guide
115
n If MAC pinning is disabled on a port, the clients are subjected to log off period behavior when the client is removed from the port.
n The Disconnect-Request message from the RADIUS server is applied to all the clients whose MAC addresses are pinned. The clients will be disconnected as per RFC 3576.
n The reauth-period configuration is applicable for the clients whose MAC addresses are pinned. Upon reauth-period expiry, the client will be reauthenticated. If the reauthentication is successful, then the client continues as authenticated client. If the server is not reachable, or reauthentication fails, then the client is removed from the authenticated client list.
aaa port-access local-mac <PORT-LIST> mac-pin
Syntax
aaa port-access local-mac <PORT-LIST> mac-pin no aaa port-access local-mac <PORT-LIST> mac-pin
Description
Enables MAC pinning configuration on a port or list of ports for LMA-based authentication methods. The no form of this command disables MAC pinning on the port or list or ports.
Command context
config
Parameters
<PORT-LIST> Specifies the port or list of ports that will be configured for MAC pinning.
Examples
MAC pinning configuration:
switch (config)# aaa port-access local-mac 1 aaa port-access mac-based 2-9 aaa port-access mac-based 2-9 mac-pin aaa port-access local-mac 1 mac-pin
aaa port-access mac-based <PORT-LIST> mac-pin
Syntax
aaa port-access mac-based <PORT-LIST> mac-pin no aaa port-access mac-based <PORT-LIST> mac-pin
Description
Enables MAC pinning on a port or list of ports for MAC based authentication methods. The no form of this command disables MAC pinning on a port or list of ports for MAC based authentication methods.
Command context
config
Parameters
116
Aruba 2930M/F | Access Security Guide
<PORT-LIST>
Specifies the port or list of ports that will be configured for MAC pinning.
Examples
Configuration of MAC pinning for MAC based authentication.
switch (config) # aaa port-access mac-based 1 aaa port-access mac-based 1 mac-pin aaa port-access mac-based 2-9 aaa port-access mac-based 2-9 mac-pin
Using MAC pinning in User Roles
Instead of using MAC pinning on a per-port basis which limits where the devices are added, a colorless port configuration is achieved by configuring MAC pinning in local, or downloadable user roles. By adding MAC Pinning to user roles, the same port can have a client whose MAC never ages out (as long as the link is up), and other clients whose MACs are not pinned to the MAC table.
To enable MAC Pinning in User Roles, set the logoff-period to zero seconds instead of executing the mac-pin CLI. The following example shows the configuration of a printer user role by setting logoff-period to zero:
switch(config)# show user-role PRINTER
User Role Information
Name
: PRINTER
Type
: local
Reauthentication Period (seconds) : 0
Logoff Period (seconds)
:0
Untagged VLAN
:1
Tagged VLAN
:
Captive Portal Profile
:
Policy
:
Tunnelednode Server Redirect
: Disabled
Secondary Role Name
:
Aruba 2930M/F | Access Security Guide
117
Chapter 6 Captive Portal for ClearPass
Captive Portal for ClearPass
The Captive Portal feature allows the support of the ClearPass Policy Manager into the AOS-S product line. The switch provides configuration to allow you to enable or disable the Captive Portal feature. By default, Captive Portal is disabled to avoid impacting existing installations as this feature is mutually exclusive with the following web-based authentication mechanisms: Web Authentication, EWA, MAFR, and BYOD Redirect. Captive Portal is user-based, rather than port or VLAN-based, therefore the configuration is on a switch global basis. AOS-S supports the following authentication types on the switch with RADIUS for Captive Portal:
n Media Access Control (MAC) n 802.1X
Once you enable Captive Portal, the redirect functionality is triggered only if a redirect URL attribute is provided as part of the RADIUS Access-Accept response from an authentication request of type 802.1X or MAC. The redirect enables the client to self-register or directly login with valid credentials via the ClearPass. Upon subsequent reauthentication, it provides access to the network per the ClearPass configured policies that are communicated via the RADIUS attributes. The redirect feature offers:
n Client self-registration n Client direct login with valid credentials via ClearPass Captive Portal n On-boarding n Ability to quarantine devices to remedy their status
Requirements
The requirements to enable the Password Complexity feature are as follows:
n The manager's password must be configured. It can be done using the password manager command. n The minimum length of the password must be set to a value greater than or equal to the sum-of-compositions
value. Since the sum of the default value of compositions is 8, the minimum length of the password must be at least 8. This can be set using the password minimum-length command. n The WebUI and REST interface must be disabled. Only the CLI can be used to configure the password.
The requirements to configure the password are as follows:
n Password consists of a minimum of eight characters using at least two characters from each of the four character sets: uppercase letters, lowercase letters, numbers, and special characters.
n Password cannot be the same value or the reverse form of the associated user ID. n Password cannot have three consecutive identical characters. n Password cannot be empty. n The new password must differ from the old password by at least four characters.
Aruba 2930M/F | Access Security Guide
118
Best Practices
n Use the Port Bounce VSA via a CoA message, instead of the Disconnect message, to cause the second RADIUS authentication to occur during the Captive Portal exchange. This is the more reliable method for forcing a re-DHCP for the client.
n Configure Captive Portal such that the first ACCESS_ACCEPT returns a rate limit VSA to reduce the risk of DoS attacks. This configuration enables rate limiting for the HTTP/HTTPS ACL for traffic sent to ClearPass.
n Do not use the keyword cpy in any other NAS-Filter-Rules. The keyword cpy in the enforcement profile attributes is specific to ClearPass use. It is only supported with the deny attribute. If you configure the cpy keyword to permit, no ACL will be applied.
Limitations
n This feature is not supported on SNMP, REST, and next Gen UI. n You cannot edit netservices. n Configuration backup and restore are not supported by netedit-update command. n When net edit is in progress, ctrl+c is disabled. n netedit-update command is not a part of the AirWave template.
Features
High Availability
Captive Portal includes support for High Availability (HA). The Captive Portal configurations (such as enablement, authenticated clients, and redirect URLs) are replicated to standby or other members. If the feature is enabled and a failover occurs, clients in the process of onboarding are still redirected to Captive Portal, and authenticated clients continue to have the same access to the network. Clients that are in the process of authenticating via MAC or 802.1X authentication will not be replicated to the standby. Replication of client data is only done when MAC or 802.1X authentication has resulted in a successful authentication.
Load balancing and redundancy
The following options are available to create load balancing and provide redundancy for ClearPass:
n Virtual IP use for a ClearPass server cluster n ClearPass servers configured in the switch RADIUS server group n External load balancer
Captive Portal when disabled
By default, Captive Portal is disabled. If the Captive Portal feature is disabled and the switch receives a redirect URL attribute from the RADIUS server as part of the Access-Accept, it will view the redirect as an error. The authentication success will be overridden, the session will be flushed, and the switch will send the Accounting Start and Accounting Stop messages to indicate the client is no longer authenticated.
119
Aruba 2930M/F | Access Security Guide
The Captive Portal feature may be disabled while there are in flight authentication requests. These are authentication sessions that have not finished the final authentication with the switch. The switch flushes all sessions with a redirect URL associated with them when Captive Portal is disabled. Fully authenticated sessions are not impacted when Captive Portal is disabled. If ClearPass deems these sessions to be invalid, a RADIUS Disconnect can be sent to flush all these sessions.
Disabling Captive Portal
To disable Captive Portal, enter one of the following: switch(config)# aaa authentication captive-portal disable
switch(config)# no aaa authentication captive-portal enable
Configuring Captive Portal on ClearPass
Import the HPE RADIUS dictionary
For ClearPass versions 6.5.*, you must update the HPE RADIUS dictionary. To import the dictionary in ClearPass, follow these steps:
Procedure
1. Go to Administration -> Dictionaries -> RADIUS and click Import. 2. Select the XML HPE RADIUS Dictionary from your Hard Drive. 3. Click Import.
Create enforcement profiles
Create the Bounce Host-Port profile and the Guest Login profile only if they do not already exist.
For the Bounce Host-Port profile, configure Captive Portal so that the RADIUS CoA message that includes the Port Bounce VSA is sent to force the second RADIUS re-authentication after the user registers their device and makes it known.
Procedure
1. In ClearPass, go to Configuration -> Enforcement -> Profiles 2. Click Add. 3. Enter the Profile Name: HPE Bounce Host-Port 4. Enter the Description: Custom-defined profile to bounce host port (HPE). 5. Select the type RADIUS_CoA. 6. Select the action CoA. 7. Add all of the attributes required for a CoA message, and specify the port bounce duration (valid values are
between 0 and 60). This is the amount of time in seconds the port will be held in the down state. The recommended setting is 12 seconds.
Aruba 2930M/F | Access Security Guide
120
8. Repeat Step 2 to Step 6 to configure the Guest Login profile that will be sent as part of the first RADIUS Access-Accept and enforce the redirect to the Captive Portal on ClearPass. For this profile, select RADIUS as the type and Accept as the action.
9. Add all of the NAS-Filter-Rule attributes specified below, replacing the IP address in the first two NASFilter-Rule attributes with your ClearPass address. Add the HPE-Captive-Portal-URL attribute to specify the redirect URL, replacing the IP address with your ClearPas address. This will cause the client to be redirected to the Captive Portal on ClearPass. You can add other attributes, such as a VLAN to isolate onboarding clients, or a rate limit to help prevent DoS attacks.
The HPE-Captive-Portal-URL value must be a URL normalized string. The scheme and host must be in lower case, for example http://www.example.com/.
Create a ClearPass guest self-registration
Procedure
1. From the Customize Guest Registration window, select Server-initiated as the Login Method. 2. Optionally, under Security Hash, select the level of checking to apply to the redirect URL.
121
Aruba 2930M/F | Access Security Guide
Configure the login delay
Enter the Login Delay value. The value must be greater than the HPE-Port-Bounce-Host attribute. In this example, we set the login delay value to 20 seconds.
Configuring the switch
Once you have configured Captive Portal, you can configure the switch. To configure the switch, you must first configure the switch as a RADIUS client, then configure the ports that will be used for Captive Portal, as follows:
Procedure
1. Configure the switch as a RADIUS client. In this example, the ClearPass IP address is 10.73.4.136 and secret is the secret key shared with the RADIUS server: a. switch(config)# radius-server host 10.73.4.136 key "secret" b. switch(config)# radius-server host 10.73.4.136 dyn-authorization c. switch(config)# radius-server host 10.73.4.136 time-window 0
Make sure to set your time-window to 0. See Event Timestamp not working on page 124.
2. Configure the ports that will be used for Captive Portal. In this example, the commands enable ports B3-B5 for MAC Authentication:
Aruba 2930M/F | Access Security Guide
122
a. switch(config)# aaa authentication port-access chap-radius b. switch(config)# aaa port-access mac-based B3-B5
3. If you configured the Security Hash to Deny login on validation error in Create a ClearPass guest self-registration on page 121, configure the URL key. See Configure the URL key on page 123.
4. Configure the certificate. See Configuring a certificate for Captive Portal usage on page 123 5. Enable Captive portal:
switch(config)# aaa authentication captive-portal enable
By default, Captive Portal is disabled. Once enabled, you are redirected to the URL supplied via the HPECaptive-Portal-URL VSA. Captive Portal is enabled on a global/switch wide basis.
Configure the URL key
You can optionally configure a URL hash key to provide some security for the Captive Portal exchange with ClearPass. The key is a shared secret between ClearPass and the switch. When configured, the switch generates a HMAC-SHA1 hash of the entire redirect URL, and appends the hash to the URL to be sent to ClearPass as part of the HTTP redirect. If ClearPass is configured to check the hash, it will generate the hash of the URL using its version of the URL hash key and compare against the value provided by the switch. The action taken by ClearPass upon a match or mismatch is determined by what is configured on ClearPass. ClearPass provides the following options:
n Do not check - login will always be permitted n Deny login on validation error - login will not be permitted
The URL hash key is globally configured and will be used for all redirects to Captive Portal. This key is not configured on a per ClearPass or RADIUS server basis. If the key is not specified, the hash is not added to the URL. The URL hash key is an ASCII string with a maximum length of 64 characters. The URL key supports the FIPS certification feature encrypt-credentials and can optionally be encrypted for more robust security. This option is only available when the global encrypt-credentials is enabled. To configure a plain text captive-portal URL key:
switch(config)# aaa authentication captive-portal url-hash-key plaintext <KEY>
To configure an encrypted captive-portal URL key when encrypt-credentials is enabled:
switch(config)# aaa authentication captive-portal url-hash-key encrypted <ENCRYPTED-KEY>
To clear a captive-portal URL key:
switch(config)# no aaa authentication captive-portal url-hash-key
Configuring a certificate for Captive Portal usage
HTTPS support requires the use of a certificate. If a certificate for Captive Portal does not exist, the certificate designated for all use is used instead. To create a certificate signing request for Captive Portal, enter:
switch(config)# crypto pki create-csr certificate-name <cert-name> usage captive-portal
To create a self-signed certificate for Captive Portal, enter:
123
Aruba 2930M/F | Access Security Guide
switch(config)# crypto pki enroll-self-signed certificate-name
Display Captive Portal configuration
To display the Captive Portal configuration settings, enter the show captive-portal command: switch(config)# show captive-portal Captive Portal Configuration Redirection Enabled : Yes URL Hash Key Configured : No
Show certificate information
To view the certificate information, enter: switch(config)# show crypto pki local-certificate
Name
Usage
Expiration Parent/ Profile
-------------------- --------------- -------------- --------------------
cp
Captive Portal 2016/08/14 default
Troubleshooting
Event Timestamp not working
Symptom
The client gets a credentials request on the web browser even though the valid credentials were already provided, or the client is not redirected to the Captive Portal.
Cause
n ClearPass 6.5.x does not support the sending of Event Timestamp in automated workflows (manual via Access Tracker works).
n The switch will reject CoA requests when the time on ClearPass is ahead of the switch time by even a second.
Action
Set the time-window security feature in PVOS to 0: radius-server host<CLEARPASS-IP> time-window 0
Cannot enable Captive Portal
Symptom
When running the aaa authentication captive-portal enable command, getting the following error message:
Captive portal cannot be enabled when BYOD redirect, MAC authentication failure redirect, or web-based authentication are enabled.
Aruba 2930M/F | Access Security Guide
124
Cause
The failure is due to a mutual exclusion restriction.
Action
1. Check which one of the following are enabled: BYOD redirect, MAC authentication failure redirect, or webbased authentication.
2. Disabled the enabled authentication method found in step 1. 3. Run the aaa authentication captive-portal enable command.
Unable to enable feature
One of the following messages is displayed:
n
BYOD redirect cannot be enabled when captive portal is enabled.
n
MAC authentication failure redirect cannot be enabled when captive portal is enabled.
n
Web-based authentication cannot be enabled when captive portal is enabled.
n
V1 compatibility mode cannot be enabled when captive portal is enabled.
Cause
You cannot enable these features when Captive Portal is already enabled. They are mutually exclusive.
Action
You can either disable Captive Portal or avoid enabling these features.
Authenticated user redirected to login page
Symptom
User is redirected back to the login page to submit credentials even after getting fully authenticated.
Solution 1 Cause
The status is not changed to Known.
Action
After the client submits the credentials, the ClearPass service must change the Endpoint Status to Known.
Solution 2 Cause
The cache value is set.
Action
125
Aruba 2930M/F | Access Security Guide
Clear the ClearPass Cache Timeout of the Endpoint Repository.
Unable to configure a URL hash key
Symptom
The following message is displayed: Key exceeds the maximum length of 64 characters.
Cause
The URL hash key is not valid.
Action
Select a key that is 64 or less ASCII text. For example: switch(config)# aaa authentication captive-portal url-hash-key plaintext "8011A89FEAE0234BCCA"
authentication command
Use the following authentication commands to configure ClearPass Captive Portal.
Command
Description
aaa authentication captive-portal enable
Enables redirection to a Captive Portal server for additional client authentication.
aaa authentication captive-portal disable or no aaa authentication captive-portal enable
Disables redirection to a Captive Portal server for additional client authentication.
aaa authentication captive-portal url-hashkey
Configures a hash key used to verify the integrity of the portal URL.
Show command
Use the following show commands to view the various configurations and certificates.
Command show running-config show config show ip show captive-portal
Description Shows the running configuration. Shows the saved configuration. Shows the switch IP addresses. Captive portal configuration.
Aruba 2930M/F | Access Security Guide
126
Command show port-access clients [port] [detailed]
show radius authentication
show radius dyn-authorization show radius accounting show crypto pki local-certificate [summary]
Description
Consolidated client view; the detailed option shows the Access Policy that is applied. The IP address is only displayed if dhcpsnooping is enabled. For the summary view (without the detailed option), only the untagged VLAN is displayed.
Displays NAS identifier and data on the configured RADIUS server and switch interactions with this server.
Statistics for Radius CoA and Disconnect.
Statistics for Radius accounting.
Installed certificates.
Debug command
Use the debug command to help you debug your issues.
Command debug security captive-portal debug security port-access mac-based debug security port-access authenticator debug security radius-server debug destination session debug destination logging debug destination buffer
Description Enables debug logging for the Captive Portal subsystem. Enables debug logging for the MAC-auth sub-system.
Enables debug logging for the 802.1X authenticator sub-system. Enables debug logging for the Radius sub-system.
Prints debug messages to terminal.
Sends debug messages to the syslog server.
Prints debug messages to a buffer in memory.
127
Aruba 2930M/F | Access Security Guide
Chapter 7 Local MAC Authentication
Local MAC Authentication
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
Concepts
LMA solves dynamic assignment of per client (mac-address) attributes without having to create RADIUS infrastructure. It also allows the user to define authentication polices based on the MAC OUI and MAC/mask, which simplifies management of devices by removing the need to create a policy on a per device basis. LMA is an addition to existing client authentication methods. Users can configure multiple authentication methods (802.1X, LMA, Mac auth (radius), web-auth (radius)) on a single port concurrently. When multiple authentication methods are configured on a single port the precedence of authentication methods is (right to left): 802.1X -> LMA -> web auth/Mac auth. This means: n When 802.1X and LMA are enabled on a port, the policy configured for 802.1X takes precedence over LMA. n When LMA and Mac-auth (radius) are enabled on a port, the policy configured for LMA takes precedence over
Mac-auth radius. n When only LMA is enabled on a port, client access is subjected to the LMA profile configuration. LMA supports defining configuration profiles called LMA profiles and mac-groups, which significantly reduce the number of configuration entries during Authentication. There are two types of profiles: n applied a profile applied to a mac-group n provisioned a profile not applied to a group, however the user can use this profile later LMA mac-groups group different types of mac entities - mac-address, mac-mask and mac-oui.
Possible scenarios for deployment
The following are examples of possible scenarios where LMA can be deployed. 1. In the following scenario multiple clients are connected to a hub that is tagged to vlan "A" and untagged to vlan "B". The hub is attached to a switch port that is tagged to vlan "A" and untagged to vlan "B". LMA authenticates clients and upon authentication places them in appropriate VLANs.
Aruba 2930M/F | Access Security Guide
128
2. In the following scenario, a client is daisy-chained to an IP Phone, which is connected to a tagged vlan port on a switch. The client is authenticating across an untagged vlan. When LMA is enabled on a port and the client connected to it fails to authenticate, the client is assigned attributes configured for the switch's unauth feature. If the client is authenticated, the switch overrides existing attributes with LMA attributes.
Show commands
LMA supports the following show commands:
n show mac group information switch#show port-access local-mac mac-group
n show default (factory-shipped) mac-group switch#show port-access local-mac mac-group <mac-group-name>
n show profile information switch#show port-access local-mac profile switch#show port-access local-mac profile provisioned [Note: profiles which are not applied to any mac-group]
n show LMA active clients and applied profiles switch#show port-access local-mac active
n show LMA configuration switch#show port-access local-mac config switch#show port-access local-mac config <port-number> detailed [Note: per port]
n show LMA enabled ports
129
Aruba 2930M/F | Access Security Guide
switch#show port-access local-mac switch#show port-access local-mac <port-number> [Note: per port] n show per port local mac client details switch#show port-access local-mac <port-number> client [detailed]
n show mac-entry and mac-group association switch#show port-access local-mac association
Configuration commands
Per-port attributes
LMA per-port attributes are used to apply attributes for the clients authenticated through LMA profiles. Switches support different per-port values for different authentication methods (802.1X, mac-based and web-based) configured on the same port.
n Configure unauthenticated period switch(config)#aaa port-access local-mac 1 unauth-period 300
n Configure quiet period switch(config)#aaa port-access local-mac 1 quiet-period 70
n Configure logoff period switch(config)#aaa port-access local-mac 1 logoff-period 400
n Configure AuthVid switch(config)#aaa port-access local-mac 1 auth-vid 10
n Configure UnauthVid switch(config)#aaa port-access local-mac 1 unauth-vid 12
n Configure address limit on a port switch(config)#aaa port-access local-mac 1 addr-limit 2
n Re-authenticate clients on a port switch(config)#aaa port-access local-mac 1 reauthenticate
n Unconfigure LMA on a port switch(config)#no aaa port-access local-mac 1
Configuration examples
Configuration example 1
n In this example, a PC is directly connected to a switch. In addition: l The corporate PC MAC is 002622bba7ac, and it should end up in VLAN 2 (Notebook of network administrator) l The rest of the corporate PC series MAC is 00:26:22:bb:* and 00:26:22:bc:*, and it should end up in VLAN 3
l Corporate IP Phones example MAC is 00:80:11:*, and it should end up in VLAN 5 tagged
Aruba 2930M/F | Access Security Guide
130
Configuration example 2
n In this example, PCs are connected to a meeting room 2615 switch series, which is connected to a switch (Local MAC authentication happens here). In addition: l Authentication of the 2615, example MAC is 00:10:80:* and it should end up in VLAN 15 tagged (management traffic) l Corporate PC MAC is: 002622bba7ac, and it should end up in VLAN 2 (Notebook of network administrator) l Rest of the corporate PC Series MAC is: 002622bb* and 00:26:22:bc:*, and it should end up in VLAN 3 l Guest PCs: unknown MAC, and it should end up in Guest VLAN 99 l Corporate IP Phones, example MAC: 00:80:11:*, and it should end up in VLAN 5 tagged l WLAN APs, example MAC: 00:80:12:*, and it should end up in VLAN 10 untagged, 12-14 tagged (10 management, 12-14 SSIDs with local break-out)
For further authentication of any OUIs, predefined in SwitchOS, group default is not allowed.
1. Create 5 LMA profilesThere is no need to create profiles for Guest PCs as you don't know the MACs. Configure unauth-vid (explained in step 3 below) so that such a client fails the authentication and is put into guest VLAN. aaa port-access local-mac profile "corp-switch-prof" vlan tagged 15 (for 2615 switches) aaa port-access local-mac profile "corp-pc-prof" vlan untagged 2 (for corporate PCs) aaa port-access local-mac profile "rest-pc-prof" vlan untagged 3 (for the rest of corporate PCs) aaa port-access local-mac profile "corp-phone-prof" vlan tagged 5 (for corporate ip phones) aaa port-access local-mac profile "wlan-ap-prof" vlan untagged 10 tagged 12-14 (for WLAN APs)
2. Associate MACs to these profiles aaa port-ac local-mac apply profile corp-switch-prof mac-oui 001080 aaa port-ac local-mac apply profile corp-pc-prof mac-addr 002622bba7ac aaa port-ac local-mac apply profile rest-pc-prof mac-mask 002622bb/32 mac-mask 002622bc/32 aaa port-ac local-mac apply profile corp-phone-prof mac-oui 008011 aaa port-ac local-mac apply profile "wlan-ap-prof" mac-oui 008012
3. Configure guest VLAN aaa port-ac local-mac <ports> unauth-vid 99
4. Enable LMA on ports aaa port-ac local-mac <ports>
Configuration using mac-groups
1. Create 3 LMA profiles aaa port-access local-mac profile "corp-pc-prof" vlan untagged 2 (for corporate PCs) aaa port-access local-mac profile "rest-pc-prof" vlan untagged 3 (for the rest of PCs) aaa port-access local-mac profile "corp-phone-prof" vlan tagged 5
131
Aruba 2930M/F | Access Security Guide
(for phones) 2. Create 3 different mac-groups
aaa port-ac local-mac mac-group "corp-pc-grp" mac-addr 002622bba7ac (for corporate PCs) aaa port-ac local-mac mac-group "rest-pc-grp" mac-mask 002622bb/32 002622bc/32 (for the rest of PCs) aaa port-ac local-mac mac-group "corp-phone-grp" mac-oui 008011 (for phones) 3. Associate groups to profiles aaa port-ac local-mac apply profile corp-pc-prof mac-group corp-pc-grp aaa port-ac local-mac apply profile rest-pc-prof mac-group rest-pc-grp aaa port-ac local-mac apply profile corp-phone-prof mac-group corp-phone-grp
4. Enable LMA on ports aaa port-ac local-mac-auth <ports>
Configuration without using mac-groups
1. Create 3 LMA profiles aaa port-access local-mac profile "corp-pc-prof" vlan untagged 2 (for corporate PCs) aaa port-access local-mac profile "rest-pc-prof" vlan untagged 3 (for the rest of PCs) aaa port-access local-mac profile "corp-phone-prof" vlan tagged 5 (for phones)
2. Associate hosts directly to profiles aaa port-ac local-mac apply profile corp-pc-prof mac-addr 002622bba7ac aaa port-ac local-mac apply profile rest-pc-prof mac-mask 002622bb/32 aaa port-ac local-mac apply profile rest-pc-prof mac-mask 002622bc/32 aaa port-ac local-mac apply profile corp-phone-prof mac-oui 008011
3. Enable LMA on ports aaa port-ac local-mac-auth <ports>
Aruba 2930M/F | Access Security Guide
132
Chapter 8 Port-based MAC authentication
Port-based MAC authentication
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
Operating notes
1. All existing devices being authenticated with client-based MAC authentication can still be authenticated as usual, until a device with port-based policy is authenticated.
2. A client being authenticated through MAC authentication with a port-based policy will have the connected authenticator port open to all clients without the need of separate authentication.
3. The enhanced MAC authentication will still be able to coexist with web authentication and 802.1X authentication in switch configuration. However it will introduce new dynamic behavior, as defined below: a. When a client is authenticated by MAC Authentication with port-based policy. i. If 802.1X authentication is in the client-based mode, all 802.1X clients are removed. With MAC Authentication, only the MAC authenticated client will be accepted and the port will be open. ii. If 802.1X is in port-based mode, the port is open to all. The ACCESS-ACCEPT (server) for the MAC Authentication client will be rejected with an expectation that the following packets from the client can go through because the port has been opened by 802.1X.
b. When a client is authenticated as an 802.1X client and the authenticator port has been open by a MAC Authentication client with port-based policy the ACCESS_ACCEPT for the 802.1X client will be rejected appropriately.
c. When Web authentication and MAC authentication coexist on a switch port, the handling of Web Authentication client will follow the cases of 802.1X client-based mode, for example, 3.a.1. and 3.b.
4. The MAC Authentication Client/Address Limits will be adhered to. If the current number of authenticated clients are at the configured port client/address limit, then additional clients are not accepted (exceptions are clients with client-limit port based policy to increase client-limit). This existing design decision is meant to avoid any DoS of our NAC/AAA solution as any additional authentication requests on this port are pointless as the limit has been hit.
5. A new read-only MIB object will be added to query the authentication mode of a MAC authentication client. 6. When a port is in port-based MAC authentication mode, port-security (port-access mode) blocks traffic
from the subsequent users. 7. If a client being MAC authenticated with port-based policy has other assigned policies, (such as NAS-
Filter-Rule, Filter-ID, Bandwidth-Max-Ingress/Egress) the port-based policy is then applied only to this client not for any subsequent clients accessing the port in port-mode.
Aruba 2930M/F | Access Security Guide
133
aaa port-access use-lldp-data
Syntax
aaa port-access use-lldp-data no aaa port-access use-lldp-data
Description
Authenticate clients using information from their LLDP packets
Usage
no aaa port-access use-lldp-data
show port-access config
switch(config)#show port-access config Port Access Status Summary Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Use LLDP data to authenticate [No] : Yes
134
Aruba 2930M/F | Access Security Guide
Chapter 9 TACACS+ Authentication and Accounting
TACACS+ Authentication and Accounting
Definition of terms
Term AAA
NAS
Source IP Identity TACACS+
Definition
Authentication, Authorization, and Accounting services. This is typically provided by a single protocol (For example, RADIUS, TACACS+).
Network Access Server is an industry term for devices that provide authorization services by communicating with AAA server. For example, Aruba switches
Ability to specify the outgoing IP on switch generated packets to ease network service deployment (for example, RADIUS/TACACS+ using a single address to connect to NAS).
Terminal Access Controller Access-Control System
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
TACACS+ authentication process
TACACS+ authentication setup
To test the TACACS+ service before fully implementing it. Depending on the process and parameter settings you use to set up and test TACACS+ authentication in your network, you could accidentally lock all users, including yourself, out of access to a switch. While recovery is simple, it can pose an inconvenience that can be avoided. To prevent an unintentional lockout on the switch, use a procedure that configures and tests TACACS+ protection for one access type (for example, Telnet access), while keeping the other access type (console, in this case) open in case the Telnet access fails due to a configuration problem.
If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see "Troubleshooting TACACS+ Operation" in the Management and Configuration Guide for your switch.
Procedure
1. Familiarize yourself with the requirements for configuring your TACACS+ server application to respond to requests from the switch (see Access Security Guide for more information). To know if you have to configure an encryption key, see Encryption options in the switch on page 156.
Aruba 2930M/F | Access Security Guide
135
2. Determine the following: a. The IP addresses of the TACACS+ servers you want the switch to use for authentication. If you will use more than one server, determine which server is your first-choice for authentication services. b. The encryption key, if any, for allowing the switch to communicate with the server. c. The number of log-in attempts you allow before closing a log-in session. The default is 3. d. The period you want the switch to wait for a reply to an authentication request before trying another server. e. The user name/password pairs you want the TACACS+ server to use for controlling access to the switch. f. The privilege level you want for each user name/password pair administered by the TACACS+ server for controlling access to the switch. g. The user name/password pairs you want to use for local authentication (one pair each for operator and manager levels).
3. Plan and enter the TACACS+ server configuration needed to support TACACS+ operation for Telnet access (login and enable) to the switch. This includes the user name/password sets for logging in at the operator (read-only) privilege level and the sets for logging in at the manager (read/write) privilege level.
When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of "15" as authorization for the manager (read/write) privilege level access. Privilege level codes of 14 and lower result in operator (read-only) access.
4. If you are a first-time user of the TACACS+ service, it is recommended that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment. After a successful deployment of minimum feature set, configure for additional features.
5. Ensure that the switch has the correct local user name and password for manager access. (If the switch cannot find any designated TACACS+ servers, the local manager and operator user name/password pairs are always used as the secondary access control method.)
Ensure that the switch has a local manager password. Otherwise, if authentication through a
TACACS+ server fails for any reason, unauthorized users can access through the console port,
Telnet, SSH, or REST.
6. Using a terminal device connected to the switch console port, configure the switch for TACACS+ authentication only for Telnet login access and Telnet enable access. At this stage, do not configure TACACS+ authentication for console access to the switch, as you may need to use the console for access if the configuration for the Telnet method needs debugging.
7. Ensure that the switch is configured to operate on your network and can communicate with your firstchoice TACACS+ server. At a minimum, this requires IP addressing and a successful ping test from the switch to the server.
136
Aruba 2930M/F | Access Security Guide
8. On a remote terminal device, use Telnet to attempt to access the switch. If the attempt fails, use the console access to check the TACACS+ configuration on the switch. If you make changes in the switch configuration, check Telnet access again. If Telnet access still fails, check the configuration in your TACACS+ server application for mis-configurations or missing data which could affect the server's interoperation with the switch.
9. After your testing shows that Telnet access using the TACACS+ server is working properly, configure your TACACS+ server application for console access. Then test the console access. If access problems occur, check for and correct any problems in the switch configuration, and then test console access again. If problems persist, check your TACACS+ server application for mis-configurations or missing data which could affect the console access.
10. When you are confident that TACACS+ access through both Telnet and the switch console operates properly, use the write memory command to save the switch running-config file to flash.
General authentication process using a TACACS+ server
Authentication through a TACACS+ server operates generally as described below. For specific operating details, see the documentation you received with your TACACS+ server application.
Figure 18 Using a TACACS+ Server for Authentication
After either switch detects an operator's logon request from a remote or directly connected terminal, the following events occur:
Procedure
1. The switch queries the first-choice TACACS+ server for authentication of the request. n If the switch does not receive a response from the first-choice TACACS+ server, it attempts to query a secondary server, second-choice and third-choice. If the switch does not receive a response from any TACACS+ server, then it uses its own local user name/password pairs to authenticate the logon request, see Local authentication process on page 138. n If a TACACS+ server recognizes the switch, it forwards a user name prompt to the requesting terminal via the switch.
2. When the requesting terminal responds to the prompt with a user name, the switch forwards it to the TACACS+ server.
3. After the server receives the user name input, the requesting terminal receives a password prompt from the server via the switch.
Aruba 2930M/F | Access Security Guide
137
4. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs:
a. If the user name/password pair received from the requesting terminal matches a user name/password pair previously stored in the server, the server passes access permission through the switch to the terminal.
b. If the user name/password pair entered at the requesting terminal does not match a user name/password pair previously stored in the server, access is denied. In this case, the terminal is again prompted to enter a user name and repeat steps 2 through 4 In the default configuration, the switch allows up to three attempts to authenticate a login session. If the requesting terminal exhausts the attempt limit without a successful TACACS+ authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again.
Local authentication process
When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions are met:
n Local is the authentication option for the access method being used. n The switch is configured to query one or more TACACS+ servers for a primary authentication request, but has
not received a response, and Local is the configured secondary option.
For local authentication, the switch uses the operator-level and manager-level user name/password sets previously configured locally on the switch. These are the user names and passwords you configure using the CLI password command, or the WebAgent.
n If the operator at the requesting terminal correctly enters the user name/password pair for either access level (operator or manager), access is granted on the basis of which user name/password pair was used. For example, consider configuring Telnet primary access for TACACS+ and Telnet secondary access for local. If a TACACS+ access attempt fails, you can still get either the operator or manager level access by entering the correct user name/password pair for the level you want to enter.
n If the user name/password pair entered at the requesting terminal does not match local user name/password pair previously configured in the switch, access is denied. In this case, the terminal is again prompted to enter a user name/password pair. In the default configuration, the switch allows up to three attempts. If the requesting terminal exhausts the attempt limit without a successful authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again.
Authentication parameters
Table 11: AAA Authentication Parameters
Name
console, Telnet, SSH, web, portaccess, or REST
enable
Default Range Function
n/a
n/a
Specifies the access method used when authenticating. TACACS+
authentication only uses the console, Telnet or SSH access
methods.
n/a
n/a
Specifies the manager (read/write) privilege level for the access
method being configured.
138
Aruba 2930M/F | Access Security Guide
Name
Default Range Function
login <privilegemode>
privilege- n/a mode disabled
login: Specifies the operator (read-only) privilege level for the access method being configured.The privilege-mode option enables TACACS+ for a single login. The authorized privilege level (operator or manager) is returned to the switch by the TACACS+ server.
local - or - tacacs
local
n/a
Specifies the primary method of authentication for the access method being configured. local: Use the user name/password pair configured locally in the switch for the privilege level being configured tacacs: Use a TACACS+ server.
local - or - none
none
n/a
Specifies the secondary (backup) type of authentication being configured. local: The user name/password pair configured locally in the switch for the privilege level being configured.none: No secondary type of authentication for the specified method/privilege path. (Available only if the primary method of authentication for the access being configured is local.)
NOTE: If you do not specify this parameter in the command line, the switch automatically assigns the secondary method as follows:
n If the primary method is tacacs, the only secondary method is local.
n If the primary method is local, the default secondary method is none.
num-attempts
3
1 - 10
In a given session, specifies how many attempts at entering the correct user name/password pair are allowed before access is denied and the session terminated.
Table 12: Primary/secondary authentication table
Access method and privilege level
Console -- Login
Authentication options
Primary
Secondary
local
none*
tacacs
local
Effect on access methods
Local user name/password access only.
If TACACS+ server is unavailable, uses local user name/password access.
Aruba 2930M/F | Access Security Guide
139
Access method and privilege level
Console -- Enable
Authentication options
Primary
Secondary
local
none
tacacs
local
REST -- Login
local tacacs
none local
REST -- Enable
local tacacs
none local
Telnet -- Login Telnet -- Enable SSH -- Login
local tacacs
tacacs local tacacs
tacacs local tacacs
none* local
none none local
none none local
Effect on access methods
Local user name/password access only.
If TACACS+ server is unavailable, uses local user name/password access.
Local user name/password access only. If TACACS+server is unavailable, uses local user name/password access.
Local user name/password access only. If TACACS+ server is unavailable, uses local user name/password access.
Local user name/password access only.
If TACACS+ server is unavailable, uses local user name/password access.
If TACACS+ server is unavailable, denies access.
Local user name/password access only.
If TACACS+ server is unavailable, uses local user name/password access.
If TACACS+ server is unavailable, denies access.
Local user name/password access only.
140
Aruba 2930M/F | Access Security Guide
Access method and privilege level
Authentication options
Primary
Secondary
SSH -- Enable
local tacacs
none local
Effect on access methods
If TACACS+server is unavailable, uses local user name/password access.
Local user name/password access only. If TACACS+ server is unavailable, uses local user name/password access.
Regarding the use of local for login primary access:
During local authentication (which uses passwords configured in the switch instead of in a TACACS+ server), the switch grants read-only access if you enter the operator password, and read-write access if you enter the manager password. For example, authenticating the switch with Telnet Login Primary as Local and Telnet Enable Primary as TACACS+. When you attempt to Telnet to the switch, you are prompted for a local password. If you enter the switch local manager password (or, if there is no local manager password configured in the switch) you can bypass the TACACS+ server authentication for Telnet Enable Primary and go directly to read-write (manager) access. Thus, for either the Telnet or console access method, it is recommended not to configure Login Primary for Local authentication while configuring Enable Primary for TACACS+. If you want to enable Primary log-in attempts to go to a TACACS+ server, configure both Login Primary and Enable Primary for TACACS+ authentication instead of configuring Login Primary to Local authentication.
Configuring TACACS+ on the switch
Access options
Following is a set of access options and the corresponding commands to configure them:
console login (operator or read-only) access, primary using TACACS+ server and secondary access using local.
switch (config)# aaa authentication console login tacacs local
console enable (manager or read/write) access, primary using TACACS+ server and secondary using local.
switch (config)# aaa authentication console enable tacacs local
Telnet login (operator or read-only) access, primary using TACACS+ server and secondary using local.
switch (config)# aaa authentication Telnet login tacacs local
Aruba 2930M/F | Access Security Guide
141
Telnet enable (manager or read/write) access, primary using TACACS+ server and secondary using local.
switch (config)# aaa authentication telnet enable tacacs local
ssh login (operator or read-only) access, primary using TACACS+ server and secondary using local.
switch (config)# aaa authentication ssh login tacacs local
ssh enable (operator or read-only) access, primary using TACACS+ server and secondary using local.
switch (config)# aaa authentication ssh enable tacacs local
rest login (operator or read-only) access, primary using TACACS+ server and secondary using local.
switch (config)# aaa authentication rest login tacacs local
rest enable (operator or read-only) access, primary using TACACS+ server and secondary using local.
switch (config)# aaa authentication rest enable tacacs local
deny access and close the session after failure of two consecutive user name/password pairs
switch (config)# aaa authentication num-attempts 2
Before you begin
If you are new to TACACS+ authentication, it is recommended that you configure your TACACS+ servers before configuring authentication on the switch.
Selecting the access method for configuration
The aaa authentication command configures access control for the following access methods:
n Console n Telnet n SSH n Web n Port-access (802.1X) n REST
However, TACACS+ authentication is only used with the console, Telnet, REST, or SSH access methods. The command specifies whether to use a TACACS+ server or the switch local authentication, or (for some secondary scenarios) no authentication. This means that if the primary method fails, authentication is denied. The command also reconfigures the number of access attempts to allow in a session if the first attempt uses an incorrect user name/password pair.
Configuring the switch authentication method
Syntax
142
Aruba 2930M/F | Access Security Guide
aaa authentication <console|telnet|ssh|web|port-access|rest> login tacacs Selects the access method for configuration.
Parameters
<enable>
Example: aaa authentication ssh enable tacacs local
The server grants privileges at the manager privilege level. <login [privilege-mode]>
Example: aaa authentication login privilege-mode
The server grants privileges at the operator privilege level. If the privilege-mode option is entered, TACACS+ is enabled for a single login. The authorized privilege level (operator or manager) is returned to the switch by the TACACS+ server. Default: Single login disabled. <local|tacacs|radius> Selects the type of security access: local Authenticates with the manager and operator password you configure in the switch. tacacs Authenticates with a password and other data configured on a TACACS+ server. radius Authenticates with a password and other data configured on a RADIUS server. [<local|none>] If the primary authentication method fails, determines whether to use the local password as a secondary method or to disallow access.
Example
switch(config)# aaa accounting authentication authorization port-access
server-group
Configure the accounting service on the device. Configure authentication parameters on the switch. Configure authorization parameters on the switch. Configure 802.1X (Port Based Network Access), MAC address based network access, or web authentication-based network access or the MACsec Key Agreement (MKA) protocol, or 802.1X-2010 support on the device. Configure the RADIUS server, NAS-ID for the RADIUS server group.
switch(config)# aaa authentication
lockout-delay
The number of seconds after repeated login failures
before a user may again attempt login.
login
Specify that switch respects the authentication server's
privilege level.
mac-based
Configure authentication mechanism used to control
mac-based port access to the switch.
num-attempts
The number of login attempts allowed.
port-access
Configure authentication mechanism used to control
access to the network.
rest
Configure authentication mechanism used to control REST
access to the switch.
ssh
Configure authentication mechanism used to control SSH
access to the switch.
telnet
Configure authentication mechanism used to control
Telnet access to the switch.
unlock
Unlock the user locked out from SSH/Telnet/Console
access.
Aruba 2930M/F | Access Security Guide
143
user-based-lockout web web-based
Locking users based on the username for other access excluding the console access. Configure authentication mechanism used to control web access to the switch. Configure authentication mechanism used to control web-based port access to the switch.
switch(config)# aaa authentication ssh
client
Configure SSH client authentication for the switch.
enable
Configure access to the privileged mode commands.
login
Configure login access to the switch.
switch(config)# aaa authentication ssh login
local
Use local switch user/password database.
tacacs
Use TACACS+ server.
radius
Use RADIUS server.
peap-mschapv2
Use RADIUS server with PEAP-MSChapv2.
public-key
Use local switch public key authentication database.
certificate
Use the X.509 certificate.
two-factor
Use the two-factor authentication method.
switch(config)# aaa authentication ssh login tacacs
local
Use local switch user/password database.
none
Do not use backup authentication methods.
authorized
Allow access without authentication.
server-group
Specify the server group to use.
two-factor-type
Use the certificate or public key for the first
authentication method and username/password for the
second authentication method.
Syntax
aaa authentication num-attempts <1-10> Specifies the maximum number of login attempts allowed in the current session. Default is 3.
Configuring the TACACS+ server
Syntax
tacacs-server host <IP-ADDR | IPV6 ADDR | FDQN> key <KEY-STR> Configure a TACACS+ server for authentication, authorization and accounting. A maximum of 3 TACACS+ servers can be configured.
Parameters
tacacs-server
Configures a TACACS+ server for Authentication, Authorization and Accounting.
host
Configures the FDQN, IPv4, or IPv6 address of a TACACS+ server.
key
Configures the global authentication key for all TACACS+ servers.
Example
switch(config)# tacacs-server host 192.168.12.138 key procurve oobm
144
Aruba 2930M/F | Access Security Guide
Configuring the switch TACACS+ server access
The tacacs-server command configures the following parameters:
n The host FDQN or IP addresses for up to three TACACS+ servers; one first-choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server. If a TACACS+ server is configured with FQDN, the FQDN is resolved to an IPv4 address.
n An optional encryption key that helps to improve security, and must match the encryption key used in your TACACS+ server application. In some applications, the term "secret key" or "secret" may be used instead of "encryption key". If you need only one encryption key for the switch to use in all attempts to authenticate through a TACACS+ server, configure a global key. However, if the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.
n The time out value in seconds for attempts to contact a TACACS+ server. If the switch sends an authentication request, but does not receive a response within the period specified by the timeout value, the switch resends the request to the next server in its Server IP Addr list, if any. If the switch still fails to receive a response from any TACACS+ server, it reverts to whatever secondary authentication method was configured using the aaa authentication command (local or none). See Selecting the access method for configuration on page 142.
Syntax
tacacs-server host <IP-ADDR | IPV6-ADDR | FDQN> [key <KEY-STR>] | [oobm] Adds a TACACS+ server and optionally assigns a server-specific encryption key. If the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.
switch(config)# tacacs-server dead-time help Usage: no tacacs-server dead-time <Minutes>
Description
Configure the dead time for unavailable TACACS+ servers. When a server stops responding, the switch ignores it for this amount of time and proceeds immediately to the next backup. This improves response time because the switch does not wait for connections to time out before contacting the next backup server. The default value of zero disables skipping unavailable servers. no tacacs-server host <IP-ADDR | IPV6-ADDR | FDQN> Removes a TACACS+ server assignment (including its server-specific encryption key, if any). tacacs-server key <KEY-STR> Configures an optional global encryption key. Keys configured in the switch must match the encryption keys configured in the TACACS+ servers that the switch attempts to use for authentication. no tacacs-server key
Removes the optional global encryption key. This does not affect any server-specific encryption key assignments. tacacs-server timeout <1-255> Changes the wait period for a TACACS server response. Default: 5 seconds.
Aruba 2930M/F | Access Security Guide
145
n It is recommended that you configure, test, and troubleshoot authentication using telnet access before configuring authentication from a console port access. This prevents accidentally locking yourself out of the switch.
n Encryption keys configured in the switch must match the encryption keys configured in the TACACS+ servers it is attempting to use for authentication. A switch uses a global encryption key only with servers with no server-specific key. A global key is more useful where the TACACS+ servers in use all have an identical key, and server-specific keys are necessary where different TACACS+ servers have different keys. If TACACS+ server "X" has no encryption key assigned, then configuring either a global encryption key or a server-specific key in the switch for server "X" blocks authentication support from server "X".
ip source-interface
Syntax
ip source-interface {radius|sntp|syslog|tacacs|telnet|tftp|sflow|tunneled-nodeserver| radsec} {<IP-ADDR> | vlan <VLAN-ID> | loopback <LOOPBACK-ID>}
no ip source-interface {radius|sntp|syslog|tacacs|telnet|tftp|sflow|tunneled-nodeserver| radsec} {<IP-ADDR> | vlan <VLAN-ID> | loopback <LOOPBACK-ID>}
Description
Define source IP address selection policy for the application protocols. The no form of the command is to revert application protocols to its default (original) behavior, when the IP address of the outgoing interface is used as the source.
Example
switch(config)# ip source-interface
radius
The RADIUS protocol.
sntp
The SNTP protocol.
syslog
The syslog protocol.
tacacs
The TACACS+ protocol.
telnet
The Telnet protocol.
tftp
The TFTP protocol.
sflow
The sFlow protocol.
tunneled-node-server The Tunneled Node Server protocol.
radsec
The RADIUS protocol using TLS over TCP.
all
All protocols above.
ipv6 source-interface
Syntax
ipv6 source-interface ipv6 source-interface {<PROTOCOL-ID | all>} {<loopback <ID> | vlan <VLAN-ID> | < IPV6ADDR>>}}
Description
146
Aruba 2930M/F | Access Security Guide
Define source IP address selection policy for the application protocols. Use 'no' form of the command to revert application protocols to the default (original) behavior, when IP address of the outgoing interface is used as the source.
Configuring cipher text for TACACS+ key
To improve security, when entering a TACACS+ key, the key displayed is obfuscated. When the feature is active, masking of plaintext keys is supported for configuration commands where sensitive information is entered. Show commands are shown in plaintext. Enabling the CLI command hide-sensitive-data supports the masking of the sensitive information. This command is disabled by default.
Configuring dead time
Syntax
tacacs-server dead-time <minutes> no tacacs-server dead-time <minutes> Configures the dead time for unavailable TACACS+ servers. When a server stops responding, the switch ignores this for a given amount of time and proceeds immediately to the next backup. Configuring the dead time improves server response time as the switch no longer has to wait for connections to time out before contacting the next backup server. The default value of zero disables skipping unavailable servers.
dead-time
The dead time for unavailable TACACS+ servers.
0-1440
The server unavailability time in minutes (default is 0).
Enabling authorization for commands
Syntax
aaa authorization commands <radius|local|tacacs|auto|none> no aaa authorization commands <radius|local|tacacs|auto|none> aaa authorization commands access-level <manager|all> no aaa authorization commands access-level <manager|all> Configure command authorization. For each command issued by the user, an authorization request is sent to the server. Command authorization can be applied to all commands or only manager-level commands:
Parameters
aaa
Configure the switch Authentication, Authorization, and Accounting features.
commands
Configure command authorization.
local
Authorize commands using local groups. Locally authenticated clients goes through local authorization. No authentication is performed for RADIUS/TACACS+ authenticate clients.
radius
Aruba 2930M/F | Access Security Guide
147
Authorize commands using RADIUS. Locally authenticated clients go through local authorization. RADIUS authenticated clients go through RADIUS authorization. No authorization is performed for TACACS+ authenticated clients.
none
Do not require authorization for command access.
tacacs
Authorize commands using TACACS+. TACACS+ authenticated clients go through TACACS+ authorization. No authorization is performed for RADIUS/locally authenticated users.
auto
Authorize commands with the same protocol used for authentication. Uses the same method as Authentication and Authorization. For example local/radius/tacacs authenticated clients will go through local/radius/tacacs authorization respectively.
access-level
Configure command authorization level.
manager
Allow authorization only for manager level commands.
all
Allow authorization for all commands. This is the default option.
aaa accounting
Syntax
aaa accounting <exec|network|system|commands> <start-stop|stop-only|intermim-update> <radius|syslog|tacacs> no aaa accounting <exec|network|system|commands> <start-stop|stop-only|intermim-update> <radius|syslog|tacacs> Configure the accounting service on the device. Accounting can be configured for EXEC sessions, network connection, commands and system. The accounting data is collected by a RADIUS, SYSLOG, or TACACS+ server.
Network accounting is not supported through TACACS+ and SYSLOG. session-id accounting is not supported for TACACS+.
Parameters
Accounting
Configures the accounting service on the device.
Commands
Configures command type of accounting.
Exec
Configures Exec type of accounting.
148
Aruba 2930M/F | Access Security Guide
Network
Configures network type of accounting.
Session-id
Configures accounting sessions identification scheme.
RADIUS
Uses RADIUS for accounting.
TACACS
Uses TACACS+ for accounting.
syslog
Uses syslog for accounting.
show authorization
Syntax
show authorization group <groupname> Show authorization configuration.
Parameters
<groupname> The group name.
switch(config)# show authorization Status and Counters - Authorization Information Access Level Requiring Authorization: Manager
Type
| Method
-------- + -------
Commands | tacacs
Show all accounting configurations
Syntax
show accounting sessions Show accounting configuration parameters. If sessions is specified, the command will show accounting data for all active sessions.
Accounting
Show Accounting configuration parameters.
show accounting
switch(config)# show accounting Status and Counters - Accounting Information Interval(min) : 0 Suppress Empty User : No Sessions Identification : Common
Aruba 2930M/F | Access Security Guide
149
Type
| Method Mode
Server Group
-------- + ------ -------------- ------------
Network | None
Exec
| None
System | tacacs Start-Stop
tacacs
Commands | None
Show current authentication configurations
Syntax
show authentication
Description
This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access.
show authentication
switch(config)# show authentication Status and Counters - Authentication Information
login Attempts : 3 Lockout Delay : 0 Respect Privilege : Disabled Bypass Username For Operator and Manager Access : Disabled
| Login
Access Task | Primary
-------------- + -----------
Console
| Local
Telnet
| Local
Port-Access | Local
Webui
| Local
SSH
| Two-factor
Web-Auth
| ChapRadius
MAC-Auth
| ChapRadius
SNMP
| Local
Local-MAC-Auth | Local
Login
Login
Server Group Secondary
------------ ----------
None
None
None
None
None
radius
None
radius
None
None
None
Enable
| Enable
Access Task | Primary
-------------- + -----------
Console
| Local
Telnet
| Local
Webui
| Local
SSH
| Two-factor
Enable
Server Group Secondary
------------ ----------
None
None
None
tacacs
None
show authentication two-factor
switch(config)# show authentication
last-login
Show, for each switch user, information about the last
successful login and unsuccessful login attempts.
locked-out-users
Show, all the users which are in locked state.
two-factor
Show, for the two-factor, first and second
authentication methods
switch(config)# show authentication two-factor
| Login
Login
Access Task | First
Second
-------------- + ----------- ------------
SSH
| public-key
local
150
Aruba 2930M/F | Access Security Guide
| Enable
Access Task | First
-------------- + -----------
SSH
| public-key
| Login
Access Task | First
-------------- + -----------
SSH
| certificate
| Enable
Access Task | First
-------------- + -----------
SSH
| certificate
Enable Second -----------local
Login Second -----------local
Enable Second -----------local
Show key information
Use the show running-config command to display the key information.
switch(config) show running-config
Running configuration:
; JL074A Configuration Editor; Created on release #KB.xx.xx.0000x ; Ver #14:0f.6f.f8.1d.fb.7f.bf.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:60
hostname "Aruba-3810M-48G-PoEP-1-slot" module 1 type jl074x module 2 type jl074y tacacs-server host 1001::1 key "tacacskey" snmp-server community "public" unrestricted oobm
ip address dhcp-bootp ipv6 enable ipv6 address dhcp full exit vlan 1 name "DEFAULT_VLAN" untagged 1-48 ip address dhcp-bootp ipv6 enable ipv6 address dhcp full exit
show tacacs
Syntax
show tacacs [host <IP-ADDR | IPV6-ADDR>]
Description
Show TACACS status and statistics information.
Command context
config
Example
The following shows TACACS server when ordering sequence is enabled.
Aruba 2930M/F | Access Security Guide
151
switch(config)# show tacacs
Status and Counters - TACACS Information
Deadtime(min) : 0 Timeout : 5 Ordering-sequence Enabled : Yes Source IP Selection : Outgoing Interface Encryption Key :
Server IP Addr Opens Closes Aborts Errors Pkts Rx Pkts Tx OOBM
--------------- ------ ------ ------ ------ ------- ------- ----
10.2.97.10
0
0
0
0
0
0
No
10.2.97.11
0
0
0
0
0
0
No
10.2.97.12
0
0
0
0
0
0
No
The following example shows the deletion of server 10.2.97.11 and reordered, using the no form of the tacacsserver host 10.2.7.11 command. As per the ordering sequence, host 10.2.97.12 takes the place of 10.2.97.11.
switch(config)# show tacacs
Status and Counters - TACACS Information
Deadtime(min) : 0 Timeout : 5 Ordering-sequence Enabled : Yes Source IP Selection : Outgoing Interface Encryption Key :
Server IP Addr Opens Closes Aborts Errors Pkts Rx Pkts Tx OOBM
--------------- ------ ------ ------ ------ ------- ------- ----
10.2.97.10
0
0
0
0
0
0
No
10.2.97.12
0
0
0
0
0
0
No
The following example shows a server 10.2.97.13 being added with tacacs-server host 10.2.97.13 command. This newly added server takes the place of 10.2.97.12.
switch(config)# show tacacs
Status and Counters - TACACS Information
Deadtime(min) : 0 Timeout : 5 Ordering-sequence Enabled : Yes Source IP Selection : Outgoing Interface Encryption Key :
Server IP Addr Opens Closes Aborts Errors Pkts Rx Pkts Tx OOBM
--------------- ------ ------ ------ ------ ------- ------- ----
10.2.97.10
0
0
0
0
0
0
No
10.2.97.12
0
0
0
0
0
0
No
10.2.97.13
0
0
0
0
0
0
No
show tacacs host
Syntax
show tacacs [host <IP-ADDR | IPV6-ADDR>] Show TACACS status and statistics information.
152
Aruba 2930M/F | Access Security Guide
Parameters
host
Show information for the specified TACACS+ server.
IP-addr
The IP address of the TACACS+ server.
IPV6-addr
The IPv6 address of the TACACS+ server.
Example
switch(config)# show tacacs host <IP-ADDR> TACACS+ Server Information
Server Addr
: 10.0.0.3
OOBM
: Enabled
Sessions Opened :
Sessions Closed :
Sessions Aborted :
Sessions Error :
Authentication :
Packets Tx
:0
Packets Rx
:0
Timeouts
:0
Authorization :
Packets Tx
:0
Packets Rx
:0
Timeouts
:0
Accounting : Packets Tx Timeouts
:0
Packets Rx
:0
: 0ArubaSwitch# show tac host 2001:df::1
TACACS+ Server Information
Server Addr OOBM Sessions Opened Sessions Closed Sessions Aborted Sessions Errors
: 2001:df::1 : No :0 :0 :0 :0
Authentication :
Packets Tx Timedouts
:0
Packets Rx
:0
:0
Authorization :
Packets Tx Timedouts
:0
Packets Rx
:0
:0
Accounting
:
Packets Tx Timedouts
:0
Packets Rx
:0
:0
Aruba 2930M/F | Access Security Guide
153
Show accounting sessions
Syntax
show accounting sessions Show accounting data for all active sessions.
switch(config)# show accounting sessions Active Accounted actions on SWITCH, User (n/a) Priv (n/a), Acct-Session-Id 0x013E00000006, System Accounting record, 1:45:34 Elapsed, system event `Accounting On', method `radius' Active Accounted actions on SWITCH, User (n/a) Priv (n/a), Task-id 0x013E00000006, Command Accounting record, 1:45:34 Elapsed, method `tacacs'.
show ip source-interface
Syntax
show ip source-interface
Description
Shows IP source interface protocol information.
Example
switch(config)# show ip source-interface
Source-IP Configuration Information
Protocol | Admin Selection Policy IP Interface IP Address
-------- + ----------------------- -------------- ---------------
Tacacs | Configured IP Interface vlan-20
20.1.1.3
Radius | Configured IP Interface vlan-10
N/A
Syslog | Configured IP Interface vlan-30
20.2.1.4
Telnet | Outgoing Interface
N/A
N/A
Tftp
| Outgoing Interface
N/A
N/A
Sntp
| Configured IP Interface vlan-102
10.1.1.6
Sflow | Outgoing Interface
N/A
N/A
Tunne... | Outgoing Interface
N/A
N/A
RADSEC | Configured IP Interface vlan-102
10.1.1.4
show ipv6 source-interface
Syntax
show ipv6 source-interface show ipv6 source-interface <radius | tacacs><detail | status>
Description
Show source IPv6 configuration, status or detailed information. Invoked without parameters shows configuration information for all protocols. If 'status' keyword is specified the operational status information is shown. If 'detail' keyword is specified the detailed operational status information is shown.
Example
154
Aruba 2930M/F | Access Security Guide
switch# show ipv6 source-interface tacacs
Source-IPV6 Configuration Information
Protocol | IPV6 Address IPV6 Interface Admin Selection Policy
-------- + --------------- -------------- -----------------------
Tacacs | 2001:df::2
vlan-2
Configured IPv6 Address
switch# show ipv6 source-in detail
Source-IPV6 Detailed Information
Protocol : Tacacs
Admin Policy
: Configured IPv6 Address
Oper Policy
: Outgoing Interface
Source IPV6 Interface : vlan-2
IPV6 Address
: 2001:00df:0000:0000:0000:0000:0000:0002
Source Interface State : Down
switch# show ipv6 source-in tacacs status
Source-IPV6 Status Information
Protocol | Admin Selection Policy Oper Selection Policy -------- + ----------------------- ----------------------Tacacs | Configured IP Address Outgoing Interface
switch# show ipv6 source-in ?
detail
Show detailed information.
radius
Specify the name of protocol
tacacs
Specify the name of protocol
Specifying devices
Syntax
host <IP-ADDR | IPV6-ADDR> [key <KEY-STR>] | [oobm] Specifies the IP address of a device running a TACACS+ server application. Optionally, you can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see Encryption options in the switch on page 156 and the documentation provided with your TACACS+ server application. For switches that have a separate out-of-band management port, the OOBM parameter specifies that the TACACS+ traffic goes through the out-of-band management (OOBM) port. You can enter up to three IP addresses; one first-choice and two (optional) backups (one second-choice and one third-choice). Use show tacacs to view the current IP address list. If the first-choice TACACS+ server fails to respond to a request, the switch tries the second address, if any, in the show tacacs list. If the second address also fails, then the switch tries the third address, if any. The priority (first-choice, second-choice, and third-choice) of a TACACS+ server in the switch TACACS+ configuration depends on the order in which you enter the server IP addresses.
Procedure
1. When there are no TACACS+ servers configured, entering a server IP address makes that server the firstchoice TACACS+ server.
Aruba 2930M/F | Access Security Guide
155
2. When there is one TACACS+ serves already configured, entering another server IP address makes that server the second-choice (backup) TACACS+ server.
3. When there are two TACACS+ servers already configured, entering another server IP address makes that server the third-choice (backup) TACACS+ server.
The above position assignments are fixed. If you remove one server and replace it with another, the new server assumes the priority position that the removed server had. For example, suppose you configured three servers, A, B, and C, configured in order: First-Choice: A Second-Choice: B Third-Choice: C If you removed server B and then entered server X, the TACACS+ server order of priority would be: First-Choice: A Second-Choice: X Third-Choice: C If there are two or more vacant slots in the TACACS+ server priority list and you enter a new IP address, the new address takes the vacant slot with the highest priority. Thus, if A, B, and C are configured as above and you (1) remove A and B, and (2) enter X and Y (in that order), then the new TACACS+ server priority list will be X, Y, and C. To change the order of the TACACS+ servers in the priority list is to remove all server addresses in the list and then re-enter them in order, with the new first-choice server address first, and so on. To add a new address to the list when there are already three addresses present, you must first remove one of the currently listed addresses. See also General authentication process using a TACACS+ server on page 137. Default: None
Specifying switch timeout
Syntax
timeout <1-255>
Description
Specifies how long the switch waits for a TACACS+ server to respond to an authentication request. If the switch does not detect a response within the timeout period, it initiates a new request to the next TACACS+ server in the list. If all TACACS+ servers in the list fail to respond within the timeout period, the switch uses either local authentication (if configured) or denies access (if none configured for local authentication). Default: 5 seconds
Encryption options in the switch
When configured, the encryption key causes the switch to encrypt the TACACS+ packets it sends to the server. When left at "null", the TACACS+ packets are sent in clear text. The encryption key you configure in the switch must be identical to the encryption key configured in the corresponding TACACS+ server.
If the key is the same for all TACACS+ servers the switch uses for authentication, then configure a global key in the switch. If the key is different for one or more of these servers, use "server-specific" keys in the switch. (If you configure both a global key and one or more per-server keys, the per-server keys overrides the global key for the specified servers.)
For example, you would use the following command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) You do not need the server IP addresses to configure a global key in the switch:
156
Aruba 2930M/F | Access Security Guide
switch(config)# tacacs-server key north40campus
Suppose that you subsequently add a third TACACS+ server (with an IP address of 10.28.227.87) that has south10campus for an encryption key. Because this key is different than the one used for the two servers in the previous example, you must assign a server-specific key in the switch that applies only to the designated server:
switch(config)# tacacs-server host 10.28.227.87 key south10campus
With both of the above keys configured in the switch, the south10campus key overrides the north40campus key only when the switch tries to access the TACACS+ server having the 10.28.227.87 address.
Encryption operation keys
When used, the encryption key (sometimes termed "key", "secret key", or "secret") helps to prevent unauthorized intruders on the network from reading user name and password information in TACACS+ packets moving between the switch and a TACACS+ server. At the TACACS+ server, a key may include both of the following:
n Global key: A general key assignment in the TACACS+ server application that applies to all TACACS-aware devices for which an individual key is not configured.
n Server-Specific key: A unique key assignment in the TACACS+ server application that applies to a specific TACACS-aware device.
Configure a key in the switch only if the TACACS+ server application has this exact same key configured for the switch. That is, if the key parameter in switch "X" does not exactly match the key setting for switch "X" in the TACACS+ server application, then communication between the switch and the TACACS+ server fails.
Thus, on the TACACS+ server side, you have a choice as to how to implement a key. On the switch side, it is necessary only to enter the key parameter so that it exactly matches its counterpart in the server. For information on how to configure a general or individual key in the TACACS+ server, see the documentation you received with the application.
Configuring an encryption key
Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+ server that also uses an encryption key. If the server expects a key, but the switch either does not provide one, or provides an incorrect key, then the authentication attempt fails.
n Use a global encryption key if the same key applies to all TACACS+ servers the switch may use for authentication attempts.
n Use a per-server encryption key if different servers the switch may use have different keys. For more details on encryption keys, see Encryption options in the switch on page 156.
Optional global encryption key
Syntax
key <key-string> Specifies the optional, global "encryption key" that is also assigned in the TACACS+ servers that the switch accesses for authentication. This option is subordinate to any "per-server" encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a "per-server" key.
Aruba 2930M/F | Access Security Guide
157
You can configure a TACACS+ encryption key that includes a tilde (~) as part of the key, for example, "aruba~switch". It is not backward compatible; the "~" character is lost if you use a software version that does not support the "~" character For more on the encryption key, see Encryption options in the switch on page 156 and the documentation provided with your TACACS+ server application.
Configuring a global encryption key
To configure north01 as a global encryption key: switch(config)#tacacs-server key north01
Configuring a per-server encryption key
To configure north01 as a per-server encryption key: switch(config)#tacacs-server host 10.28.227.63 key north01
An encryption key can contain up to 100 characters, without spaces, and is case-sensitive in most TACACS+ server applications.
Deleting a per-server encryption key To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, use the following command:
switch(config)# tacacs-server host 10.28.227.104
You can save the encryption key in a configuration file by entering this command: switch(config)# tacacs-server key <key-string> The <key-string> parameter is the encryption key in clear text.
The show tacacs command lists the global encryption key, if configured. However, to view any configured per-server encryption keys, you must use show config or show config running (if you have made TACACS+ configuration changes without executing write mem).
Deleting a global encryption key
To delete a global encryption key from the switch, use this command: switch(config)# no tacacs-server key
Configuring the Timeout period The timeout period specifies how long the switch waits for a response to an authentication request from a TACACS+ server before either sending a new request to the next server in the switch Server IP Address list or using the local authentication option. For example, to change the timeout period from 5 seconds (the default) to 3 seconds:
switch(config)# tacacs-server timeout 3
Configuring server specific encryption key
Syntax
158
Aruba 2930M/F | Access Security Guide
tacacs-server host <ip-addr | ipv6 addr> [key <key-string> | encrypted-key <key-string> | [oobm]
Adds a TACACS+ server and optionally assigns a server-specific encryption key. If the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.
When the switch is in enhanced secure mode, commands that take a secret key as a parameter have the echo of the secret typing replaced with asterisks. The input for <key-string> is prompted for interactively.
tacacs-server host <ip-addr | ipv6 addr> no tacacs-server host <ip-addr | ipv6 addr> Removes a TACACS+ server assignment (including its server-specific encryption key, if any). tacacs-server [key <key-string> | encrypted-key <key-string>]
Configures an optional global encryption key. Keys configured in the switch must exactly match the encryption keys configured in the TACACS+ servers that the switch attempts to use for authentication. The encrypted-key parameter configures a global encryption key, specified using a base64-encoded aes-256 encrypted string. tacacs-server key no tacacs-server key Removes the optional global encryption key. It does not affect any server-specific encryption key assignments. tacacs-server encrypted-key <key-string> Encryption key to use with a TACACS+ server, specified using a base64-encoded aes-256 encrypted string. tacacs-server timeout <1-255> Changes the wait period for a TACACS server response. (Default: 5 seconds.)
Encryption keys configured in the switch must exactly match the encryption keys configured in TACACS+ servers the switch attempts to use for authentication.
If you configure a global encryption key, the switch uses it only with servers for which you have not configured a server-specific key. Thus, a global key is more useful where the TACACS+ servers you are using all have an identical key, and server-specific keys are necessary where different TACACS+ servers have different keys.
If TACACS+ server "X" does not have an encryption key assigned for the switch, then configuring either a global encryption key or a server-specific key in the switch for server "X" blocks authentication support from server "X".
Using the privilege-mode option for login
When using TACACS+ to control user access to the switch, first login with your user name at the operator privilege level using the password for operator privileges, then login again with the same user name but using the Manger password to obtain manager privileges. You can avoid this double login process by entering the privilege-mode option with the aaa authentication login command to enable TACACS+ for a single login. The switch authenticates your user name/password, then requests the privilege level (operator or manager) that was configured on the TACACS+ server for this user name/password. The TACACS+ server returns the allowed privilege level to the switch. You are placed directly into operator or manager mode, depending on your privilege level.
switch(config) aaa authentication login privilege-mode
The no version of the above command disables TACACS+ single login capability.
Aruba 2930M/F | Access Security Guide
159
Examples for adding, removing, or changing the priority of a TACACS+ server
Example
Suppose the switch is configured to use TACACS+ servers at 10.28.227.10 and 10.28.227.15. 10.28.227.15 was entered first and so is listed as the first-choice server. Example of the switch with two TACACS+ server addresses configured:
switch(config)# show tacacs Status and Counters - TACACS Information Timeout : 5 Encryption Key:
Server IP Addr
Opens Closes Aborts Errors Pkts Rx Pkts Tx
--------------------------------------------------------------------------
10.28.277.151
0
0
0
0
0
00
0
10.28.277.10
0
0
0
0
0
00
0
To move the "first-choice" status from the "15" server to the "10" server, use the no tacacs-server host <ipaddr> command to delete both servers, then use tacacs-server host <ip-addr> to re-enter the "10" server first, then the "15" server. The servers would then be listed with the new "first-choice" server, that is:
switch(config)# show tacacs Status and Counters - TACACS Information Timeout : 5 Encryption Key:
Server IP Addr
Opens Closes Aborts Errors Pkts Rx Pkts Tx
--------------------------------------------------------------------------
10.28.277.102
0
0
0
0
0
00
0
10.28.277.15
0
0
0
0
0
00
0
To remove the 10.28.227.15 device as a TACACS+ server, use the following command:
Switch(config)# no tacacs-server host 10.28.227.15 1First-choice TACACS+ Server 2The "10" server is now "first-choice" TACACS+ authentication device.
Controlling Web UI access when using TACACS+ authentication
Configuring the switch for TACACS+ authentication does not affect Web UI access. To prevent unauthorized access through the Web UI, do one or more of the following:
n Configure local authentication (a manager user name and password and, optionally, an operator user name and password) on the switch.
n Configure the switch Authorized IP manager feature to allow Web UI access only from authorized management stations. The Authorized IP manager feature does not interfere with TACACS+ operation.
n Disable Web UI access to the switch by going to the System Information screen in the Menu interface and configure the Web UI Enabled parameter to No.
TACACS server order
In releases prior to 16.09, following was the configuration of TACACS server:
160
Aruba 2930M/F | Access Security Guide
n Newly added server occupied the first vacant index. n If a server was deleted before adding a new one, the server occupied the deleted server position rather than the
sequence in which new servers were included. Starting with this release, TACACS servers can be arranged in a sequential order. Following is the TACACS server order: n After a server is deleted, the existing server with lower priority is shifted one place above in the configuration. n Newly added server takes the lowest priority (highest index).
The parameter that reorders TACACS servers after deletion is tacacs-server ordering-sequence.
By default, reordering is disabled. You can configure up to three servers at a time.
show tacacs
Syntax
show tacacs [host <IP-ADDR | IPV6-ADDR>]
Description
Show TACACS status and statistics information.
Command context
config
Example
The following shows TACACS server when ordering sequence is enabled. switch(config)# show tacacs
Status and Counters - TACACS Information
Deadtime(min) : 0 Timeout : 5 Ordering-sequence Enabled : Yes Source IP Selection : Outgoing Interface Encryption Key :
Server IP Addr Opens Closes Aborts Errors Pkts Rx Pkts Tx OOBM
--------------- ------ ------ ------ ------ ------- ------- ----
10.2.97.10
0
0
0
0
0
0
No
10.2.97.11
0
0
0
0
0
0
No
10.2.97.12
0
0
0
0
0
0
No
The following example shows the deletion of server 10.2.97.11 and reordered, using the no form of the tacacsserver host 10.2.7.11 command. As per the ordering sequence, host 10.2.97.12 takes the place of 10.2.97.11.
switch(config)# show tacacs
Status and Counters - TACACS Information
Deadtime(min) : 0
Aruba 2930M/F | Access Security Guide
161
Timeout : 5 Ordering-sequence Enabled : Yes Source IP Selection : Outgoing Interface Encryption Key :
Server IP Addr Opens Closes Aborts Errors Pkts Rx Pkts Tx OOBM
--------------- ------ ------ ------ ------ ------- ------- ----
10.2.97.10
0
0
0
0
0
0
No
10.2.97.12
0
0
0
0
0
0
No
The following example shows a server 10.2.97.13 being added with tacacs-server host 10.2.97.13 command. This newly added server takes the place of 10.2.97.12.
switch(config)# show tacacs
Status and Counters - TACACS Information
Deadtime(min) : 0 Timeout : 5 Ordering-sequence Enabled : Yes Source IP Selection : Outgoing Interface Encryption Key :
Server IP Addr Opens Closes Aborts Errors Pkts Rx Pkts Tx OOBM
--------------- ------ ------ ------ ------ ------- ------- ----
10.2.97.10
0
0
0
0
0
0
No
10.2.97.12
0
0
0
0
0
0
No
10.2.97.13
0
0
0
0
0
0
No
Event Messages
Messages related to TACACS+ operation
The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, see the documentation you received with the application.
TACACS+ operation messages
Meaning
Connecting to TACACS+ server
The switch is attempting to contact the TACACS+ server identified in the switch tacacs-server configuration as the first-choice (or only) TACACS+ server.
Connecting to secondary TACACS+ server
The switch was not able to contact the first-choice TACACS+ server, and is now attempting to contact the next (secondary) TACACS+ server identified in the switch
tacacs-server configuration.
Invalid password
The system does not recognize the user name or the password or both. Depending on the authentication method (tacacs or local), either the TACACS+ server application did not recognize the user name/password pair or the user name/password pair did not match the user name/password pair configured in the switch.
No TACACS+ servers responding
The switch has not been able to contact any designated TACACS+ servers. If this message is followed by the Username prompt, the switch is attempting local authentication.
162
Aruba 2930M/F | Access Security Guide
TACACS+ operation messages Not legal combination of authentication methods
Record already exists
Meaning
For console access, if you select tacacs as the primary authentication method, you must select local as the secondary authentication method. This prevents you from being locked out of the switch if all designated TACACS+ servers are inaccessible to the switch.
When resulting from a tacacs-server host <ip addr> command, indicates an attempt to enter a duplicate TACACS+ server IP address.
Operating notes
n If you configure Authorized IP managers on the switch, it is not necessary to include any devices used as TACACS+ servers in the authorized manager list. That is, authentication traffic between a TACACS+ server and the switch is not subject to Authorized IP manager controls configured on the switch. Also, the switch does not attempt TACACS+ authentication for a management station that the Authorized IP manager list excludes because, independent of TACACS+, the switch already denies access to such stations.
n When TACACS+ is not enabled on the switch-or when the switch only designated TACACS+ servers are not accessible-setting a local operator password without also setting a local manager password does not protect the switch from manager-level access by unauthorized persons.
n When using the copy command to transfer a configuration to a TFTP server, any optional, server-specific and global encryption keys in the TACACS configuration are not included in the transferred file. Otherwise, a security breach can occur, allowing access to the TACACS+ user name/password information.
Aruba 2930M/F | Access Security Guide
163
Chapter 10 RADIUS Authentication, Authorization, and
Accounting
RADIUS Authentication, Authorization, and Accounting
Overview
RADIUS (Remote Authentication Dial-In User Service) enables you to use up to 15 servers and maintain separate authentication and accounting for each RADIUS server employed.
Authentication Services
RADIUS verifies identity for the following types of primary password access to the switch:
n Serial port (console) n Telnet n SSH n SFTP/SCP n WebAgent n Port-Access (802.1X)
The switch also supports RADIUS accounting for Web Authentication and MAC authentication sessions.
The switch does not support RADIUS security for SNMP (network management) access. For information on blocking access through the WebAgent, see Controlling WebAgent access on page 185.
Authentication order and priority
In the earlier releases, all Authentication methods were attempted in parallel. 802.1x had the highest priority, followed by MAC, Web, and local MAC authentication. Authentication methods started in parallel may cause issues for the clients that require authentication requests to be processed sequentially. Now users can specify the order and priority for Authentication methods. Users can assign an order of Authentication between 802.1X and MAC Authentication using the aaa portaccess <port> auth-order command. The switch will follow the order. If both the methods fail, the Authentication method defaults to Local MAC Authentication, if configured. Specifying Authentication priority is optional. Users must configure Authentication order before configuring priority. The Authentication method with higher priority is used to access a client when both methods are configured to succeed through the Authentication server. Setting the priority is useful in deployments where clients like wireless access-points (APs) or IT-compliant-laptops or phones or laptops without-pre-loadedsupplicant-software, can first download the supplicant software or firmware/OS patches before attempting 802.1x Authentication. In this case, you can set MAC Authentication as the primary Authentication method followed by 802.1x for the Authentication order, but set the Authentication priority with primary as 802.1x and secondary as MAC Authentication to enforce the access based on 802.1x. Thus the client (or end-access-device) will initially be authenticated by MAC Authentication, get the access required to on-board and install the software or patches, and subsequently attempt the 802.1x Authentication. When 802.1x Authentication succeeds, client will be provided access based on the 8021.x access as 802.1x is configured as the Authentication method with higher priority.
Aruba 2930M/F | Access Security Guide
164
You can configure the Local MAC Authentication as the fallback method in case both 802.1x and MAC Authentication fail.
Considerations
n If only Authentication order is configured, Authentication priority will be the same as Authentication order. n If Local mac authentication is configured on the port without fallback option in the Authentication order or vice-
versa, Local MAC Authentication will not be triggered. n If the primary method is MAC Authentication for order, EAP packets from the supplicant capable clients will
not trigger MAC Authentication. Use 802.1x as the primary Authentication method and use Authentication priority to enforce the priority for MAC Authentication. n If critical auth (vlan or user-role) is configured and RADIUS Service is not available, the clients will be placed in critical auth (vlan or user-role), even if Local MAC authentication is enabled as the fallback method. n If Authentication order or priority is configured or updated, the existing clients are de-authenticated and Authentication process is triggered again on the impacted ports. n Configure the max-eap-retries value to a smaller number to reduce the time in waiting for the EAPResponse from non-supplicant clients. n When priority is set and the highest priority method fails, the client is given access by the successful secondary priority method. The highest primary method will not be attempted again. n Re-authentication or cached re-authentication happens for the clients in the Authentication method that authenticated the client. After cached re-authentication expiry, client will attempt the next method in Authentication order if RADIUS service is still not available. n When MAC Authentication is configured as the primary method for Authentication order, the EAP packets from the supplicant capable clients will not trigger MAC Authentication. In such cases, use 802.1x as the primary Authentication method and use Authentication priority to enforce the priority for MAC Authentication. n If the primary method is Mac Authentication, non-supplicant capable clients will not be placed in critical vlan/user-role, if configured, when the RADIUS server is not reachable.
Configuring the Authentication Order, Priority, and Fallback
aaa port-access <PORT-LIST>
auth-order <authenticator | mac-based> <mac-based | authenticator>
auth-order <authenticator | mac-based> <mac-based | authenticator> [local-mac] auth-priority <authenticator | mac-based> <mac-based | authenticator>
Description
Configures the authentication order and priority for the ports listed.
Parameter PORT-LIST auth-order auth-priority
Description Specifies a single port or a range of ports. Configures the authentication order. Configures authentication priority.
165
Aruba 2930M/F | Access Security Guide
Parameter authenticator mac-based local-mac
Description
Sets 802.1X Authentication as the primary Authentication method for the clients of this port.
Sets MAC address based Authentication as the primary Authentication method for the clients of this port.
Sets the Local MAC address based Authentication as the fallback Authentication method for the clients of this port.
Example
switch(config)# show run interface 15
Running configuration:
interface 15 untagged vlan 1 aaa port-access authenticator aaa port-access authenticator client-limit 2 aaa port-access mac-based aaa port-access mac-based addr-limit 2 exit
switch(config)# show port-access clients l5 detailed
Port Access Client Status Detail
Client Base Details :
Port
: L5
Client Status : authenticated
Client Name
: accc8e9e05fa
MAC Address
: accc8e-9e05fa
IP
: n/a
Authentication Type : mac-based
Session Time
: 19 seconds
Session Timeout
: 0 seconds
Auth Order Auth Priority LMA Fallback
: 8021x, Mac-Auth : Not Set : Disabled
Downloaded user roles are preceded by *
User Role Information
Name
: *DUR_Mac_Auth-3089-5
Type
: downloaded
Reauthentication Period (seconds) : 0
Cached Reauth Period (seconds) : 0
Logoff Period (seconds)
: 300
Untagged VLAN
: 10
Tagged VLANs
:
Captive Portal Profile Policy Tunnelednode Server Redirect Secondary Role Name Device Attributes
: : : Enabled : mac-role : Disabled
Aruba 2930M/F | Access Security Guide
166
Accounting services
RADIUS accounting on the switch collects resource consumption data and forwards it to the RADIUS server. This data can be used for trend analysis, capacity planning, billing, auditing, and cost analysis.
RADIUS-administered CoS and rate-limiting
The switches covered in this guide take advantage of vendor-specific attributes (VSAs) applied in a RADIUS server to support these optional, RADIUS-assigned attributes:
n 802.1p (CoS) priority assignment to inbound traffic on the specified port(s) (port-access authentication only) n Per-Port Rate-Limiting on a port with an active link to an authenticated client (port-access authentication only)
RADIUS-administered commands authorization
This feature enables RADIUS server control of an authenticated client's access to CLI commands on the switch. See Commands Authorization on page 185.
SNMP access to the switch authentication configuration MIB
The switch default configuration allows SNMP access to the hpSwitchAuth MIB (Management Information Base). A management station running an SNMP networked device management application can access the switch MIB for read access to the switch status and read/write access to the switch configuration. For more information, including the CLI command to use for disabling this feature, see Using SNMP to view and configure switch authentication features on page 181.
Switch operating rules for RADIUS
n You must have at least one RADIUS server accessible to the switch. n The switch supports authentication and accounting using up to 15 RADIUS servers. The switch accesses the
servers in the order in which they are listed by show radius. If the first server does not respond, the switch tries the next one, and so-on. To change the order in which the switch accesses RADIUS servers, see Changing RADIUS-server access order on page 207. n You can select RADIUS as the primary authentication method for each type of access. (Only one primary and one secondary access method is allowed for each access type.) n In the switch, EAP RADIUS uses MD5 and TLS to encrypt a response to a challenge from a RADIUS server. n When primary/secondary authentication is set to Radius/Local (for either Login or Enable) and the RADIUS server fails to respond to a client attempt to authenticate, the failure is noted in the Event Log with the message radius: Can't reach RADIUS server <server-ip-addr>. When this type of failure occurs, the switch prompts the client again to enter a username and password. In this case, use the local username (if any) and password configured on the switch itself. n Zero-length usernames or passwords are not allowed for RADIUS authentication, even though allowed by some RADIUS servers.
General RADIUS setup procedure
Preparation:
Procedure
167
Aruba 2930M/F | Access Security Guide
1. Configure one to 15 RADIUS servers to support the switch. See the documentation provided with the RADIUS server application.
2. Before configuring the switch, collect the following information:
a. Determine the access methods (console, Telnet, Port-Access (802.1X), WebAgent and/or SSH) for which you want RADIUS as the primary authentication method. Consider both operator (login) and manager (enable) levels, and what secondary authentication methods to use (local or none) if the RADIUS authentication fails or does not respond.
Figure 19 Possible RADIUS access assignments
b. Determine the IP addresses of the RADIUS servers to support the switch. You can configure the switch for up to 15 RADIUS servers. See the documentation provided with the RADIUS server application for more information. Determine the IP addresses of the RADIUS servers to support the switch. You can configure the switch for up to three RADIUS servers.
c. If you need to replace the default UDP destination port (1812) the switch uses for authentication requests to a specific RADIUS server, select it before beginning the configuration process.
d. If you need to replace the default UDP destination port (1813) the switch uses for accounting requests to a specific RADIUS server, select it before beginning the configuration process.
e. Determine whether to use one global encryption key for all RADIUS servers or if unique keys will be required for specific servers. With multiple RADIUS servers, if one key applies to two or more of these servers, then you can configure this key as the global encryption key. For any server whose key differs from the global key you are using, you must configure that key in the same command that you use to designate that server IP address to the switch.
Aruba 2930M/F | Access Security Guide
168
f. Determine an acceptable timeout period for the switch to wait for a server to respond to a request. Hewlett Packard Enterprise recommends that you begin with the default (five seconds).
g. Determine how many times the switch can contact a RADIUS server before trying another RADIUS server or quitting. This depends on how many RADIUS servers you have configured the switch to access.
h. Determine whether you want to bypass a RADIUS server that fails to respond to requests for service. To shorten authentication time, you can set a bypass period in the range of 1 to 1440 minutes for nonresponsive servers. This requires that you have multiple RADIUS servers accessible for service requests.
Configuring the switch for RADIUS authentication
Configure RADIUS authentication for controlling access through one or more of the following:
n Serial port n Telnet n SSH n Port-Access (802.1X) n WebAgent
Procedure
1. RADIUS authentication on the switch must be enabled to override the default authentication operation which is to automatically assign an authenticated client to the operator privilege level. This applies the privilege level specified by the service type value received from the RADIUS server.
2. Configure the switch for accessing one or more RADIUS servers (one primary server and up to two backup servers): n Server IP address n (Optional) UDP destination port for authentication requests (default: 1812; recommended) n (Optional) UDP destination port for accounting requests (default: 1813; recommended) n (Optional) Encryption key for use during authentication sessions with a RADIUS server. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server. (default: null)
Step 2 assumes you have already configured the RADIUS servers to support the switch. See your RADIUS server documentation for details.
3. Configure the global RADIUS parameters. a. Server key: This key must match the encryption key used on the RADIUS servers the switch contacts for authentication and accounting services unless you configure one or more per-server keys. (default: null)
b. Timeout period: The timeout period the switch waits for a RADIUS server to reply. (default: 5 seconds; range: 1 to 15 seconds)
c. Retransmit attempts: The number of retries when there is no server response to a RADIUS authentication request. (default: 3; range of 1 to 5)
169
Aruba 2930M/F | Access Security Guide
d. Server dead-time: The period during which the switch will not send new authentication requests to a RADIUS server that has failed to respond to a previous request. This avoids a wait for a request to time out on a server that is unavailable. If you want to use this feature, select a dead-time period of 1 to 1440 minutes. (default: disabled; range: 1-1440 minutes.) If your first-choice server was initially unavailable, but then becomes available before the dead-time expires, you can nullify the dead-time by resetting it to zero and then trying to log on again. As an alternative, you can reboot the switch, (thus resetting the dead-time counter to assume the server is available) and then try to log on again.
e. Number of login attempts: This is actually an aaa authentication command. It controls how many times per session a RADIUS client (and clients using other forms of access) can try to log in with the correct username and password. (default: Three times per session)
Configuring authentication for the access methods that RADIUS protects
Configure the switch for RADIUS authentication through the following access methods:
n Console: Either direct serial-port connection or modem connection. n Telnet: Inbound Telnet must be enabled (the default). n SSH: To use RADIUS for SSH access, first configure the switch for SSH operation. n WebAgent:You can enable RADIUS authentication for WebAgent access to the switch.
You can configure RADIUS as the primary password authentication method for the above access methods. You also need to select either local, none, or authorized as a secondary, or backup, method. Note that for console access, if you configure radius (or tacacs) for primary authentication, you must configure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail.
Syntax:
aaa authentication <console|telnet|ssh|web|<enable|login <local|radius>> web-based|mac-based <chap-radius|peap-radius>> Configures RADIUS as the primary password authentication method for console, Telnet, SSH, and/or the WebAgent. The default primary <enable|login> authentication is local. <console|telnet|ssh|web> [<local|none|authorized>]
Provides options for secondary authentication. For console access, secondary authentication must be local if primary access is not local. This prevents you from being locked out of the switch in the event of a failure in other access methods. <<web-based|mac-based> login> <chap-radius|peap-mschapv2>
Password authentication for web-based or MAC-based port access to the switch. Use peap-mschapv2 when you want password verification without requiring access to a plain text password; it is more secure. Default: chap-radius [none|authorized]
Provides options for secondary authentication. The none option specifies that a backup authentication method is not used. The authorized option allows access without authentication.
Default: none. In certain situations, RADIUS servers can become isolated from the network. Users are not able to access the network resources configured with RADIUS access protection and are rejected. To address this situation,
Aruba 2930M/F | Access Security Guide
170
configuring the authorized secondary authentication method allows users unconditional access to the network when the primary authentication method fails because the RADIUS servers are unreachable.
Configuring authorized as the secondary authentication method used when there is a failure accessing the RADIUS servers allows clients to access the network unconditionally. Use this method with care. Here is an example of the show authentication command displaying authorized as the secondary authentication method for port-access, web-based authentication access, and MAC authentication access. Since the configuration of authorized means no authentication will be performed and the client has unconditional access to the network, the "Enable Primary" and "Enable Secondary" fields are not applicable (N/A).
Figure 20 Example of AAA authentication using authorized for the secondary authentication method
Suppose you already configured local passwords on the switch, but want RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (the switch local passwords): Figure 21 Example configuration for RADIUS authentication
171
Aruba 2930M/F | Access Security Guide
If you configure the Login Primary method as local instead of radius (and local passwords are configured on the switch), then clients connected to your network can gain access to either the operator or manager level without encountering the RADIUS authentication specified for Enable Primary. See Local authentication process (RADIUS) on page 185.
Enabling manager access privilege (optional)
In the default RADIUS operation, the switch automatically admits any authenticated client to the login (operator) privilege level, even if the RADIUS server specifies enable (manager) access for that client. Thus, an authenticated user authorized for the manager privilege level must authenticate again to change privilege levels. Using the optional login privilege-mode command overrides this default behavior for clients with enable access. That is, with privilege-mode enabled, the switch immediately allows enable (manager) access to a client for whom the RADIUS server specifies this access level.
Syntax
aaa authentication login privilege-mode no aaa authentication login privilege-mode When enabled, the switch reads the Service-Type field in the client authentication received from a RADIUS server. The following table describes the applicableService-Type values and corresponding client access levels the switch allows upon authentication by the server.
Table 13: Service-type value Service-type
Administrative-user NAS-prompt-user Any other type
Value 6 7 Any value except 6 or 7
Client access level manager operator Access Denied
This feature applies to console (serial port), Telnet, SSH, and WebAgent access to the switch. It does not apply to 802.1X port-access.
While this option is enabled, a Service-Type value other than 6 or 7, or an unconfigured (null) ServiceType causes the switch to deny access to the requesting client.
The no form of the command returns the switch to the default RADIUS authentication operation. The default behavior for most interfaces is that a client authorized by the RADIUS server for Enable (manager) access will be prompted twice, once for Login (operator) access and once for Enable access. In the default RADIUS authentication operation, the WebAgent requires only one successful authentication request. For more information on configuring the Service Type in your RADIUS application, see the documentation provided with the application.
Configuring the switch to access a RADIUS server
Configuring a RADIUS server to support web-based authentication and MAC Authentication require the following minimal commands: (See RADIUS Authentication, Authorization, and Accounting on page 164 for information on other RADIUS command options.)
Aruba 2930M/F | Access Security Guide
172
Syntax:
radius-server no radius-server [host <ip-addresss>]
Adds a server to the RADIUS configuration or, when no is used, deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (See RADIUS Authentication, Authorization, and Accounting on page 164). [key <global-key-string>]
Specifies the global encryption key the switch uses with servers for which the switch does not have a server specific key assignment (below). This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. The tilde (~) character is allowed in the string, for example, radius server key aruba~switch. It is not backward compatible; the "~" character is lost if you use a software version that does not support the "~" character.
(Default: Null.)
Syntax:
radius-server host <ip-address> key <server-specific key-string> no radius-server host <ip-address> key
Optional.
Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key, above. The tilde (~) character is allowed in the string. It is not backward compatible; the "~" character is lost if you use a software version that does not support the "~" character.
The no form of the command removes the key configured for a specific server.
For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server specific shared secret key of `1A7rd':
Configure the switch to access a RADIUS server
switch(config)# radius-server host 192.168.32.11 switch(config)# radius-server host 192.168.32.11 key 1A7rd switch(config)# show radius
Status and Counters - General RADIUS Information
Deadtime(min) : 0 Timeout(secs) : 5 Retransmit Attempts : 3 Global Encryption Key : Dynamic Authorization UDP Port :
Auth Acct DM/ Time
Server IP Addr Port Port CoA Window Encryption Key
--------------- ---- ---- --- ------ ---------------------
192.168.32.11 1812 1813
1A7rd
RADIUS server groups
Per-port RADIUS server group for MAC authentication Overview
173
Aruba 2930M/F | Access Security Guide
The RADIUS group is configured globally or assigned based on the authentication method (802.1x or MAC-based authentication). This feature associates a RADIUS server group to a particular port for MAC-based authentication.
When per port RADIUS group is configured for MAC-based authentication, the authentication requests for all the clients on that port are sent to the configured per-port RADIUS server group. When RADIUS server groups are configured at different levels, the order of priority for MAC authentication is:
1. Per port 2. Per Authentication 3. Global
To connect a RADIUS server with a server group, see Connecting a RADIUS server with a server group. The feature is only supported for MAC-based authentication for clients.
aaa port-access mac-based server-group
Syntax
aaa port-access mac-based <port-num> server-group <group-name> no aaa port-access mac-based <port-num> server-group <group-name>
Description
This command configures RADIUS server group per port for MAC authentication. The no form of this command removes RADIUS server group configured for MAC authentication.
Command context
config
Parameters
<port-num> Specifies port or port numbers for MAC based authentication.
<group-name> Specifies the RADIUS server group for MAC based authentication.
Example
switch(config)# aaa port-access mac-based 1/D17 server-group group1
switch(config)#show port-access mac-based 1/D17 config detailed
Port Access MAC-Based Detailed Configuration
Port
: 1/D17
MAC-based enabled : Yes
Client Limit : 2
Client Moves
: No
Logoff Period : 250
Re-Auth Period : 0
Unauth VLAN ID : 0
Auth VLAN ID
:0
Max Requests : 3
Quiet Period
: 60
Server Timeout : 300
RADIUS Server Group : group1
Configuring RADIUS server group for NAS-ID
When NAS-ID is configured on per RADIUS group, the configured NAS-ID is sent in the radius packets. If NASID is not configured, the host switch name is used as NAS-ID. The option to configure the NAS-ID per RADIUS server group is added in the command.
aaa server-group radius nas-id aaa server-group radius <group-name> nas-id <string>
Aruba 2930M/F | Access Security Guide
174
no aaa server-group radius <group-name> nas-id <string>
Description
The command configures NAS-ID for the RADIUS server group. The no form of this command removes NAS-ID configured for the RADIUS server group.
Command context
config
Parameters
<group-name> Specifies the name of a RADIUS server group . A maximum of 12 characters are allowed for the name of a server group.
<string> Sets NAS-ID for the a server group. A maximum of 32 characters are allowed for a NAS-ID.
Example
switch(config)#aaa server-group radius group1
host
Name of the server to be added to the server group
nas-id
NAS ID string to be added to the server group
switch(config)#aaa server-group radius group1 nas-id
ASCII-STR Enter an ASCII string
switch(config)#aaa server-group radius group1 nas-id cppm-mac-auth-clients
Configuring the switch global RADIUS parameters
Configure the switch for the following global RADIUS parameters:
n Number of login attempts: Specifies how many tries at entering the correct username and password pair are allowed before access is denied and the session terminated. Number of login attempts is a general aaa authentication parameter and is not specific to RADIUS.
n Global server key: The server key the switch uses for contacts with all RADIUS servers for which there is not a server-specific key configured by radius-server host <ip-address> key <key-string>. This key is optional if you configure a server-specific key for each RADIUS server entered in the switch.
n Server timeout: Defines the time period in seconds for authentication attempts. If the timeout period expires before a response is received, the attempt fails.
n Server dead time: Specifies the time in minutes during which the switch avoids requesting authentication from a server that has not responded to previous requests.
n Retransmit attempts: If the first attempt to contact a RADIUS server fails, retransmit attempts specifies how many retries to allow the switch to attempt on that server.
n Change of Authorization port: The dyn-autz-port parameter specifies the UDP port number that listens for the Change of Authorization and Disconnect messages. The UDP port range is 1024-49151. The default port is 3799.
Syntax
aaa authentication num-attempts <1-10>
175
Aruba 2930M/F | Access Security Guide
Specifies how many tries for entering the correct username and password are allowed before shutting down the session due to input errors. Default: 3; Range: 110. radius-server no radius-server key <global-key-string> Specifies the global encryption key the switch uses with servers for which the switch does not have a serverspecific key assignment. This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. Default: Null. [encrypted-key <global-key-string>] Global encryption key, specified using a base64encoded aes-256 encrypted string. dead-time <1-1440> Optional. Specifies the time in minutes during which the switch will not attempt to use a RADIUS server that has not responded to an earlier authentication attempt. Default: 0; Range: 11440 minute dyn-autz-port <1024-49151> Specifies the UDP port number that listens for Change of Authorization or Disconnect messages. The range of ports is 102449151. Default: 3799 radius-server timeout <1-15> Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure. Default: 5 seconds; Range: 115 seconds radius-server retransmit <1-5> If a RADIUS server fails to respond to an authentication request, specifies how many retries to attempt before closing the session. Default: 3; Range: 15
To calculate RADIUS timeout value, use equation:
((radius-server retransmit + 1) * radius-server timeout)*number of RADIUS servers configured)
If three RADIUS servers are configured with default values of radius-server timeout and radiusserver retransmit, the RADIUS timeout value will be ((3+1)*5)*3 = 60 seconds.
To apply secondary authentication methods (authorized or cached reauthentication) successfully, radiusserver timeout value (as per the equation) must be lesser than the server-timeout value. If radius-server timeout value is higher than the server timeout value, the client will be placed in timed out-unauth vlan(if unauth-vid is configured) or timed out-no vlan state after trying for max-requests(default value is 3).
Where the switch has multiple RADIUS servers configured to support authentication requests, if the first server fails to respond, then the switch tries the next server in the list, and so-on. If none of the servers respond, then the switch attempts to use the secondary authentication method configured for the type of access being attempted (console, Telnet, or SSH). For more information, see the Troubleshooting chapter of the management and configuration guide for your switch.
Example
Aruba 2930M/F | Access Security Guide
176
Suppose that your switch is configured to use three RADIUS servers for authenticating access through Telnet and SSH. Two of these servers use the same encryption key. In this case the plan is to configure the switch with the following global authentication parameters:
n Allow only two tries to correctly enter username and password. n Use the global encryption key to support the two servers that use the same key. (For this example, assume
that you did not configure these two servers with a server-specific key.) n Use a dead time of five minutes for a server that fails to respond to an authentication request. n Allow three seconds for request timeouts. n Allow two retries following a request that did not receive a response.
Global configuration exercise for RADIUS authentication
switch(config)# aaa authentication num-attempts 2 switch(config)# radius-server key My-Global-KEY-1099 switch(config)# radius-server dead-time 5 switch(config)# radius-server timeout 3 switch(config)# radius-server retransmit 2 switch(config)# write mem
Figure 22 Global RADIUS parameters configured in Global configuration exercise for RADIUS authentication
177
Aruba 2930M/F | Access Security Guide
Using multiple RADIUS server groups
The authentication and accounting features on the switch can use up to fifteen RADIUS servers and these servers can be put into groups. Up to 5 groups of 3 RADIUS servers each can be configured. The authentication and accounting features can choose which RADIUS server group to communicate with. End-user authentication methods (802.1X, MAC-based and web-based) can authenticate with different RADIUS servers from the management interface authentication methods (console, telnet, ssh, web).
Several commands are used to support the RADIUS server group option. The RADIUS server must be configured before it can be added to a group. See Configuring the switch for RADIUS authentication on page 169 for more information.
Figure 23 RADIUS server group command output
Connecting a RADIUS server with a server group
Syntax
radius-server host <FQDN | IP-ADDR | IPV6-ADDR> no radius-server host <FQDN | IP-ADDR | IPV6-ADDR> This command adds a server to the RADIUS configuration. No form of the command deletes a server from the configuration. You can configure up to 15 RADIUS server IP addresses. The switch uses the successfully accessed RADIUS server.
Syntax
aaa server-group radius <group-name> host <FQDN | IP-ADDR | IPV6-ADDR> tls no aaa server-group radius <group-name> host <FQDN | IP-ADDR | IPV6-ADDR> tls This command associates a RADIUS server with a server group. Each group can contain up to three RADIUS servers. The default group (called RADIUS'), can only contain the first three RADIUS servers. The default group cannot be edited. The no form of the command removes the RADIUS server with the indicated IP address from the server group. If that server was the last entry in the group, the group is removed. radius <group-name> The group name of the RADIUS server group. The name has a maximum length of 12 characters. Up to five groups can be configured with the maximum of three RADIUS servers in each group. The first group slot is used by the default group. host <FQDN | IP-ADDR | IPV6-ADDR> The IP address of the RADIUS server is used. tls Specifies the RADIUS server with TLS connection.
Aruba 2930M/F | Access Security Guide
178
Configuring the primary password authentication method for console, Telnet, SSH and WebAgent
The following commands have the server-group option. If no server-group is specified, the default RADIUS group is used. The server group must already be configured.
The last RADIUS server in a server group cannot be deleted if any authentication or accounting method is using the server group.
Syntax:
aaa authentication <console|telnet|ssh|web> <enable|[login <local]|radius [server-group <group-name>|local|none|authorized] Configures the primary password authentication method for console, Telnet, SSH, and the WebAgent. {<local | radius>} Primary authentication method. Default: local <local|radius> Use either the local switch user/password database or a RADIUS server for authentication. <server-group <group-name>> Specifies the server group to use. [local|none|authorized] Provides options for secondary authentication. Default: none Note that for console access, secondary authentication must be local if primary access is not local. This prevents being locked out of the switch in the event of a failure in other access methods.
Configuring the primary password authentication method for port-access, MAC-based, and web-based access
Syntax:
aaa authentication <port-access <local|eap-radius|chap-radius>|<mac-based|web-based|<chapradius|peap-mschapv2> [none|authorized|server-group|<group-name>]>> Configures the primary authentication method for port-access, MAC-based, or web-based access. mac-based|web-based <chap-radius|peap-mschapv2> Password authentication for web-based or MAC-based port access to the switch. Use peap-mschapv2 for password verification without requiring access to a plain text password; it is more secure. Default: chap-radius port-access <local|eap-radius|chap-radius> Configures local, chap-radius (MD5), or eap-radius as the primary password authentication method for port-access. Default primary authentication: local. [none|authorized|server-group <group-name>] none: No backup authentication method is used. authorized: Allow access without authentication server-group <group-name>: Specifies the server group to use with RADIUS.
Syntax:
179
Aruba 2930M/F | Access Security Guide
aaa accounting <exec|network|system|commands| <start-stop|stop-only> radius [server-group <group-name>] Configures accounting type and how data will be sent to the RADIUS server.
radius
Uses RADIUS protocol as accounting method.
server-group <group-name>
Specifies the server group to use with RADIUS.
Viewing RADIUS server group information
Syntax:
show server-group radius Displays the same information as the show radius command, but displays the servers in their server groups.
Output from the show server-group radius command
switch(config)# show server-group radius Status and Counters - AAA Server Groups
Group Name: radius
Auth Acct DM/ Time
Server IP Addr Port Port CoA Window Encryption Key
--------------- ----- ----- ---- ------- --------------------
192.168.1.3
1812 1813 No 300
default_key
192.168.3.3
1812 1813 No 300
grp2_key
192.172.4.5
1812 1813 No 300
grp2_key
192.173.6.7
1812 1813 No 300
grp2_key
Group Name: group2
Auth Acct DM/ Time
Server IP Addr Port Port CoA Window Encryption Key
--------------- ----- ----- ---- ------- --------------------
192.168.3.3
1812 1813 No 300
grp2_key
192.172.4.5
1812 1813 No 300
grp2_key
192.173.6.7
1812 1813 No 300
grp2_key
Group Name: group3
Auth Acct DM/ Time
Server IP Addr Port Port CoA Window Encryption Key
--------------- ----- ----- ---- ------- --------------------
192.168.30.3 1812 1813 No 300
grp3_key
192.172.40.5 1812 1813 No 300
grp3_key
192.173.60.7 1812 1813 No 300
grp3_key
Output from the show authentication command
switch(config)# show authentication
Status and Counters - Authentication Information
Login Attempts : 3 Respect Privilege : Disabled
| Login
Login
Login
Access Task | Primary Server Group Secondary
----------- + ---------- ------------ ----------
Console
| Local
radius
None
Aruba 2930M/F | Access Security Guide
180
Telnet
| Local
radius
Port-Access | Local
Webui
| Local
SSH
| Local
Web-Auth | ChapRadius group3
MAC-Auth | ChapRadius group3
None None None None None None
| Enable
Enable
Enable
Access Task | Primary Server Group Secondary
----------- + ---------- ------------ ----------
Console
| Local
radius
None
Telnet
| Radius
group2
None
Webui
| Local
None
SSH
| Local
None
Output from the show accounting command
switch(config)# show accounting
Status and Counters - Accounting Information
Interval(min) : 0 Suppress Empty User : No Sessions Identification : Unique
Type
| Method Mode
Server Group
-------- + ------ ---------- ------------
Network | None
Exec
| Radius Start-Stop group2
System | Radius Stop-Only group2
Commands | Radius Start-Stop radius
Using SNMP to view and configure switch authentication features
SNMP MIB object access is available for switch authentication configuration (hpSwitchAuth) features. This means that the switches covered by this guide allow, by default, manager-only SNMP read/write access to a subset of the authentication MIB objects for the following features:
n Number of primary and secondary login and enable attempts n TACACS+ server configuration and status n RADIUS server configuration n Selected 802.1X settings n Key management subsystem chain configuration n Key management subsystem key configuration n Local switch operator and manager usernames and passwords
With SNMP access to the hpSwitchAuth MIB enabled, a device with management access to the switch can view the configuration for the authentication features listed above (excluding usernames, passwords, and keys). Using SNMP sets, a management device can change the authentication configuration (including changes to usernames, passwords and keys). operator read/write access to the authentication MIB is always denied.
181
Aruba 2930M/F | Access Security Guide
Regarding Security: All usernames, passwords, and keys configured in the hpSwitchAuth MIB are not returned through SNMP, and the response to SNMP queries for such information is a null string. However, SNMP sets can be used to configure username, password, and key MIB objects.
To help prevent unauthorized access to the switch authentication MIB, Hewlett Packard Enterprise recommends following the reviewing Viewing and changing the SNMP access configuration on page 182.
If you do not want to use SNMP access to the switch authentication configuration MIB, then use the snmp-server mib hpswitchauthmib excluded command to disable this access, as described in the next section.
If you choose to leave SNMP access to the security MIB open (the default setting), Hewlett Packard Enterprise recommends that you configure the switch with the SNMP version 3 management and access security feature, and disable SNMP version 2c access. See "SNMP access to the authentication configuration MIB on page 22."
Viewing and changing the SNMP access configuration
Syntax:
snmp-server mib hpswitchauthmib <excluded|included> included Enables manager-level SNMP read/write access to the switch authentication configuration (hpSwitchAuth) MIB. excluded Disables manager-level SNMP read/write access to the switch authentication configuration (hpSwitchAuth) MIB. Default: included
Syntax:
show snmp-server The output for this command has been enhanced to display the current access status of the switch authentication configuration MIB in the Excluded MIBs field.
Example:
To disable SNMP access to the switch authentication MIB and then display the result in the Excluded MIB field, execute the following two commands.
Aruba 2930M/F | Access Security Guide
182
Figure 24 Disabling SNMP access to the authentication MIB and displaying the result
An alternate method of determining the current Authentication MIB access state is to use the show run command.
Figure 25 Using the show run command to view the current authentication MIB access state
Enabling TRAPS for specified events
Configuring event-list
To enable traps for specified events, user needs to define an event-list map like vid/port map that can also be stored in config-record.
hpicfSwitchSnmpEnabledTrapEventList OBJECT-TYPE
This mib cli command is used to configure the event-list that will be send as trap together with RMON logging.
183
Aruba 2930M/F | Access Security Guide
n A maximum of 100 events can be configured to enable SNMP traps. n By default, all the events will be sent as a SNMP trap together with RMON logging. But once this
object is configured, trap will be sent for only the specified events and RMON logging will be continued for all events.
Enable TRAPS for event-list
By default, all events are sent as SNMP trap along with the logging in the system.
When many traps are reported, it is difficult to filter out a particular trap from all trap messages. This CLI command provides the option to enable the traps only for the required events.
Syntax
snmp-server enable traps event-list <EVENT-LIST-STR>
Description
This command enables traps for specified events. Enter the event-list as a range, separated by commas, or both. When the event-list is configured, trap will be sent only for the specified events.
A maximum of 100 events can be configured to enable SNMP Traps.
setmib command overrides the configuration of snmp-server enable traps event-list command for the specified event ids. If the override operation occurrs, then the following RMON message will be logged with respective event id:
setmib command overrides the configuration of "snmp-server enable traps eventlist" for event id: %d
Example
Output of show running-config
hostname "Aruba-3810M-48G-1-slot" module 1 type jl072x module 2 type jl072y flexible-module A type JL083A snmp-server community "public" unrestricted no snmp-server enable traps event-list 1-9,101-8000 snmp-server enable traps event-list 10-100 oobm
ip address dhcp-bootp exit vlan 1 name "DEFAULT_VLAN" untagged 1-48,A1-A4 ip address dhcp-bootp ipv6 enable ipv6 address dhcp full exit
Aruba 2930M/F | Access Security Guide
184
Local authentication process (RADIUS)
When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists:
n Local is the authentication option for the access method being used. n The switch has been configured to query one or more RADIUS servers for a primary authentication request,
but has not received a response, and Local is the configured secondary option.
For local authentication, the switch uses the operator-level and manager-level username/password set(s) previously configured locally on the switch. These are the usernames and passwords you configure using the CLI password command, the WebAgent, or the menu interface which enables only local password configuration.
n If the operator at the requesting terminal correctly enters the username/password pair for either access level (operator or manager), access is granted on the basis of which username/password pair was used. For example, suppose you configure Telnet primary access for RADIUS and Telnet secondary access for local. If a RADIUS access attempt fails, then you can still get access to either the operator or manager level of the switch by entering the correct username/password pair for the level you want to enter.
n If the username/password pair entered at the requesting terminal does not match either local username/password pair previously configured in the switch, access is denied. In this case, the terminal is again prompted to enter a username/password pair. In the default configuration, the switch allows up to three attempts. If the requesting terminal exhausts the attempt limit without a successful authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again.
Controlling WebAgent access
To help prevent unauthorized access through the WebAgent, do one or more of the following:
n Configure the switch to support RADIUS authentication for WebAgent access. l Configure local authentication (a manager user name and password and, optionally, an operator user name and password) on the switch. l Configure the switch's Authorized IP manager feature to allow WebAgent access only from authorized management stations. (The Authorized IP manager feature does not interfere with TACACS+ operation.) l Use one of the following methods to disable WebAgent access to the switch via http (Port 80): o CLI: no web-management o Menu Interface--From the Main menu, select the following: 2: Switch Configuration 1: System Information WebAgent Enabled: No
Commands Authorization
The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server sends the authorization information from the user's profile to the Network Access Server (NAS). After user authentication, the authorization information provided by the RADIUS server is stored on the NAS for the duration of the user's session. Changes in the user's authorization profile during this time is not effective until after the next authentication occurs.
185
Aruba 2930M/F | Access Security Guide
You can limit the services for a user by enabling AAA RADIUS authorization. The NAS uses the information set up on the RADIUS server to control the user's access to CLI commands.
Commands method is the authorization type implemented on the switches. In this method, the commands that are allowed on the client device for authenticated users are explicitly specified on the RADIUS server. This is done on a per-user or per-group basis.
Authorization will only be executed for commands entered from Telnet, SSH, or console sessions. The Web management interface is not supported.
By default, all users can execute a minimal set of commands, regardless of their authorization status. For example, commands to exit and logout. This minimal set of commands can prevent deadlock on the switch due to an error in the user's authorization profile on the RADIUS server.
Enabling authorization
Before you can create a role, you must enable the authorization commands for local users as follows:
1. Run the aaa authorization commands command.
2. Specify the local parameter.
Enabling authorization commands
# aaa authorization commands local
Viewing authorization information
Syntax:
show authorization
Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed.
The show authorization command
switch(config)# show authorization
Status and Counters - Authorization Information
Type
| Method
-------- + ------
Commands | RADIUS
Configuring commands authorization on a RADIUS server
Using Vendor Specific Attributes
Some RADIUS-based features implemented on switches use Vendor Specific Attributes (VSA) for information exchange with the RADIUS server. RADIUS Access-Accept packets sent to the switch may contain the vendorspecific information. The attributes supported with commands authorization are:
Aruba 2930M/F | Access Security Guide
186
n HP-Command-String: List of commands (regular expressions) that are permitted (or denied) execution by the user. The commands are delimited by semi-colons and must be between 1 and 249 characters in length. Multiple instances of this attribute may be present in Access-Accept packets. (A single instance may be present in Accounting-Request packets.)
n HP-Command-Exception: A flag that specifies whether the commands indicated by the HP-Command-String attribute are permitted or denied to the user. A zero (0) means permit all listed commands and deny all others; a one (1) means deny all listed commands and permit all other commands except the commands that enable other management interfaces, where configurations can be performed.
The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below.
Table 14: HP command string and exception
HP-commandstring
Not present
HP-commandexception
Not present
Not present
DenyListPermitOthers(1)
Not present Commands List Commands List Commands List
PermitListDenyOthers(0)
DenyListPermitOthers(1)
PermitListDenyOthers(0)
Not present
Empty Commands List
Empty Commands List
Empty Commands List
Not present
DenyListPermitOthers(1)
PermitListDenyOthers(0)
Description
If command authorization is enabled and the RADIUS server does not provide any authorization attributes in an Access-Accept packet, the user is denied access to the server. This message appears: "Access denied: no user's authorization info supplied by the RADIUS server."
Authenticated user is allowed to execute all commands except the commands that enable other management interfaces, where configurations can be performed.
Authenticated user can only execute a minimal set of commands (those that are available by default to any user).
Authenticated user may execute all commands except those in the Commands list.
Authenticated user can execute only those commands provided in the Commands List, plus the default commands.
Authenticated user can only execute commands from the Commands List, plus the default commands.
Authenticate user can only execute a minimal set of commands (those that are available by default to any user).
Authenticated user is allowed to execute all commands available on the switch.
Authenticate user can only execute a minimal set of commands (those that are available by default to any user).
By default, the following commands are not authorized because they enable other management interfaces, where configurations can be performed.
n Web management n Web management SSL n Menu
187
Aruba 2930M/F | Access Security Guide
n SetMIB n Testmode
To permit all the above listed commands, each command should be added explicitly to the permit list.
Example
steve Cleartext-Password := "testing" HP-Command-String += '.*', HP-Command-String += 'web-management', HP-Command-String += 'web-management ssl', HP-Command-Exception = Permit-List
You must configure the RADIUS server to provide support for the VSAs. There are multiple RADIUS server applications; the two examples below show how a dictionary file can be created to define the VSAs for that RADIUS server application.
Example configuration using FreeRADIUS
Procedure
1. Create a dictionary file (for example, dictionary.hp) containing VSA definitions. An example file is: Figure 26 Example dictionary file
2. Find the location of the dictionary files used by FreeRADIUS (try /usr/local/share/freeradius). 3. Copy dictionary.hp to that location. Open the existing dictionary file and add this entry:
$ INCLUDE dictionary.hp 4. You can now use VSAs with other attributes when configuring user entries.
Aruba 2930M/F | Access Security Guide
188
Dynamic port access auth via RADIUS
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
Configuring the RADIUS VSAs
Only RADIUS-authenticated port-access clients will be able to dynamically change the port access settings using the new proprietary RADIUS VSAs. The settings that can be overridden are:
n Client limit (address limit with mac-based port access)
n Disabling the port-access types
n Setting the port mode in which 802.1X is operating
If the VSA client limit decreases the switch configured client limit, all clients except the client that is overriding the settings is deauthenticated. Only one client session at a time can override the port-access settings on a port. When the client session is deauthenticated, the port resets itself to the configured settings. This port reset causes the deauthentication of all clients for the port-access authentication types that had their settings changed dynamically. The new VSAs are:
n HP-Port-Client-Limit-Dot1x: This VSA temporarily alters the 802.1X authentication client limit to the value contained in the VSA. Values range from 0 to 32 clients. A zero client limit means this VSA is disabled. This is a VSA with a value of 10.
n HP-Port-Client-Limit-MA: This VSA temporarily alters the MAC authentication client limit to the value contained in the VSA. Values range from 0 to 256 clients. A zero client limit means this VSA is disabled. This is a VSA with a value of 11.
n HP-Port-Client-Limit-WA: This VSA temporarily alters the web-based authentication client limit to the value contained in the VSA. Values range from 0 to 256 clients. A zero client limit means this VSA is disabled. This is a VSA with a value of 12.
n HP-Port-Auth-Mode-Dot1x: This VSA temporarily alters the 802.1X authentication mode to be either portbased or user-based depending on the value in the VSA. A port-based VSA is set with a value of 1; a userbased VSA is set with a value of 2. This is a VSA with a value of 13. If an 802.1X port is operating in portbased mode, it is invalid to set the 802.1X client limit using the HP-Port-Client-Limit VSA.
The changing of the client limits for a port using VSAs is temporary. The running configuration file is not changed and still displays the client limit and address limit settings.
Each authentication type may have a unique value for the client limit. If the value of the VSA is zero, the authentication type corresponding to that VSA will be disabled. Settings for these VSAs are in effect for the duration of the authenticated session of the downstream supplicant switch. If for any reason there is a loss of the session (link loss between authenticator switch and supplicant switch, or authentication failure during reauthentication), the originally configured 802.1X and MAC authentication limits are restored.
189
Aruba 2930M/F | Access Security Guide
Viewing port-access information
The show port-access summary command displays the dynamically changed client limit settings.
Syntax:
show port-access summary [radius-overridden] Displays summary configuration information for all ports, including the ports that have client limits set by RADIUS VSAs. radius-overridden: Displays only the ports with client limits that are overridden by RADIUS attributes.
If the command no aaa port-access authentication <port-list> client-limit is executed, the port access is in port-mode. If the 802.1X client-limit is configured with a value from 1-32, the port access is in user-mode.
Summary configuration information
Port Access Status Summary
Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Use LLDP data to authenticate [No] : No
| Authenticator
| Web Auth |
MAC Auth
| Local MAC
Port | Enable Mode Limit | Enable Limit | Enable Mode Limit | Enable Limit
----- - ----- ----- ------ - ------ ----- - ------ ------ ----- - ------ ---
1 | No
Port 0
| No
1
| No
Port 1
| No
1
2 | No
Port 0
| No
1
| No
User 1
| No
1
3 | No
Port 0
| No
1
| No
User 1
| No
1
4 | No
Port 0
| No
1
| No
User 1
| No
1
5 | No
Port 0
| No
1
| No
User 1
| No
1
6 | No
Port 0
| No
1
| No
User 1
| No
1
To display the configuration information for just those ports that are dynamically overridden by RADIUS attributes, use the show port-access summary radius-overridden command.
Output for client-limit values that are RADIUS overridden
switch(config)# show port-access summary radius-overridden Port Access Status Summary
Port-access authenticator activated [No} : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Note: * indicates values dynamically overridden by RADIUS
Authenticator
Web Auth
MAC Auth
Port Enabled Mode Limit Enabled Limit Enabled Limit
---- + ------- ---- ----- + ------- ----- + ------- -----
1 | Yes
user* 1* | Yes
1 | Yes
1
2 | Yes
user 32 | Yes
32* | Yes 32
4 | No
port 1 | No
1 | No*
1
Aruba 2930M/F | Access Security Guide
190
Operating notes
n Only RADIUS authentication supports the new VSAs. Other authentication types, such as TACACS, are not supported.
n If the RADIUS server delivers a new VSA to an authenticator switch that does not understand it, the AccessAccept message is accepted and the new VSA is ignored by the switch.
n If the RADIUS server delivers a new VSA to an authenticator switch that does not understand it, the AccessAccept message is rejected.
VLAN assignment in an authentication session
A switch supports concurrent 802.1X and either web-based or MAC authentication sessions on a port (with up to 32 clients allowed). If you have configured RADIUS as the primary authentication method for a type of access, when a client authenticates on a port, the RADIUS server assigns an untagged VLAN that is statically configured on the switch for use in the authentication session. See the documentation provided with the RADIUS server application.) If a switch port is configured to accept multiple 802.1X and/or web-based or MAC authentication client sessions, all authenticated clients must use the same port-based, untagged VLAN membership assigned for the earliest, currently active client session. On a port where one or more authenticated client sessions are already running, all clients are on the same untagged VLAN. If the RADIUS server subsequently authenticates a new client, but attempts to re-assign the port to a different, untagged VLAN than the one already in use for the previously existing, authenticated client sessions, the connection for the new client will fail.
Tagged and untagged VLAN attributes
When you configure a user profile on a RADIUS server to assign a VLAN to an authenticated client, you can use either the VLAN name or VLAN ID (VID) number. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either "100" or "vlan100" to specify the VLAN. After the RADIUS server validates a client username and password, the RADIUS server returns an AccessAccept packet that contains the VLAN assignment and the following attributes for use in the authentication session:
n Egress-VLANID: Configures an optional, egress VLAN ID for either tagged or untagged packets (RFC 4675).
n Egress-VLAN-Name: Configures an optional, egress VLAN for either tagged or untagged packets when the VLAN ID is not known (RFC 4675).
n Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID: Tunnel attributes that specify an untagged VLAN assignment (RFC 3580).Tunnel (untagged VLAN) attributes may be included in the same RADIUS packet as the Egress-VLANID and Egress-VLAN-Name attributes. These attributes are not mutually exclusive.
The switch processes the VLAN information returned from the remote RADIUS server for each successfully 802.1X-, web-based, and MAC authenticated client (user). The VLAN information is part of the user profile stored in the RADIUS server database and is applied if the VLANs exist on the switch.
191
Aruba 2930M/F | Access Security Guide
Additional RADIUS attributes
These attributes are included in Access-Request and Access-Accounting packets sent from the switch to the RADIUS server, advertising switch capabilities, reporting authentication session information, and dynamically reconfiguring authentication parameters:
n MS-RAS-Vendor (RFC 2548): Allows switches to inform a Microsoft RADIUS server that the switches are from Hewlett Packard Enterprise Networking. This feature assists the RADIUS server in its network configuration.
n HP-capability-advert: The RADIUS attribute that allows a switch to advertise its current capabilities to the RADIUS server for port-based (MAC, Web, or 802.1X) authentication; for example, VSAs for port QoS, ingress rate-limiting, RFC 4675 QoS and VLAN attributes, and RFC 3580 VLAN-related attributes. The RADIUS server uses this information to make a more intelligent policy decision on the configuration settings to return to the switch for a client session.
n HP-acct-terminate-cause: The RADIUS accounting attribute that allows a switch to report to the RADIUS server why an authentication session was terminated. This information allows customers to diagnose network operational problems and generate reports on terminated sessions. This attribute provides extended information on the statistics provided by the acct-terminate-cause attribute.
n Change-of-Authorization (CoA) (RFC 3576: Dynamic Authorization Extensions to RADIUS): A mechanism that allows a RADIUS server to dynamically disconnect messages (DM) or change the authorization parameters (such as VLAN assignment) used in an active client session on the switch. The switch (NAS) does not have to initiate the exchange. For example, for security reasons you may want to limit the network services granted to an authenticated user. In this case, you can change the user profile on the RADIUS server and have the new authorization settings take effect immediately in the active client session. The Change-ofAuthorization attribute provides the mechanism to dynamically update an active client session with a new user policy that is sent in RADIUS packets.
Output for dynamic authorization configuration
switch(config)# show radius dyn-authorization
Status and Counters - RADIUS Dynamic Authorization Information
NAS Identifier : LAB-8212 Invalid Client Addresses (CoA-Reqs) : 0 Invalid Client Addresses (Disc-Reqs) : 0
Disc
Disc
Disc
CoA
CoA
CoA
Client IP Addr Reqs
ACKs
NAKs
Reqs
ACKs
NAKs
--------------- -------- -------- -------- -------- -------- --------
154.34.23.106 1
1
0
2
2
0
154.45.234.12 2
1
1
3
3
0
Output showing dynamic authorization statistics
switch(config)# show radius host 154.23.45.111 dyn-authorization Status and Counters - RADIUS Dynamic Authorization Information
Authorization Client IP Address : 154.23.45.111 Unknown PKT Types Received : 0
Disc-Reqs
:2
Disc-Reqs Authorize Only : 0
Disc-ACKs
:2
Disc-NAKs
:0
CoA-Reqs
:1
CoA-Reqs Authorize Only : 0
CoA-ACKs
:1
CoA-NAKs
:0
Aruba 2930M/F | Access Security Guide
192
Disc-NAKs Authorize Only : 0
Disc-NAKs No Ses. Found : 0
Disc-Reqs Ses. Removed : 0
Disc-Reqs Malformed
:0
Disc-Reqs Bad Authentic. : 0
Disc-Reqs Dropped
:0
CoA-NAKs Authorize Only : 0
CoA-NAKs No Ses. Found : 0
CoA-Reqs Ses. Changed : 0
CoA-Reqs Malformed
:0
CoA-Reqs Bad Authentic. : 0
CoA-Reqs Dropped
:0
MAC-based VLANs
MAC-Based VLANs (MBVs) allow multiple clients on a single switch port to receive different untagged VLAN assignments. VLAN assignment of untagged traffic is based on the source MAC address rather than the port. Clients receive their untagged VLAN assignment from the RADIUS server. This feature adheres to the requirement that if all known RADIUS attributes for a given client cannot be applied, the authentication request for that client must be rejected.
Both authenticated and unauthenticated clients can reside on the same port on different VLANs, but only if the mixed-mode configuration is enabled. This is not the default behavior. The normal operating behavior is not to allow unauthenticated clients on the port when at least one authenticated client is present on the port. If an unauthenticated client is present on the unauthorized VLAN and another client successfully authenticates on that port, the unauthenticated client is kicked off the port.
When an MBV cannot be applied due to a conflict with another client on that port, a message indicating VID arbitration error is logged.
When an MBV cannot be applied due to lack of resources, a message indicating lack of resources is logged.
The decision to use an MBV is made automatically if the hardware is capable and if the situation necessitates. If multiple clients authenticate on different untagged VLANs on hardware that does not support MBVs, the switch will reject all clients authorized on a VLAN different from the first client's VLAN - the first authenticated client sets the Port VID (PVID).
This feature has the side effect of allowing egress traffic from one client's VLAN to be accepted by all untagged clients on that port. For example, suppose that clients A and B are both on the same switch port, but on two different VLANs. If client A is subscribing to a multicast stream, then client B also receives that multicast traffic.
Accounting services
RADIUS accounting on the switch collects resource consumption data and forwards it to the RADIUS server. This data can be used for trend analysis, capacity planning, billing, auditing, and cost analysis.
Accounting service types
The switch supports four types of accounting services:
n Network accounting: Provides records containing the information listed below on clients directly connected to the switch and operating under Port-Based Access Control (802.1X):
n Acct-Session-Id n Acct-Status-Type n Acct-Terminate-Cause n Acct-Authentic n Acct-Delay-Time n Acct-Input-Packets
n Acct-Output-Packets n Acct-Input-Octets n Nas-Port n Acct-Output-Octets n Acct-Session-Time n User-Name
n Service-Type n NAS-IP-Address n NAS-Identifier n Calling-Station-Id n HP-acct-terminate-cause n MS-RAS-Vendor
193
Aruba 2930M/F | Access Security Guide
n Exec accounting:
Provides records holding the information listed below about login sessions (console, Telnet, and SSH) on the switch:
n Acct-Session-Id n Acct-Status-Type n Acct-Terminate-Cause n Acct-Authentic
n Acct-Delay-Time n Acct-Session-Time n User-Name n Service-Type
n NAS-IP-Address n NAS-Identifier n Calling-Station-Id n MS-RAS-Vendor
n System accounting:
Provides records containing the information listed below when system events occur on the switch, including system reset, system boot, and enabling or disabling of system accounting.
n Acct-Session-Id n Acct-Status-Type n Acct-Terminate-Cause n Acct-Authentic
n Acct-Delay-Time n Username n Service-Type n NAS-IP-Address
n NAS-Identifier n Calling-Station-Id n Acct-Session-Time n MS-RAS-Vendor
n Commands accounting: Provides records containing information on CLI command execution during user sessions.
n Acct-Session-Id n Acct-Status-Type n Service-Type n Acct-Authentic
n User-Name n NAS-IP-Address n NAS-Identifier n NAS-Port-Type
n Calling-Station-Id n HP-Command-String n Acct-Delay-Time
The switch forwards the accounting information it collects to the designated RADIUS server, where the information is formatted, stored, and managed by the server. For more information on this aspect of RADIUS accounting, see the documentation provided with your RADIUS server.
Operating rules for RADIUS accounting
n You can configure up to four types of accounting to run simultaneously: exec, system, network, and command.
n RADIUS servers used for accounting are also used for authentication. n The switch must be configured to access at least one RADIUS server. n RADIUS servers are accessed in the order in which their IP addresses were configured in the switch. Use
show radius to view the order. As long as the first server is accessible and responding to authentication requests from the switch, a second or third server will not be accessed. For more on this topic, see Changing RADIUS-server access order on page 207. n If access to a RADIUS server fails during a session, but after the client has been authenticated the switch continues to assume the server is available to receive accounting data. Thus, if server access fails during a session, it will not receive accounting data transmitted from the switch.
Aruba 2930M/F | Access Security Guide
194
Acct-Session-ID options in a management session
The switch can be configured to support either of the following options for the accounting service types used in a management session. (See Accounting service types on page 193.)
n Unique Acct-Session-ID for each accounting service type used in the same management session (the default)
n Same Acct-Session-ID for all accounting service types used in the same management session
Unique Acct-Session-ID operation
In the Unique mode (the default), the various service types running in a management session operate as parallel, independent processes. Thus, during a specific management session, a given service type has the same AcctSession-ID for all accounting actions for that service type. However, the Acct- Session-ID for each service type differs from the ID for the other types.
In Unique Acct-Session-ID operation, the Command service type is a special case in which the AcctSession-ID for each executed CLI command in the session is different from the IDs for other service types used in the session and also different for each CLI command executed during the session. That is, the ID for each successive CLI command in the session is sequentially incremented from the ID value assigned to the immediately preceding CLI command in that session.
195
Aruba 2930M/F | Access Security Guide
Figure 27 Example of accounting in the (default) unique mode
Common Acct-Session-ID operation
In this case, all service types running in a given management session operate as subprocesses of the same parent process, and the same Acct-Session-ID is used for accounting of all service types, including successive CLI commands.
Aruba 2930M/F | Access Security Guide
196
Figure 28 Example of accounting in common mode (with same session ID throughout)
Configuring RADIUS accounting
This procedure assumes: n RADIUS authentication is configured on the switch for one or more access methods n One or more RADIUS servers is configured to support the switch
Steps for configuring RADIUS accounting Procedure
1. Configure the switch for accessing a RADIUS server. You can configure up to three RADIUS servers (one primary, two backup). The switch operates on the assumption that a server can operate in both accounting and authentication mode. See the documentation for your RADIUS server application for additional information.
197
Aruba 2930M/F | Access Security Guide
n Use the same radius-server host command that you would use to configure RADIUS authentication.
n Provide the following: l A RADIUS server IP address. l Optional -- UDP destination port for authentication requests. Otherwise the switch assigns the default UDP port (1812; recommended). l Optional -- if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are designating, configure a server-specific key. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server. Default: null
2. Configure accounting types and the controls for sending reports to the RADIUS server. a. Accounting types: n exec n network n system n commands
b. Trigger for sending accounting reports to a RADIUS server: At session start and stop or only at session stop.
3. (Optional) Configure session blocking and interim updating options. a. Updating: Periodically update the accounting data for sessions-in-progress.
b. Suppress accounting: Block the accounting session for any unknown user with no username trying to access to the switch.
Configuring a switch to access a RADIUS server Before you configure the actual accounting parameters, configure the switch to use a RADIUS server. This process is outlined in Configuring the switch to access a RADIUS server on page 172. Repeat this now only if one of the following applies:
n The switch is not yet configured to use a RADIUS server n Your server data has changed n You need to specify a non-default UDP destination port for accounting requests
Switch operation expects a RADIUS server to accommodate both authentication and accounting.
Syntax
radius-server host <ip-address> no radius-server host <ip-address> Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. [acct-port < port-number >] Optional. Changes the UDP destination port for accounting requests to the specified RADIUS server. If you do not use this option, the switch automatically assigns the default accounting port number. (Default: 1813) [key < key-string >]
Aruba 2930M/F | Access Security Guide
198
Optional. Specifies an encryption key for use during accounting or authentication sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key.
If you save the config file using Xmodem or TFTP, the key information is not saved in the file. This causes RADIUS authentication to fail when the config file is loaded back onto the switch.
[encrypted-key < key-string >] Encryption key to use with the RADIUS server, specified using a base64-encoded aes-256 encrypted string.
Example
Suppose you want the switch to use the RADIUS server described below for both authentication and accounting purposes.
n IP address: 10.33.18.151 n A non-default UDP port number of 1750 for accounting.
For this example, assume that all other RADIUS authentication parameters for accessing this server are acceptable at their default settings, and RADIUS is already configured as an authentication method for one or more types of access to the switch (Telnet, Console, etc.). Because the radius-server command includes an acct-port keyword with a non-default UDP port number of 1750, the switch assigns this value as the UDP accounting port.
Configuring for a RADIUS server with a non-default accounting UDP port number
The radius-server command configures the switch to use a RADIUS server at IP address 10.33.18.151, with a non-default UDP accounting port of 1750, and a server-specific key of "source0151".
switch(config)# radius-server host 10.33.18.151 acct-port 1750 key source0151
switch(config)# write mem
switch(config)# show radius
Status and Counters - General RADIUS Information
Deadtime(min) : 0 Timeout(secs) : 5 Retransmit Attempts : 3 Global Encryption Key : Dynamic Authorization UDP Port : 3799
Auth Acct DM/ Time
Server IP Addr Port Port CoA Window Encryption Key
--------------- ---- ---- --- ------ -------------------
10.33.18.151 1812 1750 No 10
source0151
Reconfiguring the Acct-Session-ID operation (optional)
Syntax:
aaa accounting session-id <unique|common> Optional command to reconfigure the Acct-Session-ID mode to apply to the accounting service type records for a given management session. unique: Configures the switch to use a different Acct-Session-ID for each accounting service type. (Default setting)
199
Aruba 2930M/F | Access Security Guide
common: Configures the switch to apply the same Acct-Session-ID to all accounting service types in the same management session.
Figure 29 Accounting configured for the common option
Configure accounting types and controls for sending reports to the RADIUS server
Accounting service types to track Configure one or more accounting service types to track:
n Exec: Use exec if you want to collect accounting information on login sessions on the switch via the console, Telnet, or SSH.
n System: Use system if you want to collect accounting data when: l A system boot or reload occurs l System accounting is turned on or off
There is no time span associated with using the system option. It simply causes the switch to transmit whatever accounting data it currently has when one of the above events occurs.
n Network: Use network if you want to collect accounting information on 802.1X port-based-access to the network by users connected to the physical ports on the switch.
n Commands: When commands accounting is enabled, an accounting notice record is sent after the execution of each command.
Accounting controls These options are enabled separately, and define how the switch will send accounting data to a RADIUS server:
n Start-Stop: Applies to the exec, network, and system accounting service types: l Send a "start record accounting" notice at the beginning of the accounting session and a "stop record notice" at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type. l Do not wait for an acknowledgment.
Aruba 2930M/F | Access Security Guide
200
n Stop-Only: Applies to the network, exec, system, and command service types, as described below: l Send a stop record accounting notice at the end of the accounting session. The notice includes the latest data the switch has collected for the requested accounting type (network, exec, or system service types). For the commandsservice type, sends the "Stop" accounting notice after execution of each CLI command. l Do not wait for an acknowledgment. The system option always delivers stop-only operation because the switch sends the accumulated data only when there is a reboot, reload, or accounting on/off event.
n Interim-Update: Applies only to the command service type, and is intended for use when the optional common session ID is configured. Enabling interim-update in this case results in the command accounting records appearing as enclosed sub-parts of the exec service type record for a given management session. Using interim-update when the unique session ID is configured has no effect because in this case, the different service types appear as separate accounting processes with separate Acct-Session-ID values.
Configuring interim-update for Command accounting results in all commands being reported as "update" records, regardless of whether common or unique is configured for the accounting session ID.
Syntax
aaa accounting <exec|network|system> <start-stop|stop-only> <radius|syslog> no aaa accounting <exec|network|system> <start-stop|stop-only> <radius|syslog> aaa accounting command <stop-only|interim-only> <radius|syslog> no aaa accounting command <stop-only|interim-only> <radius|syslog> Configures RADIUS accounting service type and how data will be sent to the RADIUS server. <exec|network|system|command> Specifies an accounting service type to configure. See Accounting service types on page 193. start-stop: Applies to exec, network, and system accounting service types. stop-only: Applies to all accounting service types. radius: Uses RADIUS as the accounting period. syslog: Uses syslog as the accounting protocol. interim-update: Applies to the commands accounting service type.
Example:
To configure RADIUS accounting on the switch with start-stop for Exec functions, stop-only for system functions, and interim-update for commands functions.
Figure 30 Example of configuring accounting types and controls
Example:
201
Aruba 2930M/F | Access Security Guide
If the switch is configured with RADIUS accounting on the switch to use start-stop for Exec, System, and Command functions, there will be an "Accounting-On" record when the switch boots up and an "Accounting-Off" record when the switch reboots or reloads. (Assume that Acct-Session-Id is configured for common.)
Figure 31 Example of accounting session operation with "start-stop" enabled
Configuring session blocking and interim updating options (optional) These optional parameters give you additional control over accounting data.
n Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch to send periodic accounting record updates to a RADIUS server.
n Suppress: The switch can suppress accounting for an unknown user having no user name.
Syntax
aaa accounting update periodic <1-525600> no aaa accounting update periodic <1-525600> Sets the accounting update period for all accounting sessions on the switch. The no form disables the update function and resets the value to zero. Default: zero; disabled
Syntax
Aruba 2930M/F | Access Security Guide
202
aaa accounting suppress null-username no aaa accounting suppress null-username Disables accounting for unknown users having no username. Default: suppression disabled To continue the example in Accounting controls on page 200 , suppose you want the switch to:
n Send updates every 10 minutes on in-progress accounting sessions. n Block accounting for unknown users (no username).
Figure 32 Example of optional accounting update period and accounting suppression on unknown user
Viewing RADIUS statistics
General RADIUS statistics
Syntax
show radius [host <ip-addr>] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server's IP address must be configured in the switch, which. requires prior use of the radius-server host command. See Accounting services on page 193 for more information.
General RADIUS information from show radius command
switch# show radius
Status and Counters - General RADIUS Information
Deadtime(min) : 5 Timeout(secs) : 10 Retransmit Attempts : 2 Global Encryption Key : myg10balkey Dynamic Authorization UDP Port : 3799 Source IP Selection : Outgoing Interface
Auth Acct DM/ Time Server IP Addr Port Port CoA Window Encryption Key --------------- ---- ---- --- ------ -------------192.33.12.65 1812 1813 No 300 my65key
OOBM ---No
OOBM information is displayed only for switches that support OOBM.
RADIUS server information from the show radius host command
switch(config)# show radius host 192.33.12.65
203
Aruba 2930M/F | Access Security Guide
Status and Counters - RADIUS Server Information
Server IP Addr : 192.33.12.65
Authentication UDP Port : 1812
Round Trip Time
:2
Pending Requests
:0
Retransmissions
:0
Timeouts
:0
Malformed Responses
:0
Bad Authenticators
:0
Unknown Types
:0
Packets Dropped
:0
Access Requests
:2
Access Challenges
:0
Access Accepts
:0
Access Rejects
:0
Accounting UDP Port : 1813
Round Trip Time
:7
Pending Requests
:0
Retransmissions
:0
Timeouts
:0
Malformed Responses : 0
Bad Authenticators : 0
Unknown Types
:0
Packets Dropped
:0
Accounting Requests : 2
Accounting Responses : 2
Table 15: Values for show radius host output
Term Round Trip Time Pending Requests
Retransmissions
Timeouts
Malformed Responses
Bad Authenticators Unknown Types Packets Dropped Access Requests Accounting Requests
Definition
The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server.
The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response. This variable is incremented when an accounting-Request is sent and decremented due to receipt of an Accounting-Response, a timeout or a retransmission.
The number of RADIUS Accounting-Request packets retransmitted to this RADIUS accounting server. Retransmissions include retries where the Identifier and Acct-Delay have been updated, as well as those in which they remain the same.
The number of accounting timeouts to this server. After a timeout the client may retry to the same server, send to a different server, or give up. A retry to the same server is counted as a retransmit as well as a timeout. A send to a different server is counted as an Accounting-Request as well as a timeout.
The number of malformed RADIUS Accounting-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators and unknown types are not included as malformed accounting responses.
The number of RADIUS Accounting-Response packets which contained invalid authenticators received from this server.
The number of RADIUS packets of unknown type which were received from this server on the accounting port.
The number of RADIUS packets which were received from this server on the accounting port and dropped for some other reason.
The number of RADIUS Access-Requests the switch has sent since it was last rebooted. (Does not include retransmissions.)
The number of RADIUS Accounting-Request packets sent. This does not include retransmissions.
Aruba 2930M/F | Access Security Guide
204
Term Access Challenges Access Accepts Access Rejects Responses
Definition
The number of RADIUS Access-Challenge packets (valid or invalid) received from this server.
The number of RADIUS Access-Accept packets (valid or invalid) received from this server.
The number of RADIUS Access-Reject packets (valid or invalid) received from this server.
The number of RADIUS packets received on the accounting port from this server.
RADIUS authentication statistics
Syntax
show authentication
Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1X), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session. show radius authentication
Displays NAS identifier and data on the configured RADIUS server and the switch interactions with this server. Requires prior use of the radius-server host command to configure a RADIUS server IP address in the switch, see Accounting services.
Login attempt and primary/secondary authentication information from the show authentication command
switch(config)# show authentication
Status and Counters - Authentication Information
Login Attempts : 3 Respect Privilege : Disabled
| Login
Login
Login
Access Task | Primary Server Group Secondary
----------- + ---------- ------------ ----------
Console
| Local
None
Telnet
| Radius
None
Port-Access | Local
None
Webui
| Local
None
SSH
| Radius
None
Web-Auth | ChapRadius radius
None
MAC-Auth | ChapRadius radius
None
| Enable
Enable
Enable
Access Task | Primary Server Group Secondary
----------- + ---------- ------------ ----------
Console
| Local
None
Telnet
| Radius
None
Webui
| Local
None
SSH
| Radius
None
RADIUS authentication information from a specific server
205
Aruba 2930M/F | Access Security Guide
switch(config)# show radius authentication
Status and Counters - RADIUS Authentication Information
NAS Identifier : Networking Invalid Server Addresses : 0
UDP
Server IP Addr Port Timeouts Requests Challenges Accepts Rejects
-------------- ---- --------- --------- ---------- -------- -------
192.33.12.65 1812 0
2
0
2
0
RADIUS accounting statistics
Syntax
show accounting
Lists configured accounting interval, "Empty User" suppression status, session ID, accounting types, methods, and modes. show radius accounting
Lists accounting statistics for one or more RADIUS servers configured in the switch (using the radius-server host command). show accounting sessions
Lists the accounting sessions currently active on the switch.
Listing the accounting configuration in the switch
switch(config)# show accounting
Status and Counters - Accounting Information
Interval(min) : 5 Suppress Empty User : No Sessions Identification : Common
Type
| Method Mode
Server Group
-------- + ------ -------------- ------------
Network | None
Exec
| Radius Start-Stop
System | Radius Stop-Only
Commands | Radius Interim-Update
RADIUS accounting information for a specific server
switch(config)# show radius accounting
Status and Counters - RADIUS Accounting Information
NAS Identifier : Networking Invalid Server Addresses : 0
UDP
Server IP Addr Port Timeouts Requests Responses
--------------- ----- ---------- ---------- ----------
192.33.12.65 1813 0
1
1
Listing of active RADIUS accounting sessions on the switch
Aruba 2930M/F | Access Security Guide
206
switch(config)# show accounting sessions Active Accounted actions on SWITCH, User (n/a) Priv (n/a),
Acct-Session-Id 0x013E00000006, System Accounting record, 1:45:34 Elapsed system event 'Accounting On
Changing RADIUS-server access order
The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command.
When you add a server IP address, it is placed in the highest empty position in the list.
Adding or deleting a RADIUS server IP address leaves an empty position, but does not change the position of any other server addresses in the list. For example if you initially configure three server addresses, they are listed in the order in which you entered them. However, if you subsequently remove the second server address in the list and add a server address, the new address will be placed second in the list. Thus, to move up a server address in the list, you must delete it from the list, ensure that the position to which you want to move it is vacant, and then re-enter it. For example, suppose that you have already configured the following three RADIUS server IP addresses in the switch: Figure 33 Search order for accessing a RADIUS server
To exchange the positions of the addresses so that the server at 10.10.10.3 is the first choice and the server at 10.10.10.1 is the last, perform the following:
Procedure
1. Delete 10.10.10.3 from the list. This opens the third (lowest) position in the list. 2. Delete 10.10.10.1 from the list. This opens the first (highest) position in the list. 3. Re-enter 10.10.10.3. Because the switch places a newly entered address in the highest-available position,
this address becomes first in the list. 4. Re-enter 10.10.10.1. Because the only position open is the third position, this address becomes last in the
list.
207
Aruba 2930M/F | Access Security Guide
Figure 34 Example of new RADIUS server search order
Creating local privilege levels
This feature allows more granular localized control over user access when accessing the switch through the console or by telnet or SSH. Instead of allowing access to all commands with the "manager" command, or very restricted access with the "operator" command, the local access can be customized to allow the commands that the local account is authorized to execute. The new local accounts are in addition to and independent of the existing manager and operator accounts, with the exception that if a username is set for a manager or operator account, that name cannot be the same as any of the local user account names. To do this, groups are created that contain up to 16 user accounts. The group has a list of match commands that determine if that user is authorized to execute that command. Up to 100 local user accounts are supported. The local user accounts are stored in the configuration as an SHA1 hash, which is only displayed if "includecredentials" is enabled. A password is required for the local user accounts, but nothing else. There is one default group--operator. Users assigned to the operator group have only operator privileges. Applying the authorization group to a local user account only occurs if the user logs in using local as the primary authentication method and the aaa authorization commands local command has been executed. Authorization groups are not supported when the login method is set as secondary local authentication. These commands are authorized at all access levels:
n exit
n logout
n page
n redo
n repeat
n end
Configuring groups for local authorization
You must create a group for local authorization before you can assign local users to it. When creating the group, at least one command is created as part of that group. Typically, multiple commands are assigned to a group.
You must enable local authorization by executing aaa authorizationcommands local to use this feature.
To create a group, enter this command:
Aruba 2930M/F | Access Security Guide
208
Syntax:
aaa authorization group <group-name> <1-2147483647> match-command <command-string> <permit|deny> [log] no aaa authorization group <group-name> <1-2147483647> match-command <command-string> <permit|deny> [log] Create a local authorization group with the specified name. The name is case-sensitive and may not contain spaces. Duplicate names are not allowed. You can create a maximum of 16 groups. The name of the group can have a maximum of 16 characters. <1-2147483647>
The evaluation order for the match commands. match-command <command-string> The <command-string> is the CLI command. It must be surrounded in double quotes of it contains any spaces, for example, "vlan*".
The <command-string> is a POSIX regular expression and follows POSIX matching rules. For example, the "*" character means match the preceding character zero or more times, so ab*c will match "ac", "abc", "abbc", etc. The "." character means match any character, so ".*" would match anything, while the command string "aaa.*" would match commands that have "aaa" followed by zero or more characters. The "^" character means match to the beginning of the string, so "^aaa.*" would mean the string must start with "aaa" and can have anything after that. <permit|deny>
Either permit or deny execution of the command. [log]
Optional. Indicates the matching of such commands will generate an event log entry for either permitted or denied. Typically multiple commands are assigned to a group. Each command is entered on a separate line. Commands are evaluated in numerical order of the sequence number until a match is found, then the permit or deny action for that command is executed.
Commands are expanded before the comparison is done, for example, sh ver would be expanded to show version and then this command is compared against the command strings of the authorization group See example: Creating a local authorization group and assigning the commands authorized
When a command must be preceded by the execution of another command, then both commands need to be permitted for the command authorization group. For example, you must execute the configure command before you can enter the vlan context, so both commands must be permitted.
Configuring authorized commands for a group in the correct order
switch(config)# aaa authorization group Redgroup 100 match-command configure permit switch(config)# aaa authorization group Redgroup 200 match-command "vlan *" permit
Some commands cause the switch CLI to enter a special context, such as test mode, and the input is not processed by the normal CLI. Keyboard input is not checked against the command authorization group. If these special contexts are permitted, the user can proceed outside the control and logging of the command group configuration.
Creating a local authorization group and assigning the commands authorized
209
Aruba 2930M/F | Access Security Guide
switch(config)# aaa authorization group Bluegroup 100 match-command configure permit switch(config)# aaa authorization group Bluegroup 200 match-command telnet permit switch(config)# aaa authorization group Bluegroup 300 match-command menu permit
Configuring a local user for a group
Local manager user logins and authorized command configuration are mutually exclusive with RADIUS or TACACS authentication and with RADIUS authorization and accounting. To create a local user enter this command for the group with the appropriate authorizations.
Syntax:
aaa authorization local-user <username> group <group-name> password <plaintext|sha1> <password> no aaa authorization local-user <username> group <group-name> password <plaintext|sha1> <password> Defines a local user for a defined group. local-user <password> The local user being added to the authorization group. The username can have a maximum of 16 characters. It must not contain spaces and is case-sensitive. group <group-name> The authorization group the local user belongs to. The group must have been created already. password <plaintext|sha1 <password> The plaintext password string can have a maximum of 16 characters. It must not contain spaces and is casesensitive.
You are not allowed to actually enter the plaintext password in-line as part of the command; you will be prompted for it. The password is obscured when you enter it. The password is obscured when you enter it. This is similar to entering the password for the manager or operator.
If include-credentials is enabled, displaying the configuration shows the user passwords as SHA1 hash. If include-credentials is not enabled, then no password information is shown. If a user is assigned to a command group and the group is subsequently deleted, the user will have operator privileges.
Creating a local user for a group
switch(config)# aaa authentication local-user User1 group Redgroup password plaintext New password for User1: *******
Displaying command authorization information
To display information about users and command authorization for command groups, enter this command.
Syntax:
show authorization group [group-name] Displays information about users and command authorization for command groups. Specifying the group parameter without any group names displays information for all configured groups.
Aruba 2930M/F | Access Security Guide
210
Showing command information for all groups
switch(config)# show authorization group
Local Management Groups - Authorization Information
Group Name: Redgroup
Username ---------------User1 User2
Sequence # | Permission Command Expression Log
---------- + ---------- --------------------- -------
100
| Permit
configure
Disable
200
| Permit
vlan *
Disable
Group Name: Bluegroup
Username ---------------User3
Sequence # | Permission Command Expression Log
---------- + ---------- --------------------- -------
100
| Permit
configure
Disable
200
| Permit
telnet
Disable
300
| Permit
menu
Disable
Dynamic removal of authentication limits
In some situations, it is desirable to configure RADIUS attributes for downstream supplicant devices that allow dynamic removal of the 802.1X, MAC, and web-based authentication limits on the associated port of the authenticator switch. This eliminates the need to manually reconfigure ports associated with downstream 802.1X-capable devices, and MAC relay devices such as IP phones, on the authenticator switches. When the RADIUS authentication ages out, the authentication limits are dynamically restored. This enhancement allows a common port policy to be configured on all access ports by creating new RADIUS vendor-specific attributes (VSAs) that will dynamically override the authentication limits. The changes are always applied to the port on the authenticator switch associated with the supplicant being authenticated.
All the changes requested by the VSAs must be valid for the switch configuration. For example, if either MAC or web-based port access is configured while 802.1X port access is in client mode, a RADIUS client with a VSA to change the 802.1X port access to port-based mode is not allowed. 802.1X in port-based mode is not allowed with MAC or web-based port access types. However, if the authenticating client has VSAs to disable MAC and web-based authentication in conjunction with changing 802.1X to port-based mode, then client authentication is allowed.
Bypassing authentication
For deployments, where authentication is required, bypassing authentication for a subset of the devices is not recommended because it allows rogue devices to gain access into the internal network. However, in certain deployments where the chances of that happening are low and the potential security risk is acceptable, customers can use the following feature to bypass authentication for certain devices.
211
Aruba 2930M/F | Access Security Guide
Bypassing authentication for Aruba APs and custom devices
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
Configuration commands
aaa port-access lldp-bypass From within the configure context:
Syntax
aaa port-access lldp-bypass no aaa port-access lldp-bypass
Description
Configures LLDP bypass on the switch ports to bypass authentication for Aruba APs which sends special LLDP TLVs. When LLDP bypass is enabled on a port, it will behave as any other devices and bypass LLDP PDU for all device-profile enabled device. By default, LLDP bypass is disabled on the switch ports.
Usage
aaa port-access lldp-bypass <PORT-LIST> no aaa port-access lldp-bypass <PORT-LIST>
Enabling aaa port-access lldp-bypass disables authentication on the port. It is recommended to use aaa port-access device-identity bypass for bypass authentication, where multiple clients are connected per port. For more information, see aaa port-access device-identity bypass on page 215.
Show commands
show port-access lldp-bypass clients
Syntax
show port-access lldp-bypass clients
Description
Displays the clients which bypassed the authentication.
Parameter
<PORT-LIST> Show information for specified ports only.
Usage
show port-access lldp-bypass clients <PORT-LIST>
show port-access lldp-bypass clients
Aruba 2930M/F | Access Security Guide
212
switch(config)#show port-access lldp-bypass clients
Port Access lldp-bypass Client Status
Port
MAC Address
------- ----------------
A1
000005-010203
A2
010203-040506
Stackable switch: show port-access lldp-bypass clients
switch(config)#show port-access lldp-bypass clients
Port Access lldp-bypass Client Status
Port
MAC Address
------- ----------------
1/1
000005-010203
1/2
005056-bd7039
show port-access lldp-bypass clients A1
switch(config)#show port-access lldp-bypass clients A1
Port Access lldp-bypass Client Status
Port
MAC Address
------- ----------------
A1
000005-010203
Stackable switch: show port-access lldp-bypass clients 1/1
switch(config)#show port-access lldp-bypass clients 1/1
Port Access lldp-bypass Client Status
Port
MAC Address
------- ----------------
1/1
000005-010203
show port-access lldp-bypass config
Syntax
show port-access lldp-bypass config
Description
Displays the lldp-bypass configuration applied on all switch ports.
show port-access lldp-bypass config
switch(config)#show port-access lldp-bypass config
Port Access lldp-bypass Configuration
Port Enabled
------ ----------
A1
Yes
A2
Yes
A3
No
213
Aruba 2930M/F | Access Security Guide
A4
No
...
A24 No
F1
No
F2
No
F3
No
F24 No
Stackable switch: show port-access lldp-bypass config
switch(config)#show port-access lldp-bypass config
Port Access lldp-bypass Configuration Port Enabled ------ ---------1/1 Yes 1/2 Yes 1/3 No ... 1/52 No 2/1 No
2/26 No 3/1 No
3/26 No
Bypassing Authentication for VoIP Phones
Overview
Some deployments allow the authentication bypass of VoIP phones to help with emergency scenarios to prevent delaying of authentication due to RADIUS outage. The following sections detail how VoIP devices can be configured to be bypassed by identifying their CDP or LLDP signatures. Before enabling the CDP and LLDP bypass feature using device-identity, following configurations are required:
n Creation of device-identity: device-identity command has protocol type and values required for configuring bypass.
n Creation of device profile: A profile is a named collection of port settings applied as a group.
n Mode is introduced in device profile to specify that the device is connected as an infrastructure device or a multi host supported device.
switch(config)#device profile name
mode
Specify the type of port mode for device profile
switch(config)#device profile name mode
client-mode
Configure the device connected port as client mode
Port-mode
Configure the device connected port as Port mode
For device profile and device-identity configurations, see Management and Configuration Guide of your switch.
Devices that do not match the requisite profile are subjected to full authentication as configured on the switch.
Aruba 2930M/F | Access Security Guide
214
Configuring device-identity as CDP
device-identity name cdp type value device-identity name <name> cdp type <cdp-type> value <value> no device-identity name <name> cdp type <cdp-type> value <value>
Description
Configures device-identity using CDP protocol. The no form of this command disables CDP protocol.
Parameter name cdp-type value
Description Specifies the name of the device to be discovered.
Specifies the type in CDP packets.
Specifies the value of voip-vlan-query in CDP packets.
Examples
switch#device-identity
name
Specify name of the device to be discovered.
switch(config)#device-identity name
ASCII-STR
Enter an ASCII string.
switch(config)#device-identity name test
cdp
Configuring device identity using CDP protocol.
lldp
Use LLDP's organizational specific TLV type 127 to identify
device.
switch(config)#device-identity name test cdp
type
Specify the type in CDP.
switch(config)#device-identity name test cdp type
voip-vlan-query
Configure the CDP type as VoIP
switch(config)#device-identity name test cdp type voip-vlan-query
value
Specify the data in CDP.
switch(config)#device-identity name test cdp type voip-vlan-query value
VALUE-STR
Configure the CDP value.
switch(config)#show device-identity cdp Device Identity Configuration
Index Device name
Protocol
------ ---------------------- --------------
1
test
LLDP/ CDP
You can configure device-identity using LLDP. See Management and Configuration Guide of your switch.
aaa port-access device-identity bypass
aaa port-access device-identity <name> bypass <port-list> no aaa port-access device-identity <name> bypass <port-list>
215
Aruba 2930M/F | Access Security Guide
Description
Enables bypass on port using device-identity based on CDP/LLDP protocol. This command can be use to bypass authentication of either CDP protocol enable device or LLDP protocol enable device. Authentication will be triggered for those clients which are not matching the profiles.
The no form of this command disables bypass on port.
Parameter name port-list
Description
Enter the name of the device-identity to bypass the device.
Enter a port number, a list of ports or 'all' for all ports.
Examples
switch(config)#aaa port-access
device-identity
Configure device-identity on the switch ports to bypass
authentication.
switch(config)#aaa port-access device-identity name
ASCII-STR
Enter an ASCII string.
Switch(config)#aaa port-access device-identity name test
bypass
Configure bypass on the switch ports to bypass
authentication.
switch(config)#aaa port-access device-identity name test bypass
PORT-LIST
Enter a port number, a list of ports or 'all' for all
ports.
Configuration commands to authenticate PCs connected to VoIP devices.
One of the authentication bypass scenarios is PC behind VoIP phone where CDP based VoIP phones are bypassed but the PCs behind the phones need to be authenticated.
1. CDP configuration on Preshared mode: Following is the prerequisite command to detect VoIP phone using CDP on Aruba switches.
switch(config)#cdp mode pre-standard-voice
2. Voice VLAN configuration:
switch(config)#vlan 20 voice Above configuration sets voice VLAN as 20. 3. device-identity configuration: Policy must be defined to identify a specific device based on incoming packet signatures. voip-vlan-query value is set as 512 to detect CDP VoIP phones. MAC OUI and subtype are configured to match LLDP packets.
switch(config)#device-identity name < voip > cdp type voip-vlan-query value <512> switch(config)#device-identity name <voip> lldp oui <MAC-OUI> sub-type <integer>
device-identity configurations must be followed by interface enable or interface disable commands to help voip-vlan-query to detect device identity.
4. Authenticate PC connected to the VoIP device.
Aruba 2930M/F | Access Security Guide
216
Examples switch(config)#aaa port-access mac-based A7 switch(config)#aaa port-access mac-based A7 addr-limit 2
switch(config)#aaa port-access authenticator A7 switch(config)#aaa port-access authenticator A7 client-limit 2 switch(config)#aaa authentication port-access eap-radius switch(config)#aaa port-access authenticator active
5. Device profile configuration: Associate profile named legacy_phone to device policy type voip Examples switch(config)#device-profile name legacy_phone switch(device-profile)#tagged-vlan 20 switch(device-profile)#mode client-mode
switch(config)#device-profile device-type voip switch(device-viop)#associate legacy_phone switch(device-viop)#enable
6. Enable bypass on authenticating ports based on certain policies. Example switch(config)#aaa port-access device-identity voip bypass A7
Show commands
show port-access bypass
Syntax
show port-access bypass
Description
Shows port-access bypass status.
Examples
switch#show port-access bypass Port Access bypass Status
Port MAC Address ----- ----------------1/5 000cce-f1a8e6 1/3 002333-9bbbfa
show port-access bypass config
Syntax
show port-access bypass config
Description
Shows the bypass configuration on ports.
Example
217
Aruba 2930M/F | Access Security Guide
switch#show port-access bypass config Port Access bypass Configuration
Port Enabled ----- ------1/1 Yes 1/2 No 1/3 Yes 1/4 No 1/5 Yes 1/6 No 1/7 No 1/8 No
show port-access bypass clients
Syntax
show port-access bypass clients <ETHERNET PORT NO>
Description
Shows client status on a specific port.
Example
switch#show port-access bypass clients 1/1 Port Access bypass Client Status
Port MAC Address ----- ----------------1/1 111111-111111
switch#show port-access bypass clients 1/5 Port Access bypass Client Status
Port MAC Address ----- -----------------
1/5 000cce-f1a8e6
show device-identity
Syntax
show device-identity
Description
Shows device-identity details which are configured by using CDP or LLDP protocol.
Example
switch#show device-identity
Device Identity Configuration
Index Device name
Protocol
------ ---------------------- --------------
1
legacy_phone
LLDP/ CDP
Aruba 2930M/F | Access Security Guide
218
2
lldp_phones
3
aruba_ap
4
aruba_switch
LLDP LLDP LLDP
show device-identity cdp
Syntax
show device-identity cdp
Description
Shows device-identity details configured using CDP protocol.
Example
switch#show device-identity cdp
Device Identity Configuration
Index
:1
Device name : legacy_phone
Type
: voip-vlan-query
Value
: 512
show device-identity lldp
Syntax
show device-identity lldp
Description
Shows device-identity details configured using LLDP protocol.
Example
switch#show device-identity lldp Device Identity Configuration
Index Device name
Oui
Subtype
------ ---------------------- ---------- -------
1
legacy_phone
000000
0
2
lldp_phones
0012bb
1
3
aruba_ap
000b86
0
4
aruba_switch
0016b9
0
Sample configuration for PC connected to VoIP phone
Configuration commands to authenticate PCs connected to VoIP phones are compiled in the following section.
Example
switch(config)#power-over-ethernet pre-std-detect ports A7 switch(config)#cdp mode pre-standard-voice switch(config)#vlan 20 voice switch(config)#device-identity name voip cdp type voip-vlan-query value 512 switch(config)#aaa authentication port-access eap-radius switch(config)#aaa port-access authenticator active
219
Aruba 2930M/F | Access Security Guide
switch(config)#aaa port-access aaa port-access authenticator A7 switch(config)#aaa port-access authenticator A7 client-limit 2 switch(config)#device-profile name "legacy_phone" switch(device-profile)#tagged-vlan 20 switch(device-profile)#mode client-mode switch(device-profile)#exit switch(config)#device-profile device-type "voip" switch(device-voip)#associate "legacy_phone" switch(device-voip)#enable switch(device-voip)#exit switch(config)#interface a7 disable switch(config)#aaa port-access device-identity voip bypass A7 switch(config)#interface a7 enable
Messages related to RADIUS operation
Message Can't reach RADIUS server < x.x.x.x >.
No server(s) responding.
Not legal combination of authentication methods.
Meaning
A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch. If the server is accessible, then verify that the switch is using the correct encryption key and that the server is correctly configured to receive an authentication request from the switch.
The switch is configured for and attempting RADIUS authentication, however it is not receiving a response from a RADIUS server. Ensure that the switch is configured to access at least one RADIUS server. (Use show radius.) If you also see the message Can't reach RADIUS server < x.x.x.x > , try the suggestions listed for that message.
Indicates an attempt to configure local as both the primary and secondary authentication methods. If local is the primary method, then none must be the secondary method.
Supress LLDP MED network policy TLV transmission
aaa port-access mac-based | authenticator
Syntax
aaa port-access mac-based | authenticator [ <portnumber> unauth-vid <VLAN-ID> supressedlldp-nwpolicy ]
no aaa port-access mac-based | authenticator [ <portnumber> unauth-vid VLAN-ID<> supressedlldp-nwpolicy ]
Description
Suppresses the LLDP-MED (media endpoint devices) network policy TLV transmission for unauthenticated clients on unauth VLAN. For more information, refer LLDP-MED section from Management and Configuration Guide. The no form of this command disables the Suppression of LLDP MED network policy TLV transmission for unauthenticated clients on unauth VLAN.
Aruba 2930M/F | Access Security Guide
220
Command context
config
Parameters
port number Specifies the port number for mac-based or 802.1x authenticator.
Parameters
VLAN-ID Specifies the unauth-vid.
Example
When LLDP MED Network Policy TLV is supressed Media policy Vlan id is set to 0 or 4095. aaa port-access mac-based 1/a10 unauth-vid 100 supressed-lldp-nwpolicy
aaa port-access authenticator 1/a10 unauth-vid 100 supressed-lldp-nwpolicy
aaa port-access mac-based 1/a10 unauth-vid 0 supressed-lldp-nwpolicy
show lldp info remote-device 1/a10
LLDP Remote Device Information Detail
Local Port : 1/A10
ChassisType : local
ChassisId : SEP00EBD5CD9B80
PortType
: local
PortId
: Port 1
SysName
: IP Phone 7975
System Descr : SIP75.9-4-2-1S
PortDescr :
Pvid
:
System Capabilities Supported : telephone System Capabilities Enabled : telephone
Remote Management Address Type : ipv4 Address : 172.16.222.120
------------------------------------------------------------------------------
Local Port : 1/A10
ChassisType : network-address
ChassisId : 172.16.222.120
PortType
: local
PortId
: 00EBD5CD9B80:P1
SysName
: SEP00EBD5CD9B80
System Descr : IP Phone 7975G,V17, SIP75.9-4-2-1S
PortDescr : SW PORT
Pvid
:
System Capabilities Supported : bridge, telephone System Capabilities Enabled : bridge, telephone
Remote Management Address Type : ipv4
221
Aruba 2930M/F | Access Security Guide
Address : 172.16.222.120
MED Information Detail EndpointClass Media Policy Vlan id Media Policy Priority Media Policy Dscp Media Policy Tagged Poe Device Type Power Requested Power Source Power Priority
:Class3 :0 :5 :46 :False :PD :12.0 W :Unknown :Unknown
show lldp info remote-device 1/a10
LLDP Remote Device Information Detail
Local Port : 1/A10
ChassisType : local
ChassisId : SEP00EBD5CD9B80
PortType
: local
PortId
: Port 1
SysName
: IP Phone 7975
System Descr : SIP75.9-4-2-1S
PortDescr :
Pvid
:
System Capabilities Supported : telephone System Capabilities Enabled : telephone
Remote Management Address Type : ipv4 Address : 172.16.222.120
------------------------------------------------------------------------------
Local Port : 1/A10
ChassisType : network-address
ChassisId : 172.16.222.120
PortType
: local
PortId
: 00EBD5CD9B80:P1
SysName
: SEP00EBD5CD9B80
System Descr : IP Phone 7975G,V17, SIP75.9-4-2-1S
PortDescr : SW PORT
Pvid
:
System Capabilities Supported : bridge, telephone System Capabilities Enabled : bridge, telephone
Remote Management Address Type : ipv4 Address : 172.16.222.120
MED Information Detail EndpointClass Media Policy Vlan id Media Policy Priority Media Policy Dscp Media Policy Tagged Poe Device Type Power Requested Power Source Power Priority
:Class3 :4095 :5 :46 :False :PD :12.0 W :Unknown :Unknown
Aruba 2930M/F | Access Security Guide
222
Security event log
The Joint Interoperability Test Command (JITC) is a United States military organization that tests technology that pertains to multiple branches of the armed services and government. The JITC requires that access to security logs be provided through security user authentication.
Security user log access
Security user logs are accessible when both the authentication and authorization are local. A default group called the default-security-group is available in manager mode and has the privileges to execute the commands copy security-log, show security-logging and clear security-logging. When a security user is attached to the group, they will only be able to execute the three commands. Any other user will not be able to execute the commands, no matter whether they are an operator or manager.
Creating a security user
Syntax
aaa authentication local-user user1 group default-security-group password plaintext
Security user commands
Syntax
copy security-log sftp | tfp | xmodem user IP-Address <FILENAME-STR>
Syntax
show security-logging
Syntax
clear security-logging
Authentication and Authorization through RADIUS
For RADIUS authentication and authorization, the security user will be able to access to security log by configuring the file located on RADIUS server.
Accessing the security log
/etc/raddb/users steve Cleartext-Password := "testing" Service-Type = Administrative-User, HP-Command-Exception=0, HP-Command-String="copy security log;show security-logging;clear security-logging"
Authentication and Authorization through TACACS+
For TACACS+ authentication and authorization, the user can access to security log by configuring the file located on TACACS+ server.
Security user access for TACACS authentication and authorization
/etc/tacacs/tac_plus.cfg group = admin { # default service = permit
223
Aruba 2930M/F | Access Security Guide
service = exec { priv-lvl = 15 } cmd = copy security-log {
permit .* } cmd = copy show security-logging { permit .* } cmd = clear security-logging { permit .*
Restrictions
In the case of local authentication and authorization, the default-security-group group only applies to manager logins for CLI actions; menu interface and Web UI capabilities.
n There is no WebUI and Menu support for this feature. n The same mechanism should be used for authentication and authorization when using this feature. Cross
combination is not supported. For example: If authentication is local, then the authorization should also be set to local. Similarly, if authentication is RADIUS, authorization should also be set to RADIUS. TACACS authentication works in the same fashion. n Security logging is supported via Syslog.
Event log wrap
To add a new log message when the event buffer wraps, a new RMON log is generated when the buffer wrapping is identified.
Configuring concurrent sessions
The following commands configure the max concurrent sessions allowable.
For non-stackable switches
Syntax
console max-sessions 1-6 The default value is 6. The no for the command restores the default value. For non-stackable devices the allocations is as :
n 1 local console and 5 SSH/Telnet sessions. n Minimum value of 1 is set since 1 local console is always available.
Configuring concurrent sessions per user
Configures the max concurrent sessions allowable per user in switches. The no command restores the default value.
Syntax
console max-sessions 1-7
Aruba 2930M/F | Access Security Guide
224
The default value in non-stackable and 5400R series switches is 6. The default value for stackable devices is 6.
Maximum session for a manager/operator
Configuring a value of 4 means that the Manager can have a maximum of 4 concurrent sessions and the Operator can also have a maximum of 4 concurrent sessions. The allocations will be based on the current available free session (since the system as a whole can have only 6 to 7 concurrent sessions by default. A session is allocated to a Manager or Operator only if the current allocation to the user is within the configured value. The session allocation thus happens based on the user sessions as well the max sessions available in the system.
Failed login attempts delay
Authentication happens by sending authentication request to the Authentication sub system. The Authentication sub system then authenticates and sends back the authentication result. If an authentication failure is identified, a delay is introduced so that the next authentication request is not serviced immediately. This is applicable for console, telnet and ssh sessions.
Configuring FQDN support for RADIUS server
AOS-S allows you to configure RADIUS servers with Fully Qualified Domain Name (FQDN) support for IPv4 address and ClearPass option.
radius-server host key
Syntax
radius-server host <FQDN> key <pre-shared-key> no radius-server host <FQDN> key <pre-shared-key>
Description
Configures the RADIUS server with FQDN support and clearpass server option. The no form of this command removes the RADIUS server configuration with FQDN support and ClearPass option.
Command context
config
Parameters
FQDN Specifies the FQDN server address.
Usage
radius-server host <IP-ADDR | IPV6-ADDR | FQDN> key <pre-shared-key>
Examples
225
Aruba 2930M/F | Access Security Guide
switch(config)# radius-server hostFQDN
The server fqdn address.
IP-ADDR
The server IPv4 address.
IPV6-ADDR
The server IPv6 address.
switch(config)# radius-server host http://clearpass.com
acct-port
Configure the UDP destination port for Accounting
requests (the default is 1813).
auth-port
Configure the UDP destination port for Authentication
requests (the default is 1812).
clearpass
Radius server is hosted by ClearPass or not
dyn-authorization
Accept dynamic authorization messages.
key
Configure the server authentication key.
oobm
Use the OOBM interface to connect to the server.
time-window
Configure replay protection for dynamic authorization
messages.
switch(config)# radius-server host http://clearpass.com key test123
Automatic certificate download with ClearPass
To improve the ease of deployment, Aruba switch allows automatic downloading of the root CA certificate of ClearPass servers. As a part of the ZTP process, if the configuration of the switch is provided with an additional keyword ClearPass in RADIUS configuration, the switch will contact ClearPass and download the root CA certificates. This simplifies use cases such as Downloadable user-roles as well as Device Fingerprinting with ClearPass.
radius-server host key clearpass
Syntax
radius-server host <FQDN> key <pre-shared-key> clearpass
no radius-server host <FQDN> key <pre-shared-key> clearpass
Description
Configures the RADIUS server with FQDN support and clearpass server option. If the RADIUS server is hosted by clearpass option, the switch tries to download the CA certificate from the configured server. The no form of this command disables the CA certificate download configuration.
Command context
config
Parameters
FQDN Specifies the FQDN server address. pre-shared-key Specifies the key name to download the certificate.
Usage
radius-server host <IP-ADDR | IPV6-ADDR | FQDN> key <pre-shared-key> clearpass
Examples
Aruba 2930M/F | Access Security Guide
226
switch(config)# radius-server hostFQDN
The server fqdn address.
IP-ADDR
The server IPv4 address.
IPV6-ADDR
The server IPv6 address.
switch(config)# radius-server host http://clearpass.com
acct-port
Configure the UDP destination port for Accounting
requests (the default is 1813).
auth-port
Configure the UDP destination port for Authentication
requests (the default is 1812).
clearpass
Radius server is hosted by ClearPass or not
dyn-authorization
Accept dynamic authorization messages.
key
Configure the server authentication key.
oobm
Use the OOBM interface to connect to the server.
time-window
Configure replay protection for dynamic authorization
messages.
switch(config)# radius-server host http://clearpass.com key test123 clearpass
crypto ca-download usage clearpass retry
Syntax
crypto ca-download usage clearpass retry <time-interval>
no crypto ca-download usage clearpass retry <time-interval>
Description
Configures the retry interval time in minutes to download the certificate from the ClearPass server. The no form of this command disables the certificate download configuration from the ClearPass server.
Command context
config
Parameters
time-interval Specifies the retry time interval for downloading the certificate. The time interval ranges from one to five minutes.
Usage
crypto ca-download usage clearpass retry <1-5>
Examples
switch(config)# crypto ca-download
usage
Download the CA certificate from server
switch(config)# crypto ca-download usage
clearpass
Server option to download the CA ceriticate.
switch(config)# crypto ca-download usage clearpass
force
Force to download the CA certificate of all the
configured ClearPass servers.
retry
Retry interval to download the CA certificate of
configured ClearPass servers which is failed to download
the CA certificate.
switch(config)# crypto ca-download usage clearpass retry
<1-5>
Enter the time interval.
switch(config)# crypto ca-download usage clearpass retry 3
227
Aruba 2930M/F | Access Security Guide
crypto ca-download usage clearpass force
Syntax
crypto ca-download usage clearpass force
no crypto ca-download usage clearpass force
Description
Force to download the certificate from the ClearPass server. The no form of this command removes the force option from the ClearPass server.
Command context
config
Examples
switch(config)# crypto ca-download
usage
Download the CA certificate from server
switch(config)# crypto ca-download usage
clearpass
Server option to download the CA ceriticate.
switch(config)# crypto ca-download usage clearpassforce Force to download the CA certificate
of all the
configured ClearPass servers.
retry
Retry interval to download the CA certificate of
configured ClearPass servers which is failed to download
the CA certificate.
switch(config)# crypto ca-download usage clearpass force
This is an action command and it will not be retained in configuration. This command must be used only in cases where the certificate Authority (CA) changes
for the ClearPass Certificate.
CA certificate is not downloadable after rebooting the system
Switch cannot download the CA certificate from ClearPass after rebooting the system in VSF, BPS, and in Standalone mode. To download the CA certificate using ClearPass, you must configure the following command before rebooting the system:
crypto ca-download usage clearpass retry
In the following scenarios, CA certificate from ClearPass is not downloaded without configuring ClearPass retry option:
n Switch downloads the configuration file when CA download option is enabled without the ClearPass certificate.
n config-restore is performed in VSF switch when CA download option is enabled without the ClearPass certificate.
Aruba 2930M/F | Access Security Guide
228
n When the certificate is deleted and rebooted before performing the CA download force option (crypto cadownload usage clearpass force).
If the force option is triggered, the ClearPass CA certificate will be downloaded without the retry option.
Limitations
n If the ClearPass option is configured, the CA certificate download is triggered for ClearPass server. This option is limited to only three servers.
n Multiple ClearPass servers will use the same user name and password configuration because there is a single command to configure ClearPass Identity and Password without any link to IP address of the ClearPass server.
n If the ClearPass server is configured with FQDN option, the resolution to the IP address will add the delay which impacts the authentication of clients. If the ClearPass server IP address is not resolved during authentication of the clients, an appropriate RMON log will be created.
n The RMON logs will be created when the CA certificate is not available at the time of downloading the user role, or while sending client data to Device Fingerprinting server.
Support for Framed IP Address in RADIUS requests
The framed IPv4 address is one of the many RADIUS attributes and it indicates the address assigned to the client. The attribute may be included in the access-request packet. When sent in an access-request packet, the IP address is sent as a hint to the RADIUS server. The Framed-IP-Address field is included in the accessrequest packets sent to RADIUS servers during authentication. n Configuration is enabled using the following CLI command:
radius-server access-request include <framed-ip-address>
no radius-server access-request include <framed-ip-address>
n If Framed IP is enabled in the switch, then the switch can learn the IP address of the authenticated client using two methods. l DHCP snooping: By snooping the DHCP packets sent by the client after authentication. l IP Client tracker: By sending ARP probes to the client.
If the IP address of the client known to the switch while sending the access-request packet. The
"Framed-IP-Address" attribute will not be included in the RADIUS access-request packet if the CLI is
not configured.
The framed-ip-address is sent to access-request packets for the following scenarios: End clients that support user and machine authentication
229
Aruba 2930M/F | Access Security Guide
For instance windows client that supports machine and user authentication is connected to a port where 802.1x authentication is enabled. The sequence of authentication is as follows:
1. Windows client initiates machine authentication. Since, it is initial authentication, access-request packet will not include framed-ip-address attribute.
2. Machine authentication is successful. 3. Client gets successfully authenticated and receives an IP Address from DHCP Server. 4. User tries to log in using credentials, which triggers user authentication. 5. Access request packet with framed-ip-address is sent to the RADIUS server.
Reauthentication of client
1. End client is connected to a port where MAC or 802.1x authentication is enabled with a reauthentication period.
2. Client gets successfully authenticated. 3. Client receives an IP address from DHCP server. 4. Upon reauthentication period expiry, a new access-request message will be sent from NAS to RADIUS
server. 5. If configured, the new access-request packet will contain framed-ip-address attribute.
Limitations
1. Framed-IPv6-Address RADIUS access-request attribute is not supported (RFC6911).
Support for Sending Interface VLAN in RADIUS Requests
The interface VLAN information is included in the RADIUS access-request packet, to differentiate the network access of unknown devices depending on the VLAN configured on the client switch port. The RADIUS accessrequest packet is sent to RADIUS server during all MAC and 802.1x authentication types. The interface VLAN information is sent to RADIUS server using the following attributes:
n Tunnel-Type indicates the tunneling protocol to be used. n Tunnel-Medium-Type indicates the transport medium to be used. n Tunnel-Private-Group-ID indicates the untagged VLAN ID of the port.
If a port is configured with tagged VLAN and does not contain any untagged VLAN, then the above attributes will not be sent in RADIUS access-request packets.
This feature is enabled using the following configuration options:
n statically-configured configuration is used when the RADIUS access-request contains the staticallyconfigured untagged VLAN ID for the port, as per switch configuration. Use the following command to include a statically-configured untagged VLAN ID of a port in the RADIUS access-request: radius-server access-request include interface-vlan-id statically-configured The no form of the command is used to remove the statically-configured untagged VLAN ID of a port in the RADIUS access-request.
Aruba 2930M/F | Access Security Guide
230
no radius-server access-request include interface-vlan-id statically-configured n dynamically-assigned configuration is used during re-authentication. Initially, the RADIUS accessrequest
contains the statically-configured untagged VLAN ID for the port, as per switch configuration. During reauthentication, the RADIUS access-request uses the dynamically-assigned untagged VLAN ID of the client. The RADIUS server assigns untagged VLAN ID to the client.
If RADIUS server does not assign any untagged VLAN ID to a client, then during reauthentication, the RADIUS access-request will contain statically-configured untagged VLAN ID for a port, as per switch configuration.
Use the following command to include dynamically-assigned untagged VLAN ID by RADIUS server of a port in the RADIUS access-request: radius-server access-request include interface-vlan-id dynamically-assigned The no form of the command is used to remove the dynamically-assigned untagged VLAN ID of a port in the RADIUS access-request. no radius-server access-request include interface-vlan-id dynamically-assigned
If the feature is not enabled using statically-configured or dynamically-assigned options, the interface VLAN is sent only in following authentication methods:
n MAC authentication with PEAP-MSCHAPv2 n 802.1x authentication with EAP
231
Aruba 2930M/F | Access Security Guide
Chapter 11 User roles
User roles
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
Captive-portal commands
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
no aaa authentication captive-portal profile
Syntax
aaa authentication captive-portal profile <PROFILE-STR> [url <URL-STR>] no aaa authentication captive-portal profile <PROFILE-STR> [url <URL-STR>]
Description
Create a captive-portal profile. Profiles are used in user roles to direct the user to a designated captive portal server. When the profile includes a web address, that web address is always used to contact the server. When no web address is specified, it is obtained from the RADIUS VSA.
A profile does not have to be pre-existing in the switch for it to be configured to a user role.
Parameters
profile Configure a captive portal profile.
<PROFILE-STR> Configure a captive portal profile string 64 characters long.
url Configure the captive portal server web address.
<URL-STR> Configure the captive portal server web address string.
Usage
Switch# aaa authentication captive-portal profile <NAME> Switch# aaa authentication captive-portal profile <NAME> url <URL>
Aruba 2930M/F | Access Security Guide
232
Netservice and Netdestination Local user role
Now, Netservice and Netdestination is available for Local user role. Local User role can apply the class filter rule for the authenticated user to control L2 and L3 traffic.
Syntax
netdestination <NAME-STR> {host <IP-ADDR> [position <NUM>] | network <IP-ADDR/MASK-LENGTH> [position <NUM>]} no netdestination <NAME-STR> {host <IP-ADDR> [position <NUM>] | network <IP-ADDR/MASK-LENGTH> [position <NUM>]} netservice <NAME-STR> {tcp|udp|<PROTOCOL>} [<PORT-NUM> | <PORT-NUM> | list <PORT-STR>] no netservice <NAME-STR> {tcp|udp|<PROTOCOL>} [<PORT-NUM> | <PORT-NUM> | list <PORT-STR>]
Parameters
Host
Configures a single IPv4 host. Network
An IPv4 subnet consisting of an IP address and subnet mask. Position
Specifies the position of a host/network/range in the net-destination. This optional parameter is specific to a net-destination, and will be used only to sort entries in a list. TCP
Configure an alias for a TCP protocol. UDP
Configure an alias for a UDP protocol. Protocol0-255
IP protocol number port-num0-65535
Specify a single port or two port numbers for a range. port-list0-65535
Specify a list of port numbers separated by commas up to six ports.
Examples
switch(net-dest)#show user-role TestInitialRole User Role Information
Name
: TestInitialRole
Type
: local
Reauthentication Period (seconds) : 0
Logoff Period (seconds)
: 300
Untagged VLAN
:
Tagged VLAN
:
Captive Portal Profile
:
Policy
:
Tunnelednode Server Redirect
: Enabled
Secondary Role Name
: secondaryrole
switch(net-dest)#show netdestination abc Name : abc
233
Aruba 2930M/F | Access Security Guide
Position Type
IP Address
Mask
---------- -------------- ------------------ ------------------
220
Host
10.10.10.0
-
switch(config)#show netservice
Name Protocol Port
: abc : tcp :1
Limitations
n Alias-based class filters can be configured for IPv4 class filters alone. n The configuration of netdestination, netservice, and alias-based class filters supports command-line interface
and DUR. SNMP support to configure and delete netdestination, netservice, and the alias-based class filters are not provided. n Both types of class filters can exist in a switch configuration, but not within same class. When alias-based class filters are configured, it is internally translated to individual lines of class filters for processing by protocol. Therefore, single alias-based class filter results in multiple single-line class filters. The total number of class filters in a switch is calculated as a sum of the translated class filters and other single-line class filters. This sum must not exceed the maximum permissible limit. n After entering command for an alias-based ACE, console will be available for execution of next command without any delay. However, the execution of another command to configure ACE will be prevented with a warning message. This action prevents corruption of switch configuration. n The sequence number for next alias-based class filter will be based on the entire single-line class filters. n If there is a duplicate entry during configuration of alias-based class filter, the alias-based class filter will not be created. RMON will be logged for such events. Error message will not be sent to user. However, remaining rules will be configured. n If all the entries formed during translation of an alias-based class filter are duplicate, RMON is logged for each of such entries. There is no rule corresponding to such alias-based class filter configured in hardware, but the running-configuration will display the alias-based class filter. When the next alias-based class filter is configured, it will overwrite this class filter and will not visible in running-configuration. n User cannot modify netdestination or netservice when they are in use by one or more alias class filters or ACEs. To modify, remove all the alias class filters and ACEs used in the particular net-destination or netservice. n The limit for maximum number of netdestination and netservice configurable on switch must remain the same.
n Operators such as lt,gt,eq,neq,range for source port in the class filter rule cannot be specified using the options available in net-service.
n Operators such as lt,gt and neq cannot be specified for destination port using the options available in netservice.
n Resequencing of alias-based class filters is not allowed. n Remark string for a class with alias-based class filters is not supported. n In a class with alias-based class filters, deletion is not possible using sequence number alone.
Aruba 2930M/F | Access Security Guide
234
Policy commands
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
policy user
Syntax
policy user <POLICY-NAME>
Description
Create and enter newly created user policy context.
Usage
Switch (config)# policy user employee
no policy user
Syntax
no policy user <POLICYNAME>
Description
Delete and remove specified user policy from switch configuration.
Operating notes
n The user policy will include implicit deny all rules for both IPv4 and IPv6 traffic. n ipv4 or ipv6 classes must specify source address as any. Specifying host addresses or subnets will result in
the following error message: Switch(policy-user)#class ipv4 class25 action priority 0 User policies cannot use classes that have a source IP address specified.
n permit and deny are mutually exclusive. n ip-precedence and dscp are mutually exclusive.
Usage
switch(config)#no policy user employee
policy resequence
Syntax
policy resequence <POLICYNAME><START><INCREMENT>
Description
Resequence classes and remarks configured within specified user policy. The usage shows resequencing classes and remarks within user policy "employee" starting at 200 and incrementing by 2.
235
Aruba 2930M/F | Access Security Guide
Usage
switch(config)#policy user employee 200 2
Commands in the policy-user context
Create classes inside of the policy context before you apply actions to them.
(policy-user)# class
Within the policy-user context:
Syntax
(policy-user)# [<SEQUENCE-NUMBER>] class ipv4 | ipv6 <CLASS-NAME> [action permit | deny | redirect captive portal] | [action dscp | ip--precedence <CODEPOINT | PRECEDENCE>] [action priority <PRIORITY>] | [action rate-limit kbps <RATE>] (policy-user)# no [<SEQUENCE-NUMBER>] class ipv4 | ipv6 <CLASS-NAME> [action permit | deny | redirect captive portal] | [action dscp | ip--precedence <CODEPOINT | PRECEDENCE>] [action priority <PRIORITY>] | [action rate-limit kbps <RATE>]
Description
Associate a class with ACL or QoS actions for this policy.
Parameters
deny Deny all traffic.
DSCP Specify an IP DSCP.
IP-precedence Specify the IP precedence.
permit Permit all traffic.
priority Specify the priority.
rate-limit Configure rate limiting for all traffic.
redirect Specify a redirect destination.
Usage
switch(policy-user)#class ipv6 employeeIpv6Http action deny switch(policy-user)#class ipv4 http action redirect captive-portal switch(policy-user)#class ipv4 dnsDhcp action permit
Aruba 2930M/F | Access Security Guide
236
User role configuration
aaa authorization user-role
Syntax
aaa authorization user-role [enable | disable| [initial-role <ROLE-STR>] |[name <ROLE>]]
Description
Configure user roles. A user role determines the client network privileges, the frequency of reauthentication, and applicable bandwidth contracts along with other permissions. Every client is associated with a user role or the client is blocked from access to the network.
Parameters
enable Enable authorization using user roles.
disable Disable authorization using user roles.
initial-role The default initial role denyall is used when no other role applies. If a client connects to the switch and lacks a user role associated, then the initial role is used. Any role can be configured as initial role using this option. Initial role can be configured at per-port level. The per port initial role takes priority over global initial role. The initial role may be assigned if:
n captive-portal profile is configured with a web address, but the Captive Portal VSA is sent from RADIUS. n captive-portal profile is configured to use the RADIUS VSA but no Captive Portal VSA is sent. n captive-portal feature is disabled when the captive-portal profile is referenced in the applied user role to
the client. n The user role feature is enabled with RADIUS authentication, but no user role VSA is returned. n User role does not exist. n Not enough TCAM resource available. n Access-Reject from RADIUS. n User role VSA is sent along with invalid attributes. n RADIUS not reachable. n VLAN configured on the user role does not exist. n Captive Portal profile does not exist. n User policy configured on the user role does not exist. n Reauthentication period is enabled (nonzero) in the user role for LMA. n Captive Portal profile is included in the user role for LMA. n Logoff period is not supported.
critical-role Critical role is disabled by default. If the critical role is enabled and the client is unable to connect the switch and the RADIUS server, then the client moves to critical role. Any role can be configured as critical role. Critical role can be configured at per-port level.
name<NAME-STR>
237
Aruba 2930M/F | Access Security Guide
Create or modify a user-role. Role name identifies a user-role. When adding a user-role, a new context will be created. The context prompt will be named user-role (user-role)#.
Usage
switch# aaa authorization user-role enable switch# aaa authorization user-role disable switch# aaa authorization user-role name <ROLE1> switch# no aaa authorization user-role enable switch# no aaa authorization user-role name <ROLE1> switch# aaa authorization user-role initial-role <ROLE1> switch# aaa authorization user-role name <MYUSERROLE> policy <MYUSERPOLICY> switch# aaa authorization user-role name <MYUSERROLE> vlan-id <VID> switch# aaa authorization user-role name <MYUSERROLE> reauth-period <0-999999999>
Error log
Scenario
Error Message
If the user tries to delete a user- User role <INITIAL_ROLE_NAME> is configured as the initial role and cannot be role configured as the initial role deleted.
If the user attempts to configure more than the number of administrator configured roles
#aaa authorization user-role name roleNumber33. No more user roles can be created.
If the user enters a role name that is too long
switch# aaa authorization user-role test342....jflkdsjflk. The name must be fewer than 64 characters long.
If the user enters a role name with invalid syntax
switch# aaa authorization user-role name "this is an invalid name". Invalid character ' ' in name.
If the user tries to delete a nonexisting user-role
User role <NON_EXISTING_ROLE_NAME> not found.
switch# aaa authorization User role <DENYALL> is read only and cannot be modified. user-role name <DENYALL>
captive-portal-profile
From within the user-role context:
Syntax
captive-portal-profile <PROFILE_NAME> no captive-portal-profile
Description
Assigns a captive portal profile to the user role. The predefined captive portal profile, use-radius-vsa, indicates that the redirect web address must be sent via RADIUS. To clear a captive portal profile from the user role, use the no form of the command.
policy
From within the user-role context:
Aruba 2930M/F | Access Security Guide
238
Syntax
policy <POLICY_NAME>
Description
Assigns a user policy to the user role. To clear a policy from the user role, use the no version of the command.
Modification of the user policy, or class contained in a user policy, will force users consuming that user policy via a user role to be deauthenticated.
reauth-period
From within the user-role context:
Syntax
reauth-period <VALUE>
Description
Set the reauthentication period for the user role. Use [0] to disable reauthentication. For RADIUS-based authentication methods, it will override the RADIUS session timeout. It also overrides any port-based reauthperiod configuration with the exception that LMA does not support a reauth-period.
Parameters <VALUE>
Valid values are 0 999,999,999; a required configuration in user roles and it defaults to 0.
(user-role)# reauth-period 100
Set the reauthentication value for the current user role: (user-role)# reauth-period 100
(user-role)# reauth-period 0
0 is used to disable reauthentication, and it is the default value. (user-role)# reauth-period 0
aaa authorization user-role name cached-reauth-period
Syntax
aaa authorization user-role name <Role-name> cached-reauth-period <Seconds> no aaa authorization user-role name <Role-name> cached-reauth-period <Seconds>
Description
Configures the cached reauthentication period for clients with the user roles. The no form of this command removes the cached reauthentication period for clients.
Command context
config
239
Aruba 2930M/F | Access Security Guide
Parameters
Role-name Specifies the user role name. Seconds Specifies the time period in seconds for cached reauthentication to be allowed on the port. The time range is 60 to 2147483647 seconds. If the value is zero, the time period of cached reauthentication is unlimited.
Examples
switch(config)# aaa authorization user-role name test cached-reauth-period
<60-2147483647>
The value indicates the period in seconds, during which
cached reauthentication is allowed on the port.
switch(config)# aaa authorization user-role name test cached-reauth-period 120
VLAN commands
The VLAN must be configured on the switch at the time the user role is applied. Only one of VLAN-name or VLAN-ID is allowed for any user role.
Modification of the VLAN will force users assigned to that VLAN via a user role to be deauthenticated.
vlan-id
From within the user-role context:
Subcommand syntax
vlan-id <VLAN-ID>
Description
Create a VLAN with id VLAN-ID. Use the no version of the command when clearing the VLAN-ID from the user role:
Usage
(user-role)# no vlan-id
vlan-name
From within the user-role context:
Subcommand syntax
vlan-name <VLAN-NAME>
Description
Create a VLAN with the name VLAN-NAME. Only one of VLAN-NAME or VLAN-ID is allowed for any user role. Use the no version of the command when clearing the VLAN from the user role, by name:
Usage
(user-role)# no vlan-name
Aruba 2930M/F | Access Security Guide
240
vlan-id 100
(user-role)# vlan-id 100
vlan-name vlan100
(user-role)#vlan-name VLAN100
vlan-id-tagged
Syntax
vlan-id-tagged [<VLAN-ID> | < VLAN-STR>] no vlan-id-tagged [<VLAN-ID> | < VLAN-STR>]
Description
Supports tagged client traffic by directing the user role. When the user role is applied, tagged traffic is allowed to pass. The no form of this command removes the [<VLAN-ID> | < VLAN-STR>] from the tagged VLAN ID.
Command context
user-role
Parameters
<VLAN-ID> Specifies the tagged VLAN ID assigned to users.
<VLAN-STR> Specifies the tagged VLAN name assigned to users.
Example
switch(config)# vlan-id-tagged
VLAN-ID
Set the tagged VLAN that users will be assigned to.
switch(config)# vlan-id-tagged 360
Show the user-role information for PUTN-emp.
switch-PoEP# show user-role PUTN-emp
User Role Information
Name
: PUTN-emp
Type
: local
Reauthentication Period (seconds) : 0
Untagged VLAN
:
Tagged VLAN
: 360-370
Captive Portal Profile
:
Policy
:
Tunnelednode Server Redirect
: Enabled
Secondary Role Name
: authenticated
Device Attributes
User role introduces a sub level context called 'device' in the user role context for defining the device level attributes along with other user authentication attributes. This enhancement facilitates the downloading the user-
241
Aruba 2930M/F | Access Security Guide
role from ClearPass and commands (for local user roles) for the new attributes that applies for a specific user role. You can use this feature for AP onboarding where port-mode and vlan-id-tagged support is required. The attribute admin-edge-port will result in the faster bring up of the port without waiting for Spanning Tree. The Power-over-Ethernet (PoE) attribute provides support for PoE capable devices. It helps to manage the PoE devices in the user role to allocate the power based by device class and to have a priority control mechanism that prevents higher power consumption.
Device Attributes for User Roles
The following attributes allow you to configure the device-specific attributes using user roles:
n port-mode n admin-edge-port n poe-allocate-by-class n poe-priority
switch(config)# aaa authorization user-role name test device
admin-edge-port
Set the administrative edge port status for the clients
port using this role.
poe-allocate-by-class Configure the power allocation method based on its
device classification.
poe-priority
Enable per-port power distribution for this user-role.
port-mode
Configure the client's port as port-mode for an
authentication method.
aaa authorization user-role name device admin-edge-port
Syntax
aaa authorization user-role name <Role-name> device admin-edge-port
no aaa authorization user-role name <Role-name> device admin-edge-port
Description
Configures the device administrative edge port status for the clients port. This attribute will prevent the port from being part of spanning tree convergence process when the port is enabled with spanning tree. The no form of this command removes the administrative edge port status for the client port.
Command context
config
Parameters
Role-name Specifies the user role name.
Examples
switch(config)# aaa authorization user-role name test device admin-edge-port
aaa authorization user-role name device poe-allocate-by-class
Syntax
Aruba 2930M/F | Access Security Guide
242
aaa authorization user-role name <Role-name> device poe-allocate-by-class
no aaa authorization user-role name <Role-name> device poe-allocate-by-class
Description
Configures the power allocation method based on the device classification. The no form of this command restores to its default power allocation method.
Command context
config
Parameters
Role-name Specifies the user role name.
Examples
switch(config)# aaa authorization user-role name test device poe-allocate-by-class
aaa authorization user-role name device poe-priority
Syntax
aaa authorization user-role name <Role-name> device poe-priority {critical | high | low}
no aaa authorization user-role name <Role-name> device poe-priority
Description
Enables the per-port power distribution for the user-roles. High power consumption can be prevented using poepriority control mechanism The no form of this command restores the per-port power distribution to its default priority.
Command context
config
Parameters
Role-name Specifies the user role name. critical | high | low Specifies the power distribution priority of the port where the device is connected.
Examples
switch(config)# aaa authorization user-role name test device poe-priority critical high low switch(config)# aaa authorization user-role name test device poe-priority high
aaa authorization user-role name device port-mode
Syntax
243
Aruba 2930M/F | Access Security Guide
aaa authorization user-role name <Role-name> device port-mode no aaa authorization user-role name <ROLE-NAME> device port-mode
Description
Configures the client port for an authentication method. The no form of this command disables the client port configuration.
Command context
config
Parameters
Role-name Specifies the user role name.
Examples
switch(config)# aaa authorization user-role name test device port-mode
Show CLIs show port-access clients
Syntax
show port-access clients
Description
Shows the list of all clients authenticated with successful user-role and clients rejected with initial-role.
Examples
switch(config)# show port-access clients Downloaded user roles are preceded by *
Port Access Client Status
Port Client Name MAC Address IP Address User Role
Type
----- ------------- -------------- ---------- ----------------- -----
--------
VLAN ----------------
1/A15 b45d50c54b24 b45d50-c54b24 n/a 363, 364,
368, 369,
1/A3 admin
000c29-316056 n/a
1/B3 20a6cdcf1be4 20a6cd-cf1be4 n/a
363, 364,
368, 369,
1/B5 34fcb9c3ab54 34fcb9-c3ab54 n/a 363, 364,
368, 369,
1/B6 08000f41f373 08000f-41f373 n/a
*KB_MacAuth_DU... MAC
360, 361, 362,
365, 366, 367,
*KB_Dot1x_DUR_... 8021X *KB_MacAuth_DU... MAC
370 50 360, 361, 362,
365, 366, 367,
*KB_MacAuth_DU... MAC
370 360, 361, 362,
365, 366, 367,
*KB_MacAuth_DU... MAC
370 360, 361, 362,
Aruba 2930M/F | Access Security Guide
244
363, 364, 368, 369,
365, 366, 367, 370
show port-access clients detailed
Syntax
show port-access clients <port-number> detailed
Description
Shows the details of the client connected to the particular port.
Parameters
port-number Specifies the client port number.
Examples
switch(config)# show port-acc clients 1/a15 detailed Port Access Client Status Detail
Client Base Details :
Port
: 1/A15
Client Status : authenticated
Client Name
: b45d50c54b24
MAC Address
: b45d50-c54b24
IP
: n/a
Authentication Type : mac-based
Session Time
: 31 seconds
Session Timeout
: 60 seconds
Auth Order Auth Priority LMA Fallback
: Not Set : Not Set : Disabled
Downloaded user roles are preceded by *
User Role Information
Name
: *KB_MacAuth_DUR-3004-29
Type
: downloaded
Reauthentication Period (seconds) : 60
Cached Reauth Period (seconds) : 120
Logoff Period (seconds)
: 300
Untagged VLAN
: 50
Tagged VLANs
: 360, 361, 362, 363, 364, 365, 366,
367, 368, 369, 370
Captive Portal Profile Policy Tunnelednode Server Redirect Secondary Role Name Device Attributes PoE Allocation By Class PoE Priority Admin-edge-port Port-mode
: : : Disabled : : Enabled : Enabled : high : Enabled : Enabled
show user-role detailed
Syntax
245
Aruba 2930M/F | Access Security Guide
show user-role detailed
Description
Shows the user-role information.
Examples
switch(config)# show user-role detailed
User Role Information
Name
: *KB_MacAuth_DUR-3004-29
Type
: downloaded
Reauthentication Period (seconds) : 60
Cached Reauth Period (seconds) : 120
Logoff Period (seconds)
: 300
Untagged VLAN
: 50
Tagged VLAN
: 360-370
Captive Portal Profile
:
Policy
:
Tunnelednode Server Redirect
: Disabled
Secondary Role Name
:
Device Attributes
: Enabled
PoE Allocation By Class
: Enabled
PoE Priority
: high
Admin-edge-port
: Disabled
Port-mode
: Disabled
VLAN range commands
This command is executed from a global configuration context.
VLANs specified by VLAN-ID-LIST
Syntax
vlan <VLAN-ID-LIST> no vlan <VLAN-ID-LIST>
Description
Creates VLANs specified by the VLAN-ID-LIST and returns to the global configuration context. Use the no version of the command to delete the VLANs specified by the VLAN-ID-LIST.
Examples
config# vlan 2-15 config# vlan 5,10,13-20,25 config# no vlan 2-10 config# no vlan 2,5,15-18,25
VLANs specified by VLAN-ID-LIST and tag specified ports specified by PORT-LIST
Syntax
vlan <VLAN-ID-LIST> tagged <PORT-LIST> no vlan <VLAN-ID-LIST> tagged <PORT-LIST>
Description
Creates VLANs specified by the VLAN-ID-LIST and tags the ports specified by the PORT-LIST to the VLAN-IDLIST. If VLANs already exist, the tagging of ports specified by the PORT-LIST is performed.
Aruba 2930M/F | Access Security Guide
246
Use the no form of the command to remove the tagged PORT-LIST from a range of VLANs specified by the VLAN-ID-LIST. After command execution, CLI returns to the global configuration context.
Examples
config# vlan 2-15 tagged A1-A20 config# vlan 5,10,13-20,25 tagged A1-A5,L2,L5-L10 config# vlan 2-20 tagged all config# no vlan 2-15 tagged A1-A5 config# no vlan 5,10,13-20 tagged A1-A5,L6
Applying User Derived Role with Local MAC Authentication
UDR can be used to assign user roles locally (that is, without RADIUS). LMA has been extended to allow applying a user role to a MAC address, MAC group, MAC mask, or MAC OUI.
aaa port-access local-mac apply user-role
Syntax
aaa port-access local-mac apply user-role <Role-Name> [ mac-oui <MAC-OUI> | mac-mask <MACMASK> |mac-addr <MAC-ADDR> | mac-group <MAC-GROUP-NAME>] no aaa port-access local-mac apply user-role <Role-Name> [ mac-oui <MAC-OUI> | mac-mask <MAC-MASK> |mac-addr <MAC-ADDR> | mac-group <MAC-GROUP-NAME>]
Description
Apply user roles.
Parameters
mac-addr
To apply user role with MAC address.
mac-group
To apply user role with MAC group.
mac-mask
To apply user role with MAC Mask.
mac-oui
To apply user role with MAC OUI.
Usage
aaa port-access local-mac apply user-role <MYUSERROLE> [mac-oui <MAC-OUI>] no aaa port-access local-mac apply user-role <MYUSERROLE> [mac-oui <MAC-OUI>]
aaa port-access local-mac apply user-role <MYUSERROLE> [mac-mask <MAC-MASK>] no aaa port-access local-mac apply user-role <MYUSERROLE> [mac-mask <MAC-MASK>]
no aaa port-access local-mac apply user-role <MYUSERROLE> [mac-addr <MAC-ADDR>] no aaa port-access local-mac apply user-role <MYUSERROLE> [mac-addr <MAC-ADDR>]
aaa port-access local-mac apply user-role <MYUSERROLE> [mac-group <MAC-GROUP-NAME>] no aaa port-access local-mac apply user-role <MYUSERROLE> [mac-group <MAC-GROUP-NAME>]
247
Aruba 2930M/F | Access Security Guide
VXLAN show commands
VXLAN show commands include commands to display the status of a VXLAN feature, tunnels, and tunnel statistics.
show captive-portal profile
Syntax
show captive-portal profile
Description
Show Captive Portal profile configuration.
show captive-portal profile
switch(config)#show captive-portal profile
Captive Portal Profile Configuration Name : use-radius-vsa Type : predefined URL :
Name : myCaptivePortalProfile Type : custom URL : http://mycppm.local/guest/captive_portal_login.php
show user-role
Syntax
show user-role [<ROLE-NAME>] [detailed]
Description
Show users role configuration.
Parameters
<ROLE-NAME> Show user roles by role-name.
<ROLE-NAME> detailed
Show user roles in detail by role-name.
show user-role
Switch#show user-role
User Roles
Enabled
: <Yes/No>
Initial Role : denyall
Type ---------local
Name -----------Employee
Aruba 2930M/F | Access Security Guide
248
local predefined
Guest denyall
show user-role <ROLE-NAME>
switch#show user-role captivePortalwithVSA
User Role Information
Name
: captivePortalwithVSA
Type
: local
Reauthentication Period (seconds) : 0
Untagged VLAN
: 610
Captive Portal Profile
: use-radius-vsa
Policy
: cppolicy
show user-role detailed
The example shows how to configure user roles to use Clearpass as a Captive Portal. The Captive Portal URL is specified in a RADIUS VSA.
switch#show user-role captivePortalwithVSA detailed
User Role Information
Name
: captivePortalwithVSA
Type
: local
Reauthentication Period (seconds) : 0
VLAN
: 610
Captive Portal Profile
: use-radius-vsa
URL
: (use RADIUS VSA)
Policy
: cppolicy
Statements for policy "cppolicy" policy user "cppolicy"
10 class ipv4 "cppm" action permit 20 class ipv4 "steal" action redirect captive-portal 30 class ipv4 "other" action permit exit
Statements for class IPv4 "cppm" class ipv4 "cppm"
10 match tcp 0.0.0.0 255.255.255.255 1.0.9.15 0.0.0.0 eq 80 20 match tcp 0.0.0.0 255.255.255.255 1.0.9.15 0.0.0.0 eq 443 exit
Statements for class IPv4 "steal" class ipv4 "steal"
10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80 20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443 exit
Statements for class IPv4 "other" class ipv4 "other"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53 20 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67 30 match icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 exit
show port-access clients
Syntax
show port-access clients
249
Aruba 2930M/F | Access Security Guide
Description
Shows the list of all clients authenticated with successful user-role and clients rejected with initial-role.
Examples
switch(config)# show port-access clients Downloaded user roles are preceded by *
Port Access Client Status
Port Client Name MAC Address IP Address User Role
Type
----- ------------- -------------- ---------- ----------------- -----
--------
VLAN ----------------
1/A15 b45d50c54b24 b45d50-c54b24 n/a 363, 364,
368, 369,
1/A3 admin
000c29-316056 n/a
1/B3 20a6cdcf1be4 20a6cd-cf1be4 n/a
363, 364,
368, 369,
1/B5 34fcb9c3ab54 34fcb9-c3ab54 n/a 363, 364,
368, 369,
1/B6 08000f41f373 08000f-41f373 n/a 363, 364,
368, 369,
*KB_MacAuth_DU... MAC
360, 361, 362,
365, 366, 367,
*KB_Dot1x_DUR_... 8021X *KB_MacAuth_DU... MAC
370 50 360, 361, 362,
365, 366, 367,
*KB_MacAuth_DU... MAC
370 360, 361, 362,
365, 366, 367,
*KB_MacAuth_DU... MAC
370 360, 361, 362,
365, 366, 367,
370
Access Point Onboarding Scenario
Deployment Sequences - IAP connected to access switch
n A branch deployment that involves small network setup including IAP/wireless access points, access switch, and external radius-server ClearPass.
n Instant Access Point (IAP) connected to switch triggers mac-auth.
n If mac-auth is successful: l IAP is on-boarded with mac-auth role. l When 802.1x is initiated: o If 802.1x is initiated successfully, remove mac-auth role and apply 802.1x role. o If 802.1x initiation fails, the device must stay with mac-auth until it triggers to reauthenticate. l IAP can be connected to external server ClearPass for authentication of all wireless clients that connected with existing user-role support. With the existing user-role support, the clients must go through authentication even at switch level after IAP. l The enhanced attribute port-mode is configured and all wireless clients VLANs are tagged as a part of mac-
Aruba 2930M/F | Access Security Guide
250
auth role with tagged-vid-list. Then device is successfully deployed by opening the connected port to allow all wireless clients behind AP. l Clients from AP do not require authentication because the attribute port-mode allows all the clients behind the IAP and validates successful communication between the clients.
Advantages
n User roles can be downloaded for clients connected to different ports other than the wireless clients coming through AP with port-mode user-role.
n Device-specific poe attributes can be managed centrally from ClearPass. It prevents higher power consumption by allocating the power based on its device class and priority control mechanism.
Limitations
n The device-specific attributes can be supported for only one client per port. n Once the port-mode is applied, all the clients in the port will be de-authenticated. n When applying user-role with PoE allocation by class, the power allocation must be set based on PD class
detection and/or LLDP negotiation.
IP Phones as User-Based Tunneling Clients
IP phones use tagged VLANs for voice traffic, whereas the initial signaling or data exchange is done through untagged VLANs. In the switch software versions 16.10.0012 and earlier, switch tunneled voice and data traffic to controllers through untagged VLANs. From the switch software version 16.10.0013 onwards this default behavior of the switch is updated to selectively tunnel voice and data traffic in tagged or untagged VLANs, based on the dynamic traffic pattern detection. When the switch detects a tagged pattern of traffic, it stops the traffic tunneling through the untagged VLANs, and starts to tunnel the traffic through the tagged VLANs. This feature has the following limitations:
n The switch can tunnel traffic either through tagged or untagged VLANs at the same time. n Once the traffic tunneling is switched from untagged to tagged VLANs, the switch cannot reverse the process.
Downloadable user-roles
Downloadable user-role enables AOS-S to download user-roles, policy, and class from the Clear Pass Policy Manager server. The download facilitates the setup of policies and attributes for a specific user-role which can then be stored on the switch. New users can be configured and assigned the same stored version of the user-role in ClearPass, saving the administrator time reconfiguring each user individually.
n The command radius-server cppm identity <IDENTITY> key <KEY> can only be used if the user role is going to be downloaded from the ClearPass server.
n See commands radius-server host <server-ip> and radius-server key <key-string>.
aaa authorization user-role enable download
Syntax
aaa authorization user-role enable download
no aaa authorization user-role enable download
251
Aruba 2930M/F | Access Security Guide
Description
Enables the downloadable user-role. The no form of this command disables the downloadable user-role in AOS-S.
Command context
config
Parameters
download Enables the switch to download the user role from a ClearPass server.
Warning
The command no aaa authorization user-role enable disables both the user-role and the downloadable user-role.
Usage
A ClearPass user name and password must be configured for download user-role to work.
Example
Download the user role from a ClearPass server. switch(config)# aaa authorization user-role enable download Some legacy secure client access functionality is not supported when user roles are enabled. Please refer to the end user documentation for details.
CPPM user name and password must be configured for downloading the user role. CPPM HTTPS root certificate must be installed for downloading the user role.
radius-server cppm identity
Syntax
radius-server cppm identity <IDENTITY> key <KEY>
no radius-server cppm identity <IDENTITY>
Description
User name and logon password combination of the ClearPass allows access to the download user-roles. The no form of the command removes the user name and password combination from ClearPass.
Command context
user-role
Parameters
<IDENTITY> Specifies the user name of the ClearPass. <KEY>
Aruba 2930M/F | Access Security Guide
252
Specifies the password of the ClearPass user.
Example
Set the password key for the ClearPass user. switch(config)# radius-server cppm identity admin key xxxxxxxx
downloadable-role-delete
Syntax
downloadable-role-delete <USER-ROLE-NAME>
Description
Deletes the downloaded user-role, the associated class, and policy information from the user-role.
Command context
manager
Parameter
<USER-ROLE-NAME> Specifies the user-role name to be deleted.
Example
Delete the user-role for the user DUR_prof2_PUTN-3037-12. switch(config)# downloadable-role-delete DUR_prof2_PUTN-3037-12
show user-role <XYZ>
Syntax show user-role <XYZ> [detailed | downloaded]
Description
Shows the named user-role in either detail or downloaded information.
Command context
operator or manager
Parameters
<detailed> Specifies the downloaded user-role in detail. <downloaded> Specifies the downloaded user-role.
Example
Show the download information for user-role XYZ.
253
Aruba 2930M/F | Access Security Guide
switch(config)# show user-role XYZ downloaded
User Role Information
Name Type Reauthentication Period (seconds) : 0 Untagged VLAN Tagged VLAN Captive Portal Profile Policy Tunnelednode Server Redirect Secondary Role Name
: XYZ : Downloaded
: : : : : Enabled : ROLE NAME
show port-access clients
Syntax
show port-access clients
Description
Shows the list of all clients authenticated with successful user-role and clients rejected with initial-role.
Examples
switch(config)# show port-access clients Downloaded user roles are preceded by *
Port Access Client Status
Port Client Name MAC Address IP Address User Role
Type
----- ------------- -------------- ---------- ----------------- -----
--------
VLAN ----------------
1/A15 b45d50c54b24 b45d50-c54b24 n/a 363, 364,
368, 369,
1/A3 admin
000c29-316056 n/a
1/B3 20a6cdcf1be4 20a6cd-cf1be4 n/a
363, 364,
368, 369,
1/B5 34fcb9c3ab54 34fcb9-c3ab54 n/a 363, 364,
368, 369,
1/B6 08000f41f373 08000f-41f373 n/a 363, 364,
368, 369,
*KB_MacAuth_DU... MAC
360, 361, 362,
365, 366, 367,
*KB_Dot1x_DUR_... 8021X *KB_MacAuth_DU... MAC
370 50 360, 361, 362,
365, 366, 367,
*KB_MacAuth_DU... MAC
370 360, 361, 362,
365, 366, 367,
*KB_MacAuth_DU... MAC
370 360, 361, 362,
365, 366, 367,
370
debug usertn
Syntax
Aruba 2930M/F | Access Security Guide
254
debug usertn
Description
Enables the debug for the user tunneled node.
Command context
manager
Example
Debug session for the user tunneled node.
0007:23:11:47.44 TNT mtnodeUserCtrl:userTNodeProcAddUserReq User Add for num clients: 1 0007:23:11:47.54 TNT mtnodeUserCtrl:AMM: Sync user add 0007:23:11:47.60 TNT mtnodeUserCtrl:Bucket 148 initialized 0007:23:11:47.68 TNT mtnodeUserCtrl:userTNodeDecapReserveResource: reservetgTcam
0 reserve 1 port's uitgReserveCnt: 0 uac->uitgReserve:0
0007:23:11:47.83 TNT mtnodeUserCtrl:1664a8c0 uac->uitgReserve ZERO reserve 1
0007:23:11:47.92 TNT mtnodeUserCtrl:Entering userTNodeTCAMDecapReserveResources
0007:23:11:48.07 TNT mtnodeUserCtrl:userTNodeDecapReserveResource: reservetgTcam 0 reserve 1 port's uitgReserveCnt: 0 uac->uitgReserve:0
0007:23:11:48.22 TNT mtnodeUserCtrl:1564a8c0 uac->uitgReserve ZERO reserve 1
0007:23:11:48.30 TNT mtnodeUserCtrl:Entering userTNodeTCAMDecapReserveResources
0007:23:11:48.45 TNT mtnodeUserCtrl:User 000ffe-c8ce92 added to tree 0007:23:11:48.52 TNT mtnodeUserCtrl:UAC Bootstrap to node: 192.168.100.22 0007:23:11:48.60 TNT mtnodeUserCtrl:userTNodeSendUACBStrapReq: Packet Sent Successfully 0007:23:11:48.70 TNT mtnodeUserCtrl:User 000ffe-c8ce92 bootstrapping 0007:23:11:48.82 TNT mtnodeUserCtrl:create tunnel: 1 port 1664a8c0 uac 0 ifindex 0 count 0007:23:11:48.91 TNT mtnodeUserCtrl:AMM: Active Sync State uac ifindex:
318767788 port: 1 cluster: 0 uac: 1 0007:23:11:49.03 TNT mtnodeUserCtrl:create tunnel: 1 port 1564a8c0 uac 0 ifindex 0 count 0007:23:11:49.17 TNT mtnodeUserCtrl:AMM: Active Sync State uac ifindex:
318767789 port: 1 cluster: 0 uac: 0 0007:23:11:49.29 TNT mtnodeUserCtrl:User 000ffe-c8ce92 tunneling to 318767788 0007:23:11:49.37 TNT mtnodeUserCtrl:AMM: Sync papi payload from the controller event
Netservice and Netdestination Downloadable User Role
After netservice and Netdestination support for class filters, user can create class filters with alias. For Downloadable User Role (DUR), all the class policies are configured in ClearPass. For Netservice and Netdestination DUR, alias commands must be configured before the policy and class rule are configured in ClearPass. Several devices can reuse downloadable configurations after changing the host or network IP specified in the netdestination.
Example
To allow ftp/dhcp/dns
netdestination "source_ip" network 0.0.0.0/0 position 1 exit
255
Aruba 2930M/F | Access Security Guide
netdestination "destination_ip" network 0.0.0.0/0 position 1 exit netdestination "destination_dhcp_ip" host 255.255.255.255 exit netservice "allowrad" udp 1812 1813 netservice "allowftp" tcp 21 netservice "allowdhcp" udp 67 68 netservice "allowdns" udp 53 class ipv4 "allow-service" 12 match alias-src "any" alias-dst "destination_ip" alias-srvc allowrad 14 match alias-src "any" alias-dst "destination_ip" alias-srvc allowftp 16 match alias-src "any" alias-dst "destination_ip" alias-srvc allowdns 10 match alias-src "any" alias-dst "destination_dhcp_ip" alias-srvc allowdhcp exit policy user "allow-service" 10 class ipv4 "allow-service" action permit exit aaa authorization user-role name "netdestrole" policy "allow-service" vlan-id 2098 exit
Limitations
n There is a delay introduced during download of configuration from ClearPass to translate alias based class filters.
n The name given to user-defined/system defaults netdestination and netservice cannot be used in dynamically configured netdestination and netservice through ClearPass.
n The downloaded netdestination, netservice and alias based class filters are not displaced by show commands.
n ClearPass is the only RADIUS server where downloading of netdestination and netservice support are provided.
n ClearPass supports netservice and netdestination in advanced mode only. Standard mode is not supported.
Aruba 2930M/F | Access Security Guide
256
Chapter 12 IPv4 Access Control Lists (ACLs)
IPv4 Access Control Lists (ACLs)
An Access Control List (ACL) is a list of one or more Access Control Entries (ACEs), where each ACE consists of a matching criteria and an action (permit or deny). The information below describes how to configure, apply, and edit static IPv4 ACLs in a network populated with switches, and how to monitor IPv4 ACL actions.
This chapter describes ACLs for IPv4 configuration and operation. Because the switches covered by this guide support IPv4/IPv6 dual-stack operation, simultaneous operation of statically configured IPv4 and IPv6 ACLs is supported in these switches. However:
n IPv6 ACLs are not supported on switches J9779A, J9780A, J9782A, and J9783A. n IPv4 and IPv6 ACEs cannot be combined in the same static ACL. n IPv4 and IPv6 static ACLs do not filter each other's traffic.
In the following information, unless otherwise noted:
n The term "ACL" refers to static IPv4 ACLs. n Descriptions of ACL operation apply only to static IPv4 ACLs.
IPv4 filtering with ACLs can help improve network performance and restrict network use by creating policies for: Switch Management Access: Permits or denies in-band management access, including limiting and/or preventing the use of designated protocols that run on top of IPv4, such as TCP, UDP, IGMP, ICMP, and others. Also included are the use of precedence and ToS criteria, and control for application transactions based on source and destination IPv4 addresses and transport layer port numbers. Application Access Security: Eliminates unwanted traffic in a path by filtering IPv4 packets where they enter or leave the switch on specific VLAN interfaces. IPv4 ACLs can filter traffic to or from a host, a group of hosts, or entire subnets.
IPv4 ACLs can enhance network security by blocking selected traffic, and can serve as part of your network security program. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IPv4 packet transmissions, they should not be relied upon for a complete security solution.
IPv4 ACLs on the switches covered by this manual do not filter non-IPv4 traffic such as IPv6, AppleTalk, and IPX packets.
Extended ACL
Use an extended ACL when simple IPv4 source address restrictions do not provide the sufficient traffic selection criteria needed on an interface. Extended ACLs allow use of the following criteria:
Aruba 2930M/F | Access Security Guide
257
n source and destination IPv4 address combinations n IPv4 protocol options
Extended, named ACLs also offer an option to permit or deny IPv4 connections using TCP for applications such as Telnet, http, ftp, and others.
Types of IPv4 ACLs
A permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other factors.
Standard ACL
Use a standard ACL when you need to permit or deny IPv4 traffic based on source address only. Standard ACLs are also useful when you need to quickly control a performance problem by limiting IPv4 traffic from a subnet, group of devices, or a single device. This can block all IPv4 traffic from the configured source, but does not hamper IPv4 traffic from other sources within the network. A standard ACL uses an alphanumeric ID string or a numeric ID of 1 through 99. Specify a single host, a finite group of hosts, or any host.
Extended ACL
Use an extended ACL when simple IPv4 source address restrictions do not provide the sufficient traffic selection criteria needed on an interface. Extended ACLs allow use of the following criteria:
n source and destination IPv4 address combinations n IPv4 protocol options
Extended, named ACLs also offer an option to permit or deny IPv4 connections using TCP for applications such as Telnet, http, ftp, and others.
ACL applications
ACL filtering is applied to IPv4 traffic as follows: Static port ACL
Any inbound IPv4 traffic on that port. Dynamic port ACL
On a port having an ACL assigned by a RADIUS server to filter an authenticated client's traffic, filters inbound IPv4 and IPv6 traffic from that client. For information on RADIUS-assigned ACLs, see RADIUS Services Support on Aruba Switches on page 359. VLAN ACL (VACL) On a VLAN configured with a VACL, inbound IP traffic, regardless of whether it is switched or routed. On a multinetted VLAN, this includes inbound IPv4 traffic from any subnet.
VACL applications
VACLs filter any IPv4 traffic entering the switch on a VLAN configured with the "VLAN" ACL option.
Syntax
vlan <vid> ip access-group <identifier> vlan
258
Aruba 2930M/F | Access Security Guide
For example, in Figure 35: VACL filter application to IPv4 traffic entering the switch, you would assign a VACL to VLAN 2 to filter all inbound switched or routed IPv4 traffic received from clients on the 10.28.20.0 network. In this instance, routed traffic received on VLAN 2 from VLANs 1 or 3 would not be filtered by the VACL on VLAN 2.
Figure 35 VACL filter application to IPv4 traffic entering the switch
The switch allows one VACL assignment configured per VLAN. This is in addition to any other ACL applications assigned to the VLAN or to ports in the VLAN.
Static port ACL and RADIUS-assigned ACL applications
An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port, regardless of whether the traffic is switched or routed.
RADIUS-assigned (dynamic) port ACL applications
Dynamic (RADIUS-assigned) port ACLs are configured on RADIUS servers and can be configured to filter IPv4 traffic inbound from clients authenticated by such servers.
802.1X user-based and port-based applications User-Based 802.1X access control allows up to 32 individually authenticated clients on a given port. Port-Based access control does not set a client limit, and requires only one authenticated client to open a given port; it is recommended for applications where only one client at a time can connect to the port.
n If you configure 802.1X user-based security on a port and the RADIUS response includes a RADIUSassigned ACL for at least one authenticated client, then the RADIUS response for all other clients authenticated on the port must also include a RADIUS-assigned ACL. Inbound IP traffic on the port from a client that authenticates without receiving a RADIUS-assigned ACL will be dropped and the client will be deauthenticated.
n Using 802.1X port-based security on a port where the RADIUS response includes a dynamic port ACL, only the first client to authenticate can use the port. Traffic from other clients will be dropped.
Aruba 2930M/F | Access Security Guide
259
Multiple ACLs on an interface
The switch allows multiple ACL applications on an interface (subject to internal resource availability). This means that a port belonging to a given VLAN "X" can simultaneously be subject to all of the following:
n One static port ACL for any IPv4 or IPv6 traffic entering the switch on the port.
n One static VACL for IPv4 or IPv6 traffic for VLAN "X" entering the switch on the port.
n One dynamic (RADIUS-assigned) port ACL applied to inbound IPv4 traffic for each authenticated client on the port.
Features common to all ACL applications
n Any ACL can have multiple entries (ACEs). n You can apply any one ACL to multiple interfaces. n All ACEs in an ACL configured on the switch are automatically sequenced (numbered). For an existing ACL,
entering an ACE without specifying a sequence number automatically places the ACE at the end of the list. Specifying a sequence number inserts the ACE into the list at the specified sequential location. l Automatic sequence numbering begins with "10" and increases in increments of 10. You can renumber the
ACEs in an ACL and also change the sequence increment between ACEs. l The CLI remark command option allows you to enter a separate comment for each ACE. n A source or destination IPv4 address and a mask, together, can define a single host, a range of hosts, or all hosts. n Every ACL populated with one or more explicit ACEs includes an Implicit Deny as the last entry in the list. The switch applies this action to any packets that do not match other criteria in the ACL. For standard ACLs, the Implicit Deny is deny any. For extended ACLs, it is deny ip any any. n In any ACL, you can apply an ACL log function to ACEs that have an explicit "deny" action. The logging occurs when there is a match on a "deny" ACE. The switch sends ACL logging output to Syslog, if configured, and, optionally, to a console session.
You can create ACLs for the switch configuration using either the CLI or a text editor. The text-editor method is recommended when you plan to create or modify an ACL that has more entries than you can easily enter or edit using the CLI alone.
General steps for planning and configuring ACLs
Procedure
1. Identify the ACL action to apply. As part of this step, determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv4 traffic at the edge of the network instead of in the core. Also, on the switch itself, you can improve performance by filtering unwanted IPv4 traffic where it is inbound to the switch instead of outbound.
Traffic source
IPv4 traffic entering the switch on a specific port
switched or routed IPv4 traffic entering the switch on a specific VLAN
ACL application
static port ACL (static-port assigned) for any inbound IPv4 traffic on a port from any source
VACL (VLAN ACL)
260
Aruba 2930M/F | Access Security Guide
2. Identify the traffic types to filter. n The SA and/or the DA of traffic you want to permit or deny. This can be a single host, a group of hosts, a subnet, or all hosts. n Traffic of a specific IPv4 protocol type (0-255) n Any TCP traffic (only) for a specific TCP port or range of ports, including optional control of connection traffic based on whether the initial request should be allowed n All UDP traffic or UDP traffic for a specific UDP port n All ICMP traffic or ICMP traffic of a specific type and code n All IGMP traffic or IGMP traffic of a specific type n Any of the above with specific precedence and/or ToS settings
3. Design the ACLs for the control points (interfaces) selected. When using explicit "deny" ACEs, optionally use the VACL logging feature for notification that the switch is denying unwanted packets.
4. Configure the ACLs on the selected switches. 5. Assign the ACLs to the interfaces you want to filter, using the ACL application (static port ACL)
appropriate for each assignment. 6. Test for desired results.
Options for applying IPv4 ACLs on the switch
To apply IPv4 ACL filtering, assign a configured IPv4 ACL to the interface on which you want traffic filtering to occur. VLAN and routed IPv4 traffic ACLs can be applied statically using the switch configuration.
Static ACLs
Static ACLs are configured on the switch. To apply a static ACL, you must assign it to an interface (VLAN or port).
VLAN ACL (VACL)
A VACL is an ACL configured on a VLAN to filter traffic entering the switch on that VLAN interface and having a destination on the same VLAN.
Static port ACL
A static port ACL is an ACL configured on a port to filter traffic entering the switch on that port, regardless of whether the traffic is routed, switched, or addressed to a destination on the switch itself.
The information provided here describes the IPv4 ACL applications you can statically configure on the switch. For information on static IPv6 ACL applications, see "IPv6 Access Control Lists (ACLs)" in the IPv6 Configuration Guide for your switch.
Dynamic port ACLs
A dynamic port ACL is configured on a RADIUS server for assignment to a given port when the server authenticates a specific client on that port. When the server authenticates a client associated with that ACL, the ACL is assigned to the port the client is using. The ACL then filters the IP traffic received inbound on that port from the authenticated client. When the client session ends, the ACL is removed from the port. The switch allows as many dynamic port ACLs on a port as it allows authenticated clients.
Aruba 2930M/F | Access Security Guide
261
The information provided here describes the IPv4 ACL applications you can statically configure on the switch. For information on dynamic port ACLs assigned by a RADIUS server, see .
IPv4 static ACL operation
Introduction
An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of a matching criteria and an action (permit or deny). A static ACL applies only to the switch in which it is configured. ACLs operate on assigned interfaces, and offer these traffic filtering options:
n IPv4 traffic inbound on a port. n IPv4 traffic inbound on a VLAN. n Routed IPv4 traffic entering or leaving the switch on a VLAN. (Note that ACLs do not screen traffic at the
internal point where traffic moves between VLANs or subnets within the switch. See ACL applications.
The following table lists the range of interface options:
Interface Port
VLAN
ACL Application
Static Port ACL (switch configured)
VACL
Application Point inbound on the switch
Filter Action inbound IPv4 traffic
entering the switch on the VLAN inbound IPv4 traffic
After you assign an IPv4 ACL to an interface, the default action on the interface is to implicitly deny IPv4 traffic that is not specifically permitted by the ACL. (This applies only in the direction of traffic flow filtered by the ACL.)
The packet-filtering process
Packet-filtering in an applied ACL is sequential, from the first ACE in the ACL to the implicit deny any any following the last explicit ACE. This operation is the same regardless of whether the ACL is applied dynamically from a RADIUS server or statically in the switch configuration.
ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.
262
Aruba 2930M/F | Access Security Guide
If a RADIUS-assigned ACL permits an authenticated client's inbound IP packet, but the client port is also configured with a static port ACL and/or belongs to a VLAN for which there is an inbound, VLAN-based ACL configured on the switch, then the packet will also be filtered by these other ACLs. If there is a match with a deny ACE in any of these ACLs, the switch drops the packet.
Sequential comparison and action
When an ACL filters a packet, it sequentially compares each ACE's filtering criteria to the corresponding data in the packet until it finds a match. The action indicated by the matching ACE (deny or permit) is then performed on the packet.
Implicit Deny
If a packet does not have a match with the criteria in any of the ACEs in the ACL, the ACL denies (drops) the packet. If you need to override the implicit deny so that a packet that does not have a match will be permitted, then you can use the "permit any" option as the last ACE in the ACL. This directs the ACL to permit (forward) packets that do not have a match with any earlier ACE listed in the ACL, and prevents these packets from being filtered by the implicit "deny any". The ACL tries to apply the first ACE in the list. If there is not a match, it tries the second ACE, and so on. When a match is found, the ACL invokes the configured action for that entry (permit or drop the packet) and no further comparisons of the packet are made with the remaining ACEs in the list. This means that when an ACE whose criteria matches a packet is found, the action configured for that ACE is invoked, and any remaining ACEs in the ACL are ignored. Because of this sequential processing, successfully implementing an ACL depends in part on configuring ACEs in the correct order for the overall policy you want the ACL to enforce.
Aruba 2930M/F | Access Security Guide
263
Figure 36 The packet-filtering process in an ACL with N entries (ACEs)
The order in which an ACE occurs in an ACL is significant.
For example, if an ACL contains six ACEs, but the first ACE allows Permit Any forwarding, then the ACL permits all IPv4 traffic, and the remainingACEs in the list do not apply, even if they specify criteria that would make a match with any of the traffic permitted by the first ACE.
It is important to remember that all IPv4 ACLs configurable on the switch include an implicit deny ip any. That is, IPv4 packets that the ACL does not explicitly permit or deny will be implicitly denied, and therefore dropped instead of forwarded on the interface. If you want to preempt the implicit deny so that IPv4 packets not explicitly denied by other ACEs in the ACL will be permitted, insert an explicit "permit any" as the last ACE in the ACL. Doing so permits any packet not explicitly denied by earlier entries.
Planning an ACL application
Before creating and implementing ACLs, you need to define the policies you want your ACLs to enforce, and understand how the ACL assignments will impact your network users.
264
Aruba 2930M/F | Access Security Guide
All IPv4 traffic entering the switch on a given interface is filtered by all ACLs configured for inbound traffic on that interface. For this reason, an inbound IPv4 packet will be denied (dropped) if it has a match with either an implicit or explicit deny in any of the inbound ACLs applied to the interface.
See Multiple ACLs on an interface for more detail.
IPv4 traffic management and improved network performance
Use ACLs to block traffic from individual hosts, workgroups, or subnets, and to block access to VLANs, subnets, devices, and services. Traffic criteria for ACLs include:
n Switched and/or routed traffic n Any traffic of a specific IPv4 protocol type (0-255) n Any TCP traffic (only) for a specific TCP port or range of ports, including optional control of connection traffic
based on whether the initial request should be allowed n Any UDP traffic or UDP traffic for a specific UDP port n Any ICMP traffic or ICMP traffic of a specific type and code n Any IGMP traffic or IGMP traffic of a specific type
Depending on the source and/or destination of a given IPv4 traffic type, you must also determine the ACL application(s) (VACL or static port ACL) needed to filter the traffic on the applicable switch interfaces. Answering the following questions can help you to design and properly position IPv4 ACLs for optimum network usage.
n What are the logical points for minimizing unwanted traffic, and what ACL application(s) should be used? In many cases it makes sense to prevent unwanted traffic from reaching the core of your network by configuring ACLs to drop the unwanted traffic at or close to the edge of the network. The earlier in the network path you can block unwanted traffic, the greater the benefit for network performance.
n From where is the traffic coming? The source and destination of traffic you want to filter determines the ACL application to use (static port ACL, VACL, and dynamic port ACL).
n What traffic should you explicitly block? Depending on your network size and the access requirements of individual hosts, this can involve creating a large number of ACEs in a given ACL (or a large number of ACLs), which increases the complexity of your solution.
n What traffic can you implicitly block by taking advantage of the implicitdeny ip any to deny traffic that you have not explicitly permitted? This can reduce the number of entries needed in an ACL.
n What traffic should you permit? In some cases you will need to explicitly identify permitted traffic. In other cases, depending on your policies, you can insert an ACE with "permit any" forwarding at the end of an ACL. This means that all IPv4 traffic not specifically matched by earlier entries in the list will be permitted.
Security
ACLs can enhance security by blocking traffic carrying an unauthorized source IPv4 address (SA). This can include:
n Blocking access from specific devices or interfaces (port or VLAN) n Blocking access to or from subnets in your network n Blocking access to or from the internet
Aruba 2930M/F | Access Security Guide
265
n Blocking access to sensitive data storage or restricted equipment n Preventing specific IPv4, TCP, UDP, IGMP, and ICMP traffic types, including unauthorized access using
functions such as Telnet, SSH, and web browser
You can also enhance switch management security by using ACLs to block IPv4 traffic that has the switch itself as the destination address (DA).
IPv4 ACLs can enhance network security by blocking selected traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.
Static ACLs for the switches covered by this guide do not filter non-IPv4 traffic such as IPv6, AppleTalk, and IPX. Dynamic port ACLs assigned by a RADIUS server can be configured on the server to filter IPv4 traffic, but do not filter non-IP traffic.
Guidelines for planning the structure of a static ACL
After determining the filtering type (standard or extended) and ACL application (VACL or static port ACL) to use at a particular point in your network, determine the order in which to apply individual ACEs to filter IPv4 traffic.
n The sequence of ACEs is significant. When the switch uses an ACL to determine whether to permit or deny a packet on a particular VLAN, it compares the packet to the criteria specified in the individual Access Control Entries (ACEs) in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found. When a match is found, the switch applies the indicated action (permit or deny) to the packet.
n The first match in an ACL dictates the action on a packet. Subsequent matches in the same ACL areignored.However, if a packet is permitted by one ACL assigned to an interface, but denied by another ACL assigned to the same interface, the packet will be denied on the interface.
n On any ACL, the switch implicitly denies IPv4 packets that are not explicitly permitted or denied by the ACEs configured in the ACL. If you want the switch to forward a packet for which there is not a match in an ACL, append an ACE that enables Permit Any forwarding as the last ACE in the ACL. This ensures that no packets reach the Implicit Deny case for that ACL.
n Generally, you should list ACEs from the most specific (individual hosts) to the most general (subnets or groups of subnets) unless doing so permits traffic that you want dropped. For example, an ACE allowing a small group of workstations to use a specialized printer should occur earlier in an ACL than an entry used to block widespread access to the same printer.
IPv4 ACL configuration and operating rules
VACLs and switched or routed IPv4 traffic
A VACL filters traffic entering the switch on the VLANs to which it is assigned.
Static port ACLs
A static port ACL filters traffic entering the switch on the ports or trunks to which it is assigned.
Per switch ACL limits for all ACL types
At a minimum an ACL must have one, explicit "permit" or "deny" Access Control Entry. You can configure up to 1024 ACLs.
266
Aruba 2930M/F | Access Security Guide
For IPv4 ACLs, the maximums are as follows:
n Named (Extended or Standard) ACLs: Up to 1024 (minus any numeric standard or extended ACL assignments)
n Numeric Standard ACLs: Up to 99; numeric range: 1-99
n Numeric Extended ACLs: Up to 100; numeric range: 100-199
n The maximum number of ACEs supported by the switch is up to 4096 for IPv4 ACEs. The maximum number of ACEs allowed on port depends on the concurrent resource usage by multiple configured features. For more information, use the show <qos|access-list> resources command. For a summary of IPv4 and IPv6 ACL resource limits, see the appendix covering scalability in the latest management and configuration guide for your switch.
Implicit deny
In any static IPv4 ACL, the switch automatically applies an implicit deny ip any that does not appear in show listings. This means that the ACL denies any IPv4 packet it encounters that does not have a match with an entry in the ACL. Thus, if you want an ACL to permit any packets that you have not expressly denied, you must enter a permit any or permit ip any any as the last ACE in an ACL. Because, for a given packet the switch sequentially applies the ACEs in an ACL until it finds a match, any packet that reaches the permit any or permit ip any any entry will be permitted, and will not encounter the deny ip any ACE the switch automatically includes at the end of the ACL. For Implicit Deny operation in dynamic ACLs, see .
Explicitly permitting any IPv4 traffic
Entering a permit any or a permit ip any any ACE in an ACL permits all IPv4 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point do not have any effect.
Explicitly denying any IPv4 traffic
Entering a deny any or a deny ip any any ACE in an ACL denies all IPv4 traffic not previously permitted or denied by that ACL. Any ACEs after that point have no effect.
Replacing one ACL with another using the same application
For a specific interface, the most recent ACL assignment using a given application replaces any previous ACL assignment using the same application on the same interface.
Static port ACLs:
These are applied per-port, per port-list, or per static trunk. Adding a port to a trunk applies the trunk's ACL configuration to the new member. If a port is configured with an ACL, the ACL must be removed before the port is added to the trunk. Also, removing a port from an ACL-configured trunk removes the ACL configuration from that port.
VACLs
These filter any IPv4 traffic entering the switch through any port belonging to the designated VLAN. VACLs do not filter traffic leaving the switch or being routed from another VLAN.
VACLs operate on static VLANs
You can assign an ACL to any VLAN that is statically configured on the switch. ACLs do not operate with dynamic VLANs.
Aruba 2930M/F | Access Security Guide
267
A VACL affects all physical ports in a static VLAN
A VACL assigned to a VLAN applies to all physical ports on the switch belonging to that VLAN, including ports that have dynamically joined the VLAN.
How an ACE uses a mask to screen packets for matches
When the switch applies an ACL to IPv4 traffic, each ACE in the ACL uses an IPv4 address and ACL mask to enforce a selection policy on the packets being screened. That is, the mask determines the range of IPv4 addresses (SA only or SA/DA) that constitute a match between the policy and a packet being screened.
What Is the difference between network (or subnet) masks and the masks used with ACLs?
In common IPv4 addressing, a network (or subnet) mask defines which part of the address to use for the network number and which part to use for the hosts on the network. For example:
Address
Mask
Network address
10.38.252.195 255.255.255.0 first three octets
Host address The fourth octet.
10.38.252.195 255.255.248.0 first two octets and the left- most five bits of the third octet
The right most three bits of the third octet and all bits in the fourth octet.
Thus, the bits set to 1 in a network mask define the part of an IPv4 address to use for the network number, and the bits set to 0 in the mask define the part of the address to use for the host number. In an ACL, IPv4 addresses and masks provide criteria for determining whether to deny or permit a packet, or to pass it to the next ACE in the list. If there is a match, the configured deny or permit action occurs. If there is not a match, the packet is compared with the next ACE in the ACL. Thus, where a standard network mask defines how to identify the network and host numbers in an IPv4 address, the mask used with ACEs defines which bits in a packet's SA or DA must match the corresponding bits in the SA or DA listed in an ACE, and which bits can be wildcards.
Rules for defining a match between a packet and an ACE
n For a given ACE, when the switch compares an IPv4 address and corresponding mask in the ACE to an IPv4 address carried in a packet: l A mask-bit setting of 0 ("off") requires that the corresponding bits in the packet's address and in the ACE's address must be the same. Thus, if a bit in the ACE's address is set to 1 ("on"), the same bit in the packet's address must also be 1. l A mask-bit setting of 1 ("on") means the corresponding bits in the packet's address and in the ACE's address do not have to be the same. Thus, if a bit in the ACE's address is set to 1, the same bit in the packet's address can be either 1 or 0 ("on" or "off").
For an example, see Example of how the mask bit settings define a match on page 270. n In any ACE, a mask of all ones means any IPv4 address is a match. Conversely, a mask of all zeros means
the only match is an IPv4 address identical to the host address specified in the ACE. n Depending on your network, a single ACE that allows a match with more than one source or destination IPv4
address may allow a match with multiple subnets. For example, in a network with a prefix of 31.30.240 and a subnet mask of 255.255.240.0 (the leftmost 20 bits), applying an ACL mask of 0.0.31.255 causes the subnet mask and the ACL mask to overlap one bit, which allows matches with hosts in two subnets: 31.30.224.0 and
268
Aruba 2930M/F | Access Security Guide
31.30.240.0.
Bit Position in the Third Octet of Subnet Mask 255.255.240.0
Bit Values
128
64
32
16
8
4
2
1
Subnet Mask Bits
1
1
1
1
n/a
n/a
n/a
n/a
Mask Bit Settings
0
0
0
1 or 0 n/a
n/a
n/a
n/a
Affecting Subnet
Addresses
This ACL supernetting technique can help to reduce the number of ACLs you need. You can apply it to a multinetted VLAN and to multiple VLANs. However, ensure that you exclude subnets that do not belong in the policy. If this creates a problem for your network, you can eliminate the unwanted match by making the ACEs in your ACL as specific as possible, and using multiple ACEs carefully ordered to eliminate unwanted matches.
n Every IPv4 address and mask pair (source or destination) used in an ACE creates one of the following policies: l Any IPv4 address fits the matching criteria. In this case, the switch automatically enters the address and mask in the ACE. For example:
Syntax: access-list 1 deny any
Produces this policy in an ACL listing:
Address 0.0.0.0
Mask 255.255.255.255
This policy states that every bit in every octet of a packet's SA is a wildcard, which covers any IPv4 address. l One IPv4 address fits the matching criteria. In this case, you provide the address and the switch provides the mask. For example: Syntax: access-list 1 permit host 10.28.100.15Produces this policy in an ACL listing:
Address 10.28.100.15
Mask 0.0.0.0
This policy states that every bit in every octet of a packet's SA must be the same as the corresponding bit in the SA defined in the ACE. l A group of IPv4 addresses fits the matching criteria. In this case you provide both the address and the mask. For example: Syntax:access-list 1 permit 10.28.32.1 0.0.0.31
Aruba 2930M/F | Access Security Guide
269
Address Mask 10.28.32.1 0.0.0.31
This policy states that: o In the first three octets of a packet's SA, every bit must be set the same as the corresponding bit in the
SA defined in the ACE. o In the last octet of a packet's SA, the first three bits must be the same as in the ACE, but the last five bits
are wildcards and can be any value.
n Unlike subnet masks, the wildcardbits in an ACL mask need not be contiguous. For example, 0.0.7.31 is a valid ACL mask. However, a subnet mask of 255.255.248.224 is not a valid subnet mask.
Example of how the mask bit settings define a match
Assume an ACE where the second octet of the mask for an SA is 7 (the rightmost three bits are "on", or "1") and the second octet of the corresponding SA in the ACE is 31 (the rightmost five bits). In this case, a match occurs when the second octet of the SA in a packet being filtered has a value in the range of 24 to 31.
Table 16: How the mask defines a match
Location of octet
Bit position in the octet
128
64
32
16
8
4
2
SA in ACE
0
0
0
1
1
1
1
Mask for SA
0
0
0
0
0
1
1
Corresponding Octet of a Packet's
0*
SA
0*
0*
1*
1*
0/1
0/1
* Indicates that the bits in the packet must exactly match the bits in the source address in the ACE. Wherever the mask bits are zeros, the bit in the packet must exactly match must exactly match the corresponding bit in the source address in the ACE. Wherever the mask bits are ones (wildcards), the corresponding address bits in the packet can be any value.
NOTE: This example covers only one octet of an IPv4 address. An actual ACE applies this method to all four octets of the address.
Example of allowing only one IPv4 address ("host" option)
Suppose, for example, that you have configured the ACL in Figure 37: An ACL with an ACE that allows only one source address to filter inbound packets on VLAN 20. Because the mask is all zeros, the ACE policy dictates that a match occurs only when the source address on such packets is identical to the address configured in the ACE.
270
Aruba 2930M/F | Access Security Guide
Figure 37 An ACL with an ACE that allows only one source address
Examples allowing multiple IPv4 addresses The following tables provide examples of how to apply masks to meet various filtering requirements.
Table 17: Using an IP address and mask in an ACE
Address in the ACE A: 10.38.252.195 B: 10.38.252.195
C: 10.38.252.195 D: 10.38.252.195
Mask
Policy for a match between a packet and the ACE
Allowed addresses
0.0.0.255
Exact match in first three octets 10.38.252.<0-255>
only.
(See row A in the following table.)
0.0.7.255
Exact match in the first two octets and the leftmost five bits (248) of the third octet.
10.38.<248-255>.<0-255>
(In the third octet, only the rightmost three bits are wildcard bits. The leftmost five bits must be a match, and in the ACE, these bits are all set to 1. See row B in the following table.)
0.0.0.0
Exact match in all octets.
10.38.252.195 (There are no wildcard bits in any of the octets. See row C in the following table.)
0.15.255.255
Exact match in the first octet and the leftmost four bits of the second octet.
10.<32-47> .<0-255> .<0-255> (In the second octet, the rightmost four bits are wildcard bits. See row D in the following table.)
Table 18: Mask effect on selected octets of the IPv4 addresses in Using an IP address and mask in an ACE
Addr Octet Mask
A
3
0 all bits
B
3
7 last 3 bits
C
4
0 all bits
Octet range 128 64 32 16 8
252
1
1111
248-255
1
1111
195
1
1000
4
2
1
1
0
0
0 or 1 0 or 1 0 or 1
0
1
1
Aruba 2930M/F | Access Security Guide
271
Addr Octet Mask
Octet range 128 64 32 16 8
4
2
1
D
2
15 last 4 bits 32-47
0
0 1 0 0 or 1 0 or 1 0 or 1 0 or 1
All bit settings in this table must be an exact match.
If there is a match between the policy in the ACE and the IPv4 address in a packet, the packet is either permitted or denied according to how the ACE is configured. If there is no match, the next ACE in the ACL is applied to the packet. The same operation applies to a destination IPv4 address used in an extended ACE.
Where an ACE includes both source and destination addresses, there is one address/ACL-mask pair for the source address, and another address/ACL-mask pair for the destination address.
Configuring and assigning an IPv4 ACL
General steps for implementing ACLs
Procedure
1. Configure one or more ACLs. 2. This creates and stores the ACL(s) in the switch configuration. 3. Assign an ACL. 4. This step uses one of the following applications to assign the ACL to an interface:
a. VACL (any IPv4 traffic entering the switch on a given VLAN)
b. Static Port ACL (any IPv4 traffic entering the switch on a given port, port list, or static trunk)
Options for permit/deny policies
The permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other IPv4 factors.
n Standard ACL: Uses only a packet's source IPv4 address as a criterion for permitting or denying the packet. For a standard ACL ID, use either a unique numeric string in the range of 1-99 or a unique name string of up to 64 alphanumeric characters.
n Extended ACL: Offers the following criteria as options for permitting or denying a packet: For an extended ACL ID, use either a unique number in the range of 100-199 or a unique name string of up to 64 alphanumeric characters. l source IPv4 address l destination IPv4 address l IPv4 protocol options: o Any IPv4 traffic o Any traffic of a specific IPv4 protocol type (0-255) o Any TCP traffic (only) for a specific TCP port or range of ports, including optional use of TCP control bits or control of connection (established) traffic based on whether the initial request should be allowed o Any UDP traffic (only) or UDP traffic for a specific UDP port o Any ICMP traffic (only) or ICMP traffic of a specific type and code o Any IGMP traffic (only) or IGMP traffic of a specific type
272
Aruba 2930M/F | Access Security Guide
Carefully plan ACL applications before configuring specific ACLs.
ACL configuration structure
After you enter an ACL command, you may want to inspect the resulting configuration. This is especially true where you are entering multiple ACEs into an ACL. Also, it is helpful to understand the configuration structure when using the following information. The basic ACL structure includes four elements:
Procedure
1. ACL identity and type: identifies the ACL as standard or extended and shows the ACL name or number. 2. Optional remark entries. 3. One or more deny/permit list entries (ACEs): One entry per line.
Element Type Identifier Remark
Maximum ACEs per Switch
Notes
Standard or Extended
n Alphanumeric; Up to 64 Characters, Including Spaces n Numeric: 1-99 (Standard) or 100-199 (Extended)
Allows up to 100 alphanumeric characters, including blank spaces. (If any spaces are used, the remark must be enclosed in a pair of single or double quotes.) A remark is associated with a particular ACE and will have the same sequence number as the ACE. (One remark is allowed per ACE.)
The upper limit on ACEs supported by the switch depends on the concurrent resource usage by configured ACL, QoS, Mirroring, and other features.
4. Implicit Deny: Where an ACL is in use, it denies any packets that do not have a match with the ACEs explicitly configured in the list. The Implicit Deny does not appear in ACL configuration listings, but always functions when the switch uses an ACL to filter packets. (You cannot delete the Implicit Deny, but you can supersede it with a permit any or permit ip any any statement.)
Standard ACL structure
Individual ACEs in a standard ACL include only a permit/deny statement, the source addressing, and an optional log command (available with "deny" statements).
Figure 38 The general structure for a standard ACL
Aruba 2930M/F | Access Security Guide
273
For example, Figure 39: A displayed standard ACL configuration with two ACEs shows how to interpret the entries in a standard ACL. Figure 39 A displayed standard ACL configuration with two ACEs
Extended ACL configuration structure
Individual ACEs in an extended ACL include: n A permit/deny statement n Source and destination IPv4 addressing n Choice of IPv4 criteria, including optional precedence and ToS Optional ACL log command (for deny entries) Optional remark statements Figure 40 Example of general structure options for an extended ACL
For example, Figure 41: Displayed extended ACL configuration shows how to interpret the entries in an extended ACL.
274
Aruba 2930M/F | Access Security Guide
Figure 41 Displayed extended ACL configuration
ACL configuration factors
The sequence of entries in an ACL is significant
When the switch uses an ACL to determine whether to permit or deny a packet, it compares the packet to the criteria specified in the individual ACEs in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found. When a match is found, the switch applies the indicated action (permit or deny) to the packet. This is significant because, once a match is found for a packet, subsequent ACEs in the same ACL will not be applied to that packet, regardless of whether they match the packet. For example, suppose that you have applied the ACL shown in to inbound IPv4 traffic on VLAN 1 (the default VLAN):
Figure 42 A standard ACL that permits all IPv4 traffic not implicitly denied
Aruba 2930M/F | Access Security Guide
275
Table 19: Effect of the above ACL on inbound IPv4 traffic in the assigned VLAN
Line # n/a 10 20 30
40
50 n/a
exit
Action
Shows type (extended) and ID (Sample-List-2).
A packet from SA 10.28.235.10 will be denied (dropped). This ACE filters out all packets received from 10.28.235.10. As a result, IPv4 traffic from that device will not be allowed and packets from that device will not be compared against any later entries in the list.
A packet from SA 10.28.245.89 will be denied (dropped). This ACE filters out all packets received from 10.28.245.89. As the result, IPv4 traffic from that device will not be allowed and packets from that device will not be compared against any later entries in the list.
A TCP packet from SA 10.28.18.100 with a DA of 10.28.237.1 will be permitted (forwarded). Since no earlier ACEs in the list have filtered TCP packets from 10.28.18.100 and destined for 10.28.237.1, the switch will use this ACE to evaluate such packets. Any packets that meet this criteria will be forwarded. (Any packets that do not meet this TCP source-destination criteria are not affected by this ACE.)
A TCP packet from source address 10.28.18.100 to any destination address will be denied (dropped). Since, in this example, the intent is to block TCP traffic from 10.28.18.100 to any destination except the destination stated in the ACE at line 30, this ACE must follow the ACE at line 30. (If their relative positions were exchanged, all TCP traffic from 10.28.18.100 would be dropped, including the traffic for the 10.28.18.1 destination.)
Any packet from any IPv4 SA to any IPv4 DA will be permitted (forwarded). The only traffic to reach this ACE will be IPv4 packets not specifically permitted or denied by the earlier ACEs.
The Implicit Deny is a function the switch automatically adds as the last action in all ACLs. It denies (drops) any IPv4 traffic from any source to any destination that has not found a match with earlier entries in the ACL. In this example, the ACE at line 50 permits (forwards) any IPv4 traffic not already permitted or denied by the earlier entries in the list, so there is no traffic remaining for action by the Implicit Deny function.
Marks the end of the ACL.
Allowing for the Implied Deny function
In any ACL having one or more ACEs there will always be a packet match. This is because the switch automatically applies an Implicit Deny as the last ACE in any ACL. This function is not visible in ACL listings, but is always present, see Figure 42: A standard ACL that permits all IPv4 traffic not implicitly denied. This means that if you configure the switch to use an ACL for filtering either inbound or outbound IPv4 traffic on a VLAN, any packets not specifically permitted or denied by the explicit entries you create will be denied by the Implicit Deny action. If you want to preempt the Implicit Deny (so that IPv4 traffic not specifically addressed by earlier ACEs in a given ACL will be permitted), insert an explicit permit any (for standard ACLs) or permit ip any any (for extended ACLs) as the last explicit ACE in the ACL.
A configured ACL has no effect until you apply it to an interface
The switch stores ACLs in the configuration file. Thus, until you actually assign an ACL to an interface, it is present in the configuration, but not used (and does not use any of the monitored resources, see "Monitored Resources" in the Management and Configuration Guide for your switch.)
276
Aruba 2930M/F | Access Security Guide
You can assign an ACL name or number to an interface even if the ACL does not exist in the switch configuration
In this case, if you subsequently create an ACL with that name or number, the switch automatically applies each ACE as soon as you enter it in the running-config file. Similarly, if you modify an existing ACE in an ACL you already applied to an interface, the switch automatically implements the new ACE as soon as you enter it. The switch allows up to 2048 ACLs each for IPv4 and determines the total from the number of unique ACL names in the configuration. For example, if you configure two ACLs, but assign only one of them to a VLAN, the ACL total is two, for the two unique ACL names. If you then assign the name of a nonexistent ACL to a VLAN, the new ACL total is three, because the switch now has three unique ACL names in its configuration. (RADIUS-based ACL resources are drawn from the IPv4 allocation). (For a summary of ACL resource limits, see the appendix covering scalability in the latest management and configuration guide for your switch.)
Using the CLI to create an ACL
You can use either the switch CLI or an offline text editor to create an ACL. This section describes the CLI method, which is recommended for creating short ACLs.
Inserting or adding an ACE to an ACL
These rules apply to all IPv4 ACEs you create or edit using the CLI:
Named IPv4 ACLs:
Add an ACE to the end of a named ACE by using the ip access-list command to enter the Named ACL (nacl) context and entering the ACE without the sequence number.For example, if you wanted to add a "permit" ACL at the end of a list named "List-1" to allow traffic from the device at 10.10.10.100:
switch(config)# ip access-list standard List-1 switch(config-std-nacl)# permit host 10.10.10.100
Insert an ACE anywhere in a named ACL by specifying a sequence number. For example, if you wanted to insert a new ACE as line 15 between lines 10 and 20 in an existing ACL named "List-2" to deny IPv4 traffic from the device at 10.10.10.77:
switch(config)# ip access-list standard List-2 switch(config-std-nacl)# 15 deny host 10.10.10.77
Numbered IPv4 ACLs:
Add an ACE to the end of a numbered ACL by using the access-list <1-99|100-199> command. For example, if you wanted to add a "permit" ACE at the end of a list identified with the number "11" to allow IPv4 traffic from the device at 10.10.10.100:
switch(config)# access-list 11 permit host 10.10.10.100
To insert an ACE anywhere in a numbered ACL, use the same process as described above for inserting an ACE anywhere in a named ACL. For example, to insert an ACE denying IPv4 traffic from the host at 10.10.10.77 as line 52 in an existing ACL identified (named) with the number 11:
switch(config)# ip access-list standard 99 switch(config-std-nacl)# 52 deny host 10.10.10.77
Aruba 2930M/F | Access Security Guide
277
After a numbered ACL has been created (using access-list <1-99|100-199>), it can be managed as either a named or numbered ACL.
n Deleting an ACE: Enter the ACL context and delete the sequence number for the unwanted ACE. (To view the sequence numbers of the ACEs in a list, use show access-list <acl-name-str> config.)
n Duplicate ACEs are not allowed in the same ACL. Attempting to enter a duplicate ACE displays the Duplicate access control entry message.
Using CIDR notation to enter the IPv4 ACL mask
Use CIDR notation to enter ACL masks. The switch interprets the bits specified with CIDR notation as the address bits in an ACL and the corresponding address bits in a packet that must match. The switch then converts the mask to inverse notation for ACL use.
Table 20: Examples of CIDR notation for masks
Address used in an ACL with CIDR notation
10.38.240.125/15
Resulting ACL mask
0.1.255.255
10.38.240.125/20
0.0.15.255
10.38.240.125/21
0.0.7.255
10.38.240.125/24
0.0.0.255
18.38.240.125/32
0.0.0.0
Meaning
The leftmost 15 bits must match; the remaining bits are wildcards.
The leftmost 20 bits must match; the remaining bits are wildcards.
The leftmost 21 bits must match; the remaining bits are wildcards.
The leftmost 24 bits must match; the remaining bits are wildcards.
All bits must match.
Configuring standard ACLs
A standard ACL uses only source IPv4 addresses in its ACEs. This type of ACE is useful when you need to:
n Permit or deny any IPv4 traffic based on source address only. n Quickly control the IPv4 traffic from a specific address. This allows you to isolate IPv4 traffic problems
generated by a specific device, group of devices, or a subnet threatening to degrade network performance. This gives you an opportunity to troubleshoot without sacrificing performance for users outside of the problem area.
A named, standard ACL is identified by an alphanumeric string of up to 64 characters and is created by entering the Named ACL (nacl) context. A numbered, standard ACL is identified by a number in the range of 1-99 and is created without having to leave the global config context. Note that the CLI Command syntax for creating a named ACL differs from the Command syntax for creating a numbered ACL. For example, the first pair of entries below illustrate how to create (or enter) a named, standard ACL and enter an ACE. The next entry illustrates creating a numbered, standard ACL with the same ACE.
switch(config)# ip access-list standard Test-List switch(config-std-nacl)# permit host 10.10.10.147
278
Aruba 2930M/F | Access Security Guide
switch(config)# access-list 1 permit host 10.10.10.147
Note that once a numbered ACL has been created, it can be accessed using the named ACL method. This is useful if it becomes necessary to edit a numbered ACL by inserting or removing individual ACEs. Inserting or deleting an ACE is done by sequence number, and requires the Named ACL (nacl) context.
Configuring named, standard ACLs
This section describes the commands for performing the following:
n creating and/or entering the context of a named, standard ACL n appending an ACE to the end of an existing list or entering the first ACE in a new list
Entering the IPv4 named ACL context
This command is a prerequisite to entering or editing ACEs in a named ACL.
Syntax:
ip access-list standard <name-str> Places the CLI in the "Named ACL" (nacl) context specified by the <name-str> alphanumeric identifier. This enables entry of individual ACEs in the specified ACL. If the ACL does not already exist, this command creates it. <namestr>: Specifies an identifier for the ACL. Consists of an alphanumeric string of up to 64 case-sensitive characters. Including spaces in the string requires that you enclose the string in single or double quotes.
Configuring ACEs in a named, standard ACL
Configuring ACEs is done after using the ip access-list standard <name-str> command to enter the "Named ACL" ( nacl) context of an access list.
Syntax:
<deny|permit>
<any|host <SA>|<SA> <mask>|<SA>/<mask-length> > [log] Executing this command appends the ACE to the end of the list of ACEs in the current ACL. In the default ACL configuration, ACEs are automatically assigned consecutive sequence numbers in increments of 10 and can be renumbered using resequence (See Resequencing the ACEs in an ACL.)
To insert a new ACE between two existing ACEs, precede deny or permit with an appropriate sequence number. See Inserting an ACE in an existing ACL.
<deny|permit> For named ACLs, used in the "Named ACL" ( nacl) context to configure an ACE. Specifies whether the ACE denies or permits a packet matching the criteria in the ACE, as described below. <any|host <SA>|<SA> <mask>|<SA>/<mask-length> > [log] Defines the source IPv4 address (SA) a packet must carry for a match with the ACE.
n any: Allows IPv4 packets from any SA. n host <SA>: Specifies only packets having <SA> as the source. Use this criterion when you want to match the
IPv4 packets from a single source address.
Aruba 2930M/F | Access Security Guide
279
n <SA> <mask> or <SA>/<masklength>: Specifies packets received from either a subnet or a group of IPv4 addresses. The mask format can be in either dotted-decimal format or CIDR format (number of significant bits).
n Mask Application: The mask is applied to the IPv4 address in the ACE to define which bits in a packet's SA must exactly match the SA configured in the ACE and which bits need not match. For example: 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any address in the range of 10.10.10.(1-255).
Specifying a group of contiguous addresses may require more than one ACE.
n [log]: This option generates an ACL log message if: l There is a match. l ACL logging is enabled on the switch. l Use the debug command to direct ACL logging output to the current console session and/or to a Syslog server. Note that you must also use the logging <ip-addr>command to specify the addresses of Syslog servers to which you want log messages sent.
Example:
This example creates an ACL that:
n permits IPv4 traffic from a host with the address of 10.10.10.104 n creates another ACE that blocks all other IPv4 traffic from the same subnet n allows all other IPv4 traffic
Figure 43 Commands used to create a standard, named ACL
Screen output listing the sample-list ACL content
switch(config)# show access-list Sample-List
Access Control Lists
Name: Sample-List Type: Standard Applied: No
SEQ Entry
--------------------------------------------------------
10 Action: permit
IP : 10.10.10.104
Mask: 0.0.0.0
20 Action: deny (log) IP : 10.10.10.1
Mask: 0.0.0.255
30 Action: permit IP : 0.0.0.0
Mask: 255.255.255.255
Note that each ACE is automatically assigned a sequence number.
280
Aruba 2930M/F | Access Security Guide
Creating numbered, standard ACLs
Use the following steps when creating or adding to a numbered, standard ACL:
Procedure
1. Create a numbered, standard ACL by entering the first ACE in the list. 2. Append a new ACE to the end of an existing, standard ACL.
The following describes the commands for performing these steps. This command is an alternative to using ip access-list standard <name-str> and does not use the "Named ACL"(nacl) context.
Syntax:
access-list <199> <deny|permit> <any|host <SA>|<SA> <mask>|<SA>/<mask-length> > [log] Appends an ACE to the end of the list of ACEs in the current IPv4 standard, numbered ACL. If the ACL does not already exist, creates both the ACL and its first ACE. In the default configuration, ACEs are automatically assigned consecutive sequence numbers in increments of 10 and can be renumbered using resequence, see Resequencing the ACEs in an ACL on page 299.
To insert a new ACE between two existing ACEs in a standard, numbered ACL:
n Use ip access list extended <1-99> to open the ACL as a named ACL. n Enter the desired sequence number along with the ACE keywords and variables you want.
(After a numbered ACL has been created, it can be managed as either a named or numbered ACL.)
<199> Specifies the ACL identifier as a number. The switch interprets an ACL with a value in this range as a standard ACL (which filters all IPv4 traffic on the basis of SA). To create a standard access list with an alphanumeric name ( name-str) instead of a number, see Configuring named, standard ACLs on page 279. <deny|permit> Specifies whether the ACE denies or permits a packet matching the criteria in the ACE, as described next. <any|host <SA>|<SA> <mask>|<SA>/<mask-length> > [log] Defines the source IPv4 address (SA) a packet must carry for a match with the ACE.
n any Allows IPv4 packets from any SA. n host <SA> Specifies only packets having <SA> as the source. Use this criterion when you want to match
only the IPv4 packets from a single SA.
<SA> <mask> or <SA>/<masklength> Specifies packets received from an SA, where the SA is either a subnet or a group of IPv4 addresses. The mask format can be in either dotted-decimal format or CIDR format (number of significant bits). SA Mask application: The mask is applied to the SA in the ACE to define which bits in a packet's SA must exactly match the SA configured in the ACL and which bits need not match.
Example:
10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any address in the range of 10.10.10.(1255).
Aruba 2930M/F | Access Security Guide
281
Specifying a group of contiguous addresses may require more than one ACE.
[log] This option can be used after the SA to generate an Event Log message if:
n The action is deny or permit. n There is a match. n ACL logging is enabled.
Creating and viewing a standard ACL
This example creates a standard, numbered ACL with the same ACE content as shown in Configuring named, standard ACLs on page 279. Note that each ACE is automatically assigned a sequence number.
switch(config)# access-list 17 permit host 10.10.10.104 switch(config)# access-list 17 deny 10.10.10.1/24 log switch(config)# access-list 17 permit any switch(config)# show access-list 17
Access Control Lists
Name: 17 Type: Standard Applied: No
SEQ Entry
-------------------------------------------------------
10 Action: permit
IP : 10.10.10.104
Mask: 0.0.0.0
20 Action: deny (log) IP : 10.10.10.1
Mask: 0.0.0.255
30 Action: permit IP : 0.0.0.0
Mask: 255.255.255.255
Configuring extended ACLs
Standard ACLs use only source IPv4 addresses for filtering criteria, extended ACLs use multiple filtering criteria. This enables you to more closely define your IPv4 packet-filtering. Extended ACLs enable filtering on source and destination IPv4 addresses (required), in one of the following options:
n Source and destination IPv4 addresses for filtering criteria, extended ACLs use multiple filtering criteria. This enables you to more closely define your IPv4 packet filtering. Extended ACLs enable filtering on the following: l specific host l subnet or group of addresses l any address
n choice of any IPv4 protocol n optional packet-type criteria for IGMP and ICMP traffic n optional source and/or destination TCP or UDP port
282
Aruba 2930M/F | Access Security Guide
n filtering for TCP traffic based on either TCP control bits or whether the subject traffic is initiating a connection ("established" option)
n optional IP precedence and ToS criteria
Aruba Switches allow up to 2048 ACLs in any combination of IPv4 and IPv6 ACLs, and determine the total from the number of unique identifiers in the configuration. For example, configuring two ACLs results in an ACL total of two, even if neither is assigned to an interface. If you then assign a nonexistent ACL to an interface, the new ACL total is three, because the switch now has three unique ACL names in its configuration.
Configuring named, extended ACLs
For a match to occur with an ACE in an extended ACL, a packet must have the source and destination address criteria specified by the ACE, as well as any IPv4 protocol-specific criteria included in the command. Use the following general steps to create or add to a named, extended ACL:
Procedure
1. Create and/or enter the context of a named, extended ACL. 2. Enter the first ACE in a new, extended ACL or append an ACE to the end of an existing, extended ACL.
The following command is a prerequisite to entering or editing ACEs in a named, extended ACL.
Syntax:
ip accesslist extended <name-str> Places the CLI in the "Named ACL" (nacl) context specified by the <name-str> alphanumeric identifier. This enables entry of individual ACEs in the specified ACL. If the ACL does not already exist, this command creates it. <name-str> Specifies an alphanumeric identifier for the ACL. Consists of an alphanumeric string of up to 64 case-sensitive characters. Including spaces in the string requires that you enclose the string in single or double quotes. For example: accounting ACL. You can also use this command to access an existing, numbered ACL.
Configuring ACEs in named, extended ACLs
Configuring ACEs is done after using the ip access-list standard <name-str> command described. See the section "Standard ACL structure" for filtering criteria, extended ACLs use multiple filtering criteria. This enables you to more closely define your IPv4 packet-filtering. Syntax: (nacl context) <deny|permit> <ip|ip-protocol|ip-protocol-nbr> <any|host> <SA>|SA|mask-length|SA <mask>> <any|host> <DA>|DA|mask-length|DA <mask>> [precedence] [tos] [log] Appends an ACE to the end of the list of ACEs in the current ACL. In the default configuration, ACEs are automatically assigned consecutive sequence numbers in increments of 10 and can be renumbered using resequence, see Resequencing the ACEs in an ACL on page 299.
Aruba 2930M/F | Access Security Guide
283
To insert a new ACE between two existing ACEs in an extended, named ACL, precede deny or permit with an appropriate sequence number along with the ACE keywords and variables you want. See Inserting an ACE in an existing ACL on page 297.
For a match to occur, a packet must have the source and destination addressing criteria specified in the ACE, as well as:
n the protocol-specific criteria configured in the ACE, including any included, optional elements (described later in this section)
n any (optional) precedence and/or ToS settings configured in the ACE
<deny|permit> For named ACLs, these keywords are used in the "Named ACL" (nacl) context to specify whether the ACE denies or permits a packet matching the criteria in the ACE, as described below. <ip|ip-protocol|ip-protocol-nbr> Used after deny or permit to specify the packet protocol type required for a match. An extended ACL must include one of the following:
n ip any IPv4 packet.
n ip-protocol any one of the following IPv4 protocol names: l ip-in-ip l ipv6-in-ip l gre l esp l ah l ospf l pim l vrrp l sctp l tcp* l udp* l icmp* l igmp* *For TCP, UDP, ICMP, and IGMP, additional criteria can be specified.
n ip-protocol-nbr the protocol number of an IPv4 packet type, such as "8" for Exterior Gateway Protocol or 121 for Simple Message Protocol. (For a listing of IPv4 protocol numbers and their corresponding protocol names, see theIANA "Protocol Number Assignment Services" at http://www.iana.com. (Range: 0255)
<any|host <SA>|SA <mask>|SA/mask-length This is the first instance of IPv4 addressing in an extended ACE. It follows the protocol specifier and defines the source address (SA) a packet must carry for a match with the ACE.
284
Aruba 2930M/F | Access Security Guide
n any Allows IPv4 packets from any SA.
n host <SA> Specifies only packets having a single address as the SA. Use this criterion when you want to match only the IPv4 packets from a single SA.
n SA <mask> or SA/mask-length Specifies packets received from an SA, where the SA is either a subnet or a group of addresses. The mask can be in either dotted-decimal format or CIDR format (number of significant bits).
n SA Mask application. The mask is applied to the SA in the ACL to define which bits in a packet's SA must exactly match the SA configured in the ACL and which bits need not match. Example:10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any address in the range of 10.10.10.(1 - 255). Note: Specifying a group of contiguous addresses may require more than one ACE.
<any|host <DA>|DA/mask-length|DA <mask>> This is the second instance of IPv4 addressing in an extended ACE. It follows the first (SA) instance, described earlier, and defines the destination address (DA) that a packet must carry in order to have a match with the ACE.
n any Allows routed IPv4 packets to any DA.
n host <DA> Specifies only packets having DAas the destination address. Use this criterion when you want to match only the IPv4 packets for a single DA.
n DA/mask-length or DA <mask> Specifies packets intended for a destination address, where the address is either a subnet or a group of addresses. The mask format can be in either dotted-decimal format or CIDR format (number of significant bits).
n DA Mask application The mask is applied to the DA in the ACL to define which bits in a packet's DA must exactly match the DA configured in the ACL and which bits need not match.
[precedence <0-7|precedence-name>] This option can be used after the DA to cause the ACE to match packets with the specified IP precedence value. Values can be entered as the following IP precedence numbers or alphanumeric names: 0 or routine 1 " priority 2 " immediate 3 " flash 4 " flash-override 5 " critical 6 " internet (for internetwork control) 7 " network (for network control)
The precedence criteria described in this section are applied in addition to any other selection criteria configured in the same ACE.
[tos <tos-setting>] This option can be used after the DA to cause the ACE to match packets with the specified Type-of-Service (ToS) setting. ToS values can be entered as the following numeric settings or, in the case of 0, 2, 4, and 8, as alphanumeric names: 0 or normal 2 " max-reliability
Aruba 2930M/F | Access Security Guide
285
4 " max-throughput 6 8 " minimize-delay 10 12 14
The ToS criteria in this section are applied in addition to any other criteria configured in the same ACE.
[log] This option can be used after the DA to generate an Event Log message if:
n The action is deny. Not applicable to permit.
n There is a match.
n ACL logging is enabled.
Including options for TCP and UDP traffic in extended ACLs
An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic. Syntax: <deny|permit> <tcp|udp> <SA> [comparison-operator <tcp/udp-src-port>] <DA> [comparison-operator <tcp-dest-port>][established] [comparison-operator <udp-dest-port>] In an extended ACL using either tcp or udp as the packet protocol type, you can optionally use TCP or UDP source and/or destination port numbers or ranges of numbers to further define the criteria for a match. For example: #deny tcp host 10.20.10.17 eq 23 host 10.20.10.155 established #permit tcp host 10.10.10.100 host 10.20.10.17 eq telnet #deny udp 10.30.10.1/24 host 10.20.10.17 range 161 162 [comparison-operator <tcp/udp-src-port>] To specify a TCP or UDP source port number in an ACE: (1) Select a comparison operator from the following list and (2) Enter the port number or a well-known port name. Comparison operators
n eq <tcp/udp-port-nbr> "Equal To"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to <tcp/udp-port-nbr>.
n gt <tcp/udp-port-nbr> "Greater Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be greater than <tcp/udp-port-nbr>.
n lt <tcp/udp-port-nbr>
286
Aruba 2930M/F | Access Security Guide
"Less Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be less than <tcp/udp-port-nbr>.
n neq <tcp/udp-port-nbr> "Not Equal"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must not be equal to <tcp/udp-port-nbr>.
n range <start-port-nbr> <end-port-nbr> For a match with the ACE entry, the TCP or UDP source-port number in a packet must be in the range <start-port-nbr> <end-port-nbr>.
Port number or well-known port name: Use the TCP or UDP port number required by your application. The switch also accepts these well-known TCP or UDP port names as an alternative to their port numbers:
n TCP bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet
n UDP bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp
To list the above names, press the [Shift] [?] key combination after entering an operator. For a comprehensive listing of port numbers, visit http://www.iana.org/assignments/port-numbers. [comparison-operator <tcp-dest-port>][established] [comparison-operator <udp-dest-port>] This option, if used, is entered immediately after the <DA> entry. To specify a TCP or UDP port number;
1. select a comparison operator
2. enter the port number or a well-known port name
Comparison operators and well-known port names: These are the same as are used with the TCP/UDP source-port options, and are listed earlier in this command description. [established] This option applies only where TCP is the configured protocol type. It blocks the synchronizing packet associated with establishing a TCP connection in one direction on a VLAN while allowing all other IPv4 traffic for the same type of connection in the opposite direction. For example, a Telnet connect requires TCP traffic to move both ways between a host and the target device. Simply applying a deny to inbound Telnet traffic on a VLAN would prevent Telnet sessions in either direction because responses to outbound requests would be blocked. However, by using the established option, inbound Telnet traffic arriving in response to outbound Telnet requests would be permitted, but inbound Telnet traffic trying to establish a connection would be denied.
Options for ICMP traffic in extended ACLs
This option is useful where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic. That is, an ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same ACE. As an optional alternative, the ACE can include the name of an ICMP packet type.
Syntax:
<deny|permit> icmp <SA> <DA> [icmp-type [icmp-code] <deny|permit> icmp <SA> <DA> [icmp-type-name][]|]
Aruba 2930M/F | Access Security Guide
287
In an extended ACL using icmp as the packet protocol type (see above), you can optionally specify an individual ICMP packet type or packet type/code pair to further define the criteria for a match. This option, if used, is entered immediately after the destination address (DA) entry. The following example shows two ACEs entered in a Named ACL context: #permit icmp any any host-unknown #permit icmp any any 3 7 [icmp-type [icmp-code] This option identifies an individual ICMP packet type as criteria for permitting or denying that type of ICMP traffic in an ACE.
n icmp-type--This value is in the range of 0 - 255 and corresponds to an ICMP packet type. n icmp-code--This value is in the range of 0 - 255 and corresponds to an ICMP code for an ICMP packet
type.For more information on ICMP type names, visit the Internet Assigned Numbers Authority (IANA) website at http://www.iana.com, click "Protocol Number Assignment Services", and then go to the selections under "Internet Control Message Protocol (ICMP) Parameters".
[icmp-type-name] These name options are an alternative to the [icmp-type [icmp-code]] methodology described above. For more information, visit the IANA website Emphasisd above.
n administratively-prohibited
n alternate-address
n conversion-error
n dod-host-prohibited
n dod-net-prohibited
n echo
n echo-reply
n general-parameter-problem
n host-isolated
n host-precedence-unreachable
n host-redirect
n host-tos-redirect
n host-tos-unreachable
n host-unknown
n host-unreachable
n information-reply
n information-request
n mask-reply
n mask-request
n mobile-redirect
288
Aruba 2930M/F | Access Security Guide
n net-redirect n net-tos-redirect n net-tos-unreachable n net-unreachable n network-unknown n no-room-for-option n option-missing n packet-too-big n parameter-problem n port-unreachable n precedence-unreachable n protocol-unreachable n reassembly-timeout n redirect n router-advertisement n router-solicitation n source-quench n source-route-failed n time-exceeded n timestamp-reply n timestamp-request n traceroute n ttl-exceeded n unreachable
Option for IGMP in extended ACLs
This option is useful where it is necessary to permit some types of IGMP traffic and deny other types instead of simply permitting or denying all types of IGMP traffic. That is, an ACE designed to permit or deny IGMP traffic can optionally include an IGMP packet type to permit or deny an individual type of IGMP packet while not addressing other IGMP traffic types in the same ACE.
Syntax:
<permit|deny> igmp <SA> <DA> [icmp-type] In an extended ACL using igmp as the packet protocol type, you can optionally specify an individual IGMP packet type to further define the criteria for a match. This option, if used, is entered immediately after the destination addressing entry. The following example shows an IGMP ACE entered in the Named ACL context:
Aruba 2930M/F | Access Security Guide
289
switch(config-ext-nacl)# permit igmp any any host-query [igmp-type] The complete list of IGMP packet-type options includes:
n dvmrp
n host-query
n host-report
n pim
n trace
n v2-host-report
n v2-host-leave
n mtrace-reply
n mtrace-request
n v3-host-report
For more information on IGMP packet types, visit the Internet Assigned Numbers Authority (IANA) website at http://www.iana.com, click "Protocol Number Assignment Services", and then go to the selections under "Internet Group Management Protocol (IGMP) Type Numbers".
Configuring numbered, extended ACLs
This section describes the commands for performing the following in a numbered, extended ACL:
n Creating the ACL by entering the first ACE in the list n Appending a new ACE to the end of an existing ACL
Creating or adding to an extended, numbered ACL
Procedure
Use the access-list command as an alternative to using ip access-list extended <name-str>. This command does not use the nacl context. See access-list command for creating a numbered, extended ACL on page 290.
access-list command for creating a numbered, extended ACL
Syntax
access-list <100-199> <deny|permit> <ip|ip-protocol|ip-protocol-nbr> <any|host <SA>|SA/mask-length|SA <mask>> <any|host <DA>|DA/mask-length|DA <mask>> [precedence <0-7|precedence-name>] [tos <tos-bit-setting>] [log]
Description
If the ACL does not already exist, this command creates the specified ACL and its first ACE. If the ACL already exists, the new ACE is appended to the end of the configured list of explicit ACEs. In the default configuration,
290
Aruba 2930M/F | Access Security Guide
the ACEs in an ACL will automatically be assigned consecutive sequence numbers in increments of 10 and can be renumbered with resequence see Resequencing the ACEs in an ACL on page 299.
To insert a new ACE between two existing ACEs in an extended, numbered ACL:
1. Use ip access list extended <100-199> to open the ACL as a named ACL. 2. Enter the desired sequence number along with the ACE statement you want.
For a match to occur, a packet must have the source and destination addressing criteria specified in the ACE, as well as:
n The protocol-specific criteria configured in the ACE, including any included, optional elements (described later in this section.)
n Any (optional) precedence and/or ToS settings configured in the ACE.
Parameters
<100-199> Specifies the ACL ID number. The switch interprets a numeric ACL with a value in this range as an extended ACL. <deny|permit> Specifies whether to deny (drop) or permit (forward) a packet that matches the criteria specified in the ACE, as described below. <ip|ip-protocol|ip-protocol-nbr> Specifies the packet protocol type required for a match. An extended ACL must include one of the following:
n ip any IPv4 packet. n ip-protocol any one of the following IPv4 protocol names:
l ip-in-ip l ipv6-in-ip l gre l esp l ah l ospf l pim l vrrp l sctp l tcp* l udp* l icmp* l igmp* * For TCP, UDP, ICMP, and IGMP, additional criteria can be specified, as described later in this section. n ip-protocol-nbr the protocol number of an IPv4 packet type, such as "8" for Exterior Gateway Protocol or
Aruba 2930M/F | Access Security Guide
291
121 for Simple Message Protocol. (For a listing of IPv4 protocol numbers and their corresponding protocol names, see the IANA "Protocol Number Assignment Services" at http://www.iana.com.) (Range: 0-255).
<any|host <SA>|SA/mask-length|SA <mask>> In an extended ACL, this parameter defines the source address (SA) that a packet must carry in order to have a match with the ACE.
n any Specifies all inbound IPv4 packets.
n host <SA> Specifies only inbound IPv4 packets from a single address. Use this option when you want to match only the IPv4 packets from a single source address.
n SA/mask-length or SA <mask> Specifies packets received from an SA, where the SA is either a subnet or a group of IPv4 addresses. The mask can be in either dotted-decimal format or CIDR format with the number of significant bits.
SA mask application The mask is applied to the SA in the ACL to define which bits in a packet's source SA must exactly match the address configured in the ACL and which bits need not match.
Example:
10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any IPv4 address in the range of 10.10.10. (1-255).
Specifying a group of contiguous IPv4 addresses may require more than one ACE.
This is the second instance of addressing in an extended ACE. It follows the first (SA) instance, described earlier, and defines the destination address (DA) that a packet must carry in order to have a match with the ACE.
Syntax:
<any|host <DA>|DA/mask-length>> The options are the same as shown for <SA>.
n any Allows routed IPv4 packets to any DA.
n host <DA> Specifies only the packets having DAas the destination address. Use this criterion when you want to match only the IPv4 packets for a single DA.
n DA/mask-length or DA <mask> Specifies packets intended for a destination address, where the address is either a subnet or a group of IPv4 addresses. The mask format can be in either dotted-decimal format or CIDR format (number of significant bits). The mask is applied to the DA in the ACL to define which bits in a packet's DA must exactly match the DA Mask application DA configured in the ACL and which bits need not match. See also the above example and note.
[precedence <0-7|precedence-name>] This option causes the ACE to match packets with the specified IP precedence value. Values can be entered as the following IP precedence numbers or alphanumeric names: 0 or routine 1 " priority 2 " immediate 3 " flash 4 " flash-override
292
Aruba 2930M/F | Access Security Guide
5 " critical 6 " internet (for internetwork control) 7 " network (for network control)
The precedence criteria described in this section are applied in addition to any other selection criteria configured in the same ACE.
[tos] This option can be used after the DA to cause the ACE to match packets with the specified Type-of-Service (ToS) setting. ToS values can be entered as the following numeric settings or, in the case of 0, 2, 4, and 8, as alphanumeric names: 0 or normal 2 " max-reliability 4 " max-throughput 6 8 " minimize-delay 10 12 14
The ToS criteria in this section are applied in addition to any other criteria configured in the same ACE.
[log] Optional; generates an Event Log message if:
n The action is deny. This option is not configurable for Permit.
n There is a match. n ACL logging is enabled on the switch.
Controlling TCP and UDP traffic flow
An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both.
Syntax:
access-list <100-199> <deny|permit> <tcp|udp> <SA> [comparison-operator <tcp/udp-src-port>] <DA> [comparison-operator <tcp-dest-port>][established] <DA> [comparison-operator <udp-dest-port>] This source-port and destination-port TCP/UDP criteria is identical to the criteria described for TCP/UDP use in named, extended ACLs.
Controlling ICMP traffic flow
This command is useful where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic. That is, an ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same ACE. As an optional alternative, the ACE can include the name of an ICMP packet type. Syntax:
Aruba 2930M/F | Access Security Guide
293
access-list <100-199> <deny|permit> icmp <SA> <DA> [[icmp-type [icmp-code]]|[icmp-type-name]] The ICMP "type" and "code" criteria are identical to the criteria described for ICMP in named, extended ACLs.
Controlling IGMP traffic flow
This command is useful where it is necessary to permit some types of IGMP traffic and deny other types, instead of simply permitting or denying all types of IGMP traffic. That is, an ACE designed to permit or deny IGMP traffic can optionally include an IGMP packet type to permit or deny an individual type of IGMP packet while not addressing other IGMP traffic types in the same ACE. As an optional alternative, the ACE can include the name of an ICMP packet type. Syntax: access-list <100-199> <deny|permit> igmp <src-ip> <dest-ip> [igmp-type] The IGMP "type" criteria is identical to the criteria described for IGMP in named, extended ACLs.
Adding or removing an ACL assignment on an interface
Filtering IPv4 traffic inbound on a VLAN
For a given VLAN interface on a switch configured for routing, you can assign an ACL as a VACL to filter inbound IPv4 traffic entering the switch on that VLAN. You can also use the same ACL for assignment to multiple VLANs. Syntax: Within the vlan context. vlan <vid> ip access-group <ACL> vlan no vlan <vid> ip access-group <ACL> vlan where: <ACL> = either a ACL name or an ACL ID number. Assigns an ACL as a VACL to a VLAN to filter routed IPv4 traffic entering or leaving the switch on that VLAN. You can use either the global configuration level or the VLAN context level to assign or remove an VACL.
The switch allows you to assign a nonexistent ACL name or number to a VLAN. In this case, if you subsequently configure an ACL with that name or number, it automatically becomes active on the assigned interface. Also, if you delete an assigned ACL from the switch without subsequently using the no form of this command to remove the assignment to an interface, the ACL assignment remains and will automatically activate any new ACL you create with the same identifier (name or number).
Figure 44 Methods for enabling and disabling VACLs
294
Aruba 2930M/F | Access Security Guide
Filtering inbound IPv4 traffic per port
For a given port, port list, or static port trunk, you can assign an ACL as a static port ACL to filter any IPv4 traffic entering the switch on that interface. You can also use the same ACL for assignment to multiple interfaces. For limits and operating rules. Syntax: interface <port-list|Trkx> ip access-group <identifier> in no interface <port-list|Trkx> ip access-group <identifier> in where: <identifier> = either a ACL name or an ACL ID number. Assigns an ACL as a static port ACL to a port, port list, or static trunk to filter any IPv4 traffic entering the switch on that interface. You can use either the global configuration level or the interface context level to assign or remove a static port ACL.
The switch allows for assigning a nonexistent ACL name or number to a VLAN. In this case, if you subsequently configure an ACL with that name or number, it automatically becomes active on the assigned VLAN. Also, if deleting an assigned ACL from the switch without subsequently using the no" form of this command to remove its assignment to a VLAN, the ACL assignment remains and automatically activates any new ACL created with the same identifier (name or number).
Figure 45 Methods for enabling and disabling ACLs
Deleting an ACL
Syntax:
no ip access-list standard <name-str|1-99> no ip access-list extended <name-str|100-199> no access-list <1-99|100-199> Removes the specified ACL from the switch running-config file.
If an ACL name is assigned to an interface before the ACL itself has actually been created, then the switch creates an "empty" version of the ACL in the running configuration and assigns the empty ACL to the interface. Subsequently populating the empty ACL with explicit ACEs causes the switch to automatically activate the ACEs as they are created and to implement the implicit deny at the end of the ACL.
Deleting an ACL from the running configuration while the ACL is currently assigned on an interface results in an "empty" version of the ACL in the running configuration and on the interface. Subsequently removing the ACL from the interface also removes the empty ACL from the running configuration.
Aruba 2930M/F | Access Security Guide
295
If you need to remove an ACL identifier assignment on an interface, see Adding or removing an ACL assignment on an interface on page 294.
Editing an existing ACL
The CLI provides the capability for editing in the switch by using sequence numbers to insert or delete individual ACEs. An offline method is also available. This section describes using the CLI for editing ACLs.
Using the CLI to edit ACLs
You can use the CLI to delete individual ACEs from anywhere in an ACL, append new ACEs to the end of an ACL, and insert new ACEs anywhere within an ACL.
General editing rules
n Named ACLs: l When you enter a new ACE in a named ACL without specifying a sequence number, the switch inserts the ACE as the last entry in the ACL. l When you enter a new ACE in a named ACL and include a sequence number, the switch inserts the ACE according to the position of the sequence number in the current list of ACEs.
n Numbered ACLs: When using the access-list <1-99|100-199> command to create or add ACEs to a numbered ACL, each new ACE you enter is added to the end of the current list. (This command does not offer a <seq-#> option for including a sequence number to enable inserting an ACE at other points in the list.) Note, however, that once a numbered list has been created, you have the option of accessing it in the same way as a named list by using the ip access-list <standard|extended> command. This enables you to edit a numbered list in the same way that you would edit a named list. (See the next item in this list.)
n You can delete any ACE from any ACL (named or numbered) by using the ip access-list command to enter the ACL's context, and then using the no <seq-#> command, see Deleting an ACE from an existing ACL on page 298.
n Deleting the last ACE from an ACL leaves the ACL in memory. In this case, the ACL is "empty" and cannot perform any filtering tasks. (In any ACL the Implicit Deny does not apply unless the ACL includes at least one explicit ACE.)
Sequence numbering in ACLs
The ACEs in any ACL are sequentially numbered. In the default state, the sequence number of the first ACE in a list is "10" and subsequent ACEs are numbered in increments of 10. For example, the following show run output lists three ACEs with default numbering in a list named "My-List":
Figure 46 The default sequential numbering for ACEs
You can add an ACE to the end of a named or numbered ACL by using either access-list for numbered ACLs or ip access-list for named ACLs:
296
Aruba 2930M/F | Access Security Guide
Figure 47 Adding an ACE to the end of numbered or named ACLs
For example, to append a fourth ACE to the end of the ACL in Figure 46: The default sequential numbering for ACEs: Figure 48 Appending an ACE to an existing list
When using the access-list <1-99|100-199> <permit|deny> <SA> command to create an ACE for a numbered ACL, the ACE is always added to the end of the current list and given the appropriate sequence number. However, once a numbered list has been created, you can use the ip access-list command to open it as a named ACL and specify a nondefault sequence number, as described in the next section.
Inserting an ACE in an existing ACL
This action uses a sequence number to specify where to insert a new ACE into an existing sequence of ACLs.
Syntax:
ip access-list <standard|extended> <name-str|1-99|100-199> <1-2147483647> <permit|deny> <standard-acl-ip-criteria> [log] <1-2147483647> <permit|deny> <extended-acl-ip-criteria> [options] The first command enters the "Named-ACL" context for the specified ACL. The remaining two commands insert a new ACE in a standard or extended ACL, respectively. To insert a new ACE between existing ACEs in a list:
Procedure
Aruba 2930M/F | Access Security Guide
297
1. Use ip access-list to enter the "Named-ACL" (nacl) context of the ACE. This applies regardless of whether the ACE was originally created as a numbered ACL or a named ACL.
2. Begin the ACE command with a sequence number that identifies the position you want the ACE to occupy. (The sequence number range is 1-2147483647).
3. Complete the ACE with the Command syntax appropriate for thetype of ACL you are editing. For example, inserting a new ACE between the ACEs numbered 10 and 20 in the following figure requires a sequence number in the range of 11-19 for the new ACE. Figure 49 Inserting an ACE in an existing ACL
In the following example, the first two ACEs entered become lines 10 and 20 in the list. The third ACE entered is configured with a sequence number of 15 and is inserted between lines 10 and 20. Figure 50 Inserting an ACE into an existing sequence
Deleting an ACE from an existing ACL
This action uses ACL sequence numbers to delete ACEs from an ACL.
Syntax:
ip access-list <standard|extended> <name-str|1-99|100-199> no <seq-#>
298
Aruba 2930M/F | Access Security Guide
The first command enters the "Named-ACL" context for the specified ACL. The no command deletes the ACE corresponding to the sequence number entered. Range: 12147483647
Procedure
1. To find the sequence number of the ACE you want to delete, use show run or show access-list <namestr|1-99|100-199> to view the ACL.
2. Use ip access-list to enter the "Named-ACL" (nacl) context of the ACE. This applies regardless of whether the ACE was originally created as a numbered ACL or a named ACL.
3. In the "Named-ACL" context, type no and enter the sequence number of the ACE you want to delete.
Figure 51 Deleting an ACE from any ACL
Resequencing the ACEs in an ACL
This action reconfigures the starting sequence number for ACEs in an ACL, and resets the numeric interval between sequence numbers for ACEs configured in the ACL.
Syntax:
ip access-list resequence <name-str|199|100199> <starting-seq-#> <interval> Resets the sequence numbers for all ACEs in the ACL. <startingseq-#> Specifies the sequence number for the first ACE in the list. (Default: 10; Range: 1 2147483647) <interval> Specifies the interval between sequence numbers for the ACEs in the list. (Default: 10; Range: 12147483647)
Aruba 2930M/F | Access Security Guide
299
Procedure
1. To view the current sequence numbering in an ACE, use show run or show access-list <name-str|199|100-199>.
2. Use the Command syntax (above) to change the sequence numbering.
This example resequences the "My-List" ACL at the bottom of figure so that the list begins with line 100 and uses a sequence interval of 100.
Viewing and resequencing an ACL
switch(config)# show run ... ip access-list standard "My-List"
10 permit 10.10.10.25 0.0.0.0 15 deny 10.10.10.1 0.0.0.255 30 deny 10.20.10.1 0.0.0.255 40 permit 0.0.0.0 255.255.255.255 exit ... switch(config)# ip access-list resequence My-List 100 100 switch(config)# show run ... ip access-list standard "My-List" 100 permit 10.10.10.25 0.0.0.0 200 deny 10.10.10.1 0.0.0.255 300 deny 10.20.10.1 0.0.0.255 400 permit 0.0.0.0 255.255.255.255 exit
Attaching a remark to an ACE
A remark is numbered in the same way as an ACE, and uses the same sequence number as the ACE to which it refers. This operation requires that the remark for a given ACE be entered prior to entering the ACE itself.
Syntax:
access-list <1-99|100-199> remark <remark-str> This syntax appends a remark to the end of a numbered ACL and automatically assigns a sequence number to the remark. The next command entry should be the ACE to which the remark belongs. (The new ACE will automatically be numbered with the same sequence number as was used for the preceding remark.)
Syntax:
ip access-list <standard|extended> <name-str|1-99|100-199> [seq-#]remark <remark-str> no <seq-#> remark This syntax applies to both named and numbered ACLs. Without an optional sequence number, the remark is appended to the end of the list and automatically assigned a sequence number. When entered with an optional sequence number, the remark is inserted in the list according to the numeric precedence of the sequence number. The no form of the command deletes the indicated remark, but does not affect the related ACE. To associate a remark with a specific ACE, enter the remark first, and then enter the ACE.
n Entering a remark without a sequence number and then entering an ACE without a sequence number results in the two entries being automatically paired with the same sequence number and appended to the end of the current ACL.
n Entering a remark with a sequence number and then entering an ACE with the same sequence number results
300
Aruba 2930M/F | Access Security Guide
in the two entries being paired together and positioned in the list according to the sequence number they share.
After a numbered ACL has been created (using access-list <1-99|100-199>), it can be managed as either a named or numbered ACL. For example, in an existing ACL with a numeric identifier of "115", either of the following command sets adds an ACE denying IPv4 traffic from any source to a host at 10.10.10.100: switch(config)# access-list 115 deny ip host 10.10.10.100 switch(config)# ip access-list extended 115 switch(config-ext-nacl)# deny ip any 10.10.10.100
Appending remarks and related ACEs to the end of an ACL To include a remark for an ACE that will be appended to the end of the current ACL, enter the remark first, then enter the related ACE. This results in the remark and the subsequent ACE having the same sequence number. For example, to add remarks using the "Named-ACL" (nacl) context: Figure 52 Appending a remark and its related ACE to the end of an ACL
You can also perform the operation illustrated in Figure 52: Appending a remark and its related ACE to the end of an ACL by using the numbered, access-list <1-99|100-199> syntax shown at the beginning of this section. Inserting remarks and related ACEs within an existing list To insert an ACE with a remark within an ACL by specifying a sequence number, insert the numbered remark first, then, using the same sequence number, insert the ACE. This operation applies only to ACLs accessed using the "Named-ACL" (nacl) context.
Aruba 2930M/F | Access Security Guide
301
Figure 53 Inserting remarks
Inserting a remark for an ACE that already exists in an ACL If a sequence number is already assigned to an ACE in a list, you cannot insert a remark by assigning it to the same number. (To configure a remark with the same number as a given ACE, the remark must be configured first.) To assign a remark to the same number as an existing ACE:
Procedure
1. Delete the ACE. 2. Configure the remark with the number you want assigned to the pair. 3. Re-Enter the deleted ACE with the number used to enter the remark.
Removing a remark from an existing ACE If you want to remove a remark, but want to retain the ACE, do the following:
Procedure
1. Use the Named ACL context to enter the ACL. 2. Using show run or show access-list <list-name> config, note the sequence number and content of
the ACE having a remark you want to remove. 3. Delete the ACE. 4. Using the same sequence number, re-enter the ACE.
Operating notes for remarks
n The resequence command ignores "orphan" remarks that do not have an ACE counterpart with the same sequence number. For example, if:then the remark retains "55" as its sequence number and will be placed in the renumbered version of the ACL according to that sequence number. l a remark numbered "55" exists in an ACE l there is no ACE numbered "55" in the same ACL l resequenceis executed on an ACL then the remark retains "55" as its sequence number and will be placed in the renumbered version of the ACL according to that sequence number.
n Entering an unnumbered remark followed by a numbered ACE, or the reverse, creates an "orphan" remark. The unnumbered entry will be assigned a sequence number that is an increment from the last ACE in the list. The numbered entry will then be placed sequentially in the list according to the sequence number used.
n Configuring two remarks without either sequence numbers or an intervening, unnumbered ACE results in the second remark overwriting the first.
302
Aruba 2930M/F | Access Security Guide
Figure 54 Overwriting one remark with another
Viewing ACL configuration data
The show commands in this section apply to both IPv4 and IPv6 ACLs. For information on IPv6 ACL operation, see the chapter titled "IPv6 Access Control Lists" in the IPv6 Configuration Guide for your switch.
Viewing an ACL summary
This command lists the configured IPv4 and IPv6 ACLs, regardless of whether they are assigned to any VLANs.
Syntax:
show access-list List a summary table of the name, type, and application status of IPv4 and IPv6 ACLs configured on the switch.
Figure 55 Summary table of access list
Term Meaning Type Shows whether the listed ACL is an IPv4 std ACL, an IPv4 extACL, or an IPv6 ACL. Appl Shows whether the listed ACL has been applied to an interface (yes/no). Name Shows the identifier (name or number) assigned to each ACL configured in the switch.
Aruba 2930M/F | Access Security Guide
303
Viewing the content of all ACLs on the switch
This command lists the configuration details for the IPv4 and IPv6 ACLs in the running-config file, regardless of whether any are actually assigned to filter IPv4 traffic on specific VLANs.
Syntax:
show access-list config List the configured syntax for all IPv4 ACLs currently configured on the switch.
Notice that you can use the output from this command for input to an offline text file in which you can edit, add, or delete ACL commands.
This information also appears in the show running display. If you executed write memory after configuring an ACL, it appears in the show config display.
An ACL configured syntax listing on page 304 shows the ACLs on a switch configured with two IPv6 ACLs named "Accounting" and "List-01-Inbound", and one extended IPv4 ACL named "101":
An ACL configured syntax listing
switch(config)# show access-list config
ip access-list standard "List-43" 10 deny 10.28.236.77 0.0.0.0 20 deny 10.29.140.107 0.0.0.0 30 permit 0.0.0.0 255.255.255.255 exit
ip access-list extended "111" 10 permit tcp 10.30.133.27 0.0.0.0 0.0.0.0 255.255.255.255 20 permit tcp 10.30.155.101 0.0.0.0 0.0.0.0 255.255.255.255 30 deny ip 10.30.133.1 0.0.0.0 0.0.0.0 255.255.255.255 log 40 deny ip 10.30.155.1 0.0.0.255 0.0.0.0 255.255.255.255 exit
Viewing the VACL assignments for a VLAN
This command briefly lists the identification and types of IPv4 and IPv6 VACLs currently assigned to a particular VLAN in the running-config file. For IPv6, the switch supports, per-VLAN, one VACL assignment.
Syntax:
show access-list vlan <vid> Lists the current ACL assignments to the specified VLAN (in the running config file).
This information also appears in the show running display. If you execute write memory after configuring an ACL, it also appears in the show config display.
Viewing static port (and trunk) ACL assignments
This command lists the identification and types of current static port ACL assignments to individual switch ports and trunks, as configured in the running-config file. The switch allows one static port ACL assignment per port.
Syntax:
show access-list ports <all|interface>
304
Aruba 2930M/F | Access Security Guide
Lists the current static port ACL assignments for ports and trunks in the running config file.
This information also appears in the show running output. If you execute write memory after configuring an ACL, it also appears in the show config output.
The following output shows IPv4 and IPv6 ACLs configured on various ports and trunks on the switch: Figure 56 Listing the ACL assignments for ports and trunks
Viewing the content of a specific ACL
This command displays a specific ACL configured in the running config file in an easy-to-read tabular format.
This information also appears in the show running display. If you execute write memory after configuring an ACL, it also appears in the show config display.
Syntax: show access-list <acl-id> Displays detailed information on the content of a specific ACL configured in the running-config file. For example, suppose you configured the following two ACLs in the switch:
ACL ID 1
Type Standard
105
Extended
Desired Action
n Deny IP traffic from 18.28.236.77 and 18.29.140.107.
n Permit IP traffic from all other sources.
n Permit any TCP traffic from 18.30.133.27 to any
Aruba 2930M/F | Access Security Guide
305
ACL ID
Type
Desired Action
destination. n Deny any other IP traffic from
18.30.133. (1-255). n Permit all other IP traffic from
any source to any destination.
Inspect the ACLs as follows: Figure 57 Example of a listing a standard ACL
Figure 58 Examples of listings showing the content of standard and extended ACLs
306
Aruba 2930M/F | Access Security Guide
Table 21: Descriptions of data types included in show access-list <acl-id> output
Field
Description
Name
The ACL identifier. Can be a number from 1 to 199, or a name.
Type
Standard or Extended. The former uses only source IPv4 addressing. The latter uses both source and destination IPv4 addressing and also allows TCP or UDP port specifiers.
Applied
"Yes" means the ACL has been applied to a port or VLAN interface. "No" means the ACL exists in the switch configuration, but has not been applied to any interface, and is therefore not in use.
SEQ
The sequential number of the Access Control Entry (ACE) in the specified ACL.
Entry
Lists the content of the ACEs in the selected ACL.
Action
Permit (forward) or deny (drop) a packet when it is compared to the criteria in the applicable ACE and found to match. Includes the optional log option, if used, in deny actions.
Remark
Displays any optional remark text configured for the selected ACE.
IP
Used for Standard ACLs: The source IPv4 address to which the configured mask is applied to
determine whether there is a match with a packet.
Src IP
Used for Extended ACLs: Same as above.
Dst IP
Used for Extended ACLs: The source and destination IPv4 addresses to which the corresponding configured masks are applied to determine whether there is a match with a packet.
Mask
The mask configured in an ACE and applied to the corresponding IPv4 address in the ACE to determine whether a packet matches the filtering criteria.
Proto
Used only in extended ACLs to specify the packet protocol type to filter. Must be either IPv4, TCP, or UDP. For TCP protocol selections, includes the established option, if configured.
Port(s)
Used only in extended ACLs to show any TCP or UDP operator and port number(s) included in the ACE.
TOS
Used only in extended ACLs to indicate Type-of-Service setting, if any.
Precedence Used only in extended ACLs to indicate the IP precedence setting, if any.
Viewing all ACLs and their assignments in the switch startup-config and running-config files
The show config and show running commands include in their listings any configured ACLs and any ACL assignments to VLANs. Remember that show config lists the startup-config file and show running lists the running-config file.
Aruba 2930M/F | Access Security Guide
307
Creating or editing an ACL offline
The section titled Editing an existing ACL on page 296 describes how to use the CLI to edit an ACL, and is most applicable in cases where the ACL is short or there is only a minor editing task to perform. The offline method provides an alternative to using the CLI for creating or extensively editing a large ACL. This section describes how to:
Procedure
1. Move an existing ACL to a TFTP server
2. Use a text (.txt) file format to create a new ACL or edit an existing ACL offline
3. Use TFTP to load an offline ACL into the switch's running-config
For longer ACLs that may be difficult or time-consuming to accurately create or edit in the CLI, you can use the offline method described in this section.
Copy commands that used either tftp or xmodem also include an option to use usb as a source or destination device for file transfers. So although the following example highlights tftp, bear in mind that xmodem or usb can also be used to transfer ACLs to and from the switch.
n Begin by doing one of the following: l To edit one or more existing ACLs, use copy commandoutput tftpto copy the current version of the ACL configuration to a file in your TFTP server. For example, to copy the ACL configuration to a file named acl02.txt in the TFTP directory on a server at 10.28.227.2: switch# copy command-output 'show access-list config' tftp 10.28.227.2 acl02.txt pc l To create a new ACL, open a text (.txt) file in the appropriate directory on a TFTP server accessible to the switch.
n Use a text editor to create or edit the ACL(s) in the *.txt ASCII file format. If you are replacing an ACL on the switch with a new ACL that uses the same number or name syntax, begin the command file with a no ip access-list command to remove the earlier version of the ACL from the switch running-config file. Otherwise, the switch will append the new ACEs in the ACL you download to the existing ACL. For example, if you planned to use the copy command to replace ACL "List-120", place this command at the beginning of the edited file: no ip access-list extended List-120
Figure 59 An offline ACL file designed to replace an existing ACL
308
Aruba 2930M/F | Access Security Guide
n Use copy tftp command-file to download the file as a list of commands to the switch. n The command to assign the ACL to a VLAN was included in the .txt command file. If this is not done in your
applications, then the next step is to manually assign the new ACL to the intended VLAN. n You can then use the show run or show access-list config command to inspect the switch configuration
to ensure that the ACL was properly downloaded. n Use the show run or show access-list config command to inspect the switch configuration to ensure that
the ACL was properly downloaded.
If a transport error occurs, the switch does not execute the command and the ACL is not configured.
Figure 60 Example of verifying the .txt file download to the switch
Monitoring static ACL performance
ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface. This can help in determining whether a particular traffic type is being filtered by the intended ACE in an assigned list, or if traffic from a particular device or network is being filtered as intended.
This section describes the command for monitoring static ACL performance. To monitor RADIUSassigned ACL performance, use either of the following commands: show access-list radius <all|port-list> show port-access <authenticator|mac-based|web-based> clients <port-list> detailed
See Displaying the current RADIUS-assigned ACL activity on the switch on page 386.
Syntax: <show|clear> statistics aclv4 <acl-name-str> port <port-#> aclv4 <acl-name-str> vlan <vid> <in|out|vlan> aclv6 <acl-name-str> port <port-#> aclv6 <acl-name-str> vlan <vid> <in|out|vlan> show: Displays the current match (hit) count per ACE for the specified IPv6 or IPv4 static ACL assignment on a specific interface.
Aruba 2930M/F | Access Security Guide
309
clear: Resets ACE hit counters to zero for the specified IPv6 or IPv4 static ACL assignment on a specific interface. Total: This column lists the running total of the matches the switch has detected for the ACEs in an applied ACL since the ACL's counters were last reset to 0 (zero). Figure 61 IPv6 and IPv4 ACL statistics
switch# show statistics aclv6 IPV6-ACL vlan 20 vlan
HitCounts for ACL IPV6-ACL
Total
( 12) 10 permit icmp ::/0 fe80::20:2/128 128 ( 6) 20 deny tcp ::/0 fe80::20:2/128 eq 23 log ( 41) 30 permit ipv6 ::/0 ::/0
Switch# show statistics aclv4 102 vlan 20 vlan
HitCounts for ACL 102
Total ( 4) 10 permit icmp 10.10.20.3 0.0.0.0 10.10.20.2 0.0.0.0 8 ( 8) 20 deny icmp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8 ( 2) 30 permit tcp 10.10.20.3 0.0.0.255 10.10.20.2 0.0.0.255 eq 23 ( 2) 55 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8 ( 125) 60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
ACE Counter Operation: For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the criteria in that ACE, and maintains a running total of the matches since the last counter reset. For example, in ACL line 10 below, there has been a total of 37 matches on the ACE since the last time the ACL's counters were reset. Total ( 37) 10 permit icmp 10.10.20.3
This ACL monitoring feature does not include hits on the "implicit deny" that is included at the end of all ACLs.
Resetting ACE Hit Counters to Zero:
n Removing an ACL from an interface zeros the ACL's ACE counters for that interface only. n For a given ACL, either of the following actions clear the ACE counters to zero for all interfaces to which the
ACL is assigned. l adding or removing a permit or deny ACE in the ACL l rebooting the switch
Below is an example of performance monitoring output for an IPv6 ACL assigned as a VACL. Figure 62 IPv6 ACL performance monitoring output
switch# show statistics aclv6 V6-02 vlan 20 vlan
HitCounts for ACL V6-02
Total
310
Aruba 2930M/F | Access Security Guide
( 5) 10 permit icmp ::/0 fe80::20:2/128 128 ( 4) 20 permit icmp ::/0 fe80::20:3/128 128 ( 136) 30 permit tcp fe80::20:1/128 ::/0 eq 23 ( 2) 40 deny icmp ::/0 fe80::20:1/128 128 ( 10) 50 deny tcp ::/0 ::/0 eq 23 ( 8) 60 deny icmp ::/0 ::/0 133 ( 155) 70 permit ipv6 ::/0 ::/0
Below is an example of performance monitoring output for an IPv4 ACL assigned as a VACL.
Figure 63 IPv4 ACL performance monitoring output
switch# show statistics aclv4 102 vlan 20 vlan
HitCounts for ACL 102
Total
( 1) 10 permit icmp 10.10.20.3 0.0.0.0 10.10.20.2 0.0.0.0 8 ( 2) 20 deny icmp 10.10.20.3 0.0.0.0 10.10.20.1 0.0.0.0 8 log ( 2) 30 deny icmp 10.10.20.2 0.0.0.0 10.10.20.3 0.0.0.0 8 log ( 1) 40 deny icmp 10.10.20.2 0.0.0.0 10.10.20.1 0.0.0.0 8 log ( 10) 50 deny tcp 10.10.20.2 0.0.0.255 10.10.20.3 0.0.0.255 eq 23 log ( 27) 60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
The following example demonstrates using clear statistics to reset the counters to zero.
Figure 64 IPv6 ACL performance monitoring output
switch# show statistics aclv6 V6-02 vlan 20 vlan
HitCounts for ACL V6-02
Total
( 5) 10 permit icmp ::/0 fe80::20:2/128 128 ( 4) 20 permit icmp ::/0 fe80::20:3/128 128 ( 136) 30 permit tcp fe80::20:1/128 ::/0 eq 23 ( 2) 40 deny icmp ::/0 fe80::20:1/128 128 ( 10) 50 deny tcp ::/0 ::/0 eq 23 ( 8) 60 deny icmp ::/0 ::/0 133 ( 155) 70 permit ipv6 ::/0 ::/0 switch# clear statistics aclv6 V6-02 vlan 20 vlan switch# show statistics aclv6 V6-02 vlan 20 vlan
HitCounts for ACL V6-02
Total
( 0) 10 permit icmp ::/0 fe80::20:2/128 128 ( 0) 20 permit icmp ::/0 fe80::20:3/128 128 ( 0) 30 permit tcp fe80::20:1/128 ::/0 eq 23 ( 0) 40 deny icmp ::/0 fe80::20:1/128 128 ( 0) 50 deny tcp ::/0 ::/0 eq 23 ( 0) 60 deny icmp ::/0 ::/0 133 ( 0) 70 permit ipv6 ::/0 ::/0
General ACL operating notes
n ACLs do not affect serial port access. ACLs do not apply to the switch's serial port.
Aruba 2930M/F | Access Security Guide
311
n ACL screening of IPv4 traffic generated by the switch.
ACLs applied on the switch screen IP traffic when other devices generate it. Similarly, ACL applications can screen responses from other devices to unscreened IP traffic the switch generates.
n ACL logging.
l The ACL logging feature generates a message only when packets are explicitly denied as the result of a match, and not when implicitly denied. To help test ACL logging, configure the last entry in an ACL as an explicit deny statement with a log statement included.
l A detailed event will be logged for the first packet that matches a "deny" or "permit" ACL logged entry with the appropriate action specified.
Subsequent packets matching ACL logged entries will generate a new event that summarizes the number of packets that matched each specific entry (with the time period).
l Logging enables you to selectively test specific devices or groups. However, excessive logging can affect switch performance. For this reason, Hewlett Packard Enterprise recommends that you remove the logging option from ACEs for which you do not have a current need. Also, avoid configuring logging where it does not serve an immediate purpose. (Note that ACL logging is not designed to function as an accounting method.) See also "Apparent Failure To Log All `Deny' Matches" in the section titled "ACL Problems", found in "Troubleshooting" of the Management and Configuration Guide for your switch.
l When configuring logging, you can reduce excessive resource use by configuring the appropriate ACEs to match with specific hosts instead of entire subnets.
n Minimum number of ACEs in an ACL.
Any ACL must include at least one ACE to enable IP traffic screening. A numbered ACL cannot be created without at least one ACE. A named ACL can be created "empty"; that is, without any ACEs. However in an empty ACL applied to an interface, the Implicit Deny function does not operate, and the ACL has no effect on traffic.
n Monitoring shared resources.
Applied ACLs share internal switch resources with several other features. The switch provides ample resources for all features. However, if the internal resources become fully subscribed, additional ACLs cannot be applied until the necessary resources are released from other applications. For information on determining current resource availability and usage, see "Monitoring Resources" in the management and configuration guide for your switch.
n Replacing or adding to an active ACL policy.
If you assign an ACL to an interface and subsequently add or replace ACEs in that ACL, each new ACE becomes active when you enter it. If the ACL is configured on multiple interfaces when the change occurs, then the switch resources must accommodate all applications of the ACL. If there are insufficient resources to accommodate one of several ACL applications affected by the change, then the change is not applied to any of the interfaces and the previous version of the ACL remains in effect.
312
Aruba 2930M/F | Access Security Guide
Chapter 13 MAC ACLs
MAC ACLs
MAC Access Control Lists (ACL)s are an extension of the ACLs feature which include IPv4 Standard, IPv4 Extended ACLs, and IPv6 ACLs. The MAC classes is an extension of Classifier policy feature which includes QoS and Mirror policies. Classifier Policies and ACLs specify packet attributes on which to match and then take action upon those packets. In the case of ACLs, the actions are permit, deny and log. In the case of Classifier Policies, the actions are specific to the policy type (QoS or Mirror). The current implementation of ACLs limits packet matching to fields within the IP header of the packet (source IP address, destination IP address, protocol, etc.). MAC ACLs will allow for matching within the Ethernet header of a packet, including source MAC address, destination MAC address and EtherType protocol. MAC ACLs will also allow access to the 802.1q Ethernet frame header values which include the CoS and the VLAN ID. The IP ACLs apply only to Ethernet packets that are of type IP but MAC ACLs will apply to all traffic.
Overview
The MAC ACL and MAC Classes are part of the ACL and Classifier subsystem and they each provide different functionality. Each of the features will be discussed independently to provide the most clarity. The MAC ACL feature provides a mechanism for the user to permit or deny traffic based on Ethernet frame information. The feature allows for matching traffic based on source MAC address, destination MAC address, Ethernet type, CoS, or VLAN ID. Customers can use this feature to permit or deny specific MAC addresses, block certain types of traffic (for example, appletalk), or block certain CoS/priority packets. The feature extends ACL capabilities down to the Ethernet header and allows matching on most of the fields within the header. This feature's CLI will work very similar to the way IP ACLs are configured but it will need a different context for configuring the match or ignore rules. The context will only allow permit or deny statements with the MAC header fields specified. The MAC classes feature provides a mechanism for the user to perform actions (for example, remark) on traffic that matches the specified Ethernet header information in the class. The user can create a class that matches the Ethernet header fields: source MAC address, destination MAC address, Ethernet type, VLAN ID or VLAN CoSvalue. After the class is configured the class can be added into a policy and be associated with an action. MAC classes can be included in QoS and Mirror policies and can be applied to those features interfaces (for example, port or VLAN). MAC classes and IPv4/IPv6 classes are mutually exclusive within a policy. A policy that contains both MAC classes and IPv4/IPv6 classes will not be allowed to be configured. Once the policy is applied to an interface any matching traffic will have the specified action applied. This CLI will work very similar to the way classes are defined for IP based traffic.
MAC ACL configuration commands
Mac-access-list standard configuration context
This command is used to configure MAC ACL with a simplified configuration. A simplified configuration provides a way to easily configure MAC ACLs that only require matching on a source MAC address.
Syntax
Aruba 2930M/F | Access Security Guide
313
SEQ-NUM < permit | deny > < any | host > SRC-MAC | SRC-MAC-MASKlog no SEQ-NUM < permit | deny > < any | host > SRC-MAC | SRC-MAC-MASKlog
permit
Packets matching the specified Ethernet header information.
deny
Packets matching the specified Ethernet header information.
any
Match the packets with any source MAC address.
host
Match the packets with the specified source MAC address.
SRC-MAC
Match the packets belonging to the specified source MAC address range.
SRC-MAC-MASK
The MAC address group mask.
log
Log a debug message when the MAC ACL rule is hit.
Similar Command
switch(config)#ip access-list standard 1
Configure standard MAC ACL
switch(config)#mac-access-list standard 200 switch(config-std-macl)#permit AABB.CCDD.EEFF 0000.0000.FFFF switch(config-std-macl)#deny host AABB.CCDD.EEFF log
Syntax
SEQ-NUM remark no SEQ-NUM remark
Add a comment for the MAC ACL rule specified. The maximum comment length is 100 characters.
Mac-access-list extended configuration context
Syntax
SEQ-NUM < permit | deny > < any | host > SRC-MAC | SRC-MAC-MASK < any | host > DST-MAC | DST-MAC-MASK < any | ETHERTYPE cos COS log no SEQ-NUM < permit | deny > < any | host > SRC-MAC | SRC-MAC-MASK < any | host > DST-MAC | DST-MAC-MASK < any | ETHERTYPE cos COS log
[<SEQ-NUM>] permit {any| host <SRC-MAC>|<SRC-MAC> <SRC-MAC-MASK>} {any|host <DST-MAC> | <DST-MAC> <DST-MAC-MASK>} {any|ETHERTYPE} [cos <priority>|vlan <vlan-id>] [log]
no [<SEQ-NUM>] permit {any| host <SRC-MAC>|<SRC-MAC> <SRC-MAC-MASK>} {any|host <DST-MAC> | <DST-MAC> <DST-MAC-MASK>} {any|ETHERTYPE} [cos <priority>|vlan <vlan-id>] [log]
314
Aruba 2930M/F | Access Security Guide
[<SEQ-NUM>] deny {any| host <SRC-MAC>|<SRC-MAC> <SRC-MAC-MASK>} {any|host <DST-MAC> | <DST-MAC> <DST-MAC-MASK>} {any|ETHERTYPE} [cos <priority>|vlan <vlan-id>] [log]
no [<SEQ-NUM>] deny {any| host <SRC-MAC>|<SRC-MAC> <SRC-MAC-MASK>} {any|host <DST-MAC> | <DST-MAC> <DST-MAC-MASK>} {any|ETHERTYPE} [cos <priority>|vlan <vlan-id>] [log] Used to configure an extended MAC ACL. The extended capabilities allow for matching on source MAC address, destination Mac address, EtherType, CoS, and VLAN. The VLAN value is only applicable when the MAC ACL is applied to a port or trunk interface.
permit
Packets matching the specified Ethernet Header information.
deny
Packets matching the specified Ethernet Header information.
any
Match packets with any source/destination MAC address.
host
Match packets with the specified source/destination MAC address.
SRC-MAC
Match packets belonging to the specified source/destination MAC address range.
SRC-MAC-MASK
The source MAC address group mask.
DST-MAC-MASK
The destination MAC address group mask.
<0x600-0xFFFF>
Match a specific EtherType protocol.
aarp
AppleTalk Address Resolution Protocol (AARP)
appletalk
AppleTalk/EtherTalk
arp
Address Resolution Protocol (ARP)
fcoe
Fibre Channel over Ethernet
fcoe-init
Fibre Channel over Ethernet Initialization
lldp
Link Layer Discovery Protocol
ip
Internet Protocol Version 4
ipv6
Internet Protocol Version 6
ipx-arpa
IPX Advanced Research Projects Agency (ARPA)
ipx-non-arpa
Aruba 2930M/F | Access Security Guide
315
IPX non-ARPA
is-is
Intermediate System to Intermediate System
mpls-unicast
MPLS Unicast
mpls-multicast
MPLS Multicast
q-in-q
IEEE 802.1ad encapsulation
rbridge
RBridge Channel Protocol
trill
IETF TRILL protocol
wake-on-lan
Wake on LAN
log
Log a debug message when the MAC ACL rule is hit.
cos
Match packets with a specified 802.1Q Priority Code Point value.
vlan
Match packets with the specified VLAN value.
VLAN-ID
Match packets with the specified VLAN value.
<0-7>
Match packets with a specified 802.1Q Priority Code Point value.
Similar Command
switch(config)#ip access-list extended 100
Remark command
The remark command allows for the insertion of a string at the specified sequence number. The remark will consume the sequence number where it is specified and will remain in proper order if the list is resequenced. The remark ability provides a way of tracking notes inside the given ACL but they do not affect the behavior of the ACL.
Syntax
SEQ-NUM remark no SEQ-NUM remark
Add a comment for the MAC ACL or MAC ACL rule specified. The maximum comment length is 100 characters.
Mac-access-list application syntax (PACL)
This command is used to apply a MAC ACL to an interface.
316
Aruba 2930M/F | Access Security Guide
Syntax
(Within interface context.) mac-access-group ACL-ID in|out Apply a MAC ACL to traffic on a port. A standard or extended MAC ACL filters packets based on the source MAC address, destination MAC address, ethertype, CoS, or VLAN.
ASCII-STR
The MAC ACL name.
in
Apply MAC ACL on the inbound packets.
Similar command
ip access-group name in
mac-access-group name in
Mac-access-list application syntax (VACL)
This command is used to apply a MAC ACL to a VLAN .
Syntax
(Within interface context.) mac-access-group ACL-ID in|out Apply a MAC ACL to traffic on a VLAN. A standard or extended MAC ACL filters packets based on the source MAC address, destination MAC address, ethertype, CoS, or VLAN.
ASCII-STR
The MAC ACL name.
in
Apply MAC ACL on the inbound packets.
Similar command
ip access-group name in|out
See: example
Applying a MAC ACL to VLAN 1
switch(config)#vlan 1 switch(vlan-1)# mac-access-group name in
show access-list
The new feature will modify some of the existing output content in `show access-list ports' and `show access-list vlan'. Added shared keyword after type. Yes/No to indicate whether the interface list is shared.
Aruba 2930M/F | Access Security Guide
317
Show access-list by name
This command is used to display the details about a specific ACL.
Syntax show access-list <ACL-ID> config
Show access-list 300
switch(config)# show access-list 300 Access Control Lists Name: 300 Type: MAC Extended Applied: No SEQ: Entry --------------------------------------------10 Action : permit Src MAC: 1111.2222.3333 Mask: ffff.ffff.0000 Dst MAC: 4444.5555.6666 Mask: ffff.ffff.0000 Ethertype: aarp CoS: 7 VLAN ID: 1
Show access-list 200
switch(config)# show access-list 200 Access Control Lists Name: 200 Type: MAC Standard Applied: No SEQ: Entry -----------------------------------------------------10 Action: permit Src MAC: 1111.2222.3333 Mask: ffff.ffff.0000 Ethertype : any
Show access-list 100
switch(config)# show access-list 100
Name: 100
Type: IPv4 Extended
Applied: No
SEQ: Entry
---------------------------------------------------
10 Action: deny
Src IP:
0.0.0.0
Mask: 255.255.255.255
Dst IP:
0.0.0.0
Mask: 255.255.255.255
Proto :
TCP
TOS :
Precedence:
20 Action: deny
Src IP:
0.0.0.0
Mask: 255.255.255.255
Dst IP:
0.0.0.0
Mask: 255.255.255.255
Proto :
UDP
TOS :
Precedence: -
Port(s): Port(s):
Port(s): Port(s):
Show access-list v6ACL
switch(config)# show access-list v6ACL Name: 100 Type: IPv6 Applied: No SEQ Entry ----------------------------------------
318
Aruba 2930M/F | Access Security Guide
10 Action:
deny
Src IP:
Prefix Len: 0
Dst IP:
Prefix Len: 0
Src Port(s): Dst Port(s):
Proto :
TCP Option(s):
Dscp :
Show access-list config
Syntax
show access-list <ACL-ID> config Used to display a specific ACL as it would be shown in configuration.
mac-access-list
switch(config)# mac-access-list 300 config 10 permit 1111.2222.3333 ffff.ffff.0000 4444.5555.6666 ffff.ffff.0000 aarp exit
switch(config)# mac-access-list 200 config 10 permit 1111.2222.3333 4444.5555.6666 exit
Show access-list port
Syntax
show access-list port <port-list> Used to display the current ACLs that are applied to a specified port.
Show access-list
switch(config)# show access-list port f1 Access Lists for Port F1 IPv4 Inbound : 100 Type: Extended MAC Inbound : 300 Type: Extended
Show access-list vlan
Syntax show access-list vlan < VLAN-ID | all > Used to display the current ACLs that are applied to a specified VLAN. VLAN-ID Show ACLs applied to the specified VLAN. all Show ACLs applied to all VLANs.
Show access-list
switch(config)# show access-list vlan 1
Access Lists for VLAN 1
IPv4 Router Inbound
: (None)
IPv4 VLAN Inbound
: (None)
IPv4 Connection Rate Filter : (None)
IPv6 Router Inbound
: (None)
Aruba 2930M/F | Access Security Guide
319
IPv6 VLAN Inbound MAC VLAN Inbound
: (None) : 300 Type: Extended
Show access-list resources
Syntax
show access-list resource Used to display current resource usage and availability in the policy enforcement engine.
Show access-list resource
switch#show access-list resource Resource usage in Policy Enforcement Engine
Ingress Policy Enforcement Engine Rules Resource usage in Policy Enforcement Engine
| Rules | Rules Used
Ports | Available | ACL | QoS | VT | Mirr | OF | Other |
--------------+-----------+-----+-----+-----+------+------+-------|
1-28
|
4080 | 0 | 0 | 0 | 0 | 0 |
0|
Ingress Policy Enforcement Engine Meters
| Meters | Meters Used
Ports | Available | ACL | QoS | VT | Mirr | OF | Other |
--------------+-----------+-----+-----+-----+------+------+-------|
1-28
|
2047 |
| 0| 0|
| 0|
0|
Ingress Policy Enforcement Engine Port Ranges
|Application|
|Port Ranges| Application Port Ranges Used
Ports | Available | ACL | QoS | VT | Mirr | OF | Other |
--------------+-----------+-----+-----+-----+------+------+-------|
1-28
|
60 | 0 | 0 |
| 0| 0|
0|
2 of 32 Policy Engine management resources used.
Egress Policy Enforcement Engine Rules Resource usage in Policy Enforcement Engine
| Rules | Rules Used
Ports | Available | ACL | QoS | VT | Mirr | OF | Other |
--------------+-----------+-----+-----+-----+------+------+-------|
1-28
|
2032 | 0 | 0 | 0 | 0 | 0 |
0|
Egress Policy Enforcement Engine Meters
| Meters | Meters Used
Ports | Available | ACL | QoS | VT | Mirr | OF | Other |
--------------+-----------+-----+-----+-----+------+------+-------|
1-28
|
1023 |
| 0| 0|
| 0|
0|
Egress Policy Enforcement Engine Port Ranges
320
Aruba 2930M/F | Access Security Guide
|Application|
|Port Ranges| Application Port Ranges Used
Ports | Available | ACL | QoS | VT | Mirr | OF | Other |
--------------+-----------+-----+-----+-----+------+------+-------|
1-28
|
60 | 0 | 0 |
| 0| 0|
0|
0 of 8 Policy Engine management resources used.
The hardware (TCAM) resources used by the ACLs configured on the switch are as follows: Key ACL Access Control Lists QoS Quality of Service VT Virus Throttling Mirror Mirror Policies, Remote Intelligent Mirror endpoints Other Management VLAN, DHCP Snooping, ARP Protection, Jumbo IP-MTU, Transparent Mode.
Resource usage includes resources actually in use, or reserved for future use by the listed feature. Internal dedicated-purpose resources, such as port bandwidth limits or VLAN QoS priority, are not included.
Show statistics
The show statistics command will need to be updated to take a MAC parameter.
Syntax
show statistics mac <ACL-NAME-STR> port <PORT-NUM> Used to display hit counts for a given MAC ACL.
mac
Display the statistics of MAC ACL.
ACL-NAME-STR
The MAC ACL name.
port
Show statistics for the specified port.
[ethernet] PORT-NUM
The port on which the MAC ACL is applied. Syntax show statistics mac <ACL-NAME-STR> vlan <VLAN-ID> in|out|vlan
vlan
Show statistics for the specified VLAN.
VLAN-ID
The VLAN ID or VLAN name.
in
Show statistics for MAC ACLs that are applied inbound.
out
Show statistics for MAC ACLs that are applied outbound.
Aruba 2930M/F | Access Security Guide
321
show statistics mac
show statistics mac 300 port 1 in
show statistics mac 300 vlan 10 in
show statistics mac 300 vlan 10 vlan
show statistics mac superMac vlan 10 in
show statistics mac superMac vlan 10 in
HitCounts for ACL superMac Total ( 540 ) 10 permit any 1111.2222.3333 4444.5555.6666
clear statistics
The clear statistics command will need to be updated to take a MAC parameter.
Syntax
clear statistics mac <ACL-NAME-STR> port <PORT-NUM> Clear all the counters for the ACLs that match the criteria specified. mac Clear the statistics for MAC ACL. ACL-NAME-STR The MAC ACL name or the MAC ACL number. port Clear statistics for the specified port. [ethernet] PORT-NUM The port from which the MAC ACL statistics is cleared.
Syntax
clear statistics mac <ACL-NAME-STR> port <PORT-NUM> | VLAN <VLAN-ID> in|out|vlan VLAN Clear statistics for the specified VLAN. VLAN-ID The VLAN ID or VLAN name. in Clear statistics for inbound packets on the VLAN. out Clear statistics for outbound packets on the VLAN.
Clear statistics mac superMac
clear statistics mac superMac vlan 10 in
322
Aruba 2930M/F | Access Security Guide
CLI command error messages
Event
Message
Attempt to move a port into a trunk with a MAC ACL applied and there are not enough hardware resources available to accommodate the new port.
Operation failed on Port %s: General error.
Attempt to move a port with a MAC ACL applied to it into a trunk.
Unable to apply access control list. Port %s is part of a trunk.
Apply a MAC ACL to a vlan, interface or tunnel and there are not enough hardware resources available.
Unable to apply access control list. Failed to add entry %s.
Add a class to a policy and a nonmatching class type is already applied IP/MAC)
Unable to add class. Policy cannot contain both IP and MAC classes.
Apply a MAC ACL on a vlan and it contains a rule that matches vlan-ID
Unable to apply access control list. ACLs applied to VLANs cannot match the VLAN ID parameter.
Apply a MAC Policy on a vlan and it contains a rule that matches vlan-ID
Unable to apply policy. Policies applied to VLANs cannot contain a class that matches the VLAN ID parameter.
Aruba 2930M/F | Access Security Guide
323
Chapter 14 ACL Grouping
ACL Grouping
Features n Enables Port ACL applications to be grouped. n Allows end users to programmatically control grouping on a per port ACL basis. n CLI support for new "shared" keyword. n ACLs will be treated as unshared when upgrading to new release. n Downgrading shared ACLs to previous release will not be supported, the ACLs will be disabled. n Enables ACL applications to VLAN to be grouped. n Grouped ACLs applied to multiple VLANs will use only a single TCAM resource. n Allow users to control grouping on a per VLAN ACL basis.
Overview
ACL grouping is an extension of the ACL feature. Each ACL application will consume n TCAM resources therefore x applications of an ACL will use x . *n resources. ACL grouping allows for grouping by an ACL. With ACL grouping, the TCAM usage would shrink to n. ACL grouping can be applied to both ports and VLANs. ACL grouping provides the following capabilities: n Enables Port ACL applications to be grouped. n Allows end users to programmatically control grouping on a per port ACL basis. n Provides CLI support for the shared keyword. n ACLs will be treated as unshared when upgrading to new release. n Downgrading shared ACLs to previous release will not be supported, the ACLs will be disabled. n Enables ACL applications to VLAN to be grouped. n Grouped ACLs applied to multiple VLANs will use only a single TCAM resource. n Allow users to control grouping on a per VLAN ACL basis.
Commands
These commands allow uers to control explicit groupings on PACLs, VACLs and RACLs applications which allows for TCAM resource consolidation. Allow for better network troubleshooting via an individual port or VLAN when reviewing statistics specifically for that port or VLAN.
IPv4 access-group (PACL)
Allows for the configuration of an IPv4 ACL on a port to be shared.
Syntax
Aruba 2930M/F | Access Security Guide
324
ip access-group ACL-ID in|out shared no ip access-group ACL-ID in|out shared
Description
Apply the specified IPv4 ACL to inbound or outbound packets on this interface. When ACLs are shared, hardware resource usage is optimized where possible.
Parameter
shared Apply the IPv4 ACL so as to share hardware resources.
Restrictions
n Per-application statistics will not be available when ACLs are applied as shared. n Connection rate filter ACLs cannot be applied on this interface.
ip access-group my-acl out shared
switch(config)# int a1 switch(eth-a1)# ip access-group my-acl out shared
IPv6 access-group (PACL)
Allows for the configuration of an IPv6 ACL on a port to be shared.
Syntax
ipv6 access-group ACL-ID in|out shared no ipv6 access-group ACL-ID in|out shared
Description
Apply the specified IPv6 ACL to inbound or outbound packets on this interface. When ACLs are shared, hardware resource usage is optimized where possible.
Parameter
shared Apply the IPv6 ACL so as to share hardware resources.
Restrictions
n Per-application statistics will not be available when ACLs are applied as shared. n Connection rate filter ACLs cannot be applied on this interface.
ipv6 access-group my-acl out shared
switch(config)# int a1 switch(eth-a1)# ipv6 access-group my-acl out shared
MAC access-group (PACL)
Allows for the configuration of a MAC ACL on a port to be shared.
Syntax
mac-access-group ACL-ID in|out shared
325
Aruba 2930M/F | Access Security Guide
Description
Apply the MAC ACL to the traffic on a port. MAC ACLs can be used to filter the traffic based on the source MAC address, destination MAC address, EtherType, CoS priority, or VLAN number. When ACLs are shared, hardware resource usage is optimized where possible.
Parameter
shared Apply the MAC ACL so as to share hardware resources.
Restrictions
Per-application statistics will not be available when ACLs are applied as shared.
mac-access-group my-acl out shared
Switch(config)# int a1 switch(eth-a1)# mac-access-group my-acl out shared
IPv4 access-group (VACL)
Allows for the configuration of an IPv4 ACL on a vlan to be shared. VACLs are applied from vlan context.
Syntax
ip access-group ACL-ID in|out|vlan-in|vlan-out|connection-rate-filter shared no ip access-group ACL-ID in|out|vlan-in|vlan-out|connection-rate-filter shared
Description
Apply the specified IPv4 ACL on this VLAN interface. When ACLs are shared, hardware resource usage is optimized where possible.
Parameter
shared Apply the IPv4 ACL so as to share hardware resources.
Restrictions
Per-application statistics will not be available when ACLs are applied as shared.
ip access-group my-acl out shared
switch(config)# vlan 1 switch(vlan-1)# ip access-group my-acl vlan-out shared switch(vlan-1)# ip access-group my-acl out shared
IPv6 access-group (VACL)
Allows for the configuration of an IPv6 ACL on a VLAN to be shared. VACLs are applied from VLAN context.
Syntax
ipv6 access-group ACL-ID in|out|vlan-in|vlan-out|connection-rate-filter shared no ipv6 access-group ACL-ID in|out|vlan-in|vlan-out|connection-rate-filter shared
Description
Aruba 2930M/F | Access Security Guide
326
Apply the specified IPv6 ACL on this VLAN interface. When ACLs are shared, hardware resource usage is optimized where possible.
Parameter
shared Apply the IPv6 ACL so as to share hardware resources.
Restrictions
Per-application statistics will not be available when ACLs are applied as shared.
ipv6 access-group my-acl out shared
switch(config)# vlan 1 switch(vlan-1)# ipv6 access-group my-acl vlan-out shared switch(vlan-1)# ipv6 access-group my-acl out shared
MAC access-group (VACL)
Allows for the configuration of a MAC ACL on a VLAN to be shared.
Syntax
mac-access-group ACL-ID in|out shared
Description
Apply the MAC ACL to the traffic on a VLAN. MAC ACLs can be used to filter the traffic based on the source MAC address, destination MAC address, EtherType, CoS priority, or VLAN number. When ACLs are shared, hardware resource usage is optimized where possible.
Parameter
shared Apply the MAC ACL so as to share hardware resources.
Restrictions
Per-application statistics will not be available when ACLs are applied as shared.
mac-access-group my-acl out shared
switch(config)# vlan 1 switch(vlan-1)# mac-access-group my-acl out shared
Mac-access-list creation syntax
This is a new command that needs to be created to allow for the configuration of MAC-based access control lists.
Standard MAC ACL Configuration
Syntax
mac-access-list standard Configure a standard MAC Access Control List. NAME-STR The standard MAC ACL name.
327
Aruba 2930M/F | Access Security Guide
200-299
The standard MAC ACL number. mac-access-list standard <200>
Description
Configure the standard MAC ACL to filter the packets based on the source MAC address. The standard MAC ACL number ranges from 200 to 299.
Example
switch(config)#mac accss-list standard 200 switch(config-std-macl)#
Extended MAC ACL Configuration
Syntax
mac-access-list extended
Configure an extended MAC Access Control List.
NAME-STR
The extended MAC ACL name.
300-399
The extended MAC ACL number.
mac-access-list extended <300>
Description Configure the extended MAC ACL to filter the packets based on the source MAC address, destination MAC address, ethertype, CoS priority, or VLAN number. The extended MAC ACL number ranges from 300 to 399. Example
(config)#mac accss-list extended 300 (config-ext-macl)#
Resequencing MAC ACL
Syntax mac-access-list resequence Renumber the sequence number of the rules in the MAC ACL specified.
<1-2147483647>
The sequence number assigned to the first rule of the specified MAC ACL.
<1-2147483646>
The increment value that renumbers the subsequent rules in the specified MAC ACL. mac-access-list resequence 200110 Description Re-number the sequence number of the rules in the MAC ACL specified. The first rule receives the sequence number specified in the start-seq-num and the subsequent rule numbers increment per the increment value. Example
(config)# mac-access-list resequence 300 1 10
Aruba 2930M/F | Access Security Guide
328
Similar Command ip access-list
Modify existing commands
ACL grouping feature does not introduce new show commands. Although it does modify the output content to indicate if an ACL is shared on specified interface lists.
show configuration
Another method to see if the ACL is shared by using show running-config. Add shared keyword after direction when the ACL is shared.
Syntax
show running-config
Description
The command displays the running configuration of the switch.
Parameters status
Shows whether the running configuration differs from the start-up configuration.
structured
Shows the running configuration in a grouped format.
oobm
Shows the running configuration for Out-of-band management (OOBM) used for remote management switch.
change-history [<NUMBER> | detail]
Shows the change-history logs of the running configuration.
Interface [<PORT-LIST> | loopback | tunnel]
Shows the running configuration for interfaces.
router [bgp | ospf | ospf3 | pim | rip | vrrp]
Shows the running configuration for layer 3 routing protocols.
Vlan [<VLAN-LIST>]
Shows the running configuration for VLANs.
hash [recalculate]
Shows the hash calculated for the running configuration.
concise
329
Aruba 2930M/F | Access Security Guide
Shows the running configuration in a concise format, with the output lines consolidated for a range of ports based on the supported feature.
This feature is currently supported for port-access and spanning-tree commands.
Examples
Output of show running config
#show running-config Running configuration: ; JL071A Configuration Editor; Created on release #KB.16.10.0011H ; Ver #14:6f.6f.f8.1d.fb.7f.bf.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:00
hostname "Aruba-3810M-24G-1-slot" module 1 type jl071x include-credentials password manager user-name "manager" sha1 "694ebcc5ea2e27ec8f045553853e06247626b787" snmp-server community "public" unrestricted snmpv3 engineid "00:00:00:0b:00:00:70:10:6f:84:0c:80" aaa port-access mac-based 2 addr-limit 20 aaa port-access mac-based 3 addr-limit 20 aaa port-access mac-based 3 addr-moves aaa port-access mac-based 4 addr-limit 20 aaa port-access mac-based 4 addr-moves aaa port-access mac-based 5 addr-moves aaa port-access mac-based 6 addr-moves aaa port-access mac-based 8 addr-limit 30 aaa port-access mac-based 9 addr-limit 30 aaa port-access mac-based 10 addr-limit 30 aaa port-access mac-based 13 addr-moves aaa port-access mac-based 14 addr-moves aaa port-access mac-based 15 addr-moves aaa port-access web-based 10 client-limit 20 aaa port-access web-based 11 client-limit 20 aaa port-access web-based 11 client-moves aaa port-access web-based 12 client-limit 20 aaa port-access web-based 12 client-moves aaa port-access web-based 13 client-moves aaa port-access web-based 14 client-limit 30 aaa port-access web-based 14 client-moves aaa port-access web-based 15 client-limit 30 aaa port-access web-based 15 client-moves aaa port-access web-based 16 client-limit 30 aaa port-access web-based 20 client-moves aaa port-access web-based 21 client-moves aaa port-access web-based 22 client-moves oobm
ip address dhcp-bootp ipv6 enable ipv6 address dhcp full exit vlan 1 name "DEFAULT_VLAN" untagged 1-24 ip address dhcp-bootp ipv6 enable ipv6 address dhcp full exit spanning-tree spanning-tree 1 point-to-point-mac false root-guard loop-guard tcn-guard bpdu-filter spanning-tree 2 point-to-point-mac false root-guard loop-guard tcn-guard bpdu-filter spanning-tree 3 point-to-point-mac false loop-guard tcn-guard bpdu-filter
Aruba 2930M/F | Access Security Guide
330
spanning-tree 4 point-to-point-mac false loop-guard tcn-guard bpdu-filter spanning-tree 5 point-to-point-mac false loop-guard tcn-guard spanning-tree 6 point-to-point-mac false loop-guard tcn-guard spanning-tree mode rapid-pvst
#
Output of show running config concise
# show running-config concise
Running configuration:
; JL071A Configuration Editor; Created on release #KB.16.10.0011H ; Ver #14:6f.6f.f8.1d.fb.7f.bf.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:00
hostname "Aruba-3810M-24G-1-slot" module 1 type jl071x include-credentials password manager user-name "manager" sha1
"694ebcc5ea2e27ec8f045553853e06247626b787" snmp-server community "public" unrestricted snmpv3 engineid "00:00:00:0b:00:00:70:10:6f:84:0c:80" aaa port-access mac-based 2-4 addr-limit 20 aaa port-access mac-based 8-10 addr-limit 30 aaa port-access mac-based 3-6,13-15 addr-moves aaa port-access web-based 10-12 client-limit 20 aaa port-access web-based 14-16 client-limit 30 aaa port-access web-based 11-15,20-22 client-moves oobm
ip address dhcp-bootp ipv6 enable ipv6 address dhcp full exit vlan 1 name "DEFAULT_VLAN" untagged 1-24 ip address dhcp-bootp ipv6 enable ipv6 address dhcp full exit spanning-tree spanning-tree 1-4 bpdu-filter spanning-tree 1-2 root-guard spanning-tree 1-6 tcn-guard spanning-tree 1-6 loop-guard spanning-tree 1-6 point-to-point-mac false spanning-tree mode rapid-pvst
#
Show statistics
The show statistics command will need to be updated to take a MAC parameter.
Syntax
show statistics mac <ACL-NAME-STR> port <PORT-NUM> Used to display hit counts for a given MAC ACL.
mac
Display the statistics of MAC ACL.
331
Aruba 2930M/F | Access Security Guide
ACL-NAME-STR
The MAC ACL name.
port
Show statistics for the specified port.
[ethernet] PORT-NUM
The port on which the MAC ACL is applied. Syntax show statistics mac <ACL-NAME-STR> vlan <VLAN-ID> in|out|vlan
vlan
Show statistics for the specified VLAN.
VLAN-ID
The VLAN ID or VLAN name.
in
Show statistics for MAC ACLs that are applied inbound.
out
Show statistics for MAC ACLs that are applied outbound.
show statistics mac
show statistics mac 300 port 1 in
show statistics mac 300 vlan 10 in
show statistics mac 300 vlan 10 vlan
show statistics mac superMac vlan 10 in
show statistics mac superMac vlan 10 in
HitCounts for ACL superMac Total ( 540 ) 10 permit any 1111.2222.3333 4444.5555.6666
show access-list
The new feature will modify some of the existing output content in `show access-list ports' and `show access-list vlan'. Added shared keyword after type. Yes/No to indicate whether the interface list is shared.
show access-list ports
Syntax
show access-list ports PORT-LIST | all
Description
Show access-list ports by port list or all.
Parameter
all Show all ports.
Example
Aruba 2930M/F | Access Security Guide
332
switch# show access-list ports all
Access Lists for Port A1 IPv4 Outbound: my-acl Type: Extended Shared: Yes
Access Lists for Port A2 IPv4 Outbound: my-acl Type: Extended Shared: Yes
Access Lists for Port A3 IPv4 Outbound: my-acl Type: Extended Shared: Yes
Show access-list vlan
Syntax show access-list vlan < VLAN-ID | all > Used to display the current ACLs that are applied to a specified VLAN. VLAN-ID Show ACLs applied to the specified VLAN. all Show ACLs applied to all VLANs.
Show access-list
switch(config)# show access-list vlan 1
Access Lists for VLAN 1
IPv4 Router Inbound
: (None)
IPv4 VLAN Inbound
: (None)
IPv4 Connection Rate Filter : (None)
IPv6 Router Inbound
: (None)
IPv6 VLAN Inbound
: (None)
MAC VLAN Inbound
: 300 Type: Extended
333
Aruba 2930M/F | Access Security Guide
Chapter 15 Netdestination and Netservice
Netdestination and Netservice
Overview
Net-destination is a list of hosts, networks, or subnets that are used to configure Access Control List (ACL) and classifier rules. An alias of net-destination configures a list of hosts, networks or subnets. An alias of net-services configures the protocols or TCP/UDP ports. Extended ACL and classifiers can have both source IP, destination IP and port number along with protocol in its ACE. An alias-based Access Control Entry (ACE) for an extended ACL or classifier allows the use of an alias of net-service protocol and destination port. The use of net-destination and net-service reduces effort required to configure ACL and classifier rules. There are two types of Access Control Lists (ACLs) and classifiers that are supported and configured on the switch:
n Standard ACL
n Extended ACL
Standard ACL The standard ACL and classifier can have an IP source or network in the ACE (Access Control Entry). To define the alias-based ACE for standard ACL or classifier, only use a net-destination alias for the source. Example - standard ACL
netdestination src-ip host 10.120.0.1 host 10.91.1.1 host 10.0.100.12
netdestination destn-ip host 16.90.51.12 host 10.93.24.1
netservice tcp-service tcp 100 ip access-list standard "acl1" 10 permit alias-src src-ip exit
Example - Classifier
netdestination src-ip host 10.120.0.1 host 10.91.1.1 host 10.0.100.12 network 10.1.1.0/24
netdestination destn-ip host 16.90.51.12 host 10.93.24.1
netservice tcp-service tcp 100 class ipv4 "abc"
Aruba 2930M/F | Access Security Guide
334
match alias-src "src-ip" alias-dst "destn-ip" alias-srvc "tcp-service"
Extended ACL The extended ACL can have both source IP, destination IP and port number along with protocol in its ACE. To define an alias-based ACE for an extended ACL, use a net-destination alias for the source and destination and a net-service alias for the protocol and destination port. Example - extended ACL
Switch(config)# ip access-list extended aext1 Switch(config-ext-nacl)# 10 permit alias-src "src-ip" alias-dst "destn-ip" alias-srvc "tcp-service" Switch(config-ext-nacl)# exit
Net-service Limitations Alias-based ACE will not support access-control based on source port. The use of net-service restrict operators specified for port number to equals and range.
n Operators lt, gt, equal,negative, and range for the source port in the ACL or classifier rule are not specified using the options available in net-service.
n Operators lt, gt, negative are not specified for destination port using the options available in net-service.
n Only the ACL and classifier will be affected when changes are made to an existing net-service. Either the rule must be reapplied to the ACL or classifier, or the switch must be rebooted to affect the service.
For user roles configuration, see Policy commands. Net-destination Limitations
n Limited to IPv4 addresses per syntax. n Any changes made to an existing net-destination that is used by an ACL or classifier are applied on the ACL or
classifier only when the rule is reapplied to it or when switch is rebooted. n The number of entries for a single net-destination is limited. The number of net-destinations configurable on a
switch is also limited. n A considerable amount of memory (for global structures) will be allocated when alias-based ACEs are
configured which may cause issues on a switch with low memory. n The Host or Domain name cannot be specified as an entry in a net-destination. n Application level gateway will not be supported as the existing ACL or classifier infra does not support ALG. n SNMP support to configure and delete net-destination, net-service, and the alias-based rules will not be
provided. n The `invert' and `range' option have been deprecated as per AOS-S 7.4 CLI Reference Guide and hence will
not be supported. However, the functionality of `invert' option can be achieved through the `deny' rule. n RADIUS server-based ACL or classifier application to interface/VLAN will not be supported for ACLs or
classifiers with alias-based rules.
For user roles configuration, see Policy Commands.
netdestination host |position | network
Syntax
335
Aruba 2930M/F | Access Security Guide
netdestination <NAME-STR> [host <IP-ADDR> [position <NUM>] network <IP-ADDR/MASK-LENGTH> [position <NUM>]] no netdestination <NAME-STR> [host <IP-ADDR> [position <NUM>] network <IP-ADDR/MASK-LENGTH> [position <NUM>]] Description Net-destination is a list of hosts, networks, or subnets that are used to configure an ACL or classifier rule. Parameters
host
Configures a single IPv4 host.
network
An IPv4 subnet consisting of an IP address and netmask.
position
Specifies the position of a host, network, or range in the net-destination. This optional parameter is specific to a net-destination and is used to sort entries in a list. Position is required to remove a host entry. Example
netdestination "src-ip" host 10.0.100.12 position 218 host 10.91.1.1 position 219 host 10.120.0.1 position 220 exit
netdestination "destn-ip" host 10.93.24.1 position 219 host 16.90.51.12 position 220 exit
netservice [tcp | udp | port]
Syntax
netservice <NAME-STR> [tcp | udp | <PROTOCOL>] port <PORT-LIST> no netservice <NAME-STR> [tcp | udp | <PROTOCOL>] port <PORT-LIST>
Description
Configures net-service. No form of this command disables net-service configuration.
Parameters
protocol
IP protocol number. Range: 0-255
TCP
Configure an alias for a TCP protocol.
UDP
Aruba 2930M/F | Access Security Guide
336
Configure an alias for a UDP protocol.
port
Specify a single port or a list of noncontiguous port numbers, by entering up to six port numbers, separated by commas or range of ports. Range: 0-65535
Example net-service tcp-service tcp 100 for ACL
netservice tcp-service tcp 100 ip access-list extended "acl1"
permit alias-src src-ip alias-dst destn-ip alias-srvc tcp-service
Example net-service tcp-service tcp 100 for classifier
netservice tcp-service tcp 100 class ipv4 "abc"
match alias-src "src-ip" alias-dst "destn-ip" alias-srvc "tcp-service"
show netdestination
Syntax
show netdestination <NAME-STR>
Description Show a host-specific net-destination. Example
switch(config)#show netdestination n1
Name : n1
Position Type
IP Address
Mask
---------- -------------- ------------------ ------------------
116
Network
200.1.1.1
255.255.255.0
117
Network
100.1.1.1
255.255.255.0
118
Host
30.1.1.1
-
119
Host
20.1.1.1
-
120
Host
10.1.1.1
-
Modifying Netdestination Entries
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
netedit-update
Syntax
337
Aruba 2930M/F | Access Security Guide
netedit-update
Description
This command updates the configuration for netdestination when the netdestination is in use by alias based ACLs or Classifiers.
Command context
config
Examples
switch(config)# show run Running configuration: hostname "switch" module 1 type jl255a netdestination "n1"
host 30.1.1.1 position 118 host 20.1.1.1 position 119 host 10.1.1.1 position 120 network 200.1.1.1 255.255.255.0 position 116 network 100.1.1.1 255.255.255.0 position 117 exit ip access-list extended "acl1"
10 permit alias-src "any" alias-dst "n1" alias-srvc "any" exit interface 2 ip access-group "acl1" in exit switch(config)# show netdestination
Name : n1
Position Type
IP Address
Mask
---------- -------------- ------------------ ------------------
116
Network
200.1.1.1
255.255.255.0
117
Network
100.1.1.1
255.255.255.0
118
Host
30.1.1.1
-
119
Host
20.1.1.1
-
120
Host
10.1.1.1
-
switch(conf)# exit (config)# netdestination n1 The netdestination 'n1' is in use and the changes are not applied until 'netedit-update'
command is executed. switch(net-dest)# host 10.1.1.2 position 120 switch(net-dest)# no host 30.1.1.1 position 118 switch(net-dest)# network 201.1.1.1/24 position 116 switch(net-dest)# host 40.1.1.1 position 110 switch(net-dest)# exit switch(config)# show run
Running configuration:
hostname "switch" module 1 type jl255a netdestination "n1"
host 30.1.1.1 position 118 host 20.1.1.1 position 119 host 10.1.1.1 position 120 network 200.1.1.1 255.255.255.0 position 116 network 100.1.1.1 255.255.255.0 position 117 exit ip access-list extended "acl1"
Aruba 2930M/F | Access Security Guide
338
10 permit alias-src "any" alias-dst "n1" alias-srvc "any" exit interface 2 ip access-group "acl1" in exit
switch(config)# show netdestination
Name : n1*
Position Type
IP Address
Mask
---------- -------------- ------------------ ------------------
110
Host
40.1.1.1
-
116
Network
201.1.1.1
255.255.255.0
117
Network
100.1.1.1
255.255.255.0
119
Host
20.1.1.1
-
120
Host
10.1.1.2
-
* The changes are not applied until 'netedit-update' command is executed.
switch(config)# netedit-update The netdestination update is in progress and may take a few minutes to complete. Configuration changes on classifier features are disabled during this operation.
switch(config)# show run
Running configuration: hostname "switch" module 1 type jl255a netdestination "n1"
host 40.1.1.1 position 110 host 20.1.1.1 position 119 host 10.1.1.2 position 120 network 201.1.1.1 255.255.255.0 position 116 network 100.1.1.1 255.255.255.0 position 117 exit ip access-list extended "acl1"
10 permit alias-src "any" alias-dst "n1" alias-srvc "any" exit interface 2 ip access-group "acl1" in exit switch(config)# show netdestination
Name : n1
Position Type
IP Address
Mask
---------- -------------- ------------------ ------------------
110
Host
40.1.1.1
-
116
Network
201.1.1.1
255.255.255.0
117
Network
100.1.1.1
255.255.255.0
119
Host
20.1.1.1
-
120
Host
10.1.1.2
-
Failure message due to hardware resource unavailability: The output of the show run will have original netdestination configuration. show netdestination will have the edited changes. These changes will be applied upon resource availability.
switch(config)# show run Running configuration: hostname "switch" module 1 type jl255a netdestination "n1"
host 30.1.1.1 position 118 host 20.1.1.1 position 119
339
Aruba 2930M/F | Access Security Guide
host 10.1.1.1 position 120 network 200.1.1.1 255.255.255.0 position 116 network 100.1.1.1 255.255.255.0 position 117 exit ip access-list extended "acl1"
10 permit alias-src "any" alias-dst "n1" alias-srvc "any" exit interface 2 ip access-group "acl1" in exit switch(config)# show netdestination
Name : n1
Position Type
IP Address
Mask
---------- -------------- ------------------ ------------------
116
Network
200.1.1.1
255.255.255.0
117
Network
100.1.1.1
255.255.255.0
118
Host
30.1.1.1
-
119
Host
20.1.1.1
-
120
Host
10.1.1.1
-
switch(conf)# exit switch(config)# netdestination n1 The netdestination 'n1' is in use and the changes are not applied until 'netedit-update'
command is executed. switch(net-dest)# host 10.1.1.2 position 120 switch(net-dest)# no host 30.1.1.1 position 118 switch(net-dest)# network 201.1.1.1/24 position 116 switch(net-dest)# exit switch(config)# show run Running configuration:
hostname "switch" module 1 type jl255a netdestination "n1"
host 30.1.1.1 position 118 host 20.1.1.1 position 119 host 10.1.1.1 position 120 network 200.1.1.1 255.255.255.0 position 116 network 100.1.1.1 255.255.255.0 position 117 exit ip access-list extended "acl1"
10 permit alias-src "any" alias-dst "n1" alias-srvc "any" exit interface 2 ip access-group "acl1" in exit
switch(config)# show netdestination
Name : n1*
Position Type
IP Address
Mask
---------- -------------- ------------------ ------------------
110
Host
40.1.1.1
-
116
Network
201.1.1.1
255.255.255.0
117
Network
100.1.1.1
255.255.255.0
119
Host
20.1.1.1
-
120
Host
10.1.1.2
-
* The changes are not applied until 'netedit-update' command is executed. switch(config)#netedit-update The netdestination update is in progress and may take a few minutes to complete. Configuration changes on classifier features are disabled during this operation.
Aruba 2930M/F | Access Security Guide
340
Failed to apply configuration changes fully since hardware resources are unavailable. Reverting the partially applied changes.
switch(config)#show run Running configuration:
hostname "switch"
module 1 type jl255a
netdestination "n1"
host 30.1.1.1 position 118
host 20.1.1.1 position 119
host 10.1.1.1 position 120
network 200.1.1.1 255.255.255.0 position 116
network 100.1.1.1 255.255.255.0 position 117
exit
ip access-list extended "acl1"
10 permit alias-src "any" alias-dst "n1" alias-srvc "any"
exit
interface 2
ip access-group "acl1" in
exit
switch(congfig)#show netdestination
Name : n1*
Position Type
IP Address
Mask
---------- -------------- ------------------ ------------------
110
Host
40.1.1.1
-
116
Network
201.1.1.1
255.255.255.0
117
Network
100.1.1.1
255.255.255.0
119
Host
20.1.1.1
-
120
Host
10.1.1.2
-
When netedit-update is in progress, show running-config,show tech, show class, ACL, and net-destination configurations will have inconsistency because of the configuration update in the background. After the success of the netedit-update command, the applied configurations can be seen.
Limitations
n This feature is not supported on SNMP, REST, and next Gen UI. n You cannot edit netservices. n Configuration backup and restore are not supported by netedit-update command. n When net edit is in progress, ctrl+c is disabled. n netedit-update command is not a part of the AirWave template.
341
Aruba 2930M/F | Access Security Guide
Chapter 16 Infrastructure MACsec
Infrastructure MACsec
Overview
MACsec is supported on the 2930M switch family. It is not supported on the 2930F switch family.
Media Access Control security (MACsec) is an IEEE 802 standard specifying how to secure all or part of a LAN at the link layer transparently. MACsec PHY devices can do this while meeting the scalability and high-speed requirements set on such networks. MACsec is intended for wired LANs only; wireless networks use a different protocol set. To ensure wired network security, the MACsec functionality is required on the newer generation of network infrastructure switches. The MACsec protocol provides:
n Connectionless data integrity -- (each MAC frame carries a separate integrity verification code, hence the term connectionless).
n Data origin authenticity--(an assurance that only authorized MACsec stations send MAC frames). n Confidentiality -- (each MAC frame is encrypted to prevent it from being eavesdropped). n Replay protection -- (MAC frames copied from the LAN by an attacker cannot be resent into the LAN without
being detected).
MACsec secures switch to switch infrastructure using the MKA (MACsec Key Agreement) protocol and the Static CAK (Connectivity Association Key) Mode. MACsec operation includes:
n Switch-to-Switch Pairwise Pre-Shared CAK mode with Single-User (CAK) per port. n A new MACsec-PHY for faster processing through hardware. n Supports MACsec Key Agreement protocol (MKA) for automatic MACsec peer discovery, peer-participant
liveliness, Key-Server election and for distribution of SAKs n Supports AES-GCM-128 bit Key-length (CAKs/ICKs/KEKs/SAKs). n Configuration includes "Integrity Check Only" and "Integrity Check with Confidentiality at offset 0" modes. n Supports MACsec CLI configurations through CLI and SNMP and over Telnet/SSH. MACsec configuration
through the web interface is not supported.
MACsec switch support
All 2930M ports support MACsec, with the exception of the JL078A 1-port QSFP+ 40GbE Module.
MACsec configuration commands
For supporting the MACsec configuration, configure the following:
Aruba 2930M/F | Access Security Guide
342
n MACsec Policy creation and configuration n Apply MACsec policy on ports n Configure the MKA parameters on ports
Create, modify or delete a MACsec policy
Syntax
macsec policy <policy-name> no macsec policy <policy-name> Configures the MAC Security (MACsec) protocol.
macsec
MAC Security (MACsec).
policy
Apply a MACsec policy.
policy-name
MACsec policy name up to 32 characters long.
Configuring mode of MACsec policy
Configure the mode of this MACsec policy. The mode determines how the CA Key Name (CKN) and CA Key (CAK) are obtained.
Syntax
mode pre-shared-key ckn <CKN> cak <CAK> no mode pre-shared-key ckn <CKN> cak <CAK> Configure the MACsec policy to use pre-shared key mode. In the pre-shared key mode, the CA Key Name (CKN) and the CA Key (CAK) are set manually. Configure the CA Key Name (CKN) of this MACsec policy. A CKN must be specified before the policy can be applied. Enter the CKN as a string of hexadecimal digits up to 32 characters long. If the CKN configured is less than 32 digits, it will be padded up to 32 hexadecimal digits with 0s. A CAK must be specified before the policy can be applied. Enter the CAK as a string of hexadecimal digits up to 64 characters long. If the CAK is less than 64 digits, it will be padded up to 64 hexadecimal digits with 0s.
mode
Configure the mode of this MACsec policy.
pre-shared-key
Configure the MACsec policy to use pre-shared key mode.
cak
Configure the CA Key (cak) of this MACsec policy. Example: Mode pre-shared-key ckn 37c9c2c45ddd cak
ckn
Configure the CA Key Name (CKN) of this MACsec policy.
343
Aruba 2930M/F | Access Security Guide
The CKN as a string of hexadecimal digits up to 32 characters long. The CAK as a string of hexadecimal digits up to 64 characters long. Example: Mode pre-shared-key ckn 37c9c2c45ddd cak 2c45ddd012
Encrypted-credentials mode
As CAK is a key and needs to be protected, when in encrypt-credentials mode the value gets encrypted and stored in the configuration.
Syntax
mode pre-shared-key ckn <CKN> encrypted-cak <ENC-CAK> no mode pre-shared-key ckn <CKN> encrypted-cak <ENC-CAK> Configure the CA Key (CAK) of this MACsec policy in encrypted form. A CAK must be specified before the policy can be applied. The value is an encrypted string previously read from a compatible Networking device.
mode
Configure the mode of this MACsec policy.
CAK
Configure the CA Key (CAK) of this MACsec policy.
CKN
Configure the CA Key Name (CKN) of this MACsec policy.
encrypted-cak
Configure the CA Key (CAK) of the MACsec policy, specificed as a base64 encoded AES-256 encrypted string.
MACsec policy: configuring confidentiality (policy context)
Syntax
confidentiality no confidentiality Enable confidentiality in this MACsec policy. When confidentiality is enabled, data packets are encrypted and verified. When confidentiality is disabled, data packets are not encrypted, but they are still verified. By default, confidentiality is enabled.
confidentiality
Enable confidentiality in this MACsec policy.
Configuring replay protection
Syntax
replay-protection <replaywindowsize> no replay-protection <replaywindowsize> Configure the Replay Protection feature on this MACsec policy. When Replay Protection is enabled, the receiving port checks the IP number of all received packets. If a packet arrives out of sequence and the difference between the packet numbers exceeds the Replay Protection window size, the packet is dropped. By setting the replay window size to 0, it is mandated that all packets arrive in order. The default value of Replay Protection is enabled and the default value of the Replay Protection window size is 0.
replay-protection
Aruba 2930M/F | Access Security Guide
344
Enable Replay Protection in this MACsec policy.
0-1024
Configure the Replay Protection window size value.
Configuring include-sci-tag
Syntax
include-sci-tag no include-sci-tag
Description
Include Secure Channel Identifier (SCI) tag information in the Security TAG (SecTAG) field. The SCI tag information s included by default. The no form of this command causes the SCI tag information to be omitted. If MACsec is enabled and SCI tag information is omitted (using the no include-sci-tag command) on a link between a 10G SmartRate copper port and a 1G copper port, no traffic will pass through the link. Therefore, to avoid this problem, use the same type of port on each side of the link or enable the SCI tag information with include-sci-tag. The SCI tag information is included by default.
Apply policy on a port-list
Syntax
macsec apply policy <policy-name> ethernet PORT-LIST no macsec apply policy <policy-name> ethernet PORT-LIST Apply a MACsec policy to a list of ports.
MACsec is only supported on static trunk ports. It is not supported on any of these ports:
n LACP trunk port
n Distributed trunk ports
n Distributed LACP trunk ports
apply
Apply a MACsec policy to a list of ports.
policy
Configure a MACsec policy.
policy-name
The MACsec policy to apply.
ethernet PORT-LIST
The port on which to apply the MACsec policy.
345
Aruba 2930M/F | Access Security Guide
MKA configuration on a port-list
Syntax aaa port-access mka key-server-priority PRIORITY transmit-interval INTERVAL ethernet PORT-LIST no aaa port-access mka key-server-priority PRIORITY transmit-interval INTERVAL ethernet PORT-LIST aaa port-access <authenticator ...|supplicant ...web-based ...|mac-based ...|mka ...> no aaa port-access <authenticator ...|supplicant ...web-based ...|mac-based ...|mka ...> Configure the MACsec Key Agreement (MKA) protocol parameters. Configure 802.1X (Port Based Network Access), MAC address based network access, or web authentication based network access or the MACsec Key Agreement (MKA) protocol on the device.
See the help for the commands aaa port-access authenticator, aaa port-access supplicant, aaa port-access mac-based, aaa port-access web-based for further details on authenticator, supplicant, MAC address based, and web authentication based network access configuration.
Syntax
aaa port-access mka key-server-priority transmit-interval <INTERVAL>[ethernet] PORT-LIST Configure the MKA key server Priority. The key server priority is used by MKA protocol in selecting a key server. The participant with the lower server priority is selected as the key server. The default value is 16.
Syntax
aaa port-access mka key-server-priority 18 Configure the MKA transmit interval. MKA sends the periodic MKA protocol data unit (PDU) at this interval to the connected device to maintain MACsec connectivity on the link. The default value is 2 seconds.
Syntax
Configure the MACsec Key Agreement (MKA) protocol parameters. aaa port-access mka aaa port-access mka key-server-priority 18 transmit-interval aaa port-access mka key-server-priority 18 transmit-interval 4 aaa port-access mka key-server-priority 18 transmit-interval 4 A1 aaa port-access mka key-server-priority aaa port-access mka key-server-priority 5 aaa port-access mka key-server-priority 10 transmit-interval 6 a3
key-server-priority
Configure the MKA key server priority.
transmit-interval
Configure the MKA transmit interval.
0-31
Enter a Key Server priority value.
[ethernet] port-list
Enter a port number, a list of ports or 'all' for all ports.
transmit-interval
Aruba 2930M/F | Access Security Guide
346
Configure the MKA transmit interval.
2-6
Enter a transmit interval value.
[ethernet] PORT-LIST
Enter a port number, a list of ports or 'all' for all ports.
Clearing MKA statistics on ports
Syntax
clear statistics mka ethernet port-list Reset statistics counters. clear statistics <PORT-LIST>|global|aclv4| aclv6|policy|mka Reset the MKA protocol statistics.
aclv4
Reset IPv4 Access Control List statistics.
aclv6
Reset IPv6 Access Control List statistics.
dldp
Reset Device Link Detection Protocol (DLDP) statistics.
global
Reset the port counters in all sessions.
mac
Reset MAC Access Control List statistics.
macsec
Reset the MACsec protocol statistics.
mka
Reset the MKA protocol statistics.
policy
Reset policy statistics.
[ethernet] PORT-LIST
Reset the port counters in the current session.
Clear statistics MKA
clear statistics mka <PORT-LIST> [ethernet] PORT-LIST The port for which to reset statistics. clear statistics mka A1 Reset the MKA protocol statistics.
347
Aruba 2930M/F | Access Security Guide
Clearing MACsec statistics on ports
Syntax
clear statistics PORT-LIST|global|aclv4 ...|aclv6 ...|policy|mka ...|macsec ...
aclv4
Reset IPv4 Access Control List statistics.
aclv6
Reset IPv6 Access Control List statistics.
dldp
Reset Device Link Detection Protocol (DLDP) statistics.
global
Reset the port counters in all sessions.
mac
Reset MAC Access Control List statistics.
macsec
Reset the MACsec protocol statistics.
mka
Reset the MKA protocol statistics.
policy
Reset policy statistics.
[ethernet] PORT-LIST
Reset the port counters in the current session.
Reset statistics counters
clear statistics macsec [ethernet] PORT-LIST Reset statistics counters.
Reset the MACsec protocol statistics
clear statistics macsec Reset the MACsec protocol statistics.
Reset the MACsec protocol statistics
clear statistics macsec A1 Reset the MACsec protocol statistics
Aruba 2930M/F | Access Security Guide
348
Show commands
Show command for MACsec policies
Syntax
show macsec policy <policy-name> Shows one or more MACsec policies.
policy-name
A MACsec policy name up to 32 characters long.
show macsec policy
switch(config)# show macsec policy
Configuration - MACsec Policy
Policy Name : policy1
Cipher Suite
: AES-GCM-128
Include-SCI
: Yes
Confidentiality : On
Confidentiality offset : 0
Replay-Protection : On
Replay-Protection Window : 0
Mode : pre-shared-key (PSK)
CKN : abcd
CAK : abcd
Policy Name : macsecpolicy5
Cipher Suite
: AES-GCM-128
Include-SCI
: No
Confidentiality : Off
Confidentiality offset : 0
Replay-Protection : On
Replay-Protection Window : 0
Mode : pre-shared-key (PSK)
CKN : abcd11111111121212121212abcd3434
CAK : abab121212121212abcd34343434121212121212abcd34343434abcdefabcdef
show macsec policy Policy1
switch(config)# show macsec policy Policy1
Configuration - MACsec Policy
Policy Name : policy1
Cipher Suite
: AES-GCM-128
Include-SCI
: Yes
Confidentiality : On
Confidentiality offset : 0
Replay-Protection : On
Replay-Protection Window : 0
Mode : pre-shared-key (PSK)
CKN : abcd
CAK : abcd
Details
In Manager mode.
Condition
Include-credentials enabled/disabled
Behavior CAK value is displayed in plaintext format.
349
Aruba 2930M/F | Access Security Guide
Condition
Behavior
Encrypt-credentials enabled/disabled
CAK value is displayed in plaintext format.
In Enhanced Secure Mode (FIPS)
A dialogue is provided to proceed with display of sensitive information and only on a consent to proceed, policy details are displayed.
Show command for MACsec status
Syntax
show macsec status Show the status of all MACsec-enabled ports.
status
Show the status of all MACsec-enabled ports.
show macsec status
switch(config)# show macsec status
Status and Configuration - MACsec Protocol
Interface Policy
Mode Status Protection
--------- -------------------------------- ------- ------ ---------------
A2
policy1
PSK
Up
Confidentiality
L22
policy1
PSK
Down Confidentiality
Show command for MACsec status on a port
Syntax
show macsec status <port-num> Show the status of all MACsec-enabled ports.
show macsec status
switch(config)# show macsec status A1
show command output
switch(config)# show macsec status A1
Status and Configuration - MACsec Protocol
Interface : A1
Policy
: Policy1
Transmitting : Yes
Receiving : Yes
Protection : Confidentiality
Transmit secure Channel
SCI
: 000C29F6A4380004c
Secure Association
Association Number : 1 (old)
KI
: 4F18CE25228178FD15976E4C
LPN
:2
SA-Start-time
: 01:02:19
SA-Stop-time
: 02:04:29
Association Number : 0 (current)
Aruba 2930M/F | Access Security Guide
350
KI
: 4F18CE25228178FD15976E4C
LPN
:3
SA-Start
: 04:05:11
SA-Stop-time
: 04:10:12
Receive secure Channel
SCI
: 000C29F6A4380003b
Secure Association
Association Number : 0 (current)
KI
: 4F18CE29456aefFD15976E4C
LPN
: 121198
SA-Start
: 04:05:12
SA-Stop-time
: 04:10:13
Validation
Check whether MACsec is enabled on the port.
Error/Warning/Prompt MACsec is not enabled on port %s.
Show command for MACsec statistics
Syntax
show macsec statistics <port-num>
statistics
Show MACsec statistics.
[ethernet] PORT-NUM
The port to show MACsec statistics for.
Show macsec statistics
switch(config)# show macsec statistics
Status and Counters - MACsec Protocol
Interface : A1
Receive Statistics
Totals (Since boot or last clear) :
Bytes Received
: 234435
Unicast Packets
:0
Multicast Packets
:0
Broadcast Packets
:0
Errors (Since boot or last clear) :
Discarded Packets
:0
Crypto Overruns
:0
Packets With No Tag : 0
Erroneous Packets
:0
Packets With Bad Tag : 0
Packets With No SCI : 0
Transmit Statistics
Totals (Since boot or last clear) :
Bytes Transmitted
: 28733989
Unicast Packets
:0
Multicast Packets
:0
Broadcast Packets
:0
Errors (Since boot or last clear) :
Erroneous Packets
:0
Packets Too Long
:0
351
Aruba 2930M/F | Access Security Guide
Interface : A2
Receive Statistics
Totals (Since boot or last clear) :
Bytes Received
: 234435
Unicast Packets
:0
Multicast Packets
:0
Broadcast Packets
:0
Errors (Since boot or last clear) :
Discarded Packets
:0
Crypto Overruns
:0
Packets With No Tag : 0
Erroneous Packets
:0
Packets With Bad Tag : 0
Packets With No SCI : 0
Transmit Statistics
Totals (Since boot or last clear) :
Bytes Transmitted
: 28733989
Unicast Packets
:0
Multicast Packets
:0
Broadcast Packets
:0
Errors (Since boot or last clear) :
Erroneous Packets
:0
Packets Too Long
:0
Show macsec statistics A1
switch(config)# show macsec statistics A1
Status and Counters - MACsec Protocol
Interface : A1
Receive Statistics
Totals (Since boot or last clear) :
Bytes Received
: 234435
Unicast Packets
:0
Multicast Packets
:0
Broadcast Packets
:0
Errors (Since boot or last clear) :
Discarded Packets
:0
Crypto Overruns
:0
Packets With No Tag : 0
Erroneous Packets
:0
Packets With Bad Tag : 0
Packets With No SCI : 0
Transmit Statistics
Totals (Since boot or last clear) :
Bytes Transmitted
: 28733989
Unicast Packets
:0
Multicast Packets
:0
Broadcast Packets
:0
Errors (Since boot or last clear) :
Erroneous Packets
:0
Packets Too Long
:0
Show command for detailed MACsec statistics on a port
Syntax
show macsec statistics <port-num> detail Show detailed statistics for a MACsec-enabled port.
statistics
Aruba 2930M/F | Access Security Guide
352
Show MACsec statistics.
detail
Show detailed statistics for a MACsec-enabled port.
[ethernet] PORT-NUM
The port to show MACsec statistics for.
show macsec statistics A1 detail
switch(config)# show macsec statistics A1 detail
Status and Counters - MACsec Protocol
Interface : A1
Receive Statistics
Totals (Since boot or last clear) :
Bytes Received
: 234435
Unicast Packets
:0
Multicast Packets
:0
Broadcast Packets
:0
Errors (Since boot or last clear) :
Discarded Packets
:0
Crypto Overruns
:0
Packets With No Tag : 0
Erroneous Packets
:0
Packets With Bad Tag : 0 Packets With No SCI : 0
Transmit Statistics
Totals (Since boot or last clear) :
Bytes Transmitted
: 28733989
Unicast Packets
:0
Multicast Packets
:0
Broadcast Packets
:0
Errors (Since boot or last clear) :
Erroneous Packets
:0
Packets Too Long
:0
Secure Channel Transmit Statistics
Encrypted Packets : 0
Bytes Protected
:0
Bytes Encrypted
:0
Secure Association Statistics Association Number : 0 (old) Protected Packets : 0
Encrypted Packets : 0 Association Number : 1 (current) Protected Packets : 0 Encrypted Packets : 0
Secure Channel Receive Statistics
Not using SA
:0
Late
:0
Not Valid
:0
Delayed
:0
Valid
:0
Bytes Validated
:0
Bytes Decrypted
:0
353
Aruba 2930M/F | Access Security Guide
Secure Association Statistics
Association Number : 1 (current)
Not using SA
:0
Not Valid
:0
Valid
:0
Show command for MKA status
Syntax
show port-access mka status <port-num> Show the MKA protocol status information. show port-access authenticator [...]|supplicant [...]|summary [...]| mka... Show 802.1X (Port Based Network Access) supplicant or authenticator current status and configuration.
[ethernet] PORT-LIST
Show Web/MAC Authentication statistics and configuration.
authenticator
Show 802.1X (Port Based Network Access) authenticator current status, configuration or last session counters.
config
Show status of 802.1X, Web Auth, and MAC Auth configurations.
local-mac
Show Local MAC Authentication statistics and configuration.
mac-based
Show MAC Authentication statistics and configuration.
mka
Show the MKA protocol information.
summary
Show summary configuration information for all ports, including that overridden by RADIUS attributes.
supplicant
Show 802.1X (Port Based Network Access) supplicant current status and configuration.
web-based
Show Web Authentication statistics and configuration.
statistics
Show the MKA statistics.
status
Show the MKA protocol status information.
Show port-access mka status
Aruba 2930M/F | Access Security Guide
354
switch(config)# show port-access mka status
Status and Configuration - MKA Protocol
Interface : A2
Port MAC Address
: f0921c-4576fe
MKA Session Status : Secured
CKN
: abcd
MI
: 1c64f054f894b5482defdf81
MN
: 86
Capability
: IC, Conf, Offset 0
Transmit Interval
:2
Key Server Priority : 16
Key Server
: No
Live Peer List:
MI
MN
PRI Capability
Rx-SCI
------------------------ -------- --- --------------------- ----------------
fb7f82788e4cd38dbc65dc55 119
16 IC, Conf, Offset 0 a45d36489bfe0002
Potential Peer List:
MI
MN
PRI Capability
Rx-SCI
------------------------ -------- --- --------------------- ----------------
Interface : L2 Port MAC Address MKA Session Status CKN MI MN Capability Transmit Interval Key Server Priority Key Server
: f0921c-4576fe : Secured : abcdefabcd : 1c64f054f894b5482defdf81 : 86 : IC, Conf, Offset 0 :2 : 16 : No
Live Peer List:
MI
MN
PRI Capability
Rx-SCI
------------------------ -------- --- --------------------- ----------------
fb7f82788e4cd38dbc65dc55 119
16 IC, Conf, Offset 0 a45d36489bfe0002
Potential Peer List:
MI
MN
PRI Capability
Rx-SCI
------------------------ -------- --- --------------------- ----------------
Show port-access MKA status A2
switch(config)# show port-access mka status A2
Status and Configuration - MKA Protocol
Interface : A2
Port MAC Address
: f0921c-4576fe
MKA Session Status : Secured
CKN
: abcd
MI
: 1c64f054f894b5482defdf81
MN
: 86
Capability
: IC, Conf, Offset 0
Transmit Interval
:2
Key Server Priority : 16
Key Server
: No
Live Peer List:
MI
MN
PRI Capability
Rx-SCI
------------------------ -------- --- --------------------- ----------------
fb7f82788e4cd38dbc65dc55 119
16 IC, Conf, Offset 0 a45d36489bfe0002
355
Aruba 2930M/F | Access Security Guide
Potential Peer List:
MI
MN
PRI Capability
Rx-SCI
------------------------ -------- --- --------------------- ----------------
Show command for MKA statistics
Syntax
show port-access mka statistics <port-num> Show the MKA statistics. When a PORT-NUM is used, the MKA statistics of the selected port are shown.
[ethernet] PORT-LIST
Show Web/MAC Authentication statistics and configuration.
authenticator
Show 802.1X (Port Based Network Access) authenticator current status, configuration or last session counters.
config
Show status of 802.1X, Web Auth, and MAC Auth configurations.
local-mac
Show Local MAC Authentication statistics and configuration.
mac-based
Show MAC Authentication statistics and configuration.
mka
Show the MKA protocol information.
summary
Show summary configuration information for all ports, including that overridden by RADIUS attributes.
supplicant
Show 802.1X (Port Based Network Access) supplicant current status and configuration.
web-based
Show Web Authentication statistics and configuration.
statistics
Show the MKA statistics.
status
Show the MKA protocol status information.
[ethernet] PORT-NUM
Specify the port number.
Show port-access MKA statistics
Aruba 2930M/F | Access Security Guide
356
switch(config)# show port-access mka statistics
Status and Counters - MKA Protocol
CAs Established : 32
CAs Deleted
:1
Interface : A1
Tx MKPDUs
: 16534893
Rx MKPDUs
: 16534893
SAKs Distributed
:0
SAKs Received
:0
MKPDUs With Invalid Version : 0
MKPDUs With Invalid CKN
:0
MKPDUs With Invalid ICV
:0
MKPDUs With Duplicate MI
:0
MKPDUs With Invalid MN
:0
Interface : A2
Tx MKPDUs
: 16534893
Rx MKPDUs
: 16534893
SAKs Distributed
:0
SAKs Received
:0
MKPDUs With Invalid Version : 0
MKPDUs With Invalid CKN
:0
MKPDUs With Invalid ICV
:0
MKPDUs With Duplicate MI
:0
MKPDUs With Invalid MN
:0
Show port-access MKA statistics A1
switch(config)# show port-access mka statistics A1
Status and Counters - MKA Protocol
Interface : A1
Tx MKPDUs
: 16534893
Rx MKPDUs
: 16534893
SAKs Distributed
:0
SAKs Received
:0
MKPDUs With Invalid Version : 0
MKPDUs With Invalid CKN
:0
MKPDUs With Invalid ICV
:0
MKPDUs With Duplicate MI
:0
MKPDUs With Invalid MN
:0
Show tech command
Syntax
show tech macsec status|statistics Show tech MACsec for either status or statistics.
Mutually exclusive commands with MACsec configuration on a port
Validation
Error/Warning/Prompt
aaa port-access authenticator [ethernet] PORT-LIST
Cannot enable 802.1X authenticator on port x when MACsec is enabled on that port.
aaa port-access supplicant [ethernet] PORT- Cannot enable 802.1X authenticator on port x when
LIST
MACsec is enabled on that port
357
Aruba 2930M/F | Access Security Guide
Validation
aaa port-access mac-based [ethernet] PORT-LIST
no aaa port-access web-based [ethernet] PORT-LIST
Mesh command
Error/Warning/Prompt
Cannot enable MAC Authentication on port x when MACsec is enabled on that port
Cannot enable Web Authentication on port x when MACsec is enabled on that port
Cannot configure mesh on port x because MACsec is enabled on that port.
MACsec Log messages
Event
Message
CAK Mismatch (Note that CAK will not be displayed)
MACsec Connectivity Association failed on port %s: Mismatch in the Integrity Check Value (ICV).
Throttled messages for CAK mismatch
Ceasing 'Detection of Macsec CAK Mismatch' message for 5m.
CKN Mismatch (or missing Policy on a port) MACsec Connectivity Association failed on port %s: Mismatch in the CA Key Name (CKN).
Throttled messages for CKN Mismatch
Ceasing 'Detection of Macsec CKN Mismatch' message for 5m.
MKA session start
The MACsec Connectivity Association established on port %s.
MKA session end
The MACsec Connectivity Association ended on port %s.
Detection of replay attack
Possible replay attack on MACsec port %s.
Throttled replay attack messages
Ceasing `Detection of Replay Attack' for 5m.
More than 1 MACsec client on a MACsec enabled port.
More than one MACsec clients detected on port %s
Throttled message for more than 1 client
Ceasing 'Detection of More than one Macsec clients' for 5m.
If MACsec is running in integrity mode, as it might be configured for integrity on either of sides
The MACsec is operating in Integrity Check (IC) mode on port %s.
If MACsec is running in encryption mode, as it might be configured to confidentiality from integrity on both sides
The MACsec is operating in Encryption mode on port %s.
when boot up FIPS test failed
FIPS test failed on port %s in slot %s. (where 1st %s is Port-Name and 2nd %s is for Slot-Name)
when FIPS bypass test failed
FIPS bypass self-test failed on port %s in slot %s.(where 1st %s is Port-Name and 2nd %s is for Slot-Name)
When hard expiry limit is reached
MACsec Secure Association Key (SAK) expired in hardware. Port %s blocked by MACsec.
Macsec errors
MACsec errors detected on port %s.
Aruba 2930M/F | Access Security Guide
358
Chapter 17 RADIUS Services Support on Aruba Switches
RADIUS Services Support on Aruba Switches
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users that connect and use a network service. RADIUS is the transport for AAA services. The services can include the user profiles including storing user credentials, user access policies, and user activity statistics which can reside on the same server. Gateway devices that control network access, such as remote access servers, VPN servers, and network switches, can use the RADIUS protocol to communicate with a RADIUS server for:
n Authentication -- verifying user credentials regarding granted access to their networks.
n Authorization -- verifying user access policy on how much and what kind of resources are allowed for an authenticated user.
n Accounting -- keeping statistic information about the user activities for accounting purpose.
Overview
The following information provides an overview about RADIUS services supported on a switch, including CoS (802.1p priority), ingress and egress rate-limiting, and ACL client services on a RADIUS server. For information on configuring client authentication capability on the switch, see RADIUS Authentication, Authorization, and Accounting.
Table 22: RADIUS services supported on the switch
Service
Application
Standard RADIUS attribute
Cos (Priority)
per-user
59
Ingress Rate-Limiting Egress Rate-Limiting
per-user
--
per-port1
--
ACLs
IPv6 and/or IPv4 ACEs(NAS- per-user
92
Filter-Rule)
Vendorspecific RADIUS attribute (VSA) 40 46 x`48
61
1If multiple clients are authenticated on a port where per-port rules are assigned by a RADIUS server, then the most recently assigned rule is applied to the traffic of all clients authenticated on the port.
Aruba 2930M/F | Access Security Guide
359
Service
Application
Standard RADIUS attribute
NAS-Rules-IPv6 (sets IP
per-user
--
mode to IPv4-only or IPv4 and
IPv6)
Vendorspecific RADIUS attribute (VSA)
63
Hewlett Packard Enterprise recommends using the Standard RADIUS attribute, if available. Where both a standard attribute and a VSA are available, the VSA is maintained for backwards compatibility with configurations based on earlier software releases.
About RADIUS server support
RADIUS client and server requirements
n Clients can be dual-stack, IPv4-only or IPv6 only. n Client authentication can be through 802.1X, MAC authentication, or web-based authentication. (clients using
web-based authentication must be IPv4-capable.)
RADIUS server configuration for CoS (802.1p priority) and rate-limiting
The following information provides general guidelines for configuring RADIUS servers, so that the features listed in the following table can be dynamically applied on ports that support authenticated clients.
Table 23: CoS and rate-limiting services
Service
Control method and operating notes
802.1p (CoS) Priority Assignments Per-User on Traffic Inbound to the Switch Assigns a RADIUS-configured 802.1p priority to the inbound packets received from a specific client authenticated on a switch port.
NOTE: This attribute is assigned per authenticated user.
Standard Attribute used in the RADIUS server: 59 (This is the preferred attribute for new or updated configurations.) Vendor-Specific Attribute used in the RADIUS server. (This attribute is maintained for legacy configurations.) vendor-specific ID: 11 VSA: 40 Setting: User-Priority-Table=xxxxxxxx where: x=desired 802.1p priority
NOTE: This is an eight-digit field. Enter the same x-value for all eight digits.
Requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client's port on the switch. For more on 802.1p priority levels, see "Quality of Service (QoS)" in the advanced traffic management guide for your switch.
Ingress (inbound) rate-limiting per-user
Vendor-Specific Attribute used in the RADIUS server. vendor-specific ID: 11 VSA: 46 Setting: HP-Bandwidth-Max-Egress=< bandwidth-in-Kbps >
360
Aruba 2930M/F | Access Security Guide
Service
Control method and operating notes
Assigns a RADIUS-configured bandwidth limit to the inbound packets received from a specific client authenticated on a port.
NOTE: This attribute is assigned per-authenticateduser, not per-port. To assign a per-port inbound rate-limit, use the rate-limit all in CLI command instead of this option.
NOTE: RADIUS-assigned rate-limit bandwidths must be specified in Kbps. (Bandwidth percentage settings are not supported.) Using a VSA on a RADIUS server to specify a per-user rate-limit requires the actual Kbps to which you want to limit ingress (inbound) traffic volume. For example, to limit inbound traffic on a gigabit port to half of the port's bandwidth capacity requires a VSA setting of 500,000 Kbps.
Requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client's port on the switch. The actual bandwidth available for ingress traffic from an authenticated client can be affected by the total bandwidth available on the client port. See Per-port bandwidth override on page 362.
Egress (outbound) rate-limiting per-port Assigns a RADIUS-configured bandwidth limit to the outbound traffic sent to a switch port.
Vendor-Specific Attribute used in the RADIUS server. vendor-specific ID: 11 VSA: 48 (string=HP) Setting: HP-RATE-LIMIT=< bandwidth-in-Kbps >
NOTE: RADIUS-assigned rate-limit bandwidths must be specified in Kbps. (Bandwidth percentage settings are not supported.) Using a VSA on a RADIUS server to specify a per-port rate-limit requires the actual Kbps to which you want to limit outbound traffic volume. For example, to limit outbound traffic on a gigabit port to half of the port's bandwidth capacity requires a VSA setting of 500,000 Kbps.
In instances where multiple, authenticated clients are using this feature on the same switch port, only one (per-port) rate limit will be applied. In this case, the actual rate used is the rate assigned by the RADIUS server to the most recently authenticated client. This rate remains in effect as long as any authenticated client remains connected on the port. Requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client's port on the switch. The actual bandwidth available for egress traffic from an authenticated client can be affected by the total bandwidth available on the client port. See Per-port bandwidth override on page 362.
To configure support for the services listed in the preceding table on a specific RADIUS server application, see the documentation provided with the RADIUS application.
Applied rates for RADIUS-assigned rate limits
A particular switch does not necessarily support all rates. The actual rate applied is rounded down to the nearest value that is supported by switch. The increments are in graduated steps, as described in the following table.
Table 24: RADIUS-assigned rate-limit increments
RADIUS-assignedbits-per-second rate limit Applied rate-limiting increment
1 - 10,999,999
100 Kbps
11,000,000 - 100,999,999
1 Mbps
101,000,000 - 999,999,999
10 Mbps
1,000,000,000 - 10 Gbps
100 Mbps
Aruba 2930M/F | Access Security Guide
361
For example, some of the following RADIUS-assigned rates fall between their respective incremental values, resulting in applied rates lower than the RADIUS-assigned rates. However, others match their respective incremental values, resulting in no difference between the RADIUS-assigned rate limits and the applied rate limits.
Table 25: Assigned and applied rate limits example
RADIUS-assigned bandwidth (Kbps) 5,250 50,250 51,000 525,000 530,000 1,250,000 1,300,000
Applied increments 100 Kbps 1 Mbps 1 Mbps 10 Mbps 10 Mbps 100 Mbps 100 Mbps
Applied rate limit (Kbps) 5,200 50,000 51,000 520,000 530,000 1,200,000 1,300,000
Difference/Kbps
50 250 Kbps 0 5,000 Kbps 0 50,000 Kbps 0
Per-port bandwidth override
Hewlett Packard Enterprise recommends that rate-limiting be configured either solely through RADIUS assignments or solely through static CLI configuration on the switch unless the potential for the override described below is specifically desired.
Ingress (inbound) traffic
RADIUS-assigned ingress rate-limits are applied to individual clients instead of to the client's port. But if you use the CLI to configure a per-port ingress rate-limit on the same port where an authenticated client receives a RADIUS-assigned ingress rate-limit, the client's assigned ingress limit can be reduced by the CLI-configured port ingress limit. This occurs if the port reaches its CLI-configured rate-limit maximum before the client reaches its RADIUS-assigned rate-limit maximum, thus denying the client its intended maximum.
Egress (outbound) traffic
The most recent RADIUS-assigned egress rate-limit specifies the maximum egress rate-limit for a port, even if the CLI has also been used to configure an egress rate limit on the port.
Rate-limit assignment method
Inbound
CLI ingress rate-limit per-port
rate-limit all in
RADIUS ingress ratelimit per-client VSA 46
Rate-limit actions and restrictions
Determines the maximum ingress bandwidth available on the port, regardless of any RADIUSassigned per-client rate-limits dynamically assigned to the same port.
Each client is allowed the inbound bandwidth individually assigned to it by the RADIUS server, up to the port's physical capacity, unless the available bandwidth on the port has been reduced by a CLI-assigned per-port bandwidth limit.
362
Aruba 2930M/F | Access Security Guide
Rate-limit assignment method
Rate-limit actions and restrictions
Outbound
CLI egress rate-limit perport
rate-limit all out
Determines the maximum egress bandwidth available on the port, unless there is also a RADIUS-assigned per-port rate limit on the port.
RADIUS egress ratelimit per client VSA 48
The most recent client to authenticate determines the maximum egress bandwidth on the port for all outbound traffic, regardless of any CLI-assigned per-port outbound rate-limit.
For example, suppose the CLI is used to configure a gigabit port to have an ingress rate limit of 500,000 Kbps (50% of available bandwidth), and is receiving 450,000 Kbps of traffic from existing clients. If a RADIUS server then authenticates a new client with an ingress rate-limit of 100,000 Kbps, the maximum ingress rate limit actually available for the new client is 50,000 Kbps as long as the bandwidth usage by the other clients already on the port remains at 450,000 Kbps. For more information on static rate-limiting, see "Rate-Limiting" in the "Port Traffic Controls" in the Management and Configuration Guide for your switch.
Configuring and using dynamic (RADIUS-assigned) access control lists
A RADIUS-assigned ACL is configured on a RADIUS server and dynamically assigned by the server to filter IP traffic from a specific client after the client is authenticated by the server. The information in this section describes how to apply RADIUS-assigned ACLs on the switch, and assumes a general understanding of ACL structure and operation. If you need information on ACL filtering criteria, design, and operation, see IPv4 Access Control Lists (ACLs) in the latest IPv6 configuration guide for your switch.
Overview of RADIUS-assigned, dynamic ACLs
RADIUS-assigned ACLs enhance network and switch management access security and traffic control by permitting or denying authenticated client access to specific network resources and to the switch management interface. This includes preventing clients from using TCP or UDP applications, ICMP packet types, and IGMP (IPv4 only) if you do not want their access privileges to include these capabilities.
Traffic applications
The switch supports RADIUS-assigned ACLs for the following traffic applications:
n Inbound IPv4 traffic only
n Inbound IPv4 and IPv6 traffic
This feature is designed for use on the network edge to accept RADIUS-assigned ACLs for Layer-3 filtering of IP traffic entering the switch from authenticated clients. A given RADIUS-assigned ACL is identified by a unique username/password pair or client MAC address, and applies only to IP traffic entering the switch from clients that authenticate with the required, unique credentials. The switch allows multiple RADIUS-assigned ACLs on a given port, up to the maximum number of authenticated clients allowed on the port. Also, a RADIUS-assigned ACL for a given client's traffic can be assigned regardless of whether other ACLs assigned to the same port are statically configured on the switch. A RADIUS-assigned ACL filters IP traffic entering the switch from the client whose authentication caused the ACL assignment. Filter criteria is based on:
n Destination address
n IPv4 or IPv6 traffic type (such as TCP and UDP traffic)
Aruba 2930M/F | Access Security Guide
363
Implementing the feature requires:
n RADIUS authentication using the 802.1X, web-based authentication, or MAC authentication available on the switch to provide client authentication services
n Configuring one or more ACLs on a RADIUS server (instead of the switch), and assigning each ACL to the username/password pair or MAC address of the client(s) you want the ACLs to support
Using RADIUS to dynamically apply ACLs to clients on edge ports enables the switch to filter IP traffic coming from outside the network, thus removing unwanted IP traffic as soon as possible and helping to improve system performance. Also, applying RADIUS-assigned ACLs to the network edge is likely to be less complex than configuring static port and VLAN-based ACLs in the network core to filter unwanted IP traffic that could have been filtered at the edge.
A RADIUS-assigned ACL filters inbound IP traffic on a given port from the client whose authentication triggered the ACL assignment to the port.
A RADIUS-assigned ACL can be applied regardless of whether IP traffic on the port is already being filtered by other, static ACLs that are already assigned. The following table lists the supported per-port ACL assignment capacity (Subject to resource availability on the switch. For more information, see the appendix titled "Monitoring Resources" in the latest management and configuration guide.).
ACLs enhance network security by blocking selected IP traffic, and can serve as one aspect of network security. However, because ACLs do not protect from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete edge security solution.
Depending on the ACL configuration in the RADIUS server, the ACLs described in this section filter either IPv4 traffic only or both IPv4 and IPv6 traffic. These ACLs do not filter non-IP traffic such as AppleTalk and IPX.
The values in the following table are subject to resource availability on the switch. For more information, see the appendix titled "Monitoring Resources" in the latest management and configuration guide for your switch.
Table 26: Simultaneous ACL activity supported per-port for your switch.
ACL type
Function
IPv4 IPv6
VACL
Static ACL assignment to filter inbound IP traffic on a specific VLAN.
1 in 1 1 out
Port ACL
Static ACL assignment to filter
1
inbound IP traffic on a specific port.
RADIUS-assigned ACL Dynamic ACL assignment to filter
1-
inbound IP traffic from a specific
321
client on a given port.
1 1-321
RACL (IPv4 only)
static ACL assignment to filter
1 in n/a
1One per authenticated client, up to a maximum of 32 clients per-port for 802.1X, web-based authentication, and MACAuthentication methods combined.
364
Aruba 2930M/F | Access Security Guide
ACL type Connection-rate ACL
Function
routed IPv4 traffic entering or leaving the switch on a specific VLAN
Static ACL assignment for virusthrottling on a specific port
IPv4 IPv6 1 out
1
n/a
ACLs enhance network security by blocking selected IP traffic, and can serve as one aspect of network security. However, because ACLs do not protect from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete edge security solution. Depending on the ACL configuration in the RADIUS server, the ACLs described in this section filter either IPv4 traffic only or both IPv4 and IPv6 traffic. These ACLs do not filter non-IP traffic such as AppleTalk and IPX.
RADIUS filter-id
IP traffic filter rules, also known as IP ACLs, provide a user access policy that defines what IP traffic from the user is permitted. IP ACLs can be specified in two ways:
n By using the filter-id attribute that gives the ID of a pre-defined ACL. A filter-id is an alphabetic-string identifier, or name, corresponding to an IP ACL that is pre-configured on the access-control device.
n By using the NAS-filter-rule attribute which explicitly defines a set of filter rules.
Filter-id attributes and NAS-Filter-Rule attributes may be intermixed in the RADIUS user entry. Filter-id attributes are expanded as they are read so they are added to the ACL in the correct order.
This feature does not modify any existing commands. CLI show commands currently display the applied RADIUS defined ACL rules. ACL rules specified by a filter-id attribute are expanded and displayed as if they were NAS-Filter-Rule entries. The list of rules will be a snapshot of the CLI ACL at the time of authentication. Updates to the ACL are not applied until the client reauthenticates.
A filter-id name may refer to an IPv4 ACL, an IPv6 ACL, or both. ACLs for both families are checked and expanded if found. All other ACL types, including MAC and router ACLs, are ignored when processing filter-id attributes. Any number of filter-id attributes may be specified subject to length limitations of a RADIUS packet. The limit for all platforms is 100 ACEs per client ACL.
RADIUS ACL rules do not support source IP or source L4 port qualifiers. If any source IP or source L4 port qualifiers are found in the CLI ACL, the client will fail authentication and an error will be logged.
CLI ACLs include an optional log keyword that captures rule hits for debugging. No logging for ACL rules that are applied via filter-id is available. However, all rules from ACLs have an implicit cnt keyword which allows the administrator to see the hit count for each rule.
RADIUS user entry
NAS-Filter-Rule += "permit in 10 from any to any cnt", Filter-ID += "104", NAS-Filter-Rule += "permit in 30 from any to any cnt", Filter-ID += "106",
Aruba 2930M/F | Access Security Guide
365
NAS-Filter-Rule += "permit in 55 from any to any cnt", Filter-ID += "146", NAS-Filter-Rule += "permit in 70 from any to any cnt",
Forcing reauthentication
Syntax
aaa port-access < authenticator | mac-based | web-based ><port-list> reauthenticate A manager may force a reauthentication by using this command.
RADIUS Filter-Rule entries are only allowed to contain IPv6 addresses if the hp-nas-rules-ipv6 attribute is set. This does not apply to filter-id ACLs. If there is an IPv6 ACL of the name given, it will be applied even if hp-nas-rules-ipv6 is not set.
show access-list radius
Syntax
show running config
System configuration for show running config
ip access-list extended "104" 10 permit 20 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log exit
ip access-list extended "146" 10 permit 64 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 exit
ipv6 access-list "106" 10 permit 40 ::/0 ::/0 log exit
ipv6 access-list "146" 10 permit 66 ::/0 ::/0 exit
show access-list (NAS rule) and (filter-id)
There is a legacy attribute named hp-nas-filter-rule that was in use before the nas-filter-rule was standardized in RFC 4849. Switches still support the hp-nas-filter-rule for backwards compatibility, but this rule should not be mixed with the newer nas-filter-rule or filter-id attributes. With mixed ACEs, rules will not be applied in the order listed, which may block traffic that should be permitted or may permit traffic that should be blocked. No error message is produced to inform the user that mixing current and legacy attributes will lead to unexpected results.
Syntax
show access-list radius
show access-list radius (NAS rule)
Radius-configured Port-based ACL for Port 1/1, Client - 24BE05-76DA40
366
Aruba 2930M/F | Access Security Guide
IPv6 ACLs enabled (HP-Nas-Rules-Ipv6): FALSE permit in 10 from any to any cnt Packet Hit Counter 0 permit in 20 from any to 0.0.0.0 255.255.255.255 cnt (IP ACL 104, rule 10) Packet Hit Counter 0 permit in 30 from any to any cnt Packet Hit Counter 0 permit in 40 from any to ::/0 cnt (IPv6 ACL 106, rule 10) Packet Hit Counter 0 permit in 55 from any to any cnt Packet Hit Counter 0 permit in 64 from any to 0.0.0.0 255.255.255.255 cnt (IP ACL 146, rule 10) Packet Hit Counter 0 permit in 66 from any to ::/0 cnt (IPv6 ACL 146, rule 10) Packet Hit Counter 0 permit in 70 from any to any cnt Packet Hit Counter 0
The output shows IPv6 rules with a prefix of IPv6 and shows IPv4 rules with a prefix of IP.
Log messages
Event
Message
dca_filter_id_match_not_found This event is logged
Authentication failed for client <mac> on port <port>:
when the ACL name given in a filter-id attribute does not unknown ACL name in attribute filter-id.
match any existing `ip' or `ipv6' access-list.
rmon_dca_acl_has_source_qualifier This event is logged when the ACL given in a filter-id attribute contains an ACE that has a source IP address or source tcp/udp port qualifier.
Authentication failed for client <mac> on port <port>: the ACL specified by the filter-id attribute contains a source address or application port qualifier.
Event message
W 10/20/14 15:26:17 03214 dca: Authentication failed for client 0025618D7920 on port 1: unknown ACL name in attribute filter-id.
W 10/20/14 15:26:17 03215 dca: Authentication failed for client 0025618D7920 on port 1: the ACL specified by the filter-id attribute contains a source address or application port qualifier.
Contrasting RADIUS-assigned and static ACLs
The following table highlights several key differences between the static ACLs configurable on switch VLANs and ports, and the dynamic ACLs that can be assigned by a RADIUS server to filter IP traffic from individual clients.
Aruba 2930M/F | Access Security Guide
367
Table 27: Contrasting dynamic (RADIUS-assigned) and static ACLs
RADIUS-assigned ACLs
Configured in client accounts on a RADIUS server.
Static port and VLAN ACLs
Configured on switch ports and VLANs.
Designed for use on the edge of the network where filtering of IP traffic entering the switch from individual, authenticated clients is most important and where clients with differing access requirements are likely to use the same port.
Designed for use where the filtering needs focus on static configurations covering:
n switched IP traffic entering from multiple authenticated or unauthenticated sources (VACLs or static port ACLs)
n routed IPv4 traffic (RACLs)
n IP traffic from multiple sources and having a destination on the switch itself
Implementation requires client authentication.
Client authentication not a factor.
Identified by the credentials (username/password pair or the MAC address) of the specific client the ACL is intended to service.
Identified by a number in the range of 1-199 or an alphanumeric name.
Supports dynamic assignment to filter only the IP traffic entering the switch from an authenticated client on the port to which the client is connected. (IPv6 traffic can be switched; IPv4 traffic can be routed or switched. For either IP traffic family, includes traffic having a DA on the switch itself.)
Supports static assignments to filter:
n switched IPv6 traffic entering the switch
n switched or routed IPv4 traffic entering the switch, or routed IPv4 traffic leaving the switch.
When the authenticated client session ends, the switch removes the RADIUS-assigned ACL from the client port.
Remains statically assigned to the port or VLAN.
Allows one RADIUS-assigned ACL per authenticated client on a port. (Each such ACL filters traffic from a different, authenticated client.)Note: The switch provides ample resources for supporting RADIUS-assigned
Simultaneously supports all of the following static assignments affecting a given port:
n IPv4 traffic: o inbound RACL
368
Aruba 2930M/F | Access Security Guide
RADIUS-assigned ACLs
Static port and VLAN ACLs
ACLs and other features. However, the actual number of ACLs supported depends on the switch current feature configuration and the related resource requirements. For more information, see the appendix titled "Monitoring Resources" in the management and configuration guide for your switch.
o outbound RACL o VACL o static port ACL
n IPv6 traffic: o VACL o static port ACL
Supports IPv6 ACLs and IPv4 extended ACLs. "IPv6 Access Control Lists (ACLs)" in the IPv6 Configuration Guide for your switch.
Supports IPv6 ACLs and standard, extended, and connection-rate IPv4 ACLs
A given RADIUS-assigned ACL operates on a port to filter only the IP traffic entering the switch from the authenticated client corresponding to that ACL, and does not filter IP traffic inbound from other authenticated clients. (The traffic source is not a configurable setting.)
An RACL applied to inbound traffic on a VLAN filters routed IPv4 traffic entering the switch through a port on that VLAN, as well as any inbound traffic having a DA on the switch itself. An RACL can be applied to outbound IPv4 traffic on a VLAN to filters routed IPv4 traffic leaving the switch through a port on that VLAN (and includes routed IPv4 traffic generated by the switch itself). A VACL can be applied on a VLAN to filter either IPv4 or IPv6 traffic entering the switch through a port on that VLAN.A static port ACL can be applied on a port to filters either IPv4 or IPv6 traffic entering the switch through that port.
Requires client authentication by a RADIUS server configured to dynamically assign an ACL to a client on a switch port, based on client credentials.
No client authentication requirement.
ACEs allow a counter (cnt) option that causes a counter to increment when there is a packet match.
The show statistics command includes options for displaying the packet match count, see Monitoring static ACL performance. Also, ACEs allow a log option that generates a log message whenever there is a packet match.
Aruba 2930M/F | Access Security Guide
369
Regarding the Use of IPv4 Source Routing:
IPv4 source routing is enabled by default on the switch and can be used to override IPv4 ACLs. For this reason, if you are using IPv4 ACLs to enhance network security, the recommended action is to use the no ip source-route command to disable source routing on the switch. (If source routing is disabled in the running-config file, the show running command includes "no ip source-route" in the running-config file listing.)
How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port
A RADIUS-assigned ACL configured on a RADIUS server is identified and invoked by the unique credentials (username/password pair or a client MAC address) of the specific client the ACL is intended to service. Where the username/password pair is the selection criteria, the corresponding ACL can also be used for a group of clients that all require the same ACL policy and use the same username/password pair. Where the client MAC address is the selection criteria, only the client having that MAC address can use the corresponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client's credentials to the client's port. The ACL then filters the client's inbound IP traffic and denies (drops) any such traffic that is not explicitly permitted by the ACL.
n If the filter rule used for a RADIUS-based ACL is one of the options that specifies only IPv4 traffic, then the ACL will implicitly deny any inbound IPv6 traffic from the authenticated client.
n If the filter rule used for a RADIUS-based ACL is the option for specifying both IPv4 and IPv6 traffic, then the ACL filter both IP traffic types according to the ACEs included in the RADIUS-assigned ACL.
When the client session ends, the switch removes the RADIUS-assigned ACL from the client port.
Implicit Deny
Every RADIUS-assigned ACL ends with an implicit deny in ACE for both IPv4 and IPv6 traffic. This implicit ACE denies any IP traffic that is not specifically permitted. To override this default, configure an explicit permit in ip from any to any as the ACL's last explicit ACE.
Multiple clients in a RADIUS-assigned ACL environment
Where multiple clients are authenticated on the same port, if any of the clients has a RADIUS-assigned ACL, then all of the authenticated clients on the port must have a RADIUS-assigned ACL. In this case, the switch drops the IP traffic from any authenticated client that does not have a RADIUS-assigned ACL, and deauthenticates that client.
Multiple clients sharing the same RADIUS-assigned ACL When multiple clients supported by the same RADIUS server use the same credentials, they will all be serviced by different instances of the same ACL. (The actual IP traffic inbound from any client on the switch carries a source MAC address unique to that client. The RADIUS-assigned ACL uses this MAC address to identify the traffic to be filtered.)
Effect of multiple ACL application types on an interface The switch allows simultaneous use of all supported ACL application types on an interface. Thus, a static ACL assigned to an interface filters authenticated client traffic, regardless of whether a RADIUS-assigned ACL is also filtering the client's traffic. For more information, see Multiple ACLs on an interface.
370
Aruba 2930M/F | Access Security Guide
General ACL features, planning, and configuration
These steps suggest a process for using RADIUS-assigned ACLs to establish access policies for client IP traffic.
Procedure
1. Determine the polices you want to enforce for authenticated client traffic inbound on the switch. 2. Plan ACLs to execute traffic policies:
a. Apply ACLs on a per-client basis where individual clients need different traffic policies or where each client must have a different username/password pair or will authenticate using MAC authentication.
b. Apply ACLs on a client group basis where all clients in a given group can use the same traffic policy and the same username/password pair.
3. Configure the ACLs on a RADIUS server accessible to the intended clients. 4. Configure the switch to use the desired RADIUS server and to support the desired client authentication
scheme. Options include 802.1X, web-based authentication, or MAC authentication. (Note that the switch supports the option of simultaneously using 802.1X with either web-based or MAC authentication.) 5. Test client access on the network to ensure that your RADIUS-assigned ACL application is properly enforcing your policies.
For further information common to all IPv4 or IPv6 ACL applications, see the IPv4 Configuration Guide or IPv6 Configuration Guide for your switch.
The packet-filtering process
Packet-filtering in an applied ACL is sequential, from the first ACE in the ACL to the implicit deny any any following the last explicit ACE. This operation is the same regardless of whether the ACL is applied dynamically from a RADIUS server or statically in the switch configuration.
ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of
maintaining network security. However, because ACLs do not provide user or device authentication, or
protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied
upon for a complete security solution.
If a RADIUS-assigned ACL permits an authenticated client's inbound IP packet, but the client port is also configured with a static port ACL and/or belongs to a VLAN for which there is an inbound, VLAN-based ACL configured on the switch, then the packet will also be filtered by these other ACLs. If there is a match with a deny ACE in any of these ACLs, the switch drops the packet.
Operating rules for RADIUS-assigned ACLs
n Relating a client to a RADIUS-assigned ACLA RADIUS-assigned ACL for a particular client must be configured in the RADIUS server under the authentication credentials the server should expect for that client. If the client must authenticate using 802.1X and/or web-based authentication, the username/password pair
Aruba 2930M/F | Access Security Guide
371
forms the credential set. If authentication is through MAC Authentication, then the client MAC address forms the credential set. See Configuring an ACL in a RADIUS server.
n Multiple clients using the same username/password pairMultiple clients using the same username/password pair will use duplicate instances of the same ACL.
n Limits for ACEs in RADIUS-assigned ACLsThe switch supports up to 80 characters in a single ACE. Exceeding this limit causes the related client authentication to fail.
n Effect of other, statically configured ACLsSuppose that port B1 belongs to VLAN "Y" and has a RADIUSassigned ACL to filter inbound traffic from an authenticated client. Port B1 is also configured with IPv4 and IPv6 static port ACLs, and VLAN "Y" is statically configured with IPv4 and IPv6 VACLs.
o IP traffic entering the switch on port B1 from the client and having a match with a deny ACE configured in any of the ACLs mentioned above will be dropped.
o If an inbound RACL was also configured on VLAN "Y", then a deny match in the RACL would apply to any inbound, routed IPv4 traffic from the client (and to any inbound, switched traffic having a destination on the switch itself).
o If an outbound RACL was also configured on VLAN "Y", then any outbound, routed IPv4 traffic leaving the switch through the port B1 would be filtered by the outbound RACL.
Configuring an ACL in a RADIUS server
The following information provides general guidelines for configuring a RADIUS server to specify RADIUSassigned ACLs. It also provides an example configuration for a FreeRADIUS server application. To configure services on a specific RADIUS server application, see the documentation provided with that application. A RADIUS-assigned ACL configuration in a RADIUS server includes the following elements:
n Nas-Filter-Rule attributes -- standard and vendor-specific n ACL configuration, entered in the server, and associated with specific username/password or MAC address
criteria, and comprised of ACEs entered in the server
A RADIUS-assigned ACL includes:
n One or more explicit permit and/or deny ACEs n An implicit deny in ip from any to any ACE automatically applied after the last operator-created ACE
Nas-filter-Rule options
Table 28: Nas-filter-Rule attribute options
Service
ACLs Applied to Client Traffic Inbound to the Switch Assigns a RADIUS-configured ACL to filter inbound packets received from a specific client authenticated on a switch port.
Control method and operating notes
Standard Attribute: 92 This is the preferred attribute for use in RADIUS-assigned ACLs to configure ACEs to filter IPv4 and IPv6 traffic. Entry for IPv4-Only ACE To Filter Client Traffic: Nas-filter-Rule="< permit or deny ACE >"(Standard Attribute 92) For example: Nas-filter-Rule=permit in tcp from any to any Entries for IPv4/IPv6 ACE To Filter Client Traffic:
372
Aruba 2930M/F | Access Security Guide
Service
Set IP Mode Used with the Nas-filter-Rule attribute described above to provide IPv6 traffic-filtering capability in an ACE.
Control method and operating notes
HP-Nas-Rules-IPv6 <1 2> (VSA, where 1=IPv4 and IPv6 traffic,
and 2=IPv4-only traffic.)
Nas-filter-Rule="<permit or deny ACE>"(Standard Attribute
92.) For example: HP-Nas-Rules-IPv6=1
Nas-filter-Rule="permit in tcp from any to any"
NOTE: If HP-Nas-Rules-IPv6 is set to 2 or is not present in the ACL, IPv6 traffic from the client will be dropped.
HP-Nas-Rules-IPv6: 63 (Vendor-Specific Attribute) When using the standard attribute (92) described above in a RADIUS-assigned ACL to support both IPv4 and IPv6 traffic inbound from an authenticated client, one instance of this VSA must be included in the ACL. Note that this attribute supports either of the following IP modes for Nas-filter-Rule ACEs: n Both IPv6 and IPv4 traffic n Only IPv4 traffic vendor-specific ID: 11VSA: 63 (string=HP-Nas-Rules-IPv6) n IPv6 and IPv4 ACLs: integer = 1(Using this option causes the ACL to filter
both IPv4 and IPv6 traffic.) n IPv4-only ACLs: integer=2 (Using this option causes the ACL to drop any
IPv6 traffic received from the authenticated client.) Setting:
HP-Nas-Rules-IPv6=< 1 2 > Nas-filter-Rule "< permit or deny
ACE >"
NOTE: When the configured integer option is "1", the any keyword used as a destination applies to both IPv4 and IPv6 destinations for the selected traffic type (such as Telnet). Thus, if you want the IPv4 and IPv6 versions of the selected traffic type to both go to their respective "any" destinations, then a single ACE is needed for the selected traffic type. For example: HP-Nas-RulesIPv6=1
Nas-filter-Rule="permit in tcp from any to any 23"
However, if you do not want both the IPv4 and IPv6 traffic of the selected type to go to their respective "any" destinations, then two ACEs with explicit destination addresses are needed. In this case, do one of the following: n Use 0.0.0.0/0 in one ACE to specify the "any" destination for IPv4 traffic,
and use a specific IPv6 address for the destination in the other ACE. n Use ::/0 in one ACE to specify the "any" destination for IPv6 traffic, and use
a specific IPv4 address for the destination in the other ACE. For example, if you want to allow the IPv4 Telnet traffic from a client to go to any destination, but you want the IPv6 Telnet traffic from the same client to go only to a specific address or group of addresses, you will need to distinguish the separate destinations. This is done by using explicit addresses for the "any" destinations. For example:
Aruba 2930M/F | Access Security Guide
373
Service
Control method and operating notes
HP-Nas-Rules-IPv6=1
Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"
Nas-filter-Rule="deny in tcp from any to fe80::b1 23" The above example sends IPv4 Telnet traffic to its "any" destination, but allows IPv6 Telnet traffic only to fe80::b1 23. To reverse this example, you would configure ACEs such as the following: HP-Nas-Rules-IPv6=1
Nas-filter-Rule="deny in tcp from any to 10.10.10.1 23"
Nas-filter-Rule="deny in tcp from any to ::/0 23" In cases where you do not want the selected traffic type for either IPv4 or IPv6 to go to the "any" destination, you must use two ACEs to specify the destination addresses. For example: HP-Nas-Rules-IPv6=1
Nas-filter-Rule="deny in tcp from any to 10.10.10.1 23"
Nas-filter-Rule="deny in tcp from any to fe80::23 23" To use the IPv6 VSA while allowing only IPv4 traffic to be filtered, you would use a configuration such as the following: HP-Nas-Rules-IPv6=2 Nas-filter-Rule="permit in tcp from any
to any"
IPv4-only ACLs applied to client traffic inbound to the switch
Assigns a RADIUS-configured IPv4 ACL to filter inbound IPv4 packets received from a specific client authenticated on a switch port.
HP-Nas-filter-Rule (Vendor-Specific Attribute): 61 This attribute is maintained for legacy purposes (for configurations predating software release xx.15.01) to support ACEs in RADIUS-assigned ACLs capable of filtering only IPv4 traffic. However, for new or updated configurations (and any configurations supporting IPv6 traffic filtering) Hewlett Packard Enterprise recommends using the Standard Attribute (92) described earlier in this table instead of the HP-Nas-filter-Rule attribute described here. vendor-specific ID: 11 VSA: 61 (string=HP-Nas-filter-Rule) Setting: HP-Nas-filter-Rule="< permit or deny ACE >"
NOTE: An ACL applying this VSA to inbound traffic from an authenticated client drops any IPv6 traffic from the client.
ACE syntax in RADIUS servers
The following information describes ACE syntax configuration options in a RADIUS server.
ACE syntax (standard attribute-92)
IPv6 VSA for standard attribute
Nas-filter-Rule = " <permit|deny> in <ip|ip-protocol-value> from any to <any|host|<ip-addr>|ipv4-addr/mask|IPv6-address/prefix> [tcp/udpport|tcp/udp-port range>] [cnt] "
[HP-Nas-Rules-IPv6=<1|2>] For an example of how to apply this VSA, see Figure 72: Configuring a FreeRADIUS server to filter IPv4 and IPv6 traffic for a client with correct credentials.
374
Aruba 2930M/F | Access Security Guide
ACE syntax (legacy VSA-61)
HP-Nas-filter-Rule= " <permit|deny> in <ip|ip-protocol-value> from any to <any|host|<ip-addr>|ipv4-addr/mask|IPv6-address/prefix> [<tcp/udpport|tcp/udp-port range> ] [cnt] "
Nas-filter-Rule= : Standard attribute for filtering inbound IPv4 traffic from an authenticated client. When used without the VSA option (below) for filtering inbound IPv6 traffic from the client, drops the IPv6 traffic. See also Nas-filter-Rule options on page 372.
[HP-Nas-Rules-IPv6=|<1|2>] : VSA used in an ACL intended to filter IPv6 traffic. Settings include: n 1: ACE filters both IPv4 and IPv6 traffic. n 2: ACE filters IPv4 traffic and drops IPv6 traffic. n VSA not used: ACE filters IPv4 traffic and drops IPv6 traffic.
This VSA must be present in an ACL where the Nas-filter-Rule= attribute is intended to filter inbound IPv6 traffic from an authenticated client. See also Nas-filter-Rule options on page 372.
HP-Nas-filter-Rule=: Legacy VSA for filtering inbound IPv4 traffic only from an authenticated client. Drops inbound IPv6 traffic from the client. See also Nas-filter-Rule options on page 372.
Must be used to enclose and identify a complete permit or deny ACE syntax statement. For example: Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"
<permit|deny> Specifies whether to forward or drop the identified IP traffic type from the authenticated client. (For information on explicitly permitting or denying all inbound IP traffic from an authenticated client, or for implicitly denying all such IP traffic not already permitted or denied, see Configuration notes on page 377.)
in Required keyword specifying that the ACL applies only to the traffic inbound from the authenticated client.
{<ip|ip-protocol-value>} Options for specifying the type of traffic to filter.
ip Applies the ACE to all IP traffic from the authenticated client.
ip-protocol-value This option applies the ACE to the type of IP traffic specified by either a protocol number or by tcp, udp, icmp, or (for IPv4-only) igmp. The range of protocol numbers is 0-255. (Protocol numbers are defined in RFC 2780. For a complete listing, see "Protocol Registries" on the Website of the Internet Assigned Numbers Authority at ( http://www.iana.com). Some examples of protocol numbers include: 1=ICMP 17=UDP 2=IGMP (IPv4 only) 41=IPv6 6=TCP
from any
Aruba 2930M/F | Access Security Guide
375
Required keywords specifying the (authenticated) client source. (Note that a RADIUS-assigned ACL assigned to a port, filters only the inbound traffic having a source MAC address that matches the MAC address of the client whose authentication invoked the ACL assignment.)
to Required destination keyword.
any n Specifies any IPv4 destination address if one of the following is true:
l the ACE uses the standard attribute ( Nas-filter-Rule) and the IPv6 VSA ( HP-NasRules-IPv6) is not included the ACL. For example: Nas-filter-Rule="permit in tcp from any to any 23"
Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
Nas-filter-Rule+="deny in ip from any to any"
l the ACE uses the standard attribute (Nas-filter-Rule) and the IPv6 VSA (HP-NasRules-IPv6) is included in the ACL with an integer setting of 2. For example, all of the following destinations are for IPv4 traffic: HP-Nas-Rules-IPv6=2
Nas-filter-Rule="permit in tcp from any to any 23"
Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
Nas-filter-Rule+="deny in ip from any to any" l the HP-Nas-Filter-Rule VSA is used instead of either of the above options. For example,
all of the following destinations are for IPv4 traffic: HP-Nas-filter-Rule="permit in tcp from any to any 23"
HP-Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
HP-Nas-filter-Rule+="deny in ip from any to any" n Specifies any IPv4 or IPv6 destination address if the ACL uses the HP-Nas-Rules-IPv6 VSA
with an integer setting of 1. See Nas-filter-Rule options on page 372. For example, the any destinations in the following ACL apply to both IPv4 and IPv6 traffic:
HP-Nas-Rules-IPv6=1Nas-filter-Rule="permit in tcp from any to any 23"
Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
Nas-filter-Rule+="permit in ip from any to fe80::d1:1/120"
Nas-filter-Rule+="deny in ip from any to any"
host <ipv4-addr> Specifies a single destination IPv4 address.
<ipv4-addr/<mask>
376
Aruba 2930M/F | Access Security Guide
Specifies a series of contiguous destination addresses or all destination addresses in a subnet. The <mask> is CIDR notation for the number of leftmost bits in a packet's destination IPv4 address that must match the corresponding bits in the destination IPv4 address listed in the ACE. For example, a destination of 10.100.17.1/24 in the ACE means that a match occurs when an inbound packet (of the designated IPv4 type) from the authenticated client has a destination IPv4 address where the first three octets are 10.100.17. (The fourth octet is a wildcard, and can be any value up to 255.)
host <ipv6-addr> Specifies a single destination IPv6 address. Note: Filtering IPv6 traffic requires the Standard Attribute(Nas-Filter-Rule)with the HP-Nas-Rules-IPv6 VSA set to 1. See Nas-filter-Rule options on page 372.
<ipv6-addr/<prefix> Specifies a series of contiguous destination addresses or all destination addresses in a subnet. The < prefix > specifies the number of leftmost bits in a packet's destination IPv6 address that must match the corresponding bits in the destination IPv6 address listed in the ACE. For example, a destination of FE80::1b:127/112 in the ACE means that a match occurs when an inbound packet (of the designated IPv6 type) from the authenticated client has a destination IPv6 address where the first 112 are FE80::1b. (The last 16 bits in the address configured in the ACE form a "wildcard", and can be any value from 0 to FFFF.)
[<tcp/udp-port>|<tcp/udp-port-range>] Optional TCP or UDP port specifier. Used when the ACE is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP destination port numbers. You can specify port numbers as individual values and/or ranges. For example, the following ACE shows two ways to deny any UDP traffic from an authenticated client that has a DA of any address and a UDP destination port of 135, 137-139, or 445:
deny in udp from any to any 135, 137-139, 445
deny in 17 from any to any 135, 137-139, 445
[<icmp-type>|icmpv6-type] Optional ICMP type specifier. This can be either a keyword or an ICMP type number. For a listing of numbers and types, see Displaying the current RADIUS-assigned ACL activity on the switch on page 386.
[cnt] Optional counter specifier for a RADIUS-assigned ACE. When used, the counter increments each time there is a "match" with the ACE. This option does not require that you configure the switch for RADIUS accounting.
Configuration notes
Explicitly permit IPv4 and IPv6 traffic from an authenticated client
This option for ending a RADIUS-assigned ACL permits all of the client's inbound IPv4 and IPv6 traffic not previously permitted or denied.
Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=1
See Nas-filter-Rule options on page 372 for information on the above attributes.
Explicitly permit only the IPv4 traffic from an authenticated client
Any of the following three options for ending a RADIUS-assigned ACL explicitly permit all of the client's inbound IPv4 traffic not previously permitted or denied. These options also deny any of the client's IPv6 traffic not previously permitted or denied.
Aruba 2930M/F | Access Security Guide
377
Nas-filter-Rule += permit in ip from any to any
(Using this attribute to permit IPv4 traffic from the client while denying any IPv6 traffic from the client assumes that HP-Nas-Rules-IPv6=1 does not exist elsewhere in the ACL. See Nas-filter-Rule options on page 372 for more on HP-Nas-Rules-IPv6.)
n HP-Nas-Filter-Rule += permit in ip from any to any
n Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=2
Implicitly denying any IP traffic For any packet being filtered by a RADIUS-assigned ACL, there will always be a match. That is, any packet that does not have a match with an explicit permit or deny ACE in the list will match with the implicit deny any any ACE automatically included at the end of the ACL. That is, a RADIUS-assigned ACL includes an implicit deny in ip from any to any ACE at the end of the ACL to deny any IPv4 and IPv6 traffic not previously permitted or denied.
Monitoring shared resources
Currently active RADIUS-based authentication sessions using RADIUS-assigned ACLs share internal switch resources with several other features. The switch provides sufficient resources for all features. However, if the internal resources do become fully subscribed, new RADIUS-based sessions using RADIUS-assigned ACLs cannot be authenticated until the necessary resources are released from other applications.
n For information on determining the current resource availability and usage, see "Monitoring Resources" in the Management and Configuration Guide for your switch.
n For a summary of ACL resource limits, see the topics covering scalability in the latest Management and Configuration Guide for your switch.
Event log messages
See the event log message reference guide for information about event log messages.
Causes of client deauthentication immediately after authenticating
n ACE formatted incorrectly in the RADIUS server examples: l from, any, or to keyword missing. l An IPv4 or IPv6 protocol number in the ACE exceeds 255. l An optional UDP or TCP port number is invalid, or a UDP/TCP port number is specified when the protocol is neither UDP or TCP. l An ACE in the ACL for a given authenticated client exceeds 80 characters.
n A RADIUS-assigned ACL limit has been exceeded: l The TCP/UDP port-range quantity of 14 per slot or port group has been exceeded. l The rule limit has been exceeded.
n An IPv6 ACE has been received on a port and either the HP-Nas-Rules-IPv6 attribute is missing or HP-NasRules-IPv6=2 is configured. See Nas-filter-Rule options for more on this attribute.
378
Aruba 2930M/F | Access Security Guide
Configuring the switch to support RADIUS-assigned ACLs
An ACL configured in a RADIUS server is identified by the authentication credentials of the client or group of clients the ACL is designed to support. When a client authenticates with credentials associated with a particular ACL, the switch applies that ACL to the switch port the client is using. To enable the switch to forward a client's credentials to the RADIUS server, you must first configure RADIUS operation and an authentication method on the switch.
Procedure
1. Configure RADIUS operation on the switch: radius-server host <ipv4-address> key <key-string> This command configures the IPv4 address and encryption key of a RADIUS server. The server should be accessible to the switch and configured to support authentication requests from clients using the switch to access the network.
2. Configure RADIUS network accounting on the switch (optional). aaa accounting network <start-stop|stop-only> radius
You can also view ACL counter hits using either of the following commands: show access-list radius <port-list> show port-access <authenticator|mac-based|web-based> <port-list> clients detailed
See the documentation provided with your RADIUS server for information on how the server receives and manages network accounting information, and how to perform any configuration steps necessary to enable the server to support network accounting data from the switch.
3. Configure an authentication method. Options include 802.1X, web-based authentication, and MAC authentication. You can configure 802.1X, web-based authentication, and/or MAC authentication to operate simultaneously on the same ports. n 802.1X Option: aaa port-access authenticator <port-list> aaa authentication port-access chap-radius aaa port-access authenticator active These commands configure 802.1X port-based access control on the switch, and activates this feature on the specified ports. For more on 802.1X configuration and operation, see User authentication methods on page 517. n MAC Authentication Option: aaa port-access mac-based <port-list> This command configures MAC authentication on the switch and activates this feature on the specified ports. For more on MAC authentication, see Web and MAC Authentication on page 77. n Web Authentication Option: aaa port-access web-based <port-list> This command configures web-based authentication on the switch and activates this feature on the specified ports. For more on web-based authentication, see Web and MAC Authentication on page 77.
Viewing the currently active per-port CoS and rate-limiting configuration
While a RADIUS-assigned client session is active on a given port, any RADIUS-imposed values for the settings listed in the following table are applied as shown:
Aruba 2930M/F | Access Security Guide
379
Table 29: Application of RADIUS-assigned values
Dynamic RADIUS assignment options
Static per-port setting Application of dynamic RADIUS assignment options
802.1p Priority (CoS)
qos priority <0-7
Applies per-client; that is, only to client whose authentication triggered the assignment. (Up to 32 clients supported per-port.)
Inbound (Ingress) RateLimiting
rate-limit <all|bcast| icmp|mcast> in <kbps| percent>
Outbound (Egress) RateLimiting
rate-limit <all|bcast| icmp|mcast> out <kbps| percent>
Applies per-port; that is, to all clients on the port.1
Syntax: show port-access web-based clients [port-list] detail mac-based clients [port-list] detail authenticator clients [port-list] detail
If the switch receives an 802.1p priority (CoS) and/or rate-limit setting(s) from a RADIUS server as the result of a client authentication on a port, the above commands display the assigned values while the client's session is active. When the session ends, the values for that client are no longer displayed.
The priority and inbound (ingress) rate-limit are applied only to the inbound traffic of the client whose authentication triggered the assignment. The outbound (egress) rate-limit applies to all outbound traffic on the port. web-based clients [port-list] detail
Displays, for a Web authenticated client (web-based authentication), the status of RADIUS-assignment details for that client. See Show commands for web-based authentication. mac-based clients [port-list] detail
Displays, for a MAC authenticated client (MAC-Auth), the status of RADIUS-assignment details for that client. authenticator clients [port-list] detail
Displays, for an 802.1X- authenticated client, the status of RADIUS-assignment details for that client.
Example:
Suppose port 4 has been statically configured from the CLI with the following:
1Uses the value assigned to the port by the most recent instance of client authentication.
380
Aruba 2930M/F | Access Security Guide
n 802.1p priority: 7
n Inbound rate-limit: 50 percent
n Outbound rate-limit: 50 percent
n The above, statically configured, per-port priority and inbound rate-limit settings will not apply to any clients who authenticate and receive different inbound priority and rate-limit settings from the RADIUS server. If the RADIUS server also assigns an outbound rate-limit setting, which is applied per-port instead of per-client, then the outbound traffic from the port to all connected clients will be rate-limited according to the value set by the server for the most recently authenticated client. Thus, if client "X" authenticates with web-based authentication on port 4 with a RADIUS server that assigns a priority of 3, an inbound rate-limit of 10,000 kbps, and an outbound rate-limit of 50,000 kbps, then: The inbound traffic from client "X" will be subject to a priority of 3 and inbound rate-limit of 10,000 kbps. Traffic from other clients using the port will not be affected by these values.
n The combined rate-limit outbound for all clients using the port will be 50,000 kbps until either all client sessions end, or another client authenticates and receives a different outbound rate-limit.
n Mixing CLI-configured and RADIUS-assigned rate-limiting on the same port can produce unexpected results. See Per-port bandwidth override
n Where multiple clients are currently authenticated on a given port where outbound (egress) ratelimiting values have been assigned by a RADIUS server, the port operates with the outbound ratelimit assigned by RADIUS for the most recently authenticated client. Any earlier outbound rate-limit values assigned on the same port for other authenticated client sessions that are still active are superseded by the most recent RADIUS-assigned value. For example, if client "X" is authenticated with an outbound rate-limit of 750 kbps, and client "Y" later becomes authenticated with an outbound rate-limit of 500 kbps while the session for client "X" is still active, then the port operates with an outbound rate-limit of 500 kbps for both clients.
Assignment method on port 10
802.1p
Statically Configured Values 7
RADIUS-assigned when
3
client "X" authenticates
Inbound rate-limit
Outbound rate-limit
100,000 kbps
100,000 kbps1
10,000 kbps 50,000 kbps1
1Combined rate-limit output for all clients active on the port.
Aruba 2930M/F | Access Security Guide
381
Figure 65 Results of client authentication on port 4
Viewing CLI-configured rate-limiting and port priority for ports
Syntax
show rate-limit all [port-list] show qos port-priority These commands show the CLI-configured rate-limiting and port priority for the selected ports. They also include indications of RADIUS-assigned rate-limiting and client traffic priority settings for any clients that may be authenticated on the same ports.
Figure 66 Displaying rate-limiting for multiple ports (CLI and RADIUS)
Figure 67 Displaying priority for multiple ports (CLI and RADIUS)
382
Aruba 2930M/F | Access Security Guide
ACE syntax configuration options in a RADIUS server, using the standard attribute in an IPv4 ACL (Example)
The Standard attribute (92), when used in an ACL without the HP-Nas-Rules-IPv6 VSA, filters IPv4 traffic inbound from the authenticated client. (Any IPv6 traffic inbound from the client is dropped.) This example illustrates configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS using the standard attribute for two different client identification methods (username/password and MAC address).
Procedure
1. Enter the ACL standard attribute in the FreeRADIUS dictionary.rfc4849 file. ATTRIBUTE Nas-FILTER-Rule 92
2. Enter the switch IP address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key ("secret") is "1234", you would enter the following in the server's clients.conf file: Figure 68 Switch identity information for a freeRADIUS application
3. For a given client username/password pair or MAC address, create an ACL by entering one or more ACEs in the FreeRADIUS "users" file. Remember that every ACL created automatically includes an implicit deny in ip from any to any ACE. For example, to create identical ACL support for the following: n Client having a username of "mobilE011" and a password of "run10kFast" n Client having a MAC address of 08-E9-9C-4F-00-19 The ACL in this example must achieve the following: n Permit http (TCP port 80) traffic from the client to the device at 10.10.10.101 n Deny http (TCP port 80) traffic from the client to all other devices n Permit all other traffic from the client to all other devices
For information on syntax details for RADIUS-assigned ACLs, see Using HPE VSA 63 to assign IPv6 and IPv4 ACLs (example).
To configure the above ACL, enter the username/password and ACE information shown in Figure 69: Configuring the FreeRADIUS server to support ACLs for the indicated clients.
Aruba 2930M/F | Access Security Guide
383
Figure 69 Configuring the FreeRADIUS server to support ACLs for the indicated clients
Using HPE VSA 63 to assign IPv6 and IPv4 ACLs (example)
The ACL VSA HP-Nas-Rules-IPv6=1 is used in conjunction with the standard attribute (Nas-Filter-Rule) for ACL assignments filtering both IPv6 and IPv4 traffic inbound from an authenticated client. For example, to use these attributes to configure a RADIUS-assigned ACL on a FreeRADIUS server to filter both IPv6 and IPv4 ACLs, perform these steps:
Procedure
1. Enter the following in the FreeRADIUS dictionary.hp file: n vendor-specific ID n ACL VSA for IPv6 ACLs (63) n HP-Nas-Rules-IPv6 VALUE setting to specify both IPv4 and IPv6 (1)
Figure 70 Configuring the VSA for RADIUS-assigned IPv6 and IPv4 ACLs in a FreeRADIUS server
2. Enter the switch IPv4 address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key ("secret") is "1234", you would enter the following in the server's clients.conf file:
Figure 71 Switch identity information for a freeRADIUS application
3. For a given client username/password pair, create an ACL by entering one or more IPv6 and IPv4 ACEs in
384
Aruba 2930M/F | Access Security Guide
the FreeRADIUS "users" file. Remember that the ACL created to filter both IPv4 and IPv6 traffic automatically includes an implicit deny in ip from any to any ACE at the end of the ACL in order to drop any IPv4 and IPv6 traffic that is not explicitly permitted or denied by the ACL. For example, to create ACL support for a client having a username of "Admin01" and a password of "myAuth9". The ACL in this example must achieve the following: a. Permit http (TCP port 80) traffic from the client to the device at FE80::a40.
b. Deny http (TCP port 80) traffic from the client to all other IPv6 addresses.
c. Permit http (TCP port 80) traffic from the client to the device at 10.10.10.117.
d. Deny http (TCP port 80) traffic from the client to all other IPv4 addresses.
e. Deny Telnet (TCP port 23) traffic from the client to any IPv4 or IPv6 addresses.
f. Permit all other IPv4 and IPv6 traffic from the client to all other devices.
4. To configure the above ACL, enter the username/password and ACE information, as shown in this example:
Figure 72 Configuring a FreeRADIUS server to filter IPv4 and IPv6 traffic for a client with correct credentials
Using HPE VSA 61 to assign IPv4 ACLs (example)
The recommended use of this option is to support legacy ACL configurations that rely on VSA 61. Hewlett Packard Enterprise recommends using the standard attribute (92) for new, RADIUS-based IPv4 ACLs, see Nasfilter-Rule options on page 372, and ACE syntax configuration options in a RADIUS server, using the standard attribute in an IPv4 ACL (Example) on page 383.
This example uses the VSA attribute 61 for configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS for two different client identification methods (username/password and MAC address).
Aruba 2930M/F | Access Security Guide
385
1. Enter the vendor-specific ID and the ACL VSA in the FreeRADIUS dictionary file: Figure 73 Configuring the VSA for RADIUS-assigned IPv4 ACLs in a FreeRADIUS server
2. Enter the switch IPv4 address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key ("secret") is "1234", you would enter the following in the server's clients.conf file: Figure 74 Switch identity information for a freeRADIUS application
3. For a given client username/password pair, create an ACL by entering one or more IPv4 ACEs in the FreeRADIUS "users" file. Remember that the ACL created to filter IPv4 traffic automatically includes an implicit deny in ip from any to any ACE (for IPv4). For example, to create ACL support for a client having a username of "User-10" and a password of "auth7X". The ACL in this example must achieve the following: n Permit http (TCP port 80) traffic from the client to the device at 10.10.10.117. n Deny http (TCP port 80) traffic from the client to all other IPv4 addresses. n Deny Telnet (TCP port 23) traffic from the client to any IPv4 address. n Permit all other IPv4 traffic from the client to all other devices.
4. To configure the above ACL, you would enter the username/password and ACE information shown in Figure 75: Configuring a FreeRADIUS server to filter IPv4 traffic for a client with the correct credentials into the FreeRADIUS "users" file. Figure 75 Configuring a FreeRADIUS server to filter IPv4 traffic for a client with the correct credentials
Displaying the current RADIUS-assigned ACL activity on the switch
These commands output data indicating the current ACL activity imposed per-port by RADIUS server responses to client authentication.
386
Aruba 2930M/F | Access Security Guide
Syntax
show access-list radius <port-list> For the specified ports, this command lists:
n Whether the ACL for the indicated client is configured to filter IPv4 traffic only, or both IPv4 and IPv6 traffic. See Nas-filter-Rule options on page 372 for more on this topic.
n The explicit ACEs, switch port, and client MAC address for each ACL dynamically assigned by a RADIUS server as a response to client authentication.
If cnt (counter) is included in an ACE, then the output includes the current number of inbound packet matches the switch has detected in the current session for that ACE, see ACE syntax in RADIUS servers on page 374.
If there are no ACLs currently assigned to any port in <port-list>, executing this command returns only the system prompt. If a client authenticates but the server does not return a RADIUS-assigned ACL to the client port, then the server does not have a valid ACL configured and assigned to that client's authentication credentials.
Example
The following output shows that a RADIUS server has assigned an ACL to port B1 to filter inbound traffic from an authenticated client identified by a MAC address of 00-17-A4-E6-D7-87. Figure 76 A RADIUS-assigned ACL application to a currently active client session
Syntax
show port-access <web-based|mac-based|authenticator> clients <port-list> detailed For ports in <port-list> configured for authentication, this command shows the details of the RADIUSassigned features listed below that are active as the result of a client authentication. (Ports in <port-list> that are not configured for authentication are not listed.)
Client Base Details:
Port
Port number of port configured for authentication.
Session Status
Aruba 2930M/F | Access Security Guide
387
Indicates whether there is an authenticated client session active on the port. Options include authenticated and unauthenticated.
Username
During an authenticated session, shows the user name of the authenticated client. If the client is not authenticated, this field is empty.
IP
Shows the authenticated client's IP address, if available. Requires DHCP snooping enabled on the switch. When "n/a" appears in the field, the switch has not been able to acquire the client's IP address. Note: Where the client IP address is available to the switch, it can take a minute or longer for the switch to learn the address. For more on this topic, see Configuring RADIUS accounting on page 197.
Session Time (sec)
For an unauthenticated session, indicates the elapsed time in seconds since the client was detected on the port. For an authenticated session, this indicates the elapsed time in seconds since the client was authenticated on the port.
MAC Address
During an authenticated session, shows the MAC address of the authenticated client.
Access Policy Details:
COS Map
Indicates the 802.1p priority assigned by the RADIUS server for traffic inbound on the port from an authenticated client. The field shows an eight-digit value where all digits show the same, assigned 802.1p number. For example, if the assigned 802.1p value is 5, then this field shows 55555555. If an 802.1p priority has not been assigned by the RADIUS server, this field shows Not Defined. Untagged VLAN VLAN ID (VID) of the untagged VLAN currently supporting the authenticated connection.
Tagged VLANs
VLAN IDs (VIDs) of any tagged VLANs currently supporting the authenticated connection.
RADIUS ACL List
Lists the explicit ACEs in the ACL assigned to the port for the authenticated client. Includes the ACE "Hit Count" (matches) for ACEs configured with the cnt option, see ACE syntax in RADIUS servers on page 374. If a RADIUS ACL for the authenticated client is not assigned to the port, No Radius ACL List appears in this field.
In Limit Kbps
Indicates the ingress rate-limit assigned by the RADIUS server to the port for traffic inbound from the authenticated client. If there is no ingress rate-limit assigned, then Not Set appears in this field.
Out Limit Kbps
Indicates the egress rate-limit assigned by the RADIUS server to the port for traffic outbound to the authenticated client. If there is no egress rate-limit assigned, then Not Set appears in this field.
388
Aruba 2930M/F | Access Security Guide
Output showing current RADIUS-applied features
switch(config)# show port-access web-based clients 10 detailed
Port Access Web-Based Client Status Detailed
Client Base Details :
Port
:9
Session Status : authenticated
Username
: acluser1
IP
: n/a
Session Time(sec) : 5
MAC Address
: 0017a4-e6d787
Access Policy Details :
COS Map
: 77777777
In Limit Kbps
Untagged VLAN : 10
Out Limit Kbps
Tagged VLANs : 20
RADIUS-ACL List :
deny in 23 from any to 10.0.8.1/24 23 CNT
Hit Count: 1
permit in 1 from any to 10.0.10.1/24 CNT
Hit Count: 112
deny in udp from any to any 67-68 CNT
Hit Count: 7
permit in ip from any to any CNT
Hit Count: 125
: 1000 : Not Set
Table 30: ICMP type numbers and keywords
IPv4 ICMP # 0 3 4 5 8 9 10 11 12 13 14 15 16 17
IPv6 ICMP
Keyword
#
echo reply
1
destination unreachable 2
source quench
3
redirect
4
echo request
128
router advertisement
129
router solicitation
130
time-to-live exceeded
131
IP header bad
132
timestamp request
133
timestamp reply
134
information request
135
information reply
136
address mask request
137
Keyword destination unreachable packet too big time exceeded parameter problem echo request echo reply multicast listener query multicast listener reply multicast listener done router solicitation router advertisement neighbor solicitation neighbor advertisement redirect message
Aruba 2930M/F | Access Security Guide
389
IPv4 ICMP # 18
Keyword address mask reply
IPv6 ICMP # 138 139 140 141
142
143 144
145 146 147 148 149 151 152 153
Keyword
router renumbering
icmp node information query
icmp node information response
inverse neighbor discovery solicitation message
inverse neighbor discovery advertisement message
version 2 multicast listener report
home agent address discovery request message
home agent address discovery reply message
mobile prefix solicitation
mobile prefix advertisement
certification path solicitation message
certification path advertisement message
multicast router advertisement
multicast router solicitation
multicast router termination
Force client re-authorization
Authenticated clients will be forced to perform re-authentication during the authentication session using the Session-Timeout attribute in RADIUS CoA. When the authenticator switch (acting as NAS for wired clients) receives RADIUS CoA with Session-Timeout value set to 'x' seconds; client re-authentication for specified client is triggered, after 'x' seconds.
Mandatory RADIUS CoA attributes to force client re-authentication
390
Aruba 2930M/F | Access Security Guide
User-Name = '00:50:56:bd:39:55', NAS-Port-Id = '3', NAS-IP-Address = 10.1.1.10, Calling-Station-Id = '00-50-56-bd-39-55', Session-Timeout = 2 Termination-Action = RADIUS_REQ (1)
Attributes such as User-Name, NAS-Port-Id, NAS-IP-Address and Calling-Station-Id are used to uniquely identify client's authentication session in NAS.
Aruba 2930M/F | Access Security Guide
391
Chapter 18 Critical and Open Authentication
Critical and Open Authentication
Open Authentication allows a device, such as an IP Phone, to have network access before the device is authenticated. Open Authentication is triggered when a mac-based client is connected to an Aruba switch before being authenticated by the RADIUS Server. To provide network connectivity for devices, they must be assigned a VLAN. Two new VLANs are created for Open Authentication functionality, one for voice traffic and one for data traffic. Open Authentication VLANs can be configured on the switch individually or within a user-role. Devices that can be connected to the switch without authentication are divided into two categories:
n Devices that send voice traffic.
n Devices that send data traffic.
Either one of open authentication VLAN (voice and/or data) or open authentication user-role can be configured for a port. However, both a VLAN and user-role cannot coexist for an interface. Initial traffic on the port is restricted only by ACLs configured for the port or for VLANs or ACLs in the user-role.
Impact of Open Authentication on existing features
Unauthenticated devices
Configuring open authentication VLAN will change the behavior of unauthenticated devices. Normally, authentication-enabled ports will not provide unauthenticated client any network access until the device is authenticated by the RADIUS Server. With open authentication VLAN configured, the client will be put in open authentication VLAN until the RADIUS Server authenticates the device.
Unauthenticated clients will be placed into the VLAN specified in the open authentication command string. After authentication by the RADIUS server, the client will be placed into the VLAN specified by the RADIUS authentication command string or as specified in the RADIUS authentication accept string.
LLDP-Bypass
When LLDP-bypass is enabled on the switch, Aruba APs are not authenticated therefore open authentication VLAN is not applicable.
Bypass using device-identity
Open authentication VLAN is not applicable to VoIP devices because they do not need authentication. It is applicable to PCs which need authentication.
ACLs applied on an Interface
If an ACL rule is applied on an interface which is part of an open authentication VLAN, traffic coming through that interface will be affected. Traffic will be affected based on the rule in the ACL. For more information, see the Access Security Guide for your switch.
ACLs applied on a VLAN
If an ACL rule is applied on an open authentication VLAN, traffic entering that VLAN will be affected. Traffic will be affected based on the rule in the ACL. For more information, see the Access Security Guide for your switch.
Rate-limiting on an interface
If the traffic is rate-limited on an interface as part of an open authentication VLAN, the traffic will be impacted. The traffic will be affected based on the rule in the rate-limiting configuration command. For more information, see the Management and Configuration Guide for your switch.
Authenticated or rejected clients
Aruba 2930M/F | Access Security Guide
392
Clients which are either authenticated or rejected by the RADIUS server are given different VLANs. These clients are moved from open authentication to new VLANs based on authentication by the RADIUS Server.
MAC pinning
Clients whose MAC addresses are pinned and have undergone authentication will always be treated as authenticated. Open authentication VLAN is not applicable in this scenario.
Effect of RADIUS tracking on open authentication
If RADIUS tracking is enabled and no RADIUS server is available for authentication, the port will be changed from an open authentication VLAN to a critical VLAN. The time taken to move from open authentication VLAN to Critical VLAN depends on the time it takes for RADIUS tracker to inform the subsystem.
Impact of disabling open authentication feature
When a device is in an open authentication VLAN and the open authentication feature is disabled at the switch, the device will be moved to the PVID. All tagged traffic to that device will be dropped while untagged traffic will be assigned to the PVID.
Restrictions
This feature will not support more than one tagged or untagged VLAN membership either through direct VLAN configuration or through user-roles. This feature is not applicable for authentication methods other than mac-based. This feature is not available to be configured from WebUI, Menu, or REST.
aaa port-access
aaa port-access <port> open-auth voice-vlan <VLAN-ID> no aaa port-access <port> open-auth voice-vlan
Description
A voice VLAN is configured on the switch using the port number and open authentication. "A voice VLAN is configured on a port for open authentication.
Parameter no
<port>
Description Disables the open authentication on that port for that VLAN
Specifies the port number of the device.
<VLAN-ID>
Specifies the ID of the VLAN being mapped to the device.
aaa port-access open-auth data-vlan
Syntax
aaa port-access <port> open-auth data-vlan <VLAN-ID> no aaa port-access <port> open-auth data-vlan
Description
A data VLAN is configured on a port for open authentication. The no form of this command disables open authentication on that port for that VLAN
393
Aruba 2930M/F | Access Security Guide
Command context
manager
Parameters
<port> Specifies the port number of the device. <VLAN-ID> Specifies the ID of the VLAN being mapped to the device.
aaa port-access open-auth user-role
Syntax
aaa port-access <port> open-auth user-role <ROLE-NAME> no aaa port-access <port> open-auth user-role <ROLE-NAME>
Description
Assign an open-auth user-role to a port by role-name instead of assigning individual VLANs. Role-names can be created by the user. The no form of this command disassociates the open-auth user-role from the port.
Command context
manager
Parameters
<port> Specifies the port number of the device. <ROLE-NAME> The role-name is created when the user role is named and configured to contain a VLAN.
show port-access clients
Syntax
show port-access clients
Description
Shows the list of all clients authenticated with successful user-role and clients rejected with initial-role.
Examples
switch(config)# show port-access clients Downloaded user roles are preceded by *
Port Access Client Status
Port Client Name MAC Address IP Address User Role
Type
----- ------------- -------------- ---------- ----------------- -----
--------
VLAN ----------------
Aruba 2930M/F | Access Security Guide
394
1/A15 b45d50c54b24 b45d50-c54b24 n/a 363, 364,
368, 369,
1/A3 admin
000c29-316056 n/a
1/B3 20a6cdcf1be4 20a6cd-cf1be4 n/a
363, 364,
368, 369,
1/B5 34fcb9c3ab54 34fcb9-c3ab54 n/a 363, 364,
368, 369,
1/B6 08000f41f373 08000f-41f373 n/a 363, 364,
368, 369,
*KB_MacAuth_DU... MAC
360, 361, 362,
365, 366, 367,
*KB_Dot1x_DUR_... 8021X *KB_MacAuth_DU... MAC
370 50 360, 361, 362,
365, 366, 367,
*KB_MacAuth_DU... MAC
370 360, 361, 362,
365, 366, 367,
*KB_MacAuth_DU... MAC
370 360, 361, 362,
365, 366, 367,
370
Critical authentication
Critical authentication provides alternative VLAN authentication for a client when the remote authentication server is not reachable. When remote authentication is not available, the client is placed in Critical VLAN instead of being blocked from access. A Critical VLAN can be configured per-port for both voice and data traffic and can be applied to Mac-based or 802.1x authentication. A critical user-role is configured which accepts the client when authentication fails due to an unreachable authentication server.
Critical voice (tagged) VLAN
When the remote authentication server is not reachable, clients sending tagged traffic will be placed in a Critical (tagged) VLAN. When a client is sending a MED device advertisement (such as an IP phone) using CDP, the switch sends the VLAN information in the TIA TR-41 Committee - Network Policy of the LLDP packet with auto-VLAN-negotiation capability. The MED device uses the VLAN to tag traffic. A Critical VLAN can be tagged, untagged or a combination of both. To enable this VLAN advertisement in LLDP, the Critical VLAN must be a voice VLAN. A Critical (tagged) VLAN is called a Critical voice VLAN. There are two ways to configure a Critical voice VLAN:
n Directly assign the VLAN.
n Assign a user-role containing the tagged VLAN as a critical-role.
Critical data (untagged) VLAN
For clients sending untagged traffic, if the RADIUS server is unreachable, the client is placed in a Critical VLAN. There are two ways to configure a Critical Data VLAN:
1. Directly assigning the VLAN using the command aaa port-access <port> critical-auth data-vlan <VLAN-ID>.
2. Assign a user-role containing untagged VLAN as critical-role using the command aaa port-access <port> critical-auth user-role <ROLE-NAME>.
395
Aruba 2930M/F | Access Security Guide
Restrictions
n Aruba switches will only support one Critical VLAN per port. n Either a Critical VLAN or a Critical user-role can be configured for a port. However, both VLAN and user-role
cannot coexist for a port.
n This feature is configurable per-port and only applies to RADIUS-based authentication mechanisms. n Web-based authentication is applicable to web-aware clients. However, if the port connected to the client
(either phone or PC behind phone) has web-based authentication enabled, the switch will initiate web-based authentication for all devices.
Examples of Behaviors
Unreachable RADIUS server
A device, such as an IP phone or PC, goes to a RADIUS server and is unable to authentication. The authentication of the device is then applied to a Critical VLAN or a critical user-role.
Stack(config)# show port-ac clients
Port Access Client Status
Port Client Name
MAC Address
IPAddress
User Role Type VLAN
----- ------------ ------------- ---------- --------- ---------
1/1
b4b0178db6a2 b4b017-8db6a2
n/a
critical MAC
Tagged critical role
When a critical-role has tagged VID and configured as voice, the port-connected to the MED device (IP phone) will be a tagged member of the voice VLAN. The switch will only support one tagged VLAN as critical. For clients with auto-VLAN-negotiation capabilities (MED devices), the switch sends the VLAN information in the "TIA TR41 Committee Network Policy" of the LLDP packet. If the MED device advertising is using CDP, the switch sends the VLAN information in the VOIP VLAN Reply field of CDP. The MED devices will use that VLAN to tag their traffic. To enable this VLAN advertisement in LLDP, we must make the Critical VLAN as `voice' VLAN.
For clients which send tagged traffic, switch can put them in Critical Tagged-VLAN:
1. Create tagged VLAN.
2. Make the tagged VLAN voice.
3. Create a user-role.
4. Make the tagged VLAN a member of the user-role.
5. Make the user-role a critical user-role with the command aaa authorization user-role name <CRITICAL-VOICE> vlan-id-tagged <ID>
Stack(config)# show vlan 10 VLAN ID : 10
Name : VLAN10 Status : Port-based Voice : Yes Jumbo : No Private VLAN : none Associated Primary VID : none
Aruba 2930M/F | Access Security Guide
396
Associated Secondary VIDs : none
Port Information Mode
Unknown VLAN Status
---------------- -------- ------------ ----------
1/1
MACAUTH Learn
Up
Overridden Port VLAN configuration
------ -----------1/1 MACAUTH
Deploying Critical VLAN
When a RADIUS server is configured as an authentication server, the clients are authenticated based on responses from the RADIUS server. The critical authentication feature does not operate unless the RADIUS server does not respond to authentication requests and only on those ports where critical authentication is configured. RADIUS Authentication can be deployed as is or as a module within policy managers such as ClearPass Policy Manager.
1. Creating a critical VLAN 2. Creating a user-role 3. Making a critical-role
Creating a VLAN for voice traffic.
Creates a critical VLAN for voice traffic.
Procedure
1. Create a voice VLAN.
For more information on how to create a VLAN see Advanced Traffic Guide for your switch.
2. Name the new VLAN using the following convention: Critical_Voice_VLAN-NAME. 3. Exit
Creating a user-role
creates a user-role.
Prerequisites
Create a critical VLAN.
Procedure
1. Create a user-role. For information about creating user-roles, refer to Local user-roles.
2. Make the user-role a voice VLAN by using the command vlan-id-tagged.
Associating a critical user-role to the critical VLAN Prerequisites
Create a user-role
397
Aruba 2930M/F | Access Security Guide
Procedure
1. Name the user-role as a critical voice user with the command aaa authorization user-role name critical-voice.
2. Enable the user-role by using the command aaa authorization user-role enable 3. Associate the port with the user-role critical voice VLAN by using the command aaa port-access port
critical user-role critical-voice.
aaa port-access critical-auth
Syntax
aaa port-access <PORT-LIST> critical-auth {voice-vlan <VLAN-ID> | data-vlan <VLAN-ID> | user-role <ROLE-NAME>}
no aaa port-access <PORT-LIST> critical-auth {voice-vlan <VLAN-ID> | data-vlan <VLAN-ID> | user-role <ROLE-NAME>}
Description
Configures and enables critical authentication for clients due to nonreachable authentication server. The no form of this command disables the critical authentication.
Command context
manager
Parameters
<PORT-LIST> Specifies the port or list of ports to configure with Critical Authentication. <VLAN-ID> Specifies the IP of the voice or data VLAN being configured with Critical Authentication. <ROLE-NAME> Specifies the role name assigned to the user-role for Critical Authentication.
Restrictions
Critical authentication is only available for MAC-based and 802.1x authentication.
show port-access clients
Use the show commands to display Critical Authentication and Open Authentication information and status.
switch# show port-access clients
Port Access Client Status
Port Client Name MAC Address IP Address User Role Type VLAN
----- ------------- -------------- ---------- ---------- ----- ----
A1 b4b0178db6a2 b4b017-8db6a2
n/a
critical_role
MAC
A2 b4b0178db6a3 b4b017-8db6a3
n/a
open-auth_role MAC
show port-access authenticator clients
Aruba 2930M/F | Access Security Guide
398
switch# show port-access authenticator clients
Port Access Authenticator Client Status
Port Client Name MAC Address IP Address Session Status
----- ------------- -------------- --------- -------------
A1 b4b0178db6a2 b4b017-8db6a2
n/a
critical
A2 b4b0178db6a3 b4b017-8db6a3
n/a
open-auth
show port-access mac-based clients
switch# show port-access mac-based clients
Port Access MAC-Based Client Status
Port Client Name MAC Address IP Address Session Status
----- ------------- ------------- ---------- --------------
A1 b4b0178db6a2 b4b017-8db6a2 n/a
critical-auth
A2 b4b0178db6a3 b4b017-8db6a3 n/a
open-auth
switch# show port-access mac-based clients A1 detailed
Port Access MAC-Based Client Status Detailed
Client Base Details:
Port
: A1
Session Status : critical auth Session Time (Sec) : 6
Username
: client1 MAC Address : b4b0178db6a2
IP
: n/a
...
switch# show port-access mac-based clients A2 detailed
Port Access MAC-Based Client Status Detailed
Client Base Details:
Port
: A2
Session Status : open-auth Session Time (Sec) : 6
Username
: client1 MAC Address : b4b0178db6a3
IP
: n/a
...
show running config
switch# show runnig-config
aaa port-access A1 critical-auth voice-vlan 10 aaa port-access A2 critical-auth user-role guest_role aaa port-access A4 open-auth voice-vlan 10 aaa port-access A5 open-auth user-role guest_role
Cached reauthentication
Currently Aruba network switches support primary and fallback authentication mechanism for mac-authentication & dot1x authentication methods. This fallback method will be applied for these authentication methods only if RADIUS is not reachable or down. Following option can be enabled as fallback mechanism.
399
Aruba 2930M/F | Access Security Guide
n Authorized
n Cached Re-Auth
n None
When authorized is set, authenticated clients will be allowed as authenticated during reauthentication. When cached Re-Auth is set, authenticated client will be authenticated for the configured cached reauth period or RADIUS server reachability. none is the default option, authenticated client will be de-authenticated. A CLI is introduced after the fallback mechanism cached reauthentication for 8021x and MAC authentication to authorize. Once cachedreauth has expired, the client will be triggered to authorized if the CLI option has been enabled.
aaa authentication mac-based cached-reauth authorized
Syntax
aaa authentication mac-based [chap-radius | peap-mschapv2 | none] cached-reauth authorized
Description
When authorized is set for MAC-based, authenticated clients, clients are allowed authentication during reauthentication.
Command context
config
show authentication
switch # show authentication
Status and Counters - Authentication Information Authorized enabled as backup for secondary login are preceded by *
Login Attempts : 3 Lockout Delay : 0 Respect Privilege : Disabled Bypass Username For Operator and Manager Access : Disabled
| Login
Login
Login
Access Task | Primary
Server Group Secondary
-------------- + ----------- ------------ ----------
Console
| Local
None
Telnet
| Local
None
Port-Access | Local
*Cached
Webui
| Local
None
SSH
| Local
None
Web-Auth
| ChapRadius radius
None
MAC-Auth
| ChapRadius radius
*Cached
SNMP
| Local
None
Local-MAC-Auth | Local
None
| Enable
Enable
Enable
Access Task | Primary
Server Group Secondary
-------------- + ----------- ------------ ----------
Console
| Local
None
Telnet
| Local
None
Aruba 2930M/F | Access Security Guide
400
Webui SSH
| Local | Local
None None
aaa authentication port-access cached-reauth authorized
Syntax
aaa authentication port-access [chap-radius | eap-radius | none] cached-reauth authorized
Description
When authorized is set for port-access, clients are allowed authentication during re-authentication.
Command context
config
Configuring a client for retain-unauth-clients
A series of steps must be undertaken to configure a client for enforce-cache reauthentication.
Procedure
1. switch(config)# aaa port-access mac-based <PORT-LIST> Associates the specified port with the port-access on a MAC-based client.
switch(config)# aaa port-access mac-based
addr-format
Set the MAC address format to be used in the RADIUS
request message (default no-delimiter).
[ethernet] PORT-LIST Manage MAC address based network authentication on the
device ports.
password
Specify the password for MAC authentication. If in
enhanced secure-mode, you will be prompted for the
password.
unauth-redirect
Configure macAuth redirect registration server featu
2. switch(config)# no aaa port-access mac-based addr-format [no-delimiter | single-dash | multi-dash | multi-colon | no-delimiter-uppercase | single-dash-uppercase | multidash-uppercase | multi-colon-uppercase] Sets the MAC address format to use. The same format is used for all ports in the system.
3. switch(config)# no aaa port-access mac-based <PORT-LIST> [addr-limit <Limit> | addrmoves | quiet-period <1-65535> | retain-unauth-clients | server-timeout <1-300> | macpin | max-requests <1-10> | logoff-period <1-9999999> | reauth-period <0-999999999> | unauth-period 0-255> | auth-vid <VLAN-ID> | unauth-vid <VLAN-ID> | reauthenticate|server-group < SERVER_GROUP>] Specifies parameters and limits on the configured client authentication.
switch(config)#aaa port-access mac-based 1
addr-limit
Set the port's maximum number of authenticated MAC
addresses (default 1).
addr-moves
Set whether the MAC can move between ports (default
disabled - no moves).
auth-vid
Configures VLAN where to move port after successful
authentication (not configured by default).
401
Aruba 2930M/F | Access Security Guide
cached-reauth-period Time in seconds, during which cached reauthentication is
allowed on the port.The minimum reauthentication period
should be greater than 30 seconds.
logoff-period
Set the period of time of inactivity that the switch
considers an implicit logoff (default 300 seconds).
mac-pin
Forces the clients to remain in authenticated state even
upon log-off expiry.
max-requests
Set maximum number of times the switch retransmits
authentication requests (default 3).
quiet-period
Set the period of time the switch does not try to
authenticate (default 60 seconds).
reauth-period
Set the re-authentication timeout in seconds; set to '0'
to disable re-authentication (default 0).
reauthenticate
Force re-authentication to happen.
retain-unauth-clients Enable access to unauthorized clients by placing port in
unauthorized VLAN during reauthentication
server-group
Specify the server group to use.
server-timeout
Set the authentication server response timeout (default
300 seconds).
unauth-period
Set period of time the switch waits before moving the
port to the VLAN for unauthenticated clients.
unauth-vid
Configures VLAN where to keep port while there is an
unauthorized client connected (not configured by
default).
switch(config)# aaa port-access mac-based 1 server-group
ASCII-STR
Enter an ASCII string.
switch(config)# aaa port-access mac-based 1 server-group group1
switch(config)#show port-access mac-based 1 config Port Access MAC-Based Configuration MAC Address Format : no-delimiter Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Mac password :
Unauth Redirect Configuration URL :
Unauth Redirect Client Timeout (sec) : 1800 Unauth Redirect Restrictive Filter : Disabled Total Unauth Redirect Client Count : 0 RADIUS Server Group : group1
Client Client Logoff Re-Auth Unauth Auth Cntrl
Port Enabled Limit Moves Period Period VLAN ID VLAN ID Dir
----- ------- ------ ------ --------- --------- ------- ------- -----
1
No
1
No
300
0
0
0
both
4. no aaa port-access mac-based password <PASSWORD> The password' form of the command sets the global password for all MAC authentication clients. This password is used instead of the client's MAC address in the RADIUS request.
5. aaa port-access mac-based <port-list> retain-unauth-clients
Retain unanth-vid is not enabled .
Aruba 2930M/F | Access Security Guide
402
Time considerations for reauthenticating clients
When radius-server is not reachable, switch will try to connect each radius-server three times to check whether server is available or not. The default value of radius-timeout is 5 seconds and radius-server retransmit is 3. Switch will take 20 seconds ((3+1)*5=20) to connect with each server.
Time considerations for 802.1X clients on windows
n If radius-server is not reachable, the client sends an EAPOL (Extensible Authentication Protocol Over LAN) start message after 18 seconds.
n Authenticator considers EAPOL start as a new authentication request from the client. So, the existing authentication session is stopped.
n Identity request and response are exchanged between authenticator and client. Even then client does not wait for the next authentication packets and sends another EAPOL start message after 18 minutes. Two issues are noticed due to this behavior:
o Authentication of a new client: General behavior is that if first radius-server is not reachable, switch will send authentication request to second server after 20 seconds. Client on windows sends EAPOL start message after every 18 seconds. On receiving EAPOL start, existing session is stopped and authentication with second server is not tried.
o Cached reauthentication is not triggered: When reauthentication is triggered, it tries for three times to check server availability. After every try (before cached reauth is triggered), client sends EAPOL start message. Authenticator starts new authentication session and stops existing session. Hence, cached reauthentication is not triggered.
The issue Windows 7 does not respond to 802.1X authentication requests after initial 802.1X authentication fails is already reported to Microsoft. You can see reference here: https://support.microsoft.com/en-in/kb/980295
Configuration to avoid issues with 802.1X clients on windows.
Following configurations can be used with the commands radius-server retransmit x and radius-server timeout y.
Case a
Retransmit x 1
Timeout y 8
b
2
6
c
2
5
d
3
5
e
3
4
f
3
3
Time considerations for 802.1X clients on linux
403
Aruba 2930M/F | Access Security Guide
When server is not reachable, there is no EAPOL start from the client after 18 seconds. Hence, there is no deviation from general behavior.
Resilient 802.1x cached-reauth
802.1x authenticated clients are placed in cached-reauthentication phase when a RADIUS server is not reachable. The switch sends an EAPOL (Extensible Authentication Protocol Over LAN) start message to reauthenticate the client before RADIUS connection timeout occurs or the server-times out. When configured, the client may be authorized to use a cached reauthentication as a backup method for access to the RADIUS server. Currently Aruba switches support primary and fallback authentication for both MAC authentication & DOT1x authentication. If the RADIUS server is down or unreachable, the fallback method is applied using one of the three methods available:
Authorized
When configured, authenticated clients are authorized.
Cached reauthentication
When configured, the client is authorized for the configured cached reauthentication period or RADIUS server reachability.
None
If none is configured, for the client, the client will be de-authenticated. None is the default.
Configuring a client for retain-unauth-clients
A series of steps must be undertaken to configure a client for enforce-cache reauthentication. 1. switch(config)# aaa authentication port-access eap-radius cached-reauth Enable cache-reauth as secondary authentication method 2. switch(config)# aaa port-access authenticator <PORT-LIST> Associate the specific port with port-access authenticator for 802.1x authentication 3. Configure server timeout < (no. of retransmit+1)*timeout default is [(3+1)*5] 20sec
switch(config)# show radius
Dead RADIUS server are preceded by *
Deadtime (minutes)
:0
Timeout (seconds)
:5
Retransmit Attempts
:3
Global Encryption Key
:
Dynamic Authorization UDP Port : 3799
Source IP Selection
: Outgoing Interface
Tracking
: Disabled
Tracking Period (seconds)
: 300
CPPM Identity
:
Auth Acct DM/ Time |
Server IP Addr Port Port CoA Window | Encryption Key OOBM
--------------- ----- ----- --- ------ + --------------- ----
<Server IP>
1812 1813 No 300 | <encryption-key> No
(config)# aaa port-access authenticator <PORT-LIST> server-timeout 4. switch(config)# aaa port-access authenticator <PORT-LIST> enforce-cache-reauth
Aruba 2930M/F | Access Security Guide
404
Enable enforce-cache-reauth on the 802.1x authentication associated port. 5. switch(config)# aaa port-access authenticator <PORT-LIST> cached-reauth-period
Set the cache-reauth-period for 802.1x associated port. a. Time in seconds, <1-2147483647>, during which cached reauthentication is allowed on the port. The
minimum reauthentication period should be greater than 30 seconds. 6. switch(config)# aaa port-access authenticator <PORT-LIST> reauth-period
Set the reauth-period for the 802.1x associated port. Enter a number, <0-999999999>. 7. switch(config)# aaa port-access authenticator | mac-based | local-mac <PORT-LIST> [auth-vid <VLAN-ID> | cached-reauth-period | clear-statistics | client-limit <1-32> | control | enforce-cache-reauth | initialize | logoff-period | max-requests <1-10> | quiet-period <1-65535> | reauth-period <0-999999999>| reauthenticate | server- timeout <1-300> | supplicant-timeout | tx-period | unauth-period <0-255> | unauth-vid <VLAN-ID> | suppress-lldp-nwpolicy ] Specifies parameters and limits on the configured client authentication. 8. switch(config)# aaa port-access authenticator active Initializes the authenticator.
405
Aruba 2930M/F | Access Security Guide
Chapter 19 RBAC
RBAC
RBAC Overview
The Role Based Access Control (RBAC) is a runtime database that consists of roles and rules that are mapped to users. RBAC lets you secure the management of your network infrastructure by defining the roles for each network administrator for their specific function. The resource access permissions ensure that the network administrator of one department cannot modify the configuration of another department. The feature access permission allows you to create roles based on the function of the user. Every user is mapped to a role in the RBAC database and every role has one or more rules. RBAC supports 64 roles and you can configure a maximum of 1000 rules per role. This figure shows the mapping of users, roles, and rules. In this example, User 3 and User 8 share the same role, Role 3. In turn, Role 3 points to the various rules it was configured to support. Figure 77 RBAC role and rule mapping
Limitations
n This feature is not supported on SNMP, REST, and next Gen UI. n You cannot edit netservices. n Configuration backup and restore are not supported by netedit-update command. n When net edit is in progress, ctrl+c is disabled. n netedit-update command is not a part of the AirWave template.
Roles
You can configure a maximum of 64 roles in a system and for each role, you can assign one or more rules. Roles are categorized as follows:
Aruba 2930M/F | Access Security Guide
406
n 3 default roles: operator, manager, and default-security-group n 16 predefined roles: Level-0 to Level-15 n 45 user roles
When a user is not mapped to any role, the user gets mapped to the predefined Network-Operator role (Level-1).
Predefined roles
RBAC offers 16 predefined roles in the system (Level-0 to Level-15) as follows:
n The Network-Diagnostic role (Level-0)This role can perform the following commands: o ping o tracert o ssh o telnet
The superuser can configure the access rights for this role. n The Network-Operator role (Level-1)This role has the same access rights as the Operator role and can
perform the following commands: o ping o traceroute o traceroute6 o ssh o telnet o All show commands, except for show
history o All display commands, except for display
history The superuser can configure the access rights for this role. n User modifiable roles (Level-2 to Level-8 and Level-10 to Level-14)By default, these roles have no access to any commands. The superuser can configure the access rights for these roles. n The Designated-Administrator role (Level-9)This role can perform all commands except for user management commands (such as : deny rwx aaa, denyrwx tacas, deny radius, deny configure password, deny configure authentication, deny show authorization). You cannot configure the access rights for this role.
n The Administrator role (Level-15)This role has the same access rights as the Manager role and it can perform all commands, features, and policies in the system. You cannot configure the access rights for this role.
407
Aruba 2930M/F | Access Security Guide
Rules
RBAC supports a maximum of 1000 rules per role. With RBAC, you can configure the access of a user to a limited set of VLAN, interfaces, features, and commands rules. When a user logs into the system, the role and rules are mapped to their session data structure.
Figure 78 RBAC rule mapping based on role per session
There are four types of rules:
n Command rules n Feature rules n VLAN policy rules n Interface policy rules
Command rules
The command rule indicates the absolute command path, including the command context that is taken into consideration while validating the commands. The command rule is specific to each user session. The command parameter must contain the command context separated with a ; delimiter. For example, the command string that indicates the configuration of an IP address on any VLAN is as follows: "configure;vlan;ip address"
The command strings are not validated. You must provide a valid command string.
Feature rules
The feature rule indicates that the feature is related to a command set. There are 40 predefined features. Each feature can have read, write, and execute privileges. You can configure multiple features for a single role. When
Aruba 2930M/F | Access Security Guide
408
you add a feature to a role, the command rule entries are included automatically for all the commands associated with that feature. A feature can have the following permissions:
n r: The read permission displays the configuration and maintenance information. For example, the display and show commands.
n w: The write permission configures the feature in the system. For example, the ACL and the OSPF configuration commands.
n x: The execute permission executes specific functions. For example, the ping and the copy commands.
VLAN policy rules
To configure a VLAN policy rule, set the policy parameter to vlan. Only one VLAN policy rule is allowed per role. The opposite VLAN rule is applied to the rest of the VLAN IDs. For example, a policy rule "policy:vlan:2-4" permit gives access permission to user for VLANs 2 to 4 only and denies access to rest of the VLANs available in the system. If you configure multiple VLAN policy rules, only the last entry is taken into effect. All other VLAN policy rules are ignored.
By default, VLAN policy rules allow all commands.
Interface policy rules
To configure an interface policy rule, set the policy parameter to the interface value. Only one interface policy rule is allowed per role. The opposite interface rule is applied to the rest of the interface IDs. For example, a policy rule "policy:interface:A2-A4" deny denies access permission to user for interfaces A2 to A4 only and permits access to rest of the interfaces available in the system. If you configure multiple interface policy rules, only the last entry is taken into effect. All other interface policy rules are ignored.
By default, interface policy rules allow all commands.
Creating roles and assigning rules
To create roles and assign rules to the configured roles, follow these steps:
1. Enabling authorization 2. Creating a role 3. Assign one or more rules:
a. Configuring command rules b. Configuring VLAN policy c. Configuring interface policy d. Configuring feature policy
409
Aruba 2930M/F | Access Security Guide
Enabling authorization
Before you can create a role, you must enable the authorization commands for local users as follows:
1. Run the aaa authorization commands command.
2. Specify the local parameter.
Enabling authorization commands
# aaa authorization commands local
Creating a role
Create a role as follows:
1. Run the aaa authorization local-user command.
2. Specify the local-user parameter. 3. Specify the group parameter. 4. Press enter. 5. Enter a password.
In this example, a local-user user1 is assigned to the network-admin role.
Assigning a local-user
# aaa authentication local-user "user1"group "network-admin" password plaintext
Configuring command rules
Assign one or more command rules to a user as follows:
1. Run the aaa authorization group command.
2. Specify the group parameter. 3. Specify the match-command parameter. You can specify one or more rules. 4. Specify the access: permit or deny.
In the following example, the network-admin role is given access to the router ospf and ip address commands.
Permit rule
# aaa authorization group "network-admin" 1 match-command "command:router ospf;ip address" permit log In the following example, the network-admin role is denied access to the configure router ospf enable command.
Deny rule
# aaa authorization group "network-admin"1 match-command "command:configure router ospf enable" deny log
Aruba 2930M/F | Access Security Guide
410
Configuring VLAN policy
1. Run the aaa authorization group command. 2. Specify the group parameter. 3. Specify the match-command parameter for the desired VLAN policy. 4. Specify the access: permit or deny.
If a command must be preceded by the execution of another command, you must first permit both commands for the command authorization group. You can then configure the rule.
In this example, the network-admin role is denied access to the "policy:vlan:10-12,20,30-40" VLAN policy. The sequence parameter is used to give order to the sequence of commands to be executed. See: example Since only one VLAN policy rule can be assigned per role, if access is permitted for VLAN IDs 10 to 12, access to the rest of the VLAN IDs is denied for the same role. Similarly, if access is denied for VLAN IDs 10 to 12, then access to the rest of the VLAN IDs is permitted for the same role.
Configuring VLAN policy rules
# aaa authorization group "network-admin" 1 match-command "command:^configure$" permit # aaa authorization group "network-admin" 2 match-command "command:configure vlan" permit log # aaa authorization group "network-admin" 3 match-command "policy:vlan:10-12,20,30-40" deny log
Configuring interface policy
1. Run the aaa authorization group command. 2. Specify the group parameter. 3. Specify the match-command parameter for the desired interface policy. 4. Specify the access: permit or deny.
If a command is preceded by the execution of another command, you must first permit both commands for the command authorization group. You can then configure the rule. In this example, the network-admin role is denied access to the "policy:interface:A10A12,A20,L20-L24" interface policy. The sequence parameter is used to give order to the sequence of commands to be executed.
Configuring interface policy rules
switch(config)# aaa authorization group "network-admin" 1 match-command "command:^configure$" permit switch(config)# aaa authorization group "network-admin" 2 match-command "command:configure interface" permit log switch(config)# aaa authorization group "network-admin" 3 match-command "policy:interface:A10A12,A20,L20-L24" deny log Since only one interface policy rule can be assigned per role, if access is permitted for A10 to A12, access to the rest of the interfaces is denied for the same role. Similarly if access is denied for A10 to A12, then access to rest of the interfaces is permitted for the same role.
411
Aruba 2930M/F | Access Security Guide
Configuring feature policy
1. Run the aaa authorization group command. 2. Specify the group parameter. 3. Specify the match-command parameter. You can specify one or more features. 4. Specify the access: permit or deny.
If a command must be preceded by the execution of another command, you must first permit both commands for the command authorization group. You can then configure the rule.
In this example, the network-admin role is granted access to the "feature:rwx:ospf" feature policy. The sequence parameter is used to give order to the sequence of commands to be executed.See: example
Configuring feature rules
switch# aaa authorization group "network-admin" 1 match-command "command:^configure$" permit switch# aaa authorization group "network-admin" 2 match-command "command:configure feature" permit log switch# aaa authorization group "network-admin" 1 match-command "feature:rwx:ospf" permit log
Displaying rules for predefined roles
1. Run the show authorization command. 2. Specify the group parameter. In this example, the authorization is displayed for the predefined roles.
Displaying rules
# show authorization group Local Management Groups - Authorization Information
Group Name: Level-0 Group Privilege Level: 18
Users: Tom, Bill, Will
Seq. Num. | Permission Rule Expression
Log
---------- + ---------- ------------------------------------------ -------
999
| Permit
ping *
Disable
1000
| Permit
ping6 *
Disable
1001
| Permit
traceroute *
Disable
1002
| Permit
traceroute6 *
Disable
1003
| Permit
ssh *
Disable
1004
| Permit
telnet *
Disable
1005
| Permit
telnet-server *
Disable
1006
| Deny
.*
Disable
...
Group Name: Level-15 Group Privilege Level: 33
Aruba 2930M/F | Access Security Guide
412
Users ----------------
Seq. Num. | Permission Rule Expression
Log
---------- + ---------- ------------------------------------------ -------
999
| Permit
configure .*
Disable
1000
| Permit
.*
Disable
Displaying predefined features
1. Run the show authorization command. 2. Specify the feature parameter. 3. Specify the detailed option.
In the following example, the details of the access-list feature are displayed. Displaying predefined features # show authorization feature access-list detailed
access-list
IP access list related commands
(W) command:debug acl
(W) command:configure access-list
(W) command:configure ip access-list
(W) command:configure ipv6 access-list
(W) command:configure s?vlan .* ip access-group
(W) command:configure s?vlan .* ipv6 access-group
(W) command:configure interface .* ip access-group
(W) command:configure interface .* ipv6 access-group
(W) command:configure interface tunnel .* ipv6 access-group
(R) command:show access-list
(R) command:show statistics aclv4
(R) command:show statistics aclv6
(R) command:display acl
To view all the predefined features in your system, enter: # show authorization feature all detailed
Troubleshooting
Cannot modify group name
The default group '<group-name>' cannot be modified. User tries to modify a predefined group name.
1. Do not attempt to change the name of a predefined group.
Cannot delete a group
The default group '<group-name>' cannot be deleted.
413
Aruba 2930M/F | Access Security Guide
User tries to delete a predefined group.
1. Do not attempt to delete a predefined group.
Unable to run a command
User is not authorized to execute this command. The user is not getting access to the command.
1. Superuser must execute the command show logging -r to check the sequencing of rules and arrange the rules in the proper sequence.
Unable to add a rule
User is unable to add a rule. Adding a new rule fails if the existing rules exceed the limit (1000).
1. If you have exceeded the limit, you can only add a new rule if you remove an existing rule.
aaa authorization group
Syntax
aaa authorization group <GROUPNAME> <SEQ-NUM> match-command {command | feature | policy} {deny | permit} [log] no aaa authorization group <GROUPNAME> <SEQ-NUM> match-command {command | feature | policy} {deny | permit} [log]
Description
Assigns rules to existing roles. Rules can be permitted or denied for a specified user.
Parameters
GROUPNAME The name of the role. SEQ-NUM When more than one rule matches the command entered, the rule with the lowest sequence number gets precedence over the other rules. command Indicates that the rule requires context level information to validate the command string following this parameter. feature Indicates that it is a feature related to a command set. A feature can have the following permissions:
n r: The read feature displays the configuration and maintenance information. For example, the display and show commands.
n w: The write feature configures the feature in the system. For example, the ACL and the OSPF configuration commands.
n x: The execute feature executes specific functions. For example, the ping and the copy commands.
There are 40 predefined features. Multiple features can be configured for a single role. When a feature is added to a role, the command rule entries are included automatically for all the commands for that feature.
Aruba 2930M/F | Access Security Guide
414
policy Indicates that it is a resource policy rule. There are two resource policies: VLAN and interface. deny The specified match-command is denied for the specified group. permit The specified match-command is permitted for the specified group. log Generates a log message in the show logging output for the rule that is permitted or denied.
Predefined features
Feature aaa arp cdp ping snmp radius syslog tacacs access-list vlan spanning-tree dhcp gvrp igmp router port-security dldp
Description AAA service-related commands. ARP protocol-related commands. Cisco Discovery Protocol-related commands. Network reachability test commands. SNMP related commands. Radius configuration and show commands. Syslog related commands. TACACS configuration and show commands. IP access list related commands. Virtual LAN related commands. Spanning Tree protocol-related commands. DHCP related commands. GVRP related commands. IGMP related commands. Routing related Commands. Port security related commands. DLDP related commands.
415
Aruba 2930M/F | Access Security Guide
Feature
Description
lldp
LLDP related commands.
crypto
Crypto related commands.
mac-access-list MAC related commands.
telnet
Telnet related commands.
smart-link group smart-link group related commands.
sntp
SNTP related commands.
mirror
Mirror diagnostic related commands.
rmon
RMON feature related commands.
interface
Interface related commands.
ip
IP related commands.
ipv6
IPv6 related commands.
qos
QoS related commands.
mesh
mesh related commands.
policy
classifier policy commands.
redundancy
Redundancy management related commands.
sflow
sFlow related commands.
rate-limit
Rate limit related commands.
trunk
Trunk related commands.
terminal
Terminal related commands.
tftp
TFTP related commands.
ssh
SSH related commands.
copy
copy related commands.
macsec
MAC security-related commands.
Aruba 2930M/F | Access Security Guide
416
Chapter 20 password complexity
password complexity
Syntax
password complexity [repeat-password-check|repeat-char-check|user-name-check|all]
no password complexity [repeat-password-check|repeat-char-check|user-name-check|all]
Description
The password complexity command configures complexity checks on a new user password. You can enable the Password Complexity feature only if the password control is enabled. Use the password configurationcontrol command to enable it. The no form of this command disables the configuration.
Parameters
repeat-password-check Configures the repeat password character check.
repeat-char-check Ensures that password does not contain three of the same characters used consecutively.
user-name-check Ensures that the password does not contain the associated username or its reverse form.
Restrictions
The password control must be enabled. Use the password configuration-control command to enable it.
Password complexity overview
Password Complexity enforces the use and configuration of a complex password, and offers more stringent password policies. This feature complies with the UCR-2008 standard for system passwords. Password Complexity performs checks while configuring the password and provides user alerts based on the configuration of the password expiration. By default, Password Complexity is disabled. The Password Complexity feature offers the following:
n Enable or disable password configuration and complexity features. n Configure minimum password length. n Configure password history specifications. Password modification requires re-authentication of user identity
where the old password is required to change the password. n Configure global as well as per user specific password aging interval. n Notification for password expiration (alert before expiry, at expiry, and grace period). n Configure additional number of subsequent logon attempts after password expiry. By default, three attempts
within a configurable grace period (default 30 days). n Minimum wait period before password change (default 24 hours).
Aruba 2930M/F | Access Security Guide
417
n When the user establishes a session for the first time, they are prompted to change the password and the session is denied if the user does not comply.
n Enabling or disabling the display of the last successful or unsuccessful log-on information
Password expiration periods
The Password Complexity feature includes the following expiration periods:
n Aging Period: The aging period is the password expire period. This is the validity period of the password. n Grace periods:
l The grace period before expiry: During this period, the user is informed of how many days are left for the password to expire.
l The grace period after expiry: During this period, the user is informed that the password has expired and how much more time is left after which the user will not be allowed to login if the password is not reconfigured.
Requirements
The requirements to enable the Password Complexity feature are as follows:
n The manager's password must be configured. It can be done using the password manager command. n The minimum length of the password must be set to a value greater than or equal to the sum-of-
compositions value. Since the sum of the default value of compositions is 8, the minimum length of the password must be at least 8. This can be set using the password minimum-length command. n The WebUI and REST interface must be disabled. Only the CLI can be used to configure the password.
The requirements to configure the password are as follows:
n Password consists of a minimum of eight characters using at least two characters from each of the four character sets: uppercase letters, lowercase letters, numbers, and special characters.
n Password cannot be the same value or the reverse form of the associated user ID. n Password cannot have three consecutive identical characters. n Password cannot be empty. n The new password must differ from the old password by at least four characters.
Limitations
n This feature is not supported on SNMP, REST, and next Gen UI. n You cannot edit netservices. n Configuration backup and restore are not supported by netedit-update command. n When net edit is in progress, ctrl+c is disabled. n netedit-update command is not a part of the AirWave template.
Configuring Password Complexity
Enable the Password Complexity feature
418
Aruba 2930M/F | Access Security Guide
Procedure
1. Set the minimum password length to at least 8. 2. The manager credentials must be configured. If they are not, use the password manager command to
create the password. 3. Enable the Password Complexity feature (Enable Password Complexity on page 419)
Configure the Password Complexity parameters
n Configure the password aging, history, and log-on details. (Configure the Password Complexity parameters on page 420)
n Configure the password minimum length (Configure password minimum length on page 420) n Configure the password composition (Configure password composition on page 421) n Configure complexity checks on a new user password (Configure Password Complexity Checks on page 421)
Viewing the password configuration
Procedure
To view the password configuration, e show password-configuration command. The Password Control parameter displays the status and parameters of the feature, either enabled or disabled.
show password-configuration
In this example, the password configuration is disabled and the minimum password length is 8.
switch# show password-configuration Global password control configuration
Password control Password history Number of history records Password aging Aging time Early notice on password expiration Minimum password update interval Expired user login Password minimum length User login details checking Password composition
Lower case Upper case Special character Number Repeat password checking Username checking Repeat characters checking
: Disabled : Disabled :8 : Disabled : 90 days : 7 days : 24 hours : 3 login attempts in 30 days :8 : Enabled
: 2 characters : 2 characters : 2 characters : 2 characters : Disabled : Disabled : Disabled
Enable Password Complexity
To enable the Password Complexity feature, enter the password configuration-control command.
Example
In this example, the WebUI is enabled and the user enters y to disable the WebUI and enable the Password Complexity feature.
Aruba 2930M/F | Access Security Guide
419
switch# password configuration-control The password configuration feature cannot be enabled when the WebUI is enabled. Would you like to disable WebUI and REST protocol? [y/n]: y
Configure the Password Complexity parameters
You can configure the Password Complexity parameters at any time but they will only take effect if the Password Complexity feature is enabled.
Example
In this example, we enable the aging and history parameters.
switch# password configuration aging switch# password configuration history
The Password history and Password aging are now enabled. We then set the aging parameter, aging-period, to 60 days:
switch# password configuration aging-period 60
The show password-configuration displays the configuration changes:
switch# show password-configuration Global password control configuration
Password control Password history Number of history records Password aging Aging time Early notice on password expiration Minimum password update interval Expired user login Password minimum length User login details checking Password composition
Lower case Upper case Special character Number Repeat password checking Username checking Repeat characters checking
: Enabled : Enabled :8 : Enabled : 60 days : 7 days : 24 hours : 3 login attempts in 30 days :8 : Enabled
: 2 characters : 2 characters : 2 characters : 2 characters : Disabled : Disabled : Disabled
Configure password minimum length
To configure the password minimum length, enter the password minimum-length command. The minimum password length must be equal or greater than the sum of the password composition. You can set the password minimum length for all users or per user.
Example
To configure the password minimum length to 10 for all users, enter: switch# password minimum-length 10
To configure the password minimum length to 10 for the operator user operatorABC only, enter:
switch# password operator user-name operatorABC minimum-length 10
420
Aruba 2930M/F | Access Security Guide
To configure the password minimum length to 10 for the local user localuserXYZ only, enter: switch# aaa authentication local-user localuserXYZ min-pwd-length 10
Configure password composition
To configure the password composition policy for all users, which includes the minimum number of characters from the set of lowercase letters, uppercase letters, special characters, and numbers, enter the password composition command. The minimum password length must be equal or greater than the sum of the password composition.
Example
In this example, we set the password special characters parameter to 3. switch# password composition specialcharacter 3
The show password-configuration command displays the configuration changes:
switch# show password-configuration Global password control configuration
Password control Password history Number of history records Password aging Aging time Early notice on password expiration Minimum password update interval Expired user login Password minimum length User login details checking Password composition
Lower case Upper case Special character Number Repeat password checking Username checking Repeat characters checking
: Enabled : Enabled :8 : Enabled : 60 days : 7 days : 24 hours : 3 login attempts in 30 days : 10 : Enabled
: 2 characters : 2 characters : 3 characters : 2 characters : Disabled : Disabled : Disabled
Configure Password Complexity Checks
To configure password complexity checks on a new user password, enter the password complexity command.
Example
In this example, we set the password complexity check to all, which includes repeat-password-check, repeatchar-check, and user-name-check.
switch# password complexity all
password configuration commands
Use the following password configuration commands to configure the Password Complexity feature:
Aruba 2930M/F | Access Security Guide
421
Command name password configuration
password configuration aging password configuration history
Description
Enables the aging, logon, and history checks. Configures aging and history parameters. You can configure the password parameters even if the password configuration feature is not enabled. But they will only take effect once the password configuration feature is enabled. The no option disables the Password Complexity configuration.
Enables the password configuration aging check. The no option disables aging.
Enables the password history check. After authentication, the history is updated. The history is also updated whenever there is reconfiguration of the password. Once the maximum number of configured entries are reached, the oldest entry is overwritten. The no option disables the history check.
password configuration log-on-details
Disables the display of user login details. The no option enables the same.
password configuration aging-period
Configures the global password aging time for a system. The no option sets the global aging time to the default value of 90 days.
password configuration alert-before-expiry
Specifies the number of days for which the user is warned of the pending password expiration. The default value is 7 days.
password configuration expired-user-login
Configures additional login attempts allowed or a delay period during which the user is allowed to login after the password expiry. The default value is 30 days. The maximum number of login attempts is 10, the default is 3.
password configuration update-interval-time Configures the minimum period of waiting, in hours, before an existing password can be changed.
password configuration history-record
Configures the maximum number of history password records for each user.
password minimum-length
Configures the minimum password length and completes the password configuration command. When changing the password for the manager, operator, and local management users, the new password must be at least the length of this parameter. The possible values are 0 to 64. The no option sets the minimum password length to the default value of 0. When the Password Complexity feature is enabled, the minimum password length is 15 for the manager user
and 8 for all other users, including the operator. The
range is 15 to 64 for the manager and 8 to 64 for all other users.
422
Aruba 2930M/F | Access Security Guide
password configuration-control
The password configuration-control command globally enables or disables the Password Complexity feature.
Syntax
password configuration-control no password configuration-control
Description
Enables the Password Complexity feature to follow the UCR-2008 standard. The no option disables the password complexity feature.
Parameter
no Disables the Password Complexity feature.
Limitations
This command has the following prerequisites:
n The manager's password must be configured. You can configure the manager's password using the password manager command.
n You must set the minimum length of the password to a value greater than or equal to the sum-of-compositions. Since the sum of the default value of compositions is 8, the minimum length of the password must be at least 8. You can set this value with the password minimum-length command.
n The WebUI and REST interface must be disabled.
password configuration
The password configuration command enables the aging, logon, and history checks and configures the aging and history parameters. The no option disables the password configuration feature.
Syntax
password configuration [aging | history | log-on-details | aging-period <aging-time> | alert-before-expiry <alert-time> | expired-user-login [days <delay> ] [attempts <time> ] | update-interval-time <time> | history-record <max-record-num>
no password configuration [aging | history | log-on-details | aging-period <aging-time> | alert-before-expiry <alert-time> | expired-user-login [days <delay> ] [attempts <time> ] |
Aruba 2930M/F | Access Security Guide
423
update-interval-time <time> | history-record <max-record-num>]
Parameters
aging Enables the password configuration aging check.
history Enables the password history check.
log-on-details Disables execution of the show authentication last-login command to display the logon details.
aging-period Configures the password aging time for a system.
alert-before-expiry Sets the number of days before password aging during which the user is warned of the pending password expiration.
expired-user-login Configures additional login attempts within a specified period during which a user is allowed to access the switch without changing an expired password.
update-interval-time The period of waiting, in hours, before an existing password can be changed.
history-record Configures the maximum number of history password records for each user.
no Disables the password configuration feature.
attempts The number of subsequent login attempts allowed after the password expiry. Possible values are 0 to 10, the default value is 3.
days The period during which subsequent login attempts are allowed after the password expiry. Possible values are 1 to 90, the default value is 30 days.
update-interval-time <time> The minimum period of waiting, in hours, before an existing password can be updated. Possible values are 0 to 168, the default value is 24 hours.
max-record-num Maximum number of history password records. Possible values are 2 to 15 for each user, the default value is 8.
aging-time Password aging time, in days. Possible values are 1 to 365, the default value is 90 days.
alert-time Sets the number of days before password aging during which the user is warned of the pending password expiration. The no option sets the alert time to the default value of 7.
424
Aruba 2930M/F | Access Security Guide
password minimum-length
Syntax
password minimum-length <length> no password minimum-length <length>
Description
Configures the minimum password length. When changing the password for the manager, operator, or local management users, the new password must be at least the length of this parameter. The no form of this command sets the minimum password length to the default value of 0. If the Password Complexity feature is disabled, the length parameter is set to 0. The manager minimum password length is 15.
Parameter
length When the Password Complexity feature is enabled, the minimum password length is 15 for the manager user and 8 for all other users, including the operator. The range is 15 to 64 for the manager and 8 to 64 for all other users.
show password-configuration
Syntax
show password-configuration [manager | operator | [group <group_name>]] <user_name>
Description
The show password-configuration command displays the global password information for all users as well as for a particular user.
Parameters
manager Displays the password configuration for the manager user.
operator Displays the password configuration for the operator user.
group Displays the password configuration for the group user.
Example input
switch# show password-configuration manager ABCD
Example output
password settings for the user: Aging time: Minimum password length:
10 days 15
Global password control configurations:
Password control:
Enabled
Aruba 2930M/F | Access Security Guide
425
Password history: Number of history records:
Enabled 8
Password aging:
Enabled
Aging time:
80 days
Early notice on password expiration: 7 days
Minimum password update interval: 24 hours
Expired user login:
3 login attempts in 30 days
Password composition:
Lower case:
2 characters
Upper case:
2 characters
Special character:
2 characters
Number :
2 characters
Repeat password checking:
Enabled
Username checking:
Enabled
Repeat characters checking:
Enabled
password
Syntax
password [manager|operator] [user-name ASCII-STR] [{{plaintext|sha1} ASCII-STR} | {min-pwd-length{length}} | {aging-period {value}} | {clear-history-record}}]
no password [manager|operator] [user-name ASCII-STR] [{{plaintext|sha1} ASCII-STR} | {min-pwd-length{length}} | {aging-period {value}} | {clear-history-record}}]
Description
Configures the local password and username for an access level. If no password is specified on the command line, the user will be prompted for the new password and for confirmation. The port-access password is only configurable when include-credentials is enabled. The no form of this command removes the specified password.
Parameters
aging-period Configures the password aging time for a user. This will override the global set value. The no option applies the global aging time to the user password expiry. Password aging time, in days. Possible values are 1 to 365, the default value is 90 days.
clear-history-record Clears history records of passwords for a user. The no option results in no change.
min-pwd-length Configures the minimum password length for a user. The no option applies the default minimum length to the user. If the Password Complexity feature is enabled, the default minimum password length is 15 for a manager user and 8 for all other users.
plaintext
426
Aruba 2930M/F | Access Security Guide
Prompts for a plaintext password. The password can have a maximum of 64 characters. It must not contain spaces and is case-sensitive. Plaintext is the default type.
aaa authentication local-user
Syntax
aaa authentication local-user <USERNAME> {{group <GROUPNAME> password {plaintext|sha1 <PASSWORD> }}| {aging-period <aging-time> } | {min-pwd-length <length> } | {clear-password-history}}
no aaa authentication local-user <USERNAME> {{group <GROUPNAME> password {plaintext|sha1 <PASSWORD> }}| {aging-period <aging-time> } | {min-pwd-length <length> } | {clear-password-history}}
Description
Configures the aging period, minimum password length, and clear password history for a local user.
Parameters
local-user The local user being added to the authorization group. The username can be up to 16 characters. The username must not contain spaces and should be case-sensitive.
group Name of the authorization group to which the local user belongs. This must be a pre-existing group.
aging-period Configures the password aging time in days for a user. Possible values are 1 to 365. The default value is 90 days. The no option applies the global aging time for the user.
min-pwd-length Configures the password minimum length for a user. Possible values are 1 to 64. The default value is 8 characters. The no option applies the default minimum length for the user.
clear-password-history Clears the password history for a user. The no option does not have any affect.
password complexity
Syntax
password complexity [repeat-password-check|repeat-char-check|user-name-check|all]
no password complexity [repeat-password-check|repeat-char-check|user-name-check|all]
Description
The password complexity command configures complexity checks on a new user password. You can enable the Password Complexity feature only if the password control is enabled. Use the password configurationcontrol command to enable it. The no form of this command disables the configuration.
Aruba 2930M/F | Access Security Guide
427
Parameters
repeat-password-check Configures the repeat password character check.
repeat-char-check Ensures that password does not contain three of the same characters used consecutively.
user-name-check Ensures that the password does not contain the associated username or its reverse form.
Restrictions
The password control must be enabled. Use the password configuration-control command to enable it.
password composition
Syntax
password composition [lowercase | uppercase | specialCharacter | number] <value>
Description
Configures the password composition policy for all users. This includes the minimum number of characters from the set of lowercase letters, uppercase letters, special characters, and numbers.
Parameters
lowercase Minimum number of lowercase characters. The default value is 2. Possible values are 2 to 15.
uppercase Minimum number of uppercase characters. The default value is 2. Possible values are 2 to 15.
specialCharacter Minimum number of special characters. The default value is 2. Possible values are 2 to 15.
number Minimum number of number character type. The default value is 2. Possible values are 2 to 15.
Troubleshooting
Unable to enable Password Complexity
Symptom
Getting an error when trying to enable the Password Complexity feature.
Cause
The username must be unique on the switch when the Password Complexity feature is enabled.
Action
Select a unique username.
428
Aruba 2930M/F | Access Security Guide
Unable to download the configuration file
Symptom
Getting an error message when trying to download the configuration file.
Cause
When the password complexity feature is enabled, the configuration file that you are downloading must have a unique username for each privilege.
Action
Edit the configuration file to make sure that the usernames are unique for each privilege.
Display messages
Validation Error/Warning/Prompt
First time log-on, the user is prompted for entering new password along with old password.
Please change the password to logon to the system. Old password: ******** New password: ******** Re-enter the new password: ********
First time log-on, if the user fails to change the password the following error message is displayed.
The respective error message related to password validation will be displayed and the existing session termination message is displayed.
When the value of the alert before expiry is configured greater than the aging value.
Alert before expiry is greater than password aging value.
When the user is not configured on the switch.
Password configuration feature is enabled. Configure the password for the user `admin' to get access.
Aruba 2930M/F | Access Security Guide
429
Validation Error/Warning/Prompt
When a password aging time is about to expire a warning message is displayed.
Password ages out in %d day(s). Change it now [Y/Any key - No]?
If yes, the user will be prompted: Old password: ******** New password: ************* Re-enter the new password: *************
If the new password configuration fails, then the error message will be prompted and the user will be provided the access:
Password cannot be changed. It must have special characters, A-Z, a-z & 09. Your previous successful login (as manager) was on 1990-01-01 07:57:24 from the console switch#
When a password aging time expires, and the password is still not updated with the user still within the configured login attempt and period the following warning message is displayed.
Password expired; %d login left in %d day(s). Change it now [Y/Any key - No]?
If yes, the user will be prompted: Old password: ******** New password: ************* Re-enter the new password: *************
If the new password configuration fails, then the error message will be prompted and the user will be provided the access:
Password cannot be changed. It must have special characters, A-Z, a-z & 09.
Your previous successful login (as manager) was on 1990-01-01 07:57:24 from the console
switch#
When a password aging time expires and all the additional login attempts are exhausted, a warning message is displayed with a prompt for entering the new password.
Password grace period is complete. Please change password. Old password: ******** New password: ******** Re-enter the new password: ********
If the above entry fails, the respective error message related to password validation will be displayed and the existing session termination message is displayed.
430
Aruba 2930M/F | Access Security Guide
Chapter 21 Configuring Secure Shell (SSH)
Configuring Secure Shell (SSH)
Overview
The switches covered in this guide use Secure Shell version 2 (SSHv2) to provide remote access to management functions on the switches via encrypted paths between the switch and management station clients capable of SSH operation. SSH provides Telnet-like functions but, unlike Telnet, SSH provides encrypted, authenticated transactions. The authentication types include:
n Client public-key authentication n Switch SSH and user password authentication
SSH in switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com.
Secure Shell for IPv4 and IPv6
Secure Shell (SSH) for IPv4 and IPv6 operate simultaneously with the same command set. Both are enabled in the default configuration, and are controlled together by the same command set. SSH for IPv6 provides the same Telnet-like functions through encrypted, authenticated transactions as SSH for IPv4. SSH for IPv6 provides CLI (console) access and secure file transfer functionality. The following types of transactions are supported:
n Client public-key authentication: Public keys from SSH clients are stored on the switch. Access to the switch is granted only to a client whose private key matches a stored public key.
n Password-only client authentication: The switch is SSH-enabled but is not configured with the login method that authenticates a client's public-key. Instead, after the switch authenticates itself to a client, users connected to the client authenticate themselves to the switch by providing a valid password that matches the operator- and/or manager-level password configured and stored locally on the switch or on a RADIUS or TACACS+ server.
n Secure Copy (SCP) and Secure File Transfer Protocol (SFTP) client applications: You can use either one SCP session or one SFTP session at a given time to perform secure file transfers to and from the switch.
By default, SSH is automatically enabled for IPv4 and IPv6 connections on a switch. Use the ip ssh command options to reconfigure the default SSH settings used in SSH authentication for IPv4 and IPv6 connections:
n TCP port number n timeout period n file transfer n MAC type n cipher type n listening port n key exchange algorithm
Aruba 2930M/F | Access Security Guide
431
ip ssh
Syntax
ip ssh no ip ssh
Description
Enables SSH on the switch for both IPv4 and IPv6, and activates the connection with a configured SSH server. The no form of the command disables SSH on the switch.
Command context
config
Parameters
rekey {time <time> | volume <volume>} Enable SSH key re-exchange. To comply with RFC 4251, session rekeying ensures that either the SSH server or the SSH client initiates a rekey. This results in a new set of encryption and integrity keys to be exchanged between them. Once the rekey is complete, new keys are used for further communication, which ensures that the same key is not used for a long duration and the security of the session is maintained.
SSH rekeying is available only on switches running KB, WC and YC softwares.
Valid options are:
n time <time>--Sets the time in minutes for rekey initiation; the range is 10 to 60. n volume <volume>--Sets the volume in KB for rekey initiation; the range is 100-1048576. The default is
1048576 KB.
Use the no form of the command to disable SSH rekeying and set the time to default value of 10 minutes. cipher cipher-type Specifies a cipher type to be used for the connection. Valid types are:
n aes128cbc n 3des-cbc n aes192cbc n aes256cbc n rijndael-cbc@lysator.liu.se n aes128ctr n aes192ctr n aes256ctr
Default: All cipher types are available. Use the no form of the command to disable a cipher type. filetransfer Enables SSH on the switch to connect to an SCP or SFTP client application to transfer files to and from the switch over IPv4 or IPv6.
432
Aruba 2930M/F | Access Security Guide
Default: Disabled
Enabling filetransfer automatically disables TFTP client and TFTP server functionality.
kex Enables SSH Key Exchange (KEX) algorithms on the switch connection with a configured SSH server. Valid types include:
n ecdh-sha2-nistp256 n ecdh-sha2-nistp384 n ecdh-sha2-nistp521 n diffie-hellman-group-exchange-sha256 n diffie-hellman-group14-sha1
Default: All key exchange algorithms are enabled. Use the no form of the command to disable SSH KEX algorithms on the switch. mac <MAC-type> Enables the type of Message Authentication Code (MAC) to be used. Valid MAC types include:
n hmac-md5 n hmac-sha1 n hmac-sha196 n hmac-md596 n hmac-sha2-256
Default: All MAC types are available. Use the no form of the command to disable a MAC type. port [1 - 65535|default] TCP port number used for SSH sessions in IPv4 and IPv6 connections. Default: 22 Valid port numbers are from 1 to 65535, except for port numbers 23, 49, 80, 280, 443, 1506, 1513, and 9999, which are reserved for other subsystems. public-key [manager|operator]keystring Stores a client-generated key for public-key authentication. manager Allows manager-level access using SSH public-key authentication. operator Allows operator-level access using SSH public-key authentication. keystring A legal SSHv2 (RSA or DSA) public key. The text string for the public key must be a single-quoted token. If the keystring contains double quotes, it can be quoted with single quotes ('key-string'). The following restrictions are applicable for a keystring:
n A keystring cannot contain both single and double quotes. n A keystring cannot have extra characters, such as a blank space or a new line. (To improve readability, you
can add a backslash at the end of each line.)
Aruba 2930M/F | Access Security Guide
433
timeout 5 - 120 Time out value allowed to complete an SSH authentication and login on the switch. Default: 120 seconds. listen [oobm|data|both] The listen parameter is available only on switches that have a separate OOBM port. Values for this parameter are: oobm Inbound SSH access is enabled only on the OOBM port. data Inbound SSH access is enabled only on the data ports. both Inbound SSH access is enabled on both the OOBM port and on the data ports. This is the default value.
Restrictions
For both IPv4 and IPv6, the switch supports only SSH version 2. You cannot set up an SSH session with a client device running SSH version 1. The listen parameter is not available on switches that do not have a separate OOBM port.
Examples
Use the following command to initiate rekeying every 45 minutes switch(config)# ip ssh rekey time 45
Initiate rekeying every 45 minutes. Use the following command to reset the rekey time
switch(config)# no ip ssh rekey time
Reset the configured time to the default value (60 minutes). Use the following command to initiate rekeying after a specific data transfer
switch(config)# ip ssh rekey volume 2000
Initiate rekeying after every 2000 KB of data is transferred. Use the following command to reset the data transfer volume
switch(config)# no ip ssh rekey volume
Reset the configured volume to the default value (1048576 KB).
show ip ssh
Syntax
show ip ssh
Description
To verify an SSH configuration and display all SSH sessions running on the switch, enter the show ip ssh command. Information on all current SSH sessions (IPv4 and IPv6) is displayed.
Restrictions
434
Aruba 2930M/F | Access Security Guide
With SSH running, the switch supports one console session and up to five other SSH and Telnet (IPv4 and IPv6) sessions. WebAgent sessions are also supported, but are not displayed in show ip ssh output.
Example
Switch(config)# show ip ssh
SSH Enabled
: Yes
Secure Copy Enabled : No
TCP Port Number
: 22
Timeout (sec)
: 120
Rekey Enabled
: No
Rekey time (min) : 60
Rekey Volume (KB) : 1048576
Host Key Type
: RSA
Host Key Size
: 2048
Ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-
ctr,aes192-ctr,aes256-ctr
MACs : hmac-sha2-256,hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
Kex
: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-
exchange-sha256,
diffie-hellman-group14-sha1
Ses Type
| Source IP
Port
--- -------- + ---------------------------------------- -----
1 console |
2 ssh
| 10.168.31.114
1722
3 inactive |
4 inactive |
5 inactive |
6 inactive |
show ip ssh strict
Syntax
show ip ssh strict
Description
Displays both current SSH configuration and the status of active SSH connections. n This command displays Inbound SSH sessions on the switch. n This command does not display Active/Standby console sessions or Active/Stack-member sessions.
Example
Output for show ip ssh and show ip ssh strict with SSH and Telnet clients Switch(config)# show ip ssh
SSH Enabled
: Yes
Secure Copy Enabled : No
TCP Port Number
: 22
Timeout (sec)
: 120
Rekey Enabled
: No
Rekey time (min)
: 60
Rekey Volume (KB) : 1048576
Host Key Type
: RSA
Host Key Size
: 2048
Ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-
ctr,aes192-ctr,aes256-ctr
MACs : hmac-sha2-256,hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
Kex
: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-
exchange-sha256,
diffie-hellman-group14-sha1
Ses Type
| Source IP
Port
--- -------- + ---------------------------------------- -----
1 console |
2 ssh
| 10.168.31.114
1722
Aruba 2930M/F | Access Security Guide
435
3 inactive | 4 inactive | 5 inactive | 6 inactive |
Switch(config)# show ip ssh strict
SSH Enabled
: Yes
Secure Copy Enabled : No
TCP Port Number
: 22
Timeout (sec)
: 120
Rekey Enabled
: No
Rekey time (min)
: 60
Rekey Volume (KB) : 1048576
Host Key Type
: RSA
Host Key Size
: 2048
Ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-
ctr,aes192-ctr,aes256-ctr
MACs : hmac-sha2-256,hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
Kex
: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-
exchange-sha256,
diffie-hellman-group14-sha1
Ses Type
| Source IP
Port
--- -------- + ---------------------------------------- -----
2 ssh
| 10.168.31.114
1722
The command excludes the Telnet session and displays the inbound SSH sessions on the switch.
ip ssh filetransfer
Syntax
ip ssh filetransfer no ip ssh filetransfer
Description
Enables SSH on the switch to connect to an SCP or SFTP client application to transfer files to and from the switch. Use the no ip ssh filetransfer command to disable the switch's ability to perform secure file transfers with an SCP or SFTP client, without disabling SSH on the switch.
Command context
config
Client public-key authentication (login/operator level) with user password authentication (enable/manager level)
This option uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch, and the same private key can be stored on one or more clients.
Figure 79 Client public-key authentication model
436
Aruba 2930M/F | Access Security Guide
Switch SSH and user password authentication
This option is a subset of full certificate authentication of the client public-key authentication shown in Client public-key authentication (login/operator level) with user password authentication (enable/manager level) on page 436. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client's key. As in Client public-key authentication (login/operator level) with user password authentication (enable/manager level) on page 436, the switch authenticates itself to SSH clients. Users on SSH browser then authenticate themselves to the switch (login and/or enable levels) by providing passwords stored locally on the switch or on a TACACS+ or RADIUS server. However, the client does not use a certificate to authenticate itself to the switch.
Figure 80 Switch/user authentication
Prerequisite for using SSH
Before using the switch as an SSH server, install a publicly or commercially available SSH client application on the computers to be used for management access to the switch. For client public-key authentication the client program must have the capability to generate or import keys, see Client public-key authentication (login/operator level) with user password authentication (enable/manager level) on page 436 for more details.
Public key formats
Any client application used for client public-key authentication with the switch must have the capability to export public keys. The switch can accept keys in the PEM-encoded ASCII format or in the non-encoded ASCII format.
Figure 81 Public key in PEM-encoded ASCII format common for SSHv2 clients
Steps for configuring and using SSH for switch and client authentication
For two-way authentication between the switch and an SSH client, you must use the login (operator) level.
Procedure
A. Client preparation
1. Install an SSH client application on a management station to be used for access to the switch. (See the documentation provided with your SSH client application.)
Aruba 2930M/F | Access Security Guide
437
2. OptionalIf you want the switch to authenticate a client public key on the client: a. Either generate a public/private key pair on the client computer (if your client application allows) or import a client key pair generated using another SSH application.
b. Copy the client public key into an ASCII file on a TFTP server accessible to the switch and download the client public-key file to the switch. The client public-key file can hold up to 10 client keys. This topic is covered under Creating a client public-key text file on page 454.
B. Switch preparation
3. Assign a login (operator) and enable (manager) password on the switch, see Configuring the switch for SSH operation on page 440 for details.
4. Generate a public/private key pair on the switch, see Configuring the switch for SSH operation on page 440 for details. You need to do this only once. The key remains in the switch even if you reset the switch to its factorydefault configuration. You can remove or replace this key pair, if necessary.
5. Copy the switch public key to the SSH clients you want to access the switch, see for more details. 6. Enable SSH on the switch, see Configuring the switch for SSH operation on page 440 for more details. 7. Configure the primary and secondary authentication methods for the switch to use. In all cases, the switch
will use its host public key to authenticate itself when initiating an SSH session with a client. n SSH Login (operator) options:
If you want the switch to perform client public-key authentication, you must configure the switch with Option B.
l Option A: Primary: Local, TACACS+, or RADIUS password Secondary: Local password or none.If the primary option is local, the secondary option must be none.
l Option B: Primary: Client public-key authentication (SSH client public-key authentication notes on page 453) Secondary: none
n SSH Enable (manager) options: Primary: Local, TACACS+, or RADIUS Secondary: Local password or none. If the primary option is local, the secondary option must be none.
8. Use your SSH client to access the switch using the switch IP address or DNS name (if allowed by your SSH client application). See the documentation provided with the client application.
438
Aruba 2930M/F | Access Security Guide
SSH options
Table 32: Table 31: SSH options
Switch
Primary SSH
access level authentication
Authenticate switch public key to SSH clients?
Authenticate client public key to the switch?
Primary switch password authentication
operator (login)level
ssh login rsa
Yes
ssh login Local Yes
Yes1
No1
No
Yes
ssh login
Yes
No
Yes
TACACS
ssh login
Yes
No
Yes
RADIUS
manager
ssh enable local Yes
No
Yes
(enable)level
ssh enable
Yes
No
Yes
tacacs
ssh enable
Yes
No
Yes
radius
Secondary switch password authentication local or none none local or none
local or none
none local or none
local or none
General operating rules and notes
n Public keys generated on an SSH client must be exportable to the switch. The switch can store 10 client key pairs.
n The switch public/private key pair and the (optional) client public-key file are stored permanently in the switch memory and are unaffected by the erase startup-config command.
n Once you generate a key pair on the switch, you must avoid regenerating the key pair without a compelling reason. Otherwise, you must reintroduce the switch public key on all management stations (clients) you previously set up for SSH access to the switch. This can temporarily allow security breaches.
n The switch does not support outbound SSH sessions. Thus, if you Telnet from an SSH-secure switch to another SSH-secure switch, the session is not secure.
n With SSH running, the switch allows one console session and up to five other sessions (SSH and/or Telnet).
1For ssh login public key, the switch uses client public-key authentication instead of the switch password options for primary authentication.
Aruba 2930M/F | Access Security Guide
439
Configuring the switch for SSH operation
1. Assign a local login (operator) and enable (manager) password. It is recommended that you always assign at least a manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch configuration. You can configure both the operator and manager password with one command. password <manager|operator|all>
switch(config)# password all New password for operator: ******** Please retype new password for operator: ******** New password for manager: ******* Please retype new password for manager: *******
2. Generate the switch public and private key pair. See Generating or erasing the switch public/private host key pair on page 440.
3. Provide the switch public key to clients. See Providing the switch public key to clients on page 443.
4. Enable SSH on the switch and anticipate SSH client contact behavior. 5. Configure the switch for SSH authentication.
See Configuring the switch for SSH authentication on page 445. 6. Use an SSH client to access the switch.
Test the SSH configuration on the switch to ensure that you have the level of SSH operation needed for the switch. If you have problems, see "RADIUS-related problems" in the Management and Configuration Guide for your switch.
Generating or erasing the switch public/private host key pair
A public and private host key pair must be generated on the switch. The switch uses this key pair along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch. The host key pair is stored in the switch flash memory, and only the public key in this pair is readable. The public key should be added to a "known hosts" file (for example, $HOME/.ssh/known_hosts on UNIX systems) on the SSH clients which should have access to the switch. Some SSH client applications automatically add the switch public key to a "known hosts" file. Other SSH applications require you to manually create a known hosts file and place the switch public key in the file. See the documentation for your SSH client application for more details. (The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.)
440
Aruba 2930M/F | Access Security Guide
When generating a host key pair on the switch, the switch places the key pair in flash memory and not in the running-config file. Also, the switch maintains the key pair across reboots, including power cycles. Consider this key pair to be "permanent" and avoid re-generating the key pair without a compelling reason. Otherwise, you must re-introduce the switch public key on all management stations you have set up for SSH access to the switch using the earlier pair.
Removing (zeroing) the switch public/private key pair renders the switch unable to engage in SSH operation and automatically disables IP SSH on the switch. To verify whether SSH is enabled, execute show ip ssh. However, any active SSH sessions will continue to run, unless explicitly terminated with the CLI kill command.
Because the host key pair is stored in flash instead of the running-config file, it is not necessary to use write memory to save the key pair. Erasing the key pair automatically disables SSH.
Procedure
n To generate the key, enter the appropriate crypto key generate command. For the complete syntax, see crypto key generate on page 441.
n To show the key, enter the show crypto host-public-key command. For the complete syntax, see show crypto host-public-key on page 442. If you compare switch key to the key stored in your client's known-hosts file, note that the formatting and comments need not match.
n To erase the key, enter the appropriate zeroize command.
zeroize
Syntax
zeroize <ssh|cert>
Description
Erases the switch public/private key pair and disables SSH operation.
crypto key generate
Syntax
crypto key generate <cert[rsa] <keysize>|[ssh][dsa|rsa]bits <keysize>>
Description
Installs authentication files for ssh or https server.
Parameters
cert Install RSA key for https certificate. Use your SSL enabled browser to access the switch using the switch IP address or DNS name (if allowed by your browser). See the documentation provided with the browser application for more information.
ssh [dsa|rsa] Install host key for ssh server. Specify the key type as DSA or RSA.
Aruba 2930M/F | Access Security Guide
441
bits <keysize> Specify the key size (in bits). The crypto key generate ssh command allows you to specify the type and length of the generated host key. If <keysize> is not specified, the default value is used.
show crypto host-public-key
Syntax
show crypto host-public-key [babble|fingerprint]
Description
Displays switch public key. Displays the version 1 and version 2 views of the key. If no options are specified, the key is displayed in a nonencoded ASCII numeric string. See SSH client public-key authentication for information about public keys saved in a configuration file.
Parameters
babble Displays hashes of the switch public using phonetic format, displayed as a short series of alphabetic character groups.
fingerprint Displays fingerprints of the switch public key using hexadecimal format.
Example
Zeroization
Certificate and key removal is discussed as part of the no form of each certificate installation command above. The no forms described above delete certificates and keys. The "Zeroize" command simply deletes (unlinks) key files. Full file system zeroization is performed by following with FIPS/Secure Mode commands. The no form is supported only for TA profile and identity profile. It is not supported for local certificate. Zeroization erases keys and related PKI data such as CSRs and TA profiles from the file system. Syntax: crypto pki zeroize This command returns crypto pki configuration to the factory default state by deleting all certificates and related private keys. The Trust Anchor profile and switch identity profile configurations are also removed. zeroize
Removes all pki configuration, including profiles, certificates and keys.
The no form is not available for the certificate command. To remove a certificate from the switch, use the clear command.
442
Aruba 2930M/F | Access Security Guide
Displaying the public key
The switch provides three options for displaying its public key. This is helpful if you need to visually verify that the public key the switch is using for authenticating itself to a client matches the copy of this key in the client's "known hosts" file:
n Non-encoded ASCII numeric string: Requires a client ability to display the keys in the "known hosts" file in the ASCII format. This method is tedious and error-prone due to the length of the keys. See Providing the switch public key to clients on page 443. The switch always uses an ASCII version of its public key, without babble or fingerprint conversion, for file storage and default display format.
n Phonetic hash: Outputs the key as a relatively short series of alphabetic character groups. Requires a client ability to convert the key to this format.
n Hexadecimal hash: Outputs the key as a relatively short series of hexadecimal numbers. Requires a parallel client ability.
Procedure
Enter the show crypto host-public-key command. For example, on the switch, generate the phonetic and hexadecimal versions of the switch public key as follows:
Figure 82 Visual phonetic and hexadecimal conversions of the switch public key
The two commands shown in example convert the displayed format of the switch (host) public key for easier visual comparison of the switch public key to a copy of the key in a client's "known host" file. The switch has only one RSA host key.
The babble and fingerprint options produce two hashes for the key that corresponds to the challenge hash you will see if connecting with a v1 client, and the other corresponding to the hash you will see if connecting with a v2 client. These hashes do not correspond to different keys, but differ only because of the way v1 and v2 clients compute the hash of the same RSA key.
Providing the switch public key to clients
When an SSH client contacts the switch for the first time, the client will challenge the connection unless you have already copied the key into the client's "known host" file. Copying the switch key in this way reduces the chance that an unauthorized device can pose as the switch to learn your access passwords. The most secure way to acquire the switch public key for distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below. The public key generated by the switch consists of three parts, separated by one blank space each:
Aruba 2930M/F | Access Security Guide
443
Figure 83 A public key generated by the switch
Prerequisites
n A direct serial connection from a management station to the switch. n A terminal application such as HyperTerminal
Procedure
1. Use a terminal application such as HyperTerminal to display the switch public key with the show crypto host public-key command, see Displaying the public key on page 443.
2. Bring up the SSH client's "known host" file in a text editor such as Notepad as straight ASCII text, and copy the switch public key into the file.
3. Ensure that there are no changes or breaks in the text string. A public key must be an unbroken ASCII string. Line breaks are not allowed (changes in the line breaks will corrupt the Key.) For example, if you are using Windows® Notepad, ensure that Word Wrap (in the Edit menu) is disabled, and that the key text appears on a single line. Figure 84 Example of a correctly formatted public key
4. Add any data required by your SSH client application. For example, before saving the key to an SSH client's "known hosts" file you may have to insert the switch IP address: Figure 85 Example of a switch public key edited to include the switch's IP address
For more on this topic, see the documentation provided with your SSH client application.
Enabling SSH on the switch and anticipating SSH client contact behavior
When configured for SSH, the switch uses its host public key to authenticate itself to SSH clients. For SSH clients to authenticate themselves to the switch, configure SSH on the switch for client public-key authentication
444
Aruba 2930M/F | Access Security Guide
at the login (operator) level. To enhance security also configure local, TACACS+, or RADIUS authentication at the enable (manager) level. See Configuring the switch for SSH authentication and SSH client contact behavior.
Prerequisites
The public/private key pair for switch must have been generated. See Generating or erasing the switch public/private host key pair.
Procedure
Execute the ip ssh command. For the complete syntax, see ip ssh.
Protect your private key file from access by anyone other than yourself. If someone can access your private key file, they can penetrate SSH security on the switch by appearing to be you.
SSH does not protect the switch from unauthorized access via the WebAgent, Telnet, SNMP, or the serial port. While WebAgent and Telnet access can be restricted by the use of passwords local to the switch, if you are unsure of the security this provides, you may want to disable web-based and/or Telnet access (no web-management and no Telnet). If you need to increase SNMP security, use SNMP version 3 only. To increase the security of your web interface see the section on SSL. For an additional security measure, see the authorized IP managers feature in the management and configuration guide for your switch. To protect against unauthorized access to the serial port (and the Clear button, which removes local password protection), keep physical access to the switch restricted to authorized personnel.
Disabling SSH on the switch
Procedure
1. Do one of the following: n Execute the no ip ssh command (see ip ssh) n Zeroize the switch existing key pair (see Generating or erasing the switch public/private host key pair on page 440 )
Configuring the switch for SSH authentication
Either method you choose for this task results in authentication of the switch public key by an SSH client. However only Option B results in the switch also authenticating the client's public key. See also SSH client public-key authentication notes on page 453.
1. Use one of the following options to configure the switch for SSH authentication n Option A: Configuring SSH access for password-only SSH authentication on page 446 When configured with this option, the switch uses its public key to authenticate itself to a client, but uses only passwords for client authentication. n Option B: Configuring the switch for client Public-Key SSH authentication on page 446 When configured with this option, the switch uses its public key to authenticate itself to a client, but the client must also provide a client public key for the switch to authenticate. This option requires the additional step of copying a client public-key file from a TFTP or SFTP server into the switch.
Aruba 2930M/F | Access Security Guide
445
Using this option results in the switch also authenticating the client's public key.
Option A: Configuring SSH access for password-only SSH authentication
When configured with this option, the switch uses its public key to authenticate itself to a client, but uses only passwords for client authentication.
It is recommended that you always assign a manager-level (enable) password to the switch. Without this level of protection, any user with Telnet, web, or serial port access to the switch can change the switch configuration. If you configure only an operator password, entering the operator password through telnet, web, ssh or serial port access enables full manager privileges. See step on page 440.
Procedure
1. Configure a password method for the primary and secondary login (operator) access. If you do not specify an optional secondary method, it defaults to none. If the primary method is local, the secondary method must be none. The authorized option allows access without authentication. aaa authentication ssh login <local|tacacs|radius|[public-key>] [<local|none|authorized>]
2. Configures a password method for the primary and secondary enable (manager) access. If you do not specify an optional secondary method, it defaults to none. If the primary method is local, the secondary method must be none. The authorized option allows access without authentication. aaa authentication ssh enable <local|tacacs|radius|public-key> [<local|none|authorized>]
Option B: Configuring the switch for client Public-Key SSH authentication
Before you can use this option, you must do the following:
1. Create a key pair on an SSH client. 2. Copy the client's public key into a public-key file (which can contain up to 10 client public keys.) 3. Copy the public-key file into a TFTP or SFTP server accessible to the switch and download the file to the
switch.
Using this option results in the switch also authenticating the client's public key. If configured with this option, the switch uses its public key to authenticate itself to a client, but the client must also provide a client public key for the switch to authenticate. This option requires the additional step of copying a client public-key file from a TFTP or SFTP server into the switch. With the prerequisite steps complete and SSH properly configured on the switch, if an SSH client contacts the switch, login authentication automatically occurs first, using the switch and client public keys. After the client gains login access, the switch controls client access to the manager level by requiring the passwords configured earlier by the aaa authentication ssh enable command.
446
Aruba 2930M/F | Access Security Guide
Hewlett Packard Enterprise recommends that you always assign a manager-level (enable) password to the switch. Without this level of protection, any user with Telnet, web, or serial port access to the switch can change the switch configuration. If you configure only an operator password, entering the operator password through telnet, web, ssh or serial port access enables full manager privileges. See Configuring the switch for SSH operation on page 440.
1. Copy the public-key file into the switch. copy tftp pub-key-file < ip-address > < filename >
2. Configure the switch to authenticate a client public key at the login level with an optional secondary password method. aaa authentication ssh login public-key
Default: none
3. Configure a password method for the primary and secondary enable (manager) access. If you do not specify an optional secondary method, it defaults to none. aaa authentication ssh enable <local|tacacs|radius> <local|none>
If the primary access method is local, you can only specify none for a secondary access method.
The configuration of SSH clients' public keys is stored in flash memory on the switch. You also can save SSH client public-key configurations to a configuration file by entering the following commands:
1.
include-credentials
2.
write memory
For more information about saving security credentials to a configuration file, see Saving security credentials in a config file.
Configuring for SSH access requiring a client public-key match and manager passwords Assume you have a client public-key file named Client-Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the switch:
n For SSH access to the switch allow only clients having a private key that matches a public key found in ClientKeys.pub.
n For manager-level (enable) access for successful SSH clients, use TACACS+ for primary password authentication and local for secondary password authentication, with a manager username of "leader" and a password of "m0ns00n".
To set up this operation, configure the switch in a manner similar to the following illustration:
The following illustration shows how to check the results of the above commands.
Aruba 2930M/F | Access Security Guide
447
SSH client contact behavior
At the first contact between the switch and an SSH client, if the switch public key has not been copied into the client, then the client's first connection to the switch will question the connection and, for security reasons, provide the option of accepting or refusing. If it is safe to assume that an unauthorized device is not using the switch IP address in an attempt to gain access to the client's data or network, the connection can be accepted. (As a more secure alternative, the client can be directly connected to the switch serial port to download the switch public key into the client.) When an SSH client connects to the switch for the first time, it is possible for a "man-in-the-middle" attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames and passwords controlling access to the switch. This possibility can be removed by directly connecting the management station to the switch serial port, using a show command to display the switch public key, and copying the key from the display into a file. This requires a knowledge of where the client stores public keys, plus the knowledge of what key editing and file format might be required by the client application. However, if the first contact attempt between a client and the switch does not pose a security problem, this is unnecessary.
Disable username prompt for management interface authentication in the Quick Base system
Authentication bypass for the username when logging on to the switch.
Syntax:
448
Aruba 2930M/F | Access Security Guide
aaa authentication disable-username no aaa authentication disable-username
Use the disable-username command in manager mode to by-pass prompting username at the authentication feature of the switch. Execution of the above command on the switch enables the switch to bypass prompting username if applicable and only password is used for authentication only when both operator and manager usernames are default. The disable-username command will display an acceptance option and security warning message similar to the following: Bypass username during authentication while logging into the device to get Manager or Operator access? (y/n) Entering "y/Y" will complete setting the command. The default configuration of the switch is to authenticate based on username and password. This command is disabled by default in the switch configuration. An event log message (warning) will be logged that relates to this command. The event log message with be similar to the following: W 05/22/13 21:02:06 00419 auth: Bypassing the username for Operator and Manager access level is enabled
The protocols SFTP and SCP which are based on SSH will exhibit similar behavior as SSH.
Switch behavior with Telnet
The behavior of the switch software in different management interfaces when the disable-username command is enabled.
Telnet Example: 1
Operator password: Set Operator username: Not set
Manager password: Not set Manager username: Not set
n Entering the operator password will log onto the switch in operator mode. n Entering the enable command in operator mode will provide access to the switch in manager.
Telnet Example: 2
Operator password: Not set Operator username: Not set
Manager password: Set Manager username: Not set
n Entering the manager password will log onto the switch in manager mode. n Entering the enable command in the operator mode will prompt for the password to be entered for manager
mode.
Telnet Example: 3
Operator password: Set Operator username: Not set
Manager password: Set Manager username: Not set
n Entering the operator password will log onto the switch in operator mode. n Entering the enable command in the operator mode will prompt for the password to be entered for manager
mode. n Entering the manager password will log onto the switch in manager mode.
Telnet Example: 4
Aruba 2930M/F | Access Security Guide
449
Operator password: Set
Manager password: Set
Operator username: Not set Manager username: Not set
n Both Operator and Manager Passwords are the same n Entering the common password will log onto the switch in manager mode
Figure 86 User login screen
Switch behavior with SSH
There is no username prompt in SSH, (for example: ssh any_username@IP-address). The following configuration examples are related to SSH:
SSH configuration Example: 1
In the following configuration, the password is entered without the username. Once the enable command is entered, the username prompt will be bypassed.
Operator password: Set Operator username: Not set
Manager password: Not set Manager username: Not set
n Entering the operator password will log onto the switch in operator mode. n Entering the enable command in the operator mode will prompt for the password to be entered for manager
mode.
SSH configuration Example: 2
Operator password: Not set Operator username: Not set
Manager password: Set Manager username: Not set
450
Aruba 2930M/F | Access Security Guide
n Executing any key will log onto the switch in operator mode. n Entering the enable command in the operator mode will prompt for the password to be entered for manager
mode n The manager password will log onto the manager mode.
SSH configuration Example: 3
Operator password: Set Operator username: Not set
Manager password: Set Manager username: Not set
n Entering the operator password will log onto the switch in operator mode. n Entering the enable command in the operator mode will prompt for the password to be entered for manager
mode.
SSH configuration Example: 4
Operator password: Set Operator username: Not set
Manager password: Set Manager username: Not set
Both Operator and Manager passwords are the same Entering the password logs onto the switch in the manager mode.
Figure 87 SSH configuration screen
Switch behavior with WebUI
The user is prompted for both username and password. Any entry including blank in the username field is allowed. This condition is true for all the below configuration.
WebUI configuration Example: 1
Operator password: Set Operator username: Not set
Manager password: Not set Manager username: Not set
Entering only the operator password, logs onto the switch in manager mode because manager password has not been set.
WebUI configuration Example: 2
Aruba 2930M/F | Access Security Guide
451
Operator password: Not set Operator username: Not set
Manager password: Set Manager username: Not set
n Selecting the login link on the WebUI will prompt for log in. n Entering only the manager password, logs onto the switch in manager mode.
WebUI configuration Example: 3
Operator password: Set Operator username: Not set
Manager password: Set Manager username: Not set
n Logging in using the operator password logs onto the switch in operator mode. n Entering only the manager password, logs onto the switch in manager mode.
WebUI configuration Example: 4
Operator password: Set Operator username: Not set
Manager password: Set Manager username: Not set
Both Operator and Manager passwords are the same Entering only the password, logs onto the switch in manager mode.
Figure 88 WebUI logon screen
This feature does not capture solutions for other applications that mandate the username and does not capture the solution based on the type of management interface used.
452
Aruba 2930M/F | Access Security Guide
SSH client public-key authentication notes
When configured for SSH operation, the switch automatically attempts to use its own host public key to authenticate itself to SSH clients. To provide the optional, opposite service--client public-key authentication to the switch--you can configure the switch to store up to 10 public keys for authenticating clients. This requires storing an ASCII version of each client's public key (without babble conversion, or fingerprint conversion) in a client public-key file that you create and TFTP-copy to the switch. In this case, only clients with a private key corresponding to one of the stored public keys can gain access to the switch using SSH. If you use this feature, only the clients whose public keys are in the client public-key file you store on the switch will have SSH access to the switch over the network. If you do not allow secondary SSH login (operator) access via local password the switch will refuse other SSH clients. SSH clients that support client public-key authentication normally provide a utility to generate a key pair. The private key is usually stored in a password-protected file on the local host; the public key is stored in another file and is not protected.
Without using client public-key authentication you can still require authentication from whoever attempts to access the switch from an SSH client-- by employing the local username/password, TACACS+, or RADIUS features. See step on page 440.
If you enable client public-key authentication, the following events occur when a client tries to access the switch using SSH:
1. The client sends its public key to the switch with a request for authentication. 2. The switch compares the client's public key to those stored in the switch client public-key file. As a
prerequisite, use the switch copy tftp command to download this file to flash. 3. If there is no match, and you have not configured the switch to accept a login password as a secondary
authentication method, the switch denies SSH access to the client. 4. If there is a match, the switch:
a. Generates a random sequence of bytes.
b. Uses the client's public key to encrypt this sequence.
c. Send these encrypted bytes to the client.
5. The client uses its private key to decrypt the byte sequence. 6. The client then:
a. Combines the decrypted byte sequence with specific session data.
b. Uses a secure hash algorithm to create a hash version of this information.
c. Returns the hash version to the switch.
7. The switch computes its own hash version of the data from step 6 and compares it to the client's hash version. If they match, the client is authenticated. Otherwise, the client is denied access.
Using client public-key authentication
Procedure
1. Generate a public/private key pair for each client you want to have SSH access to the switch. This can be a separate key for each client or the same key copied to several clients.
Aruba 2930M/F | Access Security Guide
453
2. Copy the public key for each client into a client public-key text file. 3. Use copy tftp to copy the client public-key file into the switch. Note that the switch can hold 100 keys.
The new key is appended to the client public-key file 4. Use the aaa authentication ssh command to enable client public-key authentication.
Creating a client public-key text file
These steps describe how to copy client public keys into the switch for challenge-response authentication, and require an understanding of how to use your SSH client application.
Figure 89 A client public key
Comments in public-key files may appear in a SSH client application's generated public key. While such comments may help to distinguish one key from another, they do not pose any restriction on the use of a key by multiple clients and/or users.
Public key illustrations such as the key shown in Figure 89: A client public key
usually include line breaks as a method for showing the whole key. However, in practice, line breaks in a public key will cause errors resulting in authentication failure.
Procedure
1. Use your SSH client application to create a public/private key pair, and see the documentation provided with your SSH client application for details. The switch supports the following client public-key properties:
Property Key format
Supported value ASCII
Comments
See Providing the switch public key to clients on page 443. The key must be one unbroken ASCII string. If you add more than one client public key to a file, terminate each key (except the last one) with a <CR><LF>. Spaces are allowed within the key to delimit the key's components. Note that, unlike the use of the switch public key in an SSH client application, the format of a client public key used by the switch does not include the client's IP address.
454
Aruba 2930M/F | Access Security Guide
Property Key type
Supported value RSA or DSA
Maximum supported publickey length
3072 bits
Maximum host key sizes in bits
RSA:1024, 2048, 3072DSA:1024
Comments
You can choose either RSA or DSA key types when using the crypto key
generate ssh command. The cert parameter only use RSA key type.
Shorter key lengths allow faster operation, but also mean diminished security.
Includes the bit size, public index, modulus, any comments,<CR>, <LF>, and all blank spaces. If necessary, you can use an editor application to verify the size of a key. For example, placing a client public key into a Word for Windows text file and clicking on File|Properties|Statistics lets you view the number of characters in the file, including spaces.
2. Copy the client's public key into a text file (filename.txt). For example, use the Notepad editor included with the Microsoft®Windows® software. If you want several clients to use client public-key authentication, copy a public key for each of these clients (10) into the file. Each key should be separated from the preceding key by a <CR><LF>.
3. Copy the client public-key file into a TFTP server accessible to the switch.
Copying a client public key into the switch requires the following: n One or more client-generated public keys. See the documentation provided with your SSH client
application. n A copy of each client public key stored in a single text file or individually on a TFTP server to which the
switch has access. Terminate all client public keys in the file except the last one with a <CR><LF>.
The actual content of a public-key entry in a public-key file is determined by the SSH client application generating the key. Although you can manually add or edit any comments the client application adds to the end of the key.
Syntax:
copy <tftp|sftp> pub-key-file <ip-address> <filename>[<append|manager|operator>] Copies a public-key file from a TFTP server into flash memory in the switch. The append option adds the keys for operator access. The manager option replaces the keys for manager access; follow with the 'append' option to add the keys. The operator option replaces the keys for operator access (default); follow with the 'append' option to add the keys. show crypto client-public-key [<manager|operator>][keylist-str][babble|fingerprint] Displays the client public keys in the switch current client public-key file. The babble option converts the key data to phonetic hashes that are easier for visual comparisons. The fingerprint option converts the key data to hexadecimal hashes that are for the same purpose.
Aruba 2930M/F | Access Security Guide
455
The keylist-str selects keys to display (comma-delimited list). The manager option allows you to select manager public keys. The operator option allows you to select operator public keys.
Copying and displaying a client public-key file containing two different client public keys for the same client
To copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 and then display the file contents:
Replacing or clearing the public-key file
The client public-key file remains in the switch flash memory even if you erase the startup-config file, reset the switch, or reboot the switch. Remove the existing client public-key file or specific keys by executing the clear crypto public-key command. This clears the public keys from both management modules. The module that is not active must be in standby mode.
Syntax:
clear crypto public-key Deletes the client public-key file from the switch.
Syntax:
clear crypto public-key 3 Deletes the entry with an index of 3 from the client public-key file on the switch.
Enabling client public-key authentication
After you TFTP a client public-key file into the switch, configure the switch to allow the following: If an SSH client's public key matches the switch client public-key file, allow that client access to the switch. If there is not a public-key match, then deny access to that client.
Syntax:
aaa authentication ssh login public-key none Allows SSH client access only if the switch detects a match between the client's public key and an entry in the client-public- key file most recently copied into the switch.
456
Aruba 2930M/F | Access Security Guide
To enable client public-key authentication to block SSH clients whose public keys are not in the client public-key file copied into the switch, you must configure the Login Secondary as none. Otherwise, the switch allows such clients to attempt access using the switch operator password.
SSH client and secure sessions
SSH Client provides a method for establishing a secure session from one switch to another. In addition to providing secure sessions, SFTP is enhanced to allow bidirectional secure copying of files between a switch and an SFTP server, initiated from the switch with the copy command. The SFTP server can be another switch or a workstation/server with a running SSH server that supports SFTP. Each switch with the SSH Client feature will have a known hosts file that can contain the public key from switches and servers that have been determined to be genuine. New public keys can be added to the known hosts file when new SSH servers are contacted, up to a maximum of 10 entries (if memory allows). The known hosts file can also be copied to another switch or to a server where it can be edited.
You must be in manager context to use this SSH and SFTP feature.
Opening a secure session to switch
To initiate an SSH client session to another network device, use the following command, executed in the manager context.
Syntax:
ssh [user <username|username@>] <hostname|IPv4|IPv6> [port <1-65535>] Enables an SSH client to open a secure session to an switch. Opening secure sessions to devices other than switches is not supported. [user <username|username@>] Optional, the username on the destination (remote) system. Usernames for operator and manager must be configured. If <username@> is specified, enter the remote system information of either hostname,IPv4 or IPv6 address. If no username is configured, the username of the current login is used. There will be a prompt for a password if needed. hostname: Hostname of the remote system. IPv4: IPv4 address of the remote system. IPv6: IPv6 address of the remote system. [port <1-65535>]: The TCP port running the SSH server on the remote system. If no port number is specified, the default port 22 is used. Default: Port 22
General operating rules and notes
n The SSH server may challenge the client to authenticate itself depending on the authentication methods configured on the destination SSH server. The client first tries the "none" method of authentication; if that is unsuccessful, it examines the list of supported authentication methods from the server, if provided. If the server does not provide such a list, all methods of authentication will be tried in the following order until the
Aruba 2930M/F | Access Security Guide
457
session is successfully opened or rejected by the server: o Authentication method "publickey", if a private key has been loaded onto the switch. o Authentication method "password".
n During "public-key" authentication, the client must use its private key to authenticate itself to the server. There can be only one key pair on the switch for the manager.
n The private key should be passphrase protected for highest security; the user is prompted to enter the passphrase.
n The private key can be configured by copying it to the SSH client switch, using the copy command.
n If the public-key authentication fails or the client has not been configured with a key pair, the "password" method of authentication is used and the user is prompted for a password.
n Successful TACACS or RADIUS logins will give the user either operator or manager privileges. This is important if there are chained SSH sessions.
Copying client key files
Only one ssh client key for authenticating the manager is allowed on a switch. The copy command allows you to copy the client key files using sftp, tftp, and usb or xmodem, allowing encryption and authentication through SSH. There is no way to generate the private key on the switch; it must be copied onto the switch. To load the client private key onto the switch, use one of the following commands:
Syntax:
copy sftp ssh-client-key [user <username>|<username@>] <hostname|IPv4|IPv6> <private-key-filename> [port|<tcp-port-num>]
copy tftp ssh-client-key <hostname|IPv4|IPv6> <private-key-filename> copy usb ssh-client-key <private-key-filename> copy xmodem ssh-client-key Copies the client key file <private-key-filename> onto the switch. ssh-client-key: The client key file being copied to the switch. The file must contain an RSA or DSA key. [user <username|username@>]: Optional, there must be configured usernames for operator and manager. If no username is specified, the client's current username is used. There will be a prompt for a password if needed. hostname: Specifies the hostname of the SFTP or TFTP server. IPv4: Specifies the SFTP or TFTP server's IPv4 address. IPv6: Specifies the SFTP or TFTP server's IPv6 address. <private-key-filename>: The remote filename containing the key. [port <tcp-port-num>] : TCP port of the SSH server on the remote system. The copied private key is stored in the ssh directory of the switch file system and is persistent across switch reboots. After the initial copying is complete, the client key can be overwritten by repeating the copy command. No verification of the validity of the key is done when executing the copy command.
Copying the ssh-client-known-hosts file
Replacing or appending the ssh-client-known-hosts file
There is one SSH client known hosts file per switch, stored in the ssh directory of the switch file system. The SSH client known hosts file can be overwritten or appended using the commands below. If the file already exists
458
Aruba 2930M/F | Access Security Guide
at that location, you are prompted for confirmation before overwriting the existing file:
Warning: The existing known hosts file will be overwritten, continue [y/n] ?
Syntax:
copy sftp ssh-client-known-hosts [user <username|username@>] <hostname|IPv4|IPv6> <filename> [append]
copy tftp ssh-client-known-hosts <hostname|IPv4|IPv6> <filename> [append]
copy usb ssh-client-known-hosts <filename> [append]
copy xmodem ssh-client-known-hosts [append]
Copies the SSH client known hosts file to the switch. ssh-client-known-hosts: The known hosts file. [user <username|username@>]: Optional, there must be configured usernames for operator and manager. If no username is specified, the client's current username is used. There will be a prompt for a password if needed.
hostname: Specifies the hostname of the TFTP server. IPv4: Specifies the TFTP server's IPv4 address. IPv6: Specifies the TFTP server's IPv6 address. <filename>
: The remote filename containing the key. [append]: Append hosts to the existing ssh-client-known hosts file. Default: Replace the existing known hosts file.
Copying the SSH client known hosts file to another location
The SSH client known hosts file can be copied to a location on a remote device using the commands below. If the file already exists on the remote device, you are prompted for confirmation before overwriting the file:
Warning: The remote file will be overwritten, continue [y/n] ?
Syntax:
copy ssh-client-known-hosts sftp [user <username|username@>] <hostname|IPv4|IPv6> <filename>
copy ssh-client-known-hosts tftp <hostname|IPv4|IPv6> <filename>
copy ssh-client-known-hosts <filename> usb
copy ssh-client-known-hosts xmodem
Copies the SSH client known hosts file to another location. ssh-client-known-hosts: The known hosts file. [user <username|username@>]: Optional, there must be configured usernames for operator and manager.
Aruba 2930M/F | Access Security Guide
459
If no username is specified, the client's current username is used. There will be a prompt for a password if needed. hostname: Specifies the hostname of the TFTP server. IPv4: Specifies the TFTP server's IPv4 address. IPv6: Specifies the TFTP server's IPv6 address. <filename>
: The remote filename containing the key.
Copying the host public key
The following copy commands can be used to manage public keys in a known hosts file. The public key can only be coped from the switch to a server or other media, not to another switch.
Syntax:
copy ssh-server-pub-key sftp [user <username|username@>] <hostname|IPv4|IPv6> <filename> copy ssh-server-pub-key tftp <hostname|IPv4|IPv6> <filename> copy ssh-server-pub-key usb copy ssh-server-pub-key xmodem Copies the switch SSH server public key to a server or other media. [user <username|username@>]: Optional, there must be configured usernames for operator and manager. If no username is specified, the client's current username is used. There will be a prompt for a password if needed. hostname: Specifies the hostname of the TFTP server. IPv4: Specifies the TFTP server's IPv4 address. IPv6: Specifies the TFTP server's IPv6 address. <filename>: The name of the file to be copied.
Removing the SSH client key pair
To remove the SSH client key pair file, use this command.
Syntax:
crypto key zeroize ssh-client-key Deletes the SSH client key pair. You are prompted with the message: Warning: The manager key pair will be deleted, continue [y/n] ?
Removing the SSH client known hosts file
To remove the SSH client known hosts file, use this command. Syntax: crypto key zeroize ssh-client-known-hosts Deletes the SSH client known hosts file. You are prompted with the message: Warning: The SSH client known hosts file will be deleted, continue [y/n] ?
460
Aruba 2930M/F | Access Security Guide
Displaying open sessions
Syntax:
show session-list Displays the active incoming and outgoing sessions.
Open sessions listing
switch(config)# show session-list
Session Information
Source IP Selection: Outgoing Interface
--------------------------------------------------------
Session : 1
Privilege: Superuser
From
: Console
To
:
--------------------------------------------------------
Session : 2
Privilege: manager
From
: 172.22.16.3
To
: 10.1.248.198
---------------------------------------------------------
Session : ** 3
Privilege: manager
From
: 10.1.248.179
To
:
Messages related to SSH operation
Message 00000K Peer unreachable.
Meaning
File transfer did not occur. Indicates an error in communicating with the tftp server or not finding the file to download. Causes include such factors as:
n Incorrect IP configuration on the switch n Incorrect IP address in the command n Case (upper/lower) error in the filename used in
the command n Incorrect configuration on the TFTP server n The file is not in the expected location. n Network misconfiguration n No cable connection to the network
Aruba 2930M/F | Access Security Guide
461
Message 00000K Transport error.
Cannot bind reserved TCP port <port-number>.
Client public-key file corrupt or not found. Use 'copy tftp pub-key-file <ip-addr> <filename>' to download new file. Download failed: overlength key in key file. Download failed: too many keys in key file. Download failed: one or more keys is not a valid public key.
Error: Requested keyfile does not exist.
Generating new RSA host key. If the cache is depleted, this could take up to two minutes. Host RSA key file corrupt or not found. Use 'generate ssh [dsa|rsa]' to create new host key.
Meaning
File transfer did not occur. Indicates the switch experienced a problem when trying to copy tftp the requested file. The file may not be in the expected directory, the filename may be misspelled in the command, or the file permissions may be wrong.
The ip SSH port command has attempted to configure a reserved TCP port. Use the default or select another port number.
The client key does not exist in the switch. Use copy tftp to download the key from a TFTP server.
The public-key file you are trying to download has one of the following problems:
n A key in the file is too long. The maximum key length is 1024 characters, including spaces. This could also mean that two or more keys are merged together instead of being separated by a <CR><LF>.
n There are more than 10 public keys in the key file and switch total. Delete some keys from the switch or file. The switch does not detect duplicate keys.
n One or more keys in the file is corrupted or is not a valid public key.
See Creating a client public-key text file on page 454 for information on client public-key properties.
The client key does not exist in the switch. Use copy tftp to download the key from a TFTP server.
After you execute the generate ssh [dsa|rsa] command, the switch displays this message while it is generating the key.
The switch key is missing or corrupt. Use the generate ssh [dsa|rsa] command to generate a new key for the switch.
Logging messages
There are event log messages when a new key is generated and zeroized for the server: ssh: New <num-bits> -bit [rsa|dsa] SSH host key installed ssh: New SSH host key zeroized
There are also messages that indicate when a client public key is installed or removed: ssh: <num-bits> -bit [rsa|dsa] client public key [installed|removed] ([manager|operator]access)(key_comment)
462
Aruba 2930M/F | Access Security Guide
Only up to 39 characters of the key comment are included in the event log message.
Debug logging
To add SSH messages to the debug log output, enter this command: switch# debug ssh LOGLEVEL where LOGLEVEL is one of the following (in order of increasing verbosity):
n fatal n error n info n verbose n debug n debug2 n debug3
Aruba 2930M/F | Access Security Guide
463
Chapter 22
Configuring SSH with two-factor authentication
Configuring SSH with two-factor authentication
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
Two-factor authentication configuration commands
aaa authentication ssh
Syntax
aaa authentication ssh [enable | login]
Description
Configure authentication mechanism used to control SSH access to the switch.
This command must be used before using any of the two-factor forms of the aaa authentication ssh command,
Parameters
enable Configure access to the privileged mode commands. login Configure login access to the switch.
aaa authentication ssh two-factor
Syntax aaa authentication ssh [enable | login]
two-factor [local | none | authorized | server-group <server-group> | two-factor-type
Description
Set two-factor authentication method as the primary authentication method.
Parameters
local Use local switch user/password database. none
Aruba 2930M/F | Access Security Guide
464
Do not use backup authentication methods. authorized Allow access without authentication. server-group Specify the server group to use. two-factor-type Use the certificate or public key for the first authentication method and username/password for the second authentication method.
aaa authentication ssh two-factor two-factor-type
aaa authentication ssh [enable | login] two-factor two-factor-type certificate-password [local | tacacs | radius]
Description
Use the certificate or public key for the first authentication method and username/password for the second authentication method.
Parameters publickey-password certificate-password local tacacs radius
Description Use the public key for the first authentication method and username/password for the second authentication method. Use the X.509v3 certificate for the first authentication method and username/password for the second authentication method. Use local switch user/password database.
Use TACACS+ server.
Use RADIUS server.
aaa authentication ssh two-factor two-factor-type publickey-password
Syntax
aaa authentication ssh [enable | login] two-factor two-factor-type publickey-password [local | tacacs | radius]
Description
Use the public key for the first authentication method and username/password for the second authentication method.
Parameters
local Use local switch user/password database. tacacs Use TACACS+ server. radius Use RADIUS server.
465
Aruba 2930M/F | Access Security Guide
aaa authentication ssh two-factor two-factor-type certificate-password
Syntax
aaa authentication ssh [enable | login] two-factor two-factor-type certificate-password [local | tacacs | radius]
Description
Use the X.509v3 certificate for the first authentication method and username/password for the second authentication method.
Parameters
local Use local switch user/password database. tacacs Use TACACS+ server. radius Use RADIUS server.
crypto enforce secure-rsa
crypto enforce secure-rsa
Description
Enable generation of secure RSA key size. Only secure keys will be generated using the RSA key. The recommended secure RSA key size is 2048.
Two-factor authentication restrictions
n When an SSH client establishes a connection by choosing the user authentication method password or public-key and password, the switch will terminate the connection if two-factor authentication or password configuration-control is enabled.
n For successful authentication when Two-factor authentication is enabled, the user authentication method must be public-key and keyboard interactive.
n When password configuration-control alone is enabled, the user authentication method must include keyboard interactive.
Aruba 2930M/F | Access Security Guide
466
Chapter 23 Configuring Secure Sockets Layer
Configuring Secure Sockets Layer
Overview
Switches use Secure Sockets Layer Version 3 (SSLv3) and support for Transport Layer Security (TLSv1) to provide remote web access to the switches through encrypted paths between the switch and management station clients capable of SSL/TLS operation. n Switches use SSL and TLS for all secure web transactions, and all references to SSL mean using one of these
algorithms unless otherwise noted. n SSL provides all the web functions but, unlike standard web access, SSL provides encrypted, authenticated
transactions. The authentication type includes server certificate authentication with user password authentication. SSL in the switches is based on the NanoSSL software toolkit from the Mocana. For more information on NanoSSL, visit https://www.mocana.com/nanossl-lp.
Server certificate authentication with user password authentication
This is a subset of full certificate authentication of the user and host, only available when the switch has SSL enabled. As in Figure 90: Switch/user authentication, the switch authenticates itself to SSL-enabled web browser. Users on SSL browser then authenticate themselves to the switch - operator and manager levels - by providing passwords stored locally on the switch or on a TACACS+ or RADIUS server. However, the client does not use a certificate to authenticate itself to the switch. Figure 90 Switch/user authentication
SSL on the switches covered in this guide supports these data encryption methods: n 3DES (168-bit, 112 Effective) n DES (56-bit) n RC4 (40-bit, 128-bit)
Switches use RSA public-key algorithms and Diffie-Hellman, and all references to a key mean keys generated using these algorithms unless otherwise noted.
Aruba 2930M/F | Access Security Guide
467
Prerequisite for using SSL
Before using the switch as an SSL server, you must install a publicly or commercially available SSL-enabled web browser application on the computer(s) you use for management access to the switch.
Steps for configuring and using SSL for switch and client authentication
Procedure
1. Client preparation: a. Install an SSL capable browser application on a management station you want to use for access to the switch. See the documentation provided with your browser for details.
b. Assign a login (operator) and enable (manager) password on the switch. See Assigning a local login (operator) and enabling (manager) password on page 469.
2. Switch preparation: a. Generate a host certificate on the switch. See Generating the switch's server host certificate on page 469. n Generate certificate key pair n Generate host certificate You need to do this only once. The switch's own public/private certificate key pair and host certificate are stored in the switch flash memory and are not affected by reboots or the erase startup-config command. You can remove or replace this certificate, if necessary. The certificate key pair and the SSH key pair are independent of each other, which means a switch can have two keys pairs stored in flash.
3. Enable SSL on the switch. See SSL client contact behavior on page 472. 4. Use your SSL enabled browser to access the switch using the switch IP address or DNS name (if allowed
by your browser). See the documentation provided with the browser application.
General operating rules and notes
n Public keys generated on an SSH client must be exportable to the switch. The switch can store 10 client key pairs.
n The switch public/private key pair and the (optional) client public-key file are stored permanently in the switch memory and are unaffected by the erase startup-config command.
n Once you generate a key pair on the switch, you must avoid regenerating the key pair without a compelling reason. Otherwise, you must reintroduce the switch public key on all management stations (clients) you previously set up for SSH access to the switch. This can temporarily allow security breaches.
n The switch does not support outbound SSH sessions. Thus, if you Telnet from an SSH-secure switch to another SSH-secure switch, the session is not secure.
n With SSH running, the switch allows one console session and up to five other sessions (SSH and/or Telnet).
468
Aruba 2930M/F | Access Security Guide
Configuring the switch for SSL operation
Assigning a local login (operator) and enabling (manager) password
At a minimum, Hewlett Packard Enterprise recommends that you always assign at least a manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch's configuration.
Using the WebAgent to configure local passwords
You can configure both the operator and manager password in the WebAgent. To access the WebAgent, see Basic Operation Guide for your switch.
Generating the switch's server host certificate
You must generate a server certificate on the switch before enabling SSL. The switch uses this server certificate, along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.) The server certificate is stored in the switch's flash memory. The server certificate should be added to your certificate folder on the SSL clients who you want to have access to the switch. Most browser applications automatically add the switch's host certificate to there certificate folder on the first use. This method does allow for a security breach on the first access to the switch. (See the documentation for your browser application.) There are two types of certificates that can be used for the switch's host certificate. The first type is a self-signed certificate, which is generated and digitally signed by the switch. Since self-signed certificates are not signed by a third-party certificate authority, there is no audit trail to a root CA certificate and no fool-proof means of verifying authenticity of certificate. The second type is a certificate authority-signed certificate, which is digitally signed by a certificate authority, has an audit trail to a root CA certificate, and can be verified unequivocally.
There is usually a fee associated with receiving a verified certificate and the valid dates are limited by the root certificate authority issuing the certificate.
When you generate a certificate key pair and/or certificate on the switch, the switch places the key pair and/or certificate in flash memory (and not in running config.) Also, the switch maintains the certificate across reboots, including power cycles. You should consider this certificate to be "permanent"; that is, avoid regenerating the certificate without a compelling reason. Otherwise, you will have to reintroduce the switch's host certificate on all management stations you have set up for SSL access to the switch using the earlier certificate. Removing (zeroizing) the switch's certificate key pair or certificate render the switch unable to engage in SSL operation and automatically disables SSL on the switch. (To verify whether SSL is enabled, execute show config.)
To generate or erase the switch's server certificate with the CLI
Since the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate. Erasing the host certificate automatically disables SSL.
CLI Commands Used to Generate a Server Host Certificate
Syntax
crypto key generate cert [rsa] bits <1024|2048> Generates a key pair for use in the certificate.
Aruba 2930M/F | Access Security Guide
469
crypto key zeroize cert Erases the switch's certificate key and disables SSL operation.
To generate a host certificate from the CLI: Generate a certificate key pair. This is done with the crypto key generate cert command. The default key size is 512.
If a certificate key pair is already present in the switch, it is not necessary to generate a new key pair when generating a new certificate. The existing key pair may be reused and the crypto key generate cert command does not have to be executed.
Comments on certificate fields
There are a number of arguments used in the generation of a server certificate. The following table describes these arguments.
Table 33: Certificate field descriptions Field Name
Valid Start Date Valid End Date
Common Name
Organization Organizational Unit City or Location State Name Country Code
Description
This should be the date you desire to begin using the SSL functionality.
This can be any future date, however good security practices would suggest a valid duration of about one year between updates of passwords and keys.
This should be the IP address or domain name associated with the switch. Your web browser may warn you if this field does not match the URL entered into the web browser when accessing the switch
This is the name of the entity (e.g. company) where the switch is in service.
This is the name of the sub-entity (e.g. department) where the switch is in service.
This is the name of the city where switch is in service
This is the name of the state or province where switch is in service
This is the ISO two-letter country-code where switch is in service
Figure 91 Self-signed server host certificate on the CLI for the switch
470
Aruba 2930M/F | Access Security Guide
"Zeroizing" the switch's server host certificate or key automatically disables SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-enable SSL with the web-management ssl command before the switch can resume SSL operation.
Generate a self-signed host certificate with the WebAgent
You can configure SSL from the WebAgent. For more information on how to access the WebAgent, see Basic Operation Guide for your switch. To generate a self signed host certificate from the WebAgent:
1. In the WebAgent navigation pane, click Security. 2. Click SSL. 3. In the Web Management box, enable SSL if it is not already checked. 4. Complete the fields in the SSL Certificate box and click Create request.
When generating a self-signed host certificate, if no key is present and the current option is selected in the RSA key size box and error will be generated. New key generation can take up to two minutes if the key queue is empty.
Figure 92 Self-signed certificate generation via SSL WebAgent
Generate a CA-Signed server host certificate with the WebAgent
The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority. The second phase is the actual submission process that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response (the usable server host certificate). The third phase is the download phase consisting of pasting to the switch web server the certificate response, which is then validated by the switch and put into use by enabling SSL.
To generate a certificate request from the WebAgent:
Aruba 2930M/F | Access Security Guide
471
1. In the navigation pane, click Security. 2. Click SSL. 3. In the Web Management box, enable SSL if it is not already checked. 4. In the SSL Certificate box, fill out the fields and select Create request.
Figure 93 CA certificate generation via SSL WebAgent screen
To access the online help for SSL certificate generation, click "?" in the upper right corner of the screen.
Enabling SSL on the switch and anticipating SSL browser contact behavior
The web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients. After you enable SSL, the switch can authenticate itself to SSL enabled browsers. If you want to disable SSL on the switch, use the no web-management ssl command.
Before enabling SSL on the switch you must generate the switch's host certificate and key. If you have not already done so, see Generating the switch's server host certificate on page 469.
When configured for SSL, the switch uses its host certificate to authenticate itself to SSL clients, however unless you disable the standard WebAgent with the no web-management command it will be still available for unsecured transactions.
SSL client contact behavior
At the first contact between the switch and an SSL client, if you have not copied the switch's host certificate into the browser's certificate folder, your browser's first connection to the switch will question the connection and, for security reasons, give you the option of accepting or refusing. If a CA-signed certificate is used on the switch, for which a root certificate exists on the client browser side, then the browser will NOT prompt the user to ensure the validity of the certificate. The browser will be able to verify the certificate chain of the switch server certificate up to the root certificate installed in the browser, thus authenticating the switch unequivocally. As long as you are confident that an unauthorized device is not using the switch's IP address in an attempt to gain access to your data or network, you can accept the connection.
472
Aruba 2930M/F | Access Security Guide
When an SSL client connects to the switch for the first time, it is possible for a "man-in-the-middle" attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames and passwords controlling access to the switch. When using self-signed certificates with the switch, there is a possibility for a "man-in-the-middle" attack when connecting for the first time; that is, an unauthorized device could pose undetected as a switch, and learn the usernames and passwords controlling access to the switch. Use caution when connecting for the first time to a switch using self-signed certificates. Before accepting the certificate, closely verify the contents of the certificate (see browser documentation for additional information on viewing contents of certificate.) The security concern described above does not exist when using CA-signed certificates that have been generated by certificate authorities that the web browser already trusts.
Using the CLI interface to enable SSL
Syntax
web-management ssl no web-management ssl Enables or disables SSL on the switch [port <1-65535|default:443>] The TCP port number for SSL connections (default: 443). show config Shows status of the SSL server. When enabled web-management ssl will be present in the config list.
Procedure
1. To enable SSL on the switch: 2. Generate a Host certificate if you have not already done so. (See Generating the switch's server host
certificate on page 469.) 3. Execute the web-management ssl command.
To disable SSL on the switch, do either of the following:
n Execute no web-management ssl. n Zeroize the switch's host certificate or certificate key.
Using the WebAgent to enable SSL
SSL does not protect the switch from unauthorized access via the Telnet, SNMP, or the serial port. While Telnet access can be restricted by the use of passwords local to the switch, if you are unsure of the security this provides, you may want to disable Telnet access (no Telnet). If you need to increase SNMP security, use SNMP version 3 only for SNMP access. Another security measure is to use the authorized IP managers feature described in the switch's Access Security Guide. To protect against unauthorized access to the serial port (and the Clear button, which removes local password protection), keep physical access to the switch restricted to authorized personnel.
Procedure
Aruba 2930M/F | Access Security Guide
473
n To enable SSL on the switch: 1. In the navigation pane, click Security. 2. Click SSL. 3. Click Change. 4. Select SSL Enable to enable SSL. 5. Enter the TCP port you desire to connect on. It is recommended you use the default IP port number of 443.
Hewlett Packard Enterprise recommends using the default IP port number (443). However, you can use web-management ssl tcp-port to specify any TCP port for SSL connections except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http). Some other reserved TCP ports on the switches are 49, 80, 1506, and 1513.
6. Click Save. n To disable SSL on the switch:
1. In the navigation pane, click Security. 2. Click SSL. 3. Click Change button. 4. Clear the SSL Enable box to disable SSL. 5. Click Save.
Common errors in SSL setup
Error during Generating host certificate on CLI Enabling SSL on the CLI or WebAgent
Unable to Connect with SSL
Possible cause
You have not generated a certificate key. See CLI Commands Used to Generate a Server Host Certificate on page 469.
You have not generated a host certificate. See Generate a self-signed host certificate with the WebAgent on page 471. You may be using a reserved TCP port.
You may not have SSL enabled. See Enabling SSL on the switch and anticipating SSL browser contact behavior on page 472. Your browser may not support SSLv3 or TLSv1 or it may be disabled. See the documentation provided for your browser.
474
Aruba 2930M/F | Access Security Guide
Chapter 24 Configuring Advanced Threat Protection
Configuring Advanced Threat Protection
Introduction
This chapter provides an overview of the security features included on your switch. Chapter Access security features outlines the access security and authentication features, while Network Security Features highlights the additional features designed to help secure and protect your network. For detailed information on individual features, see the references provided. Before you connect your switch to a network, Hewlett Packard Enterprise strongly recommends that you review the section Getting started with access security. It outlines potential threats for unauthorized switch and network access, and provides guidelines on how to prepare the switch for secure network operation.
IPv6 Network Defense
DSNOOPv6 and DIPLDv6
DSNOOPv6 enables network defenses for IPv6 on switches. It provides protection against network disruption by blocking unintended/rogue servers. DSNOOPv6, when used with Dynamic IP Lockdown (DIPLD), provides network defense against source address spoofing. For example, a wireless access point with a DHCP Server running by default hands out IP addresses to wired clients that fall under a different subnet. DHCPv6 Snooping (DSNOOP) helps protect a network from unintended/rogue DHCP Servers handing out IP address leases to hosts on the network. In an IPv6 network, addresses are predominately assigned via Router Advertisements. However, RA is limited in its ability to provide all of the network configurations to hosts. By managing their networks with DHCP(v4/v6) Servers, administrators can increase their network range and security. Since customer networks have both IPv4 and IPv6 configurations, enabling the DHCPv6-Snooping feature provides an additional network defense level of protection. DSNOOPv6 operates similarly to DSNOOPv4. To decide which switch ports DHCPv6 packets are accepted from and forwarded to, packets are intercepted, examined and validated on DHCPv6 protocol fields. The Client IP address binding information is maintained by the switch in a binding table.
The DIPLDv6 limits will be different on different switch platforms due to hardware limitations.
Configuring DHCPv6 snooping
DHCPv6 snooping is currently configurable through SNMP using MIBs. For more information, see the MIB and Trap Matrix.
Enabling DHCPv6 snooping To globally enable DHCPv6 snooping, enter:
switch(config)# dhcpv6-snooping
Aruba 2930M/F | Access Security Guide
475
Use the no form of the command to disable DHCPv6 snooping.
Enabling DHCPv6 snooping on VLANs After you globally enable DHCPv6, use this command to enable DHCPv6 snooping on a VLAN or range of VLANs.
Syntax
dhcpv6-snooping <vlan-id-range> no dhcpv6-snooping <vlan-id-range> Use the no form of the command to disable DHCPv6 snooping on a VLAN.
vlan-id-range
Specifies the VLAN or range of VLANs on which to enable DHCPv6 snooping.
Configuring an authorized DHCPv6 server for snooping Use this command to configure an authorized DHCPv6 server.
Syntax
dhcpv6-snooping authorized-server <IPv6-address>
IPv6-address
Specifies the IP address of a trusted DHCP server. If no authorized servers are configured, all DHCP server addresses are considered valid. Maximum: 20 authorized servers.
Configuring a lease entry file for DHCPv6 snooping Use this command to configure lease database transfer options for DHCPv6 snooping
Syntax
dhcpv6-snooping database [file <ASCII string>] [delay <15-86400>] [timeout <0-86400> no dhcpv6-snooping database [file <ASCII string>] [delay <15-86400>] [timeout <0-86400>]
file <ASCII string>
Specifies the database URL in the form: "tftp://<IP-ADDR>/<FILENAME>" with a maximum length of 255 characters, IP-ADDR can be an IPv4 or an IPv6 address. IPv6 addresses must be enclosed in square brackets.
delay <15-86400>
Specifies the seconds to delay before writing to the lease database file. Valid values are 15 to -86400. Default is 300 seconds.
timeout <0-86400>
Specifies the seconds to wait for the lease file transfer to finish before a failure message is displayed. Valid values are 0 to 86400. Default is 300 seconds. If 0 is specified, the file transfer is retried indefinitely.
Configuring DHCPv6 snooping max binding Use this command to configure the maximum number of binding addresses allowed per port. If you configure the max-bindings value before enabling DHCPv6-snooping, the limit you enter is immediately applied, and the bindings are not allowed to exceed the max-bindings value. If you set the max-bindings value after enabling DHCPv6-snooping, the following occurs:
476
Aruba 2930M/F | Access Security Guide
n If current bindings are greater than the max-binding value, the configuration is applied when clients release their IPv6 addresses.
n If current bindings are lesser than that of the max-binding value, the configuration is immediately applied.
Syntax
dhcpv6-snooping max-bindings <port-list> <1-8192> no dhcpv6-snooping max-bindings <port-list> <1-8192>
port-list
Specifies the ports on which to apply max-bindings.
1-8192
Specifies the maximum number of binding addresses. DHCP Snooping Rate Limiter for dhcpv6
Syntax
dhcpv6-snooping rate-limit <Range> no dhcpv6-snooping rate-limit <Range>
Description
Configures the packet transfer rate in packets per second (PPS) for DHCPv6 snooping. The no form of the command removes the packet transfer configuration for DHCPv6 snooping.
Command context
config
Parameter
Range Specifies the value for rate limit. It ranges from 100 to 500 packets per second. The default value is 100 PPS.
Example
switch (config)# dhcpv6-snooping rate-limit
<100-500>
Configure the DHCPV6 packet transfer rate in PPS
for dhcp-snooping.
switch (config)# dhcp-snooping rate-limit 250 switch (config)# show dhcpv6-snooping
DHCPv6 Snooping Information
DHCPv6 Snooping Enabled Vlans Store lease database Rate-Limit (PPS)
: Yes : : Not configured : 250
Max
Current Binding
Port Trust Bindings Static Dynamic
------- ----- -------- ------ -------
Ports A3-A8,B1-B24,C1-C8,Trk1 are untrusted
Aruba 2930M/F | Access Security Guide
477
Configuring traps for DHCPv6 snooping Use this command to configure traps for DHCPv6 snooping.
Syntax
snmp-server enable traps dhcpv6-snooping [[out-of-resources] | [errant-reply]] no snmp-server enable traps dhcpv6-snooping [[out-of-resources] | [errant-reply]]
out-of-resources
Sends a trap message when the number of bindings exceeds the maximum limit of 8192 bindings.
errant-reply
Sends a trap message when a DHCPv6 reply packet is received on an untrusted port or from an unauthorized server. Clearing DHCPv6 snooping statistics Use this command in switch config mode to clear DHCPv6 snooping statistics.
Syntax
clear dhcpv6-snooping statistics
Enabling debug logging for DHCPv6 snooping To enable debug logging for DHCPv6 snooping, use this command.
Syntax
debug security dhcpv6-snooping [config|event|packet] no debug security dhcpv6-snooping [config|event|packet]
config
Displays DHCPv6 snooping configuration messages.
event
Displays DHCPv6 snooping event messages.
packet
Displays DHCPv6 snooping packet messages. DHCPv6 show commands Use this command to show DHCPv6 snooping information.
Syntax
show dhcpv6-snooping [stats] [bindings]
stats
Shows DHCPv6 snooping statistics.
bindings
Shows DHCPv6 binding state entries in a tabular format.
Examples
478
Aruba 2930M/F | Access Security Guide
The following example shows all available DHCPv6 snooping information.
switch(config)# show dhcpv6-snooping
DHCPv6 Snooping Information DHCPv6 Snooping : Yes Enabled Vlans : Store lease database : Not configured Rate-Limit (PPS) : 250 Max Current Binding Port Trust Bindings Static Dynamic ------- ----- -------- ------ ------Ports A3-A8,B1-B24,C1-C8,Trk1 are untrusted
The following example shows DHCPv6 snooping statistics.
switch(config)# show dhcpv6 snooping stats
Packet Type ___________ server client server server client client client client client
Action ______ forward forward drop drop drop drop drop drop drop
Reason ______ from trusted port to trusted port received on validating port unauthorized server destination on validating port relay reply on validating port bad DHCPv6 release request failed verify MAC check failed on max-binding limit
Count _____ 0 0 0 0 0 0 0 0 0
Dynamic ARP protection
On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings advertised in the source protocol address and source physical address fields are discarded. For more information about the ARP cache, see "ARP Cache Table" in the multicast and routing guide.
ARP requests are ordinarily broadcast and received by all devices in a broadcast domain. Most ARP devices update their IP-to-MAC address entries each time they receive an ARP packet even if they did not request the information. This behavior makes an ARP cache vulnerable to attacks.
Because ARP allows a node to update its cache entries on other systems by broadcasting or unicasting a gratuitous ARP reply, an attacker can send his own IP-to-MAC address binding in the reply that causes all traffic destined for a VLAN node to be sent to the attacker's MAC address. As a result, the attacker can intercept traffic for other hosts in a classic "man-in-the-middle" attack. The attacker gains access to any traffic sent to the poisoned address and can capture passwords, e-mail, and VoIP calls or even modify traffic before resending it.
Another way in which the ARP cache of known IP addresses and associated MAC addresses can be poisoned is through unsoliEmphasisd ARP responses. For example, an attacker can associate the IP address of the network gateway with the MAC address of a network node. In this way, all outgoing traffic is prevented from leaving the network because the node does not have access to outside networks. As a result, the node is overwhelmed by outgoing traffic destined to another network.
Dynamic ARP protection is designed to protect your network against ARP poisoning attacks in the following ways:
n Allows you to differentiate between trusted and untrusted ports. n Intercepts all ARP requests and responses on untrusted ports before forwarding them.
Aruba 2930M/F | Access Security Guide
479
n Verifies IP-to-MAC address bindings on untrusted ports with the information stored in the lease database maintained by DHCP snooping and user-configured static bindings (in non-DHCP environments): l If a binding is valid, the switch updates its local ARP cache and forwards the packet. l If a binding is invalid, the switch drops the packet, preventing other network devices from receiving the invalid IP-to-MAC information.
DHCP snooping intercepts and examines DHCP packets received on switch ports before forwarding the packets. DHCP packets are checked against a database of DHCP binding information. Each binding consists of a client MAC address, port number, VLAN identifier, leased IP address, and lease time. The DHCP binding database is used to validate packets by other security features on the switch. If you have already enabled DHCP snooping on a switch, you may also want to add static IP-to-MAC address bindings to the DHCP snooping database so that ARP packets from devices that have been assigned static IP addresses are also verified. Supports additional checks to verify source MAC address, destination MAC address, and IP address.ARP packets that contain invalid IP addresses or MAC addresses in their body that do not match the addresses in the Ethernet header are dropped. When dynamic ARP protection is enabled, only ARP request and reply packets with valid IP-to-MAC address bindings in their packet header are relayed and used to update the ARP cache. Dynamic ARP protection is implemented in the following ways on a switch:
n You can configure dynamic ARP protection only from the CLI; you cannot configure this feature from the WebAgent or menu interfaces.
n Line rate--Dynamic ARP protection copies ARP packets to the switch CPU, evaluates the packets, and then re-forwards them through the switch software. During this process, if ARP packets are received at too high a line rate, some ARP packets may be dropped and will need to be retransmitted.
n The SNMP MIB, HP-ICF-ARP-PROTECT-MIB, is created to configure dynamic ARP protection and to report ARP packet-forwarding status and counters.
Enabling Dynamic ARP Protection
To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp-protect vlan command at the global configuration level.
Syntax
arp-protect vlan [vlan-range] no arp-protect vlan [vlan-range] vlan-range: Specifies a VLAN ID or a range of VLAN IDs from one to 4094; for example, 1200. An example of the arp-protect vlan command is shown here:
switch(config)# arp-protect vlan 1-101
Configuring trusted ports
In a similar way to DHCP snooping, dynamic ARP protection allows you to configure VLAN interfaces in two categories: trusted and untrusted ports. ARP packets received on trusted ports are forwarded without validation. By default, all ports on a switch are untrusted. If a VLAN interface is untrusted:
480
Aruba 2930M/F | Access Security Guide
n The switch intercepts all ARP requests and responses on the port. n Each intercepted packet is checked to see if its IP-to-MAC binding is valid. If a binding is invalid, the switch
drops the packet.
Configure trusted ports carefully. For example, in the topology in Figure 94: Trusted ports for dynamic ARP protection, Switch B may not see the leased IP address that Host 1 receives from the DHCP server. If the port on Switch B that is connected to Switch A is untrusted and if Switch B has dynamic ARP protection enabled, it will see ARP packets from Host 1 as invalid, resulting in a loss of connectivity. In contrast, if Switch A does not support dynamic ARP protection and you configure the port on Switch B connected to Switch A as trusted, Switch B opens itself to possible ARP poisoning from hosts attached to Switch A.
Figure 94 Trusted ports for dynamic ARP protection
Consider the following configuration guidelines when you use dynamic ARP protection in your network:
n Configure ports connected to other switches in the network as trusted ports. In this way, all network switches can exchange ARP packets and update their ARP caches with valid information.
n Switches that do not support dynamic ARP protection must be separated by a router in their own Layer 2 domain. Because ARP packets do not cross Layer 3 domains, the unprotected switches cannot unknowingly accept ARP packets from an attacker and forward them to protected switches through trusted ports.
To configure one or more Ethernet interfaces that handle VLAN traffic as trusted ports, enter the arp-protect trust command at the global configuration level. The switch does not check ARP requests and responses received on a trusted port.
Syntax
arp-protect trust <port-list> no arp-protect trust <port-list> port-list: Specifies a port number or a range of port numbers. Separate individual port numbers or ranges of port numbers with a comma; for example: 13-15, 17. An example of the arp-protect trust command is shown here:
switch(config)# arp-protect trust 5-8, 17
Adding an IP-to-MAC binding to the DHCP database
A routing switch maintains a DHCP binding database, which is used for DHCP and ARP packet validation. Both the DHCP snooping and DHCP Option 82 insertion features maintain the lease database by learning the IP-toMAC bindings on untrusted ports. Each binding consists of the client MAC address, port number, VLAN identifier, leased IP address, and lease time.
Aruba 2930M/F | Access Security Guide
481
If your network does not use DHCP or if some network devices have fixed, user-configured IP addresses, you can enter static IP-to-MAC address bindings in the DHCP binding database. The switch uses manually configured static bindings for DHCP snooping and dynamic ARP protection.
Clearing the DHCP snooping binding table
To remove the IP-to-MAC binding from the database, use the no form of the ip source-binding command.
Adding a static binding
To add the static configuration of an IP-to-MAC binding for a port to the database, enter the ip source-binding command at the global configuration level. Use the no form of the command to remove the IP-to-MAC binding from the database.
Syntax
ip source-binding <mac-address> vlan <vlan-id> <ip-address> interface <port-number> no ip source-binding <mac-address> vlan <vlan-id> <ip-address> interface <port-number> <mac-address>
Specifies a MAC address to bind with a VLAN and IP address on the specified port in the DHCP binding database. <vlan-id> Specifies a VLAN ID number to bind with the specified MAC and IP addresses on the specified port in the DHCP binding database. <ip-address> Specifies an IP address to bind with a VLAN and MAC address on the specified port in the DHCP binding database. interface <port-number> Specifies the port number on which the IP-to- MAC address and VLAN binding is configured in the DHCP binding database. An example of the ip source-binding command is shown here:
switch(config)# ip source-binding 0030c1-7f49c0 interface vlan 100 10.10.20.1 interface A4
The ip source-binding command is the same command used by the Dynamic IP Lockdown feature to configure static bindings. The Dynamic ARP Protection and Dynamic IP Lockdown features share a common list of source IP-to-MAC bindings.
Configuring additional validation checks on ARP packets
Dynamic ARP protection can be configured to perform additional validation checks on ARP packets. By default, no additional checks are performed. To configure additional validation checks, enter the arp-protect validate command at the global configuration level.
Syntax:
arp-protect validate <[src-mac]|[dest-mac]|[ip]> no arp-protect validate <[src-mac]|[dest-mac]|[ip]> src-mac
482
Aruba 2930M/F | Access Security Guide
(Optional) Drops any ARP request or response packet in which the source MAC address in the Ethernet header does not match the sender MAC address in the body of the ARP packet. dest-mac
(Optional) Drops any unicast ARP response packet in which the destination MAC address in the Ethernet header does not match the target MAC address in the body of the ARP packet. ip
(Optional) Drops any ARP packet in which the sender IP address is invalid. Drops any ARP response packet in which the target IP address is invalid. Invalid IP addresses include: 0.0.0.0, 255.255.255.255, all IP multicast addresses, and all Class E IP addresses. You can configure one or more of the validation checks. The following example of the arp-protect validate command shows how to configure the validation checks for source MAC address and destination AMC address:
switch(config)# arp-protect validate src-mac dest-mac
Verifying the configuration of dynamic ARP protection
To display the current configuration of dynamic ARP protection, including the additional validation checks and the trusted ports that are configured, enter the show arp-protect command:
Output for the show arp-protect command
switch(config)# show arp-protect
ARP Protection Information
Enabled Vlans : 1-4094 Validate : dest-mac, src-mac
Port Trust
----- -----
5
Yes
6
Yes
7
No
8
No
9
No
Displaying ARP packet statistics
To display statistics about forwarded ARP packets, dropped ARP packets, MAC validation failure, and IP validation failures, enter the show arp-protect statistics <vid-range> command:
Output for the show arp-protect statistics command
switch(config)#show arp-protect statistics 1-2
Status and Counters - ARP Protection Counters for VLAN 1
Forwarded pkts : 10 Bad bindings : 1 Malformed pkts : 0
Bad source mac
:2
Bad destination mac: 1
Bad IP address
:0
Status and Counters - ARP Protection Counters for VLAN 2
Forwarded pkts : 1 Bad bindings : 1 Malformed pkts : 1
Bad source mac
:1
Bad destination mac: 1
Bad IP address
:1
Aruba 2930M/F | Access Security Guide
483
Monitoring dynamic ARP protection
When dynamic ARP protection is enabled, you can monitor and troubleshoot the validation of ARP packets with the debug arp-protect command. Use this command when you want to debug the following conditions:
n The switch is dropping valid ARP packets that should be allowed. n The switch is allowing invalid ARP packets that should be dropped.
Output for the debug arp-protect command
switch(config)# debug arp-protect
1. ARP request is valid "DARPP: Allow ARP request 000000-000001,10.0.0.1 for 10.0.0.2 port 1, vlan "
2. ARP request detected with an invalid binding "DARPP: Deny ARP request 000000-000003,10.0.0.1 port 1, vlan 1"
3. ARP response with a valid binding "DARPP: Allow ARP reply 000000-000002,10.0.0.2 port 2, vlan 1"
4. ARP response detected with an invalid binding "DARPP: Deny ARP reply 000000-000003,10.0.0.2 port 2, vlan 1"
Dynamic IP lockdown
The Dynamic IP lockdown feature is used to prevent IP source address spoofing on a per-port and per-VLAN basis. When dynamic IP lockdown is enabled, IP packets in VLAN traffic received on a port are forwarded only if they contain a known source IP address and MAC address binding for the port. The IP-to-MAC address binding can either be statically configured or learned by the DHCP Snooping feature.
Protection against IP source address spoofing
Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD "r" protocols (rlogin, rcp, rsh) rely on the IP source address for packet authentication. SNMPv1 and SNMPv2c also frequently use authorized IP address lists to limit management access. An attacker that is able to send traffic that appears to originate from an authorized IP source address may gain access to network services for which he is not authorized. Dynamic IP lockdown provides protection against IP source address spoofing by means of IP-level port security. IP packets received on a port enabled for dynamic IP lockdown are only forwarded if they contain a known IP source address and MAC address binding for the port. Dynamic IP lockdown uses information collected in the DHCP Snooping lease database and through statically configured IP source bindings to create internal, per-port lists. The internal lists are dynamically created from known IP-to-MAC address bindings to filter VLAN traffic on both the source IP address and source MAC address.
Prerequisite: DHCP snooping
Dynamic IP lockdown requires that you enable DHCP snooping as a prerequisite for its operation on ports and VLAN traffic:
n Dynamic IP lockdown only enables traffic for clients whose leased IP addresses are already stored in the lease database created by DHCP snooping or added through a static configuration of an IP-to-MAC
484
Aruba 2930M/F | Access Security Guide
binding.Therefore, if you enable DHCP snooping after dynamic IP lockdown is enabled, clients with an existing DHCP-assigned address must either request a new leased IP address or renew their existing DHCPassigned address. Otherwise, a client's leased IP address is not contained in the DHCP binding database. As a result, dynamic IP lockdown will not allow inbound traffic from the client. n It is recommended that you enable DHCP snooping a week before you enable dynamic IP lockdown to allow the DHCP binding database to learn clients' leased IP addresses. You must also ensure that the lease time for the information in the DHCP binding database lasts more than a week. Alternatively, you can configure a DHCP server to re-allocate IP addresses to DHCP clients. In this way, you repopulate the lease database with current IP-to-MAC bindings. n The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports configured for dynamic IP lockdown. As new IP-to-MAC address and VLAN bindings are learned, a corresponding permit rule is dynamically created and applied to the port (preceding the final deny any vlan <VLAN_IDs> rule. These VLAN_IDs correspond to the subset of configured and enabled VLANs for which DHCP snooping has been configured. n For dynamic IP lockdown to work, a port must be a member of at least one VLAN that has DHCP snooping enabled. n Disabling DHCP snooping on a VLAN causes Dynamic IP bindings on Dynamic IP Lockdown-enabled ports in this VLAN to be removed. The port reverts back to switching traffic as usual.
Filtering IP and MAC addresses per-port and per-VLAN
This section contains an example that shows the following aspects of the Dynamic IP Lockdown feature:
n Internal Dynamic IP lockdown bindings dynamically applied on a per-port basis from information in the DHCP Snooping lease database and statically configured IP-to-MAC address bindings.
n Packet filtering using source IP address, source MAC address, and source VLAN as criteria.
In this example, the following DHCP leases have been learned by DHCP snooping on port 5. VLANs 2 and 5 are enabled for DHCP snooping.
Table 34: Sample DHCP snooping entries
IP Address 10.0.8.5 10.0.8.7 10.0.10.3
MAC Address 001122334455 001122334477 001122334433
VLAN ID 2 2 5
The following example shows an IP-to-MAC address and VLAN binding that have been statically configured in the lease database on port 5.
IP Address 10.0.10.1
MAC Address 001122110011
VLAN ID 5
Assuming that DHCP snooping is enabled and that port 5 is untrusted, dynamic IP lockdown applies the following dynamic VLAN filtering on port 5:
Aruba 2930M/F | Access Security Guide
485
Internal statements used by dynamic IP lockdown
permit 10.0.8.5 001122-334455 vlan 2 permit 10.0.8.7 001122-334477 vlan 2 permit 10.0.10.3 001122-334433 vlan 5 permit 10.0.10.1 001122-110011 vlan 5 deny any vlan 1-10 permit any
The deny any statement is applied only to VLANs for which DHCP snooping is enabled. The permit any statement is applied only to all other VLANs.
Enabling Dynamic IP Lockdown
Dynamic IPv6 Lockdown (DIPLDv6) is currently configurable through SNMP using MIBs. For more information, see the MIB and Trap Matrix.
IPv4
To enable dynamic IP lockdown on all ports or specified ports, enter this command at the global configuration level.
Syntax
ip source-lockdown <port-list> no ip source-lockdown <port-list>
port-list
Specifies one or more ports on which to enable IP source lockdown. Use the no form of the command to disable dynamic IP lockdown.
IPv4
To enable dynamic IP lockdown on all ports or specified ports, enter this command at the global configuration level.
Syntax
ip source-lockdown <port-list> no ip source-lockdown <port-list>
port-list
Specifies one or more ports on which to enable IP source lockdown. Use the no form of the command to disable dynamic IP lockdown. Enabling dynamic IPv6 source lockdown To enable dynamic IPv6 lockdown on all ports or specified ports, enter this command at the global configuration level.
486
Aruba 2930M/F | Access Security Guide
Syntax
ipv6 source-lockdown <port-list> no ipv6 source-lockdown <port-list>
port-list
Specifies one or more ports on which to enable IP source lockdown. Use the no form of the command to disable dynamic IP lockdown.
Enabling traps for dynamic IPv6 source lockdown Use this command to configure traps for IPv6 source lockdown.
Syntax
snmp-server enable traps dyn-ipv6-lockdown [[out-of-resources] | [violations]] no snmp-server enable traps dyn-ipv6-lockdown [[out-of-resources] | [violations]]
out-of-resources
Sends a trap message when resources are unavailable for configuring dynamic IPv6 source lockdown.
violations
Sends a trap message when a source lockdown violation occurs.
Enabling debug logging for dynamic IPv6 source lockdown
Syntax
debug dynamic-ipv6-lockdown [config|event|packet] no debug dynamic-ipv6-lockdown [config|event|packet]
config
Displays dynamic lockdown configuration messages.
event
Displays dynamic lockdown event messages.
packet
Displays dynamic lockdown packet messages.
Operational notes
n Dynamic IP lockdown is enabled at the port configuration level and applies to all bridged or routed IP packets entering the switch. The only IP packets that are exempt from dynamic IP lockdown are broadcast DHCP request packets, which are handled by DHCP snooping.
n DHCP snooping is a prerequisite for Dynamic IP Lockdown operation. The following restrictions apply: l DHCP snooping is required for dynamic IP lockdown to operate. To enable DHCP snooping, enter the dhcp-snooping command at the global configuration level. l Dynamic IP lockdown only filters packets in VLANs that are enabled for DHCP snooping. In order for Dynamic IP lockdown to work on a port, the port must be configured for at least one VLAN that is enabled for DHCP snooping. To enable DHCP snooping on a VLAN, enter the dhcp-snooping vlan [vlan-idrange] command at the global configuration level or the dhcp-snooping command at the VLAN configuration level.
Aruba 2930M/F | Access Security Guide
487
l Dynamic IP lockdown is not supported on a trusted port. (However, note that the DHCP server must be connected to a trusted port when DHCP snooping is enabled). By default, all ports are untrusted. To remove the trusted configuration from a port, enter the no dhcp-snooping trust <port-list> or no dhcp6snooping trust <port-list> command at the global configuration level.
n After you enter the ip source-lockdown command (enabled globally with the desired ports entered in <portlist> the dynamic IP lockdown feature remains disabled on a port if any of the following conditions exist: l If DHCP snooping has not been globally enabled on the switch. l If the port is not a member of at least one VLAN that is enabled for DHCP snooping. l If the port is configured as a trusted port for DHCP snooping. Dynamic IP lockdown is activated on the port only after you make the following configuration changes: l Enable DHCP snooping on the switch. l Configure the port as a member of a VLAN that has DHCP snooping enabled. l Remove the trusted-port configuration.
n You can configure dynamic IP lockdown only from the CLI; this feature cannot be configured from the WebAgent or menu interface.
n If you enable dynamic IP lockdown on a port, you cannot add the port to a trunk. n Dynamic IP lockdown must be removed from a trunk before the trunk is removed.
Adding an IP-to-MAC binding to the DHCP binding database
A switch maintains a DHCP binding database, which is used for dynamic IP lockdown as well as for DHCP and ARP packet validation. The DHCP snooping feature maintains the lease database by learning the IP-to-MAC bindings of VLAN traffic on untrusted ports. Each binding consists of the client MAC address, port number, VLAN identifier, leased IP address, and lease time. Dynamic IP lockdown supports a total of 4K static and dynamic bindings with up to 64 bindings per port. When DHCP snooping is enabled globally on a VLAN, dynamic bindings are learned when a client on the VLAN obtains an IP address from a DHCP server. Static bindings are created manually with the CLI or from a downloaded configuration file. When dynamic IP lockdown is enabled globally or on ports the bindings associated with the ports are written to hardware. This occurs during these events:
n Switch initialization n Hot swap n A dynamic IP lockdown-enabled port is moved to a DHCP snooping enabled VLAN n DHCP snooping or dynamic IP lockdown characteristics are changed such that dynamic IP lockdown is
enabled on the ports.
Potential issues with bindings
n When dynamic IP lockdown enabled, and a port or switch has the maximum number of bindings configured, the client DHCP request will be dropped and the client will not receive an IP address through DHCP.
n When dynamic IP lockdown is enabled and a port is configured with the maximum number of bindings, adding a static binding to the port will fail.
n When dynamic IP lockdown is enabled globally, the bindings for each port are written to hardware. If global dynamic IP lockdown is enabled and disabled several times, it is possible to run out of buffer space for additional bindings. The software will delay adding the bindings to hardware until resources are available.
488
Aruba 2930M/F | Access Security Guide
Adding a static binding
To add the static configuration of an IP-to-MAC binding for a port to the database, enter the ip source-binding command at the global configuration level. Use the no form of the command to remove the IP-to-MAC binding from the database.
Syntax
ip source-binding <mac-address> vlan <vlan-id> <ip-address> interface <port-number> no ip source-binding <mac-address> vlan <vlan-id> <ip-address> interface <port-number> <mac-address>
Specifies a MAC address to bind with a VLAN and IP address on the specified port in the DHCP binding database. <vlan-id> Specifies a VLAN ID number to bind with the specified MAC and IP addresses on the specified port in the DHCP binding database. <ip-address> Specifies an IP address to bind with a VLAN and MAC address on the specified port in the DHCP binding database. interface <port-number> Specifies the port number on which the IP-to- MAC address and VLAN binding is configured in the DHCP binding database. An example of the ip source-binding command is shown here:
switch(config)# ip source-binding 0030c1-7f49c0 interface vlan 100 10.10.20.1 interface A4
The ip source-binding command is the same command used by the Dynamic IP Lockdown feature to configure static bindings. The Dynamic ARP Protection and Dynamic IP Lockdown features share a common list of source IP-to-MAC bindings.
For IPv4
Syntax
ip source-binding <mac-address> vlan <vlan-id> <ip-address>interface <port-number> no ip source-binding <mac-address> vlan <vlan-id> <ip-address>interface <port-number>
mac-address
Specifies a MAC address to bind with a VLAN and IP address on the specified port in the DHCP binding database.
vlan-id
Specifies a VLAN ID number to bind with the specified MAC and IP addresses on the specified port in the DHCP binding database.
ip-address
Specifies an IP address to bind with a VLAN and MAC address on the specified port in the DHCP binding database.
Aruba 2930M/F | Access Security Guide
489
<port-number>
Specifies the port number on which the IP-to- MAC address and VLAN binding is configured in the DHCP binding database. An example of the ip source-binding command is shown here:
switch(config)# ip source-binding 0030c1-7f49c0 interface vlan 100 10.10.20.1 interface A4
The ip source-binding command is the same command used by the Dynamic IP Lockdown feature to configure static bindings. The Dynamic ARP Protection and Dynamic IP Lockdown features share a common list of source IP-to-MAC bindings.
For IPv6
Syntax
show ipv6 source-lockdown bindings [port-number]
Verifying the dynamic IP lockdown configuration
To display the ports on which dynamic IP lockdown is configured, enter the show ip source-lockdown status command at the global configuration level.
For IPv4
Syntax
ip source-binding <mac-address> vlan <vlan-id> <ip-address>interface <port-number> no ip source-binding <mac-address> vlan <vlan-id> <ip-address>interface <port-number>
mac-address
Specifies a MAC address to bind with a VLAN and IP address on the specified port in the DHCP binding database.
vlan-id
Specifies a VLAN ID number to bind with the specified MAC and IP addresses on the specified port in the DHCP binding database.
ip-address
Specifies an IP address to bind with a VLAN and MAC address on the specified port in the DHCP binding database.
<port-number>
Specifies the port number on which the IP-to- MAC address and VLAN binding is configured in the DHCP binding database. An example of the ip source-binding command is shown here:
switch(config)# ip source-binding 0030c1-7f49c0 interface vlan 100 10.10.20.1 interface A4
490
Aruba 2930M/F | Access Security Guide
The ip source-binding command is the same command used by the Dynamic IP Lockdown feature to configure static bindings. The Dynamic ARP Protection and Dynamic IP Lockdown features share a common list of source IP-to-MAC bindings.
For IPv6
Syntax
show ipv6 source-lockdown bindings [port-number]
Displaying the static configuration of IP-to-MAC bindings
To display the static configurations of IP-to-MAC bindings stored in the DHCP lease database, enter the show ip source-lockdown bindings or show ipv6 source-lockdown bindings command.
For IPv4
Syntax
ip source-binding <mac-address> vlan <vlan-id> <ip-address>interface <port-number> no ip source-binding <mac-address> vlan <vlan-id> <ip-address>interface <port-number>
mac-address
Specifies a MAC address to bind with a VLAN and IP address on the specified port in the DHCP binding database.
vlan-id
Specifies a VLAN ID number to bind with the specified MAC and IP addresses on the specified port in the DHCP binding database.
ip-address
Specifies an IP address to bind with a VLAN and MAC address on the specified port in the DHCP binding database.
<port-number>
Specifies the port number on which the IP-to- MAC address and VLAN binding is configured in the DHCP binding database. An example of the ip source-binding command is shown here: switch(config)# ip source-binding 0030c1-7f49c0 interface vlan 100 10.10.20.1 interface A4
The ip source-binding command is the same command used by the Dynamic IP Lockdown feature to configure static bindings. The Dynamic ARP Protection and Dynamic IP Lockdown features share a common list of source IP-to-MAC bindings.
For IPv6
Syntax
show ipv6 source-lockdown bindings [port-number]
Aruba 2930M/F | Access Security Guide
491
Debugging dynamic IP lockdown
To enable the debugging of packets dropped by dynamic IP lockdown, enter the debug dynamic-ip-lockdown command.
Syntax
debug dynamic-ip-lockdown
To send command output to the active CLI session, enter the debug destination session command.
Counters for denied packets are displayed in the debug dynamic-ip-lockdown command output. Packet counts are updated every five minutes. An example of the command output is shown in Output for the debug dynamic-iplockdown command on page 492. When dynamic IP lockdown drops IP packets in VLAN traffic that do not contain a known source IP-to-MAC address binding for the port on which the packets are received, a message is entered in the event log.
Output for the debug dynamic-ip-lockdown command
switch(config)# debug dynamic-ip-lockdown
DIPLD 01/01/90 00:01:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 1 packets DIPLD 01/01/90 00:06:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 294 packets DIPLD 01/01/90 00:11:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 300 packets DIPLD 01/01/90 00:16:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 300 packets DIPLD 01/01/90 00:21:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 299 packets DIPLD 01/01/90 00:26:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 300 packets DIPLD 01/01/90 00:31:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 300 packets DIPLD 01/01/90 00:36:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 299 packets DIPLD 01/01/90 00:41:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 300 packets
Using the instrumentation monitor
The instrumentation monitor can be used to detect anomalies caused by security attacks or other irregular operations on the switch. The following table shows the operating parameters that can be monitored at predetermined intervals, and the possible security attacks that may trigger an alert:
Table 35: Parameters for monitoring
Parameter name pkts-to-closed-ports
Description
The count of packets per minute sent to closed TCP/UDP ports. An excessive amount of packets could indicate a port scan, in which an attacker is attempting to expose a vulnerability in the switch.
492
Aruba 2930M/F | Access Security Guide
Parameter name arp-requests ip-address-count system-resource-usage
login-failures/min
port-auth-failures/min system-delay
mac-address-count mac-moves/min learn-discards/min
Description
The count of ARP requests processed per minute. A large amount of ARP request packets could indicate an host infected with a virus that is trying to spread itself.
The number of destination IP addresses learned in the IP forwarding table. Some attacks fill the IP forwarding table causing legitimate traffic to be dropped.
The percentage of system resources in use. Some Denial-of- Service (DoS) attacks will cause excessive system resource usage, resulting in insufficient resources for legitimate traffic.<12147483647> Set the threshold valuelow Low thresholdmed Medium thresholdhigh High threshold
The count of failed CLI login attempts or SNMP management authentication failures. This indicates an attempt has been made to manage the switch with an invalid login or password. Also, it might indicate a network management station has not been configured with the correct SNMP authentication parameters for the switch.
The count of times a client has been unsuccessful logging into the network.
The response time, in seconds, of the CPU to new network events such as BPDU packets or packets for other network protocols. Some DoS attacks can cause the CPU to take too long to respond to new network events, which can lead to a breakdown of Spanning Tree or other features. A delay of several seconds indicates a problem.
The number of MAC addresses learned in the forwarding table. Some attacks fill the forwarding table so that new conversations are flooded to all parts of the network.
The average number of MAC address moves from one port to another per minute. This usually indicates a network loop, but can also be caused by DoS attacks.
Number of MAC address learn events per minute discarded to help free CPU resources when busy.
Operating notes
n To generate alerts for monitored events, you must enable the instrumentation monitoring log and/or SNMP trap. The threshold for each monitored parameter can be adjusted to minimize false alarms (see Configuring instrumentation monitor on page 494.
n When a parameter exceeds its threshold, an alert (event log message and/or SNMP trap) is generated to inform network administrators of this condition. The following example shows an event log message that occurs when the number of MAC addresses learned in the forwarding table exceeds the configured threshold:
Figure 95 Event log message generated by instrumentation monitor
Aruba 2930M/F | Access Security Guide
493
Alerts are automatically rate limited to prevent filling the log file with redundant information. The following is an example of alerts that occur when the device is continually subject to the same attack (too many MAC addresses in this instance):
Figure 96 Rate limiting when multiple messages are generated
In the preceding example, if a condition is reported 4 times (persists for more than 15 minutes) then alerts cease for 15 minutes. If after 15 minutes the condition still exists, the alerts cease for 30 minutes, then for 1 hour, 2 hours, 4 hours, 8 hours, and after that the persisting condition is reported once a day. As with other event log entries, these alerts can be sent to a server. Known Limitations: The instrumentation monitor runs once every five minutes. The current implementation does not track information such as the port, MAC, and IP address from which an attack is received.
Configuring instrumentation monitor
The following commands and parameters are used to configure the operational thresholds that are monitored on the switch. By default, the instrumentation monitor is disabled.
Syntax
instrumentation monitor [parameterName|all] [<low|med|high|limitValue>] no instrumentation monitor [parameterName|all] [<low|med|high|limitValue>] [log]
Enables/disables instrumentation monitoring log so that event log messages are generated every time there is an event which exceeds a configured threshold. (Default threshold setting when instrumentation monitoring is enabled: enabled) [all]
Enables/disables all counter types on the switch but does not enable/disable instrumentation monitor logging. (Default threshold setting when enabled: see parameter listings below) [arp-requests]
The number of arp requests that are processed each minute. (Default threshold setting when enabled: 1000 med) [ip-address-count]
The number of destination IP addresses learned in the IP forwarding table. (Default threshold setting when enabled: 1000 med) [learn-discards]
The number of MAC address learn events per minute discarded to help free CPU resources when busy. (Default threshold setting when enabled: 100 med) [login-failures]
The count of failed CLI login attempts or SNMP management authentication failures per hour. (Default threshold setting when enabled: 10 med) [mac-address-count]
The number of MAC addresses learned in the forwarding table. You must enter a specific value in order to enable this feature. (Default threshold setting when enabled: 1000 med)
494
Aruba 2930M/F | Access Security Guide
[mac-moves] The average number of MAC address moves per minute from one port to another. (Default threshold setting when enabled: 100 med)
[pkts-to-closed-ports] The count of packets per minute sent to closed TCP/UDP ports. (Default threshold setting when enabled: 10 med)
[port-auth-failures] The count of times per minute that a client has been unsuccessful logging into the network. (Default threshold setting when enabled: 10 med)
[system-resource-usage] The percentage of system resources in use. (Default threshold setting when enabled: 50 med) <12147483647> Set the threshold value low Low threshold med Medium threshold high High threshold
[system-delay] The response time, in seconds, of the CPU to new network events such as BPDU packets or packets for other network protocols. (Default threshold setting when enabled: 3 seconds med)
[trap] Enables or disables SNMP trap generation. (Default setting when instrumentation monitoring is enabled: disabled)
To enable instrumentation monitor using the default parameters and thresholds, enter the general instrumentation monitor command. To adjust specific settings, enter the name of the parameter that you wish to modify, and revise the threshold limits as needed.
Examples
To turn on monitoring and event log messaging with the default medium values:
switch(config)# instrumentation monitor
To turn off monitoring of the system delay parameter:
switch(config)# no instrumentation monitor system-delay
To adjust the alert threshold for the MAC address count to the low value:
switch(config)# instrumentation monitor mac-address-count low
To adjust the alert threshold for the MAC address count to a specific value:
switch(config)# instrumentation monitor mac-address-count 767
To enable monitoring of learn discards with the default medium threshold value:
switch(config)# instrumentation monitor learn-discards
To disable monitoring of learn discards:
switch(config)# no instrumentation monitor learn-discards
To enable or disable SNMP trap generation:
Aruba 2930M/F | Access Security Guide
495
switch(config)# no instrumentation monitor trap
Viewing the current instrumentation monitor configuration
The show instrumentation monitor configuration command displays the configured thresholds for monitored parameters.
Viewing the instrumentation monitor configuration
switch# show instrumentation monitor configuration
PARAMETER
LIMIT
------------------------- ---------------
mac-address-count
1000 (med)
ip-address-count
1000 (med)
system-resource-usage
50 (med)
system-delay
5 (high)
mac-moves/min
100 (med)
learn-discards/min
100 (med)
ip-port-scans/min
10 (med)
arp-requests/min
100 (low)
login-failures/min
10 (med)
port-auth-failures/min 10 (med)
SNMP trap generation for alerts: enabled Instrumentation monitoring log : enabled
An alternate method of determining the current Instrumentation Monitor configuration is to use the show run command. However, the show run command output does not display the threshold values for each limit set.
496
Aruba 2930M/F | Access Security Guide
Chapter 25 Traffic/Security Filters and Monitors
Traffic/Security Filters and Monitors
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
Filter limits
The switch accepts up to 101 static filters. These limitations apply:
n Source-port filters: up to 78 n Multicast filters: up to 16 with 1024 or fewer VLANs configured. Up to 8 with more than 1024 VLANs
configured. n Protocol filters: up to 7
Using port trunks with filter
The switch manages a port trunk as a single source or destination for sourceport filtering. If you configure a port for filtering before adding it to a port trunk, the port retains the filter configuration, but suspends the filtering action while a member of the trunk. If you want a trunk to perform filtering, first configure the trunk, then configure the trunk for filtering. See Configuring a filter on a port trunk on page 507.
Filter types and operation
The following table represents the types of static filters and their selection criteria:
Table 36: Filter types and criteria
Static filter type Source-port Multicast Protocol
Selection criteria
Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis.
Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports (the default) or dropped on a per-port (destination) basis.
Inbound traffic having the selected frame (protocol) type will be forwarded or dropped on a per-port (destination) basis.
Source-port filters
This filter type enables the switch to forward or drop traffic from all end nodes on the indicated source-port to specific destination ports.
Aruba 2930M/F | Access Security Guide
497
Figure 97 Source-port filer application
Operating rules for source-port filters
n You can configure one source-port filter for each physical port and port trunk on the switch. (See Defining and configuring named source-port filters.)
n You can include all destination ports and trunks in the switch on a single source-port filter. n Each source-port filter includes:
l One source port or port trunk (trk1, trk2, ...trkn) l A set of destination ports and/or port trunks that includes all untrunked LAN ports and port trunks on the
switch l An action (forward or drop) for each destination port or port trunk When you create a source-port filter, the switch automatically sets the filter to forward traffic from the designated source to all destinations for which you do not specifically configure a "drop" action. Thus, it is not necessary to configure a source-port filter for traffic you want the switch to forward unless the filter was previously configured to drop the desired traffic. n When you create a source port filter, all ports and port trunks (if any) on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and/or subnets exist. Where traffic would normally be allowed between ports and/or trunks, the switch automatically forwards traffic to the outbound ports and/or trunks you do not specifically configure to drop traffic. (Destination ports that comprise a trunk are listed collectively by the trunk name--such as Trk1-- instead of by individual port name.) n Packets allowed for forwarding by a source-port filter are subject to the same operation as inbound packets on a port that is not configured for source-port filtering.
n With multiple IP addresses configured on a VLAN, and routing enabled on the switch, a single port or trunk can be both the source and destination of packets moving between subnets in that same VLAN. In this case, you can prevent the traffic of one subnet from being routed to another subnet of the same port by configuring the port or trunk as both the source and destination for traffic to drop.
Example
If you wanted to prevent server "A" from receiving traffic sent by workstation "X", but do not want to prevent any other servers or end nodes from receiving traffic from workstation "X", you would configure a filter to drop traffic from port 5 to port 7. The resulting filter would drop traffic from port 5 to port 7, but would forward all other traffic
498
Aruba 2930M/F | Access Security Guide
from any source port to any destination port. (See Figure 98: Filter blocking traffic only from Port 5 to Server A and Figure 99: Filter for the actions shown in Filter blocking traffic only from Port 5 to Server A. Figure 98 Filter blocking traffic only from Port 5 to Server A
Figure 99 Filter for the actions shown in Filter blocking traffic only from Port 5 to Server A
Name source-port filters
You can specify named source-port filters that may be used on multiple ports and port trunks. A port or port trunk can only have one source-port filter, but by using this capability you can define a source-port filter once and apply it to multiple ports and port trunks. This can make it easier to configure and manage source-port filters on your switch. The commands to define, configure, apply, and display the status of named source-port filters are described below.
Operating rules for named source-port filters
n A port or port trunk may only have one source-port filter, named or not named. n A named source-port filter can be applied to multiple ports or port trunks. n Once a named source-port filter is defined, subsequent changes only modify its action, they don't replace it. n To change the named source-port filter used on a port or port trunk, the current filter must first be removed,
using the no filter source-port named-filter <filter-name> command. n A named source-port filter can only be deleted when it is not applied to any ports.
Aruba 2930M/F | Access Security Guide
499
Defining and configuring named source-port filters
The named source-port filter command operates from the global configuration level.
Syntax
filter source-port named-filter <filter-name> no filter source-port named-filter <filter-name> Defines or deletes a named source-port filter. The <filter-name> may contain a maximum of 20 alpha-numeric characters (longer names may be specified, but they are not displayed.) A filter-name cannot be a valid port or port trunk name. The maximum number of named source-port filters that can be used is equal to the number of ports on a switch. A named source-port filter can only be removed if it is not in use (use the show filter source-port command to check the status). Named source-port filters are not automatically deleted when they are no longer used. Use the no option to delete an unused named source-port filter.
Syntax
filter source-port named-filter <filter-name> drop <destination-port-list> Configures the named source-port filter to drop traffic having a destination on the ports and/or port trunks in the <destination-port-list>. Can be followed by the forwardoption if you have other destination ports or port trunks previously set to drop that you want to change to forward. For example:
filter source-port named-filter <filter-name> drop <destination-port-list> forward <destination-port-list
The destination-port-list may contain ports, port trunks, and ranges (for example 3-7 or trk4-trk9) separated by commas.
Syntax
filter source-port named-filter <filter-name> forward <destination-port-list> Configures the named source-port filter to forward traffic having a destination on the ports and/or port trunks in the <destination-port-list>. Since "forward" is the default state for destinations in a filter, this command is useful when destinations in an existing filter are configured for "drop" and you want to change them to "forward". Can be followed by the dropoption if you have other destination ports set to forward that you want to change to drop. For example:
filter source-port named-filter <filter-name> forward <destination-port-list> drop <destination-port-list>
A named source-port filter must first be defined and configured before it can be applied. In the following example two named source-port filters are defined, web-only and accounting. switch(config)# filter source-port named-filter web-only switch(config)# filter source-port named-filter accounting By default, these two named source-port filters forward traffic to all ports and port trunks. To configure a named source-port filter to prevent inbound traffic from being forwarded to specific destination switch ports or port trunks, the dropoption is used. For example, on a 26-port switch, to configure the named source-port filter web-only to drop any traffic except that for destination ports 1 and 2, the following command would be used: switch(config)# filter source-port named-filter web-only drop 3-26
500
Aruba 2930M/F | Access Security Guide
A named source-port filter can be defined and configured in a single command by adding the drop option, followed by the required destination-port-list.
Viewing a named source-port filter
You can list all source-port filters configured in the switch, both named and unnamed, and their action using the show command below.
Syntax
show filter source-port Displays a listing of configured source-port filters, where each filter entry includes a Filter Name, Port List, and Action:
Filter Name
The filter-name used when a named source-port filter is defined. Non-named source-port filters are automatically assigned the port or port trunk number of the source port.
Port List
Lists the port and port trunk destinations using the filter. Named source-port filters that are not in use display NOT USED.
Action
Lists the ports and port trunks dropped by the filter. If a named source-port filter has been defined but not configured, this field is blank.
[index]
For the supplied index (IDX) displays the action taken (Drop or Forward) for each destination port on the switch.
Using named source-port filters
A company wants to manage traffic to the Internet and its accounting server on a 26-port switch. Their network is pictured in Figure 100: Network configuration for named source-port filters. Switch port 1 connects to a router that provides connectivity to a WAN and the Internet. Switch port 7 connects to the accounting server. Two workstations in accounting are connected to switch ports 10 and 11.
Figure 100 Network configuration for named source-port filters
Example
Aruba 2930M/F | Access Security Guide
501
While named source-port filters may be defined and configured in two steps, this is not necessary. Here we define and configure each of the named source-port filters for our example network in a single step. Figure 101 Applying example named source-port filters
Once the named source-port filters have been defined and configured we now apply them to the switch ports. Figure 102 Source port filters applied to switch ports The show filter command shows what ports have filters applied.
502
Aruba 2930M/F | Access Security Guide
Figure 103 Example of the show filter command
Using the IDX value in the show filter command, we can see how traffic is filtered on a specific port (Value). The two outputs below show a non-accounting and an accounting switch port. Figure 104 Showing traffic filtered on specific ports
The same command, using IDX 26, shows how traffic from the Internet is handled.
Aruba 2930M/F | Access Security Guide
503
Figure 105 Source port filtering with internet traffic
As the company grows, more resources are required in accounting. Two additional accounting workstations are added and attached to ports 12 and 13. A second server is added attached to port8.
Figure 106 Expanded network configuration for named source-port filters
The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command.
Network traffic management with source port filters
switch(config)# filter source-port named-filter accounting forward 8,12,13 switch(config)# filter source-port named-filter no-incoming-web drop 8,12,13 switch(config)# show filter source-port
Traffic/Security Filters
Filter Name
| Port List
| Action
------------------ + ----------------- + ----------------
web-only
| 2-6,8-9,12-26
| drop 2-26
accounting
| 7,10-11
| drop 1-6,9,14-26
no-incoming-web | 1
| drop 7-8,10-13
504
Aruba 2930M/F | Access Security Guide
We next apply the updated named source-port filters to the appropriate switch ports. As a port can only have one source-port filter (named or not named), before applying the new named source-port filters we first remove the existing source-port filters on the port.
No filter source-port
switch(config)# no filter source-port 8,12,13 switch(config)# filter source-port 8,12,13 named-filter accounting
The named source-port filters now manage traffic on the switch ports as shown below, using the show filter source-port command.
Named source-port filters managing traffic
switch(config)# show filter source-port
Traffic/Security Filters
Filter Name
| Port List
| Action
------------------ + ----------------- + ----------------
web-only
| 2-6,8-9,14-26
| drop 2-26
accounting
| 7-8,10-13
| drop 1-6,9,14-26
no-incoming-web | 1
| drop 7-8,10-13
Static multicast filters
This filter type enables the switch to forward or drop multicast traffic to a specific set of destination ports. This helps to preserve bandwidth by reducing multicast traffic on ports where it is unnecessary, and to isolate multicast traffic to enhance security.
You can configure up to 16 static multicast filters (defined by the filter command). However, if an IGMPcontrolled filter for a joined multicast group has the same multicast address as a static multicast filter configured on a given port, the IGMP-controlled filter overrides the static multicast filter configured on that port. Note that in the default configuration, IGMP is disabled on VLANs configured in the switch. To enable IGMP on a specific VLAN, use the vlan <vid> ip igmp command. (For more on this command, see "Multimedia Traffic Control with IP Multicast (IGMP)" in the multicast and routing guide for your switch.)
The total of static multicast filters and IGMP multicast filters together can range from 389 to 420, depending on the current max-vlans setting in the switch. If multiple VLANs are configured, then each filter is counted once per VLAN in which it is used.
Table 37: Multicast filer limits Max-VLANs setting
1 (minimum) 8 (default) 32 or higher
Max # multicast filters (static and IGMP combined) 420
413
389
Per-Port IP Multicast Filters
Aruba 2930M/F | Access Security Guide
505
The static multicast filters described in this section filter traffic having a multicast address you specify. To filter all multicast traffic on a per-VLAN basis, see "Configuring and Displaying IGMP" in the multicast and routing guide for your switch.
IP Multicast Filters
Multicast filters are configured using the Ethernet format for the multicast address. IP multicast addresses occur in the range of 224.0.0.0 through 239.255.255.255 (which corresponds to the Ethernet multicast address range of 01005e-000000 through 01005e-7fffff). Any static Traffic/ Security filters configured with a multicast filter type and a multicast address in this range will continue to be in effect unless IGMP learns of a multicast group destination in this range. In this case, IGMP takes over the filtering function for the multicast destination address (es) for as long as the IGMP group is active. If the IGMP group subsequently deactivates, the static filter resumes control over traffic to the multicast address.
If Spanning Tree is enabled, then the MSTP multicast MAC address (0180c2- 000000) should not be filtered. (STP will not operate properly if the MSTP multicast MAC address is filtered.)
Protocol filters
This filter type enables the switch to forward or drop, on the basis of protocol type, traffic to a specific set of destination ports on the switch. Filtered protocol types include:
n Appletalk n ARP n IPX n NetBEUI n SNA
Only one filter for a particular protocol type can be configured at any one time. For example, a separate protocol filter can be configured for each of the protocol types listed above, but only one of those can be an IP filter. Also, the destination ports for a protocol filter can be on different VLANs. You can configure up to seven protocol filters.
Configuring traffic/security filters
Use this procedure to specify the type of filters to use on the switch and whether to forward or drop filtered packets for each filter you specify.
Procedure
1. Select the static filter type(s). 2. For inbound traffic matching the filter type, determine the filter action you want for each outbound
(destination) port on the switch (forward or drop). The default action for a new filter is to forward traffic of the specified type to all outbound ports. 3. Configure the filter. 4. Use show filter to check the filter listing to verify that you have configured correct action for the desired outbound ports.
506
Aruba 2930M/F | Access Security Guide
Configuring a source-port traffic filter
Syntax
filter [source-port <port-number|trunk-name>] no filter [source-port <port-number|trunk-name>] Specifies one inbound port or trunk. Traffic received inbound on this interface from other devices will be filtered. The no form of the command deletes the source-port filter for <port-number> and returns the destination ports for that filter to the Forward action. (Default: Forward on all ports.)
If multiple VLANs are configured, the source-port and the destination port(s) must be in the same VLAN unless routing is enabled. Similarly, if a VLAN containing both the source and destination is multinetted, the source and destination ports and/or trunks must be in the same subnet unless routing is enabled.
Syntax
[drop] <destination-port-list> [forward <port-list>] Configures the filter to drop traffic for the ports and/or trunks in the designated <destination-port-list>. Can be followed by forward <destination-port-list> if you have other destination ports set to dropthat you want to change to forward. If no drop or forward action is specified, the switch automatically creates a filter with a forward action from the designated source port (or trunk) to all destination ports (or trunks) on the switch.
Syntax
[forward] <port-list> Configures the filter to forward traffic for the ports and/ or trunks in the designated <destination-port-list>. Because forwardis the default state for destinations in a filter, this command is useful when destinations in an existing filter are configured for drop and you want to change them to forward. Can be followed by drop <destination-port-list> if you have other destination ports set to forward that you want to change to drop. If no drop or forward action is specified, the switch automatically creates a filter with a forward action from the designated source port (or trunk) to all destination ports (or trunks) on the switch.
Example
For example, assume that you want to create a source-port filter that drops all traffic received on port 5 with a destination of port trunk 1 (Trk1) and any port in the range of port 10 to port 15. To create this filter you would execute this command:
switch(config)# filter source-port 5 drop trk1,10-15
Later, suppose you wanted to shift the destination port range for this filter up by two ports; that is, to have the filter drop all traffic received on port 5 with a destination of any port in the range of port 12 to port 17. (The Trk1 destination is already configured in the filter and can remain as-is.)With one command you can restore forwarding to ports 10 and 11 while adding ports 16 and 17 to the "drop" list:
switch(config)# filter source-port 5 forward 10-11 drop 16-17
Configuring a filter on a port trunk
This operation uses the same command as is used for configuring a filter on an individual port. However, the configuration process requires two steps:
Aruba 2930M/F | Access Security Guide
507
1. Configure the port trunk. 2. Configure a filter on the port trunk by using the trunk name (trk1, trk2, ...trk6) instead of a port name.
For example, to create a filter on port trunk 1 to drop traffic received inbound for trunk 2 and ports 10-15:
switch(config)# filter source-port trk1 drop trk2,10-15
Note that if you first configure a filter on a port and then later add the port to a trunk, the port remains configured for filtering but the filtering action will be suspended while the port is a member of the trunk. That is, the trunk does not adopt filtering from the port configuration. You must still explicitly configure the filter on the port trunk. If you use the show filter <index> command for a filter created before the related source port was added to a trunk, the port number appears between asterisks ( * ), indicating that the filter action has been suspended for that filter. For example, if you create a filter on port 5, then create a trunk with ports 5 and 6, and display the results, you would see the following:
Figure 107 Switch response to adding a filtered source port to a trunk
Editing a source-port filter
The switch includes in one filter the action(s) for all destination ports and/or trunks configured for a given source port or trunk. Thus, if a source-port filter already exists and you want to change the currently configured action for some destination ports or trunks, use the filter source-port command to update the existing filter. For example, suppose you configure a filter to drop traffic received on port 8 and destined for ports 1 and 2. The resulting filter is shown on the left in Assigning additional destination ports to an existing filter on page 509. Later, you update the filter to drop traffic received on port 8 and destined for ports 3 through 5. Since only one filter exists
508
Aruba 2930M/F | Access Security Guide
for a given source port, the filter on traffic from port 8 appears as shown on the right in Assigning additional destination ports to an existing filter on page 509:
Assigning additional destination ports to an existing filter
switch(config)# show filter 1 Traffic/Security Filters Filter Type : Source Port Source Port : 8
switch(config)# show filter 1 Traffic/Security Filters Filter Type : Source Port Source Port : 8
Dest Port Type
| Action
--------- --------- + -------
1
100/1000T | Drop
2
100/1000T | Drop
3
100/1000T | Forward
4
100/1000T | Forward
5
100/1000T | Forward
6
100/1000T | Forward
7
100/1000T | Forward
Dest Port Type
| Action
--------- --------- + -------
1
100/1000T | Drop
2
100/1000T | Drop
3
100/1000T | Drop
4
100/1000T | Drop
5
100/1000T | Drop
6
100/1000T | Forward
7
100/1000T | Forward
Configuring a multicast filter
Syntax
filter no filter [multicast <mac-address>]
Specifies a multicast address. Inbound traffic received (on any port) with this multicast address will be filtered. (Default: Forward on all ports.) The no form of the command deletes the multicast filter for the <mac-address> multicast address and returns the destination ports for that filter to the Forward action. [<forward|drop> <port-list>] Specifies whether the designated destination port(s) should forward or drop the filtered traffic.
Example
Suppose you wanted to configure the filters in the following table on a switch. (For more on source-port filters, see Configuring a source-port traffic filter on page 507.
Table 38: Filter example
Filter type Filter value
Action
source-port Inbound ports: 1, 21 Drop
multicast
010000-123456
Drop
multicast
010000-224466
Drop
protocol
Appletalk
Drop
protocol
ARP
Drop
Destination ports 1-4 5-8, 9-12 13-15 16-19, 1 22, 23-24
1*Because the switch allows one inbound port in a source-port filter, the requirement to filter ports 1 and 2 means you will configure two separate source-port filters.
Aruba 2930M/F | Access Security Guide
509
The following commands configure the filters listed above:
Configuring various traffic/security filters
switch(config)# filter source-port 1 drop e 1-4 switch(config)# filter source-port 2 drop 1-4 switch(config)# filter multicast 010000-123456 drop e 5-8,9-12 switch(config)# filter multicast 010000-224466 drop e 13-15 switch(config)# filter protocol appletalk drop e 16-19,1 switch(config)# filter protocol arp drop e 22,23-24
Filtering index
The switch automatically assigns each new filter to the lowest-available index (IDX) number. The index numbers are included in the show filter command described in the next section and are used with the show filter <index> command to display detailed information about a specific filter. If there are no filters currently configured, and you create three filters in succession, they will have index numbers 1-3. However, if you then delete the filter using index number "2" and then configure two new filters, the first new filter will receive the index number "2" and the second new filter will receive the index number "4". This is because the index number "2" was made vacant by the earlier deletion, and was therefore the lowest index number available for the next new filter.
Displaying traffic/security filters
This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters.
Syntax
show filter Lists the filters configured in the switch, with corresponding filter index (IDX) numbers. IDX: An automatically assigned index number used to identify the filter for a detailed information listing. A filter retains its assigned IDX number for as long as the filter exists in the switch. The switch assigns the lowest available IDX number to a new filter. This can result in a newer filter having a lower IDX number than an older filter if a previous filter deletion created a gap in the filter listing.
Filter Type
Indicates the type of filter assigned to the IDX number (source-port, multicast, or protocol).
Value
Indicates the port number or port-trunk name of the source port or trunk assigned to the filter. [index]
Lists the filter type and other data for the filter corresponding to the index number in the show filter output. Also lists, for each outbound destination port in the switch, the port number, port type, and filter action (forward or drop). The switch assigns the lowest available index number to a new filter. If you delete a filter, the index number for that filter becomes available for the next filter you create.
510
Aruba 2930M/F | Access Security Guide
Figure 108 Displaying filter data
Advanced Threat Detection
Enables an Aruba OS switch to accept different filters for different syslog servers. Filtering of syslog messages is a requirement for ClearPass, Niara, or any other threat detection systems in an effort to curb security threats.
logging
Syntax
logging <IP-ADDR> [UDP 1024-49151 | TCP 1024-49151] filter <FILTER-NAME>
no logging <IP-ADDR> [UDP 1024-49151 | TCP 1024-49151] filter <FILTER-NAME>
Description
Enables the configuration of a named filter to a specific server. The attributes associated with this defined filter will be applied to the chosen server. The no form of this command removes the associated filter from the designated server.
Command context
Config
Parameters
Aruba 2930M/F | Access Security Guide
511
<p-addr>
Specifies the IP address for logging into the syslog server.
<udp 1024-65535 | tcp 1024-65535>
Specifies the configuration of the UDP or TCP transport protocol for the transmission of logging messages to a syslog server.
<filter-name>
Specifies the file to be filtered in syslog server.
Examples
Logging to syslog server using IP address
switch# logging <IP-ADDR><UDP 1024-49151 | TCP 1024-49151> filter <FILTER-NAME> logging 10.10.10.1 tcp 2500 filter cppm_filter
switch# logging <IP-ADDR> filter <FILTER-NAME> logging 10.10.10.1 filter cppm_filter
logging filter
Syntax
logging filter <NAME> [per-ip] [severity <SEVERITY> | event-list <NUM-RANGE> [permit|deny] | system-module <MODULE-NAME>] no logging filter <NAME> [per-ip] [severity <SEVERITY> | event-list <NUM-RANGE> [permit|deny]| system-module <MODULE-NAME>]
Description
Creates a syslog filter in the logging context. The per-ip filter is enabled by default. Using PER-IP filter, you can create the global filter to match on few event logs to be sent to the syslog servers. However, this filter will automatically get applied on all the syslog servers configured on switch. It is not possible to apply the filter on few servers. Hence, PER-IP filter is created to match on few event logs based on event-id, severity and system modules. For more information on PER-IP filters, see the IPv6 Guide for your switch. The no form of this command removes the per-ip filter.
Command context
Config
Parameters
<NAME>
Specifies the name that identifies the filter.
<SEVERITY>
Specifies the severity of an event-major, warning, error, info or debug.
<NUM-RANGE>
Specifies an event number list to match. User can create either permit list or deny list.
512
Aruba 2930M/F | Access Security Guide
<MODULE-NAME>
Specifies the system module name.
Example
Creating Per IP severity: switch# logging filter <NAME> [per-ip] [severity <SEVERITY>] logging filter cppm_filter per-ip severity major
Creating Per IP Event list: switch# logging filter <NAME> [per-ip] [event-list <EVENT-NUM-RANGE>] [permit|deny] logging filter cppm_filter per-ip event-list 2-4 permit
Creating Per IP System Module: switch# logging filter <NAME> [per-ip] [system-module <module-name>] logging filter cppm_filter per-ip system-module igmp
Creating a Default Per IP filter: switch# logging filter <NAME> [per-ip] [default] logging filter cppm_filter per-ip default
Creating Per IP filter on server: switch# logging filter <IP> filter [per-ip] logging 192.123.4.5 filter cppm_filter
logging filter enable | disable
Syntax
logging filter <NAME> enable | disable no logging filter <NAME> enable | disable
Description
Enables a log filter. In case of global filter, only one filter can be enabled at a time. An enabled filter automatically disables a previously enabled filter. The no form of this command will remove the enable | disable filter.
Command context
Config
Parameters
<NAME>
Specifies the name that identifies the filter.
Examples
switch# logging filter <NAME> enable | disable logging filter cppm_filter enable
show logging filter
Syntax
Show logging filter [<NAME> | per-ip]
Description
Aruba 2930M/F | Access Security Guide
513
This command displays the filter information of syslog server.
Command context
config
Examples
switch (config)# show logging filter
Name -----------aaa bbb global
Enabled ---------Yes Yes No
IP Address ---------------111.222.222.111... 1.2.3.4
switch (config)# show logging filter per-ip Status and Counters - Per IP Log Filters Information
Name
: Policy1
Severity
: MAJOR
System Module
: snmp dldp
Event Action
: Permit
Event List
: permit
Regular Exp Action : Permit
Regular Exp
: Null
Name
: Policy2
Severity
: MAJOR
System Module
: snmp dldp
Event Action
: Permit
Event List
: 1-45
Regular Exp Action : Permit
Regular Exp
: Null
switch (config)# show logging filter aaa Status and Counters - Per IP Log Filters Information
Name
: aaa
IP Support : Yes
URL Support : No
IP Address -------------1.2.3.4 4.3.2.1 10.1.2.3 20.1.2.3 40.1.2.3
URL ----https://ARUBA-CENTRAL-URL1:8080/
Type
Value
Action
-------------- -------------- --------------
Severity
major
Default
show syslog configuration Syntax
514
Aruba 2930M/F | Access Security Guide
show syslog configuration
Description
This command display the syslog server configuration. If the server is associated with the Per IP filter, then the show command will display the Per IP as Yes.
Command context
config
Example
switch (config)# show syslog configuration
Syslog Facility
: user
Syslog Severity
: debug
Syslog System Module
: all-pass
Syslog Priority Description :
Syslog Server Details:
Syslog Server Address ----------------------1.2.3.4 2.3.4.5
L4 ---UDP UDP
Port -----514 2500
Syslog Control Descr ----------------------
PerIp ----No Yes
Aruba 2930M/F | Access Security Guide
515
Chapter 26 Configuring Port and User-Based Access
Control (802.1X)
Configuring Port and User-Based Access Control (802.1X)
Overview
Why use port or user-based access control?
Local Area Networks are often deployed in a way that allows unauthorized clients to attach to network devices, or allows unauthorized users to get access to unattended clients on a network. Also, the use of DHCP services and zero configuration make access to networking services easily available. This exposes the network to unauthorized use and malicious attacks. While access to the network should be made easy, uncontrolled and unauthorized access is usually not desirable. 802.1X simplifies security management by providing access control along with the ability to control user profiles from up to three RADIUS servers while allowing a given user to use the same entering valid user credentials for access from multiple points within the network.
General features
802.1X on the switches covered in this guide includes the following:
n Switch operation as both an authenticator (for supplicants having a point-to-point connection to the switch) and as a supplicant for point-to-point connections to other 802.1X-aware switches. l Authentication of 802.1X access using a RADIUS server and either the EAP or CHAP protocol. l Provision for enabling clients that do not have 802.1 supplicant software to use the switch as a path for downloading the software and initiating the authentication process (802.1X Open VLAN mode). l User-Based access control option with support for up to 32 authenticated clients per-port. l Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication. l Supplicant implementation using CHAP authentication and independent user credentials on each port.
n The local operator password configured with the password command for management access to the switch is no longer accepted as an 802.1X authenticator credential. The password port-access command configures the local operator username and password used as 802.1X authentication credentials for access to the switch. The values configured can be stored in a configuration file using the include-credentials command. For information about the password port-access command, see General setup procedure for 802.1X access control.
n On-demand change of a port's configured VLAN membership status to support the current client session. n Session accounting with a RADIUS server, including the accounting update interval.
n Use of show commands to display session counters.
n Support for concurrent use of 802.1X and either Web authentication or MAC authentication on the same port. n For unauthenticated clients that do not have the necessary 802.1X supplicant software (or for other reasons
related to unauthenticated clients), there is the option to configure an Unauthorized-Client VLAN. This mode
Aruba 2930M/F | Access Security Guide
516
allows you to assign unauthenticated clients to an isolated VLAN through which you can provide the necessary supplicant software and/or other services you want to extend to these clients.
User authentication methods
The switch offers two methods for using 802.1X access control. Generally, the "Port Based" method supports one 802.1X-authenticated client on a port, which opens the port to an unlimited number of clients. The "UserBased" method supports up to 32 802.1X-authenticated clients on a port. In both cases, there are operating details to be aware of that can influence your choice of methods.
802.1X user-based access control
802.1X operation with access control on a per-user basis provides client-level security that allows LAN access to individual 802.1X clients (up to 32 per port), where each client gains access to the LAN by entering valid user credentials. This operation improves security by opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenticated. All sessions must use the same untagged VLAN. Also, an authenticated client can use any tagged VLAN memberships statically configured on the port, provided the client is configured to use the tagged VLAN memberships available on the port. Note: The session total includes any sessions begun by the Web Authentication or MAC Authentication features covered in Option for authenticator ports: configure port-security to allow only 802.1X-authenticated devices on page 538.
802.1X port-based access control
802.1X port-based access control provides port-level security that allows LAN access only on ports where a single 802.1X-capable client (supplicant) has entered authorized RADIUS user credentials. For reasons outlined below, this option is recommended for applications where only one client at a time can connect to the port. Using this option, the port processes all IP traffic as if it comes from the same client. Thus, in a topology where multiple clients can connect to the same port at the same time:
n If the first client authenticates and opens the port, and then another client authenticates, the port responds as if the original client has initiated a reauthentication. With multiple clients authenticating on the port, the RADIUS configuration response to the latest client authentication replaces any other configuration from an earlier client authentication. If all clients use the same configuration this should not be a problem. But if the RADIUS server responds with different configurations for different clients, then the last client authenticated will effectively lock out any previously authenticated client. When any client to authenticate closes its session, the port will also close and remain so until another client successfully authenticates.
n The most recent client authentication determines the untagged VLAN membership for the port. Also, any client able to use the port can access any tagged VLAN memberships statically configured on the port, provided the client is configured to use the available, tagged VLAN memberships.
n If the first client authenticates and opens the port, and then one or more other clients connect without trying to authenticate, then the port configuration as determined by the original RADIUS response remains unchanged and all such clients will have the same access as the authenticated client. When the authenticated client closes the session, the port will also be closed to any other, unauthenticated clients that may have also been using the port.
This operation unblocks the port while an authenticated client session is in progress. In topologies where simultaneous, multiple client access is possible this can allow unauthorized and unauthenticated access by another client while an authenticated client is using the port. If you want to allow only authenticated clients on the port, then user-based access control should be used instead of port-based access control. Using the user-based method enables you to specify up to 32 authenticated clients. See 802.1X user-based access control on page 517.
517
Aruba 2930M/F | Access Security Guide
Alternative to using a RADIUS server
Note that you can also configure 802.1X for authentication through the switch local username and password instead of a RADIUS server, but doing so increases the administrative burden, decentralizes user credential administration, and reduces security by limiting authentication to one operator password set for all users.
Accounting
The switches covered in this guide also provide RADIUS Network accounting for 802.1X access. See RADIUS Authentication, Authorization, and Accounting on page 164.
General 802.1X authenticator operation
This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode, see 802.1X Open VLAN mode on page 530.
Example of the authentication process
Suppose that you have configured a port on the switch for 802.1X authentication operation, which blocks access to the LAN through that port. If you then connect an 802.1X-aware client (supplicant) to the port and attempt to log on:
1. The switch responds with an identity request. 2. The client responds with a user name that uniquely defines this request for the client. 3. The switch responds in one of the following ways:
n If 802.1X on the switch is configured for RADIUS authentication, the switch then forwards the request to a RADIUS server. a. The server responds with an access challenge which the switch forwards to the client. b. The client then provides identifying credentials (such as a user certificate), which the switch forwards to the RADIUS server. c. The RADIUS server then checks the credentials provided by the client. d. If the client is successfully authenticated and authorized to connect to the network, then the switch allows access to the client. Otherwise, access is denied and the port remains blocked for that client.
n If 802.1X on the switch is configured for local authentication, then: a. The switch compares the client credentials to the username and password configured in the switch (operator level). b. If the client is successfully authenticated and authorized to connect to the network, then the server notifies the switch to allow access to the client. Otherwise, access is denied and the port remains blocked.
VLAN membership priority
Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration. The port also becomes an untagged member of one VLAN according to the following order of options:
Procedure
Aruba 2930M/F | Access Security Guide
518
1. 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during client authentication.
2. 2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the VLAN entered in the port's 802.1X configuration as an Authorized-Client VLAN, if configured.
3. 3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have a static, untagged VLAN membership in its configuration, then the switch assigns the port to this VLAN.
A port assigned to a VLAN by an Authorized-Client VLAN configuration (or a RADIUS server) will be an untagged member of the VLAN for the duration of the authenticated session. This applies even if the port is also configured in the switch as a tagged member of the same VLAN.
After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port belongs to a tagged VLAN used for 1 or 2 above, then it operates as an untagged member of that VLAN while the client is connected. When the client disconnects, the port reverts to tagged membership in the VLAN.
General operating rules and notes
n Public keys generated on an SSH client must be exportable to the switch. The switch can store 10 client key pairs.
n The switch public/private key pair and the (optional) client public-key file are stored permanently in the switch memory and are unaffected by the erase startup-config command.
n Once you generate a key pair on the switch, you must avoid regenerating the key pair without a compelling reason. Otherwise, you must reintroduce the switch public key on all management stations (clients) you previously set up for SSH access to the switch. This can temporarily allow security breaches.
n The switch does not support outbound SSH sessions. Thus, if you Telnet from an SSH-secure switch to another SSH-secure switch, the session is not secure.
n With SSH running, the switch allows one console session and up to five other sessions (SSH and/or Telnet).
General setup procedure for 802.1X access control
Do these steps before you configure 802.1X operation.
Procedure
1. Configure a local username and password on the switch for both the operator (login) and manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, Hewlett Packard Enterprise recommends that you use a local username and password pair at least until your other security measures are in place.)
password <operator|manager|all> [user-name <name>] <password> Configures the operator username and password used to access the network through 802.1X authentication. 2. Determine the switch ports that you want to configure as authenticators and/or supplicants, and disable LACP on these ports. To display the current configuration of 802.1X, Web-based, and MAC authentication on all switch ports, enter the show port-access config command.
519
Aruba 2930M/F | Access Security Guide
Output for the show port-access config command switch (config)# show port-access config
Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Supplicant Authenticator Web-Auth Mac-Auth LMA-Auth Ctrl
Port Enabled Enabled
Enabled Enabled Enabled Dir
---- --------- ------------ -------- -------- -------- -----
C1 No
Yes
No
No
No
In
C2 No
Yes
No
No
No
Both
C3 No
Yes
No
No
No
Both
C4 No
Yes
No
No
Yes
Both
...
Mixed Speed Mode VSA MBV ---- ---- --No Yes Yes Yes Yes Yes No No Yes No Yes Yes
3. Determine whether to use user-based access control or port-based access control.
4. Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware; that is, for clients that are not running 802.1X supplicant software. (This will require you to provide downloadable software that the client can use to enable an authentication session.) See 802.1X Open VLAN mode on page 530.
5. For any port you want to operate as a supplicant, determine the user credentials. You can either use the same credentials for each port or use unique credentials for individual ports or subgroups of ports. (This can also be the same local username/password pair that you assign to the switch.)
6. Unless you are using only the switch's local username and password for 802.1X authentication, configure at least one RADIUS server to authenticate access requests coming through the ports on the switch from external supplicants (including switch ports operating as 802.1X supplicants). You can use up to three RADIUS servers for authentication; one primary and two backups. See the documentation provided with your RADIUS application.
Overview: configuring 802.1X authentication on the switch
This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, see the following:
n 802.1X user-based access control on page 517 n 802.1X port-based access control on page 517 n Configuring switch ports to operate as supplicants for 802.1X connections to other switches on page 539
1. Enable 802.1X user-based or port-based authentication on the individual ports you want to serve as authenticators. On the ports you will use as authenticators, either accept the default 802.1X settings or change them, as necessary. Note that, by default, the port-control parameter is set to auto for all ports on the switch. This requires a client to support 802.1X authentication and to provide valid credentials to get network access. See Enable 802.1X authentication on selected ports on page 521.
2. If you want to provide a path for clients without 802.1X supplicant software to download the software so that they can initiate an authentication session, enable the 802.1X Open VLAN mode on the ports you want to support this feature. See 802.1X Open VLAN mode on page 530.
3. Configure the 802.1X authentication type. Options include: n Local operator username and password (the default). This option allows a client to use the switch's local username and password as valid 802.1X credentials for network access.. n EAP RADIUS: This option requires your RADIUS server application to support EAP authentication for 802.1X
Aruba 2930M/F | Access Security Guide
520
n CHAP (MD5) RADIUS: This option requires your RADIUS server application to support CHAP (MD5) authentication. See Configuring the 802.1X authentication method on page 525.
4. If you select either eap-radius or chap-radius for step 3, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. See Enter the RADIUS host IP address(es) on page 526.
5. Enable 802.1X authentication on the switch. See Enable 802.1X authentication on selected ports on page 521.
6. Test both the authorized and unauthorized access to your system to ensure that the 802.1X authentication works properly on the ports you have configured for port-access.
If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected.
7. If you are using Port Security on the switch, configure the switch to allow only 802.1X access on ports configured for 802.1X operation, and (if desired) the action to take if an unauthorized device attempts access through an 802.1X port. See Port-Security on page 539.
8. If you want a port on the switch to operate as a supplicant on a port operating as an 802.1X authenticator on another device, then configure the supplicant operation. (See Configuring switch ports to operate as supplicants for 802.1X connections to other switches on page 539.
Configuring switch ports as 802.1X authenticators
Enable 802.1X authentication on selected ports
This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches, and consists of two steps:
1. Enable the selected ports as authenticators. 2. Specify either user-based or port-based 802.1X authentication.
(Actual 802.1X operation does not commence until you activate 802.1X authentication on the switch.)
If you enable 802.1X authentication on a port, the switch automatically disables LACP on that port. However, if the port is already operating in an LACP trunk, you must remove the port from the trunk before you can configure it for 802.1X authentication.
Enable the selected ports as authenticators and enable the (default) port-based authentication
Syntax
aaa port-access authenticator <port-list> no aaa port-access authenticator <port-list> Enables specified ports to operate as 802.1X authenticators and enables port-based authentication. (To enable user-based authentication, execute this command first, and then execute the client-limit <port-list> version of this command described in the next section.) The no form of the command removes 802.1X authentication from <portlist>. To activate configured 802.1X operation, you must enable 802.1X authentication. See Enable 802.1X authentication on the switchAfter configuring 802.1X authentication as described in the preceding four sections, activate it with this command: Syntaxaaa port-access authenticator activeActivates 802.1X port-access on ports you have configured as authenticators. on page 1.
521
Aruba 2930M/F | Access Security Guide
Specify user-based authentication or return to port-based authentication
User-based 802.1X authentication:
Syntax
aaa port-access authenticator <port-list> client-limit <1-32> Used after executing aaa port-access authenticator <port-list> to convert authentication from portbased to user-based. Specifies user-based 802.1X authentication and the maximum number of 802.1Xauthenticated client sessions allowed on each of the ports in <port-list>. If a port currently has no authenticated client sessions, the next authenticated client session the port accepts determines the untagged VLAN membership to which the port is assigned during the session. If another client session begins later on the same port while an earlier session is active, the later session will be on the same untagged VLAN membership as the earlier session.
Port-based 802.1X authentication:
Syntax
aaa port-access authenticator <port-list> client-limit no aaa port-access authenticator <port-list> client-limit Used to convert a port from user-based authentication to port-based authentication, which is the default setting for ports on which authentication is enabled. (Executing aaa port-access authenticator <port-list> enables 802.1X authentication on <port-list> and enables port-based authentication.) If a port currently has no authenticated client sessions, the next authenticated client session the port accepts determines the untagged VLAN membership to which the port is assigned during the session. If another authenticated client session begins later on the same port while an earlier session is active, the later session replaces the currently active session and will be on the untagged VLAN membership specified by the RADIUS server for the later session. Configuring user-based 802.1X authentication on page 522 Enables ports 10-12 to operate as authenticators, and then configures the ports for user-based authentication.
Configuring user-based 802.1X authentication
switch(config)# aaa port-access authenticator 10-12 switch(config)# aaa port-access authenticator 10-12 client-limit 4
Configuring port-based 802.1X authentication
switch(config)# aaa port-access authenticator 13-15 switch(config)# no aaa port-access authenticator 13-15 client-limit
Reconfigure settings for port-access
The commands in this section are initially set by default and can be reconfigured as needed.
Syntax
aaa port-access authenticator <port-list> [<item>]
Parameters
<port-list> Specifies the ports acted on by this command.
<item> Specifies one of these items:
Aruba 2930M/F | Access Security Guide
522
auth-vid <vlan-id> Configures an existing, static VLAN to be the Authorized-Client VLAN.
clear-statistics Clears authenticator statistics counters.
client-limit <1-32> Set the maximum number of clients to allow on the port. With no client limit, authentication happens in portbased mode, otherwise it happens in client-based mode.
control {authorized | auto | unauthorized} Controls authentication mode on the specified port.
authorized Also termed "Force Authorized". Gives access to a device connected to the port. In this case, the device does not have to provide 802.1X credentials or support 802.1X authentication. (You can still configure console, Telnet, or SSH security on the port.) auto This is the default. The device connected to the port must support 802.1X authentication and provide valid credentials to get network access. (Optional: You can use the Open VLAN mode to provide a path for clients without 802.1X supplicant software to download this software and begin the authentication process.) initialize On the specified ports, blocks inbound and outbound traffic and restarts the 802.1X authentication process. This happens only on ports configured with control auto and actively operating as 802.1X authenticators.
If a specified port is configured with control authorized and port-security, and the port has learned an authorized address, the port will remove this address and learn a new one from the first packet it receives.
logoff-period <1-999999999> Configures the time the switch waits for client activity before removing an inactive client from the port. (Default: 300 seconds)
max-requests<1-10> Sets the number of authentication attempts that must time out before authentication fails and the authentication session ends. If you are using the Local authentication option, or are using RADIUS authentication with only one host server, the switch will not start another session until a client tries a new access attempt. If you are using RADIUS authentication with two or three host servers, the switch will open a session with each server, in turn, until authentication occurs or there are no more servers to try. During the quiet-period, if any, you cannot reconfigure this parameter. (Default: 2)
quiet-period <0-65535> Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails. (Default: 60 seconds)
reauth-period <0-9999999> Sets the time after which clients connected must be reauthenticated. When the timeout is set to 0, the reauthentication is disabled (Default: 0 second)
reauthenticate Forces reauthentication (unless the authenticator is in 'HELD' state).
server-timeout <1-300>
523
Aruba 2930M/F | Access Security Guide
Sets the time the switch waits for a server response to an authentication request. If there is no response within the configured time frame, the switch assumes that the authentication attempt has timed out. Depending on the current max-requests setting, the switch will either send a new request to the server or end the authentication session. (Default: 30 seconds)
supplicant-timeout <1-300>
Sets the time the switch waits for a supplicant response to an EAP request. If the supplicant does not respond within the configured time frame, the session times out. (Default: 30 seconds)
tx-period <0-65535> Sets the time the port waits to retransmit the next EAPOL PDU during an authentication session. (Default: 30 seconds)
unauth-period <0-255> Specifies a delay in seconds for placing a port on the Unauthorized-Client VLAN. This delay allows more time for a client with 802.1X supplicant capability to initiate an authentication session. If a connected client does not initiate a session before the timer expires, the port is assigned to the Unauthenticated-Client VLAN. (Default: 0 seconds)
unauth-vid <vlan-id>
Configures an existing static VLAN to be the Unauthorized-Client VLAN. This enables you to provide a path for clients without supplicant software to download the software and begin an authentication session.
Aruba 2930M/F | Access Security Guide
524
About tx-period and identity request triggers
The actual period between EAPOL PDU retransmits is influenced by the state of authenticating or connecting clients. The trigger for EAPOL identity requests depends on the following:
n The tx-period configured. n The number of clients connected to the switch and the state of the clients.
If there is one client connected and:
n The client is in the authenticated state, tx-period expiry will not trigger an identity request. n The client is in the connecting state, tx-period expiry will trigger an identity request to the client
MAC. n The client MAC address is not known, then upon tx-period expiry, the switch will send the next
identity request to the well-known client MAC (EAPOL group multicast address).
If there are two clients connected, and:
n One client is in the connecting state, tx-period expiry will trigger an identity request to the client MAC. In this case, it is assumed that there is no traffic from the second client and that the switch is not aware of the second client.
n Two clients are in the connecting state (and if the logoff period does not expire before tx-period expiry), then each client will maintain separate timers and identity requests will be sent at regular intervals.
n One client is in the authenticated state and the second client is in the connecting state, then the identity request will be triggered upon expiry of any client timer. In this case, if the first client timer expires, then the first client MAC will send an identity request to the second client MAC. Therefore, the identity request send interval may be different than what is set for tx-period.
n Two clients are in the authenticated state, upon tx-period expiry, the switch will not send an identity request.
n Both clients are not sending any traffic, the switch will send identity requests to the well-known client MAC (EAPOL group multicast address).
Configuring the 802.1X authentication method
This task specifies how the switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator.
Syntax
aaa authentication port-access <chap-radius|eap-radius|local> Configures local, chap-radius, or eap-radius as the primary password authentication method for port-access. The default primary authentication is local. (See the documentation for your RADIUS server application.) For switches covered in this guide, you must use the password port-access command to configure the operator username and password for 802.1X access. [<none|authorized>]
525
Aruba 2930M/F | Access Security Guide
Provides options for secondary authentication. The none option specifies that a backup authentication method is not used. The authorized option allows access without authentication. (default: none). To enable the switch to perform 802.1X authentication using one or more EAP-capable RADIUS servers:
Figure 109 802.1X (port-access) authentication
Enter the RADIUS host IP address(es)
If you select either eap-radius or chap-radius for the authentication method, configure the switch to use 1, 2, or 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, see RADIUS Authentication, Authorization, and Accounting on page 164.
Syntax
radius host <ip-address> Adds a server to the RADIUS configuration. [key <server-specific key-string>] Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the key used on the RADIUS server. Use this option only if the specified server requires a different key than configured for the global encryption key. The tilde (~) character is allowed in the string. It is not backward compatible; the "~" character is lost if you use a software version that does not support the "~" character.
Syntax
radius-server key <global key-string> Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a server-specific key. This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. The tilde (~) character is allowed in the string, for example, radius-server key aruba~switch. It is not backward compatible; the "~" character is lost if you use a software version that does not support the "~" character.
Aruba 2930M/F | Access Security Guide
526
Default: Null The no form of the command removes the global encryption key.
Enable 802.1X authentication on the switch
After configuring 802.1X authentication as described in the preceding four sections, activate it with this command:
Syntax
aaa port-access authenticator active
Activates 802.1X port-access on ports you have configured as authenticators.
Reset authenticator operation (optional)
While 802.1X authentication is operating, you can use the following aaa port-access authenticator commands to reset 802.1X authentication and statistics on specified ports.
Syntax
aaa port-access authenticator <port-list> [initialize] On the specified ports, blocks inbound and outbound traffic and restarts the 802.1X authentication process. This happens only on ports configured with control auto and actively operating as 802.1X authenticators. [reauthenticate] On the specified ports, forces reauthentication (unless the authenticator is in "HELD" state). [clear-statistics] On the specified ports, clears authenticator statistics counters.
Configure 802.1X controlled direction (optional)
After you enable 802.1X authentication on specified ports, you can use the aaa port-access controlleddirection command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state. As documented in the IEEE 802.1X standard, an 802.1X-aware port that is unauthenticated can control traffic in either of the following ways:
n In both ingress and egress directions by disabling both the reception of incoming frames and transmission of outgoing frames
n Only in the ingress direction by disabling only the reception of incoming frames.
Syntax
aaa port-access <port-list> controlled-direction <both|in> <port-list>
Specifies the list of ports on which this command will be applied. both
(default) Specifies that incoming and outgoing traffic is blocked on an 802.1X-aware port before authentication occurs. in Specifies that incoming traffic is blocked on an 802.1X-aware port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated 802.1X-aware ports.
527
Aruba 2930M/F | Access Security Guide
Wake-on-LAN Traffic
The Wake-on-LAN feature is used by network administrators to remotely power on a sleeping workstation (for example, during early morning hours to perform routine maintenance operations, such as patch management and software updates). The aaa port-access controlled-direction in command allows Wake-on-LAN traffic to be transmitted on an 802.1X-aware egress port that has not yet transitioned to the 802.1X authenticated state; the controlleddirection both setting prevents Wake-on-LAN traffic to be transmitted on an 802.1X-aware egress port until authentication occurs.
Although the controlled-direction in setting allows Wake-on-LAN traffic to traverse the switch through unauthenticated 802.1X-aware egress ports, it does not guarantee that the Wake-on-LAN packets will arrive at their destination. For example, firewall rules on other network devices and VLAN rules may prevent these packets from traversing the network.
Operating notes
n Using the aaa port-access controlled-direction in command, you can enable the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the following port-based security features:
o 802.1X authentication o MAC authentication o Web authentication
Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-direction command is applied to all authentication methods configured on the switch. See Web and MAC Authentication.
n To display the currently configured 802.1X Controlled Direction value, enter the show port-access authenticator config command.
n When an 802.1X-authenticated port is configured with the controlled-direction in setting, eavesdrop prevention is not supported on the port.
The following example shows how to enable the transmission of Wake-on-LAN traffic in the egress direction on an 802.1X-aware port before it transitions to the 802.1X authenticated state and successfully authenticates a client device.
Configuring 802.1X controlled directions
switch(config)# aaa port-access authenticator a10 switch(config)# aaa authentication port-access eap-radius switch(config)# aaa port-access authenticator active switch(config)# aaa port-access a10 controlled-direction in
Unauthenticated VLAN access (guest VLAN access)
When a PC is connected through an IP phone to a switch port that has been authorized using 802.1X or Web/MAC authentication, the IP phone is authenticated using client-based 802.1X or Web/MAC authentication and has access to secure, tagged VLANs on the port. If the PC is unauthenticated, it needs to have access to the insecure guest VLAN (unauthenticated VLAN) that has been configured for 802.1X or Web/MAC authentication.
Aruba 2930M/F | Access Security Guide
528
802.1X and Web/MAC authentication normally do not allow authenticated clients (the phone) and unauthenticated clients (the PC) on the same port. Mixed port access mode allows 802.1X and Web/MAC authenticated and unauthenticated clients on the same port when the guest VLAN is the same as the port's current untagged authenticated VLAN for authenticated clients, or when none of the authenticated clients are authorized on the untagged authenticated VLAN. Instead of having just one client per port, multiple clients can use the guest VLAN. Authenticated clients always have precedence over guests (unauthenticated clients) if access to a client's untagged VLAN requires removal of a guest VLAN from the port. If an authenticated client becomes authorized on its untagged VLAN as the result of initial authentication or because of an untagged packet from the client, then all 802.1X or Web/MAC authenticated guests are removed from the port and the port becomes an untagged member of the client's untagged VLAN.
Characteristics of mixed port access mode
n The port keeps tagged VLAN assignments continuously. n The port sends broadcast traffic from the VLANs even when there are only guests authorized on the port. n Guests cannot be authorized on any tagged VLANs. n Guests can use the same bandwidth, rate limits and QoS settings that may be assigned for authenticated
clients on the port (via RADIUS attributes). n When no authenticated clients are authorized on the untagged authenticated VLAN, the port becomes an
untagged member of the guest VLAN for as long as no untagged packets are received from any authenticated clients on the port. n New guest authorizations are not allowed on the port if at least one authenticated client is authorized on its untagged VLAN and the guest VLAN is not the same as the authenticated client's untagged VLAN.
If you disable mixed port access mode, this does not automatically remove guests that have already been authorized on a port where an authenticated client exists. New guests are not allowed after the change, but the existing authorized guests will still be authorized on the port until they are removed by a new authentication, an untagged authorization, a port state change, and so on.
Configuring mixed port access mode
Syntax: aaa port-access <port-list> mixed no aaa port-access <port-list> mixed Enables or disables guests on ports with authenticated clients. Default: Disabled; guests do not have access
Configuring mixed port access mode
switch(config)# aaa port-access 6 mixed
Customer self repair
Hewlett Packard Enterprise customer self repair (CSR) programs allow you to repair your product. If a CSR part needs to be replaced, it will be shipped directly to you so that you can install it at your convenience. Some parts do not qualify for CSR. Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR.
529
Aruba 2930M/F | Access Security Guide
For more information about CSR, contact your local service provider or go to the CSR website: http://www.hpe.com/support/selfrepair
802.1X Open VLAN mode
Introduction
This chapter provides an overview of the security features included on your switch. Chapter Access security features outlines the access security and authentication features, while Network Security Features highlights the additional features designed to help secure and protect your network. For detailed information on individual features, see the references provided. Before you connect your switch to a network, Hewlett Packard Enterprise strongly recommends that you review the section Getting started with access security. It outlines potential threats for unauthorized switch and network access, and provides guidelines on how to prepare the switch for secure network operation.
VLAN membership priorities
Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration. The port also becomes an untagged member of one VLAN according to the following order of options:
n 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during client authentication.
n 2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the VLAN entered in the port's 802.1X configuration as an Authorized-Client VLAN, if configured.
n 3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have a static, untagged VLAN membership in its configuration, then the switch assigns the port to this VLAN.
A port assigned to a VLAN by an Authorized-Client VLAN configuration (or a RADIUS server) will be an untagged member of the VLAN for the duration of the authenticated session. This applies even if the port is also configured in the switch as a tagged member of the same VLAN.
After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port is a tagged member of a VLAN used for 1 or 2 listed above, then it also operates as an untagged member of that VLAN while the client is connected. When the client disconnects, the port reverts to tagged membership in the VLAN.
Use models for 802.1X Open VLAN modes
You can apply the 802.1X Open VLAN mode in more than one way. Depending on your use, you will need to create one or two static VLANs on the switch for exclusive use by per-port 802.1X Open VLAN mode authentication:
n Unauthorized-Client VLAN: Configure this VLAN when unauthenticated, friendly clients will need access to some services before being authenticated or instead of being authenticated.
Aruba 2930M/F | Access Security Guide
530
n Authorized-Client VLAN:
Configure this VLAN for authenticated clients when the port is not statically configured as an untagged member of a VLAN you want clients to use, or when the port is statically configured as an untagged member of a VLAN you do not want clients to use. (A port can be configured as untagged on only one port-based VLAN. When an Authorized-Client VLAN is configured, it will always be untagged and will block the port from using a statically configured, untagged membership in another VLAN.) After client authentication, the port returns to membership in any tagged VLANs for which it is configured. See VLAN membership priorities on page 530.
Table 39: 802.1X per-port configuration
802.1X per-port configuration No Open VLAN mode:
Open VLAN mode with both of the following configured:
Port response
The port automatically blocks a client that cannot initiate an authentication session.
n Unauthorized-client VLAN: When the port detects a client without 802.1X supplicant capability, it automatically becomes an untagged member of this VLAN. If you previously configured the port as a static, tagged member of the VLAN, membership temporarily changes to untagged while the client remains unauthenticated.
n If the port already has a statically configured, untagged membership in another VLAN, then the port temporarily closes access to this other VLAN while in the Unauthorized-Client VLAN.
n To limit security risks, the network services and access available on the Unauthorized-Client VLAN must include only what a client requires to enable an authentication session. If the port is statically configured as a tagged member of any other VLANs, access to these VLANs is blocked while the port is a member of the Unauthorized-Client VLAN.
NOTE: For a port configured to allow multiple client sessions: If any previously authenticated clients are using a port assigned to a VLAN other than the Unauthorized-Client VLAN, then a later client that is not running 802.1X supplicant software is blocked on the port until all other, authenticated clients on the port have disconnected.
n Authorized-client VLAN:
After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN.
NOTE: If the client is running an 802.1X supplicant application when the authentication session begins, and is able to authenticate itself before the switch assigns the port to the Unauthorized-Client VLAN, then the port does not become a member of the Unauthorized-Client VLAN. On the switches covered in this guide, you can use the unauth-
period command to delay moving the port into the UnauthorizedClient VLAN.
If RADIUS authentication assigns a VLAN and there are no other authenticated clients on the port, then the port becomes a member of the RADIUS-assigned VLAN--instead of the Authorized-Client VLAN-- while the client is connected.
531
Aruba 2930M/F | Access Security Guide
802.1X per-port configuration
VLAN mode with only an unauthorized-client VLAN configured:
Port response
n If the port is statically configured as a tagged member of a VLAN, and this VLAN is used as the Authorized-Client VLAN, then the port temporarily becomes an untagged member of this VLAN when the client becomes authenticated.
n If the port is statically configured as a tagged member of a VLAN, the port returns to tagged membership in this VLAN upon successful authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN. If the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN, then the port becomes an untagged member of that VLAN for the duration of the client connection. After the client disconnects, the port returns to tagged membership in that VLAN.
n When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client requires to enable an authentication session. If the port is statically configured as an untagged member of another VLAN, the switch temporarily removes the port from membership in this other VLAN while membership in the Unauthorized-Client VLAN exists.
n After the client is authenticated, and if the port is statically configured as
an untagged member of another VLAN, the port access to this other
VLAN is restored.
NOTE: If RADIUS authentication assigns the port to a VLAN, this assignment overrides any statically configured, untagged VLAN membership on the port (while the client is connected).
n If the port is statically configured as a tagged member of a VLAN, the port returns to tagged membership in this VLAN upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN. If the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN, then the port becomes an untagged member of that VLAN for the duration of the client connection.
NOTE: For a port configured to allow multiple client sessions: If any previously authenticated clients are using a port assigned to a VLAN other than the Unauthorized-Client VLAN (such as a RADIUS-assigned VLAN), then a later client that is not running 802.1X supplicant software is blocked on the port until all other, authenticated clients on the port have disconnected.
Open VLAN mode with only an authorized-client VLAN configured:
n Port automatically blocks a client that cannot initiate an authentication session.
n If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.
n If the port is statically configured as a tagged member of any other VLAN, the port returns to tagged membership in this VLAN upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN. If the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN, then the port becomes an untagged member of that VLAN for the duration of the client connection. After the client disconnects, the port returns to tagged membership in that VLAN.
NOTE: An authorized-client VLAN configuration can be overridden by a RADIUS authentication that assigns a VLAN.
Aruba 2930M/F | Access Security Guide
532
Operating rules for authorized and unauthorized-client VLANs
Table 40: Condition for authorized client and unauthorized client VLANs
Condition
Rule
Static VLANs used as authorized-client or unauthorized-client VLANs
These must be configured on the switch before you configure an 802.1X authenticator port to use them. (Use the vlan <vlan-id> command or the VLAN Menu screen in the Menu interface.)
VLAN assignment received from a RADIUS server
If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1X authenticator port, this VLAN assignment overrides any Authorized-Client VLAN assignment configured on the authenticator port. This is because membership in both VLANs is untagged, and the switch allows only one untagged, port-based VLAN membership per-port. For example, suppose you configured port A4 to place authenticated supplicants in VLAN 20. If a RADIUS server authenticates supplicant "A" and assigns this supplicant to VLAN 50, then the port can access VLAN 50 as an untagged member while the client session is running. When the client disconnects from the port, then the port drops these assignments and uses the untagged VLAN memberships for which it is statically configured. (After client authentication, the port resumes any tagged VLAN memberships for which it is already configured.
Temporary VLAN membership during a client session
n Port membership in a VLAN assigned to operate as the Unauthorized-Client VLAN is temporary, and ends when the client receives authentication or the client disconnects from the port, whichever is first. In the case of the multiple clients allowed on switches covered in this guide, the first client to authenticate determines the untagged VLAN membership for the port until all clients have disconnected. Any other clients that cannot operate in that VLAN are blocked at that point.
n Port membership in a VLAN assigned to operate as the Authorized-Client VLAN ends when the client disconnects from the port. If a VLAN assignment from a RADIUS server is used instead, the same rule applies. In the case of the multiple clients allowed on switches, the port maintains the same VLAN as long as there is any authenticated client using the VLAN. When the last client disconnects, then the port reverts to only the VLAN(s) for which it is statically configured as a member.
Effect of unauthorized-client VLAN session on untagged port VLAN membership
n When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized-Client VLAN (also untagged). (While the Unauthorized-Client VLAN is in use, the port does not access any other VLANs.)
n If the client disconnects, the port leaves the Unauthorized-Client VLAN and re-acquires membership in all the statically configured VLANs to which it belongs.
n If the client becomes authenticated, the port leaves the UnauthenticatedClient VLAN and joins the appropriate VLAN. See VLAN membership priorities on page 530.
n In the case of the multiple clients allowed on switches, if an authenticated client is already using the port for a different VLAN, then any other unauthenticated clients needing to use the Unauthorized-Client VLAN are blocked.
Effect of authorized-client VLAN session on untagged port VLAN membership.
n When a client becomes authenticated on a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Authorized-Client VLAN (also untagged). While the Authorized-Client VLAN is in use, the port does not have access to the statically configured, untagged VLAN.
533
Aruba 2930M/F | Access Security Guide
Condition
Rule
n When the authenticated client disconnects, the switch removes the port from the Authorized-Client VLAN and moves it back to the untagged membership in the statically configured VLAN. (After client authentication, the port resumes any tagged VLAN memberships for which it is already configured.
NOTE: This rule assumes:
n No alternate VLAN has been assigned by a RADIUS server. n No other authenticated clients are already using the port.
Multiple authenticator ports using the same unauthorizedclient and authorized-client VLANs
You can use the same static VLAN as the Unauthorized-Client VLAN for all 802.1X authenticator ports configured on the switch. Similarly, you can use the same static VLAN as the Authorized-Client VLAN for all 802.1X authenticator ports configured on the switch.
CAUTION: Do not use the same static VLAN for both the unauthorized-client VLAN and the authorized-client VLAN. Using one VLAN for both creates a security risk by defeating the isolation of unauthenticated clients.
Effect of filed client authentication attempt. This rule assumes no other authenticated clients are already using the port on a different VLAN.
When there is an Unauthorized-Client VLAN configured on an 802.1X authenticator port, an unauthorized client connected to the port has access only to the network resources belonging to the Unauthorized- Client VLAN. This access continues until the client disconnects from the port. (If there is no Unauthorized-Client VLAN configured on the authenticator port, the port simply blocks access for any unauthorized client.)
Effect of RADIUS-assigned VLAN. This rule assumes no other authenticated clients are already using the port on a different VLAN.
The port joins the RADIUS-assigned VLAN as an untagged member.
IP Addressing for a client connected to a port configured for 802.1X Open VLAN mode
A client can either acquire an IP address from a DHCP server or use a manually configured IP address before connecting to the switch.
802.1X supplicant software for a client connected to a port configured for 802.1X Open VLAN mode
A friendly client, without 802.1X supplicant software, connecting to an authenticator port must be able to download this software from the Unauthorized-Client VLAN before authentication can begin.
Switch with a port configured to allow multiple authorized-client sessions
When a new client is authenticated on a given port: n If no other clients are authenticated on that port, then the port joins one
VLAN in the following order of precedence: 1. A RADIUS-assigned VLAN, if configured.
2. An Authenticated-Client VLAN, if configured.
3. A static, port-based VLAN to which the port belongs as an untagged member.
4. Any VLAN(s) to which the port is configured as a tagged member (provided that the client can operate in that VLAN).
n If another client is already authenticated on the port, then the port is already assigned to a VLAN for the previously-existing client session, and the new client must operate in this same VLAN, regardless of other factors. (This means that a client without 802.1X client authentication software cannot access a configured, Unauthenticated-Client VLAN if another, authenticated client is already using the port.)
Aruba 2930M/F | Access Security Guide
534
Condition
Rule
Limitation on using an unauthorized-client VLAN on an 802.1X port configured to allow multiple-client access
You can optionally enable switches to allow up to 32 clients per-port. The Unauthorized-Client VLAN feature can operate on an 802.1X-configured port regardless of how many clients the port is configured to support. However, all clients on the same port must operate through the same untagged VLAN membership.(See MAC-based VLANs). This means that any client accessing a given port must be able to authenticate and operate on the same VLAN as any other previously authenticated clients that are currently using the port. Thus, an Unauthorized-Client VLAN configured on a switch port that allows multiple 802.1X clients cannot be used if there is already an authenticated client using the port on another VLAN. Also, a client using the Unauthenticated-Client VLAN will be blocked when another client becomes authenticated on the port. For this reason, the best utilization of the Unauthorized-Client VLAN feature is in instances where only one client is allowed per-port. Otherwise, unauthenticated clients are subject to being blocked at any time by authenticated clients using a different VLAN. (Using the same VLAN for authenticated and unauthenticated clients can create a security risk and is not recommended.)
If you use the same VLAN as the Unauthorized-Client VLAN for all authenticator ports, unauthenticated clients on different ports can communicate with each other.
Setting up and configuring 802.1X Open VLAN mode
Preparation:
This section assumes use of both the unauthorized-client and authorized-client VLANs. Before you configure the 802.1X Open VLAN mode on a port:
n Statically configure an Unauthorized-Client VLAN in the switch. The only ports that should belong to this VLAN are ports offering services and access you want available to unauthenticated clients. (802.1X authenticator ports do not have to be members of this VLAN.)
Do not allow any port memberships or network services on this VLAN that would pose a security risk if exposed to an unauthorized client.
n Statically configure an Authorized-Client VLAN in the switch. The only ports that should belong to this VLAN are ports offering services and access you want available to authenticated clients. 802.1X authenticator ports do not have to be members of this VLAN. Note that if an 802.1X authenticator port is an untagged member of another VLAN, the port's access to that other VLAN will be temporarily removed while an authenticated client is connected to the port.For example, if: 1. Port 5 is an untagged member of VLAN 1 (the default VLAN). 2. You configure port 5 as an 802.1X authenticator port. 3. You configure port 5 to use an Authorized-Client VLAN. Then, if a client connects to port 5 and is authenticated, port 5 becomes an untagged member of the Authorized-Client VLAN and is temporarily suspended from membership in the default VLAN.
n If you expect friendly clients to connect without having 802.1X supplicant software running, provide a server on the Unauthorized-Client VLAN for downloading 802.1X supplicant software to the client, and a procedure by which the client initiates the download.
535
Aruba 2930M/F | Access Security Guide
n A client must either have a valid IP address configured before connecting to the switch, or download one through the Unauthorized-Client VLAN from a DHCP server. In the latter case, you will need to provide DHCP services on the Unauthorized-Client VLAN.
n Ensure that the switch is connected to a RADIUS server configured to support authentication requests from clients using ports configured as 802.1X authenticators. (The RADIUS server should not be on the Unauthorized-Client VLAN.)
As an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges. Also, you must use 802.1X supplicant software that supports the use of local switch passwords.
Ensure that you do not introduce a security risk by allowing Unauthorized- Client VLAN access to network services or resources that could be compromised by an unauthorized client.
Configuring general 802.1X operation
These steps enable 802.1X authentication, and must be done before configuring 802.1X VLAN operation.
1. Enable 802.1X authentication on the individual ports you want to serve as authenticators. (The switch automatically disables LACP on the ports on which you enable 802.1X.) On the ports you will use as authenticators with VLAN operation, ensure that the port-control parameter is set to auto (the default). (See Enable 802.1X authentication on selected ports on page 521.) This setting requires a client to support 802.1X authentication (with 802.1X supplicant operation) and to provide valid credentials to get network access. aaa port-access authenticator <port-list> control auto Activates 802.1X port-access on ports you have configured as authenticators.
2. Configure the 802.1X authentication type. Options include: aaa authentication port-access <local|eap-radius|chap-radius> Determines the type of RADIUS authentication to use.
3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. radius host <ip-address> Adds a server to the RADIUS configuration. [key <server-specific key-string>] Optional. Specifies an encryption key for use with the specified server. This key must match the key used on the RADIUS server. Use this option only if the specified server requires a different key than configured for the global encryption key The tilde (~) character is allowed in the string. It is not backward compatible; the "~" character is lost if you use a software version that does not support the "~" character. radius-server key <global key-string> Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a server-specific key. This key is optional if all RADIUS server addresses configured in the switch include a server- specific encryption key. The tilde (~) character is allowed in the string, for example, radius-server key aruba~switch. It is not backward compatible; the "~" character is lost if you use a software version that does not support the "~" character. Default: Null The no form of the command removes the global encryption key.
Aruba 2930M/F | Access Security Guide
536
4. Activate authentication on the switch. aaa port-access authenticator active Activates 802.1X port-access on ports you have configured as authenticators.
5. Test both the authorized and unauthorized access to your system to ensure that the 802.1X authentication works properly on the ports you have configured for port-access.
If you want to implement the optional port-security feature on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. Then see Option for authenticator ports: configure port-security to allow only 802.1X-authenticated devices .
After you complete steps 1 and 2, the configured ports are enabled for 802.1X authentication (without VLAN operation), and you are ready to configure VLAN Operation.
Configuring 802.1X Open VLAN mode
Use these commands to configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, see Setting up and configuring 802.1X Open VLAN mode on page 535.
Syntax
aaa port-access authenticator <port-list> [auth-vid <vlan-id>] Configures an existing, static VLAN to be the Authorized-Client VLAN. [<unauth-vid <vlan-id>] Configures an existing, static VLAN to be the Unauthorized-Client VLAN. For example, suppose you want to configure 802.1X port-access with Open VLAN mode on ports 10-20 and
n These two static VLANs already exist on the switch: l Unauthorized, VID = 80 l Authorized, VID = 81
n Your RADIUS server has an IP address of 10.28.127.101. The server uses rad4all as a server-specific key string. The server is connected to a port on the Default VLAN.
n The switch's default VLAN is already configured with an IP address of 10.28.127.100 and a network mask of 255.255.255.0
switch(config)# aaa authentication port-access eap-radius Configures the switch for 802.1X authentication using an EAP-RADIUS server. switch(config)# aaa port-access authenticator 10-20 Configures ports 10 - 20 as 802.1 authenticator ports. switch(config)# radius host 10.28.127.101 key rad4all Configures the switch to look for a RADIUS server with an IP address of 10.28.127.101 and an encryption key of rad4all. switch(config)# aaa port-access authenticator e 10-20 unauth-vid 80 Configures ports 10 - 20 to use VLAN 80 as the Unauthorized-Client VLAN. switch(config)# aaa port-access authenticator e 10-20 auth-vid 81 Configures ports 10 - 20 to use VLAN 81 as the Authorized-Client VLAN. switch(config)# aaa port-access authenticator active Activates 802.1X port-access on ports you have configured as authenticators.
537
Aruba 2930M/F | Access Security Guide
Inspecting 802.1X Open VLAN mode operation
For information and an example on viewing current Open VLAN mode operation, see Viewing 802.1X Open VLAN mode status on page 547.
802.1X Open VLAN operating notes
n Although you can configure Open VLAN mode to use the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended. Using the same VLAN for both purposes allows unauthenticated clients access to a VLAN intended only for authenticated clients, which poses a security breach.
n While an Unauthorized-Client VLAN is in use on a port, the switch temporarily removes the port from any other statically configured VLAN for which that port is configured as a member. Note that the Menu interface will still display the port's statically configured VLAN(s).
n A VLAN used as the Unauthorized-Client VLAN should not allow access to resources that must be protected from unauthenticated clients.
n If a port is configured as a tagged member of VLAN "X", then the port returns to tagged membership in VLAN "X" upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN "Y". Note that if RADIUS assigns VLAN "X" as an authorized VLAN, then the port becomes an untagged member of VLAN "X" for the duration of the client connection. (If there is no AuthorizedClient or RADIUS-assigned VLAN, then an authenticated client without tagged VLAN capability can access only a statically configured, untagged VLAN on that port.)
n When a client's authentication attempt on an Unauthorized-Client VLAN fails, the port remains a member of the Unauthorized-Client VLAN until the client disconnects from the port.
n During an authentication session on a port in 802.1X Open VLAN mode, if RADIUS specifies membership in an untagged VLAN, this assignment overrides port membership in the Authorized-Client VLAN. If there is no Authorized-Client VLAN configured, then the RADIUS assignment overrides any untagged VLAN for which the port is statically configured.
n If the only authenticated client on a port loses authentication during a session in 802.1X Open VLAN mode, the port VLAN membership reverts back to the Unauthorized-Client VLAN. If there is no Unauthorized-Client VLAN configured, then the client loses access to the port until it can reauthenticate itself. If there are multiple clients authenticated on the port, if one client loses access and attempts to re-authenticate, that client will be handled as a new client on the port.
n The first client to authenticate on a port configured to support multiple clients will determine the port's VLAN membership for any subsequent clients that authenticate while an active session is already in effect.
Option for authenticator ports: configure port-security to allow only 802.1X-authenticated devices
If 802.1X authentication is disabled on a port or set to authorized (Force Authorize), the port can allow access to an unauthenticated client. Port-Security operates with 802.1X authentication only if the selected ports are configured as 802.1X with the control mode in the port-access authenticator command set to auto (the default setting). For example, if port 10 was at a nondefault 802.1X setting and you wanted to configure it to support the port-security option, you would use the following aaa port-access command:
Port-access support for port-security operation
switch(config)# aaa port-access authenticator 10 control auto switch(config)# show port-access authenticator 10 config
Aruba 2930M/F | Access Security Guide
538
Port Access Authenticator Configuration
Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
| Re-auth Access Max Quiet TX
Supplicant Server Cntrl
Port | Period Control Reqs Period Timeout Timeout Timeout Dir
---- + ------- ------- ---- ------ ------- ---------- ------- -----
10 | No
Auto 2 60
30
30
30
both
Port-Security
If 802.1X port-access is configured on a given port, then port-security learn-mode for that port must be set to either continuous (the default) or port-access.
In addition to the above, to use port-security on an authenticator port, use the per-port client-limit option to control how many MAC addresses of 802.1X-authenticated devices the port is allowed to learn. (Using clientlimit sets 802.1X to user-based operation on the specified ports.) When this limit is reached, no further devices can be authenticated until a currently authenticated device disconnects and the current delay period or logoff period has expired.
Configure the port access type
Syntax
aaa port-access authenticator <port-list> client-limit <1-32> aaa port-access authenticator <port-list> client-limit <1-2> Configures user-based 802.1X authentication on the specified ports and sets the number of authenticated devices the port is allowed to learn. For more on this command, see Configuring switch ports as 802.1X authenticators on page 521. or
Syntax
no aaa port-access authenticator <port-list> client-limit Configures port-based 802.1X authentication on the specified ports, which opens the port. (See User authentication methods on page 517.)
Configuring switch ports to operate as supplicants for 802.1X connections to other switches
A switch port can operate as a supplicant in a connection to a port on another 802.1X-aware switch to provide security on links between 802.1X-aware switches. (A port can operate as both an authenticator and a supplicant.)
Example
Suppose that you want to connect two switches, where:
n Switch "A" has port 1 configured for 802.1X supplicant operation. n You want to connect port 1 on switch "A" to port 5 on switch "B".
539
Aruba 2930M/F | Access Security Guide
Figure 110 Supplicant operation
Procedure
1. When port 1 on switch "A" is first connected to a port on switch "B", or if the ports are already connected and either switch reboots, port 1 begins sending start packets to port 5 on switch "B". n If, after the supplicant port sends the configured number of start packets, it does not receive a response, it assumes that switch "B" is not 802.1X-aware, and transitions to the authenticated state. If switch "B" is operating properly and is not 802.1X-aware, then the link should begin functioning normally, but without 802.1X security. and password. n If, after sending one or more start request packets, port 1 receives a request packet from port 5, then switch "B" is operating as an 802.1X authenticator. The supplicant port then sends a response/ID packet. If switch "B" is configured for RADIUS authentication, it forwards this request to a RADIUS server. If switch "B" is configured for Local 802.1X authentication, the authenticator compares the switch "A" response to its local username.
2. The RADIUS server then responds with an MD5 access challenge that switch "B" forwards to port 1 on switch "A".
3. Port 1 replies with an MD5 hash response based on its username and password or other unique credentials. Switch "B" forwards this response to the RADIUS server.
4. The RADIUS server then analyzes the response and sends either a "success" or "failure" packet back through switch "B" to port 1. n A "success" response unblocks port 5 to normal traffic from port 1. n A "failure" response continues the block on port 5 and causes port 1 to wait for the "held-time" period before trying again to achieve authentication through port 5.
Supplicant port configuration
Enabling a switch port as a supplicant
You can configure a switch port as a supplicant for a point-to-point link to an 802.1X-aware port on another switch. Configure the port as a supplicant before configuring any supplicant-related parameters.
Syntax
aaa port-access supplicant [ethernet] <port-list> no aaa port-access supplicant [ethernet] <port-list> Configures a port as a supplicant with either the default supplicant settings or any previously configured supplicant settings, whichever is most recent. The no form of the command disables supplicant operation on the specified ports.
Configuring a supplicant switch port
Enable supplicant operation on a port before changing the supplicant configuration. Execute the supplicant command once without any other parameters, then execute it again with a supplicant parameter that you want to
Aruba 2930M/F | Access Security Guide
540
configure. If the intended authenticator port uses RADIUS authentication, then use the identity and secret options to configure the RADIUS-expected credentials on the supplicant port. If the intended authenticator port uses Local 802.1X authentication, then use the identity and secret options to configure the authenticator switch local username and password on the supplicant port.
Syntax
aaa port-access supplicant [ethernet] <port-list> To enable supplicant operation on the designated ports, execute this command without any other parameters. To configure supplicant operation, use the same command again with the following parameters. Use one instance of the command for each parameter you want to configure. The no form disables supplicant operation on the designated ports. [identity <username>] Sets the username and password to send in response to an authentication request. If the intended authenticator port is configured for RADIUS authentication, then <username> and <password> must be the username and password expected by the RADIUS server. If the intended authenticator port is configured for Local authentication, then <username> and <password> must be the username and password configured on the Authenticator switch. (Default: Null.) [secret]
Enter secret:<password>
Repeat secret:<password>
Sets the secret password to be used by the port supplicant when an MD5 authentication request is received from an authenticator. The switch prompts you to enter the secret password after the command is invoked. [auth-timeout <1-300>]
Sets the delay period that the port waits to receive a challenge from the authenticator. If the request times out, the port sends another request, up to the number of attempts specified by the max-start parameter. (Default: 30 seconds). [max-start <1-10>]
Defines the maximum number of times the supplicant port requests authentication. See step 1 in Configuring switch ports to operate as supplicants for 802.1X connections to other switches on page 539 for a description of how the port reacts to the authenticator response. (Default: 3). [held-period <0-65535>]
Sets the time period that the supplicant port waits after an active 802.1X session fails before trying to reacquire the authenticator port. (Default: 60 seconds) [start-period <1-300>]
Sets the delay between Start packet retransmissions. That is, after a supplicant sends a start packet, it waits during the start-period for a response. If no response comes during the start-period, the supplicant sends a new start packet. The max-start setting specifies how many start attempts are allowed in the session. (Default: 30 seconds) [initialize]
On the specified ports, blocks inbound and outbound traffic and restarts the 802.1X authentication process. Affects only ports configured as 802.1X supplicants. [clear-statistics]
Clears and restarts the 802.1X supplicant statistics counters.
541
Aruba 2930M/F | Access Security Guide
Displaying 802.1X configuration, statistics, and counters
Show commands for port-access authenticator
show port-access authenticator
The port-access authenticator command
Syntax:
show port-access authenticator [port-list] [config|statistics|sessioncounters|vlan|clients]|[detailed] If you enter the show port-access authenticator command without an optional value, the following configuration information is displayed for all switch ports, or specified ports, that are enabled for 802.1X portaccess authentication:
n Port-access authenticator activated: Are any switch ports configured to operate as 802.1X authenticators using the aaa port-access authenticator command? Yes or No
n Allow RADIUS-assigned dynamic (GVRP) VLANs: Are RADIUS-assigned dynamic (GVRP-learned) VLANs supported for authenticated and unauthenticated client sessions on the switch? Yes or No
n Auth Clients: Number of authorized clients
n Unauth Clients: Number of unauthorized clients
n Untagged VLAN: VLAN ID number of the untagged VLAN used in client sessions. If the switch supports MAC-based (untagged) VLANs, MAC-based is displayed to show that multiple untagged VLANs are configured for authentication sessions.
n Tagged VLANs: Are tagged VLANs (statically configured or RADIUS-assigned) used for authenticated clients? Yes or No
n Port CoS: o Yes Client-specific CoS (Class of Service) values are applied to more than one authenticated client on the
port. o No No client-specific CoS values are applied to any authenticated client on the port. o <CoS value> Numerical value of the CoS (802.1p priority) applied to inbound traffic from one authenticated
client. For client-specific per-port CoS values, enter the show port-access web-based clients detailed command.
n % In Limit: Inbound rate limit applied.
n RADIUS ACL: Are RADIUS-assigned ACLs used for authenticated clients? Yes or No
n Cntrl Dir: Direction in which flow of incoming and outgoing traffic is blocked on 802.1X-aware port that has not yet entered the authenticated state:
o Both: Incoming and outgoing traffic is blocked on port until authentication occurs. o In: Only incoming traffic is blocked on port before authentication occurs. Outgoing traffic with unknown
destination addresses is flooded on the unauthenticated 802.1X-aware port.
Aruba 2930M/F | Access Security Guide
542
The show port-access authenticator command
switch(config)#show port-access authenticator
Port Access Authenticator Status
Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes
Auth Unauth Untagged Tagged
% In RADIUS Cntrl
Port Clients Clients VLAN
VLANs Port COS Limit ACL Dir
---- ------- -------- -------- ------ --------- ------ ------ -----
11
1
4006
Yes 77777777 No
Yes both
22
0
MACbased No
No
No
Yes both
34
0
1
Yes No
No
No
both
show port-access authenticator config
The show port-access authenticator config command
Syntax:
show port-access authenticator config [port-list] Displays 802.1X port-access authenticator configuration settings, including:
n Whether port-access authentication is enabled.
n Whether RADIUS-assigned dynamic VLANs are supported.
n 802.1X configuration of ports that are enabled as 802.1X authenticators. Use the show running command to view the current client-limit configuration available for switches.
You can display 802.1X port-access authenticator configuration for all switch ports or specified ports. 802.1X configuration information for ports that are not enabled as 802.1X authenticators is not displayed.
switch(config)# show port-access authenticator config
Port Access Authenticator Configuration
Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
| Re-auth Access Max Quiet TX
Supplicant Server Cntrl
Port | Period Control Reqs Period Timeout Timeout Timeout Dir
---- + ------- -------- ----- ------- -------- ---------- -------- -----
1 | No
Auto
2
60
30
30
30
both
2 | No
Auto
2
60
30
30
30
in
Table 41: Field table Field
Port-access authenticator activated
Port
Description 802.1X authentication enabled/disabled status for specified ports.
Port number on switch.
543
Aruba 2930M/F | Access Security Guide
Field Re-auth Period Access Control
Max reqs Quiet Period TX Timeout Supplicant Timeout Server Timeout Cntrl Dir
Description
Time period (in seconds) after which clients connected to the port must be reauthenticated.
Authentication mode of port: Auto: Network access is allowed to any connected device that supports 802.1X authentication and provides valid 802.1X credentials. Authorized: Network access is allowed to any device connected to the port, regardless of whether it meets 802.1X criteria. Unauthorized: Network access is blocked to any device connected to the port, regardless of whether the device meets 802.1X criteria.
Number of authentication attempts that must time out before authentication fails and the authentication session ends.
Time period (in seconds) during which the port does not try to acquire a supplicant.
Time period (in seconds) that the port waits to retransmit the next EAPOL PDU during an authentication session.
Time period (in seconds) that the switch waits for a supplicant response to an EAP request.
Time period (in seconds) that the switch waits for a server response to an authentication request.
Direction in which flow of incoming and outgoing traffic is blocked on 802.1X-aware port that has not yet entered the authenticated state: Both: Incoming and outgoing traffic is blocked on port until authentication occurs. In: Only incoming traffic is blocked on port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on the unauthenticated 802.1Xaware port.
show port-access authenticator statistics
The show port-access authenticator statistics command
Syntax:
show port-access authenticator statistics [port-list] Displays statistical information for all switch ports or specified ports that are enabled as 802.1X authenticators, including:
n Whether port-access authentication is enabled n Whether RADIUS-assigned dynamic VLANs are supported
Aruba 2930M/F | Access Security Guide
544
n 802.1X supplicant's MAC address as determined by the content of the last EAPOL frame received on the port n 802.1X traffic statistics from received and transmitted packets
802.1X configuration information for ports that are not enabled as an 802.1X authenticators is not displayed.
Switch(config)# show port-access authenticator statistics
Port Access Authenticator Statistics
Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Source
TX TX RX RX
RX
RX RX
Port MAC address ReqId Req Star Logoff RespId Resp Errors
---- ------------- ----- ---- ----- ------ ------ ---- ------
2 001560-b3ea48 1
0
0
0
0
00
show port-access authenticator session-counters
The show port-access authenticator session-counters command
Syntax:
show port-access authenticator session-counters [port-list] Displays information for active 802.1X authentication sessions on all switch ports or specified ports that are enabled as 802.1X authenticators, including:
n 802.1X frames received and transmitted on each port n Duration and status of active 802.1X authentication sessions (in-progress or terminated) n User name of 802.1X supplicant included in 802.1X response packets, configured with the aaa port-access
supplicant identity <username> command
802.1X configuration information for ports that are not enabled as an 802.1X authenticators is not displayed.
Port Access Authenticator Session Counters
Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Session Session
Port Frames In Frames Out Time(sec.) Status
User
---- ---------- ----------- ---------- ----------- -----
2 45623
45623
20
in-progress bert
show port-access authenticator vlan
Syntax:
show port-access authenticator vlan [port-list] Displays the following information on the VLANs configured for use in 802.1X port-access authentication on all switch ports, or specified ports, that are enabled as 802.1X authenticator:
n Authentication mode used on each port, configured with the aaa port-access authenticator control command
545
Aruba 2930M/F | Access Security Guide
n VLAN ID (if any) to be used for traffic from 802.1X-authenticated clients n VLAN ID (if any) to be used for traffic from unauthenticated clients
802.1X configuration information for ports that are not enabled as an 802.1X authenticators is not displayed.
Switch(config)# show port-access authenticator vlan
Port Access Authenticator VLAN Configuration
Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Access Unauth Auth
Port Control VLAN ID VLAN ID
---- -------- -------- --------
2 Auto
0
0
Syntax:
show port-access authenticator clients [port-list] Displays the session status, name, and address for each 802.1X port-access-authenticated client on the switch. Multiple authenticated clients may be displayed for the same port. The IP address displayed is taken from the DHCP binding table (learned through the DHCP Snooping feature).
n If DHCP snooping is not enabled on the switch, n/a (not available) is displayed for a client IP address.
n If an 802.1X-authenticated client uses an IPv6 address, n/a - IPv6 is displayed.
n If DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table, n/a - no info is displayed.
show port-access authenticator clients
The show port-access authenticator clients command
Syntax:
show port-access authenticator clients [port-list] Displays the session status, name, and address for each 802.1X port-access-authenticated client on the switch. Multiple authenticated clients may be displayed for the same port. The IP address displayed is taken from the DHCP binding table (learned through the DHCP Snooping feature).
n If DHCP snooping is not enabled on the switch, n/a (not available) is displayed for a client IP address.
n If an 802.1X-authenticated client uses an IPv6 address, n/a - IPv6 is displayed.
n If DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table, n/a - no info is displayed.
The show port-access authenticator clients command output
Switch (config)# show port-access authenticator clients
Port Access Authenticator Client Status
Port Client Name MAC Address IP Address
Session Status
----- ----------- ------------- --------------- --------------
1
webuser1 001321-eb8063 192.192.192.192 Authenticated
1
webuser2 001560-b3ea48 n/a - no info Authenticating
Aruba 2930M/F | Access Security Guide
546
1
webuser3 000000-111111 n/a - IPv6
3
webuser4 000000-111112 n/a
Authenticating Authenticating
Syntax:
show port-access authenticator clients <port-list> detailed Displays detailed information on the status of 802.1X-authenticated client sessions on specified ports, including the matches the switch detects for individual ACEs configured with the cnt(counter) option in an ACL assigned to the port by a RADIUS server.
Output for the show port-access authenticator clients detailed command
Switch (config)# show port-access authenticator clients 5 detailed
Port Access Authenticator Client Status Detailed
Client Base Details :
Port
:5
Session Status : Open
Session Time(sec) : 999999999
Frames In
: 999999999
Frames Out
: 99999999
Username
: webuser1
MAC Address
: 001321-eb8063
IP
: 2001:fecd:ba23:cd1f:dcb1:1010:9234:4088
Access Policy Details :
COS Map
: 70000000
In Limit % : 87
Untagged VLAN : 3096
Out Limit % : 100
Tagged VLANs : 1, 3, 5, 6, 334, 2066
RADIUS-ACL List :
deny in udp from any to 10.2.8.233 CNT
Hit Count: 10
permit in udp from any to 10.2.8.233 CNT
Hit Count: 17
deny in tcp from any to 10.2.8.233 CNT
Hit Count: 1
permit in tcp from any to 10.2.8.233 CNT
Hit Count: 11
permit in ip from any to any cnt
Hit Count: 42
Viewing 802.1X Open VLAN mode status
You can examine the switch's current VLAN status by using the show port-access authenticator vlan and show port-access authenticator <port-list> commands as shown in this section. The table describes the data that these two commands display. Figure 111: Example showing ports configured for Open VLAN mode shows related VLAN data that can help you to see how the switch is using statically configured VLANs to support 802.1X operation.
547
Aruba 2930M/F | Access Security Guide
Figure 111 Example showing ports configured for Open VLAN mode
Notes on the above image:
n When the Auth VLAN ID is configured and matches the Current VLAN ID, an authenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Auth VLAN.)
n When the Unauth VLAN ID is configured and matches the Current VLAN ID, an unauthenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Unauth VLAN.)
Because a temporary Open VLAN port assignment to either an authorized or unauthorized VLAN is an untagged VLAN membership, these assignments temporarily replace any other untagged VLAN membership that is statically configured on the port. For example, if port 12 is statically configured as an untagged member of VLAN 1, but is configured to use VLAN 25 as an authorized VLAN, then the port's membership in VLAN 1 will be temporarily suspended whenever an authenticated 802.1X client is attached to the port.
Table 42: Output for determining Open VLAN mode status
Status Indicator Port
Meaning
Lists the ports configured as 802.1X port-access authenticators.
Aruba 2930M/F | Access Security Guide
548
Status Indicator
Meaning
Status
Closed: Either no client is connected or the connected client has not received authorization through 802.1X authentication.Open: An authorized 802.1X supplicant is connected to the port.
Access Control
This state is controlled by the following port-access Command syntax:
Switch(config)# aaa port-access authenticator <port-list> control <authorized|auto|unauthorized>
Authenticator State
Authenticator Backend State Unauthorized VLAN ID
Auto: Configures the port to allow network access to any connected device that supports 802.1X authentication and provides valid 802.1X credentials. (This is the default authenticator setting.)
FA: Configures the port for "Force Authorized", which allows access to any device connected to the port, regardless of whether it meets 802.1X criteria. (You can still configure console, Telnet, or SSH security on the port.)
FU: Configures the port for "Force Unauthorized", which blocks access to any device connected to the port, regardless of whether the device meets 802.1X criteria.
Connecting: A client is connected to the port, but has not received 802.1X authentication. Force Unauth: Indicates the "Force Unauthorized" state. Blocks access to the network, regardless of whether the client supports 802.1X authentication or provides 802.1X credentials. Force Auth: Indicates the "Force Authorized" state. Grants access to any device connected to the port. The device does not have to support 802.1X authentication or provide 802.1X credentials. Authorized: The device connected to the port supports 802.1X authentication, has provided 802.1X credentials, and has received access to the network. This is the default state for access control. Disconnected: No client is connected to the port.
Idle: The switch is not currently interacting with the RADIUS authentication server. Other states (Request, Response, Success, Fail, Timeout, and Initialize) may appear temporarily to indicate interaction with a RADIUS server. However, these interactions occur quickly and are replaced by Idle when completed.
<vlan-id>: Lists the VID of the static VLAN configured as the unauthorized VLAN for the indicated port. 0: No unauthorized VLAN has been configured for the indicated port.
549
Aruba 2930M/F | Access Security Guide
Status Indicator Authorized VLAN ID
Status
Current VLAN ID
Meaning
<vlan-id>: Lists the VID of the static VLAN configured as the authorized VLAN for the indicated port. 0: No authorized VLAN has been configured for the indicated port.
Closed: Either no client is connected or the connected client has not received authorization through 802.1X authentication.Open: An authorized 802.1X supplicant is connected to the port.
<vlan-id>: Lists the VID of the static, untagged VLAN to which the port currently belongs. No PVID: The port is not an untagged member of any VLAN.
Syntax
show vlan <vlan-id> Displays the port status for the selected VLAN, including an indication of which port memberships have been temporarily overridden by Open VLAN mode.
Figure 112 Example showing a VLAN with ports configured for Open VLAN mode
Show commands for port-access supplicant
Syntax: show port-access supplicant [<port-list>] [statistics] show port-access supplicant [<port-list>]
Aruba 2930M/F | Access Security Guide
550
Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or <port-list> ports configured on the switch as supplicants. The Supplicant State can include the following:
Connecting
Starting authentication.
Authenticated
Authentication completed (regardless of whether the attempt was successful).
Acquired
The port received a request for identification from an authenticator.
Authenticating
Authentication is in progress.
Held
Authenticator sent notice of failure. The supplicant port is waiting for the authenticator's held-period. For descriptions of the supplicant parameters, see Configuring a supplicant switch port on page 540. show port-access supplicant [<port-list>] statistics Shows the port-access statistics and source MAC address(es) for all ports or <port-list> ports configured on the switch as supplicants. See Note on supplicant statistics on page 551.
Note on supplicant statistics
For each port configured as a supplicant, show port-access supplicant statistics <port-list>] displays the source MAC address and statistics for transactions with the authenticator device most recently detected on the port. If the link between the supplicant port and the authenticator device fails, the supplicant port continues to show data received from the connection to the most recent authenticator device until one of the following occurs:
n The supplicant port detects a different authenticator device. n You use the aaa port-access supplicant <port-list> clear-statistics command to clear the
statistics for the supplicant port. n The switch reboots.
Thus, if the supplicant's link to the authenticator fails, the supplicant retains the transaction statistics it most recently received until one of the above events occurs. Also, if you move a link with an authenticator from one supplicant port to another without clearing the statistics data from the first port, the authenticator's MAC address will appear in the supplicant statistics for both ports.
How RADIUS/802.1X authentication affects VLAN operation
Static VLAN requirement:
RADIUS authentication for an 802.1X client on a given port can include a (static) VLAN requirement. (Refer to the documentation provided with your RADIUS application.) The static VLAN to which a RADIUS server assigns a client must exist on the switch. If it does not exist or is a dynamic VLAN (created by GVRP), authentication fails. Also, for the session to proceed, the port must be an untagged member of the required VLAN. If it is not, the switch temporarily reassigns the port.
If the port used by the client is not configured as an untagged member of the required static VLAN:
551
Aruba 2930M/F | Access Security Guide
When a client is authenticated on port "N", if port "N" is not already configured as an untagged member of the static VLAN specified by the RADIUS server, then the switch temporarily assigns port "N" as an untagged member of the required VLAN (for the duration of the 802.1X session). At the same time, if port "N" is already configured as an untagged member of another VLAN, port "N" loses access to that other VLAN for the duration of the session. (This loss of access occurs because a port can be an untagged member of only one VLAN at a time.)
VLAN assignment on a port
Following client authentication, VLAN configurations on a port are managed as follows when you use 802.1X, MAC, or Web authentication:
n The port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration. Tagged VLAN membership allows a port to be a member of multiple VLANs simultaneously.
n The port is temporarily assigned as a member of an untagged (static or dynamic) VLAN for use during the client session according to the following order of options. 1. The port joins the VLAN to which it has been assigned by a RADIUS server during client authentication. 2. If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the authorized-client VLAN configured for the authentication method. 3. If the port does not have an authorized-client VLAN configured, but is configured for membership in an untagged VLAN, the switch assigns the port to this untagged VLAN.
Operating notes
During client authentication, a port assigned to a VLAN by a RADIUS server or an authorized-client VLAN configuration is an untagged member of the VLAN for the duration of the authenticated session. This applies even if the port is also configured in the switch as a tagged member of the same VLAN. The following restrictions apply: If the port is assigned as a member of an untagged static VLAN, the VLAN must already be configured on the switch. If the static VLAN configuration does not exist, the authentication fails. If the port is assigned as a member of an untagged dynamic VLAN that was learned through GVRP, the dynamic VLAN configuration must exist on the switch at the time of authentication and GVRP-learned dynamic VLANs for port-access authentication must be enabled. If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic VLAN for authentication sessions on the switch, the authentication fails.
n To enable the use of a GVRP-learned (dynamic) VLAN as the untagged VLAN used in an authentication session, enter the aaa port-access gvrp-vlans command.
n Enabling the use of dynamic VLANs in an authentication session offers the following benefits: l You avoid the need of having static VLANs pre-configured on the switch. l You can centralize the administration of user accounts (including user VLAN IDs) on a RADIUS server. For information on how to enable the switch to dynamically create 802.1Q-compliant VLANs on links to other devices using the GARP VLAN Registration Protocol (GVRP), see "GVRP" in the advanced traffic management guide.
n For an authentication session to proceed, a port must be an untagged member of the (static or dynamic) VLAN assigned by the RADIUS server (or an authorized-client VLAN configuration). The port temporarily drops any current untagged VLAN membership.If the port is not already a member of the RADIUS-assigned (static or dynamic) untagged VLAN, the switch temporarily reassigns the port as an untagged member of the required VLAN (for the duration of the session). At the same time, if the port is already configured as an untagged member of a different VLAN, the port loses access to the other VLAN for the duration of the session. (A port can be an untagged member of only one VLAN at a time.)When the authentication session ends, the switch
Aruba 2930M/F | Access Security Guide
552
removes the temporary untagged VLAN assignment and re-activates the temporarily disabled, untagged VLAN assignment. n If GVRP is already enabled on the switch, the temporary untagged (static or dynamic) VLAN created on the port for the authentication session is advertised as an existing VLAN. If this temporary VLAN assignment causes the switch to disable a different untagged static or dynamic VLAN configured on the port (as described in the preceding bullet) the disabled VLAN assignment is not advertised. When the authentication session ends, the switch: l Removes the temporary untagged VLAN assignment and stops advertising it. l Re-activates and resumes advertising the temporarily disabled, untagged VLAN assignment.
n If you modify a VLAN ID configuration on a port during an 802.1X, MAC, or Web authentication session, the changes do not take effect until the session ends.
n When a switch port is configured with RADIUS-based authentication to accept multiple 802.1X and/or MAC or Web authentication client sessions, all authenticated clients must use the same port-based, untagged VLAN membership assigned for the earliest, currently active client session.Therefore, on a port where one or more authenticated client sessions are already running, all such clients are on the same untagged VLAN. If a RADIUS server subsequently authenticates a new client, but attempts to re-assign the port to a different, untagged VLAN than the one already in use for the previously existing, authenticated client sessions, the connection for the new client will fail.
Example of untagged VLAN assignment in a RADIUS-based authentication session
The following example shows how an untagged static VLAN is temporarily assigned to a port for use during an 802.1X authentication session. In the example, an 802.1X-aware client on port A2 has been authenticated by a RADIUS server for access to VLAN 22. However, port A2 is not configured as a member of VLAN 22 but as a member of untagged VLAN 33 as shown here:
Figure 113 Active VLAN configuration
In this example, if RADIUS authorizes an 802.1X client on port A2 with the requirement that the client use VLAN 22, then:
n VLAN 22 becomes available as Untagged on port A2 for the duration of the session. n VLAN 33 becomes unavailable to port A2 for the duration of the session (because there can be only one
untagged VLAN on any port).
To view the temporary VLAN assignment as a change in the active configuration, use the show vlan <vlan-id> command where <vlan-id> is the (static or dynamic) VLAN used in the authenticated client session.
553
Aruba 2930M/F | Access Security Guide
Figure 114 The active configuration for VLAN 22 temporarily changes for the 802.1X session
However, as shown in Figure 113: Active VLAN configuration, because VLAN 33 is configured as untagged on port A2 and because a port can be untagged on only one VLAN, port A2 loses access to VLAN 33 for the duration of the 802.1X session on VLAN 22. You can verify the temporary loss of access to VLAN 33 by entering the show vlan 33 command.
Figure 115 The active configuration for VLAN 33 temporarily drops port 22 for the 802.1X session
When the 802.1X client's session on port A2 ends, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is "permanently" configured as untagged on the port becomes available again. Therefore, when the RADIUS-authenticated 802.1X session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored.
Aruba 2930M/F | Access Security Guide
554
Figure 116 The active configuration for VLAN 33 restores port A2 after the 802.1X session ends
Enabling the use of GVRP-learned dynamic VLANs in authentication sessions
Syntax
aaa port-access gvrp-vlans Enables the use of dynamic VLANs (learned through GVRP) in the temporary untagged VLAN assigned by a RADIUS server on an authenticated port in an 802.1X, MAC, or Web authentication session. Enter the no form of this command to disable the use of GVRP-learned VLANs in an authentication session. For information on how to enable a switch to dynamically create 802.1Q-compliant VLANs, see "GVRP" in the advanced traffic management guide.
555
Aruba 2930M/F | Access Security Guide
1. If a port is assigned as a member of an untagged dynamic VLAN, the dynamic VLAN configuration must exist at the time of authentication and GVRP for port-access authentication must be enabled on the switch. If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic VLAN for authentication sessions on the switch, the authentication fails.
2. After you enable dynamic VLAN assignment in an authentication session, it is recommended that you use the interface unknown-vlans command on a per-port basis to prevent denial-of-service attacks. The interface unknown-vlans command allows you to: n Disable the port from sending advertisements of existing GVRP-created VLANs on the switch. n Drop all GVRP advertisements received on the port. See "GVRP" in the advanced traffic management guide.
3. If you disable the use of dynamic VLANs in an authentication session using the no aaa portaccess gvrp-vlans command, client sessions that were authenticated with a dynamic VLAN continue and are not deauthenticated. (This behavior differs from how static VLAN assignment is handled in an authentication session. If you remove the configuration of the static VLAN used to create a temporary client session, the 802.1X, MAC, or Web authenticated client is deauthenticated.)
However, if a RADIUS-configured dynamic VLAN used for an authentication session is deleted from the switch through normal GVRP operation (for example, if no GVRP advertisements for the VLAN are received on any switch port), authenticated clients using this VLAN are deauthenticated.
Any port VLAN-ID changes you make on 802.1X-aware ports during an 802.1X-authenticated session do not take effect until the session ends.
With GVRP enabled, a temporary, untagged static VLAN assignment created on a port by 802.1X authentication is advertised as an existing VLAN. If this temporary VLAN assignment causes the switch to disable a configured (untagged) static VLAN assignment on the port, then the disabled VLAN assignment is not advertised. When the 802.1X session ends, the switch:
n Eliminates and ceases to advertise the temporary VLAN assignment. n Re-activates and resumes advertising the temporarily disabled VLAN assignment
EAP identifier compliance for 802.1x
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
aaa port-access authenticator eap-id-compliance
Syntax
aaa port-access authenticator eap-id-compliance no aaa port-access authenticator eap-id-compliance
Aruba 2930M/F | Access Security Guide
556
Description
This command enables EAP identifier compliance to support non-incremental EAP identifier values from RADIUS server, for a new EAP request . EAP Identifier compliance is disabled by default. The no form of the command disables EAP identifier compliance to support non-incremental EAP identifier values from RADIUS server, for a new EAP request.
Command context
config
Examples
switch(config)#aaa port-access authenticator
active
Activate/deactivate 802.1X authenticator.
cached-reauth-delay Set period of time, in seconds, during which
authenticator will not initiate reauthentications after
a cached reauthentication.
eap-id-compliance
Enable/disable EAP identifier compliance feature.
[ethernet] PORT-LIST Manage 802.1X on the device ports.
switch(config)#aaa port-access eap-id-compliance
switch(config)#show port-access authenticator 1/5 Port Access Authenticator Status Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Use LLDP data to authenticate [No] : No Dot1X EAP Identifier Compliance [Disabled] : Enabled
Auths/ Unauth Untagged Tagged
% In RADIUS Cntrl
Port Guests Clients VLAN
VLANs Port COS Limit ACL Dir Port Mode
----- ------- ------- -------- ------ --------- ----- ------ ----- ----------
1/5 0/0
0
22
No
No
No No
both 1000FDx
switch(config)#show running config Running configuration:
hostname "switch" module 1 type j9728a snmp-server community "public" unrestricted aaa port-access authenticator 1-2 aaa port-access authenticator cached-reauth-delay 300 aaa port-access authenticator eap-id-compliance aaa port-access authenticator active oobm
ip address dhcp-bootp exit vlan 1 name "DEFAULT_VLAN" untagged 1-48 ip address dhcp-bootp exit
EAP-TLS fragmentation
Overview
EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is one of the preferred authentication methods in enterprise business. EAP-TLS provides secured certificate-based mutual authentication of the client and the network.
557
Aruba 2930M/F | Access Security Guide
EAP-TLS authentication has three components:
n The Supplicant, or client is a device requesting access to the network. n Authenticator, or switch is a network device providing link between the supplicant and a RADIUS server. It
can allow or block network traffic between the supplicant and server. n RADIUS, or EAP server validates and authenticates the client.
Currently, EAP-TLS support on Aruba switch allows a client or a EAP/RADIUS server to exchange data packets of standard Maximum Transmission Unit (MTU) size. When jumbo is enabled on a switch, the client and the EAP server can send data packets up to MTU size of 9 KB. But, the maximum MTU size allowed between the switch and the RADIUS server is 3 KB. A RADIUS server cannot process any inbound packet greater than 3 KB, thus the switch fails to complete the EAP authentication process. Aruba switch supports an internal EAP fragmentation for EAP-TLS to exchange the RADIUS packets between a client and a RADIUS server. By default, if the packet size is greater than 3 KB, the packet will be fragmented into smaller packets of size 1011 bytes. With EAP-TLS fragmentation, you can enable jumbo and EAP-TLS authentication together on the switch. This feature supports high-size chain certificates on both Windows and Linux clients. The IP fragmentation must be enabled between the switch and the RADIUS server. The IP MTU size must be set appropriately to handle the RADIUS packets. The switch performs the following functions for a successful exchange of RADIUS packets between the client and the RADIUS server:
n Fragments the EAP Request data during a server-client key exchange. n Fragments the EAP Response data during a supplicant-client key exchange. n Re-assembles the fragmented EAP Request data. n Re-assembles the fragmented EAP Response data.
When the size of the EAP data received by the switch for authentication is less than 3 KB, the switch does not perform EAP-TLS fragmentation before sending the EAP data to the RADIUS server. In some deployments, firewalls or gateways are deployed between the RADIUS server and the switch. If the size of the RADIUS packet is above the default MTU, there is a chance that the RADIUS packet is fragmented in the network and dropped by the firewall. As a result, the switch fails to complete the EAP authentication process. To avoid packet drops, you can configure the EAP-TLS fragment size sent to the RADIUS server.
Configuring EAP-TLS Fragment Size
Use the following command to configure and reduce the EAP-TLS fragment size sent to the RADIUS server. Reducing the EAP-TLS fragment size ensures that IP fragmentation does not take place in the network.
Aruba 2930M/F | Access Security Guide
558
n It is important to configure the EAP-TLS fragment size based on the MTU of the network. n The following command will only set the EAP-TLS fragment size sent to the RADIUS server. The
EAP-TLS fragment size sent to supplicant will not be changed. This command is applicable only for the EAP-TLS method, and it does not apply to PEAP/EAP-TTLS.
Syntax
aaa port-access authenticator eap-tls-fragment towards-server <max-fragment-size> no aaa port-access authenticator eap-tls-fragment towards-server <max-fragment-size>
Description
Configures the EAP-TLS fragment size sent to the RADIUS server. If the EAP-TLS fragment size is not configured, the switch will perform EAP-TLS fragmentation only when the size of the incoming data packet is more than 3 KB. The no form of the command removes the EAP-TLS fragment size configuration.
Parameter
eap-tls-fragment towards-server Configure the EAP-TLS fragment size, which is sent to the RADIUS server. <max-fragment-size> Enter the value to set the maximum fragment size. The allowable range of EAP-TLS fragment size is between 576 to 3072 bytes.
Command Context
config
Configuring EAP-TLS fragmentation
Following is the workflow to configure EAP-TLS fragmentation in a switch:
n Authenticator Switch/RADIUS client l Upgrade your switch to latest version. l Enable jumbo frames on the Authenticator switch and Supplicant interface.
For more information, see Jumbo frames chapter in the Management and Configuration Guide of your switch.
n Supplicant/Client (Linux, or Window VM) l For a linux VM: 1. Import root CA certificate, client certificate, and client key files. 2. Enable jumbo frames on client/switch interface using command: ifconfig eth1 mtu 9000. 3. Start the supplicant. l For a window VM: 1. Import root CA certificate, and client certificate on the window client. 2. Enable jumbo frames on window NIC using command: enable jumbo 9182. 3. Start the supplicant.
559
Aruba 2930M/F | Access Security Guide
n RADIUS server RADIUS server can be a ClearPass server. 1. Import root CA certificate, server certificate, and server key.pem files. 2. Start the RADIUS server service.
Operating Notes
n Due to the fragmentation process in a switch, there is a delay in response to Access-Challenge packet from the RADIUS server. The time delay is due to size of the client and server certificates.
n The certificate size must be less than 64k bytes as there is a limitation on the size of the certificate during EAP TLS authentication.
n The fragmentation size of a certificate must not exceed 1001 bytes. n Debug messages of fragmentation of packets on a switch are entered in the debug console log. You can
enable debug logs by executing following commands in the switch:
l debug destination session
l debug security port-access authenticator
l debug security radius-server Example showing the debug messages of fragmentation of packets on a switch:
0000:04:23:36.39 1X m8021xCtrl:Port 2: Response packet, Fragmented bit set(eap_flag = 192) in EAP ID #29 to 005056-bd38d7. Re-assemble the packet, total client certificate length 15113
0000:04:23:36.59 1X m8021xCtrl:Port 2: Response re-assembly, Re-assembled length = 3100 for EAP ID #29 to 005056-bd38d7. Total Length re-assembled = 3100.
0000:04:23:36.77 1X m8021xCtrl:Port 2: Response re-assembly, Send request ACK with EAP ID #30 to 005056-bd38d7.
0000:04:23:36.89 1X m8021xCtrl:Port 2: received type 13 EAP response #30 from 005056-bd38d7.
0000:04:23:37.00 1X m8021xCtrl:Port 2: Response re-assembly, Re-assembled length = 3100 for EAP ID #30 to 005056-bd38d7. Total Length re-assembled = 6200.
n When the supplicant, and a server certificate size is large, or the EAP size configured on the supplicant, and the server is small, there are more rounds of EAP TLS handshake. The client, and server support maximum of 50 complete EAP request-response rounds. If EAP request-response rounds exceed 50, the EAP TLS authentication fails.
Example 1
Client Cert-size = 40K or less(Jumbo enabled)
EAP supplicant size
= 8K
RADIUS Cert-size
= less than 3k
EAP RADIUS size
= 3k
Calculate the round for the above configuration
EAP Identity
= 1 round
EAP Method
= 1 round
Client hello+ server cert
= 1 round
Client cert to switch
= 40/8 rounds = 5 rounds
Switch to RADIUS
= 40 rounds
Cipher spec + success
= 2 rounds
-------------------------------------------------
Total
= 50 rounds
Aruba 2930M/F | Access Security Guide
560
Example 2
Client Cert-size = 6K or more(Jumbo enabled)
EAP supplicant size
= 300 Bytes
RADIUS Cert-size
= less than 3k
EAP RADIUS size
= 3k
Calculate the round for the above configuration
EAP Identity
= 1 round
EAP Method
= 1 round
Client hello+ server cert
= 1 round
Client cert to switch
= 60/3 rounds = 20 rounds
Switch to RADIUS
= 20 rounds
Cipher spec + success
= 2 rounds
-------------------------------------------------
Total
= 45 rounds
Messages related to 802.1X operation
Table 43: 802.1X operating messages Message
Port <port-list> is not an authenticator.
Port <port-list> is not a supplicant.
No server(s) responding.
Meaning
The ports in the port list have not been enabled as 802.1X authenticators. Use this command to enable the ports as authenticators:
Switch(config)# aaa portaccess authenticator e 10
Occurs when there is an attempt to change the supplicant configuration on a port that is not currently enabled as a supplicant. Enable the port as a supplicant and then make the desired supplicant configuration changes. See Enabling a switch port as a supplicant.
This message can appear if you configured the switch for EAPRADIUS or CHAP-RADIUS authentication, but the switch
561
Aruba 2930M/F | Access Security Guide
Message
LACP has been disabled on 802.1X port(s). Error configuring port <port-list> LACP and 802.1X cannot be run together.
Meaning
does not receive a response from a RADIUS server. Ensure that the switch is configured to access at least one RADIUS server. (Use show radius.) If you also see the message Can't reach RADIUS server <x.x.x.x> , try the suggestions listed for that message (see Messages related to RADIUS operation).
To maintain security, LACP is not allowed on ports configured for 802.1X authenticator operation. If you configure port security on a port on which LACP (active or passive) is configured, the switch removes the LACP configuration, displays a notice that LACP is disabled on the port(s), and enables 802.1X on that port.Also, the switch will not allow you to configure LACP on a port on which port access (802.1X) is enabled.
Aruba 2930M/F | Access Security Guide
562
Chapter 27 Configuring and Monitoring Port Security
Configuring and Monitoring Port Security
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
Port security
Basic operation
Default port security operation: The default port security setting for each port is off, or "continuous". That is, any device can access a port without causing a security reaction. Intruder protection: A port that detects an "intruder" blocks the intruding device from transmitting to the network through that port. Eavesdrop protection: Using either the port-security command or the switch WebAgent to enable port security on a given port automatically enables eavesdrop prevention on that port. General operation for port security: On a per-port basis, you can configure security measures to block unauthorized devices, and to send notice of security violations. Once port security is configured, you can then monitor the network for security violations through one or more of the following:
n Alert flags captured by network management tools. n Alert Log entries in the WebAgent. n Event Log entries in the console interface. n Intrusion Log entries in the menu interface, CLI, or WebAgent.
For any port, you can configure the following:
n Action: Used when a port detects an intruder. Specifies whether to send an SNMP trap to a network management station and whether to disable the port.
n Address Limit: Sets the number of authorized MAC addresses allowed on the port. n Learn-Mode: Specify how the port acquires authorized addresses. o Limited-Continuous: Sets a finite limit (1-32) to the number of learned addresses allowed per port. o Continuous: Allows the port to learn addresses from inbound traffic from any connected device. This is the
default setting. o Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify
some or all the authorized addresses. (If you specify only some of the authorized addresses, the port learns the remaining authorized addresses from the traffic it receives from connected devices.) o Configured: Requires that you specify all MAC addresses authorized for the port. The port is not allowed to learn addresses from inbound traffic.
Aruba 2930M/F | Access Security Guide
563
n Authorized (MAC) Addresses: Specify up to eight devices (MAC addresses) that are allowed to send inbound traffic through the port. This feature:
o Closes the port to inbound traffic from any unauthorized devices that are connected to the port. o Provides the option for sending an SNMP trap notifying of an attempted security violation to a network
management station and, optionally, disables the port. (For more on configuring the switch for SNMP management, see "Trap receivers and authentication traps" in the management and configuration guide for your switch.)
n Port Access: Allows only the MAC address of a device authenticated through the switch 802.1X Port-Based access control.
Eavesdrop Prevention
Configuring port security on a given switch port automatically enables Eavesdrop Prevention for that port. This prevents use of the port to flood unicast packets addressed to MAC addresses unknown to the switch and blocks unauthorized users from eavesdropping on traffic intended for addresses that have aged-out of the switch address table. (Eavesdrop Prevention does not affect multicast and broadcast traffic; the switch floods these two traffic types out a given port regardless of whether port security is enabled on that port.)
Disabling Eavesdrop Prevention
Traffic with an unknown destination address is blocked when port security is configured and Eavesdrop Prevention is enabled. You can disable Eavesdrop Prevention on ports where it may cause problems, such as on ports that are configured to use limited-continuous learning mode. See Configuring port security for more information on learning modes.
Feature interactions when Eavesdrop Prevention is disabled
The following table explains the various interactions between learning modes and Eavesdrop Prevention when Eavesdrop Prevention is disabled.
When the learning mode is "port-access", Eavesdrop Prevention will not be applied to the port. However, it can still be configured or disabled for the port.
Table 44: Learn Effect
Learn mode
Effect
Static
When Eavesdrop Prevention is disabled, the port transmits packets that have unknown destination addresses. The port is secured and only a limited number of static MAC addresses are learned. A device must generate traffic before the MAC address is learned and traffic is forwarded to it.
Continuous The default. The Eavesdrop Prevention option does not apply because port security is disabled. Ports forward traffic with unknown destination addresses normally.
Port-access Disabling Eavesdrop Prevention is not applied to the port. There is no change.
564
Aruba 2930M/F | Access Security Guide
Learn mode
Effect
Limitedcontinuous
When Eavesdrop Prevention is disabled, the port transmits packets that have unknown destination addresses. The port is secured; MAC addresses age normally. Eavesdrop Prevention may cause difficulties in learning MAC addresses (as with static MAC addresses) and cause serious traffic issues when a MAC ages out.
Configured
When Eavesdrop Prevention is disabled, the port transmits packets that have unknown destination addresses. The port is secured by a static MAC address. Eavesdrop Prevention should not cause any issues because all valid MAC addresses have been configured.
Syntax:
port-security <port-list> eavesdrop-prevention no port-security <port-list> eavesdrop-prevention
When this option is enabled, the port is prevented from transmitting packets that have unknown destination addresses. Only devices attached to the port receive packets intended for them. This option does not apply to a learning mode of port-access or continuous. Default: Enabled
The show port-security command displaying Eavesdrop Prevention
switch(config)# show port-security Port Security
Port Learn Mode | Action
Eavesdrop Prevention
------ ------------- + ---------------- --------------------
1
Continuous | None
Enabled
2
Continuous | None
Enabled
3
Continuous | None
Enabled
4
Continuous | None
Enabled
5
Continuous | None
Enabled
MIB Support
The following MIB support is provided for Eavesdrop Prevention.
hpSecPtPreventEavesdrop OBJECT-TYPE SYNTAX INTEGER { enable (1), disable (2) } MAX-ACCESS read-write STATUS current DESCRIPTION "If enabled on a switch, outbound unknown unicast packets will not be forwarded out this port. If enabled on a repeater, outbound unknown unicast packets for this port will be scrambled.::= { hpSecurePortEntry 5 }
Blocked unauthorized traffic
Unless you configure the switch to disable a port on which a security violation is detected, the switch security measures block unauthorized traffic without disabling the port. This implementation enables you to apply the security configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users. For example:
Aruba 2930M/F | Access Security Guide
565
How port security controls access
Broadcast and Multicast traffic is always allowed, and can be read by intruders connected to a port on which you have configured port security.
Overview
A port interrupted with unauthorized mac-address or invalid user is blocked and goes to nonresponding status. The disable timer starts after intrusion detection when the port is in nonresponding state. The port security auto recovery feature allows the interface or port to automatically come up after the timer expires. Static, configured, port-access learn mode, and limited continuous modes can be configured with disable timer.
nIf you configure the value of disable-timer as zero, the timer is disabled. nIn continuous mode, the send-disable action cannot be configured, and you cannot set the disable timer. nWhen port-security is enabled with MAC, LOCAL-MAC, and dot1x, only port-access learn mode must be enabled.
Prerequisites:
n Set the action for disable-timer to send-disable. n The disable-timer must be enabled manually by the user for the port.
Requirements:
n dot1x client n mac client n Switch n Windows
566
Aruba 2930M/F | Access Security Guide
Limitations:
n The disable-timer must be enabled manually by the user for the port.
n If the port is nonfunctional, you cannot change the disable-timer value. You can configure the disable-timer with value to zero.
n You cannot execute the port-securtiy <port-num> disable-timer<Value> command, if the port goes to nonresponding state.
port-security disable-timer
Syntax port-security <port-numbers> disable-timer <seconds>
Description
Configures the timer for the port numbers of port security once the port goes to the error-disabled state.
Command context
config
Parameters
port-numbers
Specifies the port numbers. You can configure a single port or range of ports. seconds
Sets the number of seconds after which disabled ports are automatically re-enabled. The range can be from 0 to 300 seconds.
Types of port-security modes
switch(config)# port-security 1-4
action
Define the action in case of an intrusion detection.
address-limit
Define number of authorized addresses on the ports.
clear-intrusion-flag Clear the intrusion indicator for the ports.
disable-timer
Configure number of seconds after which disabled ports
are automatically re-enabled.
eavesdrop-prevention Enable Eavesdrop Prevention.
learn-mode
Define the mode for acquiring authorized MAC addresses.
mac-address
Configure the addresses authorized on the ports.
How to configure the disable timer:
Configuring timer as 50 seconds for the port numbers from 1 to 10.
switch(config)# port-security 1-4 disable-timer 50 switch(config)# show port-security 1-4
Port Security
Port : 1 Learn Mode [Continuous] : Port-Access Action [None] : Send Alarm, Disable Port Eavesdrop Prevention [Enabled] : Enabled
Aruba 2930M/F | Access Security Guide
567
Disable Timer : 50
Authorized Addresses --------------------
Port : 2 Learn Mode [Continuous] : Port-Access Action [None] : Send Alarm, Disable Port Eavesdrop Prevention [Enabled] : Enabled Disable Timer : 50
Authorized Addresses --------------------
Port : 3 Learn Mode [Continuous] : Port-Access Action [None] : Send Alarm, Disable Port Eavesdrop Prevention [Enabled] : Enabled Disable Timer : 50
Authorized Addresses --------------------
Port : 4 Learn Mode [Continuous] : Port-Access Action [None] : Send Alarm, Disable Port Eavesdrop Prevention [Enabled] : Enabled Disable Timer : 50
Authorized Addresses --------------------
To check Intrusion
switch(config)#sh int brief 1-4
Status and Counters - Port Status
| Intrusion
MDI Flow Bcast
Port
Type
| Alert
Enabled Status Mode
Mode Ctrl Limit
------------ ---------- + --------- ------- ------ ---------- ---- ---- -----
1
100/1000T | Yes
Yes
Up
1000FDx Auto off 0
2
100/1000T | Yes
Yes
Down 1000FDx Auto off 0
3
100/1000T | No
Yes
Up
1000FDx MDI off 0
4
100/1000T | Yes
Yes
Down 1000FDx Auto off 0
To check event logs
To check the debug log for port security, you can enable debug security port-security command. Check the logs in reversible order by using following command:
switch(config)#sh log -r
Keys: W=Warning I=Information M=Major D=Debug E=Error
---- Reverse event Log listing: Events Since Boot ----
I 03/11/18 12:31:19 00001 vlan: ST1-CMDR: VLAN10 virtual LAN enabled (122 times
568
Aruba 2930M/F | Access Security Guide
in 60 seconds)
I 03/11/18 12:31:19 00076 ports: ST1-CMDR: port 1/A1 is now on-line
I 03/11/18 12:31:17 03125 mgr: ST1-CMDR: Startup configuration changed by unknown. New seq. number 186
I 03/11/18 12:31:17 02611 mgr: ST1-CMDR: port-security subsystem saved some internal change(s) to startup config.
I 03/11/18 12:31:17 05754 fault: ST1-CMDR: port-security disable timer expired for port:1/A1
I 03/11/18 12:30:27 00002 vlan: ST1-CMDR: VLAN10 virtual LAN disabled (121 times in 60 seconds) 03/11/18 12:30:27 00077 ports: ST1-CMDR: port 1/A1 is now off-line
I 03/11/18 12:30:27 03125 mgr: ST1-CMDR: Startup configuration changed by unknown. New seq. number 185
I 03/11/18 12:30:27 02611 mgr: ST1-CMDR: port-security subsystem saved some internal change(s) to startup config. W 03/11/18 12:30:26 00334 FFI: ST1-CMDR: Port 1/A1 - Security violation caused by MAC address 300002-b85107.
I 03/11/18 12:30:26 05753 fault: ST1-CMDR: Port-security disable timer set for port:1/A1
Trunk group exclusion
Port security does not operate on either a static or dynamic trunk group. If you configure port security on one or more ports that are later added to a trunk group, the switch will reset the port security parameters for those ports to the factory-default configuration. (Ports configured for either Active or Passive LACP, and which are not members of a trunk, can be configured for port security.)
Planning port security
1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port? c. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmitting to the network.) You can configure the switch to (1) send intrusion alarms to an SNMP management station and to (2) optionally disable the port on which the intrusion was detected. d. How do you want to learn of the security violation attempts the switch detects? You can use one or more of these methods: n Through network management (That is, do you want an SNMP trap sent to a net management station when a port detects a security violation attempt?) n Through the switch Intrusion Log, available through the CLI, menu, and WebAgent n Through the Event Log (in the menu interface or through the CLI show log command)
2. Use the CLI or WebAgent to configure port security operating and address controls.
Aruba 2930M/F | Access Security Guide
569
Port security command options and operation
This section describes the CLI port security command and how the switch acquires and maintains authorized addresses.
Use the global configuration level to execute port-security configuration commands.
Displaying port security settings
Syntax: show port-security show port-security <port-number> show port-security [<port-number>-<port-number>]...[,<port-number>] The CLI uses the same command to provide two types of port security listings:
n All ports on the switch with their Learn Mode and (alarm) Action n Only the specified ports with their Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses
Without port parameters, show port-security displays Operating Control settings for all ports on a switch.
Port security listing (ports 7 and 8 show the default setting)
switch(config)# show port-security
Port Security
Port Learn Mode | Action
Eavesdrop Prevention
---- ----------- + ------------------------ --------------------
1 Continuous | Send Alarm, Disable Port Enabled
2 Continuous | Send Alarm, Disable Port Enabled
3 Static
| Send Alarm
Enabled
4 Continuous | Send Alarm, Disable Port Enabled
5 Continuous | Send Alarm, Disable Port Enabled
6 Continuous | Send Alarm, Disable Port Enabled
7 Continuous | None
Enabled
8 Continuous | None
Enabled
With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the specified ports on a switch. The following example lists the full port security configuration for a single port:
The port security configuration display for a single port
switch(config)# show port-security 3
Port Security
Port : 3 Learn Mode [Continuous] : Static Address Limit [1] : 1 Action [None] : None Eavesdrop Prevention [Enabled] : Enabled
Authorized Addresses -------------------00906d-fdcc00
The next example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string:
570
Aruba 2930M/F | Access Security Guide
Entering a range of ports switch(config)# show port-security 1-3,6,8
Listing authorized and detected MAC addresses
Syntax:
show mac-address [port-list|mac-address|vlan <vid>] Without an optional parameter, show mac-address lists the authorized MAC addresses that the switch detects on all ports. mac-address: Lists the specified MAC address with the port on which it is detected as an authorized address. port list: Lists the authorized MAC addresses detected on the specified port(s). vlan <vid>: Lists the authorized MAC addresses detected on ports belonging to the specified VLAN.
Show mac-address outputs
switch(config)# show mac-address Status and Counters - Port Address Table
MAC Address Port VLAN
------------- ----- ----
00000c-07ac00 7
1
0000aa-9c09cb 7
1
000102-f215c7 5
100
.
0018fe-a5e504 1
222
switch(config)# show mac-address 7 Status and Counters - Port Address Table - 7
MAC Address VLANs ------------- -----------00000c-07ac00 1 0000aa-9c09cb 1
switch(config)# show mac-address 00000c-07ac00 Status and Counters - Address Table - 00000c-07ac00
Port VLAN
----- ----
5
100
switch(config)# show mac-address vlan 1 Status and Counters - Address Table - VLAN 1
MAC Address Port ------------- ----00000c-07ac00 1 000050-53c774 1
. 0000aa-9c09cb 1
Configuring port security
Using the CLI, you can do the following:
Aruba 2930M/F | Access Security Guide
571
n Configure port security and edit security settings. n Add or delete devices from the list of authorized addresses for one or more ports. n Clear the Intrusion flag on specific ports.
Lock a MAC to a port-VLAN pair
Overview
AOS-S can learn statically configured MAC addresses, or dynamic MAC addresses. When port security is enabled on a switch, any unauthorized MAC address is denied access to the network. Lock a MAC to a portVLAN pair feature supports both static and dynamic MAC learning with a new mode: learn-mode mixed. Using this mode, you can limit the number of MAC addresses learnt per port. Previously, port-security did not support configuration of static MAC address on a port for a specific VLAN. Now, you can statically configure a MAC address to a specific port and VLAN, and simultaneously learn dynamic MAC addresses on the same port for other VLANs. The existing port-security feature is modified to support the following enhancements:
n port-security learn-mode mixed command supports both dynamic MAC address learning, and static MAC address configuration on a port-VLAN pair.
n If learn-mode mixed is configured on the ports, a statically configured MAC address cannot move from one port to another secured port.
Retention of static addresses
Static MAC addresses do not age-out. MAC addresses learned by using learn-mode continuous or learnmode limited-continuous age out according to the currently configured MAC age time. For information on the mac-age-time command, see "Interface Access and System Information" in the management and configuration guide for your switch.
Learned addresses
In the following two cases, a port in Static learn mode retains a learned MAC address even if you later reboot the switch or disable port security for that port:
n The port learns a MAC address after you configure the port for Static learn mode in both the startup-config file and the running-config file (by executing the write memory command).
n The port learns a MAC address after you configure the port for Static learn mode in only the running-config file and, after the address is learned, you execute write memory to configure the startup-config file to match the running-config file.
To remove an address learned using either of the preceding methods, do one of the following:
n Delete the address by using no port-security <port-number> mac-address <mac-addr>.
n Download a configuration file that does not include the unwanted MAC address assignment. n Reset the switch to its factory-default configuration.
Assigned/authorized addresses
If you manually assign a MAC address (using port-security <port-number> address-list <mac-addr>) and then execute write memory, the assigned MAC address remains in memory until you do one of the following:
572
Aruba 2930M/F | Access Security Guide
n Delete it by using no port-security <port-number> mac-address <mac-addr>
n Download a configuration file that does not include the unwanted MAC address assignment.
n Reset the switch to its factory-default configuration.
Specifying authorized devices and intrusion responses
This example configures port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port. (The default device limit is 1.) It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port.
switch(config)# port-security a1 learn-mode static action send-disable
The next example does the same as the preceding example, except that it specifies a MAC address of 0c0090123456 as the authorized device instead of allowing the port to automatically assign the first device it detects as an authorized device.
switch(config)# port-security a1 learn-mode static mac-address 0c0090-123456 action send-disable
This example configures port A5 to:
n Allow two MAC addresses, 00c100-7fec00 and 0060b0-889e00, as the authorized devices.
n Send an alarm to a management station if an intruder is detected on the port, but allow the intruder access to the network.
switch(config)# port-security a5 learn-mode static address-limit 2 mac-address 00c100-7fec00 0060b0-889e00 action send-alarm
If you manually configure authorized devices (MAC addresses) and/or an alarm action on a port, those settings remain unless you either manually change them or the switch is reset to its factory-default configuration. You can "turn off" authorized devices on a port by configuring the port to continuous Learn Mode, but subsequently reconfiguring the port to static Learn Mode restores those authorized devices.
Adding an authorized device to a port
To simply add a device (MAC address) to a port's existing Authorized Addresses list, enter the port number with the mac-address parameter and the device's MAC address. This assumes that Learn Mode is set to static and the Authorized Addresses list is not full (as determined by the current Address Limit value). For example, suppose port A1 allows two authorized devices, but has only one device in its Authorized Address list:
Figure 117 Adding an authorized device to a port
Aruba 2930M/F | Access Security Guide
573
With the above configuration for port A1, the following command adds the 0c0090-456456 MAC address as the second authorized address.
switch(config)# port-security a1 mac-address 0c0090-456456 After executing the above command, the security configuration for port A1 would be:
Figure 118 Adding a second authorized device to a port
(The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. Note that if you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in static mode. If you subsequently attempt to convert the port back to static mode with the same authorized address(es), the Inconsistent value message appears because the port already has the address(es) in its "Authorized" list.) If you are adding a device (MAC address) to a port on which the Authorized Addresses list is already full (as controlled by the port's current Address Limit setting), then you must increase the Address Limit in order to add the device, even if you want to replace one device with another. Using the CLI, you can simultaneously increase the limit and add the MAC address with a single command. For example, suppose port A1 allows one authorized device and already has a device listed:
Port security on port A1 with an address limit of "1"
switch(config)# show port-security 1 Port Security
Port : 1 Learn Mode [Continuous] : Static Address Limit [1] : 2 Action [None] : None Eavesdrop Prevention [Enabled] : Enabled
Authorized Addresses -------------------0c0090-123456 0c0090-456456
To add a second authorized device to port A1, execute a port-security command for port A1 that raises the address limit to 2 and specifies the additional device's MAC address. For example:
switch(config)# port-security a1 mac-address 0c0090-456456 address-limit 2
Removing a device from the "authorized" list for a port
This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. (An Authorized Address list is available for each port for which Learn Mode is currently set to "Static". See the Command syntax listing under Configuring port security on page 571.
574
Aruba 2930M/F | Access Security Guide
When learn mode is set to static, the Address Limit (address-limit) parameter controls how many devices are allowed in the Authorized Addresses (mac-address) for a given port. If you remove a MAC address from the Authorized Addresses list without also reducing the Address Limit by 1, the port may subsequently detect and accept as authorized a MAC address that you do not intend to include in your Authorized Address list. Thus, if you use the CLI to remove a device that is no longer authorized, it is recommended that you first reduce the Address Limit (address-limit) integer by 1, as shown below. This prevents the possibility of the same device or another unauthorized device on the network from automatically being accepted as "authorized" for that port.
To remove a device (MAC address) from the "Authorized" list and when the current number of devices equals the Address Limit value, you should first reduce the Address Limit value by 1, then remove the unwanted device.
You can reduce the address limit below the number of currently authorized addresses on a port. This enables you to subsequently remove a device from the "Authorized" list without opening the possibility for an unwanted device to automatically become authorized. For example, suppose port A1 is configured as shown below and you want to remove 0c0090-123456 from the Authorized Address list:
Figure 119 Two authorized addresses on port A1
The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: switch(config)# port-security a1 address-limit 1 switch(config)# no port-security a1 mac-address0c0090-123456
The above command sequence results in the following configuration for port A1: Figure 120 Port A1 after removing one MAC address
Aruba 2930M/F | Access Security Guide
575
Clear MAC address table
The following options allow learned MAC addresses to be removed from the MAC address table as follows:
n Remove all MAC addresses. n Remove all MAC address on a specified VLAN n Remove all MAC addresses on a port n Remove a specific MAC address on a specific VLAN
This functionality is also supported by SNMP.
Configuring clearing of learned MAC addresses
Use the following commands to clear learned MAC addresses from a port or list of ports, a specific VLAN, or to clear a specific MAC address from a VLAN.
Syntax:
clear mac-address port < port-list >
Removes MAC addresses that were learned on the specified port or ports in <port-list> . Use all to remove all MAC addresses in the MAC address table. switch(config)# clear mac-address port 4-7
Syntax:
clear mac-address vlan < vid > Removes all MAC addresses that were learned on the specified VLAN. switch(config)# clear mac-address vlan 2
Syntax:
clear mac-address vlan <vid> mac <mac-addr> Removes the specified MAC address from the specified VLAN. switch(config)# clear mac-address vlan 2 mac 0001e6-b197a8 To view the results from clearing a MAC address, use the show mac-address command with the appropriate option.
A MAC address cleared from the MAC Address Table
switch(config)# show mac-address vlan 2 Status and Counters - Address Table - VLAN 2
MAC Address ------------00000c-07ac00 000102-03db12 0001e6-b197a8
Located on Port --------------2 2 2
switch(config)# clear mac-address vlan 2 mac 0001e6-b197a8 switch(config)# show mac-address vlan 2
Status and Counters - Address Table - VLAN 2
MAC Address Located on Port ------------- ---------------
576
Aruba 2930M/F | Access Security Guide
00000c-07ac00 2 000102-03db12 2
MAC Lockdown
Syntax:
static-mac {< mac-addr > vlan < vid > interface < port-number >} no static-mac {< mac-addr > vlan < vid > interface < port-number >} Locks down a given MAC address and VLAN to a specific port. A separate command is necessary for each MAC/VLAN pair you wish to lock down. If not specifying a VID, the switch inserts "1". MAC Lockdown, also known as "static addressing," is the permanent assignment of a given MAC address and VLAN to a specific port on the switch. MAC Lockdown is used to prevent station movement and MAC address hijacking. It also controls address learning on the switch. Locking down a MAC address on a port and a specific VLAN only restricts the MAC address on that VLAN. The client device with that MAC address is allowed to access other VLANs on the same port or through other ports.
Port security and MAC Lockdown are mutually exclusive on a given port.
How MAC Lockdown works
When a device's MAC address is locked down to a port (typically in a pair with a VLAN) all information sent to that MAC address must go through the locked-down port. If the device is moved to another port it cannot receive data. Traffic to the designated MAC address goes only to the allowed port, whether the device is connected to it or not. MAC Lockdown is useful for preventing an intruder from "hijacking" a MAC address from a known user in order to steal data. Without MAC Lockdown, this will cause the switch to learn the address on the malicious user's port, allowing the intruder to steal the traffic meant for the legitimate user. MAC Lockdown ensures that traffic intended for a specific MAC address can only go through the one port which is supposed to be connected to that MAC address. It does not prevent intruders from transmitting packets with the locked MAC address, but it does prevent responses to those packets from going anywhere other than the locked-down port. Thus TCP connections cannot be established. Traffic sent to the locked address cannot be hijacked and directed out the port of the intruder. If the device (computer, PDA, wireless device) is moved to a different port on the switch (by reconnecting the Ethernet cable or by moving the device to an area using a wireless access point connected to a different port on that same switch), the port will detect that the MAC Address is not on the appropriate port and will continue to send traffic out the port to which the address was locked. Once a MAC address is configured for one port, you cannot perform port security using the same MAC address on any other port on that same switch. You cannot lock down a single MAC Address/VLAN pair to more than one port; however you can lock down multiple different MAC Addresses to a single port on the same switch. Stations can move from the port to which their MAC address is locked to other parts of the network. They can send, but will not receive data if that data must go through the locked down switch. Please note that if the device moves to a distant part of the network where data sent to its MAC address never goes through the locked down switch, it may be possible for the device to have full two-way communication. For full and complete lockdown network-wide all switches must be configured appropriately. Once you lock down a MAC address/VLAN pair on one port that pair cannot be locked down on a different port.
Aruba 2930M/F | Access Security Guide
577
You cannot perform MAC Lockdown and 802.1X authentication on the same port or on the same MAC address. MAC Lockdown and 802.1X authentication are mutually exclusive. Lockdown is permitted on static trunks (manually configured link aggregations).
Differences between MAC Lockdown and port security
Because port-security relies upon MAC addresses, it is often confused with the MAC Lockdown feature. However, MAC Lockdown is a completely different feature and is implemented on a different architecture level. Port security maintains a list of allowed MAC addresses on a per-port basis. An address can exist on multiple ports of a switch. Port security deals with MAC addresses only while MAC Lockdown specifies both a MAC address and a VLAN for lockdown. MAC Lockdown, on the other hand, is not a "list." It is a global parameter on the switch that takes precedence over any other security mechanism. The MAC Address will only be allowed to communicate using one specific port on the switch. MAC Lockdown is a good replacement for port security to create tighter control over MAC addresses and which ports they are allowed to use (only one port per MAC Address on the same switch in the case of MAC Lockdown). (You can still use the port for other MAC addresses, but you cannot use the locked down MAC address on other ports.) Using only port security the MAC Address could still be used on another port on the same switch. MAC Lockdown, on the other hand, is a clear one-to-one relationship between the MAC Address and the port. Once a MAC address has been locked down to a port it cannot be used on another port on the same switch. The switch does not allow MAC Lockdown and port security on the same port.
MAC Lockdown operating notes
Limitations
n This feature is not supported on SNMP, REST, and next Gen UI. n You cannot edit netservices. n Configuration backup and restore are not supported by netedit-update command. n When net edit is in progress, ctrl+c is disabled. n netedit-update command is not a part of the AirWave template.
Event log messages
See the event log message reference guide for information about event log messages.
Limiting the frequency of log messages
The first move attempt (or intrusion) is logged as you see in the example above. Subsequent move attempts send a message to the log file also, but message throttling is imposed on the logging on a per-module basis. What this means is that the logging system checks again after the first 5 minutes to see if another attempt has been made to move to the wrong port. If this is the case the log file registers the most recent attempt and then checks again after one hour. If there are no further attempts in that period then it will continue to check every 5 minutes. If another attempt was made during the one hour period then the log resets itself to check once a day. The purpose of rate-limiting the log messaging is to prevent the log file from becoming too full. You can also configure the switch to send the same messages to a server. See "Debug and Messaging Operation" in the management and configuration guide for your switch.
578
Aruba 2930M/F | Access Security Guide
Deploying MAC Lockdown
When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as "meshing" or Spanning Tree Protocol (STP) to speed up network performance by providing multiple paths for devices, using MAC Lockdown either will not work or else it defeats the purpose of having multiple data paths. The purpose of using MAC Lockdown is to prevent a malicious user from "hijacking" an approved MAC address so they can steal data traffic being sent to that address. As we have seen, MAC Lockdown can help prevent this type of hijacking by making sure that all traffic to a specific MAC address goes only to the proper port on a switch which is supposed to be connected to the real device bearing that MAC address. However, you can run into trouble if you incorrectly try to deploy MAC Lockdown in a network that uses multiple path technology, like Spanning Tree or "mesh networks." Let's examine a good use of MAC Lockdown within a network to ensure security first.
Figure 121 MAC Lockdown deployed at the network edge provides security
Basic MAC Lockdown deployment
In the Model Network Topology shown above, the switches that are connected to the edge of the network each have one and only one connection to the core network. This means each switch has only one path by which data can travel to Server A. You can use MAC Lockdown to specify that all traffic intended for Server A's MAC Address must go through the one port on the edge switches. That way, users on the edge can still use other network resources, but they cannot "spoof" Server A and hijack data traffic which is intended for that server alone.
Aruba 2930M/F | Access Security Guide
579
The key points for this Model Topology are:
n The Core Network is separated from the edge by the use of switches which have been "locked down" for security.
n All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.
n Each switch has been configured with MAC Lockdown so that the MAC Address for Server A has been locked down to one port per switch that can connect to the Core and Server A.
Using this setup Server A can be moved around within the core network, and yet MAC Lockdown will still prevent a user at the edge from hijacking its address and stealing data. Please note that in this scenario a user with bad intentions at the edge can still "spoof" the address for Server A and send out data packets that look as though they came from Server A. The good news is that because MAC Lockdown has been used on the switches on the edge, any traffic that is sent back to Server A will be sent to the proper MAC Address because MAC Lockdown has been used. The switches at the edge will not send Server A's data packets anywhere but the port connected to Server A. (Data would not be allowed to go beyond the edge switches.)
Using MAC Lockdown still does not protect against a hijacker within the core! In order to protect against someone spoofing the MAC Address for Server A inside the Core Network, you would have to lock down each and every switch inside the Core Network as well, not just on the edge.
Problems using MAC Lockdown in networks with multiple paths
Now let's take a look at a network topology in which the use of MAC Lockdown presents a problem. In the next figure, Switch 1 (on the bottom-left) is located at the edge of the network where there is a mixed audience that might contain hackers or other malicious users. Switch 1 has two paths it could use to connect to Server A. If you try to use MAC Lockdown here to make sure that all data to Server A is "locked down" to one path, connectivity problems would be the result since both paths need to be usable in case one of them fails.
580
Aruba 2930M/F | Access Security Guide
Figure 122 Connectivity problems using MAC lockdown with multiple paths
The resultant connectivity issues would prevent you from locking down Server A to Switch 1. And when you remove the MAC Lockdown from Switch 1 (to prevent broadcast storms or other connectivity issues), you then open the network to security problems. The use of MAC Lockdown as shown in the above figure would defeat the purpose of using MSTP or having an alternate path. Technologies such as MSTP or "meshing" are primarily intended for an internal campus network environment in which all users are trusted. MSTP and "meshing" do not work well with MAC Lockdown. If you deploy MAC Lockdown as shown in the Model Topology in Deploying MAC Lockdown on page 579, you should have no problems with either security or connectivity.
MAC Lockout
Syntax:
lockout-mac <mac-address> no lockout-mac <mac-address> Locks a MAC address out on the switch and all VLANs. MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch, so that any traffic to or from the "locked-out" MAC address is dropped: all data packets addressed to or from the given address are stopped by the switch. MAC Lockout is like a simple denylist. MAC Lockout is implemented on a per switch assignment. To use it you must know the MAC Address to block. To fully lock out a MAC address from the network it is necessary to use the MAC Lockout command on all switches.
How MAC Lockout works
Let us say a customer knows there are unauthorized wireless clients who must not have access to the network. The network administrator "locks out" the MAC addresses for the wireless clients by using the MAC Lockout command (lockout-mac <mac-address> ). When the wireless clients then attempt to use the network, the
Aruba 2930M/F | Access Security Guide
581
switch recognizes the intruding MAC addresses and prevents them from sending or receiving data on that network. Unwanted MAC Addresses can be disallowed on all switch ports with a single command. You do not have to configure every port--perform the command on the switch and it is effective for all ports. MAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication. You cannot use MAC Lockout to lock:
n Broadcast or Multicast Addresses (Switches do not learn these addresses)
n Switch Agents (The switch MAC Address)
A MAC address can exist on many different VLANs, so a lockout MAC address must be added to the MAC table as a drop. As many addresses can quickly fill the MAC table, restrictions are placed on the number of lockout MAC addresses based on the number of VLANs configured.
VLANs configured
1-8 9-16 17-256 257-1024 1025-2048
Number of MAC lockout addresses
Total number of MAC addresses
200
1,600
100
1,600
64
16,384
16
16,384
8
16,384
There are limits for the number of VLANs, Multicast Filters, and Lockout MACs that can be configured concurrently as all use MAC table entries.
Table 45: Limits on Lockout MACs
# VLANs # Multicast filters # Lockout MACs
<=1024
16
16
1025-2048 8
8
J9780A, J9782A, and J9783A.
If someone using a locked out MAC address tries to send data through the switch, a message is generated in the log file: Lockout logging format: W 10/30/03 21:35:15 maclock: 0001e6-1f96c0 detected on port 15 W 10/30/03 21:35:18 maclock: 0001e6-1f96c0 detected on port 15 W 10/30/03 21:35:18 maclock: Ceasing lock-out logs for 5m
As with MAC Lockdown, a rate limiting algorithm is used on the log file so that it does not become clogged with error messages. See Limiting the frequency of log messages on page 578.
582
Aruba 2930M/F | Access Security Guide
User-based lockout compliance
When a specified number of unsuccessful authentication attempts has occurred, remote users can be locked out. If the system-configured usernames (manager, operator, and local users) are not unique, the user-based lockout delay feature cannot be enabled. If lockout-delay with the user-based-lockout feature is enabled, the manager, operator, or local user creation fails for duplicate usernames. Locked out users are unlocked after reboot.
aaa authentication
Syntax
aaa authentication user-based-lockout no aaa authentication user-based-lockout aaa authentication lockout-delay <delay-time>
Description
Locks out users based on their usernames. RADIUS and TACACS users are locked out only if they logged in to the switch successfully at least once. The no form unlocks currently locked-out users.
Context
config
Parameters
delay-time Delay time in seconds for user-based lockout to begin. Range: 0 to 3600.
Example
Initiate user-based lockout: switch(config)# aaa authentication user-based-lockout
Example
Initiate user-based lockout after a 10-minute delay. aaa authentication lockout-delay 600
aaa authentication unlock
Syntax
aaa authentication unlock user-name <USER-NAME>
Description
Unlock the specified locked user if user-based-lockout is enabled.
Parameters
USER-NAME A valid username that is locked-out.
Aruba 2930M/F | Access Security Guide
583
Example
Unlock a specific username. switch(config)# aaa authentication unlock user-name manager
show authentication
Syntax
show authentication locked-out-users
Description
Show all users who are in a locked-out state.
Context
config
Example
Show all locked users: switch(config)# show authentication locked-out-users
Console Session Lockout Overview
Management users are locked out when wrong credentials are provided. Based on the configuration of number of invalid login attempts, the management user can be locked from accessing console. A locked user can log in to the console only after the configured lockout delay time has elapsed or when the administrator unlocks the locked user. Use aaa authentication console-lockout command to enable console lockout.
aaa authentication console-lockout
Syntax
aaa authentication console-lockout no aaa authentication console-lockout
Description
Enables console lockout. By default, console lockout is disabled. The no from of this command disables the console lockout.
Command context
config
Example
switch(config)# aaa authentication console-lockout All the currently locked-out users will be unlocked.
Proceed?[y/n] y Enabling console-lockout may result in switch console access becoming inaccessible in the event of multiple console login failures.
Proceed?[y/n] y
584
Aruba 2930M/F | Access Security Guide
switch(config)#show running-config
Running configuration:
hostname "switch" module 1 type jl256a snmp-server community "public" unrestricted aaa authentication num-attempts 2 aaa authentication lockout-delay 120 aaa authentication console-lockout vlan 1
name "DEFAULT_VLAN" untagged 1-52 ip address dhcp-bootp exit no tftp server no autorun no dhcp config-file-update no dhcp image-file-update no dhcp proxy-url-update no dhcp tr69-acs-url password operator
n When only console lockout is enable in switch, the users locked out from console can still be able to login from Telnet or SSH sessions.
n Console lockout feature is applicable in console access to Commander, Standby, and Member console of stacked switches and Activate Standby console of HA switches.
n When both user-based and console lockout is enabled, users locked out from any one of the management interfaces gets locked form the remaining interfaces as well.
n All locked users will be unlocked on redundancy switchover, reboot, and power cycle of the system.
n Lockout feature is not supported on webUI, REST interfaces.
n Console lockout has no impact when lockout delay is set to zero.
n When the console is locked out after num-attempts login failures, change in num-attempts or lockout-delay configuration from another session unlocks all Console/Telnet/SSH locked users.
Port security and MAC Lockout
MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command.
Aruba 2930M/F | Access Security Guide
585
It is possible to use MAC Lockout in conjunction with port-security. You can use MAC Lockout to lock out a single address--deny access to a specific device--but still allow the switch some flexibility in learning other MAC Addresses. Be careful if you use both together, however:
n If a MAC Address is locked out and appears in a static learn table in port-security, the apparently "authorized" address will still be locked out anyway.
n MAC entry configurations set by port security will be kept even if MAC Lockout is configured and the original port security settings will be honored once the Lockout is removed.
n A port security static address is permitted to be a lockout address. In that case (MAC Lockout), the address will be locked out (SA/DA drop) even though it's an "authorized" address from the perspective of port security.
n When MAC Lockout entries are deleted, port security will then re-learn the address as needed later on.
Reading intrusion alerts and resetting alert flags
Notice of security violations
When the switch detects an intrusion on a port, it sets an "alert flag" for that port and makes the intrusion information available as described below. While the switch can detect additional intrusions for the same port, it does not list the next chronological intrusion for that port in the Intrusion Log until the alert flag for that port has been reset. When a security violation occurs on a port configured for Port Security, the switch responds in the following ways to notify you:
n The switch sets an alert flag for that port. This flag remains set until: o You use either the CLI, menu interface, or WebAgent to reset the flag. o The switch is reset to its factory default configuration.
n The switch enables notification of the intrusion through the following means: o In the CLI: l The show port-security intrusion-log command displays the Intrusion Log. l The log command displays the Event Log. o In the menu interface: l The Port Status screen includes a per-port intrusion alert. l The Event Log includes per-port entries for security violations. o In the WebAgent: l The Alert Log includes entries for per-port security violations. l The Intrusion Log lists per-port security violation entries. o In network management applications using an SNMP trap sent to a network management station.
How the intrusion log operates
When the switch detects an intrusion attempt on a port, it enters a record of this event in the Intrusion Log. No further intrusion attempts on that port will appear in the Log until you acknowledge the earlier intrusion event by resetting the alert flag. The Intrusion Log lists the 20 most recently detected security violation attempts, regardless of whether the alert flags for these attempts have been reset. This gives you a history of past intrusion attempts. Thus, for example, if there is an intrusion alert for port A1 and the Intrusion Log shows two or more entries for port 1, only the most
586
Aruba 2930M/F | Access Security Guide
recent entry has not been acknowledged (by resetting the alert flag). The other entries give you a history of past intrusions detected on port A1.
Multiple intrusion log entries for the same port
switch(config)# show port-security intrusion-log Status and Counters - Intrusion Log
Port MAC Address
Date / Time
----- ------------- --------------------------
1
080009-e93d4f 03/07/11 21:09:34
1
080009-e93d4f 03/07/11 10:18:43
The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears at the top of the listing.
Keeping the intrusion log current by resetting alert flags
When a violation occurs on a port, an alert flag is set for that port and the violation is entered in the Intrusion Log. The switch can detect and handle subsequent intrusions on that port, but will not log another intrusion on the port until you reset the alert flag for either all ports or for the individual port.
On a given port, if the intrusion action is to send an SNMP trap and then disable the port (senddisable), and an intruder is detected on the port, then the switch sends an SNMP trap, sets the port's alert flag, and disables the port. If you re-enable the port without resetting the port's alert flag, then the port operates as follows:
n The port comes up and will block traffic from unauthorized devices it detects.
n If the port detects another intruder, it will send another SNMP trap, but will not become disabled again unless you first reset the port's intrusion flag.
This operation enables the port to continue passing traffic for authorized devices while you take the time to locate and eliminate the intruder. Otherwise, the presence of an intruder could cause the switch to repeatedly disable the port.
Checking for intrusions, listing intrusion alerts, and resetting alert flags (CLI)
The following commands display port status, including whether there are intrusion alerts for any ports, list the last 20 intrusions, and either reset the alert flag on all ports or for a specific port for which an intrusion was detected. The record of the intrusion remains in the log. For more information, see Operating notes for port security.
Syntax:
show interfaces brief List intrusion alert status (and other port status information)'. show port-security intrusion-log List intrusion log content. clear intrusion-flags Clear intrusion flags on all ports. port-security <port-number> clear-intrusion-flag Clear the intrusion flag on one or more specific ports.
Aruba 2930M/F | Access Security Guide
587
Example:
In the following example, executing show interfaces brief lists the switch port status, indicating an intrusion alert on port 1. Figure 123 An unacknowledged intrusion alert in a port status display
To see the details of the intrusion, enter the show port-security intrusion-log command. For example: Figure 124 The intrusion log with multiple entries for the same port
The above example shows three intrusions for port 1. Since the switch can show only one uncleared intrusion per port, the older two intrusions in this example have already been cleared by earlier use of the clear intrusionlog or the port-security <port-list> clear-intrusion-flag command. The intrusion log holds up to 20 intrusion records, and deletes intrusion records only when the log becomes full and new intrusions are subsequently added. The "prior to " text in the record for the third intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset.
To clear the intrusion from port 1 and enable the switch to enter any subsequent intrusion for port 1 in the Intrusion Log, execute the port-security clear-intrusion-flag command. If you then re-display the port status screen, you will see that the Intrusion Alert entry for port 1 has changed to "No". (Executing show port-security intrusion-log again will result in the same display as above, and does not include the Intrusion Alert status.) switch(config)# port-security 1 clear-intrusion-flag switch(config)# show interfaces brief
588
Aruba 2930M/F | Access Security Guide
Figure 125 Port status screen after alert flags reset
For more on clearing intrusions, see Keeping the intrusion log current by resetting alert flags.
Using the Event Log to find intrusion alerts (CLI)
The Event Log lists port security intrusions as: W MM/DD/YY HH:MM:SS FFI: port A3 -- Security Violation where "W" is the severity level of the log entry and FFI is the system module that generated the entry. For further information, display the Intrusion Log, as shown below. From the manager or Configuration level: Syntax: log <search-text> For <search-text>
, use ffi, security, or violation. Figure 126 Log listing with and without detected security violations
For more Event Log information, see "Using the Event Log to identify problem sources" in the management and configuration guide for your switch.
Operating notes for port security
Proxy Web servers
If you are using the WebAgent through a switch port configured for Static port security, and your browser access is through a proxy web server, then it is necessary to do the following:
Aruba 2930M/F | Access Security Guide
589
n Enter your PC or workstation MAC address in the port's Authorized Addresses list.
n Enter your PC or workstation's IP address in the switch IP Authorized managers list. See Using Authorized IP Managers.
Without both of the above configured, the switch detects only the proxy server's MAC address, and not your PC or workstation MAC address, and interprets your connection as unauthorized.
"Prior to" entries in the Intrusion Log
If you reset the switch (using the Reset button, Device Reset, or Reboot Switch), the Intrusion Log will list the time of all currently logged intrusions as "prior to" the time of the reset.
Alert flag status for entries forced off of the Intrusion Log
If the Intrusion Log is full of entries for which the alert flags have not been reset, a new intrusion will cause the oldest entry to drop off the list, but will not change the alert flag status for the port referenced in the dropped entry. This means that, even if an entry is forced off of the Intrusion Log, no new intrusions can be logged on the port referenced in that entry until you reset the alert flags.
LACP not available on ports configured for port security
To maintain security, LACP is not allowed on ports configured for port security. If you configure port security on a port on which LACP (active or passive) is configured, the switch removes the LACP configuration, displays a notice that LACP is disabled on the port(s), and enables port security on that port. For example: switch(config)# port-security e 7 learn-mode static address-limit 2 LACP has been disabled on secured port(s). switch(config)# The switch will not allow you to configure LACP on a port on which port security is enabled. For example: switch(config)# int e 7 lacp passive Error configuring port 7: LACP and port security cannot be run together. switch(config)# To restore LACP to the port, you must remove port security and re-enable LACP active or passive.
590
Aruba 2930M/F | Access Security Guide
Chapter 28 Using Authorized IP Managers
Using Authorized IP Managers
Introduction
The Authorized IP Managers feature uses IP addresses and masks to determine which stations (PCs or workstations) can access the switch through the network. This covers access through the following means: n Telnet and other terminal emulation applications n The WebAgent n SSH n SNMP versions 1, 2 and 3 (with a correct community name) n TFTP When configured in the switch, the Authorized IP Managers feature takes precedence over local passwords, TACACS+, and RADIUS. This means that the IP address of a networked management device must be authorized before the switch will attempt to authenticate the device by invoking any other access security features. If the Authorized IP Managers feature disallows access to the device, then access is denied. Thus, with authorized IP managers configured, having the correct passwords is not sufficient for accessing the switch through the network unless the station attempting access is also included in the switch Authorized IP Managers configuration. Use Authorized IP Managers along with other access security features to provide a more comprehensive security fabric than if you use only one or two security options.
When no Authorized IP Manager rules are configured, the access method feature is disabled and access is not denied.
For each authorized manager address, you can configure either of these access levels:
n Manager
Enables full access to all screens for viewing, configuration, and all other operations available.
n Operator
Allows read-only access. (This is the same access that the switch allows for the operator-level password feature.) Configure up to 100 authorized manager entries, where each entry applies to either a single management station or a group of stations.
Aruba 2930M/F | Access Security Guide
591
Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port. Also, if an unauthorized station "spoofs" an authorized IP address, it can gain management access to the switch even though a duplicate IP address condition exists. For these reasons, you should enhance your network security by keeping physical access to the switch restricted to authorized personnel, using the user name/password and other security features available in the switch, and preventing unauthorized access to data on your management stations.
Defining authorized management stations
n Authorizing Single Stations: The table entry authorizes a single management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Authorized manager IP column, and leave the IP Mask set to 255.255.255.255. This is the easiest way to use the Authorized managers feature. For more on this topic, see Configuring one station per Authorized manager IP entry.
n Authorizing Multiple Stations: The table entry uses the IP Mask to authorize access to the switch from a defined group of stations. This is useful if you want to easily authorize several stations to have access to the switch without having to type in an entry for every station. All stations in the group defined by the one Authorized manager IP table entry and its associated IP mask will have the same access level--manager or operator. For more on this topic, see Configuring multiple stations per Authorized manager IP entry.
To configure the switch for authorized manager access, enter the appropriate Authorized manager IP value, specify an IP Mask, and select either manager or operator for the Access Level. The IP Mask determines how the Authorized manager IP value is used to allow or deny access to the switch by a management station.
If the management VLAN is configured, access can only be on that VLAN.
Overview of IP mask operation
The default IP Mask is 255.255.255.255 and allows switch access only to a station having an IP address that is identical to the Authorized manager IP parameter value. ("255" in an octet of the mask means that only the exact value in the corresponding octet of the Authorized manager IP parameter is allowed in the IP address of an authorized management station.) However, you can alter the mask and the Authorized manager IP parameter to specify ranges of authorized IP addresses. For example, a mask of 255.255.255.0 and any value for the Authorized manager IP parameter allows a range of 0 through 255 in the 4th octet of the authorized IP address, which enables a block of up to 254 IP addresses for IP management access (excluding 0 for the network and 255 for broadcasts). A mask of 255.255.255.252 uses the 4th octet of a given Authorized manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under Configuring one station per Authorized manager IP entry on page 596.
The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch. This mask serves a different purpose than IP subnet masks and is applied in a different manner.
592
Aruba 2930M/F | Access Security Guide
Viewing and configuring IP Authorized managers (CLI)
Listing the switch's current IP Authorized manager(s)
Use the show ip authorized-managers command to list IP stations authorized to access the switch. For example:
The show authorized-managers command with access method configured
switch(config)# show ip authorized-manager
IPV4 Authorized managers ------------------------
Address : 10.10.10.10 Mask : 255.255.255.255 Access : manager
Configuring IP Authorized managers for the switch (CLI)
See the IPv6 configuration guide for information about Authorized IP manager configuration with IPv6 addresses. Syntax: ip authorized-managers <ip-address> <ip-mask>> access [manager|operator] no ip authorized-managers <ip-address> <ip-mask>> access [manager|operator] access-method [all|ssh|telnet|web|snmp|tftp] ipv6 authorized-managers <ip-address> <ip-mask> no ipv6 authorized-managers <ip-address> <ip-mask> access [manager|operator] access-method [all|ssh|telnet|web|snmp|tftp] Configures one or more authorized IP addresses. access [manager|operator]
Configures the privilege level for <ip-address>. Applies only to access through telnet, SSH, SNMPv1, SNMPv2c, and SNMPv3. Default: manager access-method [all|ssh|telnet|web|snmp|tftp] Configures access levels by access method and IP address. Each management method can have its own set of authorized managers. Default: all
Configuring IP authorized manager access method SSH
switch(config)# ip authorized-managers 10.10.10.2 255.255.255.255 manager access-method ssh
To authorize manager access This command authorizes manager-level access for any station with an IP address of 10.28.227.0 through 10.28.227.255: switch(config)# ip authorized-managers 10.28.227.101255.255.255.0 access manager Similarly, the next command authorizes manager-level access for any station having an IP address of 10.28.227.101 through 103: switch(config)# ip authorized-managers 10.28.227.101 255.255.255.252 access manager If you omit the <mask bits> when adding a new authorized manager, the switch automatically uses 255.255.255.255. If you do not specify either manager or operator access, the switch assigns the manager access.
Aruba 2930M/F | Access Security Guide
593
To edit an existing manager access entry To change the mask or access level for an existing entry, use the entry's IP address and enter the new value(s). (Notice that any parameters not included in the command will be set to their default.): switch(config)# ip authorized-managers 10.28.227.101 255.255.255.0 access operator The above command replaces the existing mask and access level for IP address 10.28.227.101 with 255.255.255.0 and operator. The following command replaces the existing mask and access level for IP address 10.28.227.101 with 255.255.255.255 and manager (the defaults) because the command does not specify either of these parameters. switch(config)# ip authorized-managers 10.28.227.101
To delete an authorized manager entry This command uses the IP address of the authorized manager you want to delete: switch(config)# no ip authorized-managers 10.28.227.101
Configuring IP Authorized managers (WebAgent)
In the WebAgent you can configure IP Authorized managers as described below. To Add, Modify, or Delete an IP Authorized manager address:
1. In the navigation tree, click Security.
2. Click IP Authorization.
3. Click Add Address to add an IP Authorized manager. Enter the appropriate parameter settings for the operation you want.
4. To delete an IP authorized manager, select the Authorized Address and click Delete.
5. To change IP Authorization parameters, click Change in the IP Authorization Details box. Enter the information and click Save.
594
Aruba 2930M/F | Access Security Guide
Figure 127 Configuring Authorized manager access method in the WebAgent
Web proxy servers
If you use the WebAgent to access the switch from an authorized IP manager station, it is highly recommended that you avoid using a web proxy server in the path between the station and the switch. This is because switch access through a web proxy server requires that you first add the web proxy server to the Authorized manager IP list. This reduces security by opening switch access to anyone who uses the web proxy server.
How to eliminate the web proxy server
There are two ways to eliminate a web proxy server from the path between a station and the switch: 1. Add the IP address or DNS name of the switch to the non-proxy or Exceptions list in the web browser interface used on the authorized station. 2. If you don't need proxy server access on the authorized station, disable the proxy server feature in the station's web browser interface.
IP or MAC authentication can be used without a web proxy server.
Using a web proxy server to access the WebAgent
This is NOT recommended. Using a web proxy server between the stations and the switch poses a security risk. If the station uses a web proxy server to connect to the switch, any proxy user can access the switch.
If it is necessary to use the WebAgent and your browser access is through a web proxy server, perform these steps:
1. Enter the web proxy server's MAC address in the port's Authorized Addresses list. 2. Enter the web proxy server's IP address in the switch's IP Authorized managers list.
Aruba 2930M/F | Access Security Guide
595
You must perform both of these steps or the switch only detects the proxy server's MAC address and IP address instead of your workstation addresses, and your connection is considered unauthorized.
Building IP Masks
The IP Mask parameter controls how the switch uses an Authorized manager IP value to recognize the IP addresses of authorized manager stations on your network.
Configuring one station per Authorized manager IP entry
This is the easiest way to apply a mask. If you have ten or fewer management and/or operator stations, you can configure them by adding the address of each to the Authorized manager IP list with 255.255.255.255 for the corresponding mask. For example, as shown in Listing the switch's current IP Authorized manager(s) on page 593, if you configure an IP address of 10.28.227.125 with an IP mask of 255.255.255.255, only a station having an IP address of 10.28.227.125 has management access to the switch.
Table 47: Table 46: Analysis of IP Mask for Single-Station Entries
1st Octet
2nd Octet
3rd Octet
4th Octet
managerLevel or operatorLevel Device Access
IP Mask 255 255 255 255 The "255" in
each octet of
the mask
specifies that
only the exact
value in that
octet of the
corresponding
Authorized 10
28
227 125 IP address is
manager
allowed. This
IP
mask allows
management
access only to
a station
having an IP
address of
10.33.248.5.
Configuring multiple stations per Authorized manager IP entry
The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized manager entry, the switch applies the IP mask to the IP address you specify to determine a range of authorized IP addresses for management access. As described above, that range can be as small as one IP address (if 255 is set for all octets in the mask), or can include multiple IP addresses (if one or more octets in the mask are set to less than 255).
596
Aruba 2930M/F | Access Security Guide
If a bit in an octet of the mask is "on" (set to 1), then the corresponding bit in the IP address of a potentially authorized station must match the same bit in the IP address you entered in the Authorized manager IP list. Conversely, if a bit in an octet of the mask is "off" (set to 0), then the corresponding bit in the IP address of a potentially authorized station on the network does not have to match its counterpart in the IP address you entered in the Authorized manager IP list. Thus, in the example shown above, a "255" in an IP Mask octet (all bits in the octet are "on") means only one value is allowed for that octet--the value you specify in the corresponding octet of the Authorized manager IP list. A "0" (all bits in the octet are "off") means that any value from 0 to 255 is allowed in the corresponding octet in the IP address of an authorized station. You can also specify a series of values that are a subset of the 0-255 range by using a value that is greater than 0, but less than 255.
Table 48: Analysis of IP Mask for Multiple-Station Entries
IP Mask
Authorized manager IP IP Mask
Authorized manager IP
1st Octet 255 10
255
10
2nd Octet 255 28
255
28
3rd Octet 255 227
255
227
4th Octet 0 125
249
125
manager-Level or operator-Level
Device Access
The "255" in the first three octets of the mask specify that only the exact value in the octet of the corresponding IP address is allowed. However, the zero (0) in the 4th octet of the mask allows any value between 0 and 255 in that octet of the corresponding IP address. This mask allows switch access to any device having an IP address of 10.28.227.xxx, where xxx is any value from 0 to 255.
In this example (Figure 128: How the Bitmap in the IP Mask defines Authorized manager addresses, below), the IP mask allows a group of up to 4 management stations to access the switch. This is useful if the only devices in the IP address group allowed by the mask are management stations. The "249" in the 4th octet means that bits 0 and 3 7 of the 4th octet are fixed. Conversely, bits 1 and 2 of the 4th octet are variable. Any value that matches the authorized IP address settings for the fixed bits is allowed for the purposes of IP management station access to the switch. Thus, any management station having an IP address of 10.28.227.121, 123, 125, or 127 can access the switch.
Aruba 2930M/F | Access Security Guide
597
Figure 128 How the Bitmap in the IP Mask defines Authorized manager addresses
Table 49: Additional examples for authorizing multiple stations
IP mask
Authorized manager IP
IP mask Authorized manager IP
Entries for authorized manager list
255
255
0
255
10
33
248
1
255
238
255
250
10
247
100
195
Results
This combination specifies an authorized IP address of 10.33.xxx.1. It could be applied, for example, to a subnetted network where each subnet is defined by the third octet and includes a management station defined by the value of "1" in the fourth octet of the station's IP address.
Allows 230, 231, 246, and 247 in the 2nd octet, and 194, 195, 198, 199 in the 4th octet.
Operating notes
n Network Security Precautions: Enhance your network's security by keeping physical access to the switch restricted to authorized personnel, using the password features built into the switch, using the additional security features described in this manual, and preventing unauthorized access to data on your management stations.
n Modem and Direct Console Access: Configuring authorized IP managers does not protect against access to the switch through a modem or direct Console (RS-232) port connection.
598
Aruba 2930M/F | Access Security Guide
n Duplicate IP Addresses:
If the IP address configured in an authorized management station is also configured (or "spoofed") in another station, the other station can gain management access to the switch even though a duplicate IP address condition exists.
n Web Proxy Servers:
If you use the WebAgent to access the switch from an authorized IP manager station, it is recommended that you avoid the use of a web proxy server in the path between the station and the switch. This is because switch access through a web proxy server requires that you first add the web proxy server to the Authorized manager IP list. This reduces security by opening switch access to anyone who uses the web proxy server. The following two options outline how to eliminate a web proxy server from the path between a station and the switch:
l Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or "Exceptions" list in the web browser interface you are using on the authorized station.
l If you don't need proxy server access at all on the authorized station, then just disable the proxy server feature in the station's web browser interface.
Aruba 2930M/F | Access Security Guide
599
Chapter 29 Key Management System
Key Management System
Overview
You can add, modify, and delete netdestination entries which are used by one or more alias-based class filters or ACLs. Any changes made to the netdestination entries are applied only when netedit-update command is executed. This feature is supported only on command line interface.
Configuring key chain management
Procedure
KMS has three configuration steps: 1. Create a key chain entry. 2. Assign a time-independent key or set of time-dependent keys to the Key Chain entry. The choice of key type is based on the level of security required for the protocol to which the key entry will be assigned. 3. Assign the key chain to a KMS-enabled protocol.
This procedure is protocol-dependent. For information on a specific protocol, see the management and configuration guide for your switch.
Creating and deleting key chain entries
To use KMS, you must create one or more key chain entries. An entry can be the pointer to a single timeindependent key or a chain of time-dependent keys.
The key chain information is copied to the standby management module (if redundancy is enabled and the standby module has passed self-test).
Syntax: key-chain <chain_name> no key-chain <chain_name> Generate or delete a key chain entry. Using the optional no form of the command deletes the key chain. The <chain_name> parameter can include up to 32 characters. show key-chain Displays the current key chains on the switch and their overall status. For example, to generate a new key chain entry:
Aruba 2930M/F | Access Security Guide
600
Figure 129 Adding a new key chain entry
After adding an entry, assign keys to it for use by a KMS-enabled protocol.
Assigning a time-independent key to a chain
A time-independent key has no Accept or Send time constraints. It is valid from boot-up until you change it. If you use a time-independent key, then it is the only key needed for a key chain entry. Syntax: key-chain <chain_name> key <key_id> no key-chain <chain_name> key <key_id> Generates or deletes a key in the key chain entry <chain_name>. Using the optional no form of the command deletes the key. The <key_id> is any number from 0-255. [key-string <key_str>] This option lets you specify the key value for the protocol using the key. The <key_str> can be any string of up to 14 characters in length. [accept-lifetime infinite][send-lifetime infinite]
accept-lifetime infinite: Allows packets with this key to be accepted at any time from boot-up until the key is removed. send-lifetime infinite: Allows the switch to send this key as authorization, from boot-up until the key is removed. show key-chain <chain_name> Displays the detail information about the keys used in the key chain named <chain_name>. Example: To generate a new time-independent key for the switch key chain entry:
Figure 130 Adding and displaying a time-independent key to a key chain entry
Assigning time-dependent keys to a chain
A time-dependent key has Accept or Send time constraints. It is valid only during the times that are defined for the key . If a time-dependent key is used, there is usually more than one key in the key chain entry. Syntax: key-chain <chain_name> key <key_id> no key-chain <chain_name> key <key_id>
Generates or deletes a key in the key chain entry <chain_name> . Using the optional no form of the command deletes the key. The <key_id> is any number from 0-255. [key-string <key_str>]
601
Aruba 2930M/F | Access Security Guide
This option specifies the key value referenced by the protocol using the key. The <key_str> can be any string up to 14 characters in length.
[encrypted-key <key_str>] Set key string using a base64-encoded aes-256 encrypted string. accept-lifetime <mm/dd/yy[yy]hh:mm:ss|now> Specifies the start date and time of the valid period in which the switch can use this key to authenticate inbound packets. duration <mm/dd/yy[yy]hh:mm:ss|seconds> Specifies the time period during which the switch can use this key to authenticate inbound packets. Duration is either an end date and time or the number of seconds to allow after the start date and time ( which is the acceptlifetime setting). send-lifetime <mm/dd/yy[yy]hh:mm:ss|now> Specifies the start date and time of the valid period in which the switch can transmit this key as authentication for outbound packets. show key-chain <chain_name> Displays the detail information about the keys used in the key chain named <chain_name>.
Using time-dependent keys requires that all the switches have accurate, synchronized time settings. You can manually set the time or use the Time protocol feature included in the switches. See time protocols in the management and configuration guide for your switch.
Example: Figure 131 Adding time-dependent keys to a key chain entry
Given transmission delays and the variations in the time value from switch to switch, it is advisable to include some flexibility in the Accept lifetime of the keys you configure. Otherwise, the switch may disregard some packets because either their key has expired while in transport or there are significant time variations between switches.
To list the result of the commands in Assigning time-dependent keys to a chain: Figure 132 Display of time-dependent keys in the key chain entry
Aruba 2930M/F | Access Security Guide
602
Use show key-chain to display the key status at the time the command is issued. Using the information from the example configuration in Assigning time-dependent keys to a chain and Assigning time-dependent keys to a chain if you execute show key-chain at 8:05 on 01/19/03, the display would appear as follows:
Figure 133 Status of keys in key chain entry "Networking2"
The "Networking1" key chain entry is a time-independent key and will not expire. "Networking2" uses timedependent keys, which result in this data:
Expired=1 Active=2
Key 1 has expired because its lifetime ended at 8:10 on 01/18/03, the previous day.
Key 2 and 3 are both active for 10 minutes from 8:00 to 8:10 on 1/19/03.
Keys 4 and 5 are either not yet active or expired. The total number of keys is 5.
603
Aruba 2930M/F | Access Security Guide
Chapter 30 Device Fingerprinting
Device Fingerprinting
Device fingerprinting helps categorize the devices by analyzing the data sent by the end devices. When a specific device is fingerprinted, the details can be used to provide controlled network access and bandwidth for the end devices by Clear Pass Policy Manager. You can create appropriate access and enforcement policies in ClearPass during authentication. For example, the devices that are fingerprinted or profiled as computers will be given access to specific VLAN and the devices that are categorized as phones will be given access to another VLAN. Device fingerprinting can be enabled per-port.
Fingerprinting of end devices is achieved by configuring switch to analyze the traffic patterns and send only the required piece of information to ClearPass for parsing.
Switch collects the protocol data sent by the end clients and forward the same data securely to ClearPass.
ClearPass uses this data to fingerprint the end devices that can be further used to set network access policies.
Prerequisites
Before configuring the device fingerprinting, configure the following commands: n radius-server host <CPPM-IP address>
For more information, see Configuring the switch n radius-server cppm identity <IDENTITY> key <KEY>
For more information, see radius-server cppm identity
n Configure device fingerprinting in Access Switches. n ClearPass server certificate must be installed.
Server certificate installation on ClearPass
You can generate and install the certificate in ClearPass for HTTPS service. Copy the root certificate or the CA (Certificate authority) certificate of ClearPass into the switch for successful device fingerprinting operation. The following commands are used to copy CA certificate on ClearPass to the switch:
1. To create TA certificate. crypto pki ta-profile
<TA-PROFILE-NAME>
2. To copy CA certificate to the TA profile. copy tftp ta-certificate <TA-PROFILE-NAME> <TFTP-IP-ADDRESS> <TA-CERTIFICATE-NAME>
Aruba 2930M/F | Access Security Guide
604
device-fingerprinting policy
Syntax
device-fingerprinting policy <profile_name> no device-fingerprinting policy <profile_name>
Description
Configures the device fingerprinting for profiles. The no form of this command removes the device fingerprinting for profiles.
Command context
config
Parameters
profile_name Configure the client profile name. The maximum length for a profile name is 32 characters.
Usage
device-fingerprinting [policy] <PROFILE_NAME> [dhcp | http | lldp | cdp] [[option-name {list} | option-number <NUM>] | [tlv-name {list} | tlv-number <NUM>]]
Examples
switch(config)# device-fingerprinting
apply
Apply the configured profile on a portlist.
policy
Configure data collector profile.
[ethernet] PORT-LIST Configure device fingerprinting port attributes.
timer
Set the timer to process client data
to cppm (default value is 120 seconds).
switch(config)# device-fingerprinting policy
POLICY_NAME-STR
Configure device finger-printing profile.
switch(config)# device-fingerprinting policy test
cdp
finger-print client data using CDP protocol TLV's.
dhcp
finger-print client data using DHCP protocol options.
http
finger-print client data using HTTP protocol option.
lldp
finger-print client data using LLDP protocol TLV's.
switch(config)# device-fingerprinting policy test cdp
tlv-name
Protocol TLV name to match.
tlv-num
Protocol TLV number to match.
switch(config)# device-fingerprinting policy test dhcp
option-num
Protocol option number to match.
switch(config)# device-fingerprinting policy test lldp
tlv-name
Protocol TLV name to match.
tlv-num
Protocol TLV number to match.
device-fingerprinting timer
Syntax
device-fingerprinting timer <time> no device-fingerprinting timer
605
Aruba 2930M/F | Access Security Guide
Description
Configures the timer for switch to send the client data to ClearPass. The default time is 120 seconds. The time range is 60 to 300 seconds. The no form of this command resets the timer to its default value.
Command context
config
Parameters
time Configures the timer for switch to send the client data to ClearPass. The range can be 60 to 300 seconds.
Usage
device-fingerprinting [timer] <60-300>
Examples
switch(config)# device-fingerprinting timer
<60-300>
set the timer for cppm (default value is 120 seconds).
switch(config)# device-fingerprinting timer 80
switch(config)# no device-fingerprinting timer
device-fingerprinting client-limit
Syntax
device-fingerprinting <port-number> client-limit <limit> no device-fingerprinting <port-number> client-limit
Description
Sets the maximum client limit that can be fingerprinted on a port. The default client limit is two. The client limit range is 2 to 8. The no form of this command resets to default client limit.
Command context
config
Parameters
port-number Specifies the port number.
limit Sets the maximum client limit. The range can be 2 to 8.
Usage
device-fingerprinting [PORT-LIST {list}] [client-limit] <2-8>
Examples
Aruba 2930M/F | Access Security Guide
606
switch(config)# device-fingerprinting 1
client-limit
Set the client limit <2-8> for port to process max clients
fingerprint data at the same time (default value is 2).
switch(config)# device-fingerprinting 1 client-limit 5
switch(config)# no device-fingerprinting 1 client-limit
device-fingerprinting incoming-clients-only
Syntax
device-fingerprinting <port-number> incoming-clients-only no device-fingerprinting <port-number> incoming-clients-only
Description
Enables the fingerprinting for the new clients.
To execute this command, device fingerprinting feature must be enabled on the ports.
Enables fingerprinting for the clients that comes in after enabling the fingerprinting feature on the port. The no form of this command disables the device fingerprinting for the incoming clients.
Command context
config
Parameters
port-number Specifies the port number.
Usage
device-fingerprinting [PORT-LIST {list}] [incoming-clients-only]
Examples
switch(config)# device-fingerprinting 1 incoming-clients-only Enables fingerprinting for the clients that comes in after
enabling the fingerprinting feature on the port. switch(config)# device-fingerprinting 1 incoming-clients-only switch(config)# no device-fingerprinting 1 incoming-clients-only
device-fingerprinting apply
Syntax
device-fingerprinting apply policy <profile_name> <port-number> no device-fingerprinting apply policy <profile_name> <port-number>
Description
Configures the device fingerprinting profile on a port or port list.
Device fingerprinting cannot be completed until the profile is applied on a port or port list.
The no form of this command removes the device fingerprinting profile from the port list.
607
Aruba 2930M/F | Access Security Guide
Command context
config
Parameters
profile_name Specifies the profile name.
port_number Specifies the port number on which the profile has to be applied.
Usage
device-fingerprinting apply policy <profile_name> [PORT-LIST {list}]
Examples
switch(config)# device-fingerprinting apply
policy
Enter the profile name.
switch(config)# device-fingerprinting apply policy test
[ethernet] PORT-LIST Enter a port number, a list of ports or 'all' for all ports.
switch(config)# device-fingerprinting apply policy test 1
switch(config)# device-fingerprinting apply policy test 2
switch(config)# device-fingerprinting apply policy test 3
switch(config)# device-fingerprinting apply policy test 10
switch(config)# device-fingerprinting apply policy test1 4
switch(config)# device-fingerprinting apply policy test1 5
switch(config)# device-fingerprinting apply policy test2 6
switch(config)# device-fingerprinting apply policy test2 7
switch(config)# device-fingerprinting apply policy test2 8
show device-fingerprinting profile-name
Syntax
show device-fingerprinting profile-name <profile_name>
Description
Shows device fingerprinting profile information.
Command context
manager
Parameters
profile_name Specifies the profile name.
Examples
switch(config)# show device-fingerprinting profile-name test
Protocol Option_Name/TLV_Name
---------- --------------------
DHCP
TLV_Num
HTTP
user_agent
Option_Num/TLV_Num -------------------55,60,12 NA
Aruba 2930M/F | Access Security Guide
608
LLDP
TLV_Num
6
CDP
TLV_Num
6
show device-fingerprinting active
Syntax
show device-fingerprinting active
Description
Displays the configured profiles and ports.
Command context
manager
Examples
switch(config)# show device-fingerprinting active
Profile : test Ports : 1-3,10
Profile : test1 Ports : 4-5
Profile : test2 Ports : 6-8
show device-fingerprinting client-status
Syntax
show device-fingerprinting client-status
Description
Shows the device fingerprinting state for each client.
Command context
manager
Parameters
port-number Specifies the port number.
Usage
show device-fingerprinting client-status [PORT-LIST {list}]
Examples
switch(config)# show device-fingerprinting client-status
Port Client MAC
Finger Printing Status
---- --------------- ----------------------
1 0050568e4a81 Completed
609
Aruba 2930M/F | Access Security Guide
1 f403431cb4fd Completed 1 7446a054d1a2 Inprogress 1 ecebb8175000 Data not collected 1 64510686503f Data not collected 1 f403431ca400 Inprogress 1 000c2960b4db Completed 1 64510686503f Data collected
n Data not collected--The client fingerprint data is not collected.
n Data collected--The client fingerprint data is collected.
n Inprogress--The client fingerprint data is either post into ClearPass or getting client details from ClearPass.
n Completed--The client details are retrieved from ClearPass successfully.
show device-fingerprinting client-details
Syntax
show device-fingerprinting client-details
Description
Shows the fingerprinting data collected from ClearPass for the clients.
Command context
manager
Usage
show device-fingerprinting client-details [PORT-LIST {list}]
Examples
switch(config)# show device-fingerprinting client-details
MAC Address Device Name
Device Category
Device Family
------------- -------------------- -------------------- --------------------
0050568E4A81 VMWare
Server
VMWare
7446A054D1A2 Cisco IP Phone 79XX VoIP Phone
Cisco
0050568E4A81 VMWare
Server
VMWare
F403431CA400 Windows
Computer
Windows
000C2960B4DB Windows Vista/7/2008 Computer
Windows
b45d50c54b0c Aruba IAP
Access Points
Aruba
switch(config)# show running-config
Running configuration: module 1 type jl557a device-fingerprinting timer 80 device-fingerprinting policy "test"
dhcp http lldp chassis-id lldp port-id lldp time-to-live
Aruba 2930M/F | Access Security Guide
610
lldp port-description lldp system-name lldp system-capabilities lldp management-address cdp 6 cdp device-id cdp address cdp port-id cdp capabilities cdp version exit device-fingerprinting timer 80 device-fingerprinting policy "test1" dhcp http lldp cdp exit device-fingerprinting policy "test2" dhcp option-num 55 http lldp 6 lldp port-id cdp 3 cdp device-id exit device-fingerprinting policy "test3" dhcp option-num 60 dhcp option-num 12 http lldp 2 lldp 5 cdp 45 cdp 50 cdp device-id exit device-fingerprinting apply policy "test1" 2 device-fingerprinting apply policy "test2" 3 device-fingerprinting 1 incoming-clients-only device-fingerprinting 1 client-limit 5
Limitations
n Device fingerprinting cannot be enabled on same port as per-port tunneling node (PPTN). When the controller is not reachable, then the tunnel node server fallback local switching is configured for device fingerprinting to work.
n If the client does not send the configured protocol, the fingerprinting cannot be completed.
n HTTP fingerprinting works only when the traffic is received on Port 80.
n Client entries are automatically removed from the client status table after 30 minutes.
n Device fingerprinting and PUTN cannot work together on the same port when the switch is enabled (globally, irrespective of VLAN configuration) with DHCP snooping.
n If the fingerprinting policy is already applied on the ports and the client limit is changed, then the effect only applies for the runtime clients or after interface flap.
611
Aruba 2930M/F | Access Security Guide
Troubleshooting
Device fingerprinting client details is blank
Symptom
The show device-fingerprinting client-details command displays empty client detail table.
Action
n Make sure that the ClearPass is reachable. n Make sure that the valid username and password are used. n Verify the client mac-address present in show mac-address for ports where device fingerprinting is enabled. n Run the client status output and see the client fingerprint state. If the clients are not in completed state, then
the fingerprinting has not been successfully completed. n Make sure that the profile is applied on the ports.
Device fingerprinting client status is blank
Symptom
The show device-fingerprinting client-status command displays empty client detail table.
Action
n Make sure that the port status is up. n Verify that the client mac-address present in show mac-address for ports where device fingerprinting is
enabled. n Make sure that the profile is applied on the ports.
Aruba 2930M/F | Access Security Guide
612
Chapter 31 Secure mode(FIPS)
Secure mode(FIPS)
Overview
Secure Mode allows the transition between standard secure mode and enhanced secure mode for several security functions. Standard secure mode is the existing, default security mode on the switch. Enhanced secure mode provides an additional level of switch security. Test-mode is not allowed in enhanced secure mode. Enhanced secure mode is also known as FIPS. To form a stack in enhanced secure mode, see the section Stack formation in Enhanced or Standard Secure Mode in the Advanced Traffic Management Guide of your switch.
When changing from standard to enhanced secure mode, the switch must be removed from production and commands must be executed from a serial terminal emulator connected to the switch. Executing the secure mode command initiates a switch reboot which erases all the configuration files and everything on the flash memory except the firmware images, similar to the erase all zeroize command. (See "Switch Memory and Configuration" in the basic operation guide for your switch). After the system reboots, the switch must be power-cycled.
Configuring secure mode
When using enhanced secure mode, several commands have differences from standard secure mode in their options or output. To transition from one security mode to the other, enter this command from a serial terminal connected to the switch.
Syntax
secure-mode <standard | enhanced>
Enables the selected secure mode. This command must be executed from a serial terminal. standard
Use standard security. This is the default. enhanced
Use enhanced security
switch(config)# secure-mode enhanced Validating software and configurations, this may take a minute... The system will be rebooted and all management module files except software images will be erased and zeroized. This will take up to 60 minutes and the switch will not be usable during that time. A power-cycle will then be required to complete the transition. Continue (y/n)? y (Switch reboots...) . Zeroizing the file system ... 100% Verifying cleanness of the file system... 100% Restoring firmware image and other system files... Zeroization of file system completed Continue initializing... ...
Aruba 2930M/F | Access Security Guide
613
switch(config)# show secure-mode Level: Enhanced If the secure-mode transition fails, this message displays: Secure-mode transition failed.
Commands affected when enhanced secure mode is enabled
There are several types of CLI commands that show sensitive information in plain text: n Feature-specific show commands n Show config commands n Password commands n Secret key commands n MIB CLI commands
Feature-specific show commands
For feature-specific show commands, the following prompt appears before the sensitive information is displayed when using enhanced secure mode:
This may show sensitive information. Continue (y/n)? If "y/Y" is entered, the normal output of the command is displayed. If any other key is pressed, the command is not executed and there is no output. The default is "n/N" when interactive mode is disabled.
Show flash and show version command output
When using enhanced secure mode, the output from the show flash and show version commands is slightly different. Figure 134 Output of the show flash Command
Figure 135 Output of the show version Command
614
Aruba 2930M/F | Access Security Guide
Show config commands
The show config commands that may show sensitive information on the console are:
n show config n show running-config n show default-config n write terminal
When one of the above commands is executed in enhanced secure mode, the following prompt displays:
Do you want to show sensitive information (y/n)?
If "Y/y" is entered, the normal command output is displayed on the console. If "N/n" is entered, all the sensitive information is hidden and will be displayed as asterisks ("*****"). The default option is "N/n" when interactive mode is disabled.
MIB CLI commands
When MIB CLI commands are executed in enhanced secure mode, the following prompt appears before the sensitive information for the getmib or walkmib command is displayed:
This may show sensitive information. Continue (y/n)?
If "Y/y" is entered, the sensitive information is displayed in plain text. If `N/n' is entered, the command is not executed and there is no output. The default is "n/N" when interactive mode is disabled. When using enhanced secure mode, the secret input echo for the setmib command is not replaced with asterisks, however, a warning message displays when this command is executed:
The setmib command should not be used in enhanced secure mode.
When an event is configured using setmib command, a RMON message is logged to the respective event id:
setmib command overrides the configuration of "snmp-server enable traps event-list" for event id: %d
Password commands
When the switch is in enhanced secure mode, a plaintext password cannot be entered inline; it is prompted for interactively twice, for example, for an operator password:
New password for operator: ***** Please retype new password for operator: *****
Additional password command option
There is an additional password command option that allows the setting of a password for the ROM console.
Syntax
password <manager | operator>[username <ASCII-STR>][sha1<hashed-password>] password <rom-console> | all no password port-access [username <ASCII-STR>] Sets or clears the local password/user name for a given access level. If no password is entered in the command, you are prompted twice to enter the password. When the switch is in enhanced secure mode, the password for manager, operator, and the ROM console must be at least 8 characters long. The ROM password cannot be set
Aruba 2930M/F | Access Security Guide
615
or changed in the Web Agent. When the no form of the command is executed, the command removes specific local password protection.
The port-access option is available only if includecredentials is enabled.
Prompt for password when first logging in
All user names and passwords should be configured at startup after transitioning to enhanced secure mode, however, the switch will enter enhanced secure mode regardless of the password settings.
After a cold reboot from a console session... ROM console passwords must be set before continuing. New Manager password:****** Retype password:****** New Operator password:****** Retype password:******
Behavior when changing or exiting levels
Table 50: Behavior for Manager and Operator Levels
Current Role CLI: enable
CLI: exit
CLI: logout
operator
Enter manager role - ask for credential Session terminated Session terminated
manager
Not available
Session terminated Session terminated
Additional password commands
Table 51: Password Commands Affected by Enhanced Secure Mode
Command in Standard Secure Mode
Command in Enhanced Secure Mode Location
snmpv3 user <user-name> auth [md5 | sha] <password> [priv [des | aes] ]
snmpv3 user <user-name> auth [md5 | sha] [priv]
management and configuration guide
aaa port-access supplicant <port-list>
aaa port-access supplicant <port-list>
access security
identity <user-name> secret [<port-list>] identity <user-name> secret <port-list> guide
aaa port-access mac-based password <password>
aaa port-access mac-based password
stack member <switch-num> mac-address <mac-addr> [password <password>]
stack member <switch-num> mac-address <mac-addr> password]
advanced traffic configuration guide
Secret keys
When the switch security is in enhanced secure mode, CLI commands that take a secret key as a parameter have the echo of the secret typing replaced with asterisks, unless the secret is not used for authorizing access to switch access. The input for <key-string> is prompted for interactively:
616
Aruba 2930M/F | Access Security Guide
Enter key-string: ******** Re-enter key-string: ********
Or Enter authentication-key: ******** Re-enter authentication-key: ********
Table 52: Secret key commands
Command in Standard Secure Mode
Command in Enhanced Secure Location Mode
key-chain radius-server [host
key-chain <chain-name> key <1-255> key-string <key-str>
radius-server [host <ip-addr>] key <key-str>
<chain-name> key <1-255> key-string <key-str>
access security guide <ip-addr>] key
tacacs-server [host
tacacs-server [host <ip-addr>] key <key-str>
access security guide <ip-addr>] key
sntp authentication key-id
authentication-mode md5 key-value
sntp authentication key-id <1-4294967295>
authentication-mode md5 key-value [trusted]
<key-str> [trusted]
management and configuration guide
<1-4294967295>
router ospf area link authentication-key
router ospf area <area-id> virtual-
link <ip-addr>
authentication-key <key-str>
multicast and routing guide <area-id> virtual-
<ip-addr>
vlan addr>] authentication-key
vlan <vid> ip rip [<ip-
addr>] authentication-key
multicast and routing guide <vid> ip rip [<ip-
vlan addr>] authentication-key
vlan <vid> ip ospf [<ip-
addr>] authentication-key <key-str>
multicast and routing guide <vid> ip ospf [<ip-
Aruba 2930M/F | Access Security Guide
617
Command in Standard Secure Mode
encrypt-credentials [preshared-key
plaintext><key-str>]
Command in Enhanced Secure Location Mode
encrypt-credentials [preshared-key
<hex |
access security guide <hex | plaintext>]
SSH changes
There are fewer options available for the ip ssh cipher command in enhanced secure mode. The following options are unavailable:
n 3des-cbc n rijndael-dbd@lysator.liu.se
The options available for the ip ssh mac <mac-type> command in enhanced secure mode are hmac-sha1 and hmac-sha2-256.
SSL changes
When operating in enhanced secure mode, the SSL server will not allow protocol versions lower than TLS 1.0. See Configuring Secure Sockets Layer on page 467 for more information about SSL.
Zeroizing with HA
When zeroization is triggered by a secure mode transition, HA handles zeroization on the AMM and SMM automatically. When zeroization is started from the ROM console, there is no synchronization performed between the AMM and SMM, as zeroization from the ROM console is treated as a recovery facility. Each MM has to be zeroized individually.
Opacity-shields command
Syntax
opacity-shields no opacity-shields Indicates that opacity shields have been installed. This causes the system threshold temperature to be decreased to 35 degrees C. Default: Disabled
Operating notes for passwords in enhanced secure mode
The following rules are in effect when enhanced secure mode is enabled or the system is transitioning to enhanced secure mode.
n Switching access levels, for example, from manager to operator, requires going through the appropriate authentication process for that access level.
n Passwords must be at least 8 characters. n The password for operator, manager, or ROM can be deleted.
618
Aruba 2930M/F | Access Security Guide
n If a password is changed, it has to be entered twice, unless it is already hashed by SHA1 in the existing command for Operator or Manager.
n When setting the password at the Operator level, the word "Manager" cannot be a user name; conversely, when setting a password at the Manager level, the word "Operator" cannot be a user name. These are caseinsensitive.
n A password is required for every login regardless of access level. The user name corresponding to the login level (Manager/Operator) must be specified.
n Access to ROM functionality is password protected. n When there is a Standby Management Module (SMM), the passwords are synchronized to the SMM.
Troubleshooting
Verifying the flash is signed
Enter this command to verify that the firmware image has been verified and signed.
Syntax
verify signature flash <primary | secondary> Verifies the signature of a switch's firmware image .
n primary: Verifies the primary flash image. n secondary: Verifies the secondary flash image.
Setting the diagnostic level
The diagnostic level should be set to standard when using enhanced secure mode. To display the diagnostic level, enter the show diagnostic-level command. To set the diagnostic level from the ROM console, enter this command.
Syntax
diagnostic-level <standard | support> Sets the diagnostic level.
Zeroizing from the ROM console
It is possible to zeroize the file storage from the ROM console of the switch, using the erase-all zeroize command at the prompt. This most likely occurs during a switch recovery process.
=> erase-all zeroize The system will be rebooted and all management module files except software images will be erased and zeroized. This will take up to 60 minutes and the switch will not be usable during that time. Continue (y/n)? y
Error messages
Error messages that may occur when executing secure-mode:
Initial check failure message:
This command can only be run on a serial terminal
Aruba 2930M/F | Access Security Guide
619
Possible pre-check failure messages:
n The default boot image is not set. n The default boot image must be the same image that is running n Standby Management Module is not responding n Active and Standby Management Modules are not in sync n The current software image was downloaded with an older software version and does not have its signature.
Download the image again.
After rebooting:
Secure-mode transition failed. Standby Management Module is not responding.
620
Aruba 2930M/F | Access Security Guide
Chapter 32 Certificate Manager
Certificate Manager
Certificate Manager enables Public Key Infrastructure (PKI) capability on the switch providing authentication of network entities. This feature enables configuration and management of digital certificates on Networking switches, a key component of establishing digital identity in PKI. Each entity in the PKI has their identity validated by a CA/RA. The CA issues a digital certificate as part of enrolling each entity into the PKI. This digital certificate is used by replying parties (e.g., network connection peers) to set up secure communication. Based on the information present in the certificate of the sender, the receiving entity can validate the authenticity of the sender and subsequently establish a secure communication channel.
Configuration support
The certificate manager CLI provides configuration support for integrating the switch into a customer's PKI.
Trust anchor profile (crypto pki ta-profile)
The profile defines required Anchor Trust for several certificate-specific operations, such as certificate enrollment and certificate validations. A trust anchor may be a Root CA certificate or an Intermediate CA certificate. The following command creates a trust anchor profile. Syntax crypto pki ta-profile <profile-name> ssh-username <ssh-username> no crypto pki ta-profile <profile-name> ssh-username <ssh-username> Description Create a Trust Anchor profile and associate it with an SSH username. Parameters profile-name
A name (mzhaximum 100 characters) with a unique identifier for the Trust Anchor Profile. Ten TA profiles are supported: one for each allowed trust anchor (Root CA certificate.) Profile number 2 is always reserved for self-signed certificate. For example, you can only create 9 TA profiles (Root CA certificates) per switch. ssh-username Set the username whose certificate will be validated with the TA profile for two-factor authentication.
Web User's Interface
When permitted by the existing configuration, the Web UI creates a "default" Trust Anchor profile (the profile name is "default") when a TA certificate is installed. The Web UI may only manage the TA certificate installed against the "default" profile--no other certificates are visible or installed via Web UI. An administrator may create this same "default" TA profile. Restrictions on the "default" profile are described in Local Certificate Installation. The Web UI manages a TA profile implicitly and only under the following conditions:
n If a TA Profile with the name "default" exists.
n If a TA Profile with the name "default" does not exist but one of the TA Profiles is not configured.
Aruba 2930M/F | Access Security Guide
621
In these cases the Web UI may configure the "default" TA Profile. When a default profile does not exist and both TA Profiles have been configured by the CLI (i.e., they both have a name that is not `default'), the Web UI may not alter either TA profile and the usage web certificate to be installed must fit within a certificate chain belonging to an existing TA Profile.
Switch identity profile
The switch can have multiple certificates using the same base identity but with different protocol usage. This profile captures the common identity data for use in multiple certificates. The switch identity profile is a configuration aid that configures default values used when creating multiple certificates. This profile is not used for any other purpose and is therefore optional. The user can enter both subject information and one or more IP addresses when creating an Identity Profile. There is no constraint to have either subject or IP addresses, they are not mutually exclusive although at least one must be present. Syntax: crypto pki [identity-profile][profile-name] subject[CommonName <cn-value>] [Org <org-value> ] [OrgUnit <org-unit value>] [Locality <location-value>] [State <state-value>] [Country <country-code>] no crypto pki [identity-profile][profile-name] subject[CommonName <cn-value>] [Org <orgvalue> ] [OrgUnit <org-unit value>] [Locality <location-value>] [State <state-value>] [Country <country-code>] Parameters If the certificate subject fields are not provided on the command line, they are interactively prompted as follows: identity-profile
Creates an identity profile. profile-name
Specify the Switch Id Profile name. cn-value
Common Name (CN) must be present, max length 90. org-value
Organization Name (O) preferred, max length 100. org-unit value
Organizational Unit Name (OU) preferred, max length 100. location-value
Locality (L) optional, max length 100. state-value
State (ST) optional, max length 100. country-code
To specify the two letter ISO 3166-1 country code. Max length 2.
Local certificate enrollment -- manual mode
To enroll a Local certificate using a manual copy and paste method, a key size and the relevant TA profile details are required. The following command manually creates a certificate signature request. Including the subject overrides the configured Identity Profile: Syntax:
622
Aruba 2930M/F | Access Security Guide
crypto pki create-csr certificate-name <CERT-NAME> ta-profile <Profile-name> [usage <openflow | web | all>] [key-type rsa key-size <1024|2048>] [key-type ecdsa curve <256|384>] subject [common-name <CN-Value>] [org <Org-Value>] [org-unit <Org-unit-value>] [locality <Location-Value>] [state <state-Value>] [country <Country-Code>] [valid-start <date>] [valid-end <date>]
Parameters key-size [1024|2048]
The length of the RSA key, default is 1024 bits. certificate-name
Name of the certificate. ta-profile
The Trust Anchor Profile associated with the certificate. A profile named `default' can be updated from the web UI. ta-profile-name Specify the Switch Id TA profile name.
usage <openflow|web|all> Intended application for the certificate, the default is web.
valid-start Certificate validity start date (MM/DD/YY).
valid-end Certificate validity end date (MM/DD/YY).
cn-value Common Name (CN) must be present, max length 90.
org-value Organization Name (O) preferred, max length 100.
org-unit value Organizational Unit Name (OU) preferred, max length 100.
location-value Locality (L) optional, max length 100.
state-value State (ST) optional, max length 100.
country-code To specify the two letter ISO 3166-1 country code. Max length 2.
A CSR created with TA profile name of `default' MUST include usage of either "web" or "all".
Example: of PEM format output This command creates a certificate signing request in realtime and then output the result to the console:
-----BEGIN CERTIFICATE REQUEST----MIIBpDCCAQ0CAQAwZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH EwlSb3NldmlsbGUxCzAJBgNVBAoTAkhQMQ0wCwYDVQQLEwRFVlBHMRgwFgYDVQQD
Aruba 2930M/F | Access Security Guide
623
Ew9UZXN0IE1hY2hpbmUgMDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN7i w3x2gi3tZf4LnXltSicl7RNcVggxYHcZQySWFtCXFTb5uaJ6vA3RdBIThgUKZSpc rgtc7jQmRDUdKAbWLPrqC7wBxMlXbnQYegubvOfzf/dT1CYJXxdUZh5BMN5ob/00 t60m9cM7Odsu0a0dBoQQRI8315KJ0AuHDE6VOe4dAgMBAAGgADANBgkqhkiG9w0B AQUFAAOBgQBQCZar2ox6RXm7F/vVhyrrp0E0YrPimxDvg40jnwqtwOgpQAvns4pt o5RVx4/Q6hzF2QivYqLl3+K8WOVVJ7XLDcHNea8RJgx13t45uMYrsMKWdbhR9+jQ KFzmffQJXRXOnH6rfQSNYBXndg0azhc8saORrOqrTn3Yw3psYSNMbA== -----END CERTIFICATE REQUEST-----
You must manually copy the certificate signing request (CSR) created with the "create-csr" command (above) and have it signed by a CA. The local certificate status is updated to "CSR" after the CSR is created. A pending certificate request is not persistent across a power cycle or reboot. Once the CA-signed certificate response is received, the user executes the following command and pastes the signed certificate provided by CA on the command line. The switch retains the name of the certificate used when creating the CSR in memory while waiting for the signed certificate to be installed. When the signed certificate is pasted to the command line, the switch matches the certificate to the CSR by matching the public key and then saves the signed certificate to flash. The signed certificate will not be accepted if a CSR does not exist or if the trust chain cannot be verified (for example, if the CA's root certificate is not installed in the Trust Anchor Profile.) Syntax: crypto pki install-signed-certificate <data>
Intermediate certificate installation is similar to the local certificate installation. When intermediate certificates are to be individually installed, the local-certificate name is used and certificate manager uses this name to build the certificate chain between the root and the leaf certificate of the specified name. Intermediate certificates must be presented in order from the trust anchor to the local (leaf) certificate. The user is prompted to paste the new certificate (PEM-encoded PKCS#7) to the command line. The provided data is parsed internally by Certificate Manager and stored in DER format thus requiring no additional parsing in CLI. The following text appears.
To install a signed certificate, the certificate must match a previously created signing request.
With the cursor at the start of a blank line, when the user presses the Enter key, the user operation is done. Usage of word pad is suggested to copy the certificate and paste it to this command.
To check the CSR status, enter: show crypto pki local-certificate Local enrollment is implemented in the web UI; specifically the security -- SSL page is updated for the Web UI SSL server application, with web usage. The Web UI does not provide general PKI configurability for all applications (Web UI does not allow creation or management of other device certificates add.)
Self-signed certificate for a specific application (along with the key-pair) is removed once a CA signed local-certificate is installed for that application.
Self-signed certificate enrollment
This certificate installation method may be used when a Certificate Authority is not available. A self-signed certificate provides the relying party no assurance of identity, so this is not as secure as using a CA-signed certificate. A self-signed certificate may be useful, but its use is not recommended. A self-signed certificate many only be installed on the "default" TA-Profile, so the ta-profile-name parameter is not present in the command. To enroll a local certificate in self-signed mode, the user must specify the subject information and key-size. The details specific to the certificate "subject" are obtained from id-profile if not specified here. Syntax:
624
Aruba 2930M/F | Access Security Guide
crypto pki enroll-self-signed certificate-name <CERT-NAME> subject [common-name <CN-Value>] [org <Org-Value>][org-unit <Org-unit-value>] [locality <Location-Value>] [state <stateValue>][country <Country-Code>][valid-start <date>][valid-end <date>] [usage <openflow | web | all>] [key-type rsa key-size <1024|2048>] [key-type ecdsa curve <256|384>]
no crypto pki enroll-self-signed certificate-name <CERT-NAME> subject [common-name <CNValue>] [org <Org-Value>][org-unit <Org-unit-value>] [locality <Location-Value>] [state <state-Value>][country <Country-Code>][valid-start <date>][valid-end <date>] [usage <openflow | web | all>] [key-type rsa key-size <1024|2048>] [key-type ecdsa curve <256|384>] Parameters
key-size [1024|2048]
The length of the key; default is 1024 bits.
usage [<openflow|web|all>]
Intended application for the certificate; the default is web. The openflow option is not supported for self-signed certificate enrollment. Subject Fields The following prompts appear if these required fields are not given as arguments.
Enter Common Name(CN) : Enter Org Unit(OU) : Enter Org Name(O) : Enter Locality(L) : Enter State(ST) : Enter Country(C) :
Self-signed certificate
A self-signed certificate uses the "default" TA profile, which is created automatically if it does not already exist and one of the ten available TA Profiles is not yet assigned.
Syntax: crypto pki create-self-signed certificate-name [name] subject [common-name org-value] [org-unit org-unit-value] [locality locationvalue] [state state-value] [country country-code]]
cn-value] [org
no crypto pki create-self-signed certificate-name [name] subject [common-name cn-value] [org org-value] [org-unit org-unit-value] [locality location-value] [state state-value] [country country-code]] To create and install a self-signed local certificate the certificate subject may be configured with the crypto pki identity-profile command. Parameters key-size [1024|2048]
The length of the key; default is 1024 bits. subject [field <field value>]
Subject fields of the certificate; the default values are specified in the identity profile. usage [<openflow|web|all>]
Intended application for the certificate; the default is web.
valid-start date Start date of the certificate.
valid-end date End date of the certificate.
Aruba 2930M/F | Access Security Guide
625
Subject Fields Following are the prompts appear if these required fields are not given as arguments.
Enter Common Name(CN) : Enter Org Unit(OU) : Enter Org Name(O) : Enter Locality(L) : Enter State(ST) : Enter Country(C) :
certificate-name Name of the certificate.
ta-profile The Trust Anchor Profile associated with the certificate. A profile named `default' is updateable from the web UI.
ta-profile-name Specify the Switch Id TA profile name.
cn-value Common Name (CN) must be present, max length 90.
org-value Organization Name (O) preferred, max length 100.
org-unit value Organizational Unit Name (OU) preferred, max length 100.
location-value Locality (L) optional, max length 100.
state-value State (ST) optional, max length 100.
country-code To specify the two letter ISO 3166-1 country code. Max length 2.
valid-start Certificate validity start date (MM/DD/YYYY).
valid-end Certificate validity end date (MM/DD/YYYY).
The default value for start date is the current date and the default value for the end date is the current date plus one year. Local enrollment is implemented in the web UI and the security -- SSL page is updated for the web UI SSL server application. The Web UI does not provide general PKI configurability for all applications creation or management of other device certificates.
Removal of certificates/CSRs
To remove the certificates/CSRs, use the following command: Syntax: crypto pki clear certificate-name [Cert-Name] Clears the CSR or certificate and its related private key. Parameter certificate-name
626
Aruba 2930M/F | Access Security Guide
Name of the local certificate.
Zeroization
Certificate and key removal is discussed as part of the no form of each certificate installation command above. The no forms described above delete certificates and keys. The "Zeroize" command simply deletes (unlinks) key files. Full file system zeroization is performed by following with FIPS/Secure Mode commands. The no form is supported only for TA profile and identity profile. It is not supported for local certificate. Zeroization erases keys and related PKI data such as CSRs and TA profiles from the file system. Syntax: crypto pki zeroize This command returns crypto pki configuration to the factory default state by deleting all certificates and related private keys. The Trust Anchor profile and switch identity profile configurations are also removed. zeroize
Removes all pki configuration, including profiles, certificates and keys.
The no form is not available for the certificate command. To remove a certificate from the switch, use the clear command.
File transfer
To load a Trust Anchor Certificate against a TA Profile, execute the following command.
The TA profile must exist for the command to succeed.
Syntax copy tftp ta-certificate ta-profile-name <ip-addr/ipv6-addr> filename or copy sftp ta-certificate ta-profile-name ip-addr/ipv6-addr|host-name-str user <username>|username@ip-strport <TCP-port> FILE-NAME Parameters ta-certificate
Copy a Trust Anchor certificate to the device. ta-profile-name
The Trust Anchor Profile associated with the certificate. ip-addr
IP address of the server. file-name
Name of the certificate file. ipv6-addr
Specify TFTP server IPv6 address. host-name-str
Specify hostname of the SFTP server. user
Aruba 2930M/F | Access Security Guide
627
Specify the username on the remote system. username@ip-str
Specify the username along with remote system information (hostname, IPv4 or IPv6 address.) port
TCP port of the SSH server on the remote system. Syntax Copy a Trust Anchor (TA) certificate to the device using TFTP: copy tftp local-certificate [Cert-Name] [<ip-addr/ipv6-addr>] Copy a Trust Anchor (TA) certificate to the device using SFTP: copy sftp local-certificate [Cert-Name] [<ip-addr/ipv6-addr/host-name-str>] [user <username>] [username@ip-str <filename>] The file is checked immediately upon completion of transfer and results written to the CLI. The file can be in PEMencoded or DER-encoded (binary) PKCS#7 format. If the certificate subject matches an existing TA certificate associated with the specified TA profile, then the new certificate updates the existing certificate. Any certificate which is a root or intermediate certificate will be accepted as a TA certificate. There is no check for the subject.
Loading a local certificate
To load a local certificate (single certificate/certificate chain), execute the following command. Syntax copy tftp local-certificate <ip-addr> <file-name> copy sftp local-certificate [user <user-name>] [<ip-addr/ipv6-addr/host-name-str>] [<username@ip-str>] <filename> [port <1-65535>] Parameters ta-certificate
Copy a Trust Anchor certificate to the device. ta-profile-name
The Trust Anchor Profile associated with the certificate. local certificate
Local Certificate to be copied. ip-addr
IP address of the server. file-name
Name of the certificate file. ipv6-addr
Specify TFTP server IPv6 address. host-name-str
Specify hostname of the SFTP server. user
Specify the username on the remote system. username@ip-str
Specify the username along with remote system information (hostname, IPv4 or IPv6 address.) port
628
Aruba 2930M/F | Access Security Guide
TCP port of the SSH server on the remote system.
The loaded certificate is validated against a pending Certificate Request and the maximum number of intermediate certificates allowed is 3 (with a maximum of 5 certificates in a chain). Intermediate certificates must either be loaded before the local certificate or are included as part of the local certificate.
Debug logging
The following command enables or disables debug logs: debug security <crypto> no debug security <crypto>
Parameter
crypto Display all Crypto messages.
Certificate specific
This command displays summary information for all certificates or detailed information for the named certificate. show crypto pki local-certificate [summary | <Cert-Name>] Example of displaying certificate summary information:
switch# show crypto pki local-certificate summary
Name
Usage
Expiration
Parent / Profile
-------------------- ------------- -------------- ----------------
IDEVID_CERT
IDEVID
2031/01/26
IDEVID_INTER_1
IDEVID_INTER_1
IDEVID
2031/01/26
IDEVID_INTER_2
IDEVID_INTER_2
IDEVID
2031/01/26
IDEVID_ROOT
Summary mode lists all certificates below a TA profile, including both local certificates and installed intermediates. The names of intermediate certificates are transitory and can change after local certificates are added or removed. In detailed mode the "certificate name" can be provided as an argument and details specific to the certificate are displayed. If the "expiration" displays CSR, then detailed mode re-displays the CSR as described with the crypto pki create-csr local-certificate command.
All installed certificates are shown in the same way, provided that the fields exist in the certificate. For example, a CA signed certificate has an "Issuer:" field with a different value from the "Subject" field. In a self-signed certificate, these fields are set to the same value. Since the fields are present in either type of certificate, they are always shown. Similarly, a Root certificate is a self-signed certificate. A trust anchor certificate can be either a Root certificate or an Intermediate certificate. The same fields are present in the certificate--just set to different values.
When working in the summary mode:
n An installed certificate can or can not have a subject key identifier. n An installed certificate can or can not contain an authority key identifier. n An installed certificate can or can not contain key usage constraints, which can or can not be marked critical. n When an extension is critical, the keyword "critical" is displayed; when the extension is not critical, no
additional wording is displayed.
While address ranges can be encoded in a certificate, this usage is not consistent with identifying a switch (or switch interface), so CIDR format is not expected. However, if present it must be displayed for diagnostic
Aruba 2930M/F | Access Security Guide
629
purposes. (CIDR format display can be eliminated by adding tests to reject certificates with a range at the time of certificate installation.) IP addresses are listed in lexicographical order, except that all IPv4 addresses are shown as a group before IPv6 addresses are displayed. IPv6 addresses are shown in full, without the "zeroes removed" notation.
Per RFC-5280: "Certificate users MUST be able to handle serial Number values up to 20 octets." Thus, the serial number can take 40 hex characters to print. The serial number is printed in hex to limit string length and to allow easier manual decoding of UUID type serial numbers.
The detail form of the certificate specific show command is available from the web UI. The web UI allows display of those configured certificates related to the web server only. This includes the SSL server certificate, trust anchor certificate and any other certificates configured as part of the certificate chain. All the certificates in the trust chain are also displayed.
Profile specific--TA profile
Two forms of output are available for this command, summary and detailed. If no argument is provided, a brief about all profiles is printed as shown below.
show crypto pki ta-profile
Show Trust Anchor profile specific details. Syntax show crypto pki ta-profile Example
switch# show crypto pki ta-profile
Profile Name Configured
Profile Status
CRL Configured
OCSP
------------------------------------------------------------------------------------------------
IDEVID_ROOT
Root Certificate Installed
COMODO_CA
Root Certificate Installed
No
No
GEOTRUST_CA
Root Certificate Installed
No
No
ARUBA_CA
Root Certificate Installed
No
No
ADDTRUST_CA
Root Certificate Installed
No
No
This command is not available on the web UI. A new certificate ADDTRUST_CA has been added to the switch certificate store.
Certificate details
Show the details of the Trust Anchor profile specified. Syntax show crypto pki ta-profile [ta-profile-name] Parameter ta-profile-name
630
Aruba 2930M/F | Access Security Guide
Trust Anchor Profile name for the certificate. Example
switch# show crypto pki ta-profile ADDTRUST_CA
Profile Name Profile Status
CRL Configured OCSP Configured
--------------- ------------------------------ --------------- ---------------
ADDTRUST_CA
1 certificate installed
No
No
Trust Anchor: <print_cert for Trust Anchor>
The output format for the TA certificate is same as the format for "Certificate details" above. The "Status" field lists the total number of certificates, including intermediates and local, that references this trust anchor. Intermediate certificates are shown with local certificates, as certificates under an anchor form a tree not a list.
Web support
The current security--SSL page configures web UI SSL servers only. The Suite B features are not supported on the web UI. The following are requirements for a web UI design:
n The web UI implicitly uses a TA profile named "default". If the TA certificate installed on the switch is associated with a profile of another name, the TA certificate is read-only to the web UI. See Trust anchor profile (crypto pki ta-profile).
n The web UI supports local certificate enrollment with an implicit usage of 'web'. See Local certificate enrollment -- manual mode.
n The web UI supports self-signed local certificate enrollment with an implicit usage of `web'. See Local certificate enrollment -- manual mode.
n The web UI shows the TA certificate and the configured SSL server certificate with `web' usage with any intermediate certificates in the chain. The display will match the Certificate Detail format as described in Profile specific--TA profile.
n The web UI must be able to replace an SSL server certificate (as it currently does.)
n The web UI does not need to provide `zeroization' of any certificates. See Zeroization.
SSL screen
The following figure shows the results if the user clicks Security -- SSL. Details about each panel/window in the SSL page are given below.
Aruba 2930M/F | Access Security Guide
631
Figure 136 SSL Screen
Panel hierarchy
The SSL panel displays Certificate Management features.
TA certificates panel The Trust Anchor (TA) Certificates panel displays information and status for TA profiles. Buttons, Install and Remove, install new TA profiles or remove existing ones. To install a new TA certificate, click Install. The install screen appears and prompts for certificate location. Click the Upload button to upload the new TA certificate to the switch. Click Cancel to abort the installation.
Figure 137 Install TA profile
A default TA profile is automatically created when the conditions explained in section have been satisfied. The install option is not available if:
Procedure
632
Aruba 2930M/F | Access Security Guide
1. All ten TA profiles are used and none are named "default". The TA profile number 2 is always reserved for self-signed certificate.
2. The current certificate with `usage=web' is linked to a TA profile whose name is not "default". Switch identity profile panel Switch Identity Profile displays the details of switch identity profile, if already configured with the CLI. Otherwise displays Switch Identity Profile is not configured. Installed certificates panel The Installed Certificates panel displays the certificate profile, usage, key size, status, type, beginning and end date for currently installed certificates. Figure 138 Installed certificates
View Certificate displays all certificates in the certificate chain. The view certificate list displays the local certificate, up to three intermediate certificates and one TA certificate. When a certificate is selected, a detailed view of the certificate is displayed in a popup window. Figure 139 TA certificate
Certificate requests panel The Certificate Requests panel displays the status of currently requested certificate. Within the panel the Create Self-Signed Certificate link is available.
Procedure
1. Ensure that there are no pending requests. 2. Create and install a self-signed certificate.
Any existing certificate will be replaced with one of the same name. A non-default TA Profile with a certificate configured with usage of web will not be allowed.
Create Self-Signed Certificate
Creates a self-signed certificate. Upon selection of this link, an edit request form becomes available which provides all required information for the creation of the certificate.
Aruba 2930M/F | Access Security Guide
633
The default TA Profile is called Default.
Figure 140 Certificate requests form
The Certificate Request field have the following constraints: Common Name (CN)--must be present, max length 90. Common Name should be preset with value from Switch ID profile if one exists. Organizational Unit Name (OU)--preferred, max length 100. Organization Name (O)--preferred, max length 100. Locality (L)--optional, max length 100. State (ST)--optional, max length 100. Country (C)--preferred, max length 2. Start Date--Preset with current date. End Date--Preset with current date + 1 year.
Select Install when the form has been completed to Install this certificate to the switch. Select Cancel to cancel the user request.
Error messages
Table 54: Table 53: Error messages
Error Message
Explanation
Fail the revocation-check command when a given ta-profile is not already The TA profile %s does not
configured on the switch. And Fail the clear crl command if an invalid ta-profile is exist.
given.
The TA profile %s has no certificate configured.
Fail the revocation-check command if TA certificate associated to the given profile is not already downloaded.
The URL length exceeds the maximum allowed length of Restrict length of the URL revocation URL to 255 characters. 255 characters.
Either the TA certificate A warning message will be displayed if any of the following is not completed when is not installed or the this command is run.
634
Aruba 2930M/F | Access Security Guide
Error Message
Explanation
revocation check is not set to CRL.
1. If revocation check is not CRL. 2. If TA certificate is not installed.
Do you want to delete all A prompt is given to user to select y/n before deleting all CRLs.
the CRLs? Continue (y/n):
Do you want to delete the CRL of the TA profile %s? Continue (y/n):
A prompt is given to user to select y/n before deleting CRL of the TA profile.
Following is the command which needs to be mutually exclusive with the SuiteB-
The SuiteB-minLoS command minLOS command if its configured in strict mode for SSL: [no] tls
in strict mode is mutually application {web-ssl | openflow | syslog | tr69 | cloud | all}
exclusive, with minimum
lowest-version {tls1.0 | tls 1.1| tls 1.2 | default } [cipher
TLS configured for an
{aes256-sha256 | aes256-sha | aes128-sha256 | aes128-sha | des3-
application.
cbc-sha | ecdh-rsa-aes128-gcm-sha256}]
Do you want to terminate the existing SSL/TLS sessions? Continue (y/n):
When minLOS is configured for TLS, prompt the user to kill the existing SSL/TLS sessions.
All manager level %s public keys will be deleted. Continue (y/n):
A warning message when user tries to clear all the manager keys with key type (rsa/dsa) specified.
All operator level %s public keys will be deleted. Continue (y/n):
A warning message when user tries to clear all the operator keys with key type (rsa/dsa) specified.
All operator level %s public keys will be deleted. Continue (y/n):
A warning message when user tries to clear all the keys with key type (rsa/dsa) specified.
The CRL is not downloaded or not available in the switch.
An error message when CRL is not available in the switch and when user checks the revocation status of a certificate using the command show crypto pki taprofile ta1 crl certificate-serial-num 0x3535456889ccce2e.
A DNS server must be
configured before
An error message when a named URL is configured without DNS is on switch
configuring the named URL configured.
for CRL/OCSP.
A CRL URL must begin with The URL scheme should `ldap' for CRL.
ldap://.
An OCSP URL must begin
The URL scheme should be `http' or `https' for OCSP anything else should be
with http:// or https://. given an error.
A self-signed certificate
requires a TA profile. One
of the existing TA
A default profile does not already exist and the ten TA profiles are already in use
profiles must be removed
(preventing creation of the `default' TA profile.) The maximum number of TA profiles is ten; and one of those ten TA profiles is reserved for self-signed (the default
before a self-signed
profile).
certificate may be
created.
Aruba 2930M/F | Access Security Guide
635
Error Message
Explanation
No matching CSR found. Certificate validation
If there is no CSR present on the switch, then the certificate cannot be matched.
failed.
Certificate "<cert name>" The specified certificate name is already used.
already exists".
Configuration failed.
Incomplete certificate chain.
The certificate chain is incomplete.
The certificate has expired or is not yet
The certificate is invalid.
valid.
Configuration failed. The
specified key is not The crypto keys are not available.
available. Please wait and
try again.
Certificate name is too long. The maximum length
The certificate name exceeds the maximum length allowed.
is 20.
Certificate subject does
not match the existing
certificate associated
Overwriting a configured TA certificate.
with Trust Anchor profile
<TA-Profile-Name>.
File format not recognized
or file is corrupted. Certificate validation
There is a problem with the file, such a corruption.
failed.
Key generation in The key is not generated yet during a request for a CSR.
progress, try again later.
No matching CSR found. Certificate validation
There is no CSR present on the switch, the certificate cannot be matched.
failed.
Profile was not added. The maximum number of profiles User tried to add the tenth TA profile.
is %d
Removing this TA profile
will also remove all associated certificates.
Removing a TA profile removes all associated certificates. The following warning/query appears.
Continue (y/n) ?
TA Profile%s does not exist.
During deletion, the mentioned TA profile is not existing / not configured.
The certificate cannot be The Trust Anchor certificate is not installed on the switch against the specified TA
verified because the
profile.
636
Aruba 2930M/F | Access Security Guide
Error Message
Explanation
associated Trust Anchor
profile has no certificate
configured.
The default value for start date is the current date and the default value When enrolled for self-signing without having a switch identity profile or subject for the end date is the fields in the command line. current date plus one year.
The existing certificate for this TA profile [%s] The mentioned TA profile certificate already exists and the user attempts to install a will be replaced. Continue new certificate over the existing one. (y/n)?
Enter Common Name(CN) : Enter Org Unit(OU) : Enter Org Name(O) : Enter Locality(L) : Enter State(ST) : Enter Country(C) :
Prompts appear if the required fields are not given as arguments.
Aruba 2930M/F | Access Security Guide
637
Chapter 33 EST and its applications
EST and its applications
Data protection is necessary in a large roaming environment, where the certificate signing request passes through the multiple administrative domains, and untrusted networks. Manual signing of certificate on a CA server can cause security issues, and data sniffing. Eavesdroppers can collect confidential information to generate CSR, causing breach of trust, and security threat to an organization. To overcome these issues, following solutions are supported in switch: n Application Certificate Enrollment using EST: EST (Enrollment over Secured Transport) over TLS is secure,
reliable, and convenient mode for certificate request, and certificate enrollment. With this release, EST enrollment is supported for RadSec, Captive portal, OpenFlow, Syslog, and, SSH client/server applications. n Secure RADIUS (RadSec): RadSec is a protocol that supports RADIUS over TLS. RadSec mandates TLS to provide a secure, reliable, and a convenient mode of transport for RADIUS server request. n Syslog over TLS: Syslog over TLS secures the communication between a switch and a Syslog server for mutual authentication. Figure 141 EST infrastructure supporting Certificate Enrollment, RadSec, and Syslog applications
Application Certificate Enrollment using EST
Secure Syslog over TLS
Transport Layer Security (TLS) provides authentication, privacy, and network security. Syslog server connection without TLS is insecure. You can secure the connection between switch and syslog server over TLS by mutual authentication of certificates.
Aruba 2930M/F | Access Security Guide
638
Syslog considerations
Following are the pre-requisites before you start with syslog server configuration:
n You must configure external syslog server which is the TLS compliant.
n The syslog server must be reachable from at least one of the switch interfaces. For more information, see Configuring syslog server over TLS on page 639Configuring syslog server over TLS .
n A client certificate with usage syslog or all must be pre-installed on the switch and client certificate TA must be installed on the syslog server.
n A server certificate must be pre-installed on the syslog server and server certificate TA must be installed on the client switch.
Configuring syslog server over TLS
Syntax
logging <IP-ADDR> tls <PORT-NUMBER> no logging <IP-ADDR> tls <PORT-NUMBER>
Description
Configures the TLS port for syslog application. The default value for TLS port is 6514. The no form of the command resets to the default TLS port number.
Command context
config
Parameters
IP-ADDR Specifies the IP address. PORT-NUMBER Specifies the port number used for the IP address.
Examples
switch (config)# logging 10.7.21.2 tls
<1024-49151>
The port number to be used for the given IP-ADDR.
switch (config)# logging 10.7.21.2 tls 2048
<cr>
Creating a certificate manually for syslog application
The following steps are performed manually to create a certificate on the switch:
1. Configure a TA-profile which is required for creating CSR using crypto pki ta-profile <PROFILE_ NAME>.
2. Generate root certificate from a CA server and install the certificate using copy tftp ta-certificate. 3. Create a CSR request with respect to the created TA-profile using crypto pki create-csr
certificate-name <syslog_leaf> ta-profile <PROFILE_NAME> usage ALL.
639
Aruba 2930M/F | Access Security Guide
4. Install a signed certificate using crypto pki install-signed-certificate. It prompts the administrator to paste the base-64 format of the signed certificate. If the certificate is valid and the associated TA-profile matches the CSR, then switch installs the certificate.
You can automate certificate creation using EST. Refer Creating a syslog certificate using EST server.
Configuration commands
Creating CSR certificate using syslog
crypto pki create-csr certificate-name ta-profile usage syslog
Syntax
crypto pki create-csr certificate-name <Certificate_Name> ta-profile <Profile_Name> usage syslog {[key-type rsa key-size <Key_Size> | (key-type ecdsa curve <Curve_Size>)] | [subject (common-name <CN_Value>) | (org <Org_Value>)(org-unit <Org_Unit_Value>) | (locality <Location_Value>) | (state <State_Value>) (country <Country_Code>)] | [valid-start <Start_Date> valid-end <End_Date>]}
Description
Creates a certificate signature request manually to support syslog through TLS application.
Command context
config
Parameters
Certificate_Name Specifies the certificate name. Profile_Name Specifies the TA profile name. Usage Specifies the intended application. Default is web. Key-type Specifies the key type. Either RSA or ECDSA. Key_Size Specifies the key size. Values allowed are 1024 or 2048. The default value is 1024. Curve_Size Specifies the elliptic curve size. Values allowed are 256 or 384. The default value is 256. CN_Value Specifies the common name for the certificate. Org_Value Specifies the organization name for the certificate. Org_Unit_Value Specifies the organization unit for the certificate. Location_Value
Aruba 2930M/F | Access Security Guide
640
Specifies the location of the organization. State_Value Specifies the state. Country_Code Specifies the country code. Start_Date Specifies the validity start date for the certificate. End_Date Specifies the validity end date for the certificate.
Examples
switch(config)# crypto pki create-csr certificate-name cert1 ta-profile ta1
usage syslog
key-type
Specify the key-type.
subject
Subject fields of the certificate, the default values are specified
in the identity profile.
valid-start
Certificate validity start date (MM/DD/YYYY).
switch(config)# crypto pki create-csr certificate-name cert1 ta-profile ta1 usage syslog key-type
ecdsa
Use the ECDSA key.
rsa
Use the RSA key.
subject
Subject fields of the certificate, the default values
are specified in the identity profile.
valid-start
Certificate validity start date (MM/DD/YYYY).
switch(config)# crypto pki create-csr certificate-name cert1 ta-profile ta1
usage syslog key-type rsa
key-size
The length of the key, default is 1024 bits.
switch(config)# crypto pki create-csr certificate-name cert1 ta-profile ta1 usage syslog key-type rsa key-size 1024
2048
switch(config)# crypto pki create-csr certificate-name cert1 ta-profile ta1
usage syslog key-type rsa key-size 1024
subject
Subject fields of the certificate, the default values are specified
in the identity profile.
valid-start
Certificate validity start date (MM/DD/YYYY).
switch(config)# crypto pki create-csr certificate-name cert1 ta-profile ta1
usage syslog key-type rsa key-size 1024 subject
common-name
To specify common name
country
To specify the two letter ISO 3166-1 country code
locality
To specify locality
org
To specify organization
org-unit
To specify organization unit
state
To specify state
valid-start
Certificate validity start date (MM/DD/YYYY).
switch(config)# crypto pki create-csr certificate-name cert1 ta-profile ta1
usage syslog key-type rsa key-size 1024 subject common-name CN1 country in
locality xxx org yyy org-unit org123 state zzz
valid-start
Certificate validity start date (MM/DD/YYYY).
switch(config)# crypto pki create-csr certificate-name cert1 ta-profile ta1 usage syslog key-type rsa key-size 1024 subject common-name CN1 country in locality xxx
641
Aruba 2930M/F | Access Security Guide
org yyy org-unit org123 state zzz valid-start 05/20/2019
valid-end
Certificate validity end date (MM/DD/YYYY).
switch(config)# crypto pki create-csr certificate-name cert1 ta-profile ta1 usage syslog key-type rsa key-size 1024 subject common-name CN1 country in locality xxx org yyy org-unit org123 state zzz valid-start 05/20/2019 valid-end 06/15/2025 <cr>
Installing a signed certificate
Syntax
crypto pki install-signed-certificate
Description
Installs the signed certificate manually. The certificate must match the created CSR request. The generated CSR must be signed using an external CA server, and install the signed certificate in switch.
Command context
config
Examples
switch(config)# crypto pki install-signed-certificate Paste the certificate here and enter: -----BEGIN CERTIFICATE----MIICpzCCAY+gAwIBAgICIqUwDQYJKoZIhvcNAQELBQAwFzEVMBMGA1UEAwwMZXN0 RXhhbXBsZUNBMB4XDTE5MDMyNzA2MzAwNVoXDTIwMDMyNjA2MzAwNVowDzENMAsG A1UEAxMEVEVTVDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArQKlLXS5Qo+X +vMw6mZ9KJul0oLUpe95MV4RdwQEdG0tN70uZPH3x24rzsFlFgX3pmwBaaciFHed x1Mqh1ypzdqxINu/rJBUN2pL3FYx4t232FKZphT2nEOdpEt5/93nPbuF2lAU/Wug tS+MSPeRwE2sPUdINKCnyRRjW9ypp+ECAwEAAaOBiDCBhTAJBgNVHRMEAjAAMAsG A1UdDwQEAwIHgDArBgNVHR8EJDAiMCCgHqAchhpodHRwOi8vZXhhbXBsZS5jb20v Y3JsLnBlbTAdBgNVHQ4EFgQUZjXFrRlBqKN1+gCrFhb0ATqN9WMwHwYDVR0jBBgw FoAUg/Mm+wJiLIHWa0Lm/uwTslbqfWwwDQYJKoZIhvcNAQELBQADggEBAA/VwaIM OykB0RghWTEhlOaQtVfzIlkotvXYQ4XuwMYiMxlrPtM3tS2EgwFPg6K6tbjWFgZ2 pQKvQm8k/+ZWCiUwE8xE1lo5KWGDGyq9nmKhrmy6WUQxE+1muLe2NLZ2nG3Pq4E0 dLsCp7yQ24YtoEiMdOSLN0TOsC8fnr06ZSnOkr0XHvAWkTTybVr+jsAO7wNRc4fY IAwMGcgcHPAfjx7S3cMVprk45PzkTXAchV/HF+7ICqaT+EaYl2NcqjH0jzc83vS3 7o5eavVUdV73GA1objWxcp6Iya0nvwXqdB7X2rTrNAVqvAX+yD7CF7TN9qFeVl5j LFs3lFzKuGh18ng= -----END CERTIFICATE----<cr>
Show commands
show crypto pki local-certificate
Syntax
show crypto pki local-certificate [Summary | Cert_Name]
Description
Displays the local certificate details.
Example
Aruba 2930M/F | Access Security Guide
642
switch(config)#show crypto pki local-certificate cert1
Name
Usage
------------------- -----------
cert1
Syslog
Expiration -----------CSR
Parent / Profile -------------------ta1
Creating a syslog certificate using EST server
Prerequisites
n IDEVID certificate must be present on the switch. n Add IDEVID TA certificate in EST server TA certificate database. n Add EST server TA certificate in switch TA profile. n Synchronize time between switch and the EST server.
1. Manually configure EST server profile such as profile name, server URL, retry interval, retry count, and authorization mechanism. The switch connects with EST server through the configured URL.
2. Create a TA profile.
Example:
crypto pki ta-profile ta-est 3. Configure enrollment CLI for application certficates using est profile in the templates. 4. Verify the enrollment of syslog certificate. For more information on EST, refer EST and its applications.
Secure Radius (RadSec)
Overview of RadSec
RADIUS protocol uses UDP as underlying transport layer protocol. RadSec is a protocol that supports RADIUS over TCP and TLS. In conventional RADIUS requests, security is a concern as the confidential data is sent using weak encryption algorithms. The access requests are in plain text includes information such as user name, IP address and so on. The user password is an encrypted shared secret. As a result, eavesdroppers can listen to these RADIUS requests and collect confidential information. Data protection is necessary in roaming environments where the RADIUS packets travel across multiple administrative domains and untrusted networks. RadSec mandates TLS to provide a secure, reliable, and a convenient mode of transport for RADIUS requests over unsecure networks.
643
Aruba 2930M/F | Access Security Guide
RadSec module secures the communication between the switch and RADIUS server using TLS connection. Using RADIUS over TLS provides users with the flexibility to host RADIUS servers across geographics and WAN networks. For enabling RADIUS security, a new CLI option tls is provided under the command radius-server, where tls stands for Transport Layer Security. Advantages of RadSec over TLS:
n Secures the communication between the switch and RADIUS server using a TLS session. n Provides flexibility and enhances security to host RADIUS servers across geographics and WAN networks. n Uses digital certificates to authenticate both client and server connection.
RadSec configuration
To configure RadSec protocol, use the following commands:
n Configure tls using the command radius-server host <IP-ADDR/FQDN> tls command.
n Install certificates with usage radsec-client or all. If certificate with usage radsec-client or all is not installed, the switch uses the default IDEVID to establish connection with the RadSec server. For more information about certificates, see the Access Security Guide of your switch.
n Configure the IP address for RadSec communication using the command ip source-interface. For more information, see the Management and Configuration Guide of your switch.
n Configure the TLS version lesser than the default 1.2 using the command tls application.
n (optional) Assign the radius server with TLS in the server-group configuration using the command aaa server-group. For more information, see the Access Security Guide of your switch.
RadSec considerations
RADIUS communication between the switch and RADIUS server uses UDP as the transport layer mechanism. RadSec supports communication between the switch and RADIUS server over TCP and TLS. RadSec considerations are as follows:
n No change in RADIUS packet formats from UDP to TCP. n TLS version must be at least 1.1 for successful connections.
Aruba 2930M/F | Access Security Guide
644
n Mutually authenticated TLS connections are required. The default port is 2083. For more information about automatic certificates enrollment, see EST certificates section in the Access Security Guide of your switch.
n If certificates with radsec-client or all as usage are not installed, switch uses the default IDEVID certificate.
n If a server group consists of RADIUS servers supporting both UDP and TCP, the authentication falls back to the next available RADIUS server. The fallback happens to the next available server, in case of a connection failure.
n With RADIUS tracking enabled and RadSec server is not reachable due to a failed TCP connection, the server is termed as DEAD server. If server is configured with deadtime, then new requests are not made until the dead time elapses.
n Supports configurable connection time-out.
Certificate Manager considerations
The certificate manager considerations for RadSec implementation are:
n RadSec requires a mutually authenticated TLS connection for communication between the switch and RADIUS server.
n For TLS connections, you require: l Certificates with usage radsec-client or all or l Switch default certificate, IDEVID.
n The switch must have a CA certificate that issued the RadSec server certificate. The RadSec server must have a CA certificate that issued the switch RadSec application certificate.
n EST enrolment is supported for RadSec certificates. For more information, see the Access Security Guide of your switch.
Enabling TLS connection for RadSec
Use the following commands to configure RadSec over TLS:
n radius-server host <IP-ADDR | FODN> tls port <PORT> n radius-server host <IP-ADDR | FQDN> tls oobm n radius-server host <IP-ADDR | FQDN> tls clearpass n radius-server host <IP-ADDR | FQDN> tls dyn-authorization n radius-server host <IP-ADDR | FQDN> tls time-window <SECONDS> n radius-server host <IP-ADDR | FQDN> tls time-window positive-time-window n radius-server host <IP-ADDR | FQDN> tls time-window plus-or-minus-time-window n radius-server tls timeout <SECONDS> n radius-server tls connection-timeout <SECONDS> n radius-server tls dead-time <MINUTES> n radius-server tls dead-time infinite
645
Aruba 2930M/F | Access Security Guide
radius-server host tls port
Syntax
radius-server host <IP-ADDR/FQDN> tls port <PORT> no radius-server host <IP-ADDR/FQDN> tls port <PORT>
Description
Enables TLS session over TCP connection for Radsec protocol. RADIUS packets are encrypted due to TLS over TCP connection. The no form of the command configures TLS session on the default port, 2083.
Command context
config
Parameters
IP-ADDR Specifies server IPv4 address.
For successful RadSec connections, when the RADIUS server host is configured with an IP address, the server certificate sent by the RadSec server must contain the same IP address in the common name or Subject Alternative Name (SAN) field of the certificate.
FQDN Specifies server FQDN.
For successful RadSec connections, when the RADIUS server host is configured with an FQDN, the server certificate sent by the RadSec server must contain the same FQDN name in the common name or Domain Name Service (DNS) field of the certificate.
PORT Specifies the TCP destination port number for TLS session. The default port is 2083.
Examples
The following example shows how to configure a RADIUS server with an address of 10.3.17.8, and enabling TLS. If no port is configured, TLS is enabled on the default port, 2083 as shown:
switch(config)# radius-server
access-request
Configure access-request attribute to be included.
cppm
Username and password combination of ClearPass which is
used to login to ClearPass to download user roles.
dead-time
Configure the dead time for unavailable RADIUS servers.
dyn-autz-port
Configure the UDP port for dynamic authorization
messages.
fqdn-retry
The interval at which the resolution of the FQDN is
retried for the radius server which failed to resolve
the FQDN at the time of configuring it.
host
Configure a RADIUS server.
key
Configure the default authentication key for all RADIUS
servers.
retransmit
Configure the request retransmit count.
Aruba 2930M/F | Access Security Guide
646
timeout tls tracking
Configure the server response timeout. Configure the RADIUS server with respect to TLS. Configure RADIUS service tracking parameters.
switch(config)# radius-server host
FQDN
The server fqdn address.
IP-ADDR
The server IPv4 address.
IPV6-ADDR
The server IPv6 address.
NOTE: RadSec for IPv6 servers is not supported.
switch(config)# radius-server host 10.3.17.8 tls
clearpass
Radius server is hosted by ClearPass or not
dyn-authorization
Accept dynamic authorization messages.
oobm
Use the OOBM interface to connect to the server.
port
Configure the TCP destination port number for TLS
session (the default is 2083).
time-window
Configure replay protection for dynamic authorization
messages.
switch(config)# show radius host 10.3.17.8
Status and Counters - RADIUS Server Information
Server IP Addr : 10.3.17.8
TLS Enabled : Yes
Authentication Port Round Trip Time Pending Requests Retransmissions Timeouts Malformed Responses Bad Authenticators Unknown Types Packets Dropped Access Requests Access Challenges Access Accepts Access Rejects
: 2083 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0
Accounting Port
: 2083
Round Trip Time
:0
Pending Requests
:0
Retransmissions
:0
Timeouts
:0
Malformed Responses : 0
Bad Authenticators : 0
Unknown Types
:0
Packets Dropped
:0
Accounting Requests : 0
Accounting Responses : 0
Upon enabling TLS on port 1026 of RADIUS host 10.3.17.8:
switch(config)# radius-server host 10.3.17.8 tls port
<1025-65535>
Enter a TCP port number.
switch(config)# radius-server host 10.3.17.8 tls port 1026
switch(config)# show radius host 10.3.17.8
Status and Counters - RADIUS Server Information
Server IP Addr : 10.3.17.8
Authentication Port Round Trip Time
Pending Requests Retransmissions Timeouts Malformed Responses Bad Authenticators Unknown Types Packets Dropped Access Requests
: 1026 :0
:0 :0 :0 :0 :0 :0 :0 :0
TLS Enabled : Yes
Accounting Port
: 1026
Round Trip Time
:0
Pending Requests
:0
Retransmissions
:0
Timeouts
:0
Malformed Responses : 0
Bad Authenticators : 0
Unknown Types
:0
Packets Dropped
:0
Accounting Requests : 0
647
Aruba 2930M/F | Access Security Guide
Access Challenges
:0
Access Accepts
:0
Access Rejects
:0
Accounting Responses : 0
The following example shows FQDN www.clearpass.com being configured as a radius-server host:
switch(config)# radius-server host www.clearpass.com tls
switch(config)# show radius host www.clearpass.com
Status and Counters - RADIUS Server Information
Server IP Addr : 10.101.0.199
TLS Enabled : Yes
Authentication Port Round Trip Time Pending Requests Retransmissions Timeouts Malformed Responses Bad Authenticators Unknown Types Packets Dropped Access Requests Access Challenges Access Accepts Access Rejects Connection Status Connection Error
: 2083
Accounting Port
: 2083
:0
Round Trip Time
:0
:0
Pending Requests
:0
:0
Retransmissions
:0
:0
Timeouts
:0
:0
Malformed Responses : 0
:0
Bad Authenticators : 0
:0
Unknown Types
:0
:0
Packets Dropped
:0
:0
Accounting Requests : 0
:0
Accounting Responses : 0
:0
:0
: Waiting for socket creation
: RadSec server certificate has bad common name.
Retrying the connection in (minutes) : 5
radius-server host tls oobm
Syntax
radius-server host <IP-ADDR/FQDN> tls oobm
Description
Configures the support for RADIUS TLS server over OOBM interface. By default, the OOBM support is disabled. Enabling OOBM, establishes the TLS connection from the OOBM interface to the RADIUS TLS server.
Command context
config
Parameters
IP-ADDR Specifies the IPv4 address of the server. FQDN Specifies the FQDN of the server.
Example
switch(config)# radius-server host 10.2.97.10 tls oobm
Aruba 2930M/F | Access Security Guide
648
radius-server host tls clearpass
Syntax
radius-server host <IP-ADDR | FQDN > tls clearpass no radius-server host <IP-ADDR | FQDN > tls clearpass
Description
Configures RADIUS server over clearpass. By default, clearpass support is disabled. The no form of the command disables clearpass support.
Command context
config
Parameters
IP-ADDR Specifies server IPv4 address. FQDN Specifies server FQDN.
Example
switch(config)# radius-server host 10.2.97.10 tls clearpass
radius-server host tls dyn-authorization
Syntax
radius-server host <IP-ADDR | FQDN> tls dyn-authorization no radius-server host <IP-ADDR | FQDN> tls dyn-authorization
Description
Enables dynamic authorization. The Disconnect-Request and CoA-Request messages from the RADIUS server are accepted and processed. By default, dynamic authorization messages are ignored. The no form of the command disables dynamic authorization.
Command context
config
Parameters
IP-ADDR Specifies server IPv4 address. FQDN Specifies server FQDN.
Example
radius-server host 10.2.97.10 tls dyn-authorization
649
Aruba 2930M/F | Access Security Guide
radius-server host tls time-window
Syntax
radius-server host <IP-ADDR/FQDN> tls time-window <Seconds> no radius-server host <IP-ADDR/FQDN> tls time-window <Seconds>
Description
The time-window sub-command of tls configures the time window (in seconds) within which the RADIUS packets carrying the Event-Timestamp attribute is considered as current and accepted for processing by the NAS and the RADIUS TLS Server. A non-zero value indicates that the Event-Timestamp attribute must be used in the dynamic authorization communication exchange between the switch and the RADIUS server. Zero value disables the Event-Timestamp attribute checking. Default time window is 300 seconds. The no form of the command sets the value to zero. Zero value disables the Event-Timestamp attribute checking.
Command context
config
Parameters
IP-ADDR Specifies server IPv4 address. FQDN Specifies server FQDN.
Example
switch(config)# radius-server host 10.2.97.10 tls time-window
<0-65535>
The window size in seconds.
positive-time-window Sets the current acceptable time-window as default (+)
time-window value for dynamic authorization messages.
plus-or-minus-time-window Sets the current acceptable time-window as (+/-)
time-window value for dynamic authorization messages.
radius-server host tls time-window positive-time-window
Syntax
radius-server host <IP-ADDR | FQDN> tls time-window positive time-window no radius-server host <IP-ADDR | FQDN> tls time-window positive time-window
Description
Configures the replay protection for dynamic authorization messages. Default is positive window-type. The no form of the command disables replay protection.
Command context
config
Parameters
IP-ADDR Specifies server IPv4 address. FQDN
Aruba 2930M/F | Access Security Guide
650
Specifies server FQDN.
Usage
When replay protection is enabled and positive-time-window is set, the messages from the server must contain a time stamp attribute that differs from the current time. The time stamp value must not be more than the specified number of seconds. Messages with time stamp value outside the valid window are considered stale and are ignored. Setting the time window to zero disables replay protection.
Example
switch(config)# radius-server host 10.2.97.10 tls time-window
<0-65535>
The window size in seconds.
positive-time-window Sets the current acceptable time-window as default (+)
time-window value for dynamic authorization messages.
plus-or-minus-time-window Sets the current acceptable time-window as (+/-)
time-window value for dynamic authorization messages.
radius-server host tls time-window plus-or-minus-time-window
Syntax
radius-server host <IP-ADDR | FQDN> tls time-window plus-or-minus-time-window no radius-server host<IP-ADDR | FQDN> time-window plus-or-minus-time-window
Description
Enables replay protection for dynamic authorization messages and sets the minus-or-plus-time-window. Default is positive-time-window. The no form the command disables replay protection.
Command context
config
Parameters
IP-ADDR Specifies server IPv4 address. FQDN Specifies server FQDN.
Usage
Messages from the server must contain an event time stamp attribute, which differs from the current time by not more than the (+/-) specified number of seconds. Messages with the time stamp value outside the configured time window are considered invalid and ignored. Setting the time window disables the replay of the dynamic authorization messages.
Example
switch(config)# radius-server host 10.2.97.10 time-window
<0-65535>
The window size in seconds.
positive-time-window Sets the current acceptable time-window as default (+)
time-window value for dynamic authorization messages.
plus-or-minus-time-window Sets the current acceptable time-window as (+/-)
time-window value for dynamic authorization messages.
651
Aruba 2930M/F | Access Security Guide
radius-server tls timeout
Syntax
radius-server tls timeout <Seconds>
Description
Configures the RADIUS server response timeout. Default timeout is 30 seconds.
Command context
config
Parameter
seconds Specifies the timeout in seconds. Range is <5240> seconds.
Usage
If the established session is active and RADIUS server is not responding to the requests for the specified timeout, then the next configured server is considered. For deployments where RadSec servers are distributed across WAN, it is recommended to configure the time out to a larger value.
Example
switch(config)# radius-server tls timeout
<5-240>
Enter an integer number.
radius-server tls connection-timeout
Syntax
radius-server tls connection-timeout <Seconds> no radius-server tls connection-timeout
Description
Configures the TLS connection timeout value. Default is five seconds. The no form of the command sets the default value.
Command context
config
Parameter
seconds Specifies the connection timeout in seconds.
Example
switch(config)# radius-server tls connection-timeout
<5-30>
Enter an integer number.
radius-server tls dead-time
Syntax
Aruba 2930M/F | Access Security Guide
652
radius-server tls dead-time <Minutes> no radius-server tls dead-time <Minutes>
Description
Configures a dead time for nonfunctional RADIUS TLS servers. When a server stops responding, the switch ignores the server for the configured dead time, and considers the next available server. By default, nonfunctional servers are not skipped. The no form of the command disables the configured dead time for nonfunctional servers.
Command context
config
Parameter
minutes Specifies the dead-time in minutes.
Example
switch(config)# radius-server tls dead-time
<1-1440>
The dead time value in minutes.
infinite
Infinite dead time.
radius-server tls dead-time infinite
Syntax
radius-server tls dead-time infinite no radius-server tls dead-time infinite
Description
Configures infinite dead time for nonfunctional RADIUS TLS servers. When a server is marked nonfunctional, the switch ignores it indefinitely, until RADIUS tracking sets the server as functional. The no form of the command disables the configured dead time for nonfunctional servers.
Command context
config
Example
switch(config)# radius-server tls dead-time <1-1440> The dead time value in minutes. infinite Infinite dead time. Use the show run command to view all the configured tls subcommands:
switch(config)# show run|include tls radius-server host 10.11.12.13 tls port 1200 radius-server host 10.11.12.13 tls time-window plus-or-minus-time-window radius-server host 10.11.12.13 tls time-window 777 radius-server host 10.2.97.10 oobm clearpass radius-server host 10.3.17.8 tls oobm radius-server host 10.3.17.8 tls clearpass radius-server host 10.92.2.3 tls port 1026 radius-server host 10.92.2.3 tls oobm radius-server host 10.92.2.3 tls clearpass radius-server host 10.92.2.3 tls dyn-authorization radius-server host 10.92.2.3 tls time-window plus-or-minus-time-window radius-server host 10.92.2.3 tls time-window 10
653
Aruba 2930M/F | Access Security Guide
radius-server host 10.93.2.3 tls radius-server host 10.4.11.3 tls port 1026 radius-server host 10.4.11.3 tls oobm radius-server host 10.4.11.3 tls clearpass radius-server host 10.4.11.3 tls dyn-authorization radius-server host 10.4.11.3 tls time-window plus-or-minus-time-window radius-server host 10.4.11.3 tls time-window 577 radius-server tls connection-timeout 22 radius-server tls dead-time infinite radius-server tls timeout 16
show radius host
Syntax
show radius host <IP-ADDR/FQDN>
Description
Shows RADIUS status and statistics information.
Command context
config
Parameters
IP-ADDR Specifies server IPv4 address. FQDN Specifies server FQDN.
Example
Following is an example of show radius host with IP address 192.168.1.252:
switch(config)# show radius host 192.168.1.252
Status and Counters - RADIUS Server Information
Server IP Addr : 192.168.1.252
TLS Enabled : Yes
Authentication Port Round Trip Time Pending Requests Retransmissions Timeouts Malformed Responses Bad Authenticators Unknown Types Packets Dropped Access Requests Access Challenges Access Accepts Access Rejects Connection Status Connection Error
: 2083
Accounting Port
: 2083
: 16
Round Trip Time
:0
:0
Pending Requests
:0
:0
Retransmissions
:0
: 21
Timeouts
:0
:0
Malformed Responses : 0
:0
Bad Authenticators : 0
:0
Unknown Types
:0
:3
Packets Dropped
:0
: 104
Accounting Requests : 0
:0
Accounting Responses : 0
:0
: 80
: RadSec Connection established
: NA
Aruba 2930M/F | Access Security Guide
654
Following is an example of show radius host with FQDN as radsec.com
HP-VSF-Switch# sh radius host radsec.com Status and Counters - RADIUS Server Information
Server IP Addr : 192.168.1.252
TLS Enabled : Yes
Authentication Port Round Trip Time Pending Requests Retransmissions Timeouts Malformed Responses Bad Authenticators Unknown Types Packets Dropped Access Requests Access Challenges Access Accepts Access Rejects Connection Status Connection Error
: 2083
Accounting Port
: 2083
: 17
Round Trip Time
:0
:0
Pending Requests
:0
:0
Retransmissions
:0
:0
Timeouts
:0
:0
Malformed Responses : 0
:0
Bad Authenticators : 0
:0
Unknown Types
:0
:0
Packets Dropped
:0
:0
Accounting Requests : 0
:0
Accounting Responses : 0
:0
:0
: RadSec Connection established
: NA
show radius
Syntax
show radius
Description
Shows RADIUS status and statistics information.
Command context
config
Example
switch(config)# show radius
Status and Counters - General RADIUS Information
Dead RADIUS server are preceded by *
Deadtime (minutes)
:0
TLS Dead Time (minutes)
:0
Timeout (seconds)
:5
TLS Timeout (seconds)
:5
Retransmit Attempts
:2
TLS Connection Timeout (seconds) : 5
Global Encryption Key
: procurve
Dynamic Authorization UDP Port : 2000
Source IP Selection
: Outgoing Interface
Tracking
: Enabled
Request Packet Count
:1
Track Dead Servers Only
: Disabled
Tracking Period (seconds)
: 500
ClearPass Identity
: admin
Auth Acct DM/ Time | Server IP Addr Port Port CoA Window | Encryption Key
OOBM
655
Aruba 2930M/F | Access Security Guide
--------------- ----- ----- --- ------ + ------------------
192.168.1.252 2083 2083 No 300 |
No
show radius accounting
Syntax
show radius accounting
Description
Shows RADIUS status and statistics information.
Command context
config
Example
switch(config)# show radius accounting
Status and Counters - RADIUS Accounting Information
Dead RADIUS server are preceded by *
NAS Identifier
: Switch
Invalid Server Addresses : 0
UDP/TCP
Server IP Addr Port Timeouts Requests Responses
--------------- ------- ---------- ---------- ----------
192.168.1.252 2083 0
0
0
show radius authentication
Syntax
show radius authentication
Description
Shows RADIUS status and statistics information.
Command context
config
Example
switch(config)# show radius authentication
Status and Counters - RADIUS Authentication Information
Dead RADIUS server are preceded by *
NAS Identifier
: Switch
Invalid Server Addresses : 0
UDP/TCP
Aruba 2930M/F | Access Security Guide
656
Server IP Addr Port Timeouts Requests Challenges Accepts Rejects
--------------- ------- ---------- ---------- ---------- ---------- ----------
192.168.1.252 2083 21
104
0
0
80
show radius host dyn-authorization
Syntax
show radius host <IP-ADDR | FQDN> dyn-authorization
Description
Shows RADIUS status and statistics information.
Command context
config
Parameters
IP-ADDR Specifies server IPv4 address. FQDN Specifies server FQDN.
Example
switch (config)# show radius host 10.4.11.3 dyn-authorization Status and Counters - RADIUS Dynamic Authorization Information
Authorization Client IP Address : 10.4.11.3
Unknown PKT Types Received : 0
TLS Enabled
: Yes
Disc-Reqs
:0
Disc-Reqs Authorize Only : 0
Disc-ACKs
:0
Disc-NAKs
:0
Disc-NAKs Authorize Only : 0
Disc-NAKs No Ses. Found : 0
Disc-Reqs Ses. Removed : 0
Disc-Reqs Malformed
:0
Disc-Reqs Bad Authentic. : 0
Disc-Reqs Dropped
:0
CoA-Reqs
:0
CoA-Reqs Authorize Only : 0
CoA-ACKs
:0
CoA-NAKs
:0
CoA-NAKs Authorize Only : 0
CoA-NAKs No Ses. Found : 0
CoA-Reqs Ses. Changed : 0
CoA-Reqs Malformed
:0
CoA-Reqs Bad Authentic. : 0
CoA-Reqs Dropped
:0
tls application
Syntax
tls application {web-ssl | openflow | syslog | tr69 | cloud | radsec | all} lowest-version {tls1.0 | tls 1.1| tls 1.2 | default }
[cipher {<cipher-name> | all} | disable-cipher {<cipher-name>}] no tls application {web-ssl | openflow | syslog | tr69 | cloud | radsec | all} lowestversion {tls1.0 | tls 1.1| tls 1.2 | default }
[cipher {<cipher-name> | all} | disable-cipher {<cipher-name>}]
657
Aruba 2930M/F | Access Security Guide
Description
Configures the lowest version of TLS and the cipher suite for an application. For successful connections, TLS version must be equal or greater than the configured version. The no form of the command resets to the default tls version.
Command context
config
Examples
switch (config)# tls application radsec
lowest-version
Configure the lowest version of TLS for applications.
switch (config)# tls application radsec lowest-version
default
Configure the default version of TLS1.1 as the lowest
version of TLS for the specified application
tls1.0
Configure TLS1.0 as the lowest version of TLS for the
specified application
tls1.1
Configure TLS1.1 as the lowest version of TLS for the
specified application
tls1.2
Configure TLS1.2 as the lowest version of TLS for the
specified application
switch (config)# tls application radsec lowest-version default
Do you want to terminate the existing TLS or SSL sessions (y/n)? y
Scalability
You can configure up to 15 RADIUS servers. The RADIUS servers are categorized into RADIUS groups. These groups are assigned to authentication methods such as 802.1x and MAC authentication.
Alarms/Timers
A one minute timer is introduced to re-establish failed connections to the RadSec servers. Connection retry to the failed servers happens every five minutes.
Operating notes
RadSec supports:
n IPv4 RadSec only (with FQDN support) n 15 RADIUS server configuration with RadSec functionality n User specified RADIUS TCP port. Default port is 2083. n RADIUS accounting n RADIUS CoA n RADIUS tracking n EST for installing radsec-client usage certificate n Connections with:
l Manually installed application certificates with the usage radsec-client. l Application certificates installed through EST workflow. l Switch default IDEVID certificate, if radsec-client application certificate is not installed.
Aruba 2930M/F | Access Security Guide
658
Deployment scenarios
With RadSec, one can mitigate the risks of data sniffing over insecure networks. It is achieved by creating an encrypted TLS tunnel for exchanging RADIUS packets across remote RADIUS servers. For successful TLS connections, install the certificates in either of the following ways:
n Manually install certificates by raising a CSR request. For more information about installing the certificate manually, see the Access Security Guide of your switch.
n Enrolling the application certificate using EST. For more information about EST, see the Access Security Guide of your switch.
After installation, the CA certificates of RADIUS servers must be copied to the switch certificate store. If certificates with the usage radsec are not installed, the switch uses the default, IDEVID certificate. You can deploy the RADIUS/TLS servers in any of the following scenarios:
n Scenario 1: Switch establishes TLS connection with the RADIUS server. n Scenario 2: Switch establishes TLS connection with the proxy server, which communicates with the RADIUS
server.
Scenario 1: Switch establishes TLS connection with the RADIUS server
In this scenario, the RADIUS server is across WAN. The RADIUS/TLS secures the user data by creating an encrypted TLS tunnel between the switch and authentication server.
Scenario 2: Switch establishes TLS connection with the proxy server, which communicates with the RADIUS server
In this scenario, multiple RADIUS servers are distributed over WAN (untrusted networks). RADIUS proxy directs the RADIUS requests to the RADIUS server, which listens on UDP. The proxy server uses the switch certificates to authenticate the client-server credentials. As a result, all RADIUS communications across the network are TLS encrypted.
Example of RadSec configuration
Prerequisite
n ClearPass version is 6.7.4 or higher.
659
Aruba 2930M/F | Access Security Guide
ClearPass as RadSec server
Following are the steps to configure ClearPass as RadSec server:
1. Import Root CA certificate to the ClearPass certificate store. Choose Select Type as RadSec Server Certificate
Click Create Certificate Signing Request. Enter the IP address of ClearPass . For configuring radius-server host FQDN on DUT, enter the hostname.
2. 3. Sign the created CSR with CA. 4. Ensure RadSec Server Certificate is selected while importing signed certificate.
5. Select Enable RadSec while adding devices.
Aruba 2930M/F | Access Security Guide
660
The IP address is used as the source IP of the DUT and must be reachable from ClearPass.
DUT configuration
Follow these steps to configure DUT:
1. Generate CSR with usage radsec-client
DUT(config)# crypto pki ta-profile ta1 DUT(config)# crypto pki create-csr certificate-name Cert1 ta-profile ta1
key-type rsa key-size 2048 subject common-name test org HEP org-unit HPN state KA country IN usage radsec-client
2. Copy CA root certificate generated on CA. DUT(config)# copy tftp ta-certificate ta1 <tftp server ip> certnew.cer
3. Sign the CSR with CA.
4. Install the signed certificate. DUT(config)# crypto pki install-signed-certificate
5. Verify the installed Root and Local certificate.
DUT(config)# sh crypto pki ta-profile
Profile Name Profile Status
CRL Configured OCSP Configured
--------------- ------------------------------ --------------- ---------------
IDEVID_ROOT
Root Certificate Installed
COMODO_CA
Root Certificate Installed
No
No
default
Self-signed Certificate Ins... No
No
GEOTRUST_CA
Root Certificate Installed
No
No
ARUBA_CA
Root Certificate Installed
No
No
ADDTRUST_CA
Root Certificate Installed
No
No
clearpass
Root Certificate Installed
No
No
ta1
Root Certificate Installed
No
No
DUT(config)# sh crypto pki local-certificate
Name
Usage
Expiration
Parent / Profile
-------------------- ------------- -------------- --------------------
IDEVID_CERT
IDEVID
2031/01/26
IDEVID_INTER_1
IDEVID_INTER_1
IDEVID
2031/01/26
IDEVID_INTER_2
661
Aruba 2930M/F | Access Security Guide
IDEVID_INTER_2 test Test_Certificate Cert1 DUT(config)#
IDEVID All Web
RADSEC
2031/01/26 2019/08/13 2019/08/03
2020/02/14
6. Configure radius-server with tls option. DUT(config)# radius-server host 192.168.1.252 tls
7. Enable debug commands. Debug security RadSec Debug security radius
8. Verify the RadSec connection. DUT(config)# show radius host 192.168.1.252
IDEVID_ROOT default default
ta1
Status and Counters - RADIUS Server Information
Server IP Addr : 192.168.1.252
TLS Enabled : Yes
Authentication Port Round Trip Time Pending Requests Retransmissions Timeouts Malformed Responses Bad Authenticators Unknown Types Packets Dropped Access Requests Access Challenges Access Accepts Access Rejects Connection Status Connection Error
: 2083
Accounting Port
: 2083
:4
Round Trip Time
:0
:0
Pending Requests
:0
:0
Retransmissions
:0
: 78
Timeouts
:0
:0
Malformed Responses : 0
:2
Bad Authenticators : 0
:0
Unknown Types
:0
: 10
Packets Dropped
:0
: 1435
Accounting Requests : 0
: 22
Accounting Responses : 0
: 11
: 1324
: RADSEC Connection established
: NA
Troubleshooting a RadSec connection
To troubleshoot a TLS enabled RADIUS server, use show radius host <IP | FQDN> command. The output information helps you to identify the reason for a connection failure.
RadSec TCP Socket Configuration
Unable to create a RadSec TCP socket. TCP socket is not created due to an internal socket configuration.
n No user action is required, as the switch retry happens every five minutes.
RadSec server connection
Unable to connect to RadSec server. Server is not reachable.
1. Check if the RadSec server is reachable. 2. Check if the switch is reachable from the RadSec server.
Switch certificates for RadSec are not available
Certificate for RadSec application is not present in the switch certificate store. Certificate used for RadSec connection is not configured on the switch.
Aruba 2930M/F | Access Security Guide
662
n Configure the certificates. For more information, see the Access Security Guide of your switch.
RadSec negotiation failure
RadSec negotiation failure. TLS handshake between the RADIUS server and switch has failed.
1. Verify the certificates for successful connections.
Unable to create RadSec TCP socket
TCP socket bind failure. The administratively assigned IP address of the switch is unable to bind to the socket. n No user action is required.
RadSec server TLS/TCP connection
RadSec server TLS/TCP connection is closed. The RADIUS server closes the connection due to bad packet header during TLS handshake.
1. Verify the logs in the ClearPass server.
Connection error between RadSec server and TCP socket
Symptom
The RadSec server is unable to read from the TCP socket due to a connection error.
Cause
The connection with the RadSec server is closed.
Action
No user action is required, as the connection retry happens every five minutes.
RadSec server read timeout error
RadSec server is unable to read from the socket. The RadSec server is unable to read, and write from the socket due to a timeout error. The connection with the RadSec server is closed. n No user action is required, as the connection retry happens every five minutes.
RadSec server write timeout error
RadSec server is unable to write to the socket. The RadSec server is unable to write to the socket due to a write timeout error. The connection with the RadSec server is closed. n No user action is required, as the connection retry happens every five minutes.
RadSec server certificate issue due to wrong common name
Connection failure due to a wrong common name in the RadSec server certificate. Mismatch between the common name in the RadSec server certificate and the RadSec configured on the host.
663
Aruba 2930M/F | Access Security Guide
n Check the CA certificate.
RadSec server certificate has a wrong subject name
RadSec server certificate has a wrong subject name. Connectivity error due to mismatch in the subject name between the switch and RadSec server CA certificate.
n Check the CA certificate and modify the subject name.
RadSec server CA unavailability
The RadSec server CA is not present in the switch trusted store.
n RadSec server certificate is not copied in the switch trusted store. n Switch CA certificate is not copied in the RadSec server CA store.
n Copy the required certificates.
Debugging a RadSec connection using logs
Use any of the following debug commands to troubleshoot connection issues:
n debug security radsec n debug security radius-server
Following is a sample of debug log: switch(config)# debug destination session switch(config)# debug security radsec switch(config)# debug security radius
0005:00:08:46.73 RAD mRadiusCtrl:ACCESS REQUEST id: 1 to 192.168.1.252 session: 0, access method: CONSOLE, User-Name: user1, NAS-IP-Address: 20.1.1.251.
0005:00:08:46.89 RAD mRadiusCtrl:ACCESS REQUEST id: 1 to 192.168.1.252 session: 0, access method: CONSOLE, NAS-identifier: HP-VSF-Switch.
0005:00:08:47.04 RAD mRadiusCtrl:Tracking packets alarm set 0005:00:08:47.11 RAD tRadsecR:ACCESS ACCEPT id: 1 from 192.168.1.252 received.
0005:00:12:12.89 RSEC tRadsecR:RADSEC: getsockopt() err code : 58, socket down and closed.
0005:00:15:23.82 RSEC mRadiusCtrl:RADSEC: successfully established connection with server 192.168.1.252.
Aruba 2930M/F | Access Security Guide
664
Chapter 34
Conformance to Suite-B Cryptography requirements
Conformance to Suite-B Cryptography requirements
Suite B is a set of cryptographic algorithms used for encryption, key exchange, digital signature, and hashing. As per RFC 6460, the Fact Sheet on Suite B Cryptography requires key establishment and authentication algorithms based on Elliptic Curve Cryptography and encryption using AES. In particular, Suite B includes the following:
n Advanced Encryption Standard (AES) FIPS 197 (with key sizes of 128 and 256 bits) n Elliptic Curve Digital Signature Algorithm (ECDSA) using 256 and 384 bit prime module curves digital
signatures n Elliptic Curve Diffie-Hellman (ECDH) using 256 and 384 bit prime module curves key exchange n Secure Hash Algorithm 2 (SHA-256 and SHA-384) message digest n Additional PKI / Certificate management requirements: Certificate Revocation List (CRL) and Online
Certificate Status Protocol (OCSP)
Suite B algorithms are defined to support two minimum levels of security, minLoS, with security strengths of 128 and 192 bits:
n minLOS-128 n minLOS-192
The level of security is determined by the strength of the keys.
Configuration support
The certificate manager CLI provides configuration support for integrating the switch into a customer's PKI.
CRL configuration facts
n When a certificate is presented while a CRL download is in progress and that the cached CRL has become stale or is not present, the acceptation or rejection of the certificate is subject to the policy enforcement of CRL configuration.
n When a CRL becomes stale, for example if the current time is ahead of the nextUpdateTime of the CRL, the CRL is deleted immediately.
n Once a successful TLS connection is established, even if the server certificate is revoked at a later time, the connection continues to exist until a renegotiation happens.
n If a CRL download fails due to any reason (for example, the server is not reachable or the memory is not available), an event is recorded in the system log with the failure reason. Once you have resolved the failure issue, you must initiate a download.
n You can download only one CRL at a time. If you initiate a request to fetch a CRL while a CRL download is already in progress, your request will be rejected.
n The Cumulative Maximum storage allowed for CRLs in flash is 1 MB.
Aruba 2930M/F | Access Security Guide
665
n Only two CRL files are allowed in the system. Any fetch request beyond this limit is rejected and logged appropriately.
n CRL fetch is supported only via LDAP. The CRL downloaded is of DER (binary) format. n If you delete an installed root-certificate when a CRL download for that profile is already in progress, the
download will be uninterrupted. The downloaded CRL thereafter will be deleted once its lifetime expires (becomes stale). n When you configure a CRL URL for a given TA profile, it takes priority over the CDP server settings mentioned in the certificate. n You can configure two URLs per CRL/CDP LDAP servers and OCSP responders. n Standard TCP timeouts are applicable during CRL fetch or OCSP status fetch. n CRLs are also written into the non-volatile memory so that when a device reboots or failover and previously had a valid CRL, it will automatically be loaded from the non-volatile memory avoiding a re-fetch of the CRL. In addition, for every 24 hour period (per CRL file), a given CRL file is updated into the flash memory if there is any recent update to the last written state.
OCSP configuration facts
n If you delete an installed root-certificate at the same time that an OCSP handshake is in progress, the revocation status o/p will be based on the deleted root-certificate.
n If you configure an OCSP responder URL for a given TA profile, it takes priority over the OCSP server settings specified in the AIA field of the client certificate.
n Now as OCSP enhancement, you can configure four OCSP responder URLs. n If the revocation-check is configured as both OCSP and CRL, OCSP takes precedence. For example, the
switch tries to retrieve the revocation status using OCSP first followed by CRL.
Configure CRL for revocation check
Configures the parameters for the Certificate Revocation list (CRL) revocation check mode.
Syntax
crypto pki ta-profile <profile-name>revocation-check [crl] [[strict|optional] [url1 <REVOCURL> | url2 <REVOC-URL>|[refresh-interval <hours>]
Parameters
profile-name A name (maximum 100 characters) with a unique identifier for the Trust Anchor Profile. Ten TA profiles are supported: one for each allowed trust anchor (Root CA certificate.) revocation-check Applies revocation check on a TA profile. crl Uses CRL for revocation.
You can only specify one of these options:
strict Sets the enforcement as strict.
666
Aruba 2930M/F | Access Security Guide
optional Sets enforcement as optional. url1 Configures the first URL. url2 Configures the second URL. refresh-interval Sets the periodic update interval in hours, default is 24.
Configure OCSP for revocation check
Configures the parameters for the OCSP revocation check mode.
Syntax
crypto pki ta-profile profile-name revocation-check ocsp [[strict|optional] | [url1 REVOCURL] | [url2 REVOC-URL] | [url3 REVOC-URL] | [url4 REVOC-URL] | [disable-nonce]]
Parameters
profile-name A name (maximum 100 characters) with a unique identifier for the Trust Anchor Profile. Ten TA profiles are supported: one for each allowed trust anchor (Root CA certificate.) revocation-check Applies revocation check on a TA profile. ocsp Uses OCSP for revocation.
You can only specify one of these options:
strict Sets the enforcement as strict. optional Sets enforcement as optional. url1 Configure the first URL. url2 Configures the second URL. url3 Configures the third URL. url4 Configures the fourth URL. disable-nonce Disables the nonce.
Aruba 2930M/F | Access Security Guide
667
Retrieve CRL
Retrieves the CRL of the TA profile.
Syntax
crypto pki ta-profile profile-name retrieve-crl
Parameters
profile-name A name (maximum 100 characters) with a unique identifier for the Trust Anchor Profile. Ten TA profiles are supported: one for each allowed trust anchor (Root CA certificate.) retrieve-crl Retrieves the CRL of the TA profile. You must configure the CRL URLs before you can perform this command. See Configure CRL for revocation check on page 666.
Set TA profile to validate CRL and OCSP
Sets the TA profile that contains root certificate for validating the CRL file.
Syntax
crypto pki ta-profile profile-name crl-root-profile ta-profile-name
parameters
ta-profile-name Name of the TA profile that contains root-certificate to validate revocation response. crl-root-profile Sets the TA profile that contains root certificate for validating the CRL file. Sets the TA profile that contains root certificate for validating the OCSP response.
Syntax
crypto pki ta-profile profile-name ocsp-root-profile ta-profile-name
Parameters
ta-profile-name Name of the TA profile that contains root-certificate to validate revocation response. ocsp-root-profile Sets the TA profile that contains root certificate for validating the OCSP response.
Clear CRL
Clears the CRL associated with the TA profiles.
Syntax
crypto pki clear crl [all | ta-profile profile-name]
Parameters
crl
668
Aruba 2930M/F | Access Security Guide
Clears all the CRLs associated with the TA profiles. all Clears all the CRLs associated with the all the TA profiles. ta-profile Clears the CRL of the specified TA profile. profile-name A name (maximum 100 characters) with a unique identifier for the Trust Anchor Profile. Ten TA profiles are supported: one for each allowed trust anchor (Root CA certificate.)
Create a certificate signing request
Creates a certificate signing request on the switch. Including the subject will override the configured identify profile.
Syntax
crypto pki create-csr certificate-name CERT-NAME ta-profile Profile-Name [usage <openflow | web | all | captive-portal | syslog | radsec-client>][key-type rsa keysize <1024|2048>] [key-type ecdsa curve <256|384>] [subject [command-name <CN-Value>] [org <Org-Value>] [orgunit <Org-unit-value>] [locality Location-Value>] [state <state-Value>] [country <CountryCode>] [valid-start <date> valid-end <date>]
Parameters
profile-name A name (maximum 100 characters) with a unique identifier for the Trust Anchor Profile. Ten TA profiles are supported: one for each allowed trust anchor (Root CA certificate.) usage When usage is set to all, it includes the OpenFlow and web applications, as well as other applications such syslog. rsa Uses the RSA key. You must specify the size of the key, key-size. Default is 1024. ecdsa Uses the ECDSA key. You must specify the elliptic curve size, curve. Default is 256.
Attempting to install a CA signed ecdsa 256/384 bit certificate fails with an error similar to Invalid certificate.
Create and enroll a self-signed certificate
Creates and enrolls a self-signed local certificate. Including the subject will override the configured identity profile.
Syntax
crypto pki enroll-self-signed certificate-name CERT-NAME [subject [command-name <CN-Value>] [org <Org-Value>] [org-unit <Org-unit-value>] [locality <Location-Value>] [state <state-Value>] [country <Country-Code>] [valid-start <date> valid-end <date>][usage <openflow | web | all | captive-portal | syslog | radsec-client>] [key-type rsa key-size <1024|2048>] [key-type ecdsa curve <256|384>]
Aruba 2930M/F | Access Security Guide
669
Parameters
profile-name A name (maximum 100 characters) with a unique identifier for the Trust Anchor Profile. Ten TA profiles are supported: one for each allowed trust anchor (Root CA certificate.) usage When usage is set to all, it includes OpenFlow and web applications, as well as other applications such as syslog. rsa Uses the RSA key. You must specify the size of the key, key-size. Default is 1024. ecdsa Uses the ECDSA key. You must specify the elliptic curve size, curve. Default is 256.
Configure or remove the minimum levels of security minLos for TLS
Configures the minimum levels of security for TLS to comply with Suite B. If strict mode is configured, only TLS 1.2 connections with ciphers compatible with 128 and 192 bits are accepted. For non-strict mode (which is the default option), the TLS 1.0 and later connections are supported.
Syntax
crypto SuiteB-MinLoS <128|192> tls [strict] no crypto SuiteB-MinLoS <128|192> tls [strict]
Parameters
no If you specify the strict mode, the strict configuration is removed. If you do not specify the strict mode, the minLoS and the strict configuration on the TLS are removed. SuiteB-MinLoS Configures Suite B minimum levels of security for TLS. 128 This security level matches Elliptic Curve P-256. 192 This security level matches Elliptic Curve P-384. tls Configures Suite B compliant minimum levels of security for TLS. strict Enforces the strict mode.
Install authentication files
Install authentication files for the SSH server as follows:
Syntax
crypto key generate ssh [rsa|dsa]
670
Aruba 2930M/F | Access Security Guide
Definitions key
Operation on an SSH key file.
generate
Installs a new key.
Installing a new key might be very slow in the first few minutes after booting the device.
Parameters
rsa Specifies a RSA key type. dsa Specifies a DSA key type.
Remove authentication files
Removes authentication files for the SSH server.
Syntax
crypto key zeroize [ssh | ssh-client-key | ssh-client-known-hosts]
Definitions key
Operation on an SSH key file.
zeroize
Removes the existing key.
ssh-client-key
Deletes SSH client key pair.
ssh-client-known-hosts
Removes the SSH client known hosts file.
show crypto client-public-key
Syntax
show crypto client-public-key [babble] [fingerprint] [manager] [operator]
Description
View the client public keys configured on the switch.
Parameters
Aruba 2930M/F | Access Security Guide
671
babble Display phonetic hash. fingerprint Display hexadecimal hash. manager Select manager public keys. operator Select operator public keys.
Remove the client public keys from configuration
Removes the currently loaded authorized client public keys from the active configuration. By default, the operator client public keys are removed.
Syntax
clear crypto client-public-key [<operator|manager> key-type <dsa|rsa>]
Parameters
dsa Removes the DSA key. rsa Removes the RSA key.
Show details of TA profile
Shows the details of the Trust Anchor profile specified.
Syntax
show crypto pki ta-profile TA-Profile-Name detail
Full syntax example
show crypto pki ta-profile crl TA-profile-name crl certificate-serial-numserial-num Displays all CRLs available in all TA-profiles. The option certificate-serial-num is only used when crl option is used in the show CLI.
Syntax
show crypto pki ta-profile [TA-PROFILE-NAME] [crl | detail] [certificate-serial-num <SERIALNUM>]
Parameters
TA-PROFILE-NAME
A name (maximum 100 characters) with a unique identifier for the Trust Anchor Profile. Ten TA profiles are supported: one for each allowed trust anchor (Root CA certificate.)
crl
672
Aruba 2930M/F | Access Security Guide
Shows the CRL details of the TA profile detail
Shows the configuration details of the TA profile. SERIAL-NUM
Serial number of the certificate whose revocation information is required.
The option certificate-serial-num is only used when the crl option is used in the show CLI; for example: show crypto pki ta-profile [TA-profile-name] crl certificate-serial-num <serialnum>
Support and other resources
Accessing Aruba Support
Aruba Support Services Aruba Support Portal North America telephone
International telephone
https://www.arubanetworks.com/support-services/
https://asp.arubanetworks.com/
1-800-943-4526 (US & Canada Toll-Free Number) +1-408-754-1200 (Primary - Toll Number) +1-650-385-6582 (Backup - Toll Number - Use only when all other numbers are not working)
https://www.arubanetworks.com/support-services/contactsupport/
Be sure to collect the following information before contacting Support:
n Technical support registration number (if applicable) n Product name, model or version, and serial number n Operating system name and version n Firmware version n Error messages n Product-specific reports and logs n Add-on products or components n Third-party products or components
Other useful sites
Other websites that can be used to find information:
Airheads social forums and Knowledge Base
https://community.arubanetworks.com/
Aruba 2930M/F | Access Security Guide
673
Software licensing
End-of-Life information
Aruba software and documentation
https://lms.arubanetworks.com/ https://www.arubanetworks.com/support-services/end-of-life/ https://asp.arubanetworks.com/downloads
Accessing updates
To download product updates:
Aruba Support Portal
https://asp.arubanetworks.com/downloads If you are unable to find your product in the Aruba Support Portal, you may need to search My Networking, where older networking products can be found:
My Networking
https://www.hpe.com/networking/support To view and update your entitlements, and to link your contracts and warranties with your profile, go to the Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: https://support.hpe.com/portal/site/hpsc/aae/home/
Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HPE Passport set up with relevant entitlements.
Some software products provide a mechanism for accessing software updates through the product interface. Review your product documentation to identify the recommended software update method. To subscribe to eNewsletters and alerts: https://www.hpe.com/support/e-updates
Warranty information
To view warranty information for your product, go to https://www.arubanetworks.com/supportservices/productwarranties/.
Regulatory information
To view the regulatory information for your product, view the Safety and Compliance Information for Server, Storage, Power, Networking, and Rack Products, available at www.hpe.com/support/Safety-ComplianceEnterpriseProducts
Additional regulatory information
Aruba is committed to providing our customers with information about the chemical substances in our products as needed to comply with legal requirements, environmental data (company programs, product recycling, energy efficiency), and safety information and compliance data, (RoHS and WEEE). For more information, see https://www.arubanetworks.com/company/about-us/environmental-citizenship/.
674
Aruba 2930M/F | Access Security Guide
Documentation feedback
Aruba is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (hpe-aruba-techpub-india@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
Aruba 2930M/F | Access Security Guide
675
Chapter 35 AOS-S RADIUS Vendor-Specific Attributes
AOS-S RADIUS Vendor-Specific Attributes
RADIUS VSA assignments for AOS-S are made under HPE Vendor-Specific ID 11.
Management access
hp-privilege-level
Type #: 1 Platforms supported: All Description: Specifies the privilege level for the management user Length: 4 Type: Integer Value range: Predefined privilege level are values 1 (Operator) and 15 (Manager) Format: HP-Privilege-Level = 1
hp-command-string
Type #: 2 Platforms supported: All Description: Specifies list of CLI commands that are permitted or denied Length: 1-253 Type: String Value range: List of commands Format: HP-Command-String += "show running-config", HP-Command-String += "enable"
hp-command-exception
Type #: 3 Platforms supported: All Description: Specifies whether commands indicated by the hp-command-string are permitted or denied Length: 1 Type: Integer Value range: zero (0) means permit all listed commands and deny all others; one (1) means deny all listed commands and permit all others Format: HP-Command-String += "show running-config", HP-Command-String += "enable", HP-Command-Exception = 0 or HP-Command-String += "show running-config", HP-Command-String += "enable", HP-Command-Exception = 1
Aruba 2930M/F | Access Security Guide
676
Chapter 35 | AOS-S RADIUS Vendor-Specific Attributes
hp-command-string
Type#: 80 Description: Specifies URI that user is allowed or denied to access Length: 1-253 Type: String Value range: Lists of URIs Format: HP-URI-String
hp-command-string
Type#: 81 Description: Specifies Parameter that user is allowed or denied to access in the URI Length: 1-253 Type: String Value range: List of methods Format: HP-URI-Json-String
hp-command-string
Type#: 82 Description: Specifies method allowed/denied for the user to access the URI Length: 2-6 Type: String Value range: "GET", "PUT","POST", "DELETE" and ".*" Format: HP-URI-Access
hp-command-exception
Type#: 83 Description: Specifies permission for the user to access the URI Length: 1 Type: Integer Value range: 0 means permit and 1 means deny Format: HP-URI-Exception
Access control
hp-port-dot1x-client-limit
Type #: 10 Platforms supported: All Description: Overrides local config on how many clients to allow for 802.1X Length: 4 Type: Integer Value range: Values range from 0 to 32 clients. A zero client limit means that this VSA is disabled. Format: HP-Port-Client-Limit-Dot1x = 5
hp-port-macauth-client-limit
Type #: 11
677
Aruba 2930M/F | Access Security Guide
Chapter 35 | AOS-S RADIUS Vendor-Specific Attributes
Platforms supported: All Description: Overrides local config on how many clients to allow for MAC Authentication Length: 4 Type: Integer Value range: Values range from 0 to 256 clients. A zero client limit means that this VSA is disabled. Supports 0-32 clients on the switch. Format: HP-Port-Client-Limit-MA = 5
hp-port-webauth-client-limit
Type #: 12 Platforms supported: All Description: Overrides local config on how many clients to allow for Web Authentication Length: 4 Type: Integer Value range: Values range from 0 to 256 clients. A zero client limit means that this VSA is disabled. Supports 0-32 clients on the switch. Format: HP-Port-Client-Limit-WA = 5
hp-port-dot1x-port-mode
Type #: 13 Platforms supported: All Description: Sets the 802.1X mode of operation to port-based Length: 4 Type: Integer Value range: A port-based VSA is set with a value of 1; a user-based VSA is set with a value of 2. Format: For port-based mode: HP-Port-Auth-Mode-Dot1x = 1, HP-Port-Client-Limit-MA = 0, HP-Port-Client-Limit-WA = 0 For user-based mode: HP-Port-Auth-Mode-Dot1x = 5
hp-port-macauth-port-mode
Type #: 14 Platforms supported: All Description: Sets the port to port-based mode for a MAC Authentication Length: 4 Type: Integer Value range: A port-based VSA is set with a value of 1. Format: HP-Port-Auth-Mode-MacAuth = 1
hp-port-bounce-host
Type #: 23 Platforms supported: All
Aruba 2930M/F | Access Security Guide
678
Chapter 35 | AOS-S RADIUS Vendor-Specific Attributes
Description: Toggle the physical port where the client is attached Length: 4 Type: Integer Value range: Integer value to represent the time interval to bounce the host port in seconds. Format: HP-Port-Bounce-Host = 12
hp-captive-portal-url
Type #: 24 Platforms supported: All Description: URL used for the Captive Portal for an authenticated client Length: <=255 Type: String Value range: URL Link for Captive Portal redirection for an authenticated client. Format: http://radius_server_ip/guest/captive_portal_login.php?
hp-user-role
Type #: 25 Platforms supported: All Description: The role applied for the authenticating user Length: <=63 Type: String Value range: Name of the created User role Format: HP-User-Role = TestRole
hp-cppm-role
Type #: 27 Platforms supported: All except 2530 Description: The ClearPass role applied for the authenticating user Length: <=63 Type: String Value range: ClearPass will send the Downloadable User Role name in this VSA to the authenticator Switch and switch downloads the Downloadable User Role. This VSA is supported in both RADIUS Access-Accept and RADIUS CoA. This VSA is mutually exclusive with hp-user-role VSA for local user-role. Format: HP-CPPM-Role = TestRole
hp-acct-terminate-cause
Type #: 29 Platforms supported: All Description: Used in accounting stop requests to indicate why a session was terminated Length: 4 Type: Integer Value range: This is similar to Acct-Terminate-Cause mentioned in RFC 2866 and RFC 3580. This attribute is sent in accounting request from switch with the reason for account termination.
679
Aruba 2930M/F | Access Security Guide
Chapter 35 | AOS-S RADIUS Vendor-Specific Attributes
Values:
RADIUS_HP_NAS_FILTER_RULE_BAD_SYNTAX
1
RADIUS_HP_NAS_FILTER_RULE_RESOURCE_OVERFLOW 2
Format: Acct-Terminate-Cause = Port-Disabled
hp-capability-advertisement
Type #: 255 Platforms supported: All Description: Advertises the device capabilities Length: <=255 Type: String Value range: List of 'HP-Capability-Advert' Vendor Specific Attributes (VSAs) containing information about the switch's current capability. Format: HP-Capability-Advert = 0x0138 Details: 0x01: Version of Capability Advertisement 0x38: Hex value of Attribute type 56 (Egress-VLANID) HP-Capability-Advert = 0x011a0000000b30 Details: 0x1: Version 0x1a: HP Vendor Specific type 0x0000000b: HP Vendor ID 0x30: Vendor Attribute Type of HP-Bandwidth-Max-Egress
Class of service
hp-port-priority-regeneration-table
Type #: 40 Platforms supported: All Description: A user-priority regeneration table. Eight octets, corresponding to priorities 0-7, containing new mappings. Length: 10 Type: String Value range: To set CoS priority Format: HP-Port-Priority-Regeneration-Table=5555555
Bandwidth
hp-bandwidth-max-ingress
Type #: 46
Aruba 2930M/F | Access Security Guide
680
Chapter 35 | AOS-S RADIUS Vendor-Specific Attributes
Platforms supported: All Description: Maximum bandwidth allocated to port for traffic received from user(s) (Kbps) Length: 4 Type: Integer Value range: RADIUS-assigned rate limit bandwidths must be specified in Kbps. (Bandwidth percentage settings are not supported.) Using a VSA on a RADIUS server to specify a per-user rate limit requires the actual Kbps to which ingress (inbound) traffic volume must be limited. For example, to limit inbound traffic on a gigabit port to half of the port's bandwidth capacity, a VSA setting of 500,000 Kbps is required. It also requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) to be configured on the client's port on the switch. The actual bandwidth available for ingress traffic from an authenticated client can be affected by the total bandwidth available on the client port. Format: HP-RATE-LIMIT = 500000
hp-bandwidth-max-egress
Type #: 48 Platforms supported: All except 2530 Description: Maximum bandwidth allocated to port for traffic transmitted out to user(s) (Kbps) Length: 4 Type: Integer Value range: RADIUS-assigned rate limit bandwidths must be specified in Kbps. (Bandwidth percentage settings are not supported.) Using a VSA on a RADIUS server to specify a per-port rate limit requires the actual Kbps to which you want to limit outbound traffic volume. For example, to limit outbound traffic on a gigabit port to half of the port's bandwidth capacity requires a VSA setting of 500,000 Kbps. In instances where multiple, authenticated clients are using this feature on the same switch port, only one (per port) rate limit is applied. In this case, the actual rate used is the rate assigned by the RADIUS server to the most recently authenticated client. This rate remains in effect as long as any authenticated client remains connected on the port. It also requires a port access authentication method (802.1X, Web Auth, or MAC Auth) to be configured on the client's port on the switch. The actual bandwidth available for egress traffic from an authenticated client can be affected by the total bandwidth available on the client port. Format: HP-RATE-LIMIT = 500000
hp-port-speed
Type #: 49 Platforms supported: All Description: Allowed port link speed/type following hpSwitchPortFastEtherMode Length: 20 Type: String Value range: Switch need to enable port-speed-vsa on port using following command: aaa port-access <port-num> port-speed-vsa Values allowed: 10-half 100-half 10-full 100-full 1000-full
681
Aruba 2930M/F | Access Security Guide
Chapter 35 | AOS-S RADIUS Vendor-Specific Attributes
auto auto-10 auto-100 auto-2500 auto-5000 auto-2500-5000 auto-1000 auto-10-100 auto-1000-2500 auto-1000-2500-5000 auto-10g Format: HP-Port-Speed = "100-half"
Filtering
hp-nas-filter-rule
Type #: 61 Platforms supported: All Description: Toggle the physical port where the client is attached Length: <=255 Type: String Value range: Access Control Entry Format: HP-nas-filter-rule += "deny in tcp from any to any 20,21 cnt", HP-nas-filter-rule += "permit in ip from any to any cnt"
hp-access-profile
Type #: 62 Platforms supported: All Description: Raw ACL string to apply for packets from user Length: 32 Type: String Value range: This attribute sets the access profile for the user for EWA (Enhanced Web Authentication). The value will be used to create a redirect URL based on the users profile. Format: HP-Access-Profile = "1.1.1.1 ;/usr/local/tests"
hp-ipv6-rules
Type #: 63 Platforms supported: All Description: Name of access profile IDM to switch (must be fewer than 32 octets) Length: 4 Type: Integer Value range:
Aruba 2930M/F | Access Security Guide
682
Chapter 35 | AOS-S RADIUS Vendor-Specific Attributes
1 - both IPv6 and IPv4 traffic rules will be applied 0 - only IPv4 traffic rules will be applied and ipv6 traffic will be denied Format: HP-Nas-Rules-IPv6=1
hp-egress-vland-id
Type #: 64 Platforms supported: All Description: When set to 1, enables IPv6 support for filter/traffic rules Length: 4 Type: Integer Value range: vlan id value Format: <tagged/untagged(0x31 or 0x32)>000<VLAN_ID (as hex)> The value of Egress-VLANID is a bit string, the first 8 bits specify whether the VLAN is tagged or untagged and must be either 0x31 (tagged) or 0x32 (untagged). The next 12 bits are padding 0x000, and the final 12 bits are the VLAN ID as an integer value. For example, the value to set VLAN 17 as a tagged egress VLAN would be 0x31000011 HP-Egress-Vlan-id = 0x31000011
hp-egress-vlan-name
Type #: 65 Platforms supported: All Description: VSA equivalent of RFC 4675 attributes Length: <=255 Type: String Value range: vlan name value Format: <tagged/untagged(1 or 2)><VLAN Name String> HP-Egress-Vlan-Name = 1VLAN100 or HP-Egress-Vlan-Name = 2VLAN200
683
Aruba 2930M/F | Access Security Guide
madbuild