Wired Intelligent Edge

Aruba Switch Basics

  • 1.  Aruba Switch Basics

    Posted May 08, 2013 01:41 AM

    I am very new to Aruba Networks switches. I would appreciate it if I could get a basic level of support on the points below.

    I am configuring MODEL # S2500-24P-4X10G POE.

    Can we telnet to the Aruba S2500 switch?

    How can we block SSH/Telnet?

    I have some basic questions about authentication.

    Question 1: Configuration > Authentication > Servers. I have configured the Internal Server with:

    User name: MAC address of machine

    Password: MAC address of machine

    Under Role, I can see the list below:

    1. authenticated

    2. denyall

    3. guest

    4. guest-logon

    5. logon

    Can you briefly explain the use of each? What are the roles, and where do we have to apply each one?

    Question 2: Configuration > Authentication > Profile

    Under AAA Profiles the default profiles are below:

    1. default

    2. default-dot1x

    3. default-mac-auth

    Can you briefly explain each one and where we have to apply them?

    When I click on the New button:

    I gave my AAA profile the name "TEST".

    VLAN Assignment: Native "1".

    Port Assignment: any port belonging to the native VLAN.

    Under Initial Role, what do I have to select and why?

    Under User Role, what do I have to select and why?

    How is the Initial Role different from the User Role?

    Under User Role, what is Derived VLAN?

    Under Authentication Method I have the fields below.

    Authentication method: I have selected MAC.

    There are two selections:

          Select from a known profile? What is a known profile, and where do we define it?

          Specify a new profile?

    Just for your information, I am doing in-house testing. I want to test different features of the S2500; currently I am looking at MAC-based authentication.

    Please elaborate. As I have to perform demos at different customer sites, could you also share the demo script for the switch that you use to demonstrate the features, and the commissioning demo script?

    Regards

    Muhammad Malik




  • 2.  RE: Aruba Switch Basics

    EMPLOYEE
    Posted May 08, 2013 07:49 AM

    Hi Muhammad,

    SSH and telnet can both be used.

    To block access via SSH and telnet, you could create a netdestination with a list of all of the addresses that you want to be able to access the switch from. Then build a netdestination of all of the IP interfaces that are active on the switch. Then build an ACL that allows access from those addresses and blocks others. For example:

    ip access-list stateless MANAGEMENT-SSH-ACL
      alias NET-MGT-IP   alias SWITCH-IPS any  permit
      alias SWITCH-IPS   alias NET-MGT-IP any  permit
      alias DHCP-SERVERS-DEST   alias SWITCH-IPS svc-dhcp  permit
      any   alias SWITCH-IPS any  deny
      any any any  permit
    !

    Question 1: The roles that you have listed are the default roles that are built into the switch. Roles can be used to give different access to different people. You can attach ACLs and VLAN assignments to a specific role.

    You can see exactly what is configured for each role by running the command show rights <role name>

    You could have IT administrators in the authenticated role with allowall access and then create a second role for end users which restricts access to certain things.

    [Attachment: authenticated.png]

    For question 2: The AAA profiles can be applied globally to the entire switch and also on a per-port or per-VLAN basis. A big thing to remember is that AAA profiles are only used if the port is untrusted. This forces the device to go through some type of authentication process. If the port is trusted, then no authentication will happen.

    The Initial Role is used for things like captive portals, where the user will end up in a different role after layer 3 authentication. For layer 2 802.1X authentication (EAPOL), the initial role is not used, but it is best to apply a denyall rule there.

    User Role would be the final data access role for the user.

    If you are using the internal user database to store MAC addresses for authentication, put the MAC address as both the username and password.

    For MAC Authentication Server Group, you can then use "default", which defaults to the internal user database for authentication.

    For MAC Authentication Default Role, you would specify the user role that you want MAC auth'ed users to be put into after successful authentication.

     

     

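    The stateless ACL in the reply above is evaluated top-down, first match wins, so the order of the permit and deny lines decides who can still reach the switch's own IP interfaces. The following is an added example, not code from the thread or from Aruba, that walks constructed sample packets through those five rules; the netdestination addresses and the port mapping for svc-dhcp are assumed, since the thread does not list them.

```python
import ipaddress

# Constructed sample netdestinations (assumed addresses; the thread lists none).
NETDEST = {
    "NET-MGT-IP": [ipaddress.ip_network("10.0.100.0/24")],
    "SWITCH-IPS": [ipaddress.ip_network("10.0.1.1/32"),
                   ipaddress.ip_network("10.0.2.1/32")],
    "DHCP-SERVERS-DEST": [ipaddress.ip_network("10.0.200.10/32")],
}

# The posted rules, in order: (source alias, destination alias, service, action).
ACL = [
    ("NET-MGT-IP", "SWITCH-IPS", "any", "permit"),
    ("SWITCH-IPS", "NET-MGT-IP", "any", "permit"),
    ("DHCP-SERVERS-DEST", "SWITCH-IPS", "svc-dhcp", "permit"),
    ("any", "SWITCH-IPS", "any", "deny"),
    ("any", "any", "any", "permit"),
]

# Service aliases as (protocol, destination ports); svc-dhcp covers both DHCP ports.
SERVICES = {"svc-dhcp": ("udp", {67, 68}),
            "svc-ssh": ("tcp", {22}), "svc-telnet": ("tcp", {23})}

def _addr_match(alias, addr):
    if alias == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NETDEST[alias])

def _svc_match(alias, proto, dport):
    if alias == "any":
        return True
    want_proto, ports = SERVICES[alias]
    return proto == want_proto and dport in ports

def evaluate(src, dst, proto, dport):
    """Return (action, rule index) of the first matching rule. A stateless ACL
    is walked top-down and stops at the first hit, so the 'deny to SWITCH-IPS'
    line only blocks what the permits above it did not already accept."""
    for i, (s, d, svc, action) in enumerate(ACL):
        if _addr_match(s, src) and _addr_match(d, dst) and _svc_match(svc, proto, dport):
            return action, i
    return "deny", None  # nothing matched: implicit deny

if __name__ == "__main__":
    for pkt in [("10.0.100.5", "10.0.1.1", "tcp", 22),    # admin -> switch SSH
                ("10.0.50.7", "10.0.1.1", "tcp", 22),     # other host -> switch SSH
                ("10.0.200.10", "10.0.1.1", "udp", 68),   # DHCP server -> switch
                ("10.0.50.7", "10.0.60.9", "tcp", 443)]:  # transit traffic
        print(pkt, "->", evaluate(*pkt))
```

    Moving the deny line above the DHCP permit would silently break the switch's own DHCP traffic, which is the kind of ordering mistake this check catches before the ACL is applied.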


  • 3.  RE: Aruba Switch Basics

    Posted May 08, 2013 09:13 AM

    Hi,

    Thank you for your response. I want to apply MAC-based authentication; I am giving my machine's NIC MAC address as the username and password. Attached is the configuration for your review.

    I am using the default AAA profile, and my switch port 23 is also untrusted. But I am still unable to apply the MAC-based security. Can you please let me know what I am doing wrong?

    I have also gone through the user manual.

    Also, do you have a demo script prepared for switch demonstrations?

    Thanks



  • 4.  RE: Aruba Switch Basics

    EMPLOYEE
    Posted May 08, 2013 12:54 PM

    Are you entering the MAC address in the following format: AA-BB-CC-11-22-33 (caps and dashes)? The MAC profile is currently set to dash delimiters and all caps.

    Also, can you turn on user debugging, then connect the device and post the log?

    Enable debugging:

    (config) # logging level debugging user-debug <mac address>

    Display log:

    show log user-debug all | include <mac address>


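    The failure the reply above points at is a plain string mismatch: the switch submits the MAC in whatever delimiter and case the MAC authentication profile is set to, and the internal-database entry must match that string exactly. The following is an added example, not code from the thread or from Aruba, that renders a MAC the way the profile will present it and checks an existing entry against it; the "colon", "none" and "lower" options and the local-userdb CLI line are assumptions to verify on your own release.

```python
import re

_HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")

def mac_credential(raw, delimiter="dash", case="upper"):
    """Return the MAC exactly as the switch will present it as username/password.
    delimiter/case default to the profile settings named in the thread (dash, upper);
    'colon', 'none' and 'lower' are assumed alternatives. Accepts aa:bb:cc:11:22:33,
    aa-bb-cc-11-22-33, aabb.cc11.2233 or aabbcc112233; raises ValueError otherwise."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    digits = digits.upper() if case == "upper" else digits.lower()
    sep = {"dash": "-", "colon": ":", "none": ""}[delimiter]
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))

def entry_matches(db_username, raw_mac, delimiter="dash", case="upper"):
    """True only when the stored internal-database username is byte-for-byte what
    the switch submits; a lowercase or colon-separated entry fails MAC auth even
    though it names the same NIC."""
    return db_username == mac_credential(raw_mac, delimiter, case)

def local_userdb_line(raw_mac, role, delimiter="dash", case="upper"):
    """Assumed ArubaOS CLI syntax (verify on your release): add the MAC as both
    username and password, as the earlier reply recommends."""
    cred = mac_credential(raw_mac, delimiter, case)
    return f"local-userdb add username {cred} password {cred} role {role}"

if __name__ == "__main__":
    nic = "aa:bb:cc:11:22:33"   # constructed sample MAC
    print(local_userdb_line(nic, "authenticated"))
    print("stored lowercase/colon entry matches:", entry_matches(nic, nic))
```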
