Chapter 7: Switch Security: Authentication, Access Control, and Port Security
Learning Objectives
Trace the 802.1X EAP exchange between supplicant, authenticator, and RADIUS authentication server.
Configure port-access authentication on AOS-CX (802.1X, MAC-Auth, multi-domain, multi-auth).
Distinguish Local User Roles (LUR) from Downloadable User Roles (DUR) and configure DUR prerequisites.
Apply ACLs and classifier policies to ports, VLANs, SVIs, and L3 VNI contexts on AOS-CX.
Harden the AOS-CX management plane with SSH keys, HTTPS certificates, TACACS+, and centralized syslog.
Compare RADIUS vs TACACS+ and select the appropriate AAA protocol per use case.
A campus switch is the front door of the enterprise network. Every printer, kiosk, IP phone, laptop, contractor tablet, and IoT camera plugs into it, and once a frame is forwarded the rest of the network has to trust the sender. The HPE Aruba Networking Switching Associate (HPE7-A01) exam expects you to treat that front door like a security checkpoint: authenticate the user or device, hand it a role that says what it is allowed to do, enforce that role with ACLs and Classifier policies, and finally lock the management plane so no attacker can simply log into the switch and erase the rules.
Think of the switch as the lobby of a corporate building. The 802.1X handshake is the security guard checking your badge. The user role is the visitor sticker that says which floors you can ride to. The ACL is the elevator's card reader that enforces it. And the management plane hardening is the locked supply closet behind reception where the building blueprints live.
7.1 Port-Based Authentication
Pre-Reading Quiz: Port-Based Authentication
1. Which actor in the 802.1X model relays EAP frames between the client and the RADIUS server but does not itself decide whether the user is authorized?
Supplicant
Authenticator
Authentication server
CoA proxy
2. A desk has an IP phone with a PC daisy-chained behind it. Which AOS-CX port-access mode lets the phone authenticate on a tagged voice VLAN while the PC independently authenticates on the untagged data VLAN?
Single-host
Multi-host
Multi-domain
Multi-auth
3. A printer with no 802.1X supplicant must still be allowed onto the network. Which fallback method does AOS-CX use, and what does it send to RADIUS as the credential?
Captive portal; the user's email address
MAC authentication; the device's MAC address as username/password
PEAP-MSCHAPv2; an AD service account
EAP-TLS; a pre-installed device certificate
4. ClearPass needs to revoke a guest session after the user's time-quota expires. Which feature must be enabled on the AOS-CX switch so ClearPass can push that change asynchronously?
radius dyn-authorization enable (CoA)
aaa accounting commands stop
port-access role flush
snmp-server trap port-state
Port-based authentication means the switch refuses to forward user traffic on an access port until the connecting device proves who it is. AOS-CX implements this with the port-access framework, which unifies 802.1X, MAC authentication, and captive portal under a single authenticator state machine.
7.1.1 The 802.1X EAP Flow
802.1X is an IEEE standard that wraps the Extensible Authentication Protocol (EAP) inside Layer-2 frames called EAPOL (EAP over LAN). Three actors are involved:
Supplicant — the client, typically the OS-native 802.1X service on a laptop or phone.
Authenticator — the AOS-CX switch port. It is the gatekeeper: it relays EAP between the supplicant and the RADIUS server but does not itself decide whether the user is allowed in.
Authentication Server — the RADIUS server, almost always Aruba ClearPass Policy Manager in HPE designs.
The handshake follows a strict sequence. The supplicant or the switch sends an EAPOL-Start. The switch replies with an EAP-Request/Identity. The supplicant returns its identity, which the switch encapsulates inside RADIUS Access-Request and forwards to ClearPass. ClearPass and the supplicant then negotiate an inner EAP method — EAP-TLS (certificates), PEAP-MSCHAPv2 (AD password inside a TLS tunnel), or EAP-TTLS. When ClearPass is satisfied it returns a RADIUS Access-Accept that may include vendor-specific attributes (VSAs) such as the Aruba user role or a VLAN ID, and the switch finally moves the port from the unauthenticated to the authorized state.
radius-server host 10.10.0.105 key plaintext aruba123 vrf mgmt
aaa authentication port-access dot1x authenticator
    enable
vlan 10
port-access role LUR
    vlan access 10
interface 1/1/1
    no shutdown
    no routing
    vlan access 1
    aaa authentication port-access dot1x authenticator
        enable
The vrf mgmt qualifier sends authentication traffic out the dedicated out-of-band management VRF. The port-access role LUR block defines a Local User Role pinned to VLAN 10. When ClearPass returns its own role via the Aruba VSA, the local role is overridden and the CLI suffixes the role name with an asterisk (e.g., test_LUR*) to flag the RADIUS override.
7.1.2 MAC Authentication as Fallback
Devices without supplicants — printers, badge readers, IP cameras — can authenticate via MAC-Auth (also called MAB). The switch sends the MAC as both username and password to RADIUS. Production deployments combine 802.1X and MAC-Auth on the same port: dot1x first, then MAC-Auth on timeout/failure.
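The exchange in 7.1.1 and the MAC-Auth fallback above, modelled as a small Python state machine. This is an added example, not code from the chapter or from HPE/Aruba: the supplicant, the authenticator (port) and the authentication server are plain classes, the "ClearPass" policy database is an in-memory dictionary, and every identity, MAC address and role name is constructed. It shows that the authenticator only relays and never decides, that MAC-Auth sends the MAC as both username and password, and that a role returned in the Aruba VSA overrides the port's Local User Role and is shown with the trailing asterisk described in 7.1.1.

```python
"""Toy model of the AOS-CX port-access authenticator (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the ClearPass policy database.
# 802.1X identity -> (secret, Aruba-User-Role VSA or None when no VSA is returned)
DOT1X_USERS = {
    "alice@corp.example": ("s3cret", "employee"),
    "bob@corp.example": ("pa55word", None),
}
# MAC-Auth endpoints -> role. Username and password are both the MAC.
MAB_DEVICES = {"00:11:22:33:44:55": "printer"}


@dataclass
class RadiusReply:
    code: str                          # "Access-Accept" or "Access-Reject"
    user_role: Optional[str] = None    # Aruba user-role VSA, if present


class AuthServer:
    """Authentication server: the only actor that makes the decision."""
    def __init__(self, reachable: bool = True):
        self.reachable = reachable

    def access_request(self, username, password, method):
        if not self.reachable:
            return None                # RADIUS timeout: no reply at all
        if method == "dot1x":
            entry = DOT1X_USERS.get(username)
            if entry and entry[0] == password:
                return RadiusReply("Access-Accept", entry[1])
        elif method == "mac-auth":
            if username == password and username in MAB_DEVICES:
                return RadiusReply("Access-Accept", MAB_DEVICES[username])
        return RadiusReply("Access-Reject")


@dataclass
class Supplicant:
    mac: str
    identity: Optional[str] = None     # None = device has no 802.1X supplicant
    password: Optional[str] = None


@dataclass
class Port:
    """Authenticator: relays EAP/RADIUS, never decides, applies the returned role."""
    local_role: str                    # Local User Role configured on the port
    state: str = "unauthenticated"
    role: Optional[str] = None
    log: list = field(default_factory=list)

    def authenticate(self, client: Supplicant, server: AuthServer, dot1x_timeout_s=30):
        # Phase 1: 802.1X. EAP rides in EAPOL on the link, inside RADIUS to the server.
        self.log.append("-> EAPOL-Start")
        self.log.append("<- EAP-Request/Identity")
        if client.identity is not None:
            self.log.append(f"-> EAP-Response/Identity {client.identity}")
            reply = server.access_request(client.identity, client.password, "dot1x")
            if reply is None:
                self.log.append("RADIUS timeout on dot1x")
            elif reply.code == "Access-Accept":
                return self._authorize(reply)
            else:
                self.log.append("EAP-Failure")
        else:
            self.log.append(f"no EAP-Response within {dot1x_timeout_s}s")
        # Phase 2: MAC-Auth fallback on timeout or failure.
        self.log.append(f"-> Access-Request user={client.mac} (mac-auth)")
        reply = server.access_request(client.mac, client.mac, "mac-auth")
        if reply is not None and reply.code == "Access-Accept":
            return self._authorize(reply)
        self.state, self.role = "unauthenticated", None
        return self.state, self.role

    def _authorize(self, reply: RadiusReply):
        self.state = "authorized"
        # A role carried in the VSA overrides the local role; the CLI marks it with '*'.
        self.role = reply.user_role + "*" if reply.user_role else self.local_role
        return self.state, self.role


if __name__ == "__main__":
    server = AuthServer()
    for client in (Supplicant("aa:bb:cc:dd:ee:01", "alice@corp.example", "s3cret"),
                   Supplicant("00:11:22:33:44:55")):
        port = Port(local_role="LUR")
        print(port.authenticate(client, server), port.log)
```

A supplicant-less device spends the full dot1x timeout before MAC-Auth even starts, which is why production ports run both methods and why a slow first connection for a printer is expected rather than a fault.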
7.1.3 Multi-Domain and Multi-Host Modes
| Mode | Behavior | Typical Use |
|---|---|---|
| Single-host | Exactly one MAC may authenticate. | High-security ports, server racks. |
| Multi-host | First MAC authenticates; port then opens to all subsequent MACs without auth. | Legacy mode; rarely recommended. |
| Multi-domain | One voice (tagged) and one data (untagged) MAC. Each authenticates independently. | Phone-plus-PC desks. |
| Multi-auth | Every MAC behind the port authenticates separately into its own VLAN/role. | Hubs, virtualized hosts with multiple VMs. |
7.1.4 Captive Portal Integration
For guests, AOS-CX integrates with ClearPass Guest via a redirect role. The unknown MAC is MAC-Auth'd, ClearPass returns a "guest-redirect" role (limited reachability + redirect URL), the user registers/logs in via the portal, then ClearPass issues a Change-of-Authorization (CoA) over RADIUS dynamic authorization to upgrade the session to a "guest-authorized" role. CoA requires radius dyn-authorization enable on the switch.
Key Points
802.1X requires three actors: supplicant, authenticator (switch), authentication server (ClearPass).
EAP frames travel in EAPOL on the access link and inside RADIUS toward the server.
MAC-Auth is the universal fallback for supplicant-less devices.
Multi-domain = one voice + one data MAC; multi-auth = many MACs each in their own role.
CoA from ClearPass requires radius dyn-authorization enable on the switch.
Post-Reading Quiz: Port-Based Authentication
1. Which actor in the 802.1X model relays EAP frames between the client and the RADIUS server but does not itself decide whether the user is authorized?
Supplicant
Authenticator
Authentication server
CoA proxy
2. A desk has an IP phone with a PC daisy-chained behind it. Which AOS-CX port-access mode lets the phone authenticate on a tagged voice VLAN while the PC independently authenticates on the untagged data VLAN?
Single-host
Multi-host
Multi-domain
Multi-auth
3. A printer with no 802.1X supplicant must still be allowed onto the network. Which fallback method does AOS-CX use, and what does it send to RADIUS as the credential?
Captive portal; the user's email address
MAC authentication; the device's MAC address as username/password
PEAP-MSCHAPv2; an AD service account
EAP-TLS; a pre-installed device certificate
4. ClearPass needs to revoke a guest session after the user's time-quota expires. Which feature must be enabled on the AOS-CX switch so ClearPass can push that change asynchronously?
radius dyn-authorization enable (CoA)
aaa accounting commands stop
port-access role flush
snmp-server trap port-state
7.2 User Roles and Device Profiles
Pre-Reading Quiz: User Roles & Device Profiles
1. Which of the following is true of a Downloadable User Role (DUR) but NOT of a Local User Role (LUR)?
It can pin the client to a specific VLAN.
It is fetched from ClearPass over HTTPS after authentication and cleared on reboot.
It is referenced in a RADIUS Access-Accept VSA.
It applies an inline classifier policy to the role.
2. Three switch-side prerequisites are required for DUR. Which one is NOT a prerequisite?
A TA profile that trusts the ClearPass HTTPS certificate
A dedicated read-only ClearPass admin user configured via radius-server clearpass
A SNMP v3 user authorized to write running-config
HTTPS reachability from the switch's source VRF to ClearPass on TCP/443
3. An Aruba AP is plugged into an access port that has 802.1X enabled but the AP has no supplicant. Which AOS-CX feature applies a pre-built role on this port the moment LLDP is heard, before any authentication is attempted?
4. On the CLI, the role name contractor* is shown for a connected client. What does the asterisk indicate?
The role contains a syntax error.
The session is in the unauthenticated/redirect state.
The role was applied via RADIUS rather than from local config.
The role expired and is awaiting re-authentication.
Authentication tells the switch who connected. Authorization tells it what they can do. AOS-CX expresses authorization with roles — named policies bundling VLAN, ACLs, QoS, captive-portal redirect, session timeout, and reauthentication interval.
7.2.1 Local User Roles (LUR)
A Local User Role lives in the switch's running configuration. It is defined once with port-access role <name> and referenced either by local fallback config or by the name returned in a RADIUS VSA.
LURs are perfect for small deployments and as fallback when ClearPass is unreachable. The drawback is sprawl: every change touches every switch.
7.2.2 Downloadable User Roles (DUR)
A DUR is defined entirely in ClearPass and pulled to the switch on demand over HTTPS/REST after authentication. The switch caches it in volatile memory; reboot or policy update clears it. Three switch-side prerequisites:
Trust Anchor (TA) profile for ClearPass HTTPS — the switch validates ClearPass's certificate before downloading any role.
A read-only ClearPass admin account dedicated to DUR (configured via radius-server clearpass username/password).
HTTPS reachability from the switch's source VRF to ClearPass on TCP/443.
Figure 7.2: Downloadable User Role Flow — Auth → Fetch → Apply
| Aspect | Local User Role (LUR) | Downloadable User Role (DUR) |
|---|---|---|
| Storage | Switch running-config | ClearPass; downloaded volatilely |
| Change management | Per-switch CLI push | Single ClearPass edit |
| Survives reboot? | Yes (in startup-config) | No, re-downloaded after auth |
| Requires HTTPS to ClearPass? | No | Yes |
| Best for | Small sites, fallback | Campus-wide consistent policy |
| Visible suffix when applied via RADIUS | * | * plus Type: clearpass |
7.2.3 Device Profiles via LLDP
A device profile watches LLDP TLVs and applies a pre-built role when a match is found, before any authentication is attempted. This solves the chicken-and-egg problem of provisioning APs and IoT gateways on locked-down ports.
port-access lldp-group aruba-ap
    match sys-desc Aruba
port-access device-profile aps
    associate role ap-role
    associate lldp-group aruba-ap
    enable
Key Points
LURs live on the switch; DURs live on ClearPass and are downloaded over HTTPS, cleared on reboot.
DUR prerequisites: TA profile, dedicated read-only ClearPass admin user, HTTPS reachability, and CoA enabled.
The asterisk on a role name (e.g. contractor*) means the role came from RADIUS, not from running-config.
Device profiles use LLDP to apply a role before authentication — the standard way to bring up Aruba APs.
Post-Reading Quiz: User Roles & Device Profiles
1. Which of the following is true of a Downloadable User Role (DUR) but NOT of a Local User Role (LUR)?
It can pin the client to a specific VLAN.
It is fetched from ClearPass over HTTPS after authentication and cleared on reboot.
It is referenced in a RADIUS Access-Accept VSA.
It applies an inline classifier policy to the role.
2. Three switch-side prerequisites are required for DUR. Which one is NOT a prerequisite?
A TA profile that trusts the ClearPass HTTPS certificate
A dedicated read-only ClearPass admin user configured via radius-server clearpass
A SNMP v3 user authorized to write running-config
HTTPS reachability from the switch's source VRF to ClearPass on TCP/443
3. An Aruba AP is plugged into an access port that has 802.1X enabled but the AP has no supplicant. Which AOS-CX feature applies a pre-built role on this port the moment LLDP is heard, before any authentication is attempted?
4. On the CLI, the role name contractor* is shown for a connected client. What does the asterisk indicate?
The role contains a syntax error.
The session is in the unauthenticated/redirect state.
The role was applied via RADIUS rather than from local config.
The role expired and is awaiting re-authentication.
7.3 ACLs and Classifier Policies
Pre-Reading Quiz: ACLs & Classifier
1. AOS-CX ACLs are evaluated in which order, and what happens to a packet that matches no rule?
Bottom-up, longest-match-wins; unmatched packets are forwarded.
Top-down, first-match-wins; unmatched packets are dropped by an implicit deny any.
Random order, weighted; unmatched packets are sent to the supervisor.
Hash-table lookup; unmatched packets are punted to CPU.
2. You need to filter L2 traffic between two endpoints in the SAME VLAN. To which AOS-CX object should the ACL be applied?
The SVI (interface vlan <id>)
The L2 VLAN itself (vlan <id> with apply access-list)
The default VRF
The management interface mgmt
3. When should you choose a classifier policy (class-map + policy-map) over a plain ACL on AOS-CX?
Whenever you need stateful inspection.
When you need to mark DSCP, rate-limit, or redirect traffic — actions richer than permit/deny.
Only on management ports.
Whenever the rule list contains more than 100 entries.
4. An ACL named DENY-RFC1918 is applied to interface 1/1/5 inbound, but RFC1918 traffic is still being forwarded. Which command is the fastest first-line check?
show running-config interface 1/1/5
show access-list hit-counts ip DENY-RFC1918
show interface 1/1/5 statistics
debug acl all
Roles describe intent; ACLs and classifier policies enforce it in hardware. AOS-CX ACLs are stateless: each packet is evaluated independently against the ACE list, top-down, first-match-wins, with an implicit deny any at the end of every list. ACLs are programmed into TCAM and run at wire speed; the trade-off is no payload inspection or app-layer filtering.
7.3.1 Standard vs Extended ACLs
AOS-CX collapses the standard/extended distinction: every ACL is a named list whose ACE syntax matches any L3/L4 fields.
access-list ip BLOCK-RFC1918
    10 deny ip 10.0.0.0/8 any
    20 deny ip 172.16.0.0/12 any
    30 deny ip 192.168.0.0/16 any
    40 permit ip any any
7.3.2 Stateless First-Match-Wins Evaluation
Return traffic must be permitted explicitly (e.g. permit tcp any eq 443 any established). The "first-match-wins" rule rewards careful ordering: a permissive permit ip any any placed too early will silently bypass every later deny.
7.3.3 Classifier Policies
A classifier policy can do more than permit/deny: it can mark DSCP, rate-limit, mirror, or redirect.
class ip web-traffic
    10 match tcp any any eq 80
    20 match tcp any any eq 443
policy CAMPUS-QOS
    10 class ip voice-traffic action dscp ef
    20 class ip web-traffic action dscp af31
    30 class ip any action dscp default
7.3.4 Where to Apply ACLs
| Context | Location | Use Case |
|---|---|---|
| Physical interface | interface 1/1/1 | Per-port ingress filter (guest port lockdown). |
| SVI / VLAN interface | interface vlan 10 | Routed traffic entering/leaving a VLAN. |
| L2 VLAN | vlan 10 | Switched (intra-VLAN) traffic between endpoints. |
| L3 VNI (VXLAN) | VNI context | Routed traffic inside an EVPN-VXLAN fabric. |
7.3.5 Hit-Count Verification
The single most useful troubleshooting command for "is my ACL even matching?" is:
show access-list hit-counts ip BLOCK-RFC1918
A line that should be matching but shows zero hits is an instant flag — either the traffic is not arriving where you think it is, or an earlier ACE is catching it.
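The evaluation rules from 7.3.1, 7.3.2 and the hit-count check above, implemented as a software model so they can be exercised offline. This is an added example, not AOS-CX code: it reproduces the semantics the chapter describes (stateless, top-down, first-match-wins, implicit deny any, per-ACE counters) for a small subset of ACE syntax (protocol, source/destination prefix, eq port on either side, established). The ACL names, prefixes and packets are constructed; BLOCK-RFC1918 mirrors the list shown in 7.3.1, SHADOWED reproduces the ordering mistake from 7.3.2, and WEB-RETURN shows why return traffic needs its own permit on a stateless filter.

```python
"""Software model of AOS-CX ACL semantics (added example, not switch code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False             # TCP ACK/RST set, which is what 'established' matches


@dataclass
class Ace:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # CIDR prefix or "any"
    dst: str
    sport: Optional[int] = None   # 'eq <port>' after the source
    dport: Optional[int] = None   # 'eq <port>' after the destination
    established: bool = False
    hits: int = 0

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (_in_net(pkt.src, self.src) and _in_net(pkt.dst, self.dst)):
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not pkt.ack:
            return False
        return True


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


class Acl:
    """A named list evaluated top-down; the first matching ACE wins."""
    def __init__(self, name: str, aces):
        self.name = name
        self.aces = sorted(aces, key=lambda a: a.seq)
        self.implicit_deny_hits = 0

    def evaluate(self, pkt: Packet):
        """Return (action, matching sequence number); None = the implicit deny."""
        for ace in self.aces:
            if ace.matches(pkt):
                ace.hits += 1
                return ace.action, ace.seq
        self.implicit_deny_hits += 1          # the implicit 'deny any' at the end
        return "deny", None

    def hit_counts(self):
        """Per-ACE counters, like 'show access-list hit-counts ip <name>'."""
        return {a.seq: a.hits for a in self.aces}


def block_rfc1918() -> Acl:
    return Acl("BLOCK-RFC1918", [
        Ace(10, "deny", "ip", "10.0.0.0/8", "any"),
        Ace(20, "deny", "ip", "172.16.0.0/12", "any"),
        Ace(30, "deny", "ip", "192.168.0.0/16", "any"),
        Ace(40, "permit", "ip", "any", "any"),
    ])


def shadowed() -> Acl:
    # The 7.3.2 mistake: a broad permit placed before the denies it was meant to follow.
    return Acl("SHADOWED", [
        Ace(10, "permit", "ip", "any", "any"),
        Ace(20, "deny", "ip", "10.0.0.0/8", "any"),
    ])


def web_return() -> Acl:
    # Stateless: only replies from a web server (source port 443, ACK set) are allowed.
    return Acl("WEB-RETURN", [
        Ace(10, "permit", "tcp", "any", "any", sport=443, established=True),
    ])


if __name__ == "__main__":
    acl = block_rfc1918()
    print(acl.evaluate(Packet("tcp", "10.1.1.5", "203.0.113.9", 51000, 443)))
    print(acl.hit_counts())
```

Running the constructed packets through SHADOWED leaves ACE 20 at zero hits while everything lands on ACE 10, which is exactly the pattern the hit-count check is meant to surface: a zero-hit line below a broad match means an earlier ACE is catching the traffic.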
Key Points
AOS-CX ACLs are stateless, top-down, first-match-wins, with an implicit deny any at the end.
Apply to interface, SVI, L2 VLAN, or L3 VNI — choose based on whether traffic is switched or routed.
Use a classifier policy for DSCP marking, rate-limiting, mirroring, or redirection — richer than ACL permit/deny.
show access-list hit-counts is the first command to run when an ACL is not behaving as expected.
Post-Reading Quiz: ACLs & Classifier
1. AOS-CX ACLs are evaluated in which order, and what happens to a packet that matches no rule?
Bottom-up, longest-match-wins; unmatched packets are forwarded.
Top-down, first-match-wins; unmatched packets are dropped by an implicit deny any.
Random order, weighted; unmatched packets are sent to the supervisor.
Hash-table lookup; unmatched packets are punted to CPU.
2. You need to filter L2 traffic between two endpoints in the SAME VLAN. To which AOS-CX object should the ACL be applied?
The SVI (interface vlan <id>)
The L2 VLAN itself (vlan <id> with apply access-list)
The default VRF
The management interface mgmt
3. When should you choose a classifier policy (class-map + policy-map) over a plain ACL on AOS-CX?
Whenever you need stateful inspection.
When you need to mark DSCP, rate-limit, or redirect traffic — actions richer than permit/deny.
Only on management ports.
Whenever the rule list contains more than 100 entries.
4. An ACL named DENY-RFC1918 is applied to interface 1/1/5 inbound, but RFC1918 traffic is still being forwarded. Which command is the fastest first-line check?
show running-config interface 1/1/5
show access-list hit-counts ip DENY-RFC1918
show interface 1/1/5 statistics
debug acl all
7.4 Management Plane Hardening
Pre-Reading Quiz: Mgmt Plane Hardening
1. Which AAA protocol is preferred for switch administrator login on AOS-CX, and why?
RADIUS — UDP is faster and stateless.
TACACS+ — encrypts the entire payload over TCP/49 and supports per-command authorization.
Kerberos — tickets cannot be replayed.
LDAP-bind — native AD integration without a middle-tier server.
2. Why is configuring aaa authentication login default group tacacs local (the trailing local) considered critical?
It enables debug logging on every login attempt.
It allows admins to log in with the locally-defined account if the TACACS+ server is unreachable.
It encrypts the locally stored password with AES-256.
It forces TACACS+ to also accept RADIUS attributes.
3. Which command set on AOS-CX disables SSH password login while keeping key-based login enabled?
ssh disable password-auth followed by ssh enable key-auth
ssh password-authentication disable with user admin authorized-key "ssh-ed25519 ..."
ssh server reject password with aaa key-only mode
line vty + transport input ssh-key
4. Which logging configuration captures CLI commands, login attempts, and AAA decisions and ships them off-box?
logging buffered debug
logging 10.10.0.120 vrf mgmt severity info include-auditable-events
snmp-server trap aaa
copy running-config startup-config audit
An attacker who reaches the management plane does not need to evade ACLs — they can simply rewrite them. Hardening the management plane is therefore a security multiplier for everything else in this chapter.
7.4.1 SSH Key-Based Authentication
ssh server vrf mgmt
ssh password-authentication disable
user admin authorized-key "ssh-ed25519 AAAAC3Nz...comment"
Restrict the management VRF and bind SSH to it. The data VRF (default) should not run an SSH listener unless a deliberate exception is documented.
7.4.2 HTTPS Certificates
Replace the self-signed cert with one signed by your enterprise CA. A typical workflow uses crypto pki ta-profile to trust your enterprise root, generates a CSR from the switch, has your CA sign it, and installs the signed cert as the HTTPS server certificate.
7.4.3 AAA TACACS+ for Admin Login
| Feature | RADIUS | TACACS+ |
|---|---|---|
| Transport | UDP 1812/1813 | TCP 49 |
| Encryption | Password only | Entire payload |
| AAA separation | Auth+Authz combined | Auth, Authz, Accounting separate |
| Per-command authorization | No | Yes |
| Common use | 802.1X, MAC-Auth, VPN | Switch/router admin login |
tacacs-server host 10.10.0.110 key plaintext tacacs123 vrf mgmt
aaa authentication login default group tacacs local
aaa authorization commands default group tacacs local
aaa accounting all default start-stop group tacacs
The local fallback is critical: if the TACACS+ server is unreachable, the switch falls back to local authentication. Without it, a TACACS+ outage locks every administrator out of every switch — exactly when you most need to log in.
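The method list aaa authentication login default group tacacs local, modelled in Python to show exactly when the trailing local is consulted. This is an added example, not AOS-CX code, and the semantics it encodes are the standard method-list behaviour assumed here: the next method is tried only when every server in the group fails to respond, whereas an explicit Access-Reject from a reachable server ends the list. Hostnames, accounts and passwords are constructed.

```python
"""Model of an AAA login method list (added example, not AOS-CX code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TacacsServer:
    host: str
    reachable: bool
    users: dict                      # constructed username -> password store

    def authenticate(self, user: str, password: str) -> Optional[bool]:
        """True/False is a decision; None means the server never answered."""
        if not self.reachable:
            return None
        return self.users.get(user) == password


@dataclass
class MethodList:
    methods: list                    # e.g. ["group tacacs", "local"]
    tacacs_servers: list
    local_users: dict                # constructed local account store
    trail: list = field(default_factory=list)

    def login(self, user: str, password: str) -> bool:
        for method in self.methods:
            if method == "group tacacs":
                for srv in self.tacacs_servers:
                    result = srv.authenticate(user, password)
                    if result is None:
                        self.trail.append(f"{srv.host}: no response, trying next server")
                        continue
                    # A reachable server's verdict is final: no fallback on reject.
                    self.trail.append(f"{srv.host}: {'accept' if result else 'reject'}")
                    return result
                self.trail.append("all TACACS+ servers unreachable, next method")
            elif method == "local":
                result = self.local_users.get(user) == password
                self.trail.append(f"local: {'accept' if result else 'reject'}")
                return result
        self.trail.append("method list exhausted: deny")
        return False


# Constructed fixtures used by the scenarios below.
TACACS_USERS = {"netadmin": "T@cacs-pw"}
LOCAL_USERS = {"admin": "Local-pw"}


def scenario(servers_reachable: bool, with_local: bool, user: str, password: str):
    """Run one login and return (decision, audit trail)."""
    methods = ["group tacacs"] + (["local"] if with_local else [])
    ml = MethodList(methods, [TacacsServer("10.10.0.110", servers_reachable, TACACS_USERS)],
                    LOCAL_USERS)
    return ml.login(user, password), ml.trail


if __name__ == "__main__":
    for args in ((True, True, "netadmin", "T@cacs-pw"),
                 (False, True, "admin", "Local-pw"),
                 (False, False, "admin", "Local-pw")):
        print(args, scenario(*args))
```

The third scenario is the outage lockout the text warns about: with no local method and the server unreachable, every login is denied, including the correct local admin password.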
7.4.4 Centralized Syslog
The include-auditable-events option on the off-box logging command captures CLI commands, login attempts (success and failure), AAA decisions, and configuration changes. Combined with TACACS+ accounting (which records every command typed), this gives a tamper-evident trail.
Figure 7.4: Management Plane Hardening Layers
graph TD
A[Administrator] --> B[Transport Layer]
B --> B1[SSH key-based auth password-auth disable bound to mgmt VRF]
B --> B2[HTTPS w/ enterprise CA-signed cert crypto pki ta-profile]
B1 --> C[Authentication Layer]
B2 --> C
C --> C1[TACACS+ over TCP/49 full payload encryption]
C --> C2[Local fallback user group tacacs local]
C1 --> D[Authorization Layer]
C2 --> D
D --> D1[Per-command authz aaa authorization commands]
D --> D2[RBAC roles administrators / operators / auditors]
D1 --> E[Accounting Layer]
D2 --> E
E --> E1[TACACS+ accounting start-stop all commands]
E --> E2[Syslog off-box include-auditable-events]
E1 --> F[Hardened Management Plane]
E2 --> F
Key Points
TACACS+ over TCP/49 encrypts the entire packet and supports per-command authorization — preferred for admin login.
Always include local in aaa authentication login for fallback during a TACACS+ outage.
Use SSH key-based auth bound to mgmt VRF; replace self-signed HTTPS cert with enterprise CA-signed one.
Ship logs off-box with include-auditable-events to capture CLI, AAA, and config changes.
Post-Reading Quiz: Mgmt Plane Hardening
1. Which AAA protocol is preferred for switch administrator login on AOS-CX, and why?
RADIUS — UDP is faster and stateless.
TACACS+ — encrypts the entire payload over TCP/49 and supports per-command authorization.
Kerberos — tickets cannot be replayed.
LDAP-bind — native AD integration without a middle-tier server.
2. Why is configuring aaa authentication login default group tacacs local (the trailing local) considered critical?
It enables debug logging on every login attempt.
It allows admins to log in with the locally-defined account if the TACACS+ server is unreachable.
It encrypts the locally stored password with AES-256.
It forces TACACS+ to also accept RADIUS attributes.
3. Which command set on AOS-CX disables SSH password login while keeping key-based login enabled?
ssh disable password-auth followed by ssh enable key-auth
ssh password-authentication disable with user admin authorized-key "ssh-ed25519 ..."
ssh server reject password with aaa key-only mode
line vty + transport input ssh-key
4. Which logging configuration captures CLI commands, login attempts, and AAA decisions and ships them off-box?
logging buffered debug
logging 10.10.0.120 vrf mgmt severity info include-auditable-events
snmp-server trap aaa
copy running-config startup-config audit
Chapter Summary
Switch security on AOS-CX is a layered story that follows the packet from the edge inward. At the access port, 802.1X authenticates the user via EAP between supplicant, authenticator (the switch), and ClearPass; MAC authentication handles supplicant-less devices as a fallback; multi-domain mode lets a single port serve a phone and a PC under independent identities. Once authenticated, the client receives a role — a Local User Role stored on the switch, a Downloadable User Role pulled from ClearPass on demand, or a device profile matched on LLDP — that pins the session to a VLAN with associated ACLs and session timers. ACLs and classifier policies enforce the role's intent in TCAM at wire speed. Above all of this sits the management plane, hardened with SSH key auth, signed HTTPS certs, TACACS+ with per-command authorization and local fallback, and centralized syslog with auditable-event capture.
The exam expects you to recognize the CLI shape of each piece, know which command goes in which context, and understand which mechanism solves which problem — 802.1X for who, role for what, ACL for enforcement, TACACS+ for admin accountability.