Creating password security
To set up password security:
In the console interface, set up a manager password pair (and if applicable for your system, an operator password pair).
Exit the current console session. A manager password pair is now needed for full access to the console.
Passwords are case-sensitive.
The next time a console session starts for either the menu interface or the CLI, a prompt appears requesting a password. Because you protected both the manager and operator levels, the level of access to the console interface is determined by which password is entered in response to the prompt.
If you configure only a manager password (with no operator password), and in a later session the manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session. If the switch has a password for both the manager and operator levels, and neither is entered correctly in response to the switch’s password prompt, then the switch does not allow management access for that session.
If you configure only an operator password, entering the operator password enables full manager privileges.
NOTE: When configuring an operator or manager password a message appears indicating that (USB) autorun has been disabled. See Appendix A, "File Transfers", in the management and configuration guide for your switch for more information on the autorun feature.
CAUTION: If the switch has neither a manager nor an operator password, anyone having access to the switch through either Telnet or the serial port of the switch can access the switch with full manager privileges.
Setting an inactivity timer
If you set a manager password, you can configure an inactivity timer which causes the console session to end after the specified period of inactivity. This provides an additional level of security against unauthorized console access.
NOTE: If the console inactivity-timer expires, it terminates any outbound Telnet or SSH sessions open on the switch.
Choose one of the following to set the inactivity timer:
Menu Interface:
System Information screen, Select option 2 — Switch Configuration.
CLI:
Use the command (and options) as follows:
console inactivity-timer < 0 | 1 | 5 | 10 | 15 | 20 | 30 | 60 | 120 >
Setting a new console password
From the Main Menu select:
3. Console Passwords
To set a new password:
Select Set Manager Password or Set Operator Password.
You are prompted to Enter new password. Type a password of up to 64 ASCII characters with no spaces, and press [Enter]. (Remember that passwords are case-sensitive.)
When prompted to Enter new password again, retype the new password and press [Enter].
If you start a new console session, the switch prompts you to enter the new password. Remember that user names are optional. If you use the CLI to configure an optional user name, the switch prompts you for the user name, and then the password.
Deleting password protection
This procedure deletes all user names (if configured) and passwords (manager and operator).
Option one
To clear all password protection when you have physical access to the switch, press and hold the [Clear] button on the front of the switch for a minimum of one second.
Enter new passwords as described in Setting a new console password.
Option two
To clear all password protection when you do not have physical access to the switch and you have manager-level access, do the following:
Enter the console at the manager level.
Select the Set Manager Password option.
Select Delete Password Protection.
The following prompt appears:
Continue Deletion of password protection? No/ Yes
Press the [Space bar] to select Yes, then press [Enter].
Press [Enter] to clear the Delete Password Protection message.
Recovering from a lost manager password
If you cannot start a console session at the manager level because of a lost manager password, clear the password by following these steps:
This deletes all passwords and user names (manager and operator) used by the console.
Setting passwords and user names in the CLI
NOTE: The password command has changed. You can now configure manager and operator passwords in one step.
Syntax
[no] password < manager | operator | all | port-access > [user-name ASCII-STR] [< plaintext | sha1 > ASCII-STR]
Sets or clears a local user name/password for a given access level.
The command sets or changes existing passwords. If no password is provided in the command, you are prompted to enter the new password twice.
The [no] form of the command removes specific local password protection.
NOTE: The port-access option is available only if include-credentials is enabled. For the 3800 and 5400zl switches, when the switch is in enhanced secure mode, commands that take a password as a parameter have the echo of the password typing replaced with asterisks. The input for the password is prompted for interactively.
manager | operator | port-access | all
Level of access:
manager
Configures access to the switch with manager-level privileges.
operator
Configures access to the switch with operator-level privileges.
port-access
Configures access to the switch through 802.1X authentication with operator-level privileges.
user-name <name>
The optional text string of the user name associated with the password. User name up to 64 characters.
plaintext | sha1
Format for the password entry, and the password itself (up to 64 characters). Specifies the type of algorithm (if any) used to hash the password. Valid values are plaintext or sha1. The default type is plaintext, which is also the only type accepted for the port-access parameter.
Removing password protection using the CLI
Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated passwords. (This command also clears the user name associated with a password you are removing.) For example, to remove the operator password (and user name, if assigned) from the switch, you would do the following:
Syntax
[no] password
Executing this command removes password protection from the operator level so anyone able to access the switch console can gain operator access without entering a user name or password.
Example: Removing a password and associated user name from a switch
General password rules
User names and passwords are case-sensitive. ASCII characters in the range of 33-126 are valid, including:
A through Z uppercase characters
a through z lower case characters
0 through 9 numeric characters
Special characters ` ~ ! @ # $ % ^ & * ( ) - _ = + [ ] { } \ | ; : ' " , < > / ?.
NOTE: The SPACE character is allowed to form a user name or password pass-phrase. The user name must be in quotes, for example "The little brown fox". A space is not allowed as part of a user name without the quotes. A password that includes a space or spaces should not have quotes.
Local user and password length
To set the minimum password length for manager, operator, and local management privilege user, use the following command.
Syntax
[no] password < manager | operator | port-access | all > [user-name ASCII-STR] [< plaintext | sha1 > ASCII-STR] minimum-length <num>
<manager|operator|port-access|all> - Level of access.
user-name ASCII-STR - Username (up to 64 characters).
<plaintext|sha1> ASCII-STR - Format for the password entry, and the password itself (up to 64 characters). 'plaintext' is default type, and the only type accepted for 'port-access'.
minimum-length - Minimum number of permissible characters required to set a new password.
Sets or clears the local password/user name to access levels of manager, operator, and local management. Configures minimum password length for a given access level equal to or greater than 15 alpha/numeric digits.
Invoked without [no], the command sets or changes the existing passwords. If no password is provided in the command, the user is prompted to enter the new password twice. The [no] form of the command removes specific local password protection. The option password minimum-length configures the minimum password length applicable to the manager, operator or local management. The range available for password length is 15–64.
operator
Configure operator access.
manager
Configure manager access.
all
Configure all available types of access.
minimum-length
Configure minimum password length.
NOTE: "port-access" is available only if "include-credentials" is enabled.
Restrictions for the setmib command
Usernames and passwords can be set using the CLI command setmib. They cannot be set using SNMP.
Quotes are permitted for enclosing other characters, for example, a user name or password of abcd can be enclosed in quotes "abcd" without the quotes becoming part of the user name or password itself. Quotes can also be inserted between other characters of a user name or password, for example, ab"cd. A pair of quotes enclosing characters followed by any additional characters is invalid, for example, "abc"d.
Spaces are allowed in user names and passwords. The user name or password must be enclosed in quotes, for example, "one two three". A blank space or spaces between quotes is allowed, for example, " ".
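As an added example that is not part of the switch documentation, the following Python validator encodes the character, length and quoting rules stated under General password rules and in the quoting restrictions above, so a credential can be checked before it is entered with the password command; the function names, the rejection of an empty value, and the treatment of a password containing spaces (accepted quoted or unquoted, since the page states both) are assumptions.

```python
# Added example, not from the switch documentation: checks a user name or
# password against the rules this page states. Function names are assumptions.
MAX_LEN = 64                  # user names and passwords: up to 64 characters
MIN_LENGTH_RANGE = (15, 64)   # values accepted by `password minimum-length`

def unquote(value):
    """Quoting rules: a pair of quotes may enclose the whole value ("abcd",
    " "), a quote may sit between other characters (ab"cd), but a quoted
    run followed by more characters ("abc"d) is invalid."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1], True
    if value.startswith('"'):
        raise ValueError('quoted run followed by extra characters: %r' % value)
    return value, False

def validate_credential(value, kind, min_length=None):
    """kind is 'user-name' or 'password'; min_length is the configured
    `password minimum-length` (15-64). Returns the stored value or raises."""
    inner, quoted = unquote(value)
    if not inner:
        raise ValueError('credential is empty')
    if len(inner) > MAX_LEN:
        raise ValueError('longer than %d characters' % MAX_LEN)
    # ASCII 33-126 is valid; a space is allowed only to form a pass-phrase,
    # and a user name containing spaces must be enclosed in quotes.
    for ch in inner:
        if ch != ' ' and not 33 <= ord(ch) <= 126:
            raise ValueError('invalid character %r' % ch)
    if kind == 'user-name' and ' ' in inner and not quoted:
        raise ValueError('user name with spaces must be quoted')
    if min_length is not None:
        lo, hi = MIN_LENGTH_RANGE
        if not lo <= min_length <= hi:
            raise ValueError('minimum-length must be %d-%d' % (lo, hi))
        if kind == 'password' and len(inner) < min_length:
            raise ValueError('password shorter than minimum-length')
    return inner

def is_valid(value, kind, min_length=None):
    """Boolean wrapper around validate_credential for quick checks."""
    try:
        validate_credential(value, kind, min_length)
        return True
    except ValueError:
        return False

def downgrade_safe(value):
    """True if the credential survives a downgrade to a software version
    without long-password support: at most 16 characters, no special characters."""
    return 1 <= len(value) <= 16 and value.isalnum()
```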
Additional restrictions
Some authentication servers prevent the usage of special symbols such as the backslash (\) and quotes (""). The switch allows the use of these symbols in configurable credentials, but using them can limit access for some users who can use different client software. See the vendor's documentation for specific information about these restrictions.
Implications of upgrading or downgrading software versions for passwords
When you update software from a version that does not support long passwords to a version that supports long passwords, the existing user names and passwords continue to be there and no further action is required.
Before downgrading to a software version that does not include this feature, use one of the following procedures:
Reset the user name and/or password to be no more than 16 characters in length, without using any special characters, using the CLI command password. Then execute a CLI write memory command (required if the include-credentials feature has ever been enabled):
switch(config)# password manager
New password: ********
Please retype new password: *******
switch(config)# write mem
Or
Execute the CLI command [no] password all. This clears all the passwords. Then execute a CLI write memory command (required if the include-credentials feature has ever been enabled).
Or
Clear the password by using the [Clear] button on the switch. Then execute a CLI write memory command (required if the include-credentials feature has ever been enabled).