Access Security Guide K/KA/KB.15.15

Figure 4 Example of security credentials saved in the running-config
Although you can enter an SNMPv3 authentication or privacy password either as clear ASCII text
or as the SHA-1 hash of the password, the password is displayed and saved in a configuration file
only in hashed format (see Figure 26 on page 48).
See “Configuring for Network Management Applications” in the Management and Configuration
Guide for your switch for more information about the configuration of SNMP security parameters.
802.1X port access credentials
802.1X authenticator (port access) credentials can be stored in a configuration file. 802.1X
authenticator credentials are used by a port to authenticate supplicants requesting a point-to-point
connection to the switch. 802.1X supplicant credentials are used by the switch to establish a
point-to-point connection to a port on another 802.1X-aware switch. Only 802.1X authenticator
credentials are stored in a configuration file; supplicant credentials are not.
The local password configured with the password command is no longer accepted as an 802.1X
authenticator credential. A new configuration command, password port-access, is introduced
to configure the local operator username and password used as 802.1X authentication credentials
for access to the switch.
The password port-access values are now configured separately from the manager and
operator passwords configured with the password manager and password operator
commands and used for management access to the switch.
After you enter the complete password port-access command syntax, the password is set.
You are not prompted to enter the password a second time.
TACACS+ encryption key authentication
You can use TACACS+ servers to authenticate users who request access to a switch through Telnet
(remote) or console (local) sessions. TACACS+ uses an authentication hierarchy consisting of:
• Remote passwords assigned in a TACACS+ server.
• Local manager and operator passwords configured on the switch.
When you configure TACACS+, the switch first tries to contact a designated TACACS+ server for
authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own
locally assigned passwords for authentication control if it has been configured to do so.
For improved security, you can configure a global or server-specific encryption key that encrypts
data in TACACS+ packets transmitted between the switch and a TACACS+ server during authentication
sessions. The key configured on the switch must match the encryption key configured in each
TACACS+ server application. (The encryption key is sometimes referred to as a “shared secret” or
“secret” key.)
TACACS+ shared secret (encryption) keys can be saved in a configuration file by entering this
command:
HP Switch(config)# tacacs-server key <keystring>
The option <keystring> is the encryption key (in clear text) used for secure communication with
all TACACS+ servers, or with a specific TACACS+ server when the key is configured per server.
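To make concrete what the shared secret does on the wire, the following is an added example (not HP code and not taken from this guide) implementing the TACACS+ body obfuscation defined in RFC 8907, section 4.5. The packet body is XORed with a pseudo-pad built from a chain of MD5 digests over the session ID, the shared key, the protocol version and the sequence number, which is why the key entered with tacacs-server key must be identical to the one on each server: a mismatched key yields a different pad and the decoded body is garbage. The key, the wrong key, the session ID and the authentication START body used below are constructed for the demonstration.

```python
"""TACACS+ body obfuscation (RFC 8907, section 4.5).

Added example, not HP code. The shared keys, session ID and packet body
used in demo_key_mismatch() are constructed for the demonstration.
"""
import hashlib
import struct

# Header version byte: major version 0xC, minor version 0 (RFC 8907, section 4.1).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT  # 0xC0


def pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """Build the RFC 8907 pseudo_pad, truncated to `length` bytes.

    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_(n-1))
    session_id is 4 bytes, version and seq_no 1 byte each, in network byte order.
    """
    head = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, key: bytes, session_id: int, seq_no: int,
              version: int = VERSION) -> bytes:
    """XOR the body with the pseudo_pad. XOR is its own inverse, so the same
    call with the same key, session ID and seq_no deobfuscates a received body."""
    pad = pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes) -> bytes:
    """Encode an authentication START body (RFC 8907, section 5.1):
    action, priv_lvl, authen_type, authen_service, four length bytes, then the fields."""
    tac_plus_authen_login = 0x01
    tac_plus_priv_lvl_user = 0x01
    tac_plus_authen_type_ascii = 0x01
    tac_plus_authen_svc_login = 0x01
    header = struct.pack("!BBBBBBBB",
                         tac_plus_authen_login, tac_plus_priv_lvl_user,
                         tac_plus_authen_type_ascii, tac_plus_authen_svc_login,
                         len(user), len(port), len(rem_addr), len(data))
    return header + user + port + rem_addr + data


def demo_key_mismatch(key: bytes = b"switch-tacacs-key",       # constructed
                      wrong_key: bytes = b"some-other-key"):    # constructed
    """Return (clear body, wire body, body decoded with the right key,
    body decoded with the wrong key) for one constructed START packet."""
    body = build_authen_start(b"operator", b"console", b"192.0.2.10", b"")
    session_id = 0x1234ABCD  # constructed; in practice chosen randomly by the client
    seq_no = 1               # first packet of the session is sent by the client
    wire = obfuscate(body, key, session_id, seq_no)
    decoded_ok = obfuscate(wire, key, session_id, seq_no)
    decoded_bad = obfuscate(wire, wrong_key, session_id, seq_no)
    return body, wire, decoded_ok, decoded_bad


if __name__ == "__main__":
    clear, wire, ok, bad = demo_key_mismatch()
    print("clear  :", clear.hex())
    print("wire   :", wire.hex())
    print("ok key :", ok == clear)
    print("bad key:", bad == clear)
```

RFC 8907 describes this mechanism as obfuscation rather than encryption and expects the TACACS+ traffic itself to be protected by the network (for example IPsec), so the shared key keeps casual observers from reading the body but is not a substitute for a protected management path. Note also that the switch stores this key in clear text in the configuration file, so a saved configuration must be protected as a secret.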
28 Configuring Username and Password Security