Common Criteria for HP Networking Switches

  Port-Access | Local                   None
  Webui       | Local                   None
  SSH         | Local                   None
  Web-Auth    | ChapRadius radius       None
  MAC-Auth    | ChapRadius radius       None
              | Local                   None

              | Enable      Enable       Enable
  Access Task | Primary     Server Group Secondary
  ----------- + ---------- ------------ ----------
  Console     | Local                   None
  Telnet      | Local                   None
  Webui       | Local                   None
  SSH         | Local                   None
Note: Port-Access (802.1X), Web-Auth and MAC-Auth authenticate users of the network, not
administrators of the switch itself, and are therefore outside the scope of this document.
The default number of login attempts is 3, meaning the user has three chances to supply valid
access credentials. Once this limit is reached the user must start a new login. The number of login
attempts allowed can be changed from the configuration context with the following command:
HP Switch(config)# aaa authentication num-attempts < 1-10 >
The “Respect Privilege” option instructs the switch to allow the authenticating server to supply the
privilege level of the user. See the “Server-Supplied Privilege Level” section below for more information.
If the primary authentication method fails for any reason (for example, because the authenticating
server(s) are unreachable), the secondary method is used to authenticate users. In the configuration
shown above, every access task uses Local as its primary method with no secondary; if no Local
usernames and passwords have been configured, every user who connects receives manager permission.
Most access methods support three ways of authenticating users:
Local uses the switch's locally stored usernames and passwords
RADIUS uses a RADIUS server to authenticate users
TACACS+ uses a TACACS+ server to authenticate users
Local Authentication
Local usernames and passwords are configured on a per-switch basis and provide the most basic form of
authentication. The switch has two access levels, Manager and Operator; each must have a password
assigned, and each may optionally be given a username. The switch must be configured to require
passwords for both levels before it provides even minimal identification of users; left in its default
state, it makes all functions available without any user authentication. Local authentication is often
configured as the secondary login method so that a minimum level of security remains should the
primary method fail.
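The following Python script is an added example and is not part of the Common Criteria document or of any HP tooling. It parses a `show authentication` table laid out like the one above and applies the two checks this section motivates: an access task whose primary method is a remote server with no secondary (no fallback if the server is unreachable), and a task whose primary method is Local on a switch that has no manager password (everyone receives manager access). The sample output and running-config fragment are constructed for the example; the CLI task keywords (`console`, `telnet`, `web`, `ssh`) and the suggested `aaa authentication ... local` and `password manager` commands are assumed ProVision syntax, not taken from this page. Port-Access, Web-Auth and MAC-Auth are skipped, following the note above.

```python
"""Audit HP switch 'show authentication' output for the two weaknesses this
page describes: a remote primary with no secondary (no fallback when the
server is unreachable) and a Local primary with no manager password set
(all users get manager access). Added example, not from the original document."""
import re
from dataclasses import dataclass

# Constructed sample laid out like the table on this page; not captured from a
# real switch. SSH is set to RADIUS with no secondary to exercise the check.
SHOW_AUTH = """\
 Status and Counters - Authentication Information

  Login Attempts : 3
  Respect Privilege : Disabled

              | Login       Login        Login
  Access Task | Primary     Server Group Secondary
  ----------- + ---------- ------------ ----------
  Console     | Local                   None
  Telnet      | Local                   None
  Port-Access | Local                   None
  Webui       | Local                   None
  SSH         | Radius      radius      None
  Web-Auth    | ChapRadius  radius      None
  MAC-Auth    | ChapRadius  radius      None

              | Enable      Enable       Enable
  Access Task | Primary     Server Group Secondary
  ----------- + ---------- ------------ ----------
  Console     | Local                   None
  Telnet      | Local                   None
  Webui       | Local                   None
  SSH         | Radius      radius      None
"""

# Constructed running-config fragment with no 'password manager' line, i.e.
# the factory state the page warns about. 192.0.2.10 is a documentation address.
RUNNING_CONFIG_DEFAULT = 'hostname "HP Switch"\nradius-server host 192.0.2.10 key "secret"\n'

# Network-access tasks the page's note places outside the scope of the audit.
OUT_OF_SCOPE = {"Port-Access", "Web-Auth", "MAC-Auth"}
# 'show authentication' labels -> CLI keywords (assumed ProVision syntax).
CLI_TASK = {"Console": "console", "Telnet": "telnet", "Webui": "web", "SSH": "ssh"}


@dataclass(frozen=True)
class Entry:
    mode: str        # "login" or "enable" section of the table
    task: str        # Console, Telnet, Webui, SSH, ...
    primary: str
    group: str       # server group, "" when the column is blank
    secondary: str


def parse_show_authentication(text):
    """Return (login_attempts, respect_privilege, [Entry, ...])."""
    attempts, respect, mode, entries = None, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Login Attempts\s*:\s*(\d+)", line)
        if m:
            attempts = int(m.group(1))
            continue
        m = re.match(r"Respect Privilege\s*:\s*(\w+)", line)
        if m:
            respect = m.group(1).lower() == "enabled"
            continue
        if "|" not in line:
            continue                      # blank, title or '---- + ----' line
        task, rest = (s.strip() for s in line.split("|", 1))
        cols = rest.split()
        if task == "" and cols and cols[0] in ("Login", "Enable"):
            mode = cols[0].lower()        # banner row names the section
            continue
        if task in ("", "Access Task") or mode is None:
            continue                      # column header or unlabeled row
        if len(cols) == 3:
            primary, group, secondary = cols
        elif len(cols) == 2:              # Server Group column left blank
            primary, secondary = cols
            group = ""
        else:
            continue                      # unrecognised row: skip, don't guess
        entries.append(Entry(mode, task, primary, group, secondary))
    return attempts, respect, entries


def manager_password_configured(running_config):
    """Assumes the running config shows a 'password manager' line when one is set."""
    return any(l.strip().startswith("password manager")
               for l in running_config.splitlines())


def audit(entries, manager_password_set):
    """Return [(mode, task, finding, suggested command), ...] in table order."""
    findings = []
    for e in entries:
        if e.task in OUT_OF_SCOPE:
            continue
        kw = CLI_TASK.get(e.task, e.task.lower())
        if e.primary.lower() not in ("local", "none") and e.secondary.lower() == "none":
            findings.append((e.mode, e.task,
                "remote primary with no secondary: lockout if the server is unreachable",
                f"aaa authentication {kw} {e.mode} {e.primary.lower()} local"))
        if e.primary.lower() == "local" and not manager_password_set:
            findings.append((e.mode, e.task,
                "Local primary but no manager password: everyone has manager access",
                "password manager user-name <name>"))
    return findings


def run_audit(show_auth=SHOW_AUTH, running_config=RUNNING_CONFIG_DEFAULT):
    """Parse the table and audit it against the given running config."""
    _, _, entries = parse_show_authentication(show_auth)
    return audit(entries, manager_password_configured(running_config))


if __name__ == "__main__":
    for mode, task, finding, fix in run_audit():
        print(f"[{mode}/{task}] {finding}\n    fix: {fix}")
```

Against the constructed sample the audit reports eight findings: six "Local primary but no manager password" entries for Console, Telnet and Webui in both the login and enable tables, and two lockout findings for SSH, whose suggested fix is `aaa authentication ssh login radius local` (and the matching `enable` form). Once a `password manager` line appears in the running config, only the two SSH findings remain.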