09-26-2017 07:53 AM
How do we force a user to use credentials when using the Web GUI of a 2930F?
At present anyone can browse to the IP of the switch and view quite a bit of information.
We would like to make nothing available without logging in.
How do we do this?
09-27-2017 12:39 AM
By default, the switch has two administrative accounts: manager and operator, both without a password. What probably happens is that you set the manager password, but when you connect to the web interface it will use the operator account (password-less) by default, so it does not ask for any password.
In order to fix this, and two other things that you might not like (SNMP write with the community 'public' enabled by default, and the TFTP server enabled so anyone can fetch the config without a password), I use the following steps:
password manager user-name "swadmin" plaintext "admin123"
password operator user-name "operator" plaintext "password123"
no snmp-server community public
no snmp-server enable
no tftp server
Which changes the manager username and password, sets an operator password, removes the 'public' SNMP community and disables tftp. If you need SNMP, you might not want to disable the snmp server, but configure it instead.
From a hardening perspective, I'd like to have syslog and NTP time sync configured:
logging 10.1.254.20
timesync ntp
no sntp
ntp unicast
ntp server 10.1.254.20
ntp server 10.1.254.28
ntp enable
time daylight-time-rule western-europe
time timezone 60
A document with the name HP - Hardening ProCurve Switches.pdf can be found on the internet which goes even deeper (and was the source of my command-set).
In case you want to go even further, search for 'Aruba 2920 Switch Series. FIPS 140-2 Non-Proprietary Security Policy' and find out how you can even protect against people with physical access to the switch.
Just setting an operator password would fix your specific issue.
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
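A pre-deployment check for the command set in the answer above, as an added example that is not part of the original post or any Aruba tooling: it lints a per-switch command script for the items the answer lists, including the missing operator password that leaves the web GUI open. The script-as-text input, the `audit` function name and the constructed sample script are assumptions made for illustration.

```python
import re

# Passwords printed in the forum answer are public and must not be reused.
SAMPLE_PASSWORDS = {"admin123", "password123"}

# Constructed input: a command script that forgets the operator password,
# the exact gap that lets the web GUI be browsed without a login.
CONSTRUCTED_SCRIPT = """\
password manager user-name "swadmin" plaintext "S3cure-Mgr-Example"
no snmp-server community public
no tftp server
logging 10.1.254.20
ntp server 10.1.254.20
"""

PASSWORD_RE = re.compile(
    r'^password\s+(manager|operator)\b.*\bplaintext\s+"([^"]*)"', re.IGNORECASE)


def audit(script: str) -> list[str]:
    """Return findings for a hardening command script (empty list = all checks pass)."""
    # Normalise whitespace so spacing differences do not hide a command.
    lines = [" ".join(ln.split()) for ln in script.splitlines() if ln.strip()]
    lowered = [ln.lower() for ln in lines]
    findings = []

    passwords = {}
    for ln in lines:
        m = PASSWORD_RE.match(ln)
        if m:
            passwords[m.group(1).lower()] = m.group(2)
    for role in ("manager", "operator"):
        if role not in passwords:
            findings.append(f"{role}: no password command")
        elif passwords[role] in SAMPLE_PASSWORDS:
            findings.append(f"{role}: password is a sample value from the forum post")

    # SNMP may stay enabled if it is needed, so only the 'public' community is checked.
    if "no snmp-server community public" not in lowered:
        findings.append("snmp: 'public' community not removed")
    if "no tftp server" not in lowered:
        findings.append("tftp: server not disabled")
    if not any(ln.startswith("logging ") for ln in lowered):
        findings.append("syslog: no logging destination")
    if not any(ln.startswith("ntp server ") for ln in lowered):
        findings.append("ntp: no ntp server")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(CONSTRUCTED_SCRIPT)) or "all checks passed")
```

The check reads only the text of the script, so it can run in a change-review step before anything is pushed to a switch.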