Occasional Contributor I
Posts: 6
Registered: ‎10-11-2016

Securing passwords on an Aruba (aka HP Procurve) switch

Hello,

I was just looking for some clarity around storing the manager and operator passwords on an Aruba 2920-48G switch.

Are passwords encrypted by default?

Is 'plaintext' in the following command merely to indicate that the password is entered as plaintext and encrypted by the switch?

password manager plaintext PASSWORD

Regards.

Contributor II
Posts: 54
Registered: ‎12-01-2016

Re: Securing passwords on an Aruba (aka HP Procurve) switch

Your passwords are not displayed in the running configuration on ProCurve switches, neither as plaintext nor as hash. Not sure where exactly it stores them, but they cannot be seen from the config itself.

Jibran Aziz
ACDX | ACCP | ACMP | ACMA | CCIE (RnS, SP, DC) | JNCIS | JNCIA
Contributor II
Posts: 54
Registered: ‎12-01-2016

Re: Securing passwords on an Aruba (aka HP Procurve) switch

Not sure if that was your concern or something else.

Jibran Aziz
ACDX | ACCP | ACMP | ACMA | CCIE (RnS, SP, DC) | JNCIS | JNCIA
Occasional Contributor I
Posts: 6
Registered: ‎10-11-2016

Re: Securing passwords on an Aruba (aka HP Procurve) switch

Jibran,

Thanks for getting back to me. That was partly my concern. I checked the running config and couldn't see any reference to the password.

It would be good to know if it's encrypted, if I need to do anything to encrypt it, or what Aruba's best practices are.

Regards

Contributor II
Posts: 54
Registered: ‎12-01-2016

Re: Securing passwords on an Aruba (aka HP Procurve) switch

In a document called 'Configuration of HP ProCurve Devices in a Campus Environment' I found a line stating: "In HP devices, a special area that is not readily accessible is used to store passwords. Therefore password settings are not visible in the switch configuration file."

http://services.geant.net/cbp/Knowledge_Base/Campus_Networking/Documents/gn3-na3-t4-cbpd111.pdf

Inside the system, passwords are stored as MD5. The link below can confirm this:

https://community.hpe.com/t5/ProCurve-ProVision-Based/Switch-Local-Password-Store-and-Hash/td-p/5978797

Jibran Aziz
ACDX | ACCP | ACMP | ACMA | CCIE (RnS, SP, DC) | JNCIS | JNCIA
Aruba Employee
Posts: 35
Registered: ‎11-17-2015

Re: Securing passwords on an Aruba (aka HP Procurve) switch

Greetings!

The recently-released 16.03 switch software for the 2920, 2930F, 3810, and 5400R switch series introduces support for storing local credentials as SHA-256 hashes, for improved security over the default SHA-1 format. This option can be enabled with the following command, executed from the switch configuration context:

password non-plaintext-sha256

There are a few limitations to this feature; I've copied the following from the WC.16.03 Access Security Guide (pages 44-45):

  • After password non-plaintext-sha256 is executed, the password cannot be converted back to plaintext; you must reconfigure the password.
  • This feature is not applicable for passwords used in protocol handshaking (for example, SNMPv3, OSPF, and BFD).
  • Configuring the password in SHA-256 format is not allowed if the password complexity feature is enabled.
  • If the passwords in the configuration are in SHA-256 format, downgrading to a version where this feature is not supported results in the deletion of the passwords. HPE recommends that you disable this feature and reconfigure the password before downgrading.
  • If the password non-plaintext-sha256 feature is enabled, you are not allowed to enter the password in SHA-1 format.

Matthew Fern | Technical Marketing Engineer, Campus Networking
Aruba, a Hewlett Packard Enterprise Company
Occasional Contributor I
Posts: 6
Registered: ‎10-11-2016

Re: Securing passwords on an Aruba (aka HP Procurve) switch

Thanks for the update.  I'm still running 16.02.
