Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Securing passwords on an Aruba (aka HP Procurve) switch

  • 1.  Securing passwords on an Aruba (aka HP Procurve) switch

    Posted Feb 06, 2017 05:09 PM

    Hello,

     

    I was just looking for some clarity around storing the manager and operator passwords on an Aruba 2920-48G switch.  

     

    Are passwords encrypted by default?

     

    Is 'plaintext' in the following command merely to indicate that the password is entered as plaintext and encrypted by the switch?

     

    password manager plaintext PASSWORD 

     

    Regards.



  • 2.  RE: Securing passwords on an Aruba (aka HP Procurve) switch

    Posted Feb 06, 2017 06:11 PM

    Your passwords are not displayed in the running configuration on ProCurve switches, neither as plaintext nor as hash. Not sure where exactly it stores them, but they cannot be seen from the config itself.



  • 3.  RE: Securing passwords on an Aruba (aka HP Procurve) switch

    Posted Feb 06, 2017 06:11 PM

    Not sure if that was your concern or something else.



  • 4.  RE: Securing passwords on an Aruba (aka HP Procurve) switch

    Posted Feb 06, 2017 06:16 PM

    Jibran,

     

    Thanks for getting back to me.  That was partly my concern.  I checked the running config and couldn't see any reference to the password.

     

    It would be good to know if it's encrypted, if I need to do anything to encrypt it or what Aruba's best practices are.

     

    Regards



  • 5.  RE: Securing passwords on an Aruba (aka HP Procurve) switch

    Posted Feb 06, 2017 06:46 PM

    In a document called 'Configuration of HP ProCurve Devices in a Campus Environment' I found a line stating: "In HP devices, a special area that is not readily accessible is used to store passwords. Therefore password settings are not visible in the switch configuration file."

    http://services.geant.net/cbp/Knowledge_Base/Campus_Networking/Documents/gn3-na3-t4-cbpd111.pdf

     

    Inside the system, passwords are stored as MD5. The link below can confirm this:

    https://community.hpe.com/t5/ProCurve-ProVision-Based/Switch-Local-Password-Store-and-Hash/td-p/5978797



  • 6.  RE: Securing passwords on an Aruba (aka HP Procurve) switch

    Posted Feb 08, 2017 03:54 PM

    Greetings!

     

    The recently-released 16.03 switch software for the 2920, 2930F, 3810, and 5400R switch series introduces support for storing local credentials as SHA-256 hashes, for improved security over the default SHA-1 format.  This option can be enabled with the following command, executed from the switch configuration context:

     

    password non-plaintext-sha256

    There are a few limitations to this feature; I've copied the following from the WC.16.03 Access Security Guide (page 44-45):

    • After password non-plaintext-sha256 is executed, the password cannot be converted back to plaintext; you must reconfigure the password.
    • This feature is not applicable for passwords used in protocol handshaking (for example, SNMPv3, OSPF, and BFD).
    • Configuring the password in SHA-256 format is not allowed if the password complexity feature is enabled.
    • If the passwords in the configuration are in SHA-256 format, downgrading to a version where this feature is not supported results in the deletion of the passwords. HPE recommends that you disable this feature and reconfigure the password before downgrading.
    • If the password non-plaintext-sha256 feature is enabled, you are not allowed to enter the password in SHA-1 format.

     



  • 7.  RE: Securing passwords on an Aruba (aka HP Procurve) switch

    Posted Feb 08, 2017 07:32 PM

    Thanks for the update.  I'm still running 16.02.



  • 8.  RE: Securing passwords on an Aruba (aka HP Procurve) switch

    Posted Jul 27, 2018 01:04 AM

    Hi,

    Currently I am using a SHA-256 non-text password. If I want to switch to SHA-1, what is the process?



  • 9.  RE: Securing passwords on an Aruba (aka HP Procurve) switch

    Posted Jun 10, 2019 04:44 PM

    Hi! What about the TACACS shared secret? I'm running 16.05, ran the command you suggested but can still see the TACACS shared secret... Any thoughts?

     

    Thanks!



  • 10.  RE: Securing passwords on an Aruba (aka HP Procurve) switch

    Posted Jul 27, 2018 02:56 AM

    Don't forget to add the following commands:

    include-credentials
    encrypt-credentials
    
    


  • 11.  RE: Securing passwords on an Aruba (aka HP Procurve) switch

    Posted Jul 27, 2018 03:03 AM

    Thanks RLitchfield. But I would like to have the exact commands.

    I tried executing the below:

    no password non-plaintext-sha256

     

    But in the running config of the switch, I still see "password non-plaintext-sha256"



  • 12.  RE: Securing passwords on an Aruba (aka HP Procurve) switch

    Posted Jul 27, 2018 01:17 PM

    Greetings!

     

    When you ran the 'no password non-plaintext-sha256' command, you should have seen a prompt similar to the following:

     

    switch(config)# no password non-plaintext-sha256 
    
                                  **** CAUTION ****
    
     This will remove switch passwords, you need to reconfigure switch passwords later.
    
     Do you want to continue (y/n)?  y
    
     Do you want to set new switch passwords (y/n)?  n

    Did you see that when you ran the command?  If you did, did you choose to continue and/or set new passwords?

     

     

    If you did not see that prompt, could you let us know what software version you're running?
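
An added example, not part of the thread and not HPE/Aruba code: a small audit of a saved switch configuration for the three commands named above (`password non-plaintext-sha256`, `include-credentials`, `encrypt-credentials`) and for a TACACS/RADIUS shared secret left in cleartext, as raised in post 9. It assumes the commands appear verbatim in the saved config and that shared secrets use `key` (cleartext) versus `encrypted-key`; both sample configs are constructed.

```python
import re

# Commands named in the thread; assumed to appear verbatim in a saved config.
HARDENING = (
    "password non-plaintext-sha256",
    "include-credentials",
    "encrypt-credentials",
)

# Assumed syntax: "<proto>-server ... key <secret>" is cleartext, while
# "... encrypted-key <blob>" is what encrypt-credentials produces.
SECRET_RE = re.compile(r"^(tacacs-server|radius-server)\b.*\skey\s+\S+", re.I)

def audit_config(text):
    """Return a list of findings for one saved configuration file."""
    lines = [ln.strip() for ln in text.splitlines()]
    active = {ln.lower() for ln in lines if ln and not ln.startswith(";")}
    findings = [f"missing: {cmd}" for cmd in HARDENING if cmd not in active]
    for n, ln in enumerate(lines, 1):
        if SECRET_RE.match(ln):
            # Report the location only; never echo the secret itself.
            findings.append(f"line {n}: {ln.split()[0]} shared secret in cleartext")
    return findings

# Constructed sample: SHA-256 hashing enabled, nothing else.
SAMPLE_WEAK = """\
; constructed sample, not from a real device
hostname "lab-2920"
password non-plaintext-sha256
tacacs-server host 192.0.2.10 key EXAMPLE-SECRET
"""

# Constructed sample: all three commands present, secret stored encrypted.
SAMPLE_HARDENED = """\
hostname "lab-2920"
password non-plaintext-sha256
include-credentials
encrypt-credentials
tacacs-server host 192.0.2.10 encrypted-key "CONSTRUCTED-BLOB"
"""

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_config(cfg) or "no findings")
```

An empty result only means these text checks passed; it says nothing about how the switch stores the manager and operator passwords internally.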