I was just looking for some clarity around storing the manager and operator passwords on an Aruba 2920-48G switch.
Are passwords encrypted by default?
Is 'plaintext' in the following command merely to indicate that the password is entered as plaintext and encrypted by the switch?
password manager plaintext PASSWORD
Your passwords are not displayed in the running configuration on ProCurve switches, neither as plaintext nor as hash. Not sure where exactly it stores them, but they cannot be seen from the config itself.
Not sure if that was your concern or something else.
Thanks for getting back to me. That was partly my concern. I checked the running config and couldn't see any reference to the password.
It would be good to know if it's encrypted, if I need to do anything to encrypt it, or what Aruba's best practices are.
In a document called 'Configuration of HP ProCurve Devices in a Campus Environment' I found a line stating: "In HP devices, a special area that is not readily accessible is used to store passwords. Therefore password settings are not visible in the switch configuration file."
Inside the system, passwords are stored as MD5. The link below can confirm this:
The recently-released 16.03 switch software for the 2920, 2930F, 3810, and 5400R switch series introduces support for storing local credentials as SHA-256 hashes, for improved security over the default SHA-1 format. This option can be enabled with the following command, executed from the switch configuration context:
There are a few limitations to this feature; I've copied the following from the WC.16.03 Access Security Guide (pages 44-45):
Thanks for the update. I'm still running 16.02.
Currently I am using a SHA-256 non-text password. If I want to switch to SHA-1, what is the process?
Hi! What about the TACACS shared secret? I'm running 16.05 and ran the command you suggested, but I can still see the TACACS shared secret... Any thoughts?
Don't forget to add the following commands:
Thanks RLitchfield. But I would like to have the exact commands.
I tried executing the below:
no password non-plaintext-sha256
But in the running config of the switch, I still see "password non-plaintext-sha256"
When you ran the 'no password non-plaintext-sha256' command, you should have seen a prompt similar to the following:
switch(config)# no password non-plaintext-sha256
**** CAUTION ****
This will remove switch passwords, you need to reconfigure switch passwords later.
Do you want to continue (y/n)? y
Do you want to set new switch passwords (y/n)? n
Did you see that when you ran the command? If you did, did you choose to continue and/or set new passwords?
If you did not see that prompt, could you let us know what software version you're running?
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.