Requirement:
Configure Password Control on the PVOS switches.
Solution:
To configure password control, we need to make sure of the following:
- The switches are on Aruba OS, KA/KB/WB/WC/YA/YB/YC/RA 16.01.xxxx and later.
Note: This feature does not work on firmware K.16.01.xxxx and later
- The minimum password length is configured to be equal to or greater than the sum of the password composition values.
  If we fail to do that in advance, the switch throws the following error:
  HP-5412Rzl2 (config) # password configuration-control
  The minimum password length configured is 8 less than the sum of password composition. Operation aborted
We can have a look at the default minimum password length and the password composition from the following command:
HP-5412Rzl2#show password configuration-control
The output shows that, by default, the password composition consists of 2 lowercase, 2 uppercase, 2 special characters and 2 numbers. Adding up the password composition characters, the minimum password length should therefore be 8.
Command to increase the minimum password length is:
5412Rzl2 (config)# password minimum-length 8
Note: The minimum password length is modified. Update the local passwords to comply with the modified password length.
Manager credentials must also be configured before “password configuration-control” can be enabled.
Configuring it without the manager credentials throws the following error:
Command: 5412Rzl2 (config)# password configuration-control
Configuration:
Configuring password configuration-control:
After configuring the manager credentials, we can configure the password configuration control on the switch:
Command: 5412Rzl2 (config)# password configuration-control
Note: Configuring this feature will disable the WebUI on the switch and the REST protocol as well.
When password configuration control is set up, we can’t change the manager password for 24 hours, because the default minimum wait time before an existing password can be updated is 24 hours.
To change the minimum wait time we can use the following command:
- HP-5412Rzl2 (config)# password configuration update-interval-time <0-168> in hours
To remove the manager password, we need to disable password configuration control.
NOTE: When password configuration control is enabled, both the manager and operator passwords must be at least 15 characters long.
This can be changed with the following command:
Refer to the CLI clip above for the command.
Here “admin” is any username.
Note: You can only use values of 15 and above.
Verification:
To confirm that password configuration-control is active we can use the following commands:
Hp-5412Rzl2(config)# show password-configuration
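A pre-flight check for the rules described above, as an added example that is not part of the original article or any Aruba tooling: it validates the policy (minimum length against the sum of the password composition) and a candidate manager or operator password before anything is typed on the switch. The class, its field names and the treatment of "special" as ASCII punctuation are assumptions; the defaults and the 15-character floor are the values given on this page.

```python
import string
from dataclasses import dataclass

CONTROL_MIN_LENGTH = 15  # floor the page gives once configuration-control is on

@dataclass
class PasswordPolicy:
    """Hypothetical model of the settings described on this page."""
    min_length: int = 8   # defaults from the page: length 8, 2 of each class
    lowercase: int = 2
    uppercase: int = 2
    special: int = 2
    digits: int = 2
    control_enabled: bool = False

    def composition_sum(self) -> int:
        return self.lowercase + self.uppercase + self.special + self.digits

    def policy_errors(self) -> list:
        """Mirror the switch's check: minimum length must cover the composition."""
        if self.min_length < self.composition_sum():
            return [f"minimum length {self.min_length} is less than "
                    f"composition sum {self.composition_sum()}"]
        return []

    def password_errors(self, password: str) -> list:
        """List every rule the candidate password breaks."""
        required_len = self.min_length
        if self.control_enabled:
            required_len = max(required_len, CONTROL_MIN_LENGTH)
        errors = []
        if len(password) < required_len:
            errors.append(f"length {len(password)} < {required_len}")
        # Assumption: "special" means ASCII punctuation; the page does not define it.
        classes = {
            "lowercase": (string.ascii_lowercase, self.lowercase),
            "uppercase": (string.ascii_uppercase, self.uppercase),
            "special": (string.punctuation, self.special),
            "digits": (string.digits, self.digits),
        }
        for name, (alphabet, needed) in classes.items():
            have = sum(ch in alphabet for ch in password)
            if have < needed:
                errors.append(f"{name}: {have} < {needed}")
        return errors

if __name__ == "__main__":
    policy = PasswordPolicy(control_enabled=True)
    print(policy.policy_errors())
    print(policy.password_errors("Ab1!Cd2?"))          # constructed sample
    print(policy.password_errors("aaBB11!!ccDD22??"))  # constructed sample
```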