HP 5500 Ei 5500 Si Switch Series Configuration Guide

 236 
Setting super password control parameters 
CLI commands fall into four levels: visit, monitor, system, and manage, in ascending order. Accordingly, 
login users fall into four levels, each corresponding to a command level. A user of a certain level can only 
use the commands at that level or lower levels.  
To switch from a lower user level to a higher one, a user needs to enter a password for authentication. 
This password is called a super password. For more information on super passwords, see...

 237 
Task Command Remarks 
Display information about users in 
the password control blacklist. display password-control blacklist 
[
 user-name  name |  ip 
ipv4-address |  ipv6 ipv6-address  ] 
[ |  { begin |  exclude | include } 
regular-expression  ]   Available in any view 
Delete users from the password 
control blacklist. 
reset password-control blacklist 
[
 user-name  name ]  Available in user view 
Clear history password records.  reset password-control 
history-record 
[ user-name  name |...

 238 
# Set the minimum password update interval to 36 hours. 
[Sysname] password-control password update interval 36 
# Specify that a user can log in five times within 60 days after the password expires. 
[Sysname] password-control expired-user-login delay 60 times 5 
# Set the maximum account idle time to 30 days. 
[Sysname] password-control login idle-time 30 
# Refuse any password that contains the username or the reverse of the username. 
[Sysname] password-control complexity user-name check 
#...

 239 
 Maximum failed login attempts:       2 times 
 Login attempt-failed action:         Lock 
 Minimum password update time:        36 hours 
 User account idle-time:              30 days 
 Login with aged password:            5 times in 60 day(s) 
 Password complexity:                 Enabled (username checking) 
                                      Enabled (repeated characters chec\
king) 
# Display the password control configuration information for super passwords. 
 display password-control super...

 240 
Configuring HABP 
HABP overview 
The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network devices 
of an access device to bypass 802.1X authentication and MAC authentication configured on the access 
device. 
As shown in  Figure 89, 8
 02.1X authenticator Switch A has two switches attached to it: Switch B and 
Switch C. On Switch A, 802.1X authentication is enabled globally and on the ports connecting the 
downstream network devices. The end-user devices (the...

 241 
Otherwise, the cluster management device will not be able to manage the devices attached to this 
member switch. For more information about the cluster function, see  Network Management and 
Monitoring Configuration Guide . 
Configuring HABP 
Configuring the HABP server 
An HABP server is usually configured on the authentication device enabled with 802.1X authentication 
or MAC address authentication. The HABP server sends HABP requests to the attached switches (HABP 
clients) at a specified...

 242 
Step Command Remarks 
4.  Specify the VLAN to which the 
HABP client belongs.  habp client vlan 
vlan-id  Optional 
By default, an HABP client belongs 
to VLAN 1. 
The VLAN to which an HABP client 
belongs must be the same as that 
specified on the HABP server for 
transmitting HABP packets. 
 
Displaying and maintaining HABP 
 
Task Command Remarks 
Display HABP configuration 
information. 
display habp
 [ | { begin |  exclude 
|  include  } regular-expression  ]  Available in any view 
Display...

 243 
Figure 90 Network diagram 
 
 
Configuration procedure 
1. Configure Switch A: 
# Perform 802.1X related configurations on Switch A (see  Configuring 802.1X).
  
# Enable HABP. (HABP is enabled by defaul t. This configuration is optional.) 
 system-view 
[SwitchA] habp enable 
# Configure HABP to work in server mode, and specify VLAN 1 for HABP packets. 
[SwitchA] habp server vlan 1 
# Set the interval at which the switch sends HABP request packets to 50 seconds. 
[SwitchA] habp timer 50 
2....

 244 
 display habp 
Global HABP information: 
         HABP Mode: Server 
         Sending HABP request packets every 50 seconds 
         Bypass VLAN: 1 
# Display HABP MAC address table entries. 
 display habp table 
MAC             Holdtime  Receive Port 
001f-3c00-0030  53        GigabitEthernet1/0/2 
001f-3c00-0031  53        GigabitEthernet1/0/1  

 245 
Managing public keys 
Overview 
To protect data confidentiality during transmission, the data sender uses an algorithm and a key to 
encrypt the plain text data before sending the data out,  and the receiver uses the same algorithm with the 
help of a key to decrypt the data, as shown in  Figure 91. 
Figure 91  Encryption an

d decryption 
 
 
The keys that participate in the conversion between the  plain text and the cipher text can be the same or 
different, dividing the encryption and decryp...