HP 5500 EI / 5500 SI Switch Series Configuration Guide
Setting super password control parameters
CLI commands fall into four levels: visit, monitor, system, and manage, in ascending order. Accordingly, login users fall into four levels, each corresponding to a command level. A user of a certain level can only use the commands at that level or lower levels.
To switch from a lower user level to a higher one, a user needs to enter a password for authentication. This password is called a super password. For more information on super passwords, see Fundamentals Configuration Guide.
To set super password control parameters:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Set the password aging time for super passwords.
    Command: password-control super aging aging-time
    Remarks: Optional. 90 days by default.

Step 3. Configure the minimum length for super passwords.
    Command: password-control super length length
    Remarks: Optional. 10 characters by default.

Step 4. Configure the password composition policy for super passwords.
    Command: password-control super composition type-number type-number [ type-length type-length ]
    Remarks: Optional. By default, the minimum number of password composition types is 1 and the minimum number of characters of each composition type is also 1.
     
    Setting a local user password in interactive mode 
    You can set a password for a local user in interactive mode. When doing so, you need to confirm the 
    password. 
To set a password for a local user in interactive mode:

Step 1. Enter system view.
    Command: system-view

Step 2. Create a local user and enter local user view.
    Command: local-user user-name

Step 3. Set the password for the local user in interactive mode.
    Command: password
     
Displaying and maintaining password control

Task: Display password control configuration information.
    Command: display password-control [ super ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

Task: Display information about users in the password control blacklist.
    Command: display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

Task: Delete users from the password control blacklist.
    Command: reset password-control blacklist [ user-name name ]
    Remarks: Available in user view.

Task: Clear history password records.
    Command: reset password-control history-record [ user-name name | super [ level level ] ]
    Remarks: Available in user view.
     
     
NOTE:
The reset password-control history-record command can delete the history password records of a specific user or all users even when the password history function is disabled.
     
    Password control configuration example 
    Network requirements 
    Implementing the following global password control policy: 
    •  An FTP or VTY user failing to provide the correct password in two successive login attempts is 
    permanently prohibited from logging in. 
    •   A user can log in five times within 60 days after the password expires. 
    •   The password aging time is 30 days. 
    •   The minimum password update interval is 36 hours. 
    •   The maximum account idle time is 30 days. 
    •   A password cannot contain the username or the reverse of the username. 
    •   No character occurs consecutively three or more times in a password. 
Implementing the following super password control policy:
•   A super password must contain at least three types of valid characters, five or more of each type.
Implementing the following password control policy for local Telnet user test:
•   The password must contain at least 12 characters.
•   The password must consist of at least two types of valid characters, five or more of each type.
•   The password aging time is 20 days.
Configuration procedure
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
# Prohibit the user from logging in forever after two successive login failures.
[Sysname] password-control login-attempt 2 exceed lock
# Set the password aging time to 30 days for all passwords.
[Sysname] password-control aging 30
# Set the minimum password update interval to 36 hours.
[Sysname] password-control password update interval 36
# Specify that a user can log in five times within 60 days after the password expires.
[Sysname] password-control expired-user-login delay 60 times 5
# Set the maximum account idle time to 30 days.
[Sysname] password-control login idle-time 30
# Refuse any password that contains the username or the reverse of the username.
[Sysname] password-control complexity user-name check
# Specify that no character of the password can be repeated three or more times consecutively.
[Sysname] password-control complexity same-character check
# Set the minimum number of composition types for super passwords to 3 and the minimum number of characters of each composition type to 5.
[Sysname] password-control super composition type-number 3 type-length 5
# Configure a super password. (The simple keyword means the password is typed in plain text on the command line. The value 12345ABGFTweuix satisfies the policy just configured: five digits, five uppercase letters and five lowercase letters.)
[Sysname] super password level 3 simple 12345ABGFTweuix
# Create a local user named test.
[Sysname] local-user test
# Set the service type of the user to Telnet.
[Sysname-luser-test] service-type telnet
# Set the minimum password length to 12 for the local user.
[Sysname-luser-test] password-control length 12
# Set the minimum number of password composition types to 2 and the minimum number of characters of each password composition type to 5 for the local user.
[Sysname-luser-test] password-control composition type-number 2 type-length 5
# Set the password aging time to 20 days for the local user.
[Sysname-luser-test] password-control aging 20
# Configure the password of the local user in interactive mode.
[Sysname-luser-test] password
Password:***********
Confirm :***********
Updating user(s) information, please wait........
[Sysname-luser-test] quit
Verifying the configuration
# Display the global password control configuration information.
<Sysname> display password-control
Global password control configurations:
 Password control:                    Enabled
 Password aging:                      Enabled (30 days)
 Password length:                     Enabled (10 characters)
 Password composition:                Enabled (1 types,  1 characters per type)
 Password history:                    Enabled (max history record:4)
 Early notice on password expiration: 7 days
 User authentication timeout:         60 seconds
 Maximum failed login attempts:       2 times
 Login attempt-failed action:         Lock
 Minimum password update time:        36 hours
 User account idle-time:              30 days
 Login with aged password:            5 times in 60 day(s)
 Password complexity:                 Enabled (username checking)
                                      Enabled (repeated characters checking)
# Display the password control configuration information for super passwords.
<Sysname> display password-control super
 Super password control configurations:
 Password aging:                      Enabled (30 days)
 Password length:                     Enabled (10 characters)
 Password composition:                Enabled (3 types,  5 characters per type)
# Display the password control configuration information for local user test.
<Sysname> display local-user user-name test
The contents of local user test:
 State:                    Active
 ServiceType:              telnet
 Access-limit:             Disable           Current AccessNum: 0
 User-group:               system
 Bind attributes:
 Authorization attributes:
 Password aging:                       Enabled (20 days)
 Password length:                      Enabled (12 characters)
 Password composition:                 Enabled (2 types,  5 characters per type)
Total 1 local user(s) matched.
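A practical way to find out before a change window whether a candidate password will be accepted is to apply the same rules offline. The following is an added example (not HP's or Comware's code) that implements the page's length, composition (type-number / type-length), username and repeated-character rules in Python. The parameter names mirror the commands above; the helper names and the exact set of "special" characters are assumptions, as noted in the code. It checks the super password from the procedure against the 3-type, 5-per-type policy and a deliberately weak candidate for local user test against that user's 12-character, 2-type policy plus the global complexity checks.

```python
"""Pre-check candidate passwords against the password-control rules described on this page.

Added example, not HP's or Comware's code. The rule parameters mirror the page's
commands (length, composition type-number / type-length, complexity user-name check,
complexity same-character check); the helper names are hypothetical."""
import re

# The character classes that composition checking distinguishes.
# Assumption: "special" = any printable ASCII character other than letters,
# digits and space; the exact set on the switch may differ.
CLASSES = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "special": lambda c: c.isascii() and c.isprintable() and not c.isalnum() and c != " ",
}


def composition(password):
    """Count the characters of each class present in password (classes with 0 omitted)."""
    counts = {name: 0 for name in CLASSES}
    for ch in password:
        for name, belongs in CLASSES.items():
            if belongs(ch):
                counts[name] += 1
                break
    return {name: n for name, n in counts.items() if n}


def check_password(password, username=None, *, min_length=10,
                   type_number=1, type_length=1,
                   username_check=False, same_char_check=False):
    """Return the list of violated rules; an empty list means the password passes.

    Defaults are the page's global defaults (length 10, 1 type, 1 character per type).
    """
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")

    # A class only counts towards type_number if it has at least type_length characters.
    qualifying = [name for name, n in composition(password).items() if n >= type_length]
    if len(qualifying) < type_number:
        violations.append(f"needs {type_number} character types with at least "
                          f"{type_length} characters each, has {len(qualifying)}")

    if username_check and username:
        # Assumption: the username and its reverse are matched case-insensitively
        # (the stricter reading of "cannot contain the username").
        pw, user = password.lower(), username.lower()
        if user in pw or user[::-1] in pw:
            violations.append("contains the username or its reverse")

    if same_char_check and re.search(r"(.)\1\1", password):
        violations.append("a character occurs three or more times consecutively")

    return violations


if __name__ == "__main__":
    # The super password from the page against the super policy (3 types, 5 of each).
    print(check_password("12345ABGFTweuix", type_number=3, type_length=5))
    # A weak candidate for user "test" against that user's policy plus the global complexity checks.
    print(check_password("Passw0rd!!!", "test", min_length=12, type_number=2,
                         type_length=5, username_check=True, same_char_check=True))
```

The switch additionally enforces history, aging and minimum-update-interval rules that depend on state it keeps per user; those cannot be evaluated offline and are not modelled here.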
      
    						
    Configuring HABP 
    HABP overview 
    The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network devices 
    of an access device to bypass 802.1X authentication and MAC authentication configured on the access 
    device. 
As shown in Figure 89, 802.1X authenticator Switch A has two switches attached to it: Switch B and Switch C. On Switch A, 802.1X authentication is enabled globally and on the ports connecting the downstream network devices. The end-user devices (the supplicants) run the 802.1X client software for 802.1X authentication. For Switch B and Switch D, where the 802.1X client is not supported (which is typical of network devices), the communication between them will fail because they cannot pass 802.1X authentication and their packets will be blocked on Switch A. To allow the two switches to communicate, you can use HABP.
    Figure 89  Network diagram for HABP application 
     
     
HABP is a link layer protocol that works above the MAC layer. It is built on the client-server model. Generally, the HABP server is enabled on the authentication device (which is configured with 802.1X or MAC authentication, such as Switch A in the above example), and the attached switches function as the HABP clients, such as Switch B through Switch E in the example. No device can function as both an HABP server and a client at the same time. Typically, the HABP server sends HABP requests to all its clients periodically to collect their MAC addresses, and the clients respond to the requests. After the server learns the MAC addresses of all the clients, it registers the MAC addresses as HABP entries. Then, link layer frames exchanged between the clients can bypass the 802.1X authentication on ports of the server without affecting the normal operation of the whole network. All HABP packets must travel in a specified VLAN. Communication between the HABP server and HABP clients is implemented through this VLAN.
In a cluster, if a member switch with 802.1X authentication or MAC authentication enabled is attached with some other member switches of the cluster, you also need to configure HABP server on this device. Otherwise, the cluster management device will not be able to manage the devices attached to this member switch. For more information about the cluster function, see Network Management and Monitoring Configuration Guide.
    Configuring HABP 
    Configuring the HABP server 
    An HABP server is usually configured on the authentication device enabled with 802.1X authentication 
    or MAC address authentication. The HABP server sends HABP requests to the attached switches (HABP 
    clients) at a specified interval, collecting their MAC addresses from the responses. HABP packets are 
    transmitted in the VLAN specified on the HABP server. 
To configure an HABP server:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enable HABP.
    Command: habp enable
    Remarks: Optional. Enabled by default.

Step 3. Configure HABP to work in server mode and specify the VLAN for HABP packets.
    Command: habp server vlan vlan-id
    Remarks: HABP works in client mode by default. The VLAN specified on the HABP server for transmitting HABP packets must be the same as that to which the HABP clients belong.

Step 4. Set the interval to send HABP requests.
    Command: habp timer interval
    Remarks: Optional. 20 seconds by default.
     
    Configuring an HABP client 
An HABP client is usually configured on each device that is attached to the authentication device. After receiving an HABP request from the HABP server, an HABP client responds to the request, delivering its MAC address to the server, and forwards the HABP request to its attached switches. HABP packets are transmitted in the VLAN to which the HABP client belongs.
To configure an HABP client:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enable HABP.
    Command: habp enable
    Remarks: Optional. Enabled by default.

Step 3. Configure HABP to work in client mode.
    Command: undo habp server
    Remarks: Optional. HABP works in client mode by default.

Step 4. Specify the VLAN to which the HABP client belongs.
    Command: habp client vlan vlan-id
    Remarks: Optional. By default, an HABP client belongs to VLAN 1. The VLAN to which an HABP client belongs must be the same as that specified on the HABP server for transmitting HABP packets.
     
Displaying and maintaining HABP

Task: Display HABP configuration information.
    Command: display habp [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

Task: Display HABP MAC address table entries.
    Command: display habp table [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

Task: Display HABP packet statistics.
    Command: display habp traffic [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
     
     
    HABP configuration example 
    Network requirements 
As shown in Figure 90, Switch A is attached with access devices Switch B and Switch C. 802.1X authentication is configured on Switch A for central authentication and management of users (Host A through Host D).
For communication between Switch B and Switch C, enable HABP server on Switch A, enable HABP client on Switch B and Switch C, and specify VLAN 1 for HABP packets.
Configure the HABP server to send HABP request packets to the HABP clients in VLAN 1 at an interval of 50 seconds.
Figure 90 Network diagram
     
     
Configuration procedure
1. Configure Switch A:
# Perform 802.1X related configurations on Switch A (see Configuring 802.1X).
# Enable HABP. (HABP is enabled by default. This configuration is optional.)
<SwitchA> system-view
[SwitchA] habp enable
# Configure HABP to work in server mode, and specify VLAN 1 for HABP packets.
[SwitchA] habp server vlan 1
# Set the interval at which the switch sends HABP request packets to 50 seconds.
[SwitchA] habp timer 50
2. Configure Switch B:
# Enable HABP. (HABP is enabled by default. This configuration is optional.)
<SwitchB> system-view
[SwitchB] habp enable
# Configure HABP to work in client mode. (HABP works in client mode by default. This configuration is optional.)
[SwitchB] undo habp server
# Specify the VLAN to which the HABP client belongs as VLAN 1. (An HABP client belongs to VLAN 1 by default. This configuration is optional.)
[SwitchB] habp client vlan 1
3. Configure Switch C:
Configurations on Switch C are similar to those on Switch B.
4. Verify your configuration:
# Display HABP configuration information.
<SwitchA> display habp
Global HABP information:
         HABP Mode: Server
         Sending HABP request packets every 50 seconds
         Bypass VLAN: 1
# Display HABP MAC address table entries.
<SwitchA> display habp table
MAC             Holdtime  Receive Port
001f-3c00-0030  53        GigabitEthernet1/0/2
001f-3c00-0031  53        GigabitEthernet1/0/1
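Every MAC address the HABP server registers is a MAC whose frames bypass 802.1X on the server's ports, so the output of display habp table is, in effect, the list of exemptions from port authentication and is worth reconciling against the inventory of switches that are supposed to be HABP clients. The following added example (not HP's code) parses the table format shown above and reports entries that are not in an expected-client map, entries seen on a different port than expected, and expected clients that are absent. The expected-client map and the third table row are constructed for illustration; the function names are hypothetical.

```python
"""Reconcile 'display habp table' output with the expected set of HABP clients.

Added example, not HP's code. The table layout is the one shown on this page;
the inventory and the third row of the sample are constructed for illustration."""
import re

# Constructed sample: the two rows from the page plus one extra (hypothetical) entry.
SAMPLE_OUTPUT = """\
MAC             Holdtime  Receive Port
001f-3c00-0030  53        GigabitEthernet1/0/2
001f-3c00-0031  53        GigabitEthernet1/0/1
0000-5e00-0101  12        GigabitEthernet1/0/5
"""

# Hypothetical inventory: the MAC of each switch that should be an HABP client
# and the port on the server it is expected to be seen on.
EXPECTED = {
    "001f-3c00-0030": "GigabitEthernet1/0/2",
    "001f-3c00-0031": "GigabitEthernet1/0/1",
}

# One table row: Comware-style MAC (xxxx-xxxx-xxxx), hold time in seconds, receive port.
ENTRY_RE = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+(\S+)\s*$", re.IGNORECASE
)


def parse_habp_table(text):
    """Return {mac: {"holdtime": int, "port": str}} for every data row; headers are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            mac, hold, port = m.groups()
            entries[mac.lower()] = {"holdtime": int(hold), "port": port}
    return entries


def audit(entries, expected):
    """Compare the live HABP table with the inventory.

    Returns a list of (kind, mac, port) findings:
      "unexpected": a MAC bypassing 802.1X that is not a known HABP client
      "moved":      a known client seen on a different server port than expected
      "missing":    a known client absent from the table (may have lost HABP reachability)
    """
    findings = []
    for mac, info in entries.items():
        if mac not in expected:
            findings.append(("unexpected", mac, info["port"]))
        elif expected[mac] != info["port"]:
            findings.append(("moved", mac, info["port"]))
    for mac, port in expected.items():
        if mac not in entries:
            findings.append(("missing", mac, port))
    return findings


if __name__ == "__main__":
    for kind, mac, port in audit(parse_habp_table(SAMPLE_OUTPUT), EXPECTED):
        print(f"{kind:10s} {mac}  {port}")
```

An "unexpected" finding deserves the same attention as an unknown device on an authenticated port, because the entry means the server is forwarding that MAC's frames without 802.1X; a "moved" finding usually points at a cabling or topology change that the inventory has not caught up with.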
    						
    Managing public keys 
    Overview 
To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out, and the receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 91.
Figure 91 Encryption and decryption

The keys that participate in the conversion between the plain text and the cipher text can be the same or different, dividing the encryption and decryption algorithms into the following types:
•   Symmetric key algorithm—The keys for encryption and decryption are the same.
•   Asymmetric key algorithm—The keys for encryption and decryption are different: one is the public key, and the other is the private key. Information encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. The private key is kept secret, and the public key may be distributed widely. The private key cannot be practically derived from the public key. Asymmetric key algorithms include the Rivest-Shamir-Adleman algorithm (RSA) and the Digital Signature Algorithm (DSA).
Asymmetric key algorithms can be used in two scenarios for two purposes:
•   To encrypt and decrypt data—The sender uses the public key of the intended receiver to encrypt the information to be sent. Only the intended receiver, the holder of the paired private key, can decrypt the information. This mechanism guarantees confidentiality. Only RSA can be used for data encryption and decryption.
•   To authenticate a sender—Also called digital signature. The sender signs the information to be sent by applying its own private key to the information (in practice, to a hash of it). The receiver applies the sender's public key to the signature and, by comparing the result with the information it received, determines whether the information is authentic and unmodified. RSA and DSA can be used for digital signature.
Asymmetric key algorithms are widely used in various applications. For example, Secure Shell (SSH), Secure Sockets Layer (SSL), and Public Key Infrastructure (PKI) use the algorithms for digital signature. For information about SSH, SSL, and PKI, see Configuring SSH2.0, Configuring SSL, and Configuring PKI.
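The two purposes above are the same modular exponentiation with the roles of the two keys swapped. The following added example (not from this guide) shows both with textbook RSA on the classic tiny parameters p = 61, q = 53, e = 17 for the receiver and a second small key pair for the signer. It has no padding, reduces the SHA-256 digest modulo the tiny modulus, and uses a trivially factorable n, so it illustrates the mechanics only and must never be used for real keys; the function names are hypothetical.

```python
"""The two uses of an asymmetric key pair, shown with textbook RSA on tiny primes.

Added example, not from this guide. Unpadded RSA with a 12-bit modulus is fine for
showing the mechanics and unusable for real security."""
import hashlib


def make_keypair(p=61, q=53, e=17):
    """Return (public, private), each an (exponent, modulus) pair.

    Defaults are the classic small textbook example (n = 3233, d = 2753).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi), Python 3.8+
    return (e, n), (d, n)


def rsa_apply(key, x):
    """Modular exponentiation with the given key; serves both purposes below."""
    exponent, n = key
    if not 0 <= x < n:
        raise ValueError("input must be an integer in [0, n)")
    return pow(x, exponent, n)


# Purpose 1: confidentiality. The sender encrypts with the RECEIVER's public key;
# only the holder of the paired private key can recover the message.
def encrypt(receiver_public, m):
    return rsa_apply(receiver_public, m)


def decrypt(receiver_private, c):
    return rsa_apply(receiver_private, c)


# Purpose 2: authentication (digital signature). The sender applies its own PRIVATE
# key to a digest of the message; anyone holding the sender's public key can check it.
def digest_mod_n(message, n):
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h % n                 # toy reduction so the digest fits the tiny modulus


def sign(sender_private, message):
    return rsa_apply(sender_private, digest_mod_n(message, sender_private[1]))


def verify(sender_public, message, signature):
    """True if applying the public key to the signature yields the message digest."""
    n = sender_public[1]
    return rsa_apply(sender_public, signature) == digest_mod_n(message, n)


if __name__ == "__main__":
    bob_public, bob_private = make_keypair()
    c = encrypt(bob_public, 65)
    print("ciphertext", c, "decrypts to", decrypt(bob_private, c))

    alice_public, alice_private = make_keypair(p=101, q=103, e=7)
    msg = b"switch config v2"
    sig = sign(alice_private, msg)
    print("signature valid:", verify(alice_public, msg, sig))
    print("tampered signature valid:", verify(alice_public, msg, (sig + 1) % alice_public[1]))
```

Because x -> x^e mod n is a permutation of the residues when e is coprime to phi(n), any change to the signature changes what the public key recovers, which is why the tampered check fails; real implementations add padding (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures) and use moduli of 2048 bits or more.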
    Configuration task list 
    Public key configuration tasks enable you to manage the local asymmetric key pairs, and configure the 
    peer host public keys on the local device. By completing these tasks, the local device is ready to work 
    with applications such as SSH and SSL to implement data encryption/decryption, or digital signature. 
    Complete these tasks to configure public keys:  
    						