Access security features

This section provides an overview of the switch's access security features, authentication protocols, and methods. The table "Access security and switch authentication features" lists these features and provides summary configuration guidelines. For more in-depth information, see the references provided (all chapter and page references are to this Access Security Guide unless a different manual name is indicated).


NOTE: The Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. See Using the Management Interface wizard for details.


Access security and switch authentication features

Each entry below gives the feature, its default setting, security guidelines, and where to find more information and configuration details.
Feature: Manager password
Default setting: no password
Security guidelines: Configuring a local manager password is a fundamental step in reducing the possibility of unauthorized access through the switch's WebAgent and console (CLI and Menu) interfaces. The manager password can easily be set by any one of the following methods:
  • CLI: password manager command, or Management Interface wizard
  • WebAgent: the password options under the Security tab, or Management Interface wizard
  • Menu interface: Console passwords option
  • SNMP
More information and configuration details:
  • Configuring local password security
  • Using the Management Interface wizard
  • Using SNMP to view and configure switch authentication features

Feature: Telnet and Web-browser access (WebAgent)
Default setting: enabled
Security guidelines: The default remote management protocols enabled on the switch are plain-text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL (see the SSH and SSL entries below for details) should be used for remote access. This enables you to employ increased access security while still retaining remote client access.

Also, access security on the switch is incomplete without disabling Telnet and the standard Web browser access (WebAgent). Among the methods for blocking unauthorized access attempts using Telnet or the WebAgent are the following two CLI commands:
  • no telnet-server: This command blocks inbound Telnet access.
  • no web-management: This command prevents use of the WebAgent through http (port 80) server access.

If you choose not to disable Telnet and the WebAgent, you may want to consider using RADIUS accounting to maintain a record of password-protected access to the switch.
More information and configuration details:
  • Using the Management Interface wizard
  • For more on Telnet and the WebAgent, see "Interface Access and System Information" in the Management and Configuration Guide.
  • For RADIUS accounting, see RADIUS Authentication, Authorization, and Accounting.

Feature: SSH
Default setting: disabled
Security guidelines: SSH provides Telnet-like functions through encrypted, authenticated transactions of the following types:
  • client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.
  • switch SSH and user password authentication: this option is a subset of client public-key authentication and is used when SSH is enabled on the switch but no login access is configured to authenticate the client's key. In this case, the switch authenticates itself to clients, and users on SSH clients then authenticate themselves to the switch by providing passwords stored on a RADIUS or TACACS+ server, or locally on the switch.
  • secure copy (SC) and secure FTP (SFTP): By opening a secure, encrypted SSH session, you can take advantage of SC and SFTP to provide a secure alternative to TFTP for transferring sensitive switch information. For more on SC and SFTP, see the section titled "Using Secure Copy and SFTP" in the "File Transfers" appendix of the Management and Configuration Guide for your switch.
More information and configuration details:
  • Using the Management Interface wizard
  • Configuring Secure Shell (SSH)

Feature: SSL
Default setting: disabled
Security guidelines: Secure Socket Layer (SSL) and Transport Layer Security (TLS) provide remote Web browser access (WebAgent) to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operation. The authenticated type includes server certificate authentication with user password authentication.
More information and configuration details:
  • Using the Management Interface wizard
  • Configuring Secure Socket Layer (SSL)

Feature: SNMP
Default setting: public, unrestricted
Security guidelines: In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.
More information and configuration details:
  • SNMP security guidelines
  • Using the Management Interface wizard
  • Management and Configuration Guide, see "Using SNMP Tools to manage the switch".
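The Manager password, Telnet/WebAgent, SSH, SSL and SNMP entries above all describe insecure factory defaults that a running-config review can catch. The following Python script is an added example (not from this guide or from HP) that audits a saved running-config for those defaults; the config syntax it matches is assumed ProCurve-style text, and the only commands quoted by the guide itself are `password manager`, `no telnet-server` and `no web-management`.

```python
import re

# Constructed sample running-config in ProCurve-style syntax (assumed syntax;
# the guide quotes only `no telnet-server`, `no web-management` and
# `password manager`). It sits at the defaults the table warns about.
SAMPLE_CONFIG = """\
hostname "edge-sw-01"
snmp-server community "public" unrestricted
telnet-server
web-management plaintext
"""

# One check per table row: (finding id, message, fix command, predicate).
# The predicate gets the set of stripped config lines and returns True when
# the row's recommended setting is present. Fix commands other than the
# three quoted in the guide are assumptions.
CHECKS = [
    ("manager-password", "no local manager password configured",
     "password manager", lambda c: any(l.startswith("password manager") for l in c)),
    ("telnet-server", "inbound Telnet enabled (passwords sent in clear text)",
     "no telnet-server", lambda c: "no telnet-server" in c),
    ("web-management", "plain-text WebAgent (http, port 80) enabled",
     "no web-management", lambda c: "no web-management" in c),
    ("ssh", "SSH not enabled; only plain-text remote CLI is available",
     "ip ssh", lambda c: "ip ssh" in c),
    ("ssl", "SSL/TLS WebAgent not enabled",
     "web-management ssl", lambda c: "web-management ssl" in c),
    ("snmp-community", "default community 'public' still configured",
     "no snmp-server community public",
     lambda c: not any(re.match(r'snmp-server community "public"', l) for l in c)),
]


def parse_config(text):
    """Return the set of non-empty, whitespace-stripped config lines."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def audit(text):
    """Return [(finding id, message, fix)] for rows still at an insecure default."""
    lines = parse_config(text)
    return [(fid, msg, fix) for fid, msg, fix, ok in CHECKS if not ok(lines)]


if __name__ == "__main__":
    for fid, msg, fix in audit(SAMPLE_CONFIG):
        print(f"{fid}: {msg} -> {fix}")
```

The sample config triggers all six findings; a config that carries the hardened lines and a non-default community returns an empty list.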

Feature: Authorized IP managers
Default setting: none
Security guidelines: This feature uses IP addresses and masks to determine whether to allow management access to the switch across the network through the following:
  • Telnet and other terminal emulation applications
  • The WebAgent
  • SNMP (with a correct community name)
More information and configuration details:
  • Using Authorized IP Managers
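The entry above says only that the feature matches management stations by IP address and mask. The following Python is an added example (not from this guide or from HP) of that decision logic: zero bits in the mask are wildcards, so a mask of 255.255.255.255 names a single host and 255.255.255.0 admits a whole subnet. The entry layout, the operator/manager levels and the rule that overlapping entries resolve to the more privileged level are assumptions for illustration.

```python
import ipaddress

# Constructed entries: (address, mask, access level). Layout modelled on an
# assumed `ip authorized-managers <ip> <mask> access <level>` form; the
# guide's row only says the feature uses IP addresses and masks.
AUTHORIZED_MANAGERS = [
    ("10.28.227.0", "255.255.255.0", "operator"),     # whole NOC subnet, read-only
    ("10.28.227.101", "255.255.255.255", "manager"),  # one admin host, read/write
]

LEVEL_RANK = {"operator": 1, "manager": 2}


def matches(station, entry_ip, mask):
    """A station matches an entry when every bit set in the mask agrees
    between the two addresses; zero bits are wildcards, so a mask of
    255.255.255.255 names exactly one host."""
    s = int(ipaddress.IPv4Address(station))
    e = int(ipaddress.IPv4Address(entry_ip))
    m = int(ipaddress.IPv4Address(mask))
    return (s & m) == (e & m)


def granted_level(station, entries=AUTHORIZED_MANAGERS):
    """Highest level of any matching entry (assumption: overlapping entries
    resolve to the more privileged one), or None when nothing matches."""
    best = None
    for entry_ip, mask, level in entries:
        if matches(station, entry_ip, mask) and (
                best is None or LEVEL_RANK[level] > LEVEL_RANK[best]):
            best = level
    return best


def is_allowed(station, wanted, entries=AUTHORIZED_MANAGERS):
    """Decide whether a station may open a Telnet, WebAgent or SNMP session
    at the wanted level. With no entries configured (the default, 'none')
    the feature is off and every station is allowed."""
    if not entries:
        return True
    got = granted_level(station, entries)
    return got is not None and LEVEL_RANK[got] >= LEVEL_RANK[wanted]


if __name__ == "__main__":
    for ip in ("10.28.227.55", "10.28.227.101", "10.28.228.5"):
        print(ip, granted_level(ip))
```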
Feature: Secure Management VLAN
Default setting: disabled
Security guidelines: This feature creates an isolated network for managing the HP switches that offer this feature. When a secure management VLAN is enabled, CLI, Menu interface, and WebAgent access is restricted to ports configured as members of the VLAN.
More information and configuration details:
  • Advanced Traffic Management Guide, see "Static Virtual LANs (VLANs)".

Feature: ACLs for Management Access Protection
Default setting: none
Security guidelines: ACLs can also be configured to protect management access by blocking inbound IP traffic that has the switch itself as the destination IP address.
More information and configuration details:
  • Access Control Lists (ACLs)
  • IPv4 Access Control Lists (ACLs)

Feature: TACACS+ Authentication
Default setting: disabled
Security guidelines: This application uses a central server to allow or deny access to TACACS-aware devices in your network. TACACS+ uses username/password sets with associated privilege levels to grant or deny access through either the switch serial (console) port or remotely, with Telnet.

If the switch fails to connect to a TACACS+ server for the necessary authentication service, it defaults to its own locally configured passwords for authentication control. TACACS+ allows both login (read-only) and enable (read/write) privilege level access.
More information and configuration details:
  • TACACS+ Authentication
Feature: RADIUS Authentication
Default setting: disabled
Security guidelines: For each authorized client, RADIUS can be used to authenticate operator or manager access privileges on the switch via the serial port (CLI and Menu interface), Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods.
More information and configuration details:
  • RADIUS Authentication, Authorization, and Accounting
Feature: 802.1X Access Control
Default setting: none
Security guidelines: This feature provides port-based or user-based authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control client access to network services. Included in the general features are the following:
  • user-based access control supporting up to 32 authenticated clients per port
  • port-based access control allowing authentication by a single client to open the port
  • switch operation as a supplicant for point-to-point connections to other 802.1X-compliant HP switches
More information and configuration details:
  • Configuring Port and User-Based Access Control (802.1X)
Feature: Web and MAC Authentication
Default setting: none
Security guidelines: These options are designed for application on the edge of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access. Because neither method requires clients to run any special supplicant software, both are suitable for legacy systems and temporary access situations where introducing supplicant software is not an attractive option.

Both methods rely on using a RADIUS server for authentication. This simplifies access security management by allowing you to control access from a master database in a single server. It also means the same credentials can be used for authentication, regardless of which switch or switch port is the current access point into the LAN. Web authentication uses a web page login to authenticate users for access to the network. MAC authentication grants access to a secure network by authenticating device MAC addresses for access to the network.
More information and configuration details:
  • Web and MAC Authentication