Configuring local password security

Setting passwords (Menu)

  1. From the Main Menu select:

    3. Console passwords

    Set password screen

  2. To set a new password:

    1. Select Set manager password or Set operator password. You will then be prompted with Enter new password.

    2. Type a password of up to 64 ASCII characters with no spaces, and press Enter. (Remember that passwords are case-sensitive.)

    3. When prompted with Enter new password again, retype the new password and press Enter.

After you configure a password, if you subsequently start a new console session, you will be prompted to enter the password. Remember that usernames are optional. If you use the CLI or WebAgent to configure an optional username, the switch will prompt you for the username, and then the password.

Deleting password protection

This procedure deletes all usernames (if configured) and passwords (manager and operator).

Option one
  1. If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection.

  2. Enter new passwords.

Option two

If you do not have physical access to the switch, you will need manager-level access:

  1. Enter the console at the manager level.

  2. Select the Set manager password option.

  3. Select Delete password Protection. The following prompt appears:

    Continue Deletion of password protection? No/Yes
    
    1. Press the Space bar to select Yes, then press Enter.

    2. Press Enter to clear the Delete password Protection message.

Recovering from a lost manager password

If you cannot start a console session at the manager level because of a lost manager password, clear the password by following these steps:

  1. Get physical access to the switch.

  2. Press and hold the Clear button on the switch for a minimum of one second.

This deletes all passwords and usernames (manager and operator) used by the console and the WebAgent.

Setting passwords and usernames (CLI)


NOTE: You can now configure manager and operator passwords in one step.


Syntax:

[no] password <manager|operator|all|port-access> [user-name ASCII-STR] [<plaintext|sha1> ASCII-STR]

Sets or clears a local username/password for a given access level.

The command sets or changes existing password(s). If no password is provided in the command, you are prompted to enter the new password twice.

The [no] form of the command removes specific local password protection.


NOTE: port-access is available only if include-credentials is enabled.


<manager|operator|port-access|all>: Level of access

manager
    Configures access to the switch with manager-level privileges.

operator
    Configures access to the switch with operator-level privileges.

port-access
    Configures access to the switch through 802.1X authentication with operator-level privileges.

user-name <name>
    The optional text string of the user name associated with the password. The username can be up to 64 characters.

<plaintext|sha1>
    Format for the password entry, and the password itself (up to 64 characters). Specifies the type of algorithm (if any) used to hash the password. Valid values are plaintext or sha-1. The default type is plaintext, which is also the only type accepted for the port-access parameter.

Configuring manager and operator passwords

HP Switch(config)# password manager
New password: *******                  (1)
Please retype new password: *******    (2)
HP Switch(config)# password operator
New password: ********
Please retype new password: ********

(1) Password entries appear as asterisks.
(2) You must type the password entry twice.

Removing password protection

Removing password protection eliminates password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clears the username associated with a password you are removing.) For example, to remove the operator password (and username, if assigned) from the switch, use the following command:

Syntax:

[no] password

Executing this command removes password protection from the operator level so anyone able to access the switch console can gain operator access without entering a username or password.

Syntax:

[no] password all

This command removes both operator and manager password protection.

Removing a password and associated username from a switch

HP Switch(config)# no password
Password protection will be deleted, do you want to continue [y/n]? y 
HP Switch(config)#

Username and password length

The limit on username and password length is 64 characters for the following authentication methods:

  • Front-end—WEB User Interface, SSH, and Telnet

  • Back-end—RADIUS, TACACS+, and Local

General rules for usernames and passwords

Usernames and passwords are case-sensitive. ASCII characters in the range of 33-126 are valid, including:

  • A through Z uppercase characters

  • a through z lowercase characters

  • 0 through 9 numeric characters

  • Special characters ` ~ ! @ # $ % ^ & * ( ) - _ = + [ ] { } \ | ; : ' " , < > / ?.


NOTE: The SPACE character is allowed to form a username or password pass-phrase. The username must be in quotes, for example "The little brown fox". A space is not allowed as part of a username without the quotes. A password that includes a space or spaces should not have quotes.


Restrictions for the setmib command

Usernames and passwords can be set using the CLI command setmib. They cannot be set using SNMP.

  • Quotes are permitted for enclosing other characters, for example, a username or password of abcd can be enclosed in quotes "abcd" without the quotes becoming part of the username or password itself. Quotes can also be inserted between other characters of a username or password, for example, ab"cd. A pair of quotes enclosing characters followed by any additional characters is invalid, for example, "abc"d.

  • Spaces are allowed in usernames and passwords. The username or password must be enclosed in quotes, for example, "one two three". A blank space or spaces between quotes is allowed, for example, " ".

Additional restrictions

Some authentication servers prevent the use of special symbols such as the backslash (\) and quotes ("). The switch allows these symbols in configurable credentials, but using them can limit access for some users who use different client software. See the vendor's documentation for specific information about these restrictions.

Password implications when upgrading or downgrading software versions


IMPORTANT: This section applies to the following HP Switches:

  • HP Switch 2910al-series (J9145A, J9145A, J9147A, J9146A, J9148A)

  • HP Switch 2920-series (J9726A, J9726A, J9727A, J9727A, J9728A, J9729A)


When you update software from a version that does not support long passwords to a version that does support long passwords, the existing usernames and passwords continue to be there and no further action is required.

Before downgrading to a software version that does not include this feature, use one of the following procedures:

  1. Reset the username and/or password to be no more than 16 characters in length, without using any special characters, from the CLI command password.

    1. Execute a CLI write memory command (required if the include-credentials feature has ever been enabled.)

    HP Switch(config)# password manager 
    New password: ******** 
    Please retype new password: ******* 
    HP Switch(config)# write mem
    

    Or

  2. Execute the CLI command [no] password all. This clears all the passwords.

    1. Execute a CLI write memory command (required if the include-credentials feature has ever been enabled.)

      HP Switch(config)# no password all
      Password protections will be deleted, do you want to
      continue [y/n]? y
      HP Switch(config)# write mem
      

    Or

  3. Clear the password by using the Clear button on the switch.

    1. Execute a CLI write memory command (required if the include-credentials feature has ever been enabled.)
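
The character, length and downgrade rules in this document can be checked mechanically before a software change. The following Python check is an added example, not part of the HP documentation; the function names, the sample values and the reading of "special characters" as anything other than letters and digits are assumptions.

```python
import string

MAX_LEN = 64          # length limit this page gives for usernames and passwords
LEGACY_MAX_LEN = 16   # limit the page gives before a downgrade
ALNUM = set(string.ascii_letters + string.digits)
SERVER_RISKY = {"\\", '"'}  # symbols the page says some authentication servers reject


def audit_credential(value):
    """Check one username or password string against the rules on this page."""
    # Valid characters are ASCII 33-126; SPACE is also allowed in a pass-phrase.
    out_of_range = sorted({c for c in value if c != " " and not 33 <= ord(c) <= 126})
    valid = 0 < len(value) <= MAX_LEN and not out_of_range
    # Assumption: "special characters" in the downgrade procedure means anything
    # other than A-Z, a-z and 0-9, so a space also counts as special.
    downgrade_safe = valid and len(value) <= LEGACY_MAX_LEN and set(value) <= ALNUM
    notes = []
    if len(value) > MAX_LEN:
        notes.append(f"length {len(value)} exceeds {MAX_LEN}")
    if out_of_range:
        notes.append(f"characters outside ASCII 33-126: {out_of_range!r}")
    if " " in value:
        notes.append("contains a space: quote it as a username, not as a password")
    if SERVER_RISKY & set(value):
        notes.append("contains a backslash or double quote: some servers reject these")
    if valid and not downgrade_safe:
        notes.append("reset before downgrading to software without long passwords")
    return {"valid": valid, "downgrade_safe": downgrade_safe, "notes": notes}


def needs_reset_before_downgrade(credentials):
    """Return the names of entries that fail the pre-downgrade rule."""
    return [name for name, value in credentials.items()
            if not audit_credential(value)["downgrade_safe"]]


# Constructed sample values, not taken from any real switch.
SAMPLE = {
    "manager": "Tr1cky\\Pass!word-with-more-than-16",
    "operator": "Oper8tor2024",
    "port-access": "The little brown fox",
}

if __name__ == "__main__":
    for name, value in SAMPLE.items():
        print(name, audit_credential(value))
    print("reset before downgrade:", needs_reset_before_downgrade(SAMPLE))
```

The report lists only the entry names and the rule each one breaks, so the credential values themselves never appear in the output.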

Unable to use previous password


IMPORTANT: This section applies to the following HP Switches:

  • HP Switch 2910al-series (J9145A, J9145A, J9147A, J9146A, J9148A)

  • HP Switch 2920-series (J9726A, J9726A, J9727A, J9727A, J9728A, J9729A)


If you cannot access the switch after a software version downgrade, clear the password by using the Clear button on the switch to regain access. Then boot into a software version that supports long passwords, and perform steps 1, 2, or 3 in the preceding section.

Setting passwords and usernames (WebAgent)

In the WebAgent you can enter passwords and (optional) usernames. See the WebAgent Online Help for detailed information.