HP 5500 Ei 5500 Si Switch Series Configuration Guide

    [Device-GigabitEthernet1/0/1] undo port-security port-mode  
    						
    Configuring a user profile
    User profile overview
    A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy. Different user profiles are applicable to different application scenarios.
    The user profile supports working with 802.1X authentication and portal authentication. It is capable of restricting the behaviors of authenticated users. After the authentication server verifies a user, it sends the device the name of the user profile that is associated with the user. Then the device applies the configurations in the user profile if the profile is enabled, and allows user access based on all valid configurations. If the user profile is not enabled, the device denies the user access. After the user logs out, the device automatically disables the configurations in the user profile, and the restrictions on the user are removed.
    Without user profiles, service applications are based on an interface, a VLAN, or the whole device, and a policy applies to any user that accesses that interface, VLAN, or device. If a user moves between ports to access a device, to restrict the user behavior you must remove the policy from the previous port and then configure the same policy on the port that the user now uses. This configuration task is tedious and error prone. User profiles provide flexible user-based service applications because a user profile is associated with a target user. Every time the user accesses the device, the device automatically applies the configurations in the associated user profile.
    User profile configuration task list
    Task                      Remarks
    Creating a user profile   Required
    Applying a QoS policy     Required
    Enabling a user profile   Required

    Creating a user profile 
    Configuration prerequisites 
    Before you create a user profile, complete the following tasks:
    •  Configure authentication parameters on the device.
    •  Perform configurations on the client, the device, and the authentication server, for example, username, password, authentication scheme, domain, and binding a user profile with a user.
    Configuration procedure   
    						
    Step 1. Enter system view.
      Command: system-view
      Remarks: N/A
    Step 2. Create a user profile and enter its view.
      Command: user-profile profile-name
      Remarks: You can use the command to enter the view of an existing user profile.
     
    Applying a QoS policy 
    You can apply QoS policies in user profile view to implement traffic management functions.
    Configuration guidelines
    •  After a user profile is created, apply a QoS policy in user profile view to implement restrictions on online users. The QoS policy takes effect when the user profile is enabled and a user using the user profile goes online.
    •  The QoS policies that can be applied to user profiles support only the remark, car, and filter actions.
    •  Do not apply an empty policy in user profile view because a user profile with an empty policy applied cannot be enabled.
    •  If a user profile is enabled, you cannot modify the applied QoS policy (including the ACL that is referenced by the QoS policy) or remove it.
    •  For information about QoS policy configurations, see ACL and QoS Configuration Guide.
    Configuration procedure  
    Step 1. Enter system view.
      Command: system-view
      Remarks: N/A
    Step 2. Enter user profile view.
      Command: user-profile profile-name
      Remarks: N/A
    Step 3. Apply the QoS policy.
      Command: qos apply policy policy-name { inbound | outbound }
      Remarks: The inbound keyword applies the QoS policy to incoming traffic of the switch (traffic sent by online users). The outbound keyword applies the QoS policy to outgoing traffic of the switch (traffic sent to online users). The outbound keyword is not available on the HP 5500 SI Switch Series.
     
    Enabling a user profile
    Enable a user profile so that the configurations in the profile can be applied by the device to restrict user behaviors. If the device detects that the user profile is disabled, the device denies the associated user even if the user has been verified by the authentication server.
    						
    To enable a user profile:
    Step 1. Enter system view.
      Command: system-view
      Remarks: N/A
    Step 2. Enable a user profile.
      Command: user-profile profile-name enable
      Remarks: A user profile is disabled by default.

    NOTE:
    •  You can only edit or remove the configurations in a disabled user profile.
    •  Disabling a user profile logs out the users that are using the user profile.
     
    Displaying and maintaining user profiles
    Task: Display information about all the created user profiles.
      Command: display user-profile [ | { begin | exclude | include } regular-expression ]
      Remarks: Available in any view.
      
    						
    Configuring password control 
    Password control overview 
    Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.
    1. Minimum password length
    By setting a minimum password length, you can force users to use passwords long enough for system security. If a user specifies a shorter password, the system rejects the setting and prompts the user to re-specify a password.
    2. Minimum password update interval
    This function allows you to set the minimum interval at which users can change their passwords. If a non-manage level user logs in to change the password but the time that elapses since the last change is less than this interval, the system denies the request. For example, if you set this interval to 48 hours, a non-manage level user cannot change the password twice within 48 hours. This prevents users from changing their passwords frequently.
     
    NOTE:
    •  This function is not effective for users of the manage level. For information about user levels, see Fundamentals Configuration Guide.
    •  This function is not effective for a user who is prompted to change the password at the first login or a user whose password has just been aged out.
     
    3. Password aging
    Password aging imposes a lifecycle on a user password. After the password aging time expires, the user needs to change the password.
    If a user enters an expired password when logging in, the system displays an error message and prompts the user to provide a new password and to confirm it by entering it again. The new password must be a valid one and the user must enter exactly the same password when confirming it.
    4. Early notice on pending password expiration
    When a user logs in, the system checks whether the password will expire in a time equal to or less than the specified period. If so, the system notifies the user of the expiry time and provides a choice for the user to change the password. If the user provides a new password that is qualified, the system records the new password and the time. If the user chooses to leave the password or the user fails to change it, the system allows the user to log in using the present password.
     
    NOTE:
    Telnet, SSH, and terminal users can change their passwords by themselves, while FTP users can only have their passwords changed by the administrator.
     
    5. Login with an expired password
    You can allow a user to log in a certain number of times within a specified period of time after the password expires, so that the user does not need to change the password immediately. For example, if you set the maximum number of logins with an expired password to three and the time period to 15 days, a user can log in three times within 15 days after the password expires.
    6. Password history
    With this feature enabled, the system maintains certain entries of passwords that a user has used. When a user changes the password, the system checks the new password against the used ones. The new password must be different from the used ones by at least four characters and the four characters must not be the same. Otherwise, you will fail to change the password and the system displays an error message.
    You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the latest record will overwrite the earliest one.
    7. Login attempt limit
    Limiting the number of consecutive failed login attempts can effectively prevent password guessing.
    If an FTP or virtual terminal line (VTY) user fails authentication due to a password error, the system adds the user to a password control blacklist. If a user fails to provide the correct password after the specified number of consecutive attempts, the system takes action as configured:
      - Prohibiting the user from logging in until the user is removed from the password control blacklist manually.
      - Allowing the user to try continuously and removing the user from the password control blacklist when the user logs in to the system successfully or the blacklist entry times out (the blacklist entry aging time is one minute).
      - Prohibiting the user from logging in within a configurable period of time, and allowing the user to log in again after the period of time elapses or the user is removed from the password control blacklist.
    A password control blacklist can contain up to 1024 entries.
    A login attempt using a wrong username will undoubtedly fail but the username will not be added to the password control blacklist.
    Web users failing login authentication are not added to the password control blacklist. Users accessing the system through the console or AUX interface are not blacklisted either, because the system is unable to obtain the IP addresses of these users and these users are privileged and therefore relatively secure to the system.
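To make the three blacklist actions concrete, here is an added example (not HP code) that models the login-attempt limit described above: a blacklist keyed by username and source address (an assumption), the 1024-entry cap, the one-minute entry aging time, and the lock, unlock and lock-time actions; unknown usernames and web, console and AUX access are never blacklisted, as the text states.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BLACKLIST_AGING = 60.0       # blacklist entry aging time: one minute (from the guide)
BLACKLIST_CAPACITY = 1024    # maximum number of blacklist entries (from the guide)
BLACKLISTED_ACCESS = {"vty", "ftp"}   # web, console and AUX users are never blacklisted


@dataclass
class Entry:
    failures: int = 0                      # consecutive password failures
    last_failure: float = 0.0              # basis for the one-minute aging (assumption)
    locked_until: Optional[float] = None   # None: not locked; inf: until manual removal


@dataclass
class LoginAttemptLimiter:
    """Model of: password-control login-attempt login-times [ exceed { lock | unlock | lock-time time } ]"""
    login_times: int = 3          # default maximum number of login attempts
    exceed: str = "lock-time"     # default action: wait one minute before trying again
    lock_time: float = 60.0
    entries: Dict[Tuple[str, str], Entry] = field(default_factory=dict)

    def remove(self, username: str, ip: str) -> None:
        """Manual removal of a user from the blacklist by the administrator."""
        self.entries.pop((username, ip), None)

    def attempt(self, username: str, ip: str, access: str, user_exists: bool,
                password_ok: bool, now: Optional[float] = None) -> Tuple[bool, str]:
        """Process one login attempt; returns (allowed, reason)."""
        now = time.time() if now is None else now
        key = (username, ip)           # assumption: entries are keyed by user and source IP
        entry = self.entries.get(key)
        if entry is not None:
            if entry.locked_until is not None:
                if now < entry.locked_until:
                    return False, "blacklisted: login prohibited"
                del self.entries[key]   # lock-time elapsed: the user may try again
                entry = None
            elif now - entry.last_failure >= BLACKLIST_AGING:
                del self.entries[key]   # unlocked entry aged out after one minute
                entry = None
        if not user_exists:
            return False, "unknown username (not blacklisted)"
        if password_ok:
            self.entries.pop(key, None)  # a successful login clears the entry
            return True, "authenticated"
        if access not in BLACKLISTED_ACCESS:
            return False, "password error (this access type is not blacklisted)"
        if entry is None:
            if len(self.entries) >= BLACKLIST_CAPACITY:
                return False, "password error (blacklist full)"
            entry = self.entries[key] = Entry()
        entry.failures += 1
        entry.last_failure = now
        if entry.failures >= self.login_times:
            if self.exceed == "lock":
                entry.locked_until = float("inf")     # until removed manually
            elif self.exceed == "lock-time":
                entry.locked_until = now + self.lock_time
            # "unlock": the user may keep trying; the entry clears on success or aging
            return False, f"password error: attempt limit reached, action {self.exceed}"
        return False, "password error"
```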
    8. Password composition checking
    A password can be a combination of characters from the following four categories:
      - Uppercase letters A to Z
      - Lowercase letters a to z
      - Digits 0 to 9
      - 32 special characters including blank space and ~`!@#$%^&*()_+-={}|[]\:;',./
    Depending on the system security requirements, you can set the minimum number of categories a password must contain and the minimum number of characters of each category.
    There are four password combination levels: 1, 2, 3, and 4, each representing the number of categories that a password must at least contain. Level 1 means that a password must contain characters of one category, level 2 at least two categories, and so on.
    When a user sets or changes the password, the system checks if the password satisfies the composition requirement. If not, the system displays an error message.
    						
    9. Password complexity checking
    A less complicated password such as a password containing the username or repeated characters is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure that all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password. If the password is not qualified, the system refuses the password and displays a password configuration failure message.
    You can impose the following password complexity requirements:
      - A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is unqualified.
      - No character of the password is repeated three or more times consecutively. For example, password a111 is not qualified.
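The composition, complexity and history rules in items 6, 8 and 9 above can be modeled as a small checker. This is an added example, not HP code; how special characters are counted, how type-length interacts with type-number, and the position-by-position comparison used for the history check are assumptions about how the text is to be read.

```python
from itertools import zip_longest
import string


def category_counts(password: str) -> dict:
    """Count characters per composition category. Assumption: any printable
    character that is not a letter or digit counts as a special character."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for c in password:
        if c in string.ascii_uppercase:
            counts["upper"] += 1
        elif c in string.ascii_lowercase:
            counts["lower"] += 1
        elif c in string.digits:
            counts["digit"] += 1
        elif c.isprintable():
            counts["special"] += 1
    return counts


def check_composition(password: str, type_number: int = 1, type_length: int = 1) -> bool:
    """password-control composition type-number N [ type-length L ]: at least N
    categories, each with at least L characters (assumption: a category with
    fewer than L characters does not count toward N). Defaults are 1 and 1."""
    qualifying = [n for n in category_counts(password).values() if n >= type_length]
    return len(qualifying) >= type_number


def check_complexity(password: str, username: str,
                     same_character: bool = True, user_name: bool = True) -> bool:
    """password-control complexity { same-character | user-name } check."""
    if user_name and (username in password or username[::-1] in password):
        return False   # username abc: abc982 and 2cba are rejected
    if same_character and any(password[i] == password[i + 1] == password[i + 2]
                              for i in range(len(password) - 2)):
        return False   # a111 is rejected
    return True


def check_history(password: str, history: list) -> bool:
    """The new password must differ from every stored one by at least four
    characters, and those characters must not all be the same (assumption:
    differences are counted position by position)."""
    for old in history:
        diffs = [n for n, o in zip_longest(password, old) if n != o]
        distinct = {c for c in diffs if c is not None}
        if len(diffs) < 4 or len(distinct) < 2:
            return False
    return True


def record_password(history: list, password: str, max_record_num: int = 4) -> list:
    """Keep at most max-record-num records; the latest overwrites the earliest."""
    history.append(password)
    del history[:-max_record_num]
    return history


def validate_new_password(password: str, username: str, history: list,
                          type_number: int = 1, type_length: int = 1,
                          min_length: int = 10) -> tuple:
    """Apply the checks in order; both complexity checks are enabled here
    (by default the switch performs no complexity checking)."""
    if len(password) < min_length:
        return False, "shorter than minimum length"
    if not check_composition(password, type_number, type_length):
        return False, "composition requirement not met"
    if not check_complexity(password, username):
        return False, "complexity check failed"
    if not check_history(password, history):
        return False, "too similar to a previous password"
    return True, "accepted"
```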
    10. Password display in the form of a string of *
    For the sake of security, the password a user enters is displayed in the form of a string of *.
    11. Authentication timeout management
    The authentication period is from when the server obtains the username to when the server finishes authenticating the user's password. If a Telnet user fails to log in within the configured period of time, the system tears down the connection.
    12. Maximum account idle time
    You can set the maximum account idle time to make accounts staying idle for this period of time become invalid and unable to log in again. For example, if you set the maximum account idle time to 60 days and the user using the account test has never logged in successfully within 60 days after the last successful login, the account becomes invalid.
    13. Logging
    The system logs all successful password changing events and the events of adding users to the password control blacklist.
    Password control configuration task list 
    The password control functions can be configured in several views, and different views support different functions. The settings configured in different views or for different objects have different application ranges and different priorities:
    •  Global settings in system view apply to all local user passwords and super passwords.
    •  Settings in user group view apply to the passwords of all local users in the user group.
    •  Settings in local user view apply to only the password of the local user.
    •  Settings for super passwords apply to only super passwords.
    The above four types of settings have different priorities:
    •  For local user passwords, the settings with a smaller application range have a higher priority.
    •  For super passwords, the settings configured specifically for super passwords, if any, override those configured in system view.
    Complete the following tasks to configure password control:
    Task                                                 Remarks
    Enabling password control                            Required
    Setting global password control parameters           Optional
    Setting user group password control parameters       Optional
    Setting local user password control parameters       Optional
    Setting super password control parameters            Optional
    Setting a local user password in interactive mode    Optional
     
    Configuring password control
    Enabling password control
    To enable password control functions, you need to:
    1. Enable the password control feature in system view. Only after the password control feature is enabled globally can password control configurations take effect.
    2. Enable password control functions. Some password control functions need to be enabled individually after the password control feature is enabled globally. These functions include:
      - Password aging
      - Minimum password length
      - Password history
      - Password composition checking
    You must enable a function for its relevant configurations to take effect.
    To enable password control:
    Step 1. Enter system view.
      Command: system-view
      Remarks: N/A
    Step 2. Enable the password control feature.
      Command: password-control enable
      Remarks: Disabled by default.
    Step 3. Enable a password control function individually.
      Command: password-control { aging | composition | history | length } enable
      Remarks: Optional. All of the four password control functions are enabled by default.

    NOTE:
    After global password control is enabled, local user passwords configured on the device are not displayed when you use the corresponding display command.
    Setting global password control parameters
    Step 1. Enter system view.
      Command: system-view
      Remarks: N/A
    Step 2. Set the password aging time.
      Command: password-control aging aging-time
      Remarks: Optional. 90 days by default.
    Step 3. Set the minimum password update interval.
      Command: password-control password update interval interval
      Remarks: Optional. 24 hours by default.
    Step 4. Set the minimum password length.
      Command: password-control length length
      Remarks: Optional. 10 characters by default.
    Step 5. Configure the password composition policy.
      Command: password-control composition type-number type-number [ type-length type-length ]
      Remarks: Optional. By default, the minimum number of password composition types is 1 and the minimum number of characters of a password composition type is 1 too.
    Step 6. Configure the password complexity checking policy.
      Command: password-control complexity { same-character | user-name } check
      Remarks: Optional. By default, the system does not perform password complexity checking.
    Step 7. Set the maximum number of history password records for each user.
      Command: password-control history max-record-num
      Remarks: Optional. 4 by default.
    Step 8. Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts.
      Command: password-control login-attempt login-times [ exceed { lock | unlock | lock-time time } ]
      Remarks: Optional. By default, the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait for one minute before trying again.
    Step 9. Set the number of days during which the user is warned of the pending password expiration.
      Command: password-control alert-before-expire alert-time
      Remarks: Optional. 7 days by default.
    Step 10. Set the maximum number of days and maximum number of times that a user can log in after the password expires.
      Command: password-control expired-user-login delay delay times times
      Remarks: Optional. By default, a user can log in three times within 30 days after the password expires.
    Step 11. Set the authentication timeout time.
      Command: password-control authentication-timeout authentication-timeout
      Remarks: Optional. 60 seconds by default.
    Step 12. Set the maximum account idle time.
      Command: password-control login idle-time idle-time
      Remarks: Optional. 90 days by default.

     
    NOTE:
    The specified action to be taken after a user fails to log in for the specified number of attempts takes effect immediately, and can thus affect the users already in the password control blacklist. Other password control configurations take effect only for users logging in later and passwords configured later.
      
    						
    Setting user group password control parameters
    Step 1. Enter system view.
      Command: system-view
      Remarks: N/A
    Step 2. Create a user group and enter user group view.
      Command: user-group group-name
      Remarks: N/A
    Step 3. Configure the password aging time for the user group.
      Command: password-control aging aging-time
      Remarks: Optional. By default, the password aging time configured in system view is used.
    Step 4. Configure the minimum password length for the user group.
      Command: password-control length length
      Remarks: Optional. By default, the minimum password length configured in system view is used.
    Step 5. Configure the password composition policy for the user group.
      Command: password-control composition type-number type-number [ type-length type-length ]
      Remarks: Optional. By default, the password composition policy configured in system view is used.
     
    Setting local user password control parameters
    Step 1. Enter system view.
      Command: system-view
      Remarks: N/A
    Step 2. Create a local user and enter local user view.
      Command: local-user user-name
      Remarks: N/A
    Step 3. Configure the password aging time for the local user.
      Command: password-control aging aging-time
      Remarks: Optional. By default, the setting for the user group to which the local user belongs is used; if no aging time is configured for the user group, the setting in system view is used.
    Step 4. Configure the minimum password length for the local user.
      Command: password-control length length
      Remarks: Optional. By default, the setting for the user group to which the local user belongs is used; if no minimum password length is configured for the user group, the setting in system view is used.
    Step 5. Configure the password composition policy for the local user.
      Command: password-control composition type-number type-number [ type-length type-length ]
      Remarks: Optional. By default, the settings for the user group to which the local user belongs are used; if no password composition policy is configured for the user group, the settings in system view are used.
      
    						