ProCurve – Front-Panel Security & Authentication

I was looking for some ProCurve documentation on AAA security and stumbled across the Hardening ProCurve Switches White Paper and found a few nice things to add to our ProCurve config.

Password Clear Protection – Front-Panel Securitylogo_procurve_networking_by_hp
ProCurve devices utilize the Reset and Clear buttons on the front panel to help users reset the switch configuration to factory default or to reset the console password. This capability creates a security risk anywhere it’s impossible to  prevent physical access to the switch. ProCurve makes it possible to disable this functionality to protect from malicious use of these features.

There are two components to front-panel security: “password clear” and “factory reset.” Both must be disabled to fully secure the device.

In the switch’s default mode, a malicious user can utilize the front-panel clear button to reset a console password stored locally on the switch. To disable this feature, issue the command:

ProCurve Switch(config)# no front-panel-security password-clear

The other capability built into ProCurve switches is the ability to reset the switch configuration to the factory default mode:

ProCurve Switch(config)# [no] front-panel-security factory-reset

Executing this command prevents reset of the switch configuration by use of the front-panel Reset and Clear buttons.

It’s critical to understand that disabling these features severely restricts administrator options if the password is lost or forgotten. Before making these changes, users are strongly encouraged to review all considerations outlined in the Access and Security Guide for your model.
wireless_edge_services_zl_module
Authentication – Server-Supplied Privilege Level
Login privilege level instructs the switch to accept the authenticating user’s command level (manager or operator) that is supplied by the server. This allows manager-level users to skip the login context and proceed immediately to enable context, thus eliminating the need for a manager-level user to login twice.

To allow the switch to accept the privilege level provided by the server, use the following configuration command:

ProCurve Switch(config)# aaa authentication login privilege-mode

To supply a privilege level via RADIUS, specify the “Service-Type” attribute in the user’s credentials.
• Service-Type = 6 allows manager-level access
• Service-Type = 7 allows operator-level access
• A user with Service-Type not equal to 6 or 7 is denied access
• A user with no Service-Type attribute supplied is denied access when privilege mode is enabled

– The Radius Authentication for switch access sounds interesting. If our Staff are using their network credentials to access the switch config, or contractors that are working on the network, we can easily enable/disable their access to the switches without hassle and letting everyone know the Manager/Operator passwords