Aruba

ArubaOS: Encrypt credentials in config files

By default, credentials such as RADIUS or TACACS authentication keys are stored separately from the switch configuration and are not shown when the saved or running configuration is displayed or copied using TFTP or SSH. You can change this behavior with the include-credentials command. This clearly is a security issue, because the displayed credentials are unencrypted. You can check the current status using show include-credentials.

HP Switch(config)# show include-credentials
Stored in Configuration         : Yes
Enabled in Active Configuration : Yes
Include ClearPass Keys          : No

If you want to encrypt these credentials, you can use the encrypt-credentials command. This command encrypts the credentials using either a hardcoded 256-bit key, or a pre-shared key that you add to the command. In both cases the switch uses AES256-CBC to encrypt the credentials, regardless of the provided key.
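As an added example (not from the original post), a small Python audit script that flags cleartext RADIUS/TACACS keys in a saved ArubaOS-Switch configuration, reports whether include-credentials is active, and masks the key values before the dump is shared; the sample config lines are constructed here and their exact statement syntax is an assumption.

```python
import re

# Constructed sample of a saved ArubaOS-Switch running-config (not a capture
# from a real switch); the exact statement syntax is an assumption.
SAMPLE_CONFIG = """\
hostname "HP Switch"
include-credentials
radius-server host 10.0.0.10 key "SuperSecret123"
radius-server host 10.0.0.11 encrypted-key "Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA=="
tacacs-server host 10.0.0.20 key "tacacs-plain"
"""

# A cleartext key statement vs. one written out by encrypt-credentials.
PLAINTEXT_KEY = re.compile(r'^(radius|tacacs)-server host (\S+) key "([^"]*)"$')
ENCRYPTED_KEY = re.compile(r'^(radius|tacacs)-server host (\S+) encrypted-key "([^"]*)"$')


def audit_config(text):
    """Summarise credential exposure in a config dump.

    Returns whether include-credentials is active and, per key statement,
    (line number, protocol, server); the secret itself is never copied.
    """
    report = {"include_credentials": False, "plaintext": [], "encrypted": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "include-credentials":
            report["include_credentials"] = True
            continue
        for bucket, pattern in (("plaintext", PLAINTEXT_KEY), ("encrypted", ENCRYPTED_KEY)):
            m = pattern.match(line)
            if m:
                report[bucket].append((lineno, m.group(1), m.group(2)))
                break
    return report


def redact_config(text):
    """Mask every RADIUS/TACACS key value so the dump can be attached to a
    ticket or committed to a config repository without leaking secrets."""
    return "\n".join(
        re.sub(r'((?:encrypted-)?key) "[^"]*"', r'\1 "<redacted>"', line)
        for line in text.splitlines()
    )


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    print("include-credentials active:", result["include_credentials"])
    for lineno, proto, host in result["plaintext"]:
        print(f"line {lineno}: cleartext {proto.upper()} key for {host}")
    print(redact_config(SAMPLE_CONFIG))
```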

Notes about 802.1x and MAC authentication

Open network ports in offices, waiting rooms and entrance halls make me curious. Sometimes I want to plug in a network cable, just to see if I get an IP address. I know many companies that do not care about network access control. Anybody can plug any device into the network. When talking with customers about network access control, or port security, I often hear their complaints about complexity. It's too complex to implement, too hard to administer. But it is not that complex. In the easiest setup (with MAC authentication), you need a switch that can act as authenticator, and an authentication server. And IEEE 802.1X is not much more complicated.