Secure Mode (3800, 3810, 5400zl, and 8200zl Switches)
Configuring secure mode
When using enhanced secure mode, several commands have differences from standard secure mode in their options or output. To transition from one security mode to the other, enter this command from a serial terminal connected to the switch.
Syntax
secure-mode <standard | enhanced>
Enables the selected secure mode. This command must be executed from a serial terminal.
standard
Use standard security. This is the default.
enhanced
Use enhanced security.
switch(config)# secure-mode enhanced
Validating software and configurations, this may take a minute...
The system will be rebooted and all management module files except software images will be erased and zeroized. This will take up to 60 minutes and the switch will not be usable during that time. A power-cycle will then be required to complete the transition.
Continue (y/n)? y
(Switch reboots...)
.
Zeroizing the file system ... 100%
Verifying cleanness of the file system... 100%
Restoring firmware image and other system files...
Zeroization of file system completed
Continue initializing...
...
switch(config)# show secure-mode
Level: Enhanced
If the secure-mode transition fails, this message displays:
Secure-mode transition failed.
Commands affected when enhanced secure mode is enabled
There are several types of CLI commands that show sensitive information in plain text:
Feature-specific show commands
Show config commands
Password commands
Secret key commands
MIB CLI commands
Feature-specific show commands
For feature-specific show commands, the following prompt appears before the sensitive information is displayed when using enhanced secure mode:
This may show sensitive information. Continue (y/n)?
If “y/Y” is entered, the normal output of the command is displayed. If any other key is pressed, the command is not executed and there is no output. The default is “n/N” when interactive mode is disabled.
Show flash and show version command output
When using enhanced secure mode, the output from the show flash and show version commands is slightly different.
Show config commands
The show config commands that may show sensitive information on the console are:
show config
show running-config
show default-config
write terminal
When one of the above commands is executed in enhanced secure mode, the following prompt displays:
Do you want to show sensitive information (y/n)?
If “Y/y” is entered, the normal command output is displayed on the console. If “N/n” is entered, all the sensitive information is hidden and will be displayed as asterisks (“*****”). The default option is “N/n” when interactive mode is disabled.
MIB CLI commands
When MIB CLI commands are executed in enhanced secure mode, the following prompt appears before the sensitive information for the getmib or walkmib command is displayed:
This may show sensitive information. Continue (y/n)?
If “Y/y” is entered, the sensitive information is displayed in plain text. If “N/n” is entered, the command is not executed and there is no output. The default is “n/N” when interactive mode is disabled.
When using enhanced secure mode, the secret input echo for the setmib command is not replaced with asterisks; however, a warning message displays when this command is executed:
The setmib command should not be used in enhanced secure mode.
Password commands
When the switch is in enhanced secure mode, a plaintext password cannot be entered inline; it is prompted for interactively twice, for example, for an operator password:
New password for operator: *****
Please retype new password for operator: *****
Additional password command option
There is an additional password command option that allows the setting of a password for the ROM console. See Configuring Username and Password Security for more information about setting passwords on the switch.
Syntax
password <manager | operator> [username <ASCII-STR>] [sha1 <hashed-password>]
password <rom-console | all>
[no] password port-access [username <ASCII-STR>]
Sets or clears the local password/user name for a given access level. If no password is entered in the command, you are prompted twice to enter the password. When the switch is in enhanced secure mode, the password for manager, operator, and the ROM console must be at least 8 characters long. The ROM password cannot be set or changed in the Web Agent. When the no form of the command is executed, the command removes specific local password protection. Note: The port-access option is available only if “includecredentials” is enabled.
Prompt for password when first logging in
All user names and passwords should be configured at startup after transitioning to enhanced secure mode; however, the switch will enter enhanced secure mode regardless of the password settings.
After a cold reboot from a console session...
ROM console passwords must be set before continuing.
New Manager password:******
Retype password:******
New Operator password:******
Retype password:******
Behavior when changing or exiting levels
Behavior for Manager and Operator Levels
Current Role | CLI: enable | CLI: exit | CLI: logout |
---|---|---|---|
operator | Enter manager role - ask for credential | Session terminated | Session terminated |
manager | Not available | Session terminated | Session terminated |
Additional password commands
Password Commands Affected by Enhanced Secure Mode
Command in Standard Secure Mode | Command in Enhanced Secure Mode | Location |
---|---|---|
snmpv3 user <user-name> auth [md5 | sha] <password> [priv [des | aes] ] | snmpv3 user <user-name> auth [md5 | sha][priv] | management and configuration guide |
aaa port-access supplicant <port-list> identity <user-name> secret [<port-list>] | aaa port-access supplicant <port-list> identity <user-name> secret <port-list> | Commands to configure the global MAC authentication password |
aaa port-access mac-based password <password> | aaa port-access mac-based password | |
stack member <switch-num> mac-address <mac-addr> [password <password>] | stack member <switch-num> mac-address <mac-addr> [password] | advanced traffic configuration guide |
Secret keys
When the switch is in enhanced secure mode, CLI commands that take a secret key as a parameter have the echo of the secret typing replaced with asterisks, unless the secret is not used to authorize access to the switch. The input for <key-string> is prompted for interactively:
Enter key-string: ********
Re-enter key-string: ********
or
Enter authentication-key: ********
Re-enter authentication-key: ********
Secret key commands
Command in Standard Secure Mode | Command in Enhanced Secure Mode | Location |
---|---|---|
key-chain <chain-name> key <1-255> key-string <key-str> | key-chain <chain-name> key <1-255> key-string <key-str> | |
radius-server [host <ip-addr>] key <key-str> | radius-server [host <ip-addr>] key | Configuring the switch global RADIUS parameters |
tacacs-server [host <ip-addr>] key <key-str> | tacacs-server [host <ip-addr>] key | Configuring the switch TACACS+ server access |
sntp authentication key-id <1-4294967295> authentication-mode md5 key-value <key-str> [trusted] | sntp authentication key-id <1-4294967295> authentication-mode md5 key-value [trusted] | management and configuration guide |
router ospf area <area-id> virtual-link <ip-addr> authentication-key <key-str> | router ospf area <area-id> virtual-link <ip-addr> authentication-key | multicast and routing guide |
vlan <vid> ip rip [<ip-addr>] authentication-key | vlan <vid> ip rip [<ip-addr>] authentication-key | multicast and routing guide |
vlan <vid> ip ospf [<ip-addr>] authentication-key <key-str> | vlan <vid> ip ospf [<ip-addr>] authentication-key | multicast and routing guide |
autorun encryption-key <key-str> | autorun encryption-key | management and configuration guide |
encrypt-credentials [pre-shared-key <hex | plaintext> <key-str>] | encrypt-credentials [pre-shared-key <hex | plaintext>] | Enabling Encrypt-Credentials |
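The two tables above (password commands and secret key commands) list the commands whose inline secret is removed in enhanced secure mode and shown as asterisks in show config output. The following added audit helper is not HP code; it scans a captured running-config for those commands and flags any whose secret is still in the clear, which is what you would expect to see from a switch left in standard secure mode. The command patterns are taken from the tables on this page; the sample config is constructed.

```python
import re
from typing import List, Tuple

# Secret-bearing commands from this page's tables (hypothetical audit helper, not HP's code).
# Each pattern captures the token that follows the keyword introducing the secret.
SECRET_PATTERNS = [
    re.compile(r"^radius-server(?:\s+host\s+\S+)?\s+key\s+(\S+)"),
    re.compile(r"^tacacs-server(?:\s+host\s+\S+)?\s+key\s+(\S+)"),
    re.compile(r"^snmpv3\s+user\s+\S+\s+auth\s+(?:md5|sha)\s+(\S+)"),
    re.compile(r"^key-chain\s+\S+\s+key\s+\d+\s+key-string\s+(\S+)"),
    re.compile(r"^sntp\s+authentication\s+key-id\s+\d+\s+authentication-mode\s+md5\s+key-value\s+(\S+)"),
    re.compile(r"^(?:router\s+ospf\s+area\s+\S+\s+virtual-link\s+\S+"
               r"|vlan\s+\d+\s+ip\s+(?:rip|ospf)(?:\s+\S+)?)\s+authentication-key\s+(\S+)"),
    re.compile(r"^autorun\s+encryption-key\s+(\S+)"),
    re.compile(r"^encrypt-credentials\s+pre-shared-key\s+(?:hex|plaintext)\s+(\S+)"),
    re.compile(r"^aaa\s+port-access\s+mac-based\s+password\s+(\S+)"),
]


def is_masked(token: str) -> bool:
    """True when the value is the asterisk mask the switch prints in enhanced secure mode."""
    return token != "" and set(token) == {"*"}


def audit_config(text: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for each secret-bearing command whose secret is in the clear."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m and not is_masked(m.group(1)):
                findings.append((lineno, line))
                break
    return findings


# Constructed running-config excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
hostname "core-sw1"
radius-server host 10.0.0.5 key *****
tacacs-server host 10.0.0.6 key hunter2
snmpv3 user netops auth sha *****
vlan 10 ip ospf 10.0.10.1 authentication-key ospfsecret
autorun encryption-key *****
"""

if __name__ == "__main__":
    for lineno, line in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: plaintext secret in: {line}")
```

A clean result on a config exported with “N/n” at the "show sensitive information" prompt confirms the masking behaviour described above; any finding points at a line that would leak a secret to whoever reads the export.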
SSH changes
There are fewer options available for the ip ssh cipher command in enhanced secure mode. The following options are unavailable:
3des-cbc
rijndael-cbc@lysator.liu.se
The only option available for the ip ssh mac <mac-type> command in enhanced secure mode is hmac-sha1.
SSL changes
When operating in enhanced secure mode, the SSL server will not allow protocol versions lower than TLS 1.0.
See Secure web management for more information about SSL.
Zeroizing with HA
For the 8200 switch, when zeroization is triggered by a secure mode transition, HA handles zeroization on the AMM and SMM automatically.
When zeroization is started from the ROM console, there is no synchronization performed between the AMM and SMM, as zeroization from the ROM console is treated as a recovery facility. Each MM has to be zeroized individually.