Secure Mode (3800, 3810, 5400zl, and 8200zl Switches)

Configuring

Configuring secure mode

When using enhanced secure mode, several commands have differences from standard secure mode in their options or output. To transition from one security mode to the other, enter this command from a serial terminal connected to the switch.

Syntax

secure-mode <standard | enhanced>

Enables the selected secure mode. This command must be executed from a serial terminal.

standard

Use standard security. This is the default.

enhanced

Use enhanced security.

switch(config)# secure-mode enhanced
Validating software and configurations, this may take a
minute...
The system will be rebooted and all management module files
except software images will be erased and zeroized. This
will take up to 60 minutes and the switch will not be usable
during that time. A power-cycle will then be required to
complete the transition. Continue (y/n)? y
(Switch reboots...)
.
Zeroizing the file system ... 100%
Verifying cleanness of the file system... 100%
Restoring firmware image and other system files...
Zeroization of file system completed
Continue initializing...
...
switch(config)# show secure-mode
Level: Enhanced

If the secure-mode transition fails, this message displays:

Secure-mode transition failed.

Commands affected when enhanced secure mode is enabled

There are several types of CLI commands that show sensitive information in plain text:

  • Feature-specific show commands

  • Show config commands

  • Password commands

  • Secret key commands

  • MIB CLI commands

Feature-specific show commands

For feature-specific show commands, the following prompt appears before the sensitive information is displayed when using enhanced secure mode:

This may show sensitive information. Continue (y/n)?

If “y/Y” is entered, the normal output of the command is displayed. If any other key is pressed, the command is not executed and there is no output. The default is “n/N” when interactive mode is disabled.

Show flash and show version command output

When using enhanced secure mode, the output from the show flash and show version commands is slightly different.

Output of the show flash Command

Output of the show version Command

Show config commands

The show config commands that may show sensitive information on the console are:

  • show config

  • show running-config

  • show default-config

  • write terminal

When one of the above commands is executed in enhanced secure mode, the following prompt displays:

Do you want to show sensitive information (y/n)?

If “Y/y” is entered, the normal command output is displayed on the console. If “N/n” is entered, all the sensitive information is hidden and will be displayed as asterisks (“*****”). The default option is “N/n” when interactive mode is disabled.

MIB CLI commands

When MIB CLI commands are executed in enhanced secure mode, the following prompt appears before the sensitive information for the getmib or walkmib command is displayed:

This may show sensitive information. Continue (y/n)?

If “Y/y” is entered, the sensitive information is displayed in plain text. If “N/n” is entered, the command is not executed and there is no output. The default is “n/N” when interactive mode is disabled.

When using enhanced secure mode, the secret input echo for the setmib command is not replaced with asterisks; instead, a warning message displays when this command is executed:

The setmib command should not be used in enhanced secure
mode.

Password commands

When the switch is in enhanced secure mode, a plaintext password cannot be entered inline; it is prompted for interactively twice, for example, for an operator password:

New password for operator: *****
Please retype new password for operator: *****

Additional password command option

There is an additional password command option that allows the setting of a password for the ROM console. See Configuring Username and Password Security for more information about setting passwords on the switch.

Syntax

password <manager | operator> [username <ASCII-STR>] [sha1 <hashed-password>]
password <rom-console> | all
[no] password port-access [username <ASCII-STR>]

Sets or clears the local password/user name for a given access level. If no password is entered in the command, you are prompted twice to enter the password. When the switch is in enhanced secure mode, the password for manager, operator, and the ROM console must be at least 8 characters long. The ROM password cannot be set or changed in the Web Agent. When the no form of the command is executed, the command removes the specific local password protection. Note: The port-access option is available only if “include-credentials” is enabled.

Prompt for password when first logging in

All user names and passwords should be configured at startup after transitioning to enhanced secure mode, however, the switch will enter enhanced secure mode regardless of the password settings.

After a cold reboot from a console session...
ROM console passwords must be set before continuing.
New Manager password:******
Retype password:******
New Operator password:******
Retype password:******

Behavior when changing or exiting levels

Behavior for Manager and Operator Levels

Current Role   CLI: enable                              CLI: exit            CLI: logout
operator       Enter manager role - ask for credential  Session terminated   Session terminated
manager        Not available                            Session terminated   Session terminated

Additional password commands

Password Commands Affected by Enhanced Secure Mode

  • Standard secure mode: snmpv3 user <user-name> auth [md5 | sha] <password> [priv [des | aes]]
    Enhanced secure mode: snmpv3 user <user-name> auth [md5 | sha] [priv]
    Location: management and configuration guide

  • Standard secure mode: aaa port-access supplicant <port-list> identity <user-name> secret [<port-list>]
    Enhanced secure mode: aaa port-access supplicant <port-list> identity <user-name> secret <port-list>
    Location: Commands to configure the global MAC authentication password

  • Standard secure mode: aaa port-access mac-based password <password>
    Enhanced secure mode: aaa port-access mac-based password

  • Standard secure mode: stack member <switch-num> mac-address <mac-addr> [password <password>]
    Enhanced secure mode: stack member <switch-num> mac-address <mac-addr> [password]
    Location: advanced traffic configuration guide

Secret keys

When the switch is in enhanced secure mode, CLI commands that take a secret key as a parameter have the echo of the typed secret replaced with asterisks, unless the secret is not used for authorizing access to the switch. The input for <key-string> is prompted for interactively:

Enter key-string: ********
Re-enter key-string: ********

Or

Enter authentication-key: ********
Re-enter authentication-key: ********

Secret key commands

  • Standard secure mode: key-chain <chain-name> key <1-255> key-string <key-str>
    Enhanced secure mode: key-chain <chain-name> key <1-255> key-string <key-str>

  • Standard secure mode: radius-server [host <ip-addr>] key <key-str>
    Enhanced secure mode: radius-server [host <ip-addr>] key
    Location: Configuring the switch global RADIUS parameters

  • Standard secure mode: tacacs-server [host <ip-addr>] key <key-str>
    Enhanced secure mode: tacacs-server [host <ip-addr>] key
    Location: Configuring the switch TACACS+ server access

  • Standard secure mode: sntp authentication key-id <1-4294967295> authentication-mode md5 key-value <key-str> [trusted]
    Enhanced secure mode: sntp authentication key-id <1-4294967295> authentication-mode md5 key-value [trusted]
    Location: management and configuration guide

  • Standard secure mode: router ospf area <area-id> virtual-link <ip-addr> authentication-key <key-str>
    Enhanced secure mode: router ospf area <area-id> virtual-link <ip-addr> authentication-key
    Location: multicast and routing guide

  • Standard secure mode: vlan <vid> ip rip [<ip-addr>] authentication-key
    Enhanced secure mode: vlan <vid> ip rip [<ip-addr>] authentication-key
    Location: multicast and routing guide

  • Standard secure mode: vlan <vid> ip ospf [<ip-addr>] authentication-key <key-str>
    Enhanced secure mode: vlan <vid> ip ospf [<ip-addr>] authentication-key
    Location: multicast and routing guide

  • Standard secure mode: autorun encryption-key <key-str>
    Enhanced secure mode: autorun encryption-key
    Location: management and configuration guide

  • Standard secure mode: encrypt-credentials [pre-shared-key <hex | plaintext> <key-str>]
    Enhanced secure mode: encrypt-credentials [pre-shared-key <hex | plaintext>]
    Location: Enabling Encrypt-Credentials
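The table above lists the commands whose secret arguments enhanced secure mode stops accepting inline, and the show config section earlier states that hidden secrets appear as asterisks. The following script is an added example, not part of this guide or the switch firmware: it audits a saved configuration dump for secret-bearing lines that still carry a literal value rather than a mask, which is the check an operator would run on exported configs before storing or sharing them. The configuration text and the label names are constructed for the example.

```python
import re

# Secret-bearing commands from the enhanced-secure-mode table, as regexes that
# capture the value following the secret keyword. Labels are this example's own.
SECRET_PATTERNS = [
    ("radius-server key", re.compile(r"^\s*radius-server\s+(?:host\s+\S+\s+)?key\s+(\S+)")),
    ("tacacs-server key", re.compile(r"^\s*tacacs-server\s+(?:host\s+\S+\s+)?key\s+(\S+)")),
    ("sntp authentication key-value", re.compile(
        r"^\s*sntp\s+authentication\s+key-id\s+\d+\s+authentication-mode\s+md5\s+key-value\s+(\S+)")),
    ("key-chain key-string", re.compile(r"^\s*key-chain\s+\S+\s+key\s+\d+\s+key-string\s+(\S+)")),
    ("ospf authentication-key", re.compile(
        r"^\s*(?:router\s+ospf\s+area\s+\S+\s+virtual-link\s+\S+|vlan\s+\d+\s+ip\s+ospf(?:\s+\S+)?)"
        r"\s+authentication-key\s+(\S+)")),
    ("rip authentication-key", re.compile(r"^\s*vlan\s+\d+\s+ip\s+rip(?:\s+\S+)?\s+authentication-key\s+(\S+)")),
    ("autorun encryption-key", re.compile(r"^\s*autorun\s+encryption-key\s+(\S+)")),
    ("mac-based password", re.compile(r"^\s*aaa\s+port-access\s+mac-based\s+password\s+(\S+)")),
]

MASK = re.compile(r"^\*+$")  # the "*****" form used when sensitive output is hidden


def find_plaintext_secrets(config_text):
    """Return (line_no, label, line) for every secret-bearing line whose value is not masked."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            match = pattern.match(line)
            if match and not MASK.match(match.group(1).strip('"')):
                findings.append((line_no, label, line.strip()))
                break
    return findings


# Constructed sample config dump: three masked secrets, four still in plain text.
SAMPLE_CONFIG = """\
; constructed sample, not a real switch configuration
hostname "edge-sw1"
radius-server host 10.0.0.5 key "********"
tacacs-server host 10.0.0.6 key "hunter2"
sntp authentication key-id 1 authentication-mode md5 key-value ntpsecret trusted
key-chain rt-keys key 1 key-string ********
vlan 10 ip ospf 10.0.10.1 authentication-key ospfpw
autorun encryption-key ********
aaa port-access mac-based password Pa55w0rd
"""

if __name__ == "__main__":
    for line_no, label, line in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"line {line_no}: {label} in plain text: {line}")
```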

SSH changes

There are fewer options available for the ip ssh cipher command in enhanced secure mode. The following options are unavailable:

  • 3des-cbc

  • rijndael-cbc@lysator.liu.se

The only option available for the ip ssh mac <mac-type> command in enhanced secure mode is hmac-sha1.

SSL changes

When operating in enhanced secure mode, the SSL server will not allow protocol versions lower than TLS 1.0.

See Secure web management for more information about SSL.

Zeroizing with HA

For the 8200 switch, when zeroization is triggered by a secure mode transition, HA handles zeroization on the AMM and SMM automatically.

When zeroization is started from the ROM console, there is no synchronization performed between the AMM and SMM, as zeroization from the ROM console is treated as a recovery facility. Each MM has to be zeroized individually.

Opacity shields command


CAUTION: You can use this command only for the 5200 and 8200 switches.

Certification efforts are in progress for the 3800 switch.

Syntax

[no] opacity-shields

Indicates that opacity shields have been installed. This causes the system threshold temperature to be decreased to 35 degrees Centigrade. Default: Disabled.