Security Mode Configuration
26-2 Configuring Security Features
FIPS mode is disabled by default. It can be enabled using the set security profile c2 command.
FIPS mode is persistent and shown in the running configuration. When changing between Normal
and FIPS mode, a system reboot is required, indicated by a warning message:
Warning: Changing the security profile requires system reset.
Do you want to continue (y/n) [n]?
FIPS mode can be cleared using the clear security profile command.
When FIPS mode (security profile = c2) is enabled, FIPS cryptographic module initialization is
invoked as per Section 2.3 of the OpenSSL FIPS 140-2 Security Policy.
Configuring the Security Mode
Procedure 26-1 on page 26-2 lists the commands to configure the security mode of the switch.
Refer to the CLI Reference for your platform for details of the commands listed.
Security Mode and SNMP
When FIPS mode (security profile = c2) is enabled, the default authentication mechanism for
SNMPv3 is HMAC-SHA-1. The entire SNMPv3 message will be checked for integrity using
HMAC-SHA-1. The authentication option of the set snmp user command will not accept MD5 as
an option. Only the FIPS cryptographic module will be used for HMAC-SHA-1 even if this same
algorithm is provided by other functions.
When FIPS mode (security profile = c2) is enabled, the encryption mechanism for SNMPv3 will be
AES-128. The encryption option of the set snmp user command will not accept DES as an option
while in FIPS mode. Only the FIPS cryptographic module will be used for AES-128 even if this
same algorithm is provided by other functions.
Table 26-1 lists the SNMP commands that require different user access permissions when the
security mode is set to C2.
Procedure 26-1 Configuring the Security Mode
Step Task Command(s)
1. Display the current security mode setting. show security profile
2. If necessary, change the security mode.
When prompted for a system reboot, enter y.
set security profile {c2 | normal}
3. If desired, return the switch to the default state of
FIPS mode disabled (normal).
When prompted for a system reboot, enter y.
clear security profile
Table 26-1 SNMP Commands Affected by Security Mode Settings
Commands
Access When Security Mode Setting Is:
Normal C2
set/clear snmp user Read-Write Super User
set/clear snmp group Read-Write Super User
set/clear snmp community Read-Write Super User
set/clear snmp access Read-Write Super User
set/clear snmp view Read-Write Super User
set/clear snmp targetparams Read-Write Super User
To Next Page
Loading...
Need help?
General