Cisco 2621XM User Guide - Page 18



Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy, OL-6262-01, page 18
Secure Operation of the Cisco 2621XM/2651XM Router

• The Crypto Officer must disable IOS Password Recovery by executing the following commands:

    configure terminal
    no service password-recovery
    end
    show version

  Note: Once Password Recovery is disabled, administrative access to the module without the password will not be possible.

System Initialization and Configuration

• The Crypto Officer must perform the initial configuration. Cisco IOS version 12.3(3d) is the only allowable image; no other image may be loaded.

• The value of the boot field must be 0x0102. This setting disables break from the console to the ROM monitor and automatically boots the Cisco IOS image. From the “configure terminal” command line, the Crypto Officer enters the following syntax:

    config-register 0x0102

• The Crypto Officer must create the “enable” password for the Crypto Officer role. The password must be at least 8 characters and is entered when the Crypto Officer first engages the “enable” command. The Crypto Officer enters the following syntax at the “#” prompt:

    enable secret <PASSWORD>

• The Crypto Officer must always assign passwords (of at least 8 characters) to users. Identification and authentication on the console port is required for Users. From the “configure terminal” command line, the Crypto Officer enters the following syntax:

    line con 0
    password <PASSWORD>
    login local

• The Crypto Officer shall only assign users to privilege level 1 (the default).

• The Crypto Officer shall not assign a command to any privilege level other than its default.

• The Crypto Officer may configure the module to use RADIUS or TACACS+ for authentication; doing so is optional. If the module is configured to use RADIUS or TACACS+, the Crypto Officer must define RADIUS or TACACS+ shared secret keys that are at least 8 characters long.

• If the Crypto Officer loads any other IOS image onto the router, this puts the router into a non-FIPS mode of operation.
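The settings above are easy to drift from once a router is in service, so an auditor usually checks saved “show running-config” and “show version” captures against them. The Python script below is an added example for this page; it is not Cisco tooling and not part of the security policy. It checks each requirement listed in this section (password recovery disabled, configuration register 0x0102, the 12.3(3d) image, an “enable secret” present, “login local” and a password on the console line, only privilege level 1 for users, no command moved to another privilege level, and RADIUS/TACACS+ shared secrets of at least 8 characters). The sample device output, hostnames, hash placeholders and secrets are constructed for the example. Two limits worth knowing: the running config only shows the hash of the “enable secret”, so its length cannot be verified from a capture, and a type-7 obfuscated AAA key (“key 7 …”) is reported as unverifiable rather than passed.

```python
"""Added example: audit saved 'show running-config' / 'show version' text
against the FIPS-mode settings on this page. Not Cisco tooling; all sample
device output below is constructed."""
import re

REQUIRED_IMAGE = "12.3(3d)"          # only allowable IOS image (from the policy)
REQUIRED_CONFIG_REGISTER = "0x0102"  # required boot field value (from the policy)
MIN_SECRET_LEN = 8                   # minimum length for user passwords and AAA keys

def _console_block(lines):
    """Return the indented lines that belong to 'line con 0'."""
    block, inside = [], False
    for line in lines:
        if line.startswith("line con 0"):
            inside = True
        elif inside and line.startswith(" "):
            block.append(line.strip())
        elif inside:
            break
    return block

def _shared_secret_findings(line):
    """Check the shared secret on a radius-server / tacacs-server line.
    'key 7 <hex>' is type-7 obfuscated, so its length cannot be verified."""
    m = re.search(r"\bkey\s+(?:(\d)\s+)?(\S+)", line)
    if not m:
        return []
    enc_type, value = m.group(1), m.group(2)
    if enc_type == "7":
        return [f"cannot verify length of type-7 encrypted key in: {line}"]
    if len(value) < MIN_SECRET_LEN:
        return [f"shared secret shorter than {MIN_SECRET_LEN} characters in: {line}"]
    return []

def audit_fips_config(running_config, show_version):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = running_config.splitlines()
    stripped = [ln.strip() for ln in lines]
    if "no service password-recovery" not in stripped:
        findings.append("password recovery is still enabled (missing 'no service password-recovery')")
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", show_version)
    if not m or m.group(1).lower() != REQUIRED_CONFIG_REGISTER:
        findings.append(f"config-register is not {REQUIRED_CONFIG_REGISTER}")
    m = re.search(r"Version ([^,\s]+)", show_version)
    if not m or m.group(1) != REQUIRED_IMAGE:
        findings.append(f"IOS image is not {REQUIRED_IMAGE}")
    # Only the hash is shown in the config, so presence is all that can be checked.
    if not any(s.startswith("enable secret") for s in stripped):
        findings.append("no 'enable secret' configured for the Crypto Officer role")
    con = _console_block(lines)
    if "login local" not in con:
        findings.append("console line lacks 'login local'")
    if not any(s.startswith("password") for s in con):
        findings.append("console line has no password")
    for s in stripped:
        m = re.match(r"username\s+(\S+)\s+privilege\s+(\d+)", s)
        if m and m.group(2) != "1":
            findings.append(f"user {m.group(1)} assigned privilege level {m.group(2)} (only level 1 allowed)")
        if re.match(r"privilege\s+\S+\s+level\s+\d+", s):
            findings.append(f"command moved from its default privilege level: {s}")
        if s.startswith(("radius-server", "tacacs-server")):
            findings.extend(_shared_secret_findings(s))
    return findings

# Constructed sample captures (not from a real device); hashes are placeholders.
GOOD_RUNNING_CONFIG = """\
no service password-recovery
enable secret 5 $1$PLAC$EHOLDERHASHxxxxxxxxxxxxxx
username operator secret 5 $1$PLAC$EHOLDERHASHyyyyyyyyyyyyyy
radius-server host 192.0.2.10 key exampleSecret01
tacacs-server host 192.0.2.11 key exampleSecret02
line con 0
 password exampleConsole1
 login local
end
"""
GOOD_SHOW_VERSION = """\
IOS (tm) C2600 Software (IMAGE-NAME-PLACEHOLDER), Version 12.3(3d), RELEASE SOFTWARE
Configuration register is 0x0102
"""
BAD_RUNNING_CONFIG = """\
enable secret 5 $1$PLAC$EHOLDERHASHzzzzzzzzzzzzzz
username admin privilege 15 secret 5 $1$PLAC$EHOLDERHASHwwwwwwwwwwwwww
privilege exec level 7 show running-config
radius-server host 192.0.2.10 key short
tacacs-server key 7 0822455D0A16
line con 0
 password consolepass
 login
end
"""
BAD_SHOW_VERSION = """\
IOS (tm) C2600 Software (IMAGE-NAME-PLACEHOLDER), Version 12.3(4)T, RELEASE SOFTWARE
Configuration register is 0x2102
"""

if __name__ == "__main__":
    for name, cfg, ver in (("good", GOOD_RUNNING_CONFIG, GOOD_SHOW_VERSION),
                           ("bad", BAD_RUNNING_CONFIG, BAD_SHOW_VERSION)):
        print(name, "->", audit_fips_config(cfg, ver) or "compliant")
```

The configuration register is taken from “show version” rather than the running config because IOS reports it there (“Configuration register is 0x0102”), and the image version is read from the same capture. The compliant sample returns no findings; the deviating one returns eight, one per requirement it breaks.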
IPSec Requirements and Cryptographic Algorithms

• Two key management methods are allowed in FIPS mode: Internet Key Exchange (IKE) and IPSec manually entered keys.

• Although the Cisco IOS implementation of IKE allows a number of algorithms, only the following algorithms are allowed in a FIPS 140-2 configuration:
  - ah-sha-hmac
  - esp-des