Cisco CISCO2851 User Guide - Page 17

Secure Operation of the Cisco 2851 Router - 2851 password recovery

Get Cisco CISCO2851 PDF manuals and user guides View all Cisco CISCO2851 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 17 highlights

Secure Operation of the Cisco 2851 Router - 3DES Known Answer Test - HMAC-SHA-1 Known Answer Test - SHA-1 Known Answer Test Secure Operation of the Cisco 2851 Router The Cisco 2851 routers meet all the Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS-approved mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation. Initial Setup • The Crypto Officer must apply tamper evidence labels as described in the "Physical Security" section on page 8 of this document. • The Crypto Officer must disable IOS Password Recovery by executing the following commands: configure terminal no service password-recovery end show version Note Once Password Recovery is disabled, administrative access to the module without the password will not be possible. System Initialization and Configuration • The Crypto Officer must perform the initial configuration. IOS version 12.3(11)T03, Advanced Security build (advsecurity) is the only allowable image; no other image should be loaded. • The value of the boot field must be 0x0102. This setting disables break from the console to the ROM monitor and automatically boots the IOS image. From the "configure terminal" command line, the Crypto Officer enters the following syntax: config-register 0x0102 • The Crypto Officer must create the "enable" password for the Crypto Officer role. The password must be at least 8 characters to include at least one number and one letter and is entered when the Crypto Officer first engages the "enable" command. The Crypto Officer enters the following syntax at the "#" prompt: enable secret [PASSWORD] • The Crypto Officer must always assign passwords (of at least 8 characters) to users. Identification and authentication on the console port is required for Users. From the "configure terminal" command line, the Crypto Officer enters the following syntax: line con 0 password [PASSWORD] login local • RADIUS and TACACS+ shared secret key sizes must be at least 8 characters long. OL-8717-01 Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 17

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
17
Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy
OL-8717-01
Secure Operation of the Cisco 2851 Router
3DES Known Answer Test
HMAC-SHA-1 Known Answer Test
SHA-1 Known Answer Test
Secure Operation of the Cisco 2851 Router
The Cisco 2851 routers meet all the Level 2 requirements for FIPS 140-2. Follow the setting instructions
provided below to place the module in FIPS-approved mode. Operating this router without maintaining
the following settings will remove the module from the FIPS approved mode of operation.
Initial Setup
The Crypto Officer must apply tamper evidence labels as described in the
“Physical Security”
section on page 8
of this document.
The Crypto Officer must disable IOS Password Recovery by executing the following commands:
configure terminal
no service password-recovery
end
show version
Note
Once Password Recovery is disabled, administrative access to the module without the
password will not be possible.
System Initialization and Configuration
The Crypto Officer must perform the initial configuration. IOS version 12.3(11)T03, Advanced
Security build (advsecurity) is the only allowable image; no other image should be loaded.
The value of the boot field must be 0x0102. This setting disables break from the console to the ROM
monitor and automatically boots the IOS image. From the “configure terminal” command line, the
Crypto Officer enters the following syntax:
config-register 0x0102
The Crypto Officer must create the “enable” password for the Crypto Officer role. The password
must be at least 8 characters to include at least one number and one letter and is entered when the
Crypto Officer first engages the “enable” command. The Crypto Officer enters the following syntax
at the “#” prompt:
enable secret [PASSWORD]
The Crypto Officer must always assign passwords (of at least 8 characters) to users. Identification
and authentication on the console port is required for Users. From the “configure terminal”
command line, the Crypto Officer enters the following syntax:
line con 0
password [PASSWORD]
login local
RADIUS and TACACS+ shared secret key sizes must be at least 8 characters long.