Dell PowerSwitch S4128F-ON SmartFabric OS10 Security Best Practices Guide July - Page 26


• Assign a certificate and private key pair to the security profile in SECURITY-PROFILE mode. For certificate-name, enter the name of the certificate-key pair as it appears in the show crypto certs output without the .pem extension.
  OS10(config-sec-profile)# certificate certificate-name
  exit
• (Optional) Enable CRL checking for certificates received from external devices in SECURITY-PROFILE mode. CRL checking verifies the validity of a certificate using the CRLs installed on the switch.
  OS10(config-sec-profile)# revocation-check
• (Optional) Enable peer name checking for certificates presented by external devices in SECURITY-PROFILE mode. Peer name checking ensures that the certificate matches the name of the peer device, such as a remote server name.
  OS10(config-sec-profile)# peer-name-check
• Use the security profile to configure an X.509v3-based service; for example, to configure RADIUS over TLS authentication using an X.509v3 certificate, enter the radius-server host tls command:
  OS10(config)# radius-server host {hostname | ip-address} tls security-profile profile-name [auth-port port-number] key {0 authentication-key | 9 authentication-key | authentication-key}
Example: Security profile in RADIUS over TLS authentication
OS10# show crypto cert
--------------------------------------
| Installed non-FIPS certificates |
--------------------------------------
dv-fedgov-s6010-1.pem
--------------------------------------
| Installed FIPS certificates |
--------------------------------------
OS10#
OS10(config)#
OS10(config)# crypto security-profile radius-prof
OS10(config-sec-profile)# certificate dv-fedgov-s6010-1
OS10(config-sec-profile)# revocation-check
OS10(config-sec-profile)# peer-name-check
OS10(config-sec-profile)# exit
OS10(config)#
OS10(config)# radius-server host radius-server-2.test.com tls security-profile radius-prof key radsec
OS10(config)# end
OS10# show running-configuration crypto security-profile
!
crypto security-profile radius-prof
certificate dv-fedgov-s6010-1
OS10# show running-configuration radius-server
radius-server host radius-server-2.test.com tls security-profile radius-prof key 9 2b9799adc767c0efe8987a694969b1384c541414ba18a44cd9b25fc00ff180e9
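Added example, not from the Dell guide and not OS10 code: a Python model of what the profile's revocation-check and peer-name-check flags decide once the RadSec server presents its certificate, driven by a constructed certificate record and CRL serial list. The dictionary layout, the CRL set and the function names are assumptions of this model; the page does not show the switch's own implementation.

```python
import ipaddress

# Constructed sample of what a RadSec server might present after the TLS
# handshake, as the switch would see it. Assumed layout, not OS10 data.
PEER_CERT = {
    "subject_cn": "radius-server-2.test.com",
    "san_dns": ["radius-server-2.test.com", "*.lab.test.com"],
    "san_ip": ["10.0.0.5"],
    "serial": 0x1A2B,
}
# Constructed CRL contents: serial numbers the issuing CA has revoked.
CRL_REVOKED_SERIALS = {0x0C0FFEE, 0x1A2C}


def _dns_name_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: a wildcard is allowed only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def peer_name_matches(configured_host: str, cert: dict) -> bool:
    """Model of peer-name-check: the radius-server host value must match the cert."""
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    if ip is not None:
        # A host given as an IP address matches only an iPAddress SAN, never a DNS name or CN.
        return any(ipaddress.ip_address(s) == ip for s in cert["san_ip"])
    # The subject CN is consulted only when the certificate carries no dNSName SAN.
    names = cert["san_dns"] or [cert["subject_cn"]]
    return any(_dns_name_match(n, configured_host) for n in names)


def revoked(cert: dict, crl_serials: set) -> bool:
    """Model of revocation-check: the certificate serial appears on an installed CRL."""
    return cert["serial"] in crl_serials


def verify_peer(configured_host: str, cert: dict, crl_serials: set,
                peer_name_check: bool = True, revocation_check: bool = True) -> tuple:
    """Return (accepted, reason) the way the two optional profile flags would decide it."""
    if revocation_check and revoked(cert, crl_serials):
        return False, "certificate serial is on the CRL"
    if peer_name_check and not peer_name_matches(configured_host, cert):
        return False, "certificate name does not match configured host"
    return True, "ok"
```

With both flags left off, as in a profile that configures only the certificate, any certificate chaining to an installed CA is accepted regardless of name or CRL status, which is the gap the two optional commands close.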