Configuration for Common Criteria NDcPP v1.0 Evaluated Dell Networking OS 9.11(0.0P9) S5000, S3100 Series, C9010, S6100–ON, S6010–ON, S3048–ON, S4048–ON, S4048T-ON, and Z9100–ON Switches



Copyright © 2017 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

2017 - 04

Rev. A02


Contents

1 About this Guide ... 7
    Overview of this Guide ... 7
    Audience ... 8
    About Common Criteria ... 8
    Conventions ... 8
    Related Documents ... 8
    Documentation feedback ... 9

2 Configuration Fundamentals ... 10
    Accessing the Command Line ... 10
        Connecting to the Serial Console Port ... 10
        Connecting to the Management Ethernet Port ... 11
        Starting CLI Mode ... 11
        Important Points to Remember ... 11
    CLI Modes ... 11
    The do Command ... 13
    Undoing Commands ... 13
    Obtaining Help ... 14
    Entering and Editing Commands ... 14
        Important Points to Remember ... 14

3 Getting Started ... 16
    Important Points to Remember ... 16
    Console Access ... 17
    Serial Console ... 17
    Factory-Default Configuration ... 17
    Configuring a Host Name ... 17
    Configure the Management Port IP Address ... 17
    Configuring a Management Route ... 18
    Configuring the System Clock ... 18
    Configuring a Username and Password ... 18
    Configuring the Enable Password ... 19
    Configuration File Management ... 19
    Copy Files to and from the System ... 19
        Important Points to Remember ... 19
    Save the Running-Configuration ... 20
    Viewing Files ... 20

4 Upgrading and Downgrading the Software ... 22

5 Setting Up the Common Criteria Configuration ... 24
    Attaching to the System ... 27
    Saving the Configuration ... 27
    Configuring Reload-Type ... 27
    Configuring Security ... 27
        Enabling FIPS Mode ... 28
        Enabling secure-cli Mode ... 29
        Generate SSH Server RSA Host Keys ... 29
        Configuring Encryption Algorithms and HMAC Algorithms ... 30
        Enabling RSA Authentication ... 31
        Enabling SSH and Disabling Telnet ... 32
    Configuring Password Attributes ... 32
        Create a Password Policy that Matches Your Organization ... 33
        Configuring the Login Lockout Period ... 33
    Obscuring Passwords and Keys ... 34
    Configuring Console and Terminal Lines ... 34
        Configuring the Console Time-out ... 34
        Configuring Remote Access Time-out ... 35
    Configuring the Banner ... 35
        Creating a Message of the Day Banner ... 35
        Creating a Login Banner ... 36
    Configuring Role-Based Access Control and AAA ... 36
        Create UserIDs on TOE ... 37
        Configure AAA Authentication and Authorization ... 37
    Configuring the Hostname ... 39
    Configure the Management Port IP Address ... 39
    Configuring a Management Route ... 39
    Configuring Logging ... 40
        Configuring Log Time Stamps ... 40
        Enabling Audit and Security Logs ... 40
        Displaying Audit and Security Logs ... 40
        Clearing Audit Logs ... 41
        Configuring Logging Format ... 41
        Configuring Logging Buffer Size ... 41
        Configuring Logging Level ... 41
        Configuring Core Dump Logging on ALL Stack Units ... 42
        Audit Entries ... 42
    Configuring SYSLOG Servers ... 43
        Information about Setting up a Trusted Channel to the Syslog Server ... 44
        Checking the Trusted Channel Connection to the Syslog Server ... 45
    Configuring the System Date and Time ... 45
        Setting the Time and Date for the Switch Hardware Clock ... 45
        Setting the Timezone ... 46
    Configuring SNMPv3 ... 46
        Configuring an SNMP v3 policy with Read-only Permission ... 46
        Configuring Traps ... 47
        Configuring a Trap Group ... 48
        Configuring the Recipient of an SNMPv3 Trap Operation ... 48
        Configuring a New User to an SNMPv3 Group ... 49
        Configuring an SNMPv3 View ... 49
        Processes and Open Ports ... 50
    Configuring X.509v3 ... 51
        Building a Trusted Certificate Store ... 51
        Creating Certificate Signing Requests (CSR) ... 51
        Installing Trusted Certificates ... 52
        Configuring OCSP behavior ... 53
        Configuring Revocation Behavior ... 53
        Configuring OCSP responder preference ... 53
        Debugging X.509v3 Certificates ... 53

A Appendix A — Role-Based Access Control ... 56
    Overview of RBAC ... 56
        Privilege-or-Role Mode versus Role-only Mode ... 56
        Configuring Role-based Only AAA Authorization ... 56
        System-Defined RBAC User Roles ... 57
    User Roles ... 58
        Creating a New User Role ... 58
        Modifying Command Permissions for Roles ... 59
        Adding and Deleting Users from a Role ... 61
    AAA Authentication and Authorization for Roles ... 61
        Configure AAA Authentication for Roles ... 61
        Configure AAA Authorization for Roles ... 62
        Configuring TACACS+ and RADIUS VSA Attributes for RBAC ... 64
    Role Accounting ... 64
        Configuring AAA Accounting for Roles ... 64
        Applying an Accounting Method to a Role ... 65
        Displaying Active Accounting Sessions for Roles ... 65
    Display Information About User Roles ... 65
        Displaying User Roles ... 65
        Displaying Role Permissions Assigned to a Command ... 66
        Displaying Information About Users Logged into the Switch ... 66

B Appendix B — X.509v3 ... 67
    Introduction to X.509v3 certification ... 67
        X.509v3 certificates ... 67
        Certificate authority (CA) ... 67
        Certificate signing requests (CSR) ... 67
        How certificates are requested ... 67
        Advantages of X.509v3 certificates ... 68
    X.509v3 support in Dell Networking OS ... 68
    Information about installing CA certificates ... 70
        Installing CA certificate ... 70
    Information about Creating Certificate Signing Requests (CSR) ... 70
    Signing X.509v3 Certificates ... 71
    Information about installing trusted certificates ... 74
    Transport layer security (TLS) ... 74
        Syslog over TLS ... 75
    Online Certificate Status Protocol (OCSP) ... 75
    Verifying certificates ... 76
        Verifying Server certificates ... 76
        Verifying Client Certificates ... 76
    Event logging ... 76

C Appendix C — Navigating CLI Modes ... 77

D Appendix D — Auditable Events ... 81
    Log Record Format ... 81
    Log Levels ... 82
    Audit Log Records ... 82
        FAU_GEN.1 ... 83
        FIA_UAU_EXT.2, FIA_UIA_EXT.1 ... 84
        FIA_X509_EXT.1 ... 84
        FMT_MOF.1 ... 85
        FMT_MTD.1 ... 86
        FPT_STM.1 ... 87
        FPT_TUD_EXT.1 ... 87
        FTA_SSL.3, FTA_SSL_EXT.1 ... 87
        FTA_SSL.4 ... 87
        FTP_ITC.1 and FCS_TLSC_EXT ... 88
        FTP_TRP.1 and FCS_SSHS_EXT.1 ... 88
    Self-test Failures ... 88
        Power-on Self-tests ... 89
        System Software Self-tests ... 90
        FIPS Self-tests ... 91
        Offline Diagnostics ... 92

E Appendix E — NTP ... 93
    Configuring an NTP Time-Serving Host ... 93
    Configuring an Authentication Key for NTP Traffic ... 93
    Configuring an NTP Time-Serving Host ... 93
    Authenticating the System to Which NTP Synchronizes ... 94


About this Guide

This guide provides the information needed to set up, use, and administer Dell Networking S5000, S3100 Series, C9010, S6000–ON, S6010–ON, S6100–ON, S4048–ON, S3048–ON, S4048T-ON, and Z9100–ON switches in compliance with the Common Criteria specification. It shows you how to set up a Common Criteria configuration that complies with the Network Device Collaborative Protection Profile (NDcPP) of the National Information Assurance Partnership (NIAP). To do so, you must ensure that the Dell Networking OS software settings on each system match the specific configuration that was evaluated and certified as secure under the Common Criteria.

NOTE: You may see the name “Force10” in publications regarding some of these models. Dell Inc. acquired Force10 Networks in August 2011, and the names “Force10” and “Dell Force10” were used in some publications for a transition period after the acquisition.

This guide also supplements the product documentation with the specific component configurations and guidelines required for the Dell Networking certified components.

NOTE: The information in this guide supersedes related information in other Dell Networking OS documentation.

NIAP certified the Dell Networking switches against the requirements defined in the cPP and the NIAP Common Criteria Evaluation & Validation Scheme. Details about the certified components are available at https://www.niap-ccevs.org/

Topics:

• Overview of this Guide

• Audience

• About Common Criteria

• Conventions

• Related Documents

• Documentation feedback

Overview of this Guide

This guide contains multiple sections.

Most provide background or preparation material for configuring the system into a Common Criteria compliant configuration. Section 5 specifically covers the details of how to configure a Common Criteria compliant system.

• Section 2: Configuration Fundamentals

This section provides details on how to use the command line interface (CLI) of the Dell systems. This is necessary background for the rest of the document.

• Section 3: Getting Started

This section provides the necessary information if you are starting from a brand-new Dell system. Some very basic configuration is required before creating a Common Criteria compliant system.

• Section 4: Upgrading and Downgrading the Software

This section provides the details on how to upgrade or downgrade the system software to the desired Dell Networking OS version.

• Section 5: Setting up the Common Criteria Configuration

This section provides the detailed commands on how to build a Common Criteria compliant configuration on a system that is installed and has basic network connectivity.


About this Guide 7


• Appendix A: Role-Based Access Control (RBAC)

This appendix provides detailed background information on how the RBAC feature is implemented on the Dell systems. Review it before creating user IDs and user roles for customer use.

• Appendix B: X.509v3

This appendix describes how X.509v3 certificates are supported on the Dell Networking switches.

• Appendix C: Navigating CLI Modes

This appendix provides details on how to use the CLI and its various configuration modes. It extends Section 2.

• Appendix D: Auditable Events

This appendix describes the log record format, the log record contents, and the self-tests available on the system.

• Appendix E: NTP

This appendix provides information on configuring the date and time on your device.

Audience

This document is intended for system administrators who are responsible for configuring and maintaining networks, and assumes knowledge of Layer 2 and Layer 3 networking technologies.

About Common Criteria

The Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) is an international standard for certification of the security of computer systems, networks, and operating environments.

A Dell Networking operating system (OS) running and tested on the hardware in the evaluated configuration is referred to as the Common Criteria Evaluated Configuration. The evaluated configuration consists of the Dell Networking OS, release 9.11(0.0P9) on the Dell Networking certified switches. The Common Criteria configuration provides effective security measures only if it is installed, managed, and used in accordance with the instructions in this document.

Conventions

This guide uses the following conventions to describe command syntax:

Keyword Keywords are in Courier (a monospaced font) and must be entered in the CLI as listed.

parameter Parameters are in italics and require a number or word to be entered in the CLI.

{X} Keywords and parameters within braces must be entered in the CLI.

[X] Keywords and parameters within brackets are optional.

x|y Keywords and parameters separated by a bar require you to choose one option.

x||y Keywords and parameters separated by a double bar allow you to choose any or all of the options.

Related Documents

For more information about the Dell Networking certified switches, see the following documents for release 9.11(0.0P9). Go to www.dell.com/manuals to access all Dell Networking documentation.

• Dell Networking Getting Started Guide for the S5000 Switch

• Dell Networking Getting Started Guide for the S3100 Series Switches

• Dell Networking Getting Started Guide for the S6100–ON Switch

• Dell Networking Getting Started Guide for the S6010–ON Switch

• Dell Networking Getting Started Guide for the S4048–ON Switch

• Dell Networking Getting Started Guide for the S4048T–ON Switch


• Dell Networking Getting Started Guide for the S3048–ON Switch

• Dell Networking Getting Started Guide for the C9010 Switch

• Dell Networking Getting Started Guide for the Z9100–ON Switch

• Dell Networking Installation Guide for the S5000 Switch

• Dell Networking Installation Guide for the S3100 Series

• Dell Networking Installation Guide for the S6100–ON Switch

• Dell Networking Installation Guide for the S6010–ON Switch

• Dell Networking Installation Guide for the S4048–ON Switch

• Dell Networking Installation Guide for the S4048T–ON Switch

• Dell Networking Installation Guide for the S3048–ON Switch

• Dell Networking Installation Guide for the C9010 Series

• Dell Networking Installation Guide for the Z9100–ON Switch

• Dell Networking Command Line Reference Guide for the S5000 Switch

• Dell Networking Command Line Reference Guide for the S3100 Series

• Dell Networking Command Line Reference Guide for the S6100–ON Switch

• Dell Networking Command Line Reference Guide for the S6010–ON Switch

• Dell Networking Command Line Reference Guide for the S4048–ON Switch

• Dell Networking Command Line Reference Guide for the S4048T–ON Switch

• Dell Networking Command Line Reference Guide for the S3048–ON Switch

• Dell Networking Command Line Reference Guide for the C9010 Series

• Dell Networking Command Line Reference Guide for the Z9100–ON Switch

• Dell Networking Configuration Guide for the S5000 Switch

• Dell Networking Configuration Guide for the S3100 Series

• Dell Networking Configuration Guide for the S6100–ON Switch

• Dell Networking Configuration Guide for the S6010–ON Switch

• Dell Networking Configuration Guide for the S4048–ON Switch

• Dell Networking Configuration Guide for the S4048T–ON Switch

• Dell Networking Configuration Guide for the S3048–ON Switch

• Dell Networking Configuration Guide for the C9010 Series

• Dell Networking Configuration Guide for the Z9000 Switch

• Dell Networking Release Notes for the S5000 Switch

• Dell Networking Release Notes for the S3100 Series

• Dell Networking Release Notes for the S6100–ON Switch

• Dell Networking Release Notes for the S6010–ON Switch

• Dell Networking Release Notes for the S4048–ON Switch

• Dell Networking Release Notes for the S4048T–ON Switch

• Dell Networking Release Notes for the S3048–ON Switch

• Dell Networking C9010 Release Notes

• Dell Networking Release Notes for the Z9100–ON Switch

Documentation feedback

To provide feedback on this document, email Dell Networking InfoDev at [email protected]. Please include the title of this document and the software version in your comments.


Configuration Fundamentals

The Dell Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols.

The CLI is largely the same for the Dell Networking switches except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode. The product(s) support two different methods of limiting user command access: user roles (RBAC) or privilege levels. Common Criteria evaluated configurations must use the RBAC method.

In Dell Networking OS, after you enable a command, it is entered into the running configuration file. You can view the current configuration for the whole system or for a particular CLI mode. To save the current configuration, copy the running configuration locally. When you do this, the configuration takes effect on the next reboot. You can also copy the configuration remotely using SCP and then use it as a template to configure other switches.

NOTE: Due to differences in hardware architecture and continued system development, features may occasionally differ between the platforms. Differences are noted in each CLI description and related documentation.

Topics:

• Accessing the Command Line

• CLI Modes

• The do Command

• Undoing Commands

• Obtaining Help

• Entering and Editing Commands

Accessing the Command Line

Access the CLI through a serial console port or an SSH session.

Connecting to the Serial Console Port

The serial console port on the system may be connected to a terminal server or directly to a PC through an RJ-45 copper cable.

You can connect to the console using an RJ-45 to DB-9 adapter along with an RJ-45 rollover cable if the DTE has a DB-9 interface or with just an RJ-45 rollover cable to connect to a terminal server.

Use these default terminal settings on the console port:

• 9600 baud rate

• No parity

• 8 data bits

• 1 stop bit

• No flow control

Exact details for connecting to the console port of a particular system are documented in the Quick Start Guide or Getting Started Guide for that switch model.


Connecting to the Management Ethernet Port

Connect the Ethernet management port on the system to an Ethernet network, preferably a management network.

After you have configured a management IP address on the system, test the connectivity using the ping utility.

Configure secure remote access using the SSH server (version 2). Any terminal program you use to connect to the system must be capable of supporting SSH version 2, one of the desired ciphers (aes128-cbc or aes-256-cbc), and one of the desired HMAC algorithms (hmac-sha1, hmac-sha1-96, or hmac-sha2-256).

Starting CLI Mode

If you access the CLI through the console, you enter the command line in EXEC mode (if login authentication is not yet configured on the console, for example at first boot-up).

If login authentication is configured on the console, a login prompt is presented, similar to accessing the system remotely through SSH.

Login: username
Password:
Dell>

Important Points to Remember

• Where you enter the CLI depends on your user role or privilege level.

• Users with the network admin, system admin, or security system admin user role enter at EXEC Privilege mode instead of EXEC mode.

• If you are setting up a system that is not configured, you can initially log in as administrator (admin). When you turn on Role-Based Only AAA Authorization, you must log in with a userid associated with a user role. The Common Criteria specification only allows users with a user role to log in to the switch. Users with only a privilege level and no associated user role are not permitted to log in to the switch.

• After you have configured role-based access control (RBAC), the enable password no longer applies to users who have associated user roles, because RBAC automatically puts you in EXEC or EXEC Privilege mode after you have been authorized to log in to the switch.

• For remote access, the Common Criteria specification requires that you use only a secure channel, SSHv2. Do not use Telnet. Before you can SSH into the system, you must configure an authentication rule on a virtual terminal line. Therefore, you must use a console connection when connecting to the system for the first time. For information on the console, see Console Access.

For information about how to access the command line, see Enabling the SSH Server, Configuring Console and Terminal Lines, and Configuring Syslog.

CLI Modes

Different sets of commands are available in each mode.

A command found in one mode cannot be executed from another mode, except for EXEC mode commands where the do command precedes the EXEC mode command (see the do command section).

The Dell Networking OS CLI is divided into three major mode levels:

• EXEC mode is the default mode. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.

• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. You can configure a password for this mode. For information about this feature, see the Configuring the Enable Password section in the Getting Started chapter of this document.

NOTE: When you log in to the switch using a user role, you are already authenticated and authorized. You do not need to enter an enable password because the system puts you in EXEC mode or EXEC Privilege mode, based on your user role.


• Beneath CONFIGURATION mode are sub-modes that apply to interfaces, protocols, and features. For more information about CLI modes, see Navigating CLI Modes.

The following example shows the sub-mode command structure. Two sub-CONFIGURATION modes are important when configuring the chassis for the first time:

• INTERFACE sub-mode: the mode in which you configure Layer 2 and Layer 3 protocols and IP services specific to an interface. An interface can be physical (Management interface, 1 Gigabit Ethernet, 10 Gigabit Ethernet, 40 Gigabit Ethernet) or logical (Loopback, Null, port channel, or virtual local area network [VLAN]).

• LINE sub-mode: the mode in which you configure the console and virtual terminal lines.

NOTE: The CLI modes can vary depending on your system. For information about CLI modes, refer to the “CLI Modes” and “Navigating CLI Modes” sections in the Dell Networking OS Configuration Guide. See http://www.dell.com/support for all Dell Networking documentation.

The CLI modes are (indented entries are sub-modes of the mode above them):

EXEC
EXEC Privilege
    uBoot
    CONFIGURATION
        AS-PATH ACL
        CONTROL-PLANE
        CLASS-MAP
        DCB POLICY
        DHCP
            DHCP POOL
        ECMP-GROUP
        EXTENDED COMMUNITY
        FRRP
        INTERFACE
            GROUP
            GIGABIT ETHERNET
            10 GIGABIT ETHERNET
            25 GIGABIT ETHERNET
            40 GIGABIT ETHERNET
            50 GIGABIT ETHERNET
            100 GIGABIT ETHERNET
            INTERFACE RANGE
            LOOPBACK
            MANAGEMENT ETHERNET
            NULL
            PORT-CHANNEL
            TUNNEL
            VLAN
                VRRP
        IP
        IPv6
        IP COMMUNITY-LIST
        IP ACCESS-LIST
            STANDARD ACCESS-LIST
            EXTENDED ACCESS-LIST
        MAC ACCESS-LIST
        LINE
            AUXILLIARY
            CONSOLE
            VIRTUAL TERMINAL
        LLDP
            LLDP MANAGEMENT INTERFACE
        MONITOR SESSION
        MULTIPLE SPANNING TREE
        OPENFLOW INSTANCE
        PVST
        PORT-CHANNEL FAILOVER-GROUP
        PREFIX-LIST
        PRIORITY-GROUP
        PROTOCOL GVRP
        QOS POLICY
        RSTP
        ROUTE-MAP
        ROUTER BGP
            BGP ADDRESS-FAMILY
        ROUTER ISIS
            ISIS ADDRESS-FAMILY
        ROUTER OSPF
        ROUTER OSPFV3
        ROUTER RIP
        SPANNING TREE
        TRACE-LIST
        VLT DOMAIN
        VRRP
        UPLINK STATE GROUP

NOTE: At any time, entering a question mark (?) displays the available command options. For example, when you are in CONFIGURATION mode, entering the question mark first lists all available commands, including the possible submodes.

The do Command

You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on) without having to return to EXEC mode by preceding the EXEC mode command with the do command.

The following example shows the output of the do command.

dv-fedgov-s4000-1(conf)#do show system brief

Stack MAC : 34:17:eb:f2:57:c4
Reload-Type : normal-reload [Next boot : normal-reload]

-- Stack Info --
Unit UnitType   Status      ReqTyp    CurTyp    Version      Ports
------------------------------------------------------------------
 1   Management online      S4048-ON  S4048-ON  9-11(0-154)  72
 2   Member     not present
 3   Member     not present
 4   Member     not present
 5   Member     not present
 6   Member     not present

-- Power Supplies --
Unit Bay Status  Type     FanStatus FanSpeed(rpm)
--------------------------------------------------------
 1   1   up      UNKNOWN  up        6984
 1   2   absent           absent    0

-- Fan Status --
Unit Bay TrayStatus Fan1 Speed Fan2 Speed
------------------------------------------------
 1   1   up         up   6971  up   7021
 1   2   up         up   7021  up   7021
 1   3   up         up   7021  up   7021

Speed in RPM

Undoing Commands

To disable a command and remove it from the running-config, enter the no form of the command, then the original command. For example, to delete an IP address configured on an interface, use the no ip address command.

IMPORTANT: When you enter a command, the command line is added to the running configuration file (running-config) if the command is not the default configuration.

NOTE: Use the help or ? command.

Example of Viewing Disabled Commands

Dell(conf)#interface tengigabitethernet 4/17
Dell(conf-if-te-4/17)#ip address 192.168.10.1/24
Dell(conf-if-te-4/17)#show config
!
interface tenGigabitEthernet 4/17
 ip address 192.168.10.1/24
 no shutdown
Dell(conf-if-te-4/17)#no ip address
Dell(conf-if-te-4/17)#show config
!
interface tenGigabitEthernet 4/17
 no ip address
 no shutdown

Obtaining Help

Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command:

• To list the keywords available in the current mode, enter ? at the prompt or after a keyword.

• Enter ? after a command prompt to list all of the available keywords. The output of this command is the same as the help command.

Dell#?
cd          Change current directory
clear       Reset functions
clock       Manage the system clock
configure   Configuring from terminal
copy        Copy from one file to another
debug       Debug functions
--More--

• Entering ? after a partial keyword lists all of the keywords that begin with the specified letters.

Dell(conf)#cl?
class-map
clock
Dell(conf)#cl

• Entering [space]? after a keyword lists all of the keywords that can follow the specified keyword.

Dell(conf)#clock ?
summer-time   Configure summer (daylight savings) time
timezone      Configure time zone
Dell(conf)#clock

Entering and Editing Commands

Important Points to Remember

• You can enter partial CLI keywords.

• Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can enter clo, however, as a partial keyword because only one command begins with those three letters.

NOTE: The CLI is not case-sensitive.

• The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command.

• The UP and DOWN arrow keys display previously entered commands.

• The BACKSPACE and DELETE keys erase the previous letter.

• Key combinations are available to move quickly across the command line. The following table describes these short-cut key combinations.

Short-Cut Key Combination    Action

CNTL-A    Moves the cursor to the beginning of the command line.

CNTL-B    Moves the cursor back one character.

CNTL-D    Deletes character at cursor.

CNTL-E    Moves the cursor to the end of the line.

CNTL-F    Moves the cursor forward one character.

CNTL-I    Completes a keyword.

CNTL-K    Deletes all characters from the cursor to the end of the command line.

CNTL-L    Re-enters the previous command.

CNTL-N    Return to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow key.

CNTL-P    Recalls commands, beginning with the last command.

CNTL-R    Re-enters the previous command.

CNTL-U    Deletes the line.

CNTL-W    Deletes the previous word.

CNTL-X    Deletes the line.

CNTL-Z    Ends continuous scrolling of command outputs.

Esc B     Moves the cursor back one word.

Esc F     Moves the cursor forward one word.

Esc D     Deletes all characters from the cursor to the end of the word.


Getting Started

For information about setting up the switch and getting it started, see the Dell Networking Getting Started Guide for your system. Go to www.dell.com/manuals to access all Dell Networking documentation.

Important Points to Remember

Not all software features available with the Dell Networking switches are recommended for use in a Common Criteria compliant configuration. Specifically, some features must not be used because they may compromise the security of the system with regard to Common Criteria requirements. These features must not be used:

• Telnet server on the switch (disabled by default)

• HTTP/HTTPS server on the switch (disabled by default)

• FTP server on the switch (disabled by default)

• Bare Metal Provisioning (BMP) feature

• SupportAssist feature

NOTE: SSH version 2 must be used for remote connectivity to the switch.

The remainder of this chapter covers the necessary steps to prepare a Dell Networking switch prior to applying a Common Criteria compliant configuration. Specific settings for cryptographic ciphers, access security, and system log and time setup are covered in the “Setting Up the Common Criteria Configuration” Section later in this document.

Topics:

• Console Access

• Serial Console

• Factory-Default Configuration

• Configuring a Host Name

• Configure the Management Port IP Address

• Configuring a Management Route

• Configuring the System Clock

• Configuring a Username and Password

• Configuring the Enable Password

• Configuration File Management

• Copy Files to and from the System

• Save the Running-Configuration

• Viewing Files


Console Access

When you first get your switch, there is no required login on the console. Make sure you configure the login authentication on the console. For information on console access, see the Console Access section in the Dell Networking Configuration Guide and Dell Networking Getting Started Guide for your system.

Serial Console

For information about the serial console, see the Serial Console section in the Dell Networking Configuration Guide and Dell Networking Getting Started Guide for your system.

Factory-Default Configuration

A version of the Dell Networking OS is pre-loaded on the chassis; however, the system is configured with the factory default configuration when you power up for the first time (except for the default hostname, which is Dell).

You must configure the system using the CLI to match your requirements. This may include disabling the Bare Metal Provisioning (BMP) feature as well as setting the hostname and management IP address of the system.

Configuring a Host Name

The host name appears in the prompt. The default host name is Dell.

• Host names must start with a letter and end with a letter or digit.

• Characters within the string can be letters, digits, and hyphens.

To create a host name, use the hostname name command in Configuration mode.

hostname command example

Dell(conf)#hostname R1
R1(conf)#

Configure the Management Port IP Address

To access the system remotely, assign IP addresses to the management ports.

1 Enter INTERFACE mode for the Management port.

CONFIGURATION mode

interface ManagementEthernet slot/port

• slot: the range starts from 0 for non-ON platforms and 1 for ON platforms.

• port: the range starts from 0 for non-ON platforms and 1 for ON platforms.

2 Assign an IP address to the interface.

INTERFACE mode

ip address ip-address/mask

• ip-address: enter the IPv4 address in dotted decimal format (A.B.C.D).

• mask: a subnet mask in /prefix-length format (/xx).

NOTE: DHCP is not supported for the IPv4 address of the management port.

NOTE: You can also assign one or two IPv6 addresses to the interface. To specify an IPv6 address, use the ipv6 address [ipv6-address/mask | autoconfig] command.


3 Enable the interface.

INTERFACE mode

no shutdown

Configuring a Management Route

Define a path from the switch to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are used only to manage the switch through the management port. You must configure network access to the management network: the IP address on the management interface and any necessary management routes.

NOTE: You must set up an IP address on the management interface before setting up a management route.

NOTE: When you configure the management route, Dell Networking recommends not using the default route.

To configure the management route through the management port, use the management route {ip-address mask | ipv6-address prefix-length} {forwarding-router-address | managementethernet} command in CONFIGURATION mode. For example:

Dell(conf)#management route 192.100.0.0/24 100.3.73.235

NOTE: For complete information about using the management route feature, see the IPv4 Routing section in the Dell Networking Command Line Reference Guide for your system.

Configuring the System Clock

The system clock may be modified locally or managed through Network Time Protocol (NTP).

For information on how to change the system time, see the Dell Networking OS Time and Date section in the Configuration Guide.

Configuring a Username and Password

To access the system, configure a system username and password.

• Configure a username and password to access the system remotely.

CONFIGURATION mode

username name [access-class access-list-name] [nopassword | {password | secret | sha256-password} [encryption-type] password] [privilege level] [role role-name]

• encryption-type: specifies how you are inputting the password, is 0 by default, and is not required.

• 0 is for inputting the password in clear text.

• 7 is for inputting a password that is already encrypted using a Type 7 hash. Obtain the encrypted password from the configuration of another Dell Networking system.

NOTE: The sha256-password option is the recommended option for encrypting the password.

NOTE: Typically the password parameter is entered in clear text. For security reasons, ensure you are not being observed. Note that the username commands are saved in the configuration file, but the passwords are not saved in clear text; they are encrypted.


Configuring the Enable Password

Configure an enable password as a basic security measure to control access to the EXEC Privilege mode from the EXEC mode. EXEC Privilege mode is unrestricted by default.

There are two types of enable passwords:

• enable password stores the password in the running/startup configuration using a DES encryption method.

• enable secret stores the password using a stronger MD5 encryption method. This must be used for Common Criteria conformance.

NOTE: When you log in to the switch using a user role, you are already authenticated and authorized based on the authorization of your user role. You do not need to enter an enable password because the system puts you in EXEC Privilege mode, unless you are a network operator, in which case you are put in EXEC mode.

• Create a password to access EXEC Privilege mode.

CONFIGURATION mode

enable sha256-password {0 cleartext-password | 8 encrypted-password}

• sha256-password: specifies that the password you enter is a sha256 password.

• encryption-type: specifies how you are inputting the password, is 0 by default, and is not required.

• 0 is for inputting the password in clear text.

• 7 is for inputting a password that is already encrypted using a DES hash. Obtain the encrypted password from the configuration file of another Dell Networking system.

• 5 is for inputting a password that is already encrypted using an MD5 hash. Obtain the encrypted password from the configuration file of another Dell Networking system.
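The prerequisites set out in this chapter (a valid host name, no default management route, users that carry a role and use sha256-password, enable secret or enable sha256-password rather than enable password, and none of the services listed under Important Points to Remember) can be checked against a saved running-configuration before the Common Criteria configuration is applied. The following Python script is an added example, not Dell code: the WEAK_CONFIG and HARDENED_CONFIG fragments are constructed, and the service-enable command strings in FORBIDDEN_SERVICES are assumed forms to be verified against the Command Line Reference Guide for your platform.

```python
import re

# Constructed sample running-config fragment (not captured from a switch).
# The hostname, management route, enable and username lines follow the syntax
# shown in this chapter; "ip telnet server enable" is an assumed command form
# included only to exercise the forbidden-service check.
WEAK_CONFIG = """\
hostname R1
ip telnet server enable
management route 0.0.0.0/0 100.3.73.235
management route 192.100.0.0/24 100.3.73.235
enable password 7 EXAMPLE_DES_STRING
username admin password 0 EXAMPLE_CLEARTEXT privilege 15
username secadmin sha256-password 8 EXAMPLE_SHA256_STRING role secadmin
"""

# The same fragment with every finding corrected (also constructed).
HARDENED_CONFIG = """\
hostname R1
management route 192.100.0.0/24 100.3.73.235
enable sha256-password 8 EXAMPLE_SHA256_STRING
username secadmin sha256-password 8 EXAMPLE_SHA256_STRING role secadmin
"""

# Host names start with a letter, end with a letter or digit, and contain only
# letters, digits and hyphens.
HOSTNAME_RE = re.compile(r"^[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?$")

# Services the chapter says must not be used. The command strings are assumed
# forms, not quoted from this guide; verify them against the CLI reference.
FORBIDDEN_SERVICES = {
    "ip telnet server enable": "Telnet server",
    "ip ftp server enable": "FTP server",
    "ip http server": "HTTP/HTTPS server",
}


def check_hostname(line):
    """Return a finding when the configured host name breaks the naming rules."""
    name = line.split(None, 1)[1].strip() if " " in line else ""
    if not HOSTNAME_RE.match(name):
        return f"host name '{name}' violates the host name rules"
    return None


def check_username(line):
    """Users must carry a role (RBAC-only login) and use sha256-password."""
    parts = line.split()
    user = parts[1] if len(parts) > 1 else "?"
    findings = []
    if "role" not in parts:
        findings.append(f"user '{user}' has no role and cannot log in under RBAC")
    if "sha256-password" not in parts:
        findings.append(f"user '{user}' does not use sha256-password")
    return findings


def check_enable(line):
    """'enable password' stores the secret with DES; that form is not acceptable."""
    if line.startswith("enable password"):
        return "enable password (DES) is configured; use enable secret or enable sha256-password"
    return None


def check_management_route(line):
    """Flag a default management route, which the guide recommends against."""
    args = line.split()[2:]
    is_default = args[:1] in (["0.0.0.0/0"], ["::/0"]) or args[:2] == ["0.0.0.0", "0.0.0.0"]
    return f"management route {args[0]} is a default route" if is_default else None


def audit_config(text):
    """Walk a running-config and return the list of findings (empty if clean)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and "!" separators
        for cmd, service in FORBIDDEN_SERVICES.items():
            if line.startswith(cmd):
                findings.append(f"{service} is enabled; it must not be used")
        finding = None
        if line.startswith("hostname "):
            finding = check_hostname(line)
        elif line.startswith("username "):
            findings.extend(check_username(line))
        elif line.startswith("enable "):
            finding = check_enable(line)
        elif line.startswith("management route "):
            finding = check_management_route(line)
        if finding:
            findings.append(finding)
    return findings
```

Run audit_config over the text of show running-config copied off the switch; an empty list means none of the checks above fired, not that the full Section 5 configuration is in place.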

Configuration File Management

Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode.

Copy Files to and from the System

The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url. To comply with the Common Criteria specification, use only SCP to copy the image to the switch.

NOTE: For a detailed description of the copy command, see the Dell Networking Command Line Reference Guide.

• To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location.

• To copy a remote file to Dell Networking system, combine the file-origin syntax for a remote file location with the file-destination syntax for a local file location.

Table 1. Syntax to Copy a File From an SCP Server

Location: for a remote file location, SCP server

source-file-url syntax: copy scp://{hostip | hostname}/filepath/filename

destination-file-url syntax: scp://{hostip | hostname}/filepath/filename

Important Points to Remember

• You may not copy a file from one remote system to another.


• You may not copy a file from one location to the same location.

• When copying to a server, you can only use a hostname if a Domain Name System (DNS) server is configured.

• The usbflash command is supported. For supported platforms, see the Copy Files to and from the System section of the Dell Networking OS Configuration Guide for your system. See your system’s Release Notes for a list of approved USB vendors.

Example of Copying a File to an SCP Server

Dell#copy flash://Dell-EF-8.2.1.0.bin scp://myusername:[email protected]//Dell/Dell-EF-8.2.1.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27952672 bytes successfully copied

NOTE: Copy commands are not saved in configuration files as they perform a one-time action and are not part of the configuration of the system.

Save the Running-Configuration

The running-configuration contains the current system configuration. Dell Networking recommends copying your running-configuration to the startup-configuration. The commands in this section follow the same format as the commands in the Copy Files to and from the System section of this document, but use the filenames startup-configuration and running-configuration. These commands assume that the current directory is the internal flash, which is the system default.

• Save the running-configuration to the startup-configuration on the internal flash of the primary RPM.

EXEC Privilege mode

copy running-config startup-config

• Save the running-configuration to the internal flash on an RPM.

EXEC Privilege mode

copy running-config flash://filename

• Save the running-configuration to an SCP server.

EXEC Privilege mode

copy running-config scp://{hostip | hostname}/filepath/filename

When copying to a server, you can only use a host name if you configure a DNS server.

Viewing Files

You can only view file information and content on local file systems using the following commands:

• View a list of files on the internal flash.

EXEC Privilege mode

dir flash:

• View the running-configuration.

EXEC Privilege mode

show running-config

dir command example

The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.

Dell#dir
Directory of flash:

 1 drw-    32768 Jan 01 1980 00:00:00 .
 2 drwx      512 Jul 23 2007 00:38:44 ..
 3 drw-     8192 Mar 30 1919 10:31:04 TRACE_LOG_DIR
 4 drw-     8192 Mar 30 1919 10:31:04 CRASH_LOG_DIR
 5 drw-     8192 Mar 30 1919 10:31:04 NVTRACE_LOG_DIR
 6 drw-     8192 Mar 30 1919 10:31:04 CORE_DUMP_DIR
 7 d---     8192 Mar 30 1919 10:31:04 ADMIN_DIR
 8 -rw- 33059550 Jul 11 2007 17:49:46 FTOS-EF-7.4.2.0.bin
 9 -rw- 27674906 Jul 06 2007 00:20:24 FTOS-EF-4.7.4.302.bin
10 -rw- 27674906 Jul 06 2007 19:54:52 boot-image-FILE
11 drw-     8192 Jan 01 1980 00:18:28 diag
12 -rw-     7276 Jul 20 2007 01:52:40 startup-config.bak
13 -rw-     7341 Jul 20 2007 15:34:46 startup-config
14 -rw- 27674906 Jul 06 2007 19:52:22 boot-image
15 -rw- 27674906 Jul 06 2007 02:23:22 boot-flash
--More--

Dell#dir flash:
Directory of flash:

 1 drwx     4096 Jan 01 1980 00:00:00 +00:00 .
 2 drwx     3072 Sep 06 2015 12:41:26 +00:00 ..
 3 d---     4096 Aug 09 2015 06:52:28 +00:00 ADMIN_DIR
 4 drwx     4096 Sep 04 2015 18:58:20 +00:00 CONFIG_TEMPLATE
 5 drwx     4096 Aug 09 2015 06:56:32 +00:00 TRACE_LOG_DIR
 6 drwx     4096 Aug 09 2015 06:56:32 +00:00 CONFD_LOG_DIR
 7 drwx     4096 Aug 09 2015 06:56:32 +00:00 CORE_DUMP_DIR
 8 drwx     4096 Aug 09 2015 06:56:32 +00:00 RUNTIME_PATCH_DIR
 9 -rwx    53285 Sep 01 2015 18:08:54 +00:00 TestReport-SU-1.txt
10 -rwx      630 Sep 02 2015 17:53:14 +00:00 TestReportIndividual-SU-1.txt
11 -rwx     2760 Sep 04 2015 18:51:26 +00:00 startup-config
12 -rwx   294418 Sep 04 2015 18:51:36 +00:00 confd_cdb.tar.gz
13 -rwx 54238335 Sep 06 2015 13:04:58 +00:00 FTOS-Z9100-ON-9.8.1.0.bin

flash: 4286574592 bytes total (4170424320 bytes free)

Dell#dir flash:
Directory of flash:

 1 drwx     4096 Jan 01 1980 00:00:00 +00:00 .
 2 drwx     3072 Sep 06 2015 12:41:26 +00:00 ..
 3 d---     4096 Aug 09 2015 06:52:28 +00:00 ADMIN_DIR
 4 drwx     4096 Sep 04 2015 18:58:20 +00:00 CONFIG_TEMPLATE
 5 drwx     4096 Aug 09 2015 06:56:32 +00:00 TRACE_LOG_DIR
 6 drwx     4096 Aug 09 2015 06:56:32 +00:00 CONFD_LOG_DIR
 7 drwx     4096 Aug 09 2015 06:56:32 +00:00 CORE_DUMP_DIR
 8 drwx     4096 Aug 09 2015 06:56:32 +00:00 RUNTIME_PATCH_DIR
 9 -rwx    53285 Sep 01 2015 18:08:54 +00:00 TestReport-SU-1.txt
10 -rwx      630 Sep 02 2015 17:53:14 +00:00 TestReportIndividual-SU-1.txt
11 -rwx     2760 Sep 04 2015 18:51:26 +00:00 startup-config
12 -rwx   294418 Sep 04 2015 18:51:36 +00:00 confd_cdb.tar.gz
13 -rwx 54238335 Sep 06 2015 13:04:58 +00:00 FTOS-S6100-ON-9.10.0.0.bin

flash: 4286574592 bytes total (4170424320 bytes free)

NOTE: Configuration commands are saved in the running and startup configuration files because they are necessary to define how the system operates. The startup configuration file is used to rebuild the system into this configuration after a reboot. This includes definitions of user roles, userids, and passwords on the system. Passwords are saved in the configuration files in their encrypted form by default. However, some commands are used strictly for viewing or monitoring the system (for example, any of the show commands, debug commands, and so forth); these are not saved in the configuration files. There are other commands that perform one-time actions that do not modify how the system operates; these are also not saved in the configuration files. Some examples of these commands are copy commands and upgrade commands.


Upgrading and Downgrading the Software

This section describes how to install, upgrade, or downgrade the software needed to operate a Dell Networking certified switch in the Common Criteria evaluated configuration. To get started setting up the Common Criteria evaluated configuration, you must start with Dell Networking OS release 9.11(0.0P9). The application of additional updates or patches is encouraged between completion of the evaluation and the Assurance Maintenance Date. With updates properly installed, the product is still considered by NIAP to be in its evaluated configuration.

Before you Begin

Obtain a user ID and password to access the Dell Networking release notes, software, and published hash on iSupport at https://www.force10networks.com/support. Use the published hash to validate the software. The published hash and release notes are with the software.

To upgrade or downgrade the Dell Networking OS to release 9.11(0.0P9):

1 To verify the Dell Networking OS version running on the switch, use the show version command in EXEC Privilege mode. This command displays the current Dell Networking OS version information on the system.

In this example, the switch is running Dell Networking OS 9.5 (1.0B5) and must be upgraded to 9.11(0.0P9).

Dell#show version
Dell Real Time Operating System Software
Dell Operating System Version: 2.0
Dell Application Software Version: 9.5(1.0B5)

2 If you need to upgrade or downgrade to Dell Networking OS 9.11(0.0P9), review the 9.11(0.0P9) release notes for your platform at https://www.force10networks.com/software and then download the software. The release notes are with the software.

3 To validate the software image on the flash drive, after you transfer the image to the system but before you install it, use the verify command in EXEC Privilege mode. The command calculates a hash of the downloaded image file on the system's flash drive. Compare this hash with the Dell Networking published hash for that file, which you obtain by logging in to the iSupport site.

The SHA256 hash provides a method of validating that you have downloaded the original software. Calculating the hash on the local image file and comparing the result to the hash published for that file on iSupport provides a high level of confidence that the local copy is exactly the same as the published software image. This validation procedure, and the verify command that supports it, lets you detect a corrupted or modified image before you install it.

IMPORTANT:

This section satisfies the Common Criteria requirement FPT_TUD_EXT.1 (trusted updates).

To comply with common criteria specification, select only the SHA256 Secure Hash Algorithm to validate the software image on the flash drive. Compare the generated hash value to the expected hash value published to validate the software for your platform.

The verify command calculates and displays the hash of any file on the specified local flash drive. Compare the displayed hash against the appropriate hash published on iSupport. To obtain the published hash:

a Go to the iSupport page at https://www.force10networks.com/support. To access this site, you must have a user ID and password.

b Click the Software Center tab.

c In the left pane, select the platform: S-series, Z series, or C Series.

d Locate your platform, software image, and the published SHA256 hash listed in the Software column.


NOTE: If you cannot find the software image in the Current Release, click the link below the Current Release software that says the following: Note: To see the full list of Supported downloads, please click here.

To validate the software image using the verify command:

a Download the Dell Networking OS software image file from the iSupport page to the local SCP server. The published hash for that file displays next to the software image file on the iSupport page.

b Go on to the Dell Networking system and copy the software image to the flash drive using the copy command. To comply with the Common Criteria specification, use only SCP to copy the image to the switch. For information about how to copy a file from an SCP server, see the Copy Files to and from the System section.

c Run the verify sha256 [flash://]img-file [hash-value] command in EXEC Privilege mode.

• sha256: SHA256 Secure Hash Algorithm

• flash (Optional): Specifies the flash drive. The default is to use the flash drive. You can just enter the image file name.

• hash-value: (Optional). Specify the relevant hash published on iSupport.

• img-file: Enter the name of the Dell Networking software image file to validate.

d Compare the generated hash value to the expected hash value published on the iSupport page. For example:

Dell# verify sha256 flash://FTOS-SE-9.11(0.0P9).bin e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
SHA256 hash VERIFIED for FTOS-SE-9.11(0.0P9).bin

4 When you have successfully validated the image, follow the upgrade or downgrade directions in the release notes for your platform.

When the upgrade or downgrade completes, the system provides a log message indicating success. You can then reboot your system to take advantage of the new software. For more information, see the Release Notes for your platform.

NOTE: If the image did not validate successfully, ensure you have copied the correct binary file for upgrading your system. Repeat the procedure if there is an issue with either the selected file or the download process.
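Before you copy the image to the switch with SCP, you can make the same SHA256 comparison on the workstation that downloaded it, so that a bad download is caught before it ever reaches the flash drive. The following script is an added example and is not Dell code: the "file-name  hex-digest" listing format, the image file name, and the image bytes are constructed so that it runs offline. Substitute the real image path and the hash published on iSupport.

```python
"""Offline SHA-256 check of a downloaded image before it is copied to the switch.

Added example, not part of the Dell guide. The 'file-name  hex-digest' listing
format and the file name are assumptions; the image bytes are constructed.
"""
import hashlib
import hmac
import os
import re
import tempfile

HEX_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so a 50 MB image is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_published_hashes(listing: str) -> dict:
    """Parse lines of 'image-file-name  hex-digest' into {name: digest}.

    Blank lines, comments, and anything that is not a 64-hex-digit SHA-256 are
    skipped, so a mangled entry can never be mistaken for a valid published hash.
    """
    table = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        name, value = parts
        if HEX_SHA256.match(value):
            table[name] = value.lower()
    return table


def verify_image(path: str, expected_hex: str) -> bool:
    """True only if the file's SHA-256 equals the published hash (case-insensitive)."""
    if not HEX_SHA256.match(expected_hex):
        raise ValueError("published hash is not a 64-hex-digit SHA-256 value")
    actual = sha256_of_file(path)
    # Not a secret comparison, but compare_digest keeps the result independent
    # of where the first differing byte sits.
    return hmac.compare_digest(actual.lower(), expected_hex.lower())


def demo() -> tuple:
    """Constructed run: a good image verifies, a single flipped byte does not."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "FTOS-SE-9.11.bin")         # assumed file name
        with open(image, "wb") as fh:
            fh.write(b"\x7fELF" + bytes(range(256)) * 4096)  # constructed bytes
        listing = "# constructed listing\nFTOS-SE-9.11.bin " + sha256_of_file(image) + "\n"
        published = parse_published_hashes(listing)
        good = verify_image(image, published["FTOS-SE-9.11.bin"])
        with open(image, "r+b") as fh:                        # tamper with one byte
            fh.seek(100)
            fh.write(b"\x00")
        bad = verify_image(image, published["FTOS-SE-9.11.bin"])
    return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The verify command on the switch remains the check that the evaluated configuration requires; this script only rejects a corrupted download earlier, before the SCP transfer.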


Setting Up the Common Criteria Configuration

This section describes how to set up the configuration of a Dell Networking switch in accordance with the Common Criteria (CC) collaborative Protection Profile for Network Devices version 1.0.

There are specific conditions that are assumed to exist in the TOE’s Operational Environment. The following table lists assumptions about the Operational Environment.

Table 2. Assumptions for Operational Environment

Assumption Name Assumption Definition

A.PHYSICAL_PROTECTION The network device is assumed to be physically protected in its operational environment and not subject to physical attacks that compromise the security and/or interfere with the device’s physical interconnections and correct operation. This protection is assumed to be sufficient to protect the device and the data it contains. As a result, the cPP will not include any requirements on physical tamper protection or other physical attack mitigations. The cPP will not expect the product to defend against physical access to the device that allows unauthorized entities to extract data, bypass other controls, or otherwise manipulate the device.

A.LIMITED_FUNCTIONALITY The device is assumed to provide networking functionality as its core function and not provide functionality/ services that could be deemed as general purpose computing. For example the device should not provide computing platform for general purpose applications (unrelated to networking functionality).

A.NO_THRU_TRAFFIC_PROTECTION A standard/generic network device does not provide any assurance regarding the protection of traffic that traverses it. The intent is for the network device to protect data that originates on or is destined to the device itself, to include administrative data and audit data. Traffic that is traversing the network device, destined for another network entity, is not covered by the ND cPP. It is assumed that this protection will be covered by cPPs for particular types of network devices (e.g, firewall).

A.TRUSTED_ADMINISTRATOR The Security Administrator(s) for the network device are assumed to be trusted and to act in the best interest of security for the organization. This includes being appropriately trained, following policy, and adhering to guidance documentation. Administrators are trusted to ensure passwords/credentials have sufficient strength and entropy and to lack malicious intent when administering the device. The network device is not expected to be capable of defending against a malicious administrator that actively works to bypass or compromise the security of the device.

A.REGULAR_UPDATES The network device firmware and software is assumed to be updated by an administrator on a regular basis in response to the release of product updates due to known vulnerabilities.

A.ADMIN_CREDENTIALS_SECURE The administrator’s credentials (private key) used to access the network device are protected by the platform on which they reside.

The following table identifies the organizational security policies applicable to the TOE as specified in the PP:


Table 3. Security Policies

Policy Name Policy Definition

P.ACCESS_BANNER The TOE shall display an initial banner describing restrictions of use, legal agreements, or any other appropriate information to which users consent by accessing the TOE.

Before you Begin

• Review the Overview of RBAC section. This section is useful because RBAC impacts how you interact with the CLI.

• Install the required software, Dell Networking OS, release 9.11(0.0P9). For information about how to install the software, see Upgrading and Downgrading the Software.

NOTE: If you are setting up a system that is not configured, you can initially remotely login as administrator (admin). By default, the console does not require you to login.

NOTE: If Role-Based Only AAA Authorization (RBAC) has been enabled, you must login with a userid that is associated with the system administrator user role. For information about the CLI Navigation modes that are used to configure the Common Criteria configuration, see Navigating CLI Modes. Verify that the user ID for the system administrator user role is working before you enable the aaa authorization role-only command.

NOTE: After you have configured RBAC, the enable password no longer applies for users who have defined user roles, because RBAC automatically puts you in Enable mode after you are authorized to log in to the switch. For information about RBAC CLI commands, see the Role-Based Access Control Commands section in the Dell Networking Command Line Reference Guide for your system.

To set up the software according to the Common Criteria specification to achieve the evaluated configuration, complete the following tasks:

1 Configure Security

2 Configure Password Attributes

3 Obscure Passwords and Keys

4 Configuring Console and Terminal Lines

5 Configure Banner

6 Configure Role-Based Access Control and AAA

IMPORTANT: Make sure that you verify that the user ID for the system administrator user role is working before you enable the aaa authorization role-only command.

NOTE: After you have configured RBAC, the enable password no longer applies for users who have defined user roles because RBAC automatically puts you in enable mode after you have been authorized to login to the switch.

For information about RBAC CLI commands, see the Role-Based Access Control Commands section in the Dell Networking CLI Guide for your system. Go to www.dell.com/manuals to access all Dell Networking documentation.

7 Configure Hostname

8 Configuring Management Port IP Address

9 Configure Management Route

10 Configuring Logging

11 Configure Syslog Servers

12 Configure SNMPv3

13 Configure X.509v3

The following table lists the common criteria requirements and the Dell Networking Common Criteria configuration that satisfies these requirements.


Table 4. Dell Networking Common Criteria Configuration Mapping

Common Criteria Requirement / Category / Dell Networking Common Criteria Configuration Mapping

FAU_GEN and FAU_STG_EXT / Syslog
• Configuring Syslog

FCS_CKM / Cryptographic Keys
• Generating RSA Host Keys

FCS_COP / Cryptographic Operation
• Enabling FIPS Mode
• Configuring Encryption Algorithms and HMAC Algorithms
• Enabling RSA Authentication
• Enabling the SSH Server and Disabling Telnet

FCS_SSH_EXT / SSH
• Enabling FIPS Mode
• Generating RSA Host Keys
• Configuring Encryption Algorithms and HMAC Algorithms
• Enabling RSA Authentication
• Enabling the SSH Server and Disabling Telnet

FCS_TLSC_EXT / Syslog
• Configuring SYSLOG Servers

FIA_PMG_EXT / Password Management
• Configuring Password Attributes

FIA_UIA_EXT / User Identification and Authentication
• Configuring the Banner
• Configuring Role-Based Access Control and AAA

FIA_UAU_EXT / Password-Based Authentication
• Configuring Role-Based Access Control and AAA

FIA_X509_EXT / X.509 Certificate
• Configuring X.509v3 Certificates
• Building a Trusted Certificate Store

FMT_SMR / Restrictions on Security Roles
• Configuring Role-Based Access Control and AAA

NOTE: To set up the software according to the Common Criteria specification to achieve the evaluated configuration, complete all tasks in this chapter in the order given in the following sections.

Topics:

• Attaching to the System

• Saving the Configuration

• Configuring Reload-Type

• Configuring Security

• Configuring Password Attributes

• Obscuring Passwords and Keys

• Configuring Console and Terminal Lines

• Configuring the Banner

• Configuring Role-Based Access Control and AAA

• Configuring the Hostname


• Configure the Management Port IP Address

• Configuring a Management Route

• Configuring Logging

• Configuring SYSLOG Servers

• Configuring the System Date and Time

• Configuring SNMPv3

• Configuring X.509v3

Attaching to the System

You must attach to the system through the console port to perform the first several steps of creating a Common Criteria compliant configuration.

This action is necessary to change the system to the normal reload-type and to configure the system to FIPS-compliant mode. You cannot perform these configuration actions remotely. Details about console port settings are presented in this section.

In addition, you must configure the system's security policies, user IDs, and management Ethernet IP address(es) before the system is reachable over the network. After you configure the system, you can continue the configuration remotely. However, it is simplest to use the console for all the configuration actions in this section.

You must have sufficient permissions to configure the system. If no user ID is set up yet (for example, on a brand new system), you must add user IDs that have the necessary privileges for security administration.

Saving the Configuration

During the configuration process, you can save the configuration as many times as desired.

To ensure the configuration is available upon reboot of the system, you must save the configuration when you complete configuring the system.

Configuring Reload-Type

The system is shipped with a factory default configuration in which the reload-type is set to use the bare metal provisioning (BMP) feature.

This feature relies on booting the system via DHCP using on-site DHCP servers. This is not appropriate for a Common Criteria configuration.

To ensure that the system uses the normal boot method, where the boot parameters are specified using the boot command, set the reload-type to normal-reload.

NOTE: If the system has booted with BMP enabled, the default factory configuration, you must stop the BMP process. Using the console, hit any key on the keyboard and it interrupts the BMP process. You are given several options—choose A for Abort. The BMP process then terminates.

After a prompt is available on the console, move to CONFIGURATION mode and change the reload-type using the following command:

Dell (conf)#reload-type
Dell (conf-reload-type)#boot-type normal-reload

Configuring Security

The Dell Networking security configuration satisfies the following Common Criteria requirements:

• FCS_COP (cryptography)

• FCS_SSH_EXT (SSH)

• FTP_TRP (trusted path)


To comply with the Common Criteria specifications, complete the following tasks:

1 Enable FIPS Mode

NOTE: Enable FIPS mode before doing any of the following configuration steps. Otherwise, you must reconfigure some of the Dell Networking features.

2 Enabling secure-cli Mode

3 Generate RSA Host Keys

4 Encryption Algorithms and HMAC Algorithms

5 Enable RSA Authentication

6 Enable SSH Server and Disable Telnet

Enabling FIPS Mode

Federal Information Processing Standard (FIPS) cryptography provides cryptographic algorithms conforming to the FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated on numerous platforms against the FIPS 140-2 standard for a software-based cryptographic module.

The use of other cryptographic engines was not evaluated nor tested during the CC evaluation of the TOE. You cannot install any other cryptographic engine as the Dell switches are not general purpose machines.

To ensure you are using the correct cryptographic algorithms, enable FIPS mode.

Preparing the System

Before you enable FIPS mode, Dell Networking recommends making the following changes to your system:

1 Disable the Telnet server using the following command in CONFIGURATION mode.

Dell(conf)# no ip telnet server enable

2 Disable the HTTP/HTTPS server using the following commands in CONFIGURATION mode. The first disables the clear-text HTTP protocol; the second disables the SSL HTTP protocol. The HTTP server is disabled by default.

Dell(conf)# no http-server http
Dell(conf)# no http-server secure-http

3 Disable the FTP server using the following command in CONFIGURATION mode. The FTP server is disabled by default.

Dell(conf)# no ftp-server enable

1 Enable FIPS mode.

Dell (conf)#fips mode enable
WARNING: Enabling FIPS mode will close all SSH/Telnet connection, restart those servers, and destroy all configured host keys.
proceed (y/n) ? y
Dell (conf)

NOTE: If the system fails to transition to FIPS mode, an error message displays. The system is not in a FIPS-compliant state.

2 To verify that FIPS mode is enabled, use the show fips status command.

The following example shows that FIPS mode is successfully enabled:

Dell#show fips status
FIPS Mode: Enabled

NOTE: When you enable FIPS mode, new 2048-bit cryptographic keys may be generated. Two conditions are necessary for key generation: FIPS mode enabled and SSH server enabled. If only one of the two conditions is true, keys are not generated when FIPS mode is enabled. You can generate the keys later using the command in the next section, or the keys are generated the next time the SSH server is enabled.


For complete information about FIPS mode, see the Enabling FIPS Cryptography section in the Dell Networking Configuration Guide and the FIPS Cryptography section in the Dell Networking Command Line Reference Guide for your system. See http://www.dell.com/support for all Dell Networking documentation.

Enabling secure-cli Mode

Secured CLI mode prevents users from enhancing permissions or promoting privilege levels. After entering the command, save the running-configuration.

Enable the secure-cli mode in CONFIGURATION mode.

secure-cli enable

After you save the running-configuration, secured CLI mode is enabled. If you do not want to enter the secured mode, do not save the running-configuration or restore the system to factory default settings.

Dell(Conf)#secure-cli enable

After the configuration is saved, to disable secured CLI mode you must manually edit the startup-configuration file and reboot the system.

Generate SSH Server RSA Host Keys

Host keys are required for key exchange by the SSH server. If the keys are not found when you enable the SSH server, the keys are automatically generated.

After you enable FIPS mode, the cryptographic keys are generated. If you wish to regenerate the keys at any time, use the crypto key generate command in CONFIGURATION mode. To generate SSHv2 RSA host keys, enter the keyword rsa, then wait for the system to generate the key. Only a user with superuser permissions can generate host keys.

Syntax

crypto key generate rsa

NOTE: When the TOE is running in FIPS mode, the switch only generates 2048-bit keys. The system does not prompt you to specify a key size.

For complete information about this feature, see the Enabling FIPS Mode section in the Dell Networking OS Configuration Guide and the SSH Server and SCP Commands section in the Dell Networking CLI Guide for your system.

To generate 2048-bit RSA host keys to use with SSHv2:

1 Generate 2048-bit RSA host keys using the crypto key generate rsa command in CONFIGURATION mode.

Dell(conf)# crypto key generate rsa
Generating 2048-bit SSHv2 RSA key.
! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !
! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !
! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ...
Dell(conf)#Sep 7 19:16:04: %STKUNIT0-M:CP %SEC-5-CRYPTO_KEY_GENERATED: RSA key generated for SSH, by default from console

2 Display the public part of the SSHv2 host-keys using the show crypto key mypubkey rsa command in EXEC mode.

Dell#show crypto key mypubkey rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQCmKiJB+DIPp/A3KE/tiNlAXhgrGAwC9GPsclXkybevG5erlh5w4mIUyNely6E878PjdETsqUHNUJ5IRYvG9KdyylB48tMk5Yny4Qc8xPAcCHcXSoYmeVNVKusNnCUjpNPSb3JEhFp5dHkVFuE70+HsUr0OUc1k5VBJKx+jy76IL9c9HBMHiwhFnPpLFQXexui9VPpRslAF6ztq6/vVWjGtllBTT/5F/FskBoNBIToVCevX1m9DStDzmTQpJkvbGH/i3/a2IOFOoKE+sawoHx+1MdK/hKTQfqFQdhKYKriAHXT9lyoTIF5SIxugtIa0uRl0uTZtp6Ir671+MyO46D4d
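The blob printed above is the key an SSH client is offered on its first connection to the switch, so the administrator who generated it over the console is the right person to record its fingerprint and hand it to remote administrators for comparison with the client's first-connect prompt. The following added example (not Dell code) decodes the ssh-rsa wire format from show crypto key mypubkey rsa output, reports the modulus size so you can confirm the 2048-bit key FIPS mode is expected to produce, and prints the SHA256 fingerprint in the form OpenSSH displays. The sample output it runs on is constructed around a synthetic 2048-bit modulus (structurally valid, not a real key) so that it runs offline.

```python
"""Key size and OpenSSH-style fingerprint from 'show crypto key mypubkey rsa' output.

Added example, not part of the Dell guide. constructed_output() builds a
synthetic ssh-rsa blob (valid wire format, not a real key) for offline use.
"""
import base64
import hashlib
import re

# base64 of the 4-byte length plus "ssh-rsa" that starts every ssh-rsa blob
BLOB_RE = re.compile(r"AAAAB3NzaC1yc2E[A-Za-z0-9+/=]+")


def _ssh_string(data: bytes) -> bytes:
    return len(data).to_bytes(4, "big") + data


def _ssh_mpint(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:        # keep the number positive in two's complement
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    length = int.from_bytes(blob[offset:offset + 4], "big")
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated ssh-rsa blob")
    return blob[offset + 4:end], end


def extract_blob(show_output: str) -> str:
    """Pull the base64 key out of the command output, ignoring the prompt line."""
    match = BLOB_RE.search(show_output)
    if not match:
        raise ValueError("no ssh-rsa public key found in output")
    return match.group(0)


def parse_rsa_blob(b64: str) -> dict:
    """Decode ssh-rsa wire format: string 'ssh-rsa', mpint e, mpint n."""
    blob = base64.b64decode(b64, validate=True)
    kind, off = _read_string(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % kind)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    n = int.from_bytes(n_bytes, "big")
    return {"e": int.from_bytes(e_bytes, "big"), "bits": n.bit_length()}


def fingerprint(b64: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints at first connect."""
    digest = hashlib.sha256(base64.b64decode(b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(show_output: str, expected_bits: int = 2048) -> dict:
    """Return exponent, modulus size, fingerprint, and whether the size is as expected."""
    b64 = extract_blob(show_output)
    info = parse_rsa_blob(b64)
    info["fingerprint"] = fingerprint(b64)
    info["ok"] = info["bits"] == expected_bits
    return info


def constructed_output(bits: int = 2048) -> str:
    """Constructed 'show crypto key mypubkey rsa' output around a synthetic modulus."""
    filler = hashlib.sha256(b"constructed modulus").digest() * (bits // 256)
    n = int.from_bytes(filler, "big") | (1 << (bits - 1)) | 1   # exact bit length, odd
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return "Dell#show crypto key mypubkey rsa\n" + base64.b64encode(blob).decode() + "\n"


if __name__ == "__main__":
    print(check_host_key(constructed_output()))
```

Paste the real output of show crypto key mypubkey rsa in place of the constructed text; the fingerprint it prints is what ssh shows on the client as "RSA key fingerprint is SHA256:...", and a mismatch at first connect means the client is not talking to the switch whose key you generated.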


Configuring Encryption Algorithms and HMAC Algorithms

To configure the encryption algorithms and HMAC algorithms supported by the SSH server:

1 Configure Encryption Algorithms

2 Configure HMAC Algorithms

3 Verify the SSHv2 Server Configuration

Configuring Encryption Algorithms for SSH Server

For complete information on this feature, see the Configuring the SSH Server Cipher List section in the Dell Networking OS Configuration Guide and the ip ssh server command in the SSH Server and SCP Commands section in the Dell Networking CLI Guide for your system. Go to www.dell.com/manuals to access all Dell Networking documentation.

The Dell Networking OS supports multiple encryption algorithms (ciphers) for the SSH server. To meet Common Criteria requirements, reduce the cipher list to the following:

• aes128-cbc

• aes256-cbc

Configure the cipher list supported by the SSHv2 server.

CONFIGURATION

ip ssh server

The following example limits the encryption algorithms to 128 and 256-bit AES using CBC mode:

Dell(conf)# ip ssh server cipher aes128-cbc aes256-cbc

Configuring HMAC Algorithms for SSH Server

For complete information on this feature, see the Configuring the HMAC Algorithm for the SSH Server section in the Dell Networking OS Configuration Guide and the ip ssh server command in the SSH Server and SCP Commands section in the Dell Networking Command Line Reference Guide for your system.

To meet Common Criteria requirements, limit the HMAC algorithms to the following:

• hmac-sha1

• hmac-sha1-96

• hmac-sha2-256

Configure the HMAC algorithm for the SSH server.

CONFIGURATION

ip ssh server [mac hmac-algorithm]

hmac-algorithm: Enter a space-delimited list of keyed-hash message authentication code (HMAC) algorithms supported by the SSH server.


The following example limits the HMAC algorithms to hmac-sha1, hmac-sha1-96, and hmac-sha2-256.

Dell(conf)# ip ssh server mac hmac-sha1 hmac-sha1-96 hmac-sha2-256

Verifying the SSHv2 Server Configuration

To display information about SSHv2 with FIPS mode enabled, use the show ip ssh command in EXEC or EXEC Privilege mode.

Use this command to verify that the following are configured. By default, password authentication is enabled.

• SSH server
• SSH version 2
• SSH server ciphers: aes128-cbc and aes256-cbc
• HMAC algorithms: hmac-sha1, hmac-sha1-96, hmac-sha2-256

Dell#show ip ssh
SSH server: enabled.
SSH server version: v2.
SSH server vrf: default.
SSH server ciphers: aes128-cbc aes256-cbc.
SSH server macs: hmac-sha1,hmac-sha1-96,hmac-sha2-256.
SSH server kex algorithms: diffie-hellman-group14-sha1.
Password Authentication: enabled.
Hostbased Authentication: disabled.
RSA Authentication: disabled.
...

NOTE: After you have enabled FIPS mode, there is only one key exchange method allowed: diffie-hellman-group14-sha1. There is a command to set the key exchange method: ip ssh server kex diffie-hellman-group14-sha1. However, because this is the default key exchange method with FIPS mode enabled, it is not necessary to enter the command.
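Re-checking these settings after every configuration change is worth automating, because a later ip ssh server cipher or ip ssh server mac command widens the offered list without any warning that the evaluated configuration has been left. The following added example (not Dell code) parses show ip ssh output and reports any cipher, MAC or key exchange algorithm outside the sets listed above, as well as a disabled server, a version other than v2, or disabled password authentication. Both sample outputs are constructed in the format shown above; the second one represents a switch whose lists have drifted.

```python
"""Audit 'show ip ssh' output against the SSH settings described on this page.

Added example, not part of the Dell guide. The two sample outputs are
constructed in the format the page shows; the allowed algorithm sets are the
ones the page lists for the evaluated configuration.
"""
import re

ALLOWED_ALGORITHMS = {
    "SSH server ciphers": {"aes128-cbc", "aes256-cbc"},
    "SSH server macs": {"hmac-sha1", "hmac-sha1-96", "hmac-sha2-256"},
    "SSH server kex algorithms": {"diffie-hellman-group14-sha1"},
}
REQUIRED_VALUES = {
    "SSH server": "enabled",
    "SSH server version": "v2",
    "Password Authentication": "enabled",
}


def parse_show_ip_ssh(text: str) -> dict:
    """Turn 'Key: value.' lines into a dict; the prompt and '...' lines have no colon and are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip().rstrip(".")
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def split_algorithms(value: str) -> set:
    """The device prints ciphers space-separated and MACs comma-separated; accept both."""
    return {token for token in re.split(r"[\s,]+", value) if token}


def audit(text: str) -> list:
    """Return a list of findings; an empty list means the output matches the evaluated settings."""
    fields = parse_show_ip_ssh(text)
    findings = []
    for key, want in REQUIRED_VALUES.items():
        got = fields.get(key)
        if got is None:
            findings.append(f"{key}: missing from output")
        elif got.lower() != want:
            findings.append(f"{key}: expected '{want}', got '{got}'")
    for key, allowed in ALLOWED_ALGORITHMS.items():
        if key not in fields:
            findings.append(f"{key}: missing from output")
            continue
        offered = split_algorithms(fields[key])
        extra = sorted(offered - allowed)
        if extra:
            findings.append(f"{key}: non-evaluated algorithm(s) offered: {', '.join(extra)}")
        if not offered & allowed:
            findings.append(f"{key}: none of the evaluated algorithms offered")
    return findings


# Constructed in the format the page shows for a correctly configured switch.
COMPLIANT_OUTPUT = """\
Dell#show ip ssh
SSH server: enabled.
SSH server version: v2.
SSH server vrf: default.
SSH server ciphers: aes128-cbc aes256-cbc.
SSH server macs: hmac-sha1,hmac-sha1-96,hmac-sha2-256.
SSH server kex algorithms: diffie-hellman-group14-sha1.
Password Authentication: enabled.
Hostbased Authentication: disabled.
RSA Authentication: enabled.
...
"""

# Constructed: the cipher, MAC and KEX lists were widened after the evaluated config was applied.
DRIFTED_OUTPUT = """\
Dell#show ip ssh
SSH server: enabled.
SSH server version: v2.
SSH server vrf: default.
SSH server ciphers: aes128-cbc aes256-cbc 3des-cbc.
SSH server macs: hmac-sha1,hmac-md5.
SSH server kex algorithms: diffie-hellman-group14-sha1 diffie-hellman-group1-sha1.
Password Authentication: enabled.
Hostbased Authentication: disabled.
RSA Authentication: enabled.
"""

if __name__ == "__main__":
    print("compliant:", audit(COMPLIANT_OUTPUT) or "no findings")
    for finding in audit(DRIFTED_OUTPUT):
        print("drifted:", finding)
```

Feed it the captured output of show ip ssh from each switch; an empty result is the evaluated state, and every finding names the exact line to correct.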

Enabling RSA Authentication

To enable RSA authentication, use the ip ssh rsa-authentication enable command in CONFIGURATION mode. Password authentication is enabled by default.

ip ssh rsa-authentication enable

To install a user’s public keys for RSA authentication with SSH, see the Using RSA Authentication of SSH section in the Dell Networking Configuration Guide and the SSH Server and SCP commands section in the Dell Networking Command Line Reference Guide for your system.

Dell(conf)# ip ssh rsa-authentication enable

NOTE: You must copy the SSH client's public key to the Dell Networking system. However, if you attempt to copy the file over an existing file of the same name on the Dell system, the copy action fails without indicating a failure on the command line. Either delete the existing file of the same name before the copy action, or copy the file using a unique local file name.

Displaying the Authorized-keys for the RSA Authentication

To display the authorized-keys for the RSA authentication, use the show ip ssh rsa-authentication command in EXEC mode.

This command displays the contents of the flash:/ADMIN_DIR/ssh/authorized-keys.username file.

show ip ssh rsa-authentication {my-authorized-keys}

my-authorized-keys — Display the RSA authorized keys.

Dell#show ip ssh rsa-authentication my-authorized-keys
AAAAB3NzaC1yc2EAAAABIwAAAIEAyB17l4gFp4r2DRHIvMc1VZd0Sg5GQxRV1y1X1JOMeO6Nd0WuYyzrQMM4qJAoBwtneOXfLBcHF3V2hcMIqaZN+CRCnw/zCMlnCf0+qVTd1oofsea5r09kS0xTp0CNfHXZ3NuGCq9Ov33m9+U9tMwhS8vy8AVxdH4x4km3c3t5Jvc= freedom@poclab4

Enabling SSH and Disabling Telnet

This section contains the following topics:

1 Enabling the SSH Server

2 Disabling the Telnet Server

Enabling the SSH Server

To enable the SSH server, use the ip ssh server enable command in CONFIGURATION mode.

ip ssh server enable

For complete information about this feature, see the Enabling SCP and SSH section in the Dell Networking Configuration Guide and the Dell Networking Command Line Reference Guide for your system.

IMPORTANT: When you enable FIPS mode, the system uses SSHv2.

Dell(conf)# ip ssh server enable

To verify that the SSH server is enabled, use the show ip ssh command in EXEC or EXEC Privilege mode.

In the following example, the show ip ssh command shows that SSHv2 is enabled.

Dell#show ip ssh
SSH server: enabled.
SSH server version: v2.
...

Disabling the Telnet Server

To disable the Telnet server, use the no ip telnet server enable command in CONFIGURATION mode.

For complete information on this feature, see the Telnet section in the Dell Networking Configuration Guide and the Dell Networking Command Line Reference Guide for your system.

Dell(conf)# no ip telnet server enable

Configuring Password Attributes

This section satisfies the FIA_PMG_EXT (password management) Common Criteria requirement.

To configure password attributes:

1 Create a Password Policy that Matches Your Organization

2 Configuring Login Lockout Period


Create a Password Policy that Matches Your Organization

To define the minimum security policy for creating passwords, use the password-attributes command in CONFIGURATION mode. You must define the password attributes that match your organization's security policy. Your security policy may be more robust than the Common Criteria settings.

Syntax

password-attributes [min-length number] [max-retry number] [lockout-period minutes] [character-restriction [upper number] [lower number] [numeric number] [special-char number]]

• min-length number — Enter the keywords then the number of characters. The range is from 0 to 32.

• max-retry number — (OPTIONAL) Enter the keywords then the number of maximum password retries. The range is from 0 to 16.

• lockout-period minutes — (OPTIONAL) Enter the keyword then the number of minutes. The range is from 1 to 1440 minutes. The default is 0 minutes, in which case the lockout period is not enabled. This parameter enhances the security of the switch by locking out Telnet or SSH sessions when there are consecutive failed login attempts. The console is not locked out.

• character-restriction — (OPTIONAL) Enter the keyword to indicate a character restriction for the password, followed by one or more of the following class keywords and the number of characters of that class. The range for each number is from 0 to 31.

• upper number — (OPTIONAL) Enter the keyword then the upper number. The range is from 0 to 31.

• lower number — (OPTIONAL) Enter the keyword then the lower number. The range is from 0 to 31.

• numeric number — (OPTIONAL) Enter the keyword then the numeric number. The range is from 0 to 31.

• special-char number — (OPTIONAL) Enter the keywords then the number of special characters permitted. The range is from 0 to 31.

NOTE: The list of invalid password characters in the CLI manual is incorrect. The correct list must include the following invalid characters: double quote, tilde, and question mark. The full list of invalid password characters is !@#$%^&*()_+{}|:<>-=[]\;',./.

For complete information about this feature, see the password-attributes command in the Authentication and Password Commands section in the Dell Networking Command Line Reference Guide for your system.

To meet Common Criteria requirements, at a minimum you must configure the following password attributes:

• Contains at least 15 characters. The range is from 0 to 32 characters.

The following example commands show how to configure password attributes for a minimum 15-character password with at least one character of lower-case, upper-case, numeric, and special character.

Dell(conf)# password-attributes min-length 15
Dell(conf)# password-attributes character-restriction lower 1
Dell(conf)# password-attributes character-restriction upper 1
Dell(conf)# password-attributes character-restriction numeric 1
Dell(conf)# password-attributes character-restriction special-char 1

Configuring the Login Lockout Period

As an example of tightening the login security, Dell highly recommends configuring the login lockout period and max-retries to match your organization’s security policy, in particular changing the lockout period to be non-zero.

To configure the login lockout period, use the password-attributes max-retry number lockout-period minutes command in CONFIGURATION mode.

• max-retry number — Enter the keywords then the number of maximum password retries. The range is from 0 to 16.

• lockout-period minutes — Enter the keyword then the number of minutes. The range is from 1 to 1440 minutes. The default is 0 minutes and the lockout-period is not enabled. Changing the lockout period to a non-default value enhances the security of the switch by locking out remote sessions after consecutive failed login attempts. The console is never locked out due to failed login attempts.

In the following example, after 5 unsuccessful login attempts, the remote session goes into a locked state for 5 minutes. If all 10 sessions are locked out with 5 unsuccessful attempts in each session, no users can log in during the lockout period.

Dell(conf)#password-attributes max-retry 5 lockout-period 5

For complete information about this feature, see the password-attributes command in the Authentication and Password Commands section in the Dell Networking Command Line Reference Guide for your system. See http://www.dell.com/support for all Dell Networking documentation.
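The following Python helper is an added example, not code from the Dell guide. It reviews a password-attributes policy against the settings configured in this section and in the password policy section above, renders the policy as the CLI commands shown there, and tests candidate passwords against it. The keyword names and value ranges come from the command syntax above; the function names (policy_gaps, cli_commands, check_password), the sample passwords, and the choice of which punctuation counts as a special character are assumptions.

```python
"""Review a password-attributes policy against the guide's Common Criteria
minimums and test candidate passwords against it.

Added example, not from the Dell guide. The policy keys mirror the
password-attributes keywords and the ranges are the ones the guide lists.
Assumption: any printable character that is neither a letter nor a digit counts
as a special character, except double quote, tilde and question mark, which the
guide's NOTE lists as invalid and which are therefore rejected outright.
"""
import string

INVALID_CHARS = set('"~?')                               # invalid per the guide's NOTE
SPECIAL_CHARS = set(string.punctuation) - INVALID_CHARS  # assumption, see docstring

# Value ranges from the command syntax in the guide; lockout-period 0 means "not enabled".
RANGES = {
    "min-length": (0, 32), "max-retry": (0, 16), "lockout-period": (0, 1440),
    "upper": (0, 31), "lower": (0, 31), "numeric": (0, 31), "special-char": (0, 31),
}
# A keyword that was never entered is treated as 0, i.e. no restriction (assumption).
DEFAULTS = {key: 0 for key in RANGES}

# The policy the guide's examples configure: min-length 15, one character of each
# class, and max-retry 5 with a 5-minute lockout-period.
CC_POLICY = {"min-length": 15, "lower": 1, "upper": 1, "numeric": 1,
             "special-char": 1, "max-retry": 5, "lockout-period": 5}


def policy_gaps(policy):
    """Return review findings for `policy`; an empty list means it meets the guide's settings."""
    p = {**DEFAULTS, **policy}
    findings = []
    for key, (lo, hi) in RANGES.items():
        if not lo <= p[key] <= hi:
            findings.append(f"{key} {p[key]} is outside the CLI range {lo}-{hi}")
    if p["min-length"] < 15:
        findings.append("min-length must be at least 15 for Common Criteria")
    for key in ("lower", "upper", "numeric", "special-char"):
        if p[key] < 1:
            findings.append(f"character-restriction {key} should be at least 1")
    if p["lockout-period"] == 0:
        findings.append("lockout-period is 0: remote-session lockout is not enabled")
    return findings


def cli_commands(policy):
    """Render `policy` as the CONFIGURATION-mode commands the guide shows."""
    p = {**DEFAULTS, **policy}
    cmds = [f"password-attributes min-length {p['min-length']}"]
    for key in ("lower", "upper", "numeric", "special-char"):
        if p[key]:
            cmds.append(f"password-attributes character-restriction {key} {p[key]}")
    if p["lockout-period"]:
        cmds.append(f"password-attributes max-retry {p['max-retry']} "
                    f"lockout-period {p['lockout-period']}")
    return cmds


def check_password(password, policy):
    """Return the rules `password` violates under `policy`; an empty list means accepted."""
    p = {**DEFAULTS, **policy}
    problems = []
    bad = sorted(set(password) & INVALID_CHARS)
    if bad:
        problems.append("invalid characters: " + "".join(bad))
    if len(password) < p["min-length"]:
        problems.append(f"shorter than min-length {p['min-length']}")
    counts = {
        "lower": sum(c.islower() for c in password),
        "upper": sum(c.isupper() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "special-char": sum(c in SPECIAL_CHARS for c in password),
    }
    for key, have in counts.items():
        if have < p[key]:
            problems.append(f"needs at least {p[key]} {key}, has {have}")
    return problems


if __name__ == "__main__":
    print("\n".join(cli_commands(CC_POLICY)))
    print("policy gaps:", policy_gaps(CC_POLICY) or "none")
    for candidate in ("Correct-Horse-Battery9", "short1A!", 'Bad"Password~1234'):
        print(candidate, "->", check_password(candidate, CC_POLICY) or "accepted")
```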

Obscuring Passwords and Keys

Passwords and keys are stored encrypted in the configuration file and by default display in the encrypted form when the configuration displays. For Common Criteria compliant configurations, passwords must be obscured during display.

Obscuring passwords prevents a user from reading the passwords and keys. Password obscuring masks the passwords and keys by displaying asterisks instead of the encrypted passwords and keys. It does not change the contents of the file. For Common Criteria compliant configurations, obscure the passwords and keys with asterisks when the configuration displays. Use the service obscure-passwords command in CONFIGURATION mode. When using RBAC, only the system administrator and security administrator roles can use the service obscure-passwords command.

Dell(conf)# service obscure-passwords

To verify that you have successfully obscured passwords and keys, use the show running-config command or the show startup-config command and view the output.

Dell#show running-config
Dell#show startup-config

For complete information about using the obscure password feature, see the Obscuring Passwords and Keys section in the Dell Networking Configuration Guide and the Security section in the Dell Networking Command Line Reference Guide for your system. See http://www.dell.com/support to access all Dell Networking documentation.

Configuring Console and Terminal Lines

This section satisfies the FMT_SMF Common Criteria specification.

To comply with the FMT_SMF Common Criteria specification, complete the following tasks.

1 Configuring Console Access

2 Configuring Remote Access Using SSHv2

When you configure remote access, make sure you only use SSHv2. Telnet does not satisfy Common Criteria requirements.

Configuring the Console Time-out

The console line (console) connects you through the console port in the route processor modules (RPMs). The timeout period for the console must be set to match your organization’s security policy. Common Criteria requires the use of an inactivity timer, which must not be set to zero. For the console, the default timer is 10 minutes. Dell recommends a 10 minute setting.


The following command accesses LINE mode, where you set the access conditions for the designated line.

1 Navigate to the line console context.

Dell#config
Dell(conf)#line console 0

2 Set the inactivity time out on the console to 10 minutes and 0 seconds.

Dell(config-line-console)#exec-timeout 10 0

Configuring Remote Access Time-out

The virtual terminal lines (VTYs) connect you remotely through SSH to the system. The time-out period for a VTY line must be set to match your organization’s security policy. Common Criteria requires the use of an inactivity timer which must not be set to zero. For VTY lines, the default timer is 30 minutes. Dell recommends a 10 minute time-out setting.

You may configure multiple VTY lines at one time. The following command accesses LINE mode, where you set the access conditions for the designated line:

1 Navigate to the line vty context and configure all the virtual terminal lines 0 through 9.

CONFIGURATION

Dell(conf)#line vty 0 9

2 Set the inactivity time out for the remote session, the virtual terminal, to 10 minutes and 0 seconds.

Dell(config-line-vty)#exec-timeout 10 0

Configuring the Banner

This section satisfies the following Common Criteria requirements:

• FIA_UIA_EXT

• FTA_TAB

To configure the message of day and login banner, complete the following tasks:

1 Create a Message of the Day Banner

2 Create a Login Banner

Creating a Message of the Day Banner

When a user connects to the router, if you configure a message of the day banner, it displays first. If you do not configure a message of the day banner, the login banner and prompt display. After a user logs in, the EXEC banner displays, if configured.

To configure the message-of-the-day (MOTD) banner that displays when the user logs in to the switch, use the banner motd command in CONFIGURATION mode. The command accepts multiple lines of input. After entering the banner motd command, type one or more spaces and a delineator character. Enter the banner text then the second delineator character.

The following example creates the following message of the day (MOTD): “Good Morning. Next Monday is a holiday”

Enter the following command in Configuration mode:

banner motd %

Dell#config
Dell(conf)#banner motd %
Enter TEXT message. End with the character '%'.
Good Morning. Next Monday is a holiday.%

Creating a Login Banner

When a user connects to a router, if defined, the login banner and login prompt appear. If configured, after a user logs in, the EXEC banner displays.

To configure the login banner and acknowledgement message, use the banner login acknowledgement command in CONFIGURATION mode. This command accepts multiple lines of input. After entering the banner login command, type one or more spaces and a delimiter character. Enter the banner text then the second delimiter character.

Enable banner login.

CONFIGURATION

banner login % acknowledgement

Dell(conf)#banner login % acknowledgement
Enter TEXT message. End with the character '%'.
This is a banner.%

The following example creates a banner login message that displays a security message.

Dell(conf)#banner login ^C
*****************************************************************
You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent
to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for
purposes including, but not limited to, penetration testing, COMSEC monitoring,
network operations and defense, personnel misconduct (PM), law enforcement
(LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used
for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls)
to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE
or CI investigative searching or monitoring of the content of privileged
communications, or work product, related to personal representation or services
by attorneys, psychotherapists, or clergy, and their assistants. Such
communications and work product are private and confidential. See User
Agreement for details.
*****************************************************************

NOTE: To require a positive acknowledgement from the user while logging in to the system, enter the acknowledgement keyword with the login banner command.

Configuring Role-Based Access Control and AAA

This section satisfies the following Common Criteria requirements:

• FIA_UAU_EXT (local password-based authentication)

• FMT_MTD (data management)

• FMT_SMR (security roles)

To enable role-based access control (RBAC):


1 Create UserIDs on TOE

2 Configuring AAA Authentication and Authorization

IMPORTANT: Make sure that you verify that the user ID for the system administrator user role is working before you enable the aaa authorization role-only command.

Create UserIDs on TOE

When you configure a system using the factory default configuration, only one userid is created on the system. The default userid is admin and, by default, it has no user role associated with it. You must create any additional userids with associated user roles.

To create a userid on the TOE, use the username command in CONFIGURATION mode. You may want to create userids with different user roles as shown:

Dell(conf)# username ccadmin sha-256 password role sysadmin
Dell(conf)# username netad sha-256 password role netadmin
Dell(conf)# username secad sha-256 password role secadmin

NOTE: Ensure that the password entered with the command follows the password restrictions that are already defined. After the userid is created, the password is saved in an encrypted form.

To view the defined user names, use the show running-config users command.

Dell# show running-config users
!
!
username admin password 7 ********
username ccadmin sha-256 ******** role sysadmin
username netad sha-256 ******** role netadmin
username secad sha-256 ******** role secadmin

WARNING: To avoid locking yourself out of the system, before you enable the aaa authorization role-only command, verify that the user ID for the system administrator user role is working.

NOTE: The sysadmin user role has full control over the system, including access to some vendor maintenance commands such as the start shell command. Dell recommends creating an additional user role that inherits the system admin user role authorization and then limit access to the start shell command using the role command.

The following example outlines the procedure; you must be logged in as a userid with the sysadmin user role to use some of these commands:

Dell(conf)# userrole systemadmin inherit sysadmin
Dell(conf)# username sysad_no_maint sha-256 password role systemadmin

To execute the following command, you may need to log out and log back in. To use it, you must be logged in as a userid with the sysadmin user role. You may need to complete the section Configure AAA Authentication and Authorization and log out and log in again before running it.

Dell(conf)# role exec deleterole systemadmin start shell

Configure AAA Authentication and Authorization

For complete information about enforcing authentication and authorization of users connecting to system through the console or SSH, see the Configuring Login Authentication for Terminal Lines and Configuring AAA Authentication Login Methods sections in the Dell Networking Configuration Guide and the Control and Monitoring section in the Dell Networking Command Line Reference Guide for your system.


For detailed information about how to configure AAA Authentication and Authorization for Roles, see AAA Authentication and Authorization for Roles in the Role-Based Access Control in Appendix A.

Configuring AAA Authentication

Authentication services verify the user ID and password combination. Users with associated roles and users with privileges are authenticated with the same mechanism during the login process.

To ensure that login authentication is applied consistently across all methods of local and remote access, you must establish authentication methods. You may configure named authentication method lists for each line separately, but the simplest approach is to define the default method list and let it apply to all methods.

To define the default method list for login authentication, use the aaa authentication login command in CONFIGURATION mode.

You do not have to apply the default method list to the lines.

Dell(conf)# aaa authentication login default local

If you need different methods applied to different methods of access, use named method lists and then apply them to the different lines.

Dell(conf)# aaa authentication login vtyauthlist local
Dell(conf)# line vty 0 9
Dell(conf-line-vty)# login authentication vtyauthlist
Dell(conf)# aaa authentication login consolelist local
Dell(conf)# line console 0
Dell(conf-line-console)# login authentication consolelist

Configuring AAA Authorization

Authorization services determine which commands and command modes users have access to based on their user role or privilege. After the user is authenticated during login, the user’s authorization rights are retrieved.

To ensure authorization applies consistently across all methods of local and remote access, establish default authorization methods. You may configure named authorization method lists for each line separately, but the simplest approach is to define the default method list and let it apply to all methods.

To define the default method list for authorization, use the aaa authorization exec command in CONFIGURATION mode. You do not have to apply the default method list to the lines.

Dell(conf)# aaa authorization exec default local

If you need different methods applied to different methods of access, use named method lists and apply them to different lines.

Dell(conf)# aaa authorization exec vtyauthorlist local
Dell(conf)# line vty 0 9
Dell(conf-line-vty)# authorization exec vtyauthorlist
Dell(conf)# aaa authorization exec consoleauthorlist local
Dell(conf)# line console 0
Dell(conf-line-console)# authorization exec consoleauthorlist

Configuring Role-only Authorization

After you have enabled role-only authorization, a userid with no associated user role is denied access to the system at the login prompt.

It is essential that you create a userid with an associated system admin user role. You must also ensure that the userid can be used to login successfully.

When you enable Role-Based Only AAA Authorization using the aaa authorization role-only command in CONFIGURATION mode, the Dell Networking OS checks to ensure that you do not lock yourself out and that user authentication is available for all terminal lines. Error or warning messages display if you have not followed all the configuration steps.


NOTE: Before you enable Role-Based Only AAA Authorization, carefully review the Configuring Role-based Only AAA Authorization section.

Dell(conf)# aaa authorization role-only

For complete information about using the RBAC feature, see Role-Based Access Control. For information about how authentication and authorization is applied to the console and terminal, see the Console and Terminal Lines section.

Configuring the Hostname

To configure the system's network name (hostname), use the hostname command in CONFIGURATION mode. The default host name is Dell.

• Host names must start with a letter and end with a letter or digit.

• Characters within the string can be letters, digits, and hyphens.

Syntax

hostname name

name — Enter a text string, up to 32 characters long.

Dell(conf)# hostname Dell-switch

NOTE: Dell Networking highly recommends creating unique hostnames for all your Dell switches. When you use one SYSLOG server for multiple Dell switches, the hostname is very useful in distinguishing log messages from different switches.

NOTE: The hostname is used for the default Common Name in the system's X.509 certificate.

Configure the Management Port IP Address

To access the system remotely, assign IP addresses to the management ports.

1 Enter INTERFACE mode for the Management port using the following command in CONFIGURATION mode. The port range is 0.

interface ManagementEthernet slot/port

2 Assign an IP address to the interface using the following command in INTERFACE mode.

ip address ip-address/mask

• ip-address—Enter the IPv4 address in dotted decimal format. (A.B.C.D).

• mask—a subnet mask in /prefix-length format (/ xx).

NOTE: DHCP is not supported for the IPv4 address of the management port.

NOTE: You may assign one to two IPv6 addresses to the interface. For the IPV6 address, use the following command in INTERFACE mode: ipv6 address [ipv6-address/mask | autoconfig].

3 Enable the interface in INTERFACE mode.

no shutdown

Configuring a Management Route

Define a path from the switch to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are used only to manage the switch through the management port. You must configure network access to the management network: the IP address on the management interface and any necessary management routes.

NOTE: You must setup an IP address on the management interface before setting up a management route.


NOTE: When you configure the management route, Dell Networking recommends not using the default route.

To configure the management route through the management port, use the management route {ip-address mask | ipv6-address prefix-length} {forwarding-router-address | managementethernet} command in CONFIGURATION mode. For example:

Dell(conf)#management route 192.100.0.0/24 100.3.73.235

NOTE: For complete information about using the management route feature, see the IPv4 Routing section in the Dell Networking Command Line Reference Guide for your system.

Configuring Logging

See the following sections to configure the system and audit log settings, such as log version, buffer size, logging server, and core dump destination. For examples of audit log entries, refer to Examples — Audit Log Entries.

For complete information about logging configurations, see the Configuring Logging section in the Dell Networking Configuration Guide and the Dell Networking Command Line Reference Guide for your system. See http://www.dell.com/support for all Dell Networking documentation.

Configuring Log Time Stamps

To add time stamps to debug and log messages, use the service timestamp command in CONFIGURATION mode. This command adds either the uptime or the current time and date.

The following example sets the current time and date for log and debug messages. Dell highly recommends also using the msec parameter to display milliseconds in the timestamp.

Dell(conf)#service timestamps log datetime msec
Dell(conf)#service timestamps debug datetime msec

NOTE: To view the current options set for the service timestamps command, use the show running-config command.

For complete information about using the service timestamp feature, see the Control and Monitoring section in the Dell Networking Command Line Reference Guide for your system.

Enabling Audit and Security Logs

To enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network, log audit and security events to a system log server using the logging extended command in CONFIGURATION mode.

logging extended

Dell(conf)#logging extended

Displaying Audit and Security Logs

To display audit logs, use the show logging auditlog command in Exec mode. To view these logs, you must first enable the logging extended command. The following lists restrictions for viewing audit and security logs:

• Only the RBAC system administrator user role can view audit logs.

• Only the RBAC security administrator and system administrator user roles can view security logs.


NOTE: If you disable extended logging, the audit log is disabled and the configuration is no longer Common Criteria compliant.

Dell#show logging auditlog
May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98)

To view security logs, use the show logging command.

Dell#show logging
Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )

Clearing Audit Logs

To clear audit logs, use the clear logging auditlog command in Exec mode. When you enable RBAC, only the system administrator user role is capable of issuing this command. This action clears all contents of the audit log.

Dell# clear logging auditlog

Configuring Logging Format

To display Syslog messages in RFC 5424 format, use the logging version 1 command in CONFIGURATION mode.

Dell(conf)#logging version ?
<0-1>    Select syslog version (default = 0)
Dell(conf)#logging version 1

Configuring Logging Buffer Size

To enable logging and specify the size—the number of messages—stored on the logging buffer, use the logging buffered command in CONFIGURATION mode. By default, all messages are logged only to the internal buffer. The size of the buffer ranges from 40960 to 524288. The default is 40960 bytes. The number of messages buffered depends on the size of each message.

The following example sets the buffer to the maximum size. This size allows for 512 entries.

Dell(conf)#logging buffered 524288

The internal buffer is circular. After it fills up, it stores new log messages by overwriting the oldest message first. Because the buffer is circular, it is not possible for the system to exhaust the buffer space.

Configuring Logging Level

To configure the logging level, use the logging monitor command in CONFIGURATION mode. To meet Common Criteria requirements, the logging level must be at level 7. The default logging level is 7.

The following example sets the logging level to 7.

Dell(conf)#logging monitor 7


Configuring Core Dump Logging on ALL Stack Units

To enable core dump logging on all the stack units, use the logging coredump stack-unit all command in CONFIGURATION mode.

Dell(conf)#logging coredump stack-unit all

Audit Entries

The following are examples of audit entries for:

• configuration changes

• successful logins

• failed logins

• terminated sessions

• time changes

The following audit entry displays configuration changes. The audit entry contains the following information:

• time and date of configuration change

• userid that is associated with the log entry. Use this information to associate a specific userid with the action

• location from where the user accessed the switch (console or vty). If the user accessed the switch through the vty (virtual terminal), the system lists the vty number and the remote IP address (or hostname). In this case, “console”

• audit log category of change – In this example “CONF”.

• severity level – “INFO” maps to syslog severity levels such as critical, error, or warning. Audit log entries are always “INFO” unlike syslog entries which vary depending on the event.

The example audit entry displays the configuration change: “username sysad password 0 ****** role sysadmin”.

1 2014-09-05T23:38:48Z hostname - CLI CONF - INFO:SUCCESSFUL configure by admin from console
1 2014-09-05T23:39:02Z dv-fedgov-z9000-3 - CLI CONF - INFO:SUCCESSFUL username sysad password 0 ****** role sysadmin by admin from console

Audit messages are generated when a user successfully or unsuccessfully attempts login access to the switch. For example, the following audit entry is the result of successful login attempt by the userid “sysad” from a remote session on “vty 0” with an IP address of 10.14.1.91. SEC (security) indicates the audit log category of change.

1 2014-09-05T23:40:23Z hostname - SEC LOGIN_SUCCESS - INFO: Login successful for user sysad on line vty0 ( 10.14.1.91 )

The following audit entry is the result of three unsuccessful login attempts. The audit entry contains the following information:

• userid that is associated with the audit log entry

• location from where the user accessed the switch (console or vty). If the user accessed the switch through the vty (virtual terminal), the system lists the vty number and the remote IP address (or hostname). In this case, the vty session is “0” and the IP address is “10.14.1.91”.

• authentication method - In this example, “local” authentication

• category of change – In this example, “SEC” (security)

• severity level – “INFO” maps to syslog severity levels such as critical, error, or warning. Audit log entries are always “INFO” unlike syslog entries which vary depending on the event

1 2014-09-05T23:41:03Z hostname - SEC AUTHENTICATION_FAILURE - INFO: Authentication failure on vty0 (10.14.1.91) for method "local" user "sysad"
1 2014-09-05T23:41:06Z hostname - SEC AUTHENTICATION_FAILURE - INFO: Authentication failure on vty0 (10.14.1.91) for method "local" user "sysad"


1 2014-09-05T23:41:10Z hostname - SEC AUTHENTICATION_FAILURE - INFO: Authentication failure on vty0 (10.14.1.91) for method "local" user "sysad"
1 2014-09-05T23:41:10Z hostname - SEC LOGIN_FAILURE - INFO: Login failure for user sysad on line vty0 ( 10.14.1.91 )

The following audit entry displays a session termination (whether user-initiated or system initiated):

• date and time the user was logged out

• user id (sysad)

• location from where the user accessed the switch ( console or vty number). If the user accessed the switch through the vty, the system lists the vty number and the remote IP address (or hostname). In this case, the vty session is “0” and the IP address is “10.14.1.91”

• category of change – In this example, SEC (security)

• severity level – “INFO” maps to syslog severity levels such as critical, error, or warning. Audit log entries are always “INFO” unlike syslog entries which vary depending on the event

1 2014-09-05T23:40:54Z hostname - SEC LOGOUT - INFO: Exec session is terminated for user sysad on line vty0 (10.14.1.91 )

Any changes made to the system time are logged in the audit log. The audit entry contains:

• date and time of the change

• userid who made the change. In this example, the change was made by the userid “sysad”

• location from where the user accessed the switch (console or vty). If the user accessed the switch through the vty, the system lists the vty number and the remote IP address (or hostname)

• original date and time as well as the new date and time

• severity level – “INFO” maps to syslog severity levels such as critical, error, or warning. Audit log entries are always “INFO” unlike syslog entries which vary depending on the event

1 2014-09-05T16:56:00Z hostname - CLI CLI_TIME_CHANE - INFO: old time 23:43:37.954 UTC Fri Sep 5 2014 new time 16:56:00.0 UTC Fri Sep 5 2014 source by sysad from console
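As an added example that is not part of the Dell guide, the following Python parser splits audit entries in the format shown above into their fields and flags any source that accumulates repeated AUTHENTICATION_FAILURE entries, which is the condition the password-attributes max-retry and lockout-period settings act on. The function names (parse_entry, count_events, detect_lockout_candidates) and the sample entries, which are constructed to match the guide's examples, are assumptions.

```python
"""Parse Dell Networking OS audit log entries and flag repeated login failures.

Added example, not part of the Dell guide. The sample entries are constructed
to match the entries shown in the guide's Audit Entries section (pri, RFC 5424
style timestamp, hostname, "-", category, event, "-", severity, message).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Envelope: "<pri> <timestamp> <hostname> - <category> <event> - <severity>:<message>"
ENTRY_RE = re.compile(
    r"^(?P<pri>\d+) (?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) - "
    r"(?P<category>\w+) (?P<event>\w+) - (?P<severity>\w+):\s*(?P<msg>.*)$"
)
# LOGIN_SUCCESS / LOGIN_FAILURE / LOGOUT: "... user sysad on line vty0 ( 10.14.1.91 )"
LINE_RE = re.compile(r"user (?P<user>\S+) on line (?P<line>\S+) \(\s*(?P<ip>[^)\s]*)\s*\)")
# AUTHENTICATION_FAILURE: '... on vty0 (10.14.1.91) for method "local" user "sysad"'
AUTH_RE = re.compile(
    r'on (?P<line>\S+) \((?P<ip>[^)]*)\) for method "(?P<method>[^"]+)" user "(?P<user>[^"]+)"'
)
# CONF and CLI_TIME_CHANE entries end with "... by <user> from <console|vtyN>"
ACTOR_RE = re.compile(r"^.*\bby (?P<user>\S+) from (?P<src>\S+)\s*$")


def parse_entry(line):
    """Split one audit entry into a dict of fields; return None if it is not an audit entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ")
    if entry["event"] == "AUTHENTICATION_FAILURE":
        detail = AUTH_RE.search(entry["msg"])
    elif entry["event"] in ("LOGIN_SUCCESS", "LOGIN_FAILURE", "LOGOUT"):
        detail = LINE_RE.search(entry["msg"])
    else:
        detail = ACTOR_RE.match(entry["msg"])
    if detail:
        entry.update(detail.groupdict())
    return entry


def count_events(lines):
    """Count entries per (category, event), e.g. {("SEC", "LOGIN_FAILURE"): 1}."""
    return Counter((e["category"], e["event"]) for e in map(parse_entry, lines) if e)


def detect_lockout_candidates(lines, max_retry=5, window=timedelta(minutes=5)):
    """Return (user, line, ip) tuples that reach max_retry AUTHENTICATION_FAILUREs within window.

    max_retry and window mirror the guide's "password-attributes max-retry 5
    lockout-period 5" example; a LOGIN_SUCCESS for the same key resets the count.
    """
    failures = defaultdict(list)
    flagged = []
    for line in lines:
        e = parse_entry(line)
        if not e or e["category"] != "SEC" or "user" not in e:
            continue
        key = (e["user"], e.get("line"), e.get("ip"))
        if e["event"] == "AUTHENTICATION_FAILURE":
            recent = [t for t in failures[key] if e["time"] - t <= window]
            recent.append(e["time"])
            failures[key] = recent
            if len(recent) >= max_retry and key not in flagged:
                flagged.append(key)
        elif e["event"] == "LOGIN_SUCCESS":
            failures[key] = []
    return flagged


# Constructed sample, modelled on the guide's example entries.
SAMPLE_ENTRIES = [
    "1 2014-09-05T23:38:48Z hostname - CLI CONF - INFO:SUCCESSFUL configure by admin from console",
    "1 2014-09-05T23:39:02Z hostname - CLI CONF - INFO:SUCCESSFUL username sysad password 0 ****** role sysadmin by admin from console",
    "1 2014-09-05T23:40:23Z hostname - SEC LOGIN_SUCCESS - INFO: Login successful for user sysad on line vty0 ( 10.14.1.91 )",
    "1 2014-09-05T23:40:54Z hostname - SEC LOGOUT - INFO: Exec session is terminated for user sysad on line vty0 (10.14.1.91 )",
    '1 2014-09-05T23:41:03Z hostname - SEC AUTHENTICATION_FAILURE - INFO: Authentication failure on vty0 (10.14.1.91) for method "local" user "sysad"',
    '1 2014-09-05T23:41:06Z hostname - SEC AUTHENTICATION_FAILURE - INFO: Authentication failure on vty0 (10.14.1.91) for method "local" user "sysad"',
    '1 2014-09-05T23:41:10Z hostname - SEC AUTHENTICATION_FAILURE - INFO: Authentication failure on vty0 (10.14.1.91) for method "local" user "sysad"',
    "1 2014-09-05T23:41:10Z hostname - SEC LOGIN_FAILURE - INFO: Login failure for user sysad on line vty0 ( 10.14.1.91 )",
    # Event name spelled exactly as the guide prints it.
    "1 2014-09-05T16:56:00Z hostname - CLI CLI_TIME_CHANE - INFO: old time 23:43:37.954 UTC Fri Sep 5 2014 new time 16:56:00.0 UTC Fri Sep 5 2014 source by sysad from console",
]

if __name__ == "__main__":
    for key, n in sorted(count_events(SAMPLE_ENTRIES).items()):
        print(f"{key[0]:4} {key[1]:23} {n}")
    print("lockout candidates (max-retry 3):", detect_lockout_candidates(SAMPLE_ENTRIES, max_retry=3))
```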

Configuring SYSLOG Servers

Log messages may be transmitted to remote SYSLOG servers to ensure that the audit trail is recorded to a system with greater storage capacity than the local switch.

It is possible to configure multiple Dell switches to transmit log messages to the same remote SYSLOG server. Dell recommends ensuring each system has a uniquely identifiable hostname. Typically, multiple systems send their logs to the same SYSLOG server. The hostname aids in differentiating the log entries.

Audit log records are recorded locally and are sent to any remote SYSLOG server. If communication is lost and then re-established at a later time, there is no synchronization of audit records between the TOE and the remote SYSLOG server.

It is possible to configure transmission to logging servers using the logging command in CONFIGURATION mode. For complete information about this feature, see the Simple Network Management Protocol (SNMP) and Syslog section in the Dell Networking Command Line Reference Guide for your system.

The Dell Networking OS does not support self-signed certificates for the SYSLOG server.

Common Criteria requires a secure trusted channel to the audit server. If the connection to the SYSLOG server drops for some reason, use the logging secure command to validate the connection using X.509v3 certificates.

NOTE: For more information about secure logging, see Information about Setting up a Trusted Channel to Syslog Server and Setting up Trusted Channel to Syslog Server sections.


Information about Setting up a Trusted Channel to the Syslog Server

This section describes the prerequisites that need to be met in order to secure a trusted channel to the Syslog server. The remote Syslog server must conform to the requirements in RFC 5425 including the support of TLS version 1.2 for transport.

The following list describes various steps that are required to establish a secure connection to the Syslog server:

• Ensure that the system has an X.509v3 Certificate Authority (CA) hierarchy set up. This hierarchy includes at least one root CA and one intermediate CA.

NOTE: For more information on setting up a Certificate Authority, see the X.509v3 Support on Dell Networking OS section.

NOTE: The best practice is to take the root CA offline.

• Ensure that the system is in FIPS mode (use the fips mode enable command) in order for the underlying TLS 1.2 protocol to select the compliant cipher suites.

• Ensure that copies of various CA certificates are available to install on the switch, the SYSLOG server, and OCSP responders.

NOTE: For more information about installing certificates, see the Installing CA Certificates section.

• Ensure that you create the X.509v3 certificates for both the switch as well as the SYSLOG server using the same X.509v3 CA hierarchy. For this purpose, ensure that you create CSRs for the switch and Syslog server and have them signed by the appropriate CA.

NOTE: For more information on creating CSRs, see the Creating Certificate Signing Requests section.

NOTE: Dell Networking highly recommends using the Subject Alt Name instead of the Common Name (which is now deprecated) while creating CSRs. Systems need to be identified either using the DNS names or the IPv4 or IPv6 addresses in the Subject Alt Name fields of their own certificates. If you use DNS names, ensure that the DNS hierarchy is set up and is usable by both parties. IPv4 or IPv6 addresses must NOT be used in the Common Name field.

• After the CA signs the X.509v3 certificates, ensure that you install the relevant certificate on each of the switches and the SYSLOG.

NOTE: For more information about installing trusted certificates, see Installing Trusted Certificates section.

• Ensure that the OCSP server is configured and is active. When the OCSP server is active, ensure that the OCSP server field in each certificate is configured through the AuthorityInformationAccess extension. Also, ensure that the OCSP server is reachable across the network.

NOTE: For more information about OCSP, see the Online Certificate Status Protocol and the Configuring OCSP Behavior sections.

• Check whether the Syslog server’s certificates can be validated at the switch end. You can run a test using the debug crypto command.

NOTE: For more information about validation checking, see the Debugging X.509v3 Certificates section.

• Test the connection to the Syslog server using the logging syslog-server secure port port-number command. The Syslog server name or IP address must match the contents of the Subject Alt Name field. You can also use the debug ip tls-handshake command (in EXEC PRIVILEGE mode) before running the logging secure command to get more detail about the connection process.

NOTE: For more information about testing TLS handshake, see the Debugging X.509v3 TLS Handshake section.


NOTE: If the connection test succeeds, then the logging secure command is appended to the running-config file. If the connection test fails, then the logging secure command is not entered into the running-config file. The log messages that are generated by the logging secure command indicate whether the connection test is a success or a failure.

NOTE: You can also create self-signed certificates for the switch. However, the system does not accept self-signed certificates (with CA flag set to FALSE) from the Syslog server.
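The requirements listed above (TLS 1.2 only, the server certificate chained to the installed CA hierarchy, the server identity taken from the Subject Alt Name, and RFC 5425 transport) can be exercised from the collector side before the switch is pointed at the Syslog server. The following Python example is added here and is not part of the Dell guide or the switch software: it builds a TLS client context with those properties, implements the octet-counting framing that RFC 5425 requires, and sends one test message. The server name, CA bundle path and the syslog message in it are assumed sample values.

```python
import socket
import ssl
from typing import List, Optional, Tuple

SYSLOG_TLS_PORT = 6514  # syslog over TLS (RFC 5425), the port used in the guide's example


def make_audit_channel_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS client context mirroring the guide's trusted-channel requirements:
    TLS 1.2 only, the server certificate verified against the installed CA chain,
    and the server identity matched against the Subject Alt Name only (no Common
    Name fallback). cafile is the PEM bundle holding the CA hierarchy; None uses
    the OS trust store, which is not what a Common Criteria deployment wants."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if hasattr(ctx, "hostname_checks_common_name"):  # Python 3.7+ with OpenSSL 1.1.0+
        ctx.hostname_checks_common_name = False
    return ctx


def frame(msg: bytes) -> bytes:
    """RFC 5425 octet counting: MSG-LEN SP SYSLOG-MSG (no trailing newline)."""
    return b"%d %s" % (len(msg), msg)


def deframe(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a receive buffer into complete messages; returns (messages, leftover).
    A partial frame (header or body) stays in the buffer for the next read."""
    msgs: List[bytes] = []
    while True:
        sp = buf.find(b" ")
        if sp < 0:
            break
        header = buf[:sp]
        if not header.isdigit():
            raise ValueError(f"malformed RFC 5425 frame header: {header!r}")
        n, start = int(header), sp + 1
        if len(buf) < start + n:
            break
        msgs.append(buf[start:start + n])
        buf = buf[start + n:]
    return msgs, buf


def send_test_message(server_name: str, cafile: str, msg: bytes,
                      port: int = SYSLOG_TLS_PORT) -> Tuple[str, tuple]:
    """Open the channel the way the switch will and send one framed message.
    Returns the negotiated TLS version and the server's subjectAltName entries.
    server_name must be the DNS name or IP address the switch will be configured
    with; wrap_socket matches it against the SAN (IP entries included)."""
    ctx = make_audit_channel_context(cafile)
    with socket.create_connection((server_name, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(msg))
            cert = tls.getpeercert()
            return tls.version(), cert.get("subjectAltName", ())


# Constructed RFC 5424 message in the spirit of the guide's "server reachable" event.
SAMPLE_MSG = b"<110>1 2017-01-20T01:41:57Z switch01 - - - - Syslog server reachable"

if __name__ == "__main__":
    # Assumed lab values: replace with your collector's name and the CA chain bundle.
    print(send_test_message("syslog.example.net", "/path/to/ca-chain.pem", SAMPLE_MSG))
```

If the handshake fails here it will fail from the switch too, and the Python error (certificate verify failed, hostname mismatch, no shared cipher) is usually more specific than the switch's "connection test failed" message. The receiving side of the framing is included because a collector that splits on newlines instead of octet counts will silently corrupt messages containing line breaks.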

Checking the Trusted Channel Connection to the Syslog Server

Enter the logging secure command in Configuration mode.

logging syslog-server-name secure port port-number

NOTE: For more information about secure logging, see the logging secure section in the X.509v3 chapter of the Dell Networking Command Line Reference Guide for your system.

Configuring the System Date and Time

This section describes how to set up the system clock and time zone.

NOTE: For more information about configuring NTP, see Appendix E - NTP.

The following sections describe how to configure the system clock and time zone:

1 Setting the Time and Date for the Switch Hardware Clock

2 Setting the Timezone

Setting the Time and Date for the Switch Hardware Clock

To set the time and date for the switch hardware clock, use the following command.

• Set the hardware clock to the current time and date.

EXEC Privilege mode

calendar set time month day year

• time: enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format; for example, 17:15:00 is 5:15 pm.

• month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.

• day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year.

• year: enter a four-digit number as the year. The range is from 1993 to 2035.

Example of the calendar set Command

Dell#calendar set 08:55:00 september 18 2009
Dell#


Setting the Timezone

Universal time coordinated (UTC) is the time standard based on the International Atomic Time standard, commonly known as Greenwich Mean Time. When determining system time, include the differentiator between UTC and your local timezone. For example, San Jose, CA is in the Pacific Timezone with a UTC offset of -8.

To set the clock timezone, use the following command.

• Set the clock to the appropriate timezone.

CONFIGURATION mode

clock timezone timezone-name offset

• timezone-name: enter the name of the timezone. Do not use spaces.

• offset: enter one of the following:

• a number from 1 to 23 as the number of hours in addition to UTC for the timezone.

• a minus sign (-) then a number from 1 to 23 as the number of hours.

Example of the clock timezone Command

Dell#conf
Dell(conf)#clock timezone Pacific -8
Dell(conf)#01:40:19: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Timezone configuration changed from "UTC 0 hrs 0 mins" to "Pacific -8 hrs 0 mins"
Dell#

Dell#conf
Dell(conf)#clock timezone Pacific -8
Dell(conf)#01:40:19: %SYSTEM-P:CP %CLOCK-6-TIME CHANGE: Timezone configuration changed from "UTC 0 hrs 0 mins" to "Pacific -8 hrs 0 mins"
Dell#

Configuring SNMPv3

To configure SNMPv3, complete the following tasks:

1 Configuring an SNMP v3 Policy with Read-only Permission

2 Configuring Traps

3 Configuring a Trap Group

4 Configuring the Recipient of an SNMPv3 Trap Operation

5 Configuring a New User to an SNMPv3 Group

6 Configuring SNMP View

Configuring an SNMP v3 policy with Read-only Permission

Configure the User-based Security Model (USM) for version 3 of the Simple Network Management Protocol. The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention.

To configure an SNMP v3 policy with read-only permission, use the snmp-server command in CONFIGURATION mode.

Syntax


no snmp-server community public ro

For complete information on using the SNMP feature, see the Simple Network Management Protocol (SNMP) section in the Dell Networking Configuration Guide and the Simple Network Management Protocol (SNMP) and Syslog section in the Dell Networking Command Line Reference Guide for your system.

Dell(conf)# no snmp-server community public ro

Configuring Traps

Enable the following SNMP traps using the snmp-server enable traps command in CONFIGURATION mode. There are other traps you can enable.

Syntax

snmp-server enable traps [notification-type] [notification-option]

Trap Notification Types

• bgp — Enable notification of changes in the BGP process.

• config — Enable notification of changes to startup or running configuration.

• ecfm — Enable notification of changes to ECFM.

• ecmp — Enable notification of traffic imbalance in ECMP or a link bundle.

• entity —Enable notification of Entity Management Information Base (MIB) changes.

• envmon — Enable notification when an environmental threshold is exceeded.

• ets — Enables ets traps.

• fips — Enables FIPS snooping state change traps.

• isis — Enable notification of IS-IS adjacency state changes.

• lacp — Enable notification of LACP state changes.

• pfc — Enable notification of PFC state changes. Priority-based Flow Control as defined in 802.1Qbb.

• snmp — Enable SNMP notifications defined in RFC 1157.

• authentication — Enable authentication trap.

• coldstart — Enable cold start trap.

• linkdown — Enable link down trap.

• linkup — Enable link up trap.

• syslog-reachable — Enable trap for SYSLOG server reachable.

• syslog-unreachable — Enable trap for SYSLOG server unreachable.

• stack — Enable stacking role change traps.

• stp — Enable notification of a state change in the spanning tree protocol (RFC 1493).

• vlt — Enable notification of VLT state changes.

• vrrp —Enable notification of a state change in a VRRP group.

• xstp — Enable notification of a state change in MSTP (802.1s), RSTP (802.1w), and PVST+.

Trap notification-options

• cam-utilization

• fan

• supply

• temperature


For the cam-utilization notification option, the system generates syslogs and SNMP traps when the L3 host table or route table utilization goes above the threshold.

If you do not configure this command, no traps controlled by this command are sent. If you do not specify a notification-type and notification-option, all traps are enabled.

Dell(conf)# snmp-server enable traps bgp
Dell(conf)# snmp-server enable traps config
Dell(conf)# snmp-server enable traps ecfm
Dell(conf)# snmp-server enable traps ecmp
Dell(conf)# snmp-server enable traps ets
Dell(conf)# snmp-server enable traps entity
Dell(conf)# snmp-server enable traps fips
Dell(conf)# snmp-server enable traps isis
Dell(conf)# snmp-server enable traps lacp
Dell(conf)# snmp-server enable traps pfc
Dell(conf)# snmp-server enable traps stack
Dell(conf)# snmp-server enable traps stp
Dell(conf)# snmp-server enable traps vlt
Dell(conf)# snmp-server enable traps vrrp
Dell(conf)# snmp-server enable traps xstp
Dell(conf)# snmp-server enable traps envmon cam-utilization fan supply temperature
Dell(conf)# snmp-server enable traps snmp authentication coldstart linkdown linkup

Configuring a Trap Group

To configure a new SNMPv3 group or a table that maps SNMP users to SNMP views, use the snmp-server group command in CONFIGURATION mode.

Syntax

snmp-server group group_name 3 priv snmpv3-password [read name] [write name] [notify name]

For more information about this command, see the Simple Network Management Protocol (SNMP) section in the Dell Networking Configuration Guide and the Simple Network Management Protocol (SNMP) and Syslog section in the Dell Networking Command Line Reference Guide for your system.

Dell(conf)# snmp-server group ccGroup 3 priv read ccReadView write ccWriteView notify ccNotifyView

Configuring the Recipient of an SNMPv3 Trap Operation

To configure the recipient of an SNMPv3 trap operation, use the snmp-server host command in CONFIGURATION mode.

Syntax

Parameters

• ip-address — Enter the keyword host then the IP address of the host (configurable hosts is limited to 16).

• traps — Enter the keyword traps to send trap notifications to the specified host. The default is traps.

• version — Enter the keyword version to specify the security model then the security model version number 3. Version 3 is the most secure of the security modes. The default is version 1.

• priv snmpv3-password— Enter the keyword priv to specify both authentication and then the SNMPv3 password.


• udp-port — (OPTIONAL) Enter the keywords followed by the port number, 162, of the remote host to use. The range is from 0 to 65535. The default is 162.

Dell(conf)# snmp-server host 10.16.150.203 traps version 3 priv mySNMPv3Password udp-port 162

Configuring a New User to an SNMPv3 Group

When the FIPS mode is enabled on the system, SNMPv3 operates in a FIPS-compliant manner, and only the FIPS-approved algorithm options are available for SNMPv3 user configuration. SHA authentication needs to be used with the AES-CFB128 privacy algorithm only when FIPS is enabled because SHA is then the only available authentication level. When the FIPS mode is disabled on the system, all options are available for SNMPv3 user configuration.

For information about SNMPv3 and FIPS, see the SNMPv3 Compliance With FIPS section in the Dell Networking Configuration Guide.

To configure a new user to an SNMP group, use the snmp-server user command in CONFIGURATION mode.

IMPORTANT: To meet Common Criteria requirements, specify the secure hash algorithm and Advanced Encryption Standard (AES) Cipher Feedback (CFB) 128-bit encryption algorithm.

Syntax

snmp-server user name group_name 3 [auth sha auth-password] [priv aes128 priv password]

Parameters

• name — Enter the name of the user (not to exceed 20 characters), on the host that connects to the agent.

• group-name — Enter a text string (up to 20 characters long) as the name of the group.

• 3 — Enter the security model version number 3 to use SNMPv3. SNMPv3 is the most secure of the security modes.

• auth sha — Enter the keywords auth sha (Secure Hash Algorithm) to designate the authentication level and then the SHA password.

• aes128 — AES CFB 128-bit encryption algorithm.

Dell(conf)# snmp-server user ccUser ccGroup 3 auth sha myShaPassword priv aes128 myAesPasswd

Configuring an SNMPv3 View

To configure an SNMPv3 view, use the snmp-server view command in CONFIGURATION mode.

Syntax

snmp-server view view-name oid-tree included

• view-name — Enter the name of the view (not to exceed 20 characters).

• oid-tree — Enter the OID sub tree for the view (not to exceed 20 characters).

• included — Enter the keyword included to include the MIB family in the view.

Dell(conf)#snmp-server view ccWriteView .1 included
Dell(conf)#snmp-server view ccReadView .1 included
Dell(conf)#snmp-server view ccNotifyView .1 included


Processes and Open Ports

On Common Criteria compliant configurations, there are several processes that are capable of processing data/packets received on behalf of the management interfaces. All processes run in user space and at root privilege level.

Table 5. Processes and Open Ports

Process name (descriptive name): description

login_console (Login process for console): Provides login/password entry for the console.

login (Login process for remote session): Provides login/password entry for a remote session. The CLI for the remote session is launched from this process.

pamMgr (pluggable authentication manager): Provides the authentication/authorization service for each session upon startup.

clish: n (Command line interpreter): Parses the command line for the console. One process for each currently connected session: one for the console and one for each current SSH session.

igmp (Internet Group Management Protocol daemon): Used for managing multicast groups for the data interfaces and the management interface.

acl (access control list): Provides the configuration service for any access control lists the customer creates (for data interfaces and for management interfaces).

sysd (system daemon): Main system daemon for the switch. Many minor control plane clients, including NTP, are included in the sysd process.

sysdlp (system data plane daemon): Main system daemon for the data plane. Configures data plane processor structures.

sysmon (system monitor): Used to save log messages.

arpm (arp manager): Manages the ARP table for MAC addresses for data interfaces and for management interfaces.

ndpm (neighbor discovery protocol manager): Manages the neighbor discovery addresses for data interfaces and for management interfaces, including DAD notification.

sshd (SSH server daemon): Manages the SSH remote connections to the switch.

flashmntr (Flash monitor daemon): Used for managing on-board flash.

Most of these processes do not specifically open a port to listen on a TCP/UDP socket but they do process packets and update local structures with information; for example, arpm, ndpm, and igmp. However, the following two processes open ports for listening:

• process name: sshd

The SSH server runs in process sshd at root level. It opens the TCP port 22 listening for SSH connections for remote access. This includes the SSH connection used for the reverse SSH tunnel for the SYSLOG server trusted channel.

• process name: sysd


The main control plane application runs in process sysd at root level. Both the NTP client and the SNMP server run in this process. This process listens on:

• UDP port 123

If the NTP client is configured for managing the clock on the system, this port is open for receiving time updates from the designated NTP server.

• UDP port 161

If the SNMP version 3 server is configured, this port is open for receiving SNMP requests from a remote client. Dell systems do not support configuration via SNMP, only monitoring.

A port scan tool, for example nmap, confirms these are the only ports open based on the Common Criteria compliant configuration.

NOTE: If there are any other ports open, some additional features may have been configured on the system. Ensure that only the desired protocols are enabled on the system.

Configuring X.509v3

This section provides information on configuring X.509v3 certificates on the Dell switches.

This section contains the following sub-sections:

• Building Trusted CA Store

• Installing Trusted Certificates

• Creating Self-signed Requests

• Configuring OCSP Settings on a CA

• Debugging X.509v3 Certificates

NOTE: For complete information on X.509v3 support in Dell Networking OS, see the Dell Networking OS Command Line Reference Guide and the Dell Networking Configuration Guide for your system. See http://www.dell.com/support to access all Dell Networking documentation. Further, Dell Networking HIGHLY recommends reading the Dell Networking Configuration Guide for your system FIRST as it provides more background on X.509v3 certificates.

Building a Trusted Certificate Store

When you create an X.509v3 infrastructure, you are building a trusted CA certificate store on each system. Each device in the network contains a trusted chain of CA certificates that are installed locally. These certificates include root certificates, trunk certificates, branch certificates, and so on.

To establish X.509v3 authentication on each device on the network, you need to install more than a root CA certificate on the devices. Each device must contain the entire CA chain (with the root CA last). Alternatively, each device can contain individual CA certificates installed one at a time, starting with the root CA certificate, followed by the trunk CA certificate, then the branch CA certificate, and so on.

If you do not strictly follow this order, the CA certificates are not installed correctly and the system returns an error message indicating that the certificates were not installed.

For more information about X.509v3 certificates, see X.509v3.

Creating Certificate Signing Requests (CSR)

To create a private key and CSR, perform the following step:

In CONFIGURATION mode, enter the following command:

crypto cert generate {self-signed | request} [cert-file cert-path key-file {private | key-path}] [country 2-letter code] [state state] [locality city] [organization organization-name] [orgunit unit-name] [cname common-name] [email email-address] [validity days] [length length] [altname alt-name]

You must specify the following parameters for this command:

• Certificate File

• Private Key

• Country Name

• State or Province Name

• Locality Name

• Organization Name

• Organization Unit Name

• Common Name

• Email address

• Validity

• Length

• Alternate Name

NOTE: Depending on your organization’s policy, you can choose to have either a self-signed certificate or create a certificate signing request to be signed by a CA.

NOTE: For more information about the process of signing X.509v3 certificates, see Signing X.509v3 Certificates.

Installing Trusted Certificates

NOTE: You can install either a self-signed certificate or a signed certificate copied back from the CA after it has signed it.

Enter the following command in EXEC Privilege mode to install a trusted certificate.

crypto cert install cert-file cert-path key-file {key-path | private} [password passphrase]

• cert-file — specify the certificate to download.

• cert-path — the path where the certificate is locally stored. The path can be a full path or a relative path. If the system accepts this path, a notification is sent indicating the location where the certificate file is stored. The following are examples of paths that you can specify: flash://certs/s4810-001-request.crt and usbflash:/certs/s3100-001-cert.pem

NOTE: Before installing a trusted certificate, first download it from a remote CA using the copy command.

• key-file — specify the private key.

• private — specify that the key is stored in a hidden location in the NVRAM. Only one private key can exist in a hidden location at any time.

• key-path — the absolute or relative location on the device where the key is stored.

NOTE: After the certificate is successfully installed, the private key is deleted from the specified location and copied to the hidden location in NVRAM.

• password passphrase — (Optional) enter the keyword then the password phrase used to decrypt the private key.

NOTE: You can generate the private key and certificate on another host. You must keep the private key encrypted with a passphrase so that the private key is not compromised during transport. The password phrase acts as a facility to decrypt the private key before installing it on the switch.


NOTE: After the certificate installation completes, the key file is erased from the file system. You cannot access the installed key after it is erased from the file system as the key file is stored in NVRAM.

Configuring OCSP behavior

You can configure how the OCSP requests and responses are signed when the CA or the device contacts the OCSP responders. To configure this behavior, follow this step:

In CONFIGURATION mode, enter the following command:

crypto x509 ocsp {[nonce] [sign-request]}

Both the nonce and sign-request parameters are optional. The default behavior is to not use these two options. If your OCSP responder uses pre-computed responses, you cannot use the nonce feature in the switch's communications with the responder. If your OCSP responder requires signed requests, you can use the sign-request option.

Configuring Revocation Behavior

You can configure the system behavior if an OCSP responder fails. By default, when all the OCSP responders fail to send a response to an OCSP request, the system accepts the certificate and logs the event. However, you can configure the system to reject the certificate in case OCSP responders fail.

To configure OCSP revocation settings:

In CONFIGURATION mode, enter the following command:

crypto x509 revocation ocsp [accept | reject]

The default behavior is to accept certificates if either an OCSP responder is unavailable or if no responder is identified.

Configuring OCSP responder preference

You can configure the preference or order that the CA or a device follows while contacting multiple OCSP responders.

Enter the following command in Certificate mode:

ocsp-server prefer

Debugging X.509v3 Certificates

You can test a particular X.509 certificate that is external to TLS communications.

Before you test the X.509v3 certificates, ensure that you have the trusted CA store installed on the switch. You can view the current trusted CA store using the show crypto ca-certs command. The following example shows the output of the show crypto ca-certs command:

===== Certificate Authority #1 =====
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=Santa Clara, O=Dell Inc., OU=Networking Fedgov, CN=Fedgov_BranchCA2/[email protected]
        Validity
            Not Before: Mar 25 14:42:50 2016 GMT
            Not After : Sep 15 14:42:50 2021 GMT
        Subject: C=US, ST=California, L=Santa Clara, O=Dell Inc., OU=Networking Fedgov, CN=Fedgov_TwigCA2/[email protected]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B7:EA:95:8C:F4:03:3D:00:33:D7:79:50:91:C3:D6:32:14:6E:7B:9B
            X509v3 Authority Key Identifier:
                keyid:2D:D6:5D:A7:9E:84:22:DC:92:FB:AD:CD:C3:BA:AF:F7:A8:3A:CF:8B
....

You must also copy the desired X.509 certificate to the Flash file system of the switch using the copy command. The following example shows the copy command:

# copy ftp://userid.password@hostip/filepath/test_certificate.pem flash://test_certificate.pem

You can use the debug crypto cert file command to test the desired X.509v3 certificate. This command shows the process of verifying a certificate including the revocation process for the current trusted CA store and any existing X.509v3 configuration.

To test a X.509v3 certificate:

Enter the debug crypto command on the certificate file.

EXEC Privilege Mode

debug crypto flash://certificate.pem

# debug crypto flash://test_certificate.pem

Attempting to validate certificate chain.
Certificate chain did not pass verification.
%% Error: Certificate chain did NOT validate.
Attempting to validate certificate chain.
 with issuer subject-key-id: b7:ea:95:8c:f4:03:3d:00:33:d7:79:50:91:c3:d6:32:14:6e:7b:9b
OSCP URL from certificate http://10.11.178.155:8888
OCSP URL: http://10.11.178.155:8888 Response - VALID
Checking cert subject-key-id: b7:ea:95:8c:f4:03:3d:00:33:d7:79:50:91:c3:d6:32:14:6e:7b:9b with issuer subject-key-id: 2d:d6:5d:a7:9e:84:22:dc:92:fb:ad:cd:c3:ba:af:f7:a8:3a:cf:8b
No OCSP responder specified
Checking cert subject-key-id: 2d:d6:5d:a7:9e:84:22:dc:92:fb:ad:cd:c3:ba:af:f7:a8:3a:cf:8b with issuer subject-key-id: dd:ba:a0:4d:4f:63:2b:2d:ee:86:7e:b0:12:79:14:05:94:ad:11:53
No OCSP responder specified
Checking cert subject-key-id: dd:ba:a0:4d:4f:63:2b:2d:ee:86:7e:b0:12:79:14:05:94:ad:11:53 with issuer subject-key-id: 9f:80:8a:75:d6:76:f8:7d:c2:36:82:e0:09:33:27:13:32:fa:53:8d
No OCSP responder specified
Checking cert subject-key-id: 9f:80:8a:75:d6:76:f8:7d:c2:36:82:e0:09:33:27:13:32:fa:53:8d
Last certificate self-signed
Certificate chain validated correctly.
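The walk shown in the output above (from the tested certificate to its issuer by Subject Key Identifier / Authority Key Identifier, querying the OCSP responder where a certificate names one, and stopping at the self-signed root in the trusted store) is the same logic that decides whether a CA bundle was ordered correctly for installation (Building a Trusted Certificate Store) and what happens when no responder answers (Configuring Revocation Behavior). The following Python example models that walk so the two policies can be seen side by side; it is added here, is not the switch's code, and the key identifiers, subjects and responder URL in it are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    skid: str                        # X509v3 Subject Key Identifier
    akid: str                        # X509v3 Authority Key Identifier (issuer's SKID)
    ocsp_url: Optional[str] = None   # responder from the AuthorityInformationAccess extension

    @property
    def self_signed(self) -> bool:
        return self.skid == self.akid


# Responder answer for one certificate: "good", "revoked", or None when no responder
# could be reached. A real implementation would issue the OCSP request here.
OcspLookup = Callable[[Cert], Optional[str]]


def validate_chain(cert: Cert, store: Dict[str, Cert], ocsp: OcspLookup,
                   revocation: str = "accept") -> Tuple[bool, List[str]]:
    """Walk from cert up to a self-signed root held in the trusted store.
    revocation models 'crypto x509 revocation ocsp {accept | reject}': what to do
    when a certificate names a responder but none answers."""
    trace: List[str] = []
    seen = set()
    while True:
        if cert.skid in seen:
            trace.append("loop in chain, aborting")
            return False, trace
        seen.add(cert.skid)
        if cert.self_signed:
            if store.get(cert.skid) != cert:
                trace.append(f"self-signed {cert.subject} is not in the trusted store")
                return False, trace
            trace.append(f"{cert.subject}: last certificate self-signed")
            trace.append("certificate chain validated correctly")
            return True, trace
        issuer = store.get(cert.akid)
        if issuer is None:
            trace.append(f"no trusted issuer with subject-key-id {cert.akid} for {cert.subject}")
            return False, trace
        trace.append(f"checking {cert.subject} with issuer subject-key-id {issuer.skid}")
        if cert.ocsp_url is None:
            trace.append("  no OCSP responder specified")
        else:
            status = ocsp(cert)
            if status == "revoked":
                trace.append(f"  OCSP {cert.ocsp_url}: REVOKED")
                return False, trace
            if status is None and revocation == "reject":
                trace.append(f"  OCSP {cert.ocsp_url}: no response, rejected by policy")
                return False, trace
            if status is None:
                trace.append(f"  OCSP {cert.ocsp_url}: no response, accepted by policy (logged)")
            else:
                trace.append(f"  OCSP {cert.ocsp_url}: {status.upper()}")
        cert = issuer


def install_order_ok(chain: List[Cert]) -> bool:
    """True when a bundle is ordered as the guide requires for installation:
    each certificate is followed by its issuer and the root CA comes last."""
    if not chain or not chain[-1].self_signed:
        return False
    return all(chain[i].akid == chain[i + 1].skid for i in range(len(chain) - 1))


# Constructed four-level hierarchy (root, trunk, branch, twig) plus a test certificate.
ROOT = Cert("RootCA", "9f80", "9f80")
TRUNK = Cert("TrunkCA", "ddba", "9f80")
BRANCH = Cert("BranchCA", "2dd6", "ddba")
TWIG = Cert("TwigCA", "b7ea", "2dd6")
TEST_CERT = Cert("syslog.example.net", "1a2b", "b7ea", ocsp_url="http://ocsp.example.net:8888")
TRUSTED_STORE = {c.skid: c for c in (ROOT, TRUNK, BRANCH, TWIG)}

if __name__ == "__main__":
    ok, trace = validate_chain(TEST_CERT, TRUSTED_STORE, lambda c: "good")
    print("\n".join(trace), "\nresult:", ok)
    # Responder unreachable: the default policy accepts and logs, 'reject' fails the chain.
    print("reject policy:", validate_chain(TEST_CERT, TRUSTED_STORE, lambda c: None, "reject")[0])
    print("root-last bundle:", install_order_ok([TWIG, BRANCH, TRUNK, ROOT]),
          "root-first bundle:", install_order_ok([ROOT, TRUNK, BRANCH, TWIG]))
```

The accept default exists so that an unreachable responder does not take the audit channel down, but it also means a revoked Syslog server certificate is accepted while the responder is unreachable; the trace line marked "accepted by policy (logged)" is the event to watch for if the default is kept.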

Debugging X.509v3 TLS Handshake

You can view details corresponding to the TLS handshake between the switch and the audit SYSLOG server.

1 Enable debugging using the following command in EXEC Privilege mode:

debug ip tls-handshake {basic | detailed}

NOTE: To see basic or detailed debugging information, use either the basic or detailed option. This command allows you to debug X.509 certificate issues when setting up Syslog communication over TLS.

Debugging is enabled.

2 Start the connection to the SYSLOG server using the following command in Configuration mode:

logging syslog-server-name secure 6514


The details corresponding to the TLS handshake appear.

>>> TLS 1.2 [length 0005]
>>> TLS 1.2 Handshake [length 0068], ClientHello
<<< TLS 1.2 Handshake [length 0056], ServerHello
<<< TLS 1.2 Handshake [length 1db9], Certificate
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
>>> TLS 1.2 Handshake [length 0106], ClientKeyExchange
>>> TLS 1.2 ChangeCipherSpec [length 0001]
>>> TLS 1.2 Handshake [length 0010], Finished
<<< TLS 1.2 ChangeCipherSpec [length 0001]
<<< TLS 1.2 Handshake [length 0010], Finished

TLS connection successful
dv-fedgov-s4810-3(conf)#2017-01-20T01:41:57Z - - EVL SERVER_REACHABLE - STKUNIT0-M:CP Syslog server 10.11.178.203 (port: 6514) is reachable


Appendix A — Role-Based Access Control

Topics:

• Overview of RBAC

• User Roles

• AAA Authentication and Authorization for Roles

• Role Accounting

• Display Information About User Roles

Overview of RBAC

With Role-Based Access Control (RBAC), access and authorization is controlled based on a user’s role. Users are granted permissions based on their user roles, not on their individual user ID. User roles are created for job functions and through those roles they acquire the permissions to perform their associated job function. Each user is assigned only a single role. Many users can have the same role.

The Dell Networking OS supports the constrained RBAC model. With the model, you can inherit permissions when you create a new user role, restrict or add commands a user can enter, and the actions the user can perform. This allows for greater flexibility in assigning permissions for each command to each role. As a result, it is easier and much more efficient to administer user rights. If a user’s role matches one of the allowed user roles for that command, then command authorization is granted.

A constrained RBAC model provides for separation of duty and as a result, provides greater security than the hierarchical RBAC model. A constrained model puts some limitations around each role’s permissions to allow you to partition tasks. However, some inheritance is possible.

Default command permissions are based on CLI mode, such as configure, interface, or router, any specific command settings, and the permissions allowed by the privilege and role commands. The role command allows you to change permissions based on the role. You can modify the permissions specific to that command and/or command option.

NOTE: When you enter a user role, you have already been authenticated and authorized. You do not need to enter an enable password because you are automatically placed in EXEC Priv mode.

Privilege-or-Role Mode versus Role-only Mode

By default, the system provides access to commands determined by the user’s role or by the user’s privilege level. The user’s role takes precedence over the user’s privilege level. If the system is in “privilege or role” mode, all existing user IDs can continue to access the switch even if they do not have a user role defined. To change to the more secure mode, use role-based only AAA authorization. When role-based only AAA authorization is configured, access to commands is determined only by the user’s role. For more information, see Configuring Role-based Only AAA Authorization.

Configuring Role-based Only AAA Authorization

You can configure authorization so that access to commands is determined only by the user’s role. If the user has no user role, access to the system is denied because the user is not able to log in successfully. When you enable role-based only AAA authorization using the aaa authorization role-only command in Configuration mode, the Dell Networking OS checks to ensure that you do not lock yourself out and that user authentication is available for all terminal lines.

Pre-requisites

Before you enable role-based only AAA authorization:

1 Locally define a system administrator user role. This gives you access to login with full permissions even if network connectivity to remote authentication servers is not available.

2 Configure login authentication on the console. This ensures that all users are properly identified through authentication no matter the access point.

If you do not configure login authentication on the console, the system displays an error when you attempt to enable role-based only AAA authorization.

3 Specify an authentication method list—RADIUS, TACACS+, or Local.

You must specify at least local authentication. For consistency, the best practice is to define the same authentication method list across all lines, in the same order of comparison; for example VTY and console port.

You could also use the default authentication method to apply to all the LINES; for example, console port and VTY.

NOTE: The authentication method list must be in the same order as the authorization method list. For example, if you configure the authentication method list in the following order—TACACS+, local—Dell Networking recommends configuring the authorization method list in the same order—TACACS+, local.

4 Specify the authorization method list—RADIUS, TACACS+, or Local. At a minimum, you must specify local authorization.

For consistency, the best practice is to define the same authorization method list across all lines, in the same order of comparison; for example, VTY and console port.

You could also use the default authorization method list to apply to all the LINES—console port, VTY.

If you do not, the following error displays when you attempt to enable role-based only AAA authorization:

% Error: Exec authorization must be applied to more than one line to be useful, e.g. console and vty lines. Could use default authorization method list as alternative.

5 Verify the configuration is applied to the console or VTY line.

Dell(conf)#do show running-config line
!
line console 0
 login authentication test
 authorization exec test
 exec-timeout 0 0
line vty 0
 login authentication test
 authorization exec test
line vty 1
 login authentication test
 authorization exec test

To enable role-based only AAA authorization, enter the following command in Configuration mode:

Dell(conf)#aaa authorization role-only
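The pre-requisites above are exactly the checks the switch performs before it accepts aaa authorization role-only. The following Python script, added here as an illustration and not part of Dell Networking OS, applies those same rules offline to the text of show running-config line together with the method lists defined by aaa authentication login and aaa authorization exec: every line must have login authentication, exec authorization must be applied to the console and at least one VTY line (or a default list must exist), each list must include local, the enable, line and none methods are rejected, and an authentication list whose order differs from the authorization list is flagged as a warning (the NOTE above). The sample configuration and method lists are constructed; the message texts are the script's own, not the switch's.

```python
"""Pre-flight check for 'aaa authorization role-only'.

Added example, not Dell Networking OS code: it applies the guide's
pre-requisites to the text of 'show running-config line' plus the
method lists defined with 'aaa authentication login' and
'aaa authorization exec', and lists what would lock you out.
The sample configuration below is constructed.
"""
import re

LINE_RE = re.compile(r"^line (console|vty) (\d+)$")

# Methods the guide says are unavailable once role-only authorization is enabled.
INSECURE_AUTHZ_METHODS = {"enable", "line", "none"}

# Constructed sample, shaped like the guide's 'show running-config line' output.
SAMPLE_LINE_CONFIG = """\
!
line console 0
 login authentication test
 authorization exec test
 exec-timeout 0 0
line vty 0
 login authentication test
 authorization exec test
line vty 1
 login authentication test
 authorization exec test
"""

# Constructed method lists (name -> ordered methods), as the aaa commands would define them.
SAMPLE_LOGIN_LISTS = {"test": ["tacacs+", "local"]}
SAMPLE_EXEC_LISTS = {"test": ["tacacs+", "local"]}


def parse_line_config(text):
    """Map each terminal line to the login/authorization lists applied to it."""
    lines, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        match = LINE_RE.match(stripped)
        if match:
            current = f"{match.group(1)} {match.group(2)}"
            lines[current] = {"login": None, "authorization": None}
            continue
        parts = stripped.split()
        if current is None or len(parts) != 3:
            continue
        if parts[:2] == ["login", "authentication"]:
            lines[current]["login"] = parts[2]
        elif parts[:2] == ["authorization", "exec"]:
            lines[current]["authorization"] = parts[2]
    return lines


def effective_list(explicit, defined):
    """A line with no explicit list uses 'default' when that list is defined."""
    if explicit is not None:
        return explicit
    return "default" if "default" in defined else None


def check_role_only_prerequisites(lines, login_lists, exec_lists):
    """Return findings ('error: ...' or 'warning: ...'); an empty list means safe to enable."""
    findings = []
    for name, cfg in lines.items():
        auth = effective_list(cfg["login"], login_lists)
        if auth is None:
            findings.append(f"error: {name}: no login authentication applied")
        elif auth not in login_lists:
            findings.append(f"error: {name}: authentication list '{auth}' is not defined")
        elif "local" not in login_lists[auth]:
            findings.append(f"error: {name}: authentication list '{auth}' lacks the local method")

    authz_lines = [n for n, c in lines.items() if effective_list(c["authorization"], exec_lists)]
    if "console 0" not in authz_lines or len(authz_lines) < 2:
        findings.append("error: exec authorization must be applied to more than one line, "
                        "e.g. console and vty lines (or use the default method list)")
    for name in authz_lines:
        list_name = effective_list(lines[name]["authorization"], exec_lists)
        methods = exec_lists.get(list_name)
        if methods is None:
            findings.append(f"error: {name}: authorization list '{list_name}' is not defined")
            continue
        if "local" not in methods:
            findings.append(f"error: {name}: authorization list '{list_name}' lacks the local method")
        bad = INSECURE_AUTHZ_METHODS.intersection(methods)
        if bad:
            findings.append(f"error: {name}: methods {sorted(bad)} are not allowed in role-only mode")
        auth = effective_list(lines[name]["login"], login_lists)
        if auth in login_lists and login_lists[auth] != methods:
            findings.append(f"warning: {name}: authentication order {login_lists[auth]} "
                            f"differs from authorization order {methods}")
    return findings


def safe_to_enable_role_only(config_text, login_lists, exec_lists):
    """True when no error-level finding remains."""
    findings = check_role_only_prerequisites(parse_line_config(config_text), login_lists, exec_lists)
    return not any(f.startswith("error:") for f in findings)


if __name__ == "__main__":
    report = check_role_only_prerequisites(
        parse_line_config(SAMPLE_LINE_CONFIG), SAMPLE_LOGIN_LISTS, SAMPLE_EXEC_LISTS)
    for finding in report or ["ok: role-only authorization can be enabled"]:
        print(finding)
```

Run it against a pasted show running-config line and the method lists from show running-config aaa before entering aaa authorization role-only; an error finding corresponds to a configuration the switch would reject (or, worse, one that would succeed and leave a line without a usable role).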

System-Defined RBAC User Roles

By default, the Dell Networking OS provides 4 system-defined user roles. You can create up to 8 additional user roles.

NOTE: You cannot delete any system defined roles.


The system defined user roles are as follows:

• Network Operator (netoperator): This user role has no privilege to modify any configuration on the switch. You can access Exec mode (monitoring) to view the current configuration and status information.

• Network Administrator (netadmin): This user role can configure, display, and debug the network operations on the switch. You can access all of the commands that are available from the network operator user role. This role does not have access to the commands that are available to the system security administrator for cryptography operations, AAA, or the commands reserved solely for the system administrator.

• Security Administrator (secadmin): This user role can control the security policy across the systems that are within a domain or network topology. The security administrator commands include FIPS mode enablement, password policies, inactivity timeouts, banner establishment, and cryptographic key operations for secure access paths.

• System Administrator (sysadmin): This role has full access to all the commands in the system, exclusive access to commands that manipulate the file system formatting, and access to the system shell. This role can also create user IDs and user roles.

The following summarizes the modes that the predefined user roles can access.

Role         Modes
netoperator
netadmin     Exec Config Interface Router IP Route-map Protocol MAC
secadmin     Exec Config Line
sysadmin     Exec Config Interface Line Router IP Route-map Protocol MAC

User Roles

This section describes how to create a new user role and configure command permissions, and contains the following topics.

• Creating a New User Role

• Modifying Command Permissions for Roles

• Adding and Deleting Users from a Role

Creating a New User Role

Instead of using the system-defined user roles, you can create a new user role that best matches your organization. When you create a new user role, you can first inherit permissions from one of the system-defined roles. Otherwise you would have to create a user role’s command permissions from scratch. You then restrict commands or add commands to that role. For more information about this topic, see Modifying Command Permissions for Roles.

NOTE: You can change user-role permissions on the system using pre-defined user roles or user-defined user roles.

Important Points to Remember

• Only the system administrator and user-defined roles inherited from the system administrator can create roles and user names. Only the system administrator, security administrator, and roles inherited from these can use the role command to modify command permissions. The security administrator and roles inherited from the security administrator can only modify permissions for commands they already have access to.

• Make sure you select the correct role you want to inherit.

• If you inherit a user role, you cannot modify or delete the inheritance. If you want to change or remove the inheritance, delete the user role and create it again. If the user role is in use, you cannot delete the user role.

1 Create a new user role in Configuration mode.

userrole name [inherit existing-role-name]

2 Verify that the new user role has inherited the security administrator permissions.

Dell(conf)#do show userroles

3 After you create a user role, to configure permissions for the new user role, see Modifying Command Permissions for Roles.

Example of Creating a User Role

The configuration in the following example creates a new user role, myrole, which inherits the security administrator (secadmin) permissions.

Create a new user role, myrole, and inherit security administrator permissions.

Dell(conf)#userrole myrole inherit secadmin

Verify that the user role, myrole, has inherited the security administrator permissions. The last line of the output, for myrole, shows that the user role has successfully inherited the security administrator permissions (its Modes match those of secadmin).

Dell(conf)#do show userroles

************* Mon Apr 28 14:46:25 PDT 2014 **************

Authorization Mode: role or privilege

Role         Inheritance  Modes
netoperator
netadmin                  Exec Config Interface Router IP Route-map Protocol MAC
secadmin                  Exec Config Line
sysadmin                  Exec Config Interface Line Router IP Route-map Protocol MAC
myrole       secadmin     Exec Config Line

Modifying Command Permissions for Roles

You can modify (add or delete) command permissions for newly created user roles and system-defined roles using the role mode { { { addrole | deleterole } role-name } | reset } command in Configuration mode.

NOTE: You cannot modify system administrator command permissions.

If you add or delete command permissions using the role command, those changes apply only to the specified user role. They do not apply to other roles that inherit from that role. Authorization and accounting apply only to the roles specified in that configuration.

When you modify a command for a role, you specify the role, the mode, and whether you want to restrict access using the deleterole keyword or grant access using the addrole keyword, followed by the command to which you are controlling access. For information about how to create new roles, see also Creating a New User Role.

The following output displays the modes available for the role command.

Dell(conf)#role ?
configure    Global configuration mode
exec         Exec Mode
interface    Interface configuration mode
line         Line Configuration mode
route-map    Route map configuration mode
router       Router configuration mode

Example: Deny Network Administrator from Using the show users Command

The following example denies the netadmin role from using the show users command and then verifies that netadmin cannot access the show users command in exec mode. Note that netadmin is not listed in the Role access: secadmin,sysadmin output, which means that the netadmin role cannot access the show users command.

Dell(conf)#role exec deleterole netadmin show users

Dell#show role mode exec show users
Role access: secadmin,sysadmin

Example: Allow Security Administrator to Configure Spanning Tree

The following example allows the security administrator (secadmin) to configure the spanning tree protocol. Note that the command is protocol spanning-tree.

Dell(conf)#role configure addrole secadmin protocol spanning-tree

Example: Allow Security Administrator to Access Interface Mode

The following example allows the security administrator (secadmin) to access Interface mode.

Dell(conf)#role configure addrole secadmin ?
LINE    Initial keywords of the command to modify
Dell(conf)#role configure addrole secadmin interface

Example: Allow Security Administrator to Access Only 10-Gigabit Ethernet Interfaces

The following example allows the security administrator (secadmin) to access only 10-Gigabit Ethernet interfaces and then shows that the secadmin role now appears in the Role access output for Interface mode. However, the secadmin can only access 10-Gigabit Ethernet interfaces.

Dell(conf)#role configure addrole secadmin ?
LINE    Initial keywords of the command to modify
Dell(conf)#role configure addrole secadmin interface tengigabitethernet

Dell(conf)#show role mode configure interface
Role access: netadmin, secadmin, sysadmin

Example: Verify that the Security Administrator Can Access Interface Mode

The following example shows that the secadmin role can now access Interface mode (Interface now appears in the secadmin row).

Role         Inheritance  Modes
netoperator
netadmin                  Exec Config Interface Router IP RouteMap Protocol MAC
secadmin                  Exec Config Interface Line
sysadmin                  Exec Config Interface Line Router IP RouteMap Protocol MAC

Example: Remove Security Administrator Access to Line Mode

The following example removes the secadmin access to LINE mode and then verifies that the security administrator can no longer access LINE mode, using the show role mode configure line command in EXEC Privilege mode.

Dell(conf)#role configure deleterole secadmin ?
LINE    Initial keywords of the command to modify
Dell(conf)#role configure deleterole secadmin line

Dell(conf)#do show role mode ?
configure    Global configuration mode
exec         Exec Mode
interface    Interface configuration mode
line         Line Configuration mode
route-map    Route map configuration mode
router       Router configuration mode


Dell(conf)#do show role mode configure line
Role access: sysadmin

Example: Grant and Remove Security Administrator Access to Configure Protocols

By default, the system-defined role secadmin is not allowed to configure protocols. The following example first grants the secadmin role permission to configure protocols and then removes that permission.

Dell(conf)#role configure addrole secadmin protocol
Dell(conf)#role configure deleterole secadmin protocol

Example: Reset Only the Security Administrator Role to Its Original Setting

The following example resets only the secadmin role to its original setting.

Dell(conf)#no role configure addrole secadmin protocol

Example: Reset System-Defined Roles and Roles that Inherit Permissions

In the following example, the command permissions for protocol are reset to their original setting for one or more of the system-defined roles and any roles that inherited permissions from them.

Dell(conf)#role configure reset protocol
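The role command examples above, together with the constrained-RBAC rules in Overview of RBAC (one-time inheritance, changes that apply to a single role only, longest-prefix command matching such as interface tengigabitethernet, and the protected sysadmin role), can be tested as a small model. The following Python class is an added illustration and not Dell Networking OS code: its default permission table is constructed for the example and is not the switch's real table, and the names RbacTable, userrole, role, reset, authorized and show_role are the model's own. It reproduces the outputs shown above (for example Role access: secadmin,sysadmin after deleterole netadmin show users) and shows what reset does to a role that inherited from secadmin.

```python
"""Model of the constrained RBAC this appendix describes.

Added example, not Dell Networking OS code.  It models snapshot inheritance
('userrole ... inherit'), per-role command permissions ('role <mode>
addrole|deleterole <role> <command>'), 'role <mode> reset <command>' and
the 'show role mode <mode> <command>' lookup.  The default permission
table is constructed for illustration and is not the switch's real table.
"""
from copy import deepcopy

SYSTEM_ROLES = ("netoperator", "netadmin", "secadmin", "sysadmin")
MAX_USER_ROLES = 8

# Constructed defaults: role -> mode -> {command prefix: allowed?}.  Prefixes match
# token-wise; the most specific matching prefix decides and "" matches every command.
DEFAULT_PERMISSIONS = {
    "netoperator": {"exec": {"show": True, "show users": False}},
    "netadmin": {"exec": {"show": True, "debug": True},
                 "configure": {"interface": True, "router": True, "protocol": True}},
    "secadmin": {"exec": {"show": True},
                 "configure": {"line": True, "password-attributes": True, "fips": True}},
    "sysadmin": {"exec": {"": True}, "configure": {"": True}, "interface": {"": True},
                 "line": {"": True}, "router": {"": True}},
}


def _tokens(command):
    return command.split()


def _is_prefix(prefix, command):
    p = _tokens(prefix)
    return _tokens(command)[:len(p)] == p


class RbacTable:
    def __init__(self):
        self.perms = deepcopy(DEFAULT_PERMISSIONS)
        self.inherits = {}  # user-defined role -> role it was copied from (or None)

    def userrole(self, name, inherit=None):
        """userrole <name> [inherit <role>]: a one-time copy; later parent changes do not propagate."""
        if name in self.perms:
            raise ValueError(f"role {name} already exists")
        if len(self.inherits) >= MAX_USER_ROLES:
            raise ValueError(f"at most {MAX_USER_ROLES} user-defined roles are allowed")
        if inherit is not None and inherit not in self.perms:
            raise ValueError(f"unknown role {inherit}")
        self.perms[name] = deepcopy(self.perms[inherit]) if inherit else {}
        self.inherits[name] = inherit

    def role(self, mode, action, role_name, command):
        """role <mode> {addrole|deleterole} <role> <command>: changes this role only."""
        if role_name == "sysadmin":
            raise ValueError("system administrator permissions cannot be modified")
        if role_name not in self.perms or action not in ("addrole", "deleterole"):
            raise ValueError(f"bad role or action: {role_name} {action}")
        self.perms[role_name].setdefault(mode, {})[command] = action == "addrole"

    def _system_ancestor(self, name):
        while name is not None and name not in SYSTEM_ROLES:
            name = self.inherits.get(name)
        return name

    def reset(self, mode, command):
        """role <mode> reset <command>: defaults back for system roles and roles inheriting from them."""
        for name, table in self.perms.items():
            root = self._system_ancestor(name)
            if root is None:
                continue  # a role created without inheritance keeps its own rules
            table.setdefault(mode, {}).pop(command, None)
            defaults = DEFAULT_PERMISSIONS[root].get(mode, {})
            if command in defaults:
                table[mode][command] = defaults[command]

    def authorized(self, role, mode, command):
        """Most specific matching prefix wins; no matching prefix means deny."""
        rules = self.perms.get(role, {}).get(mode, {})
        matching = [p for p in rules if _is_prefix(p, command)]
        if not matching:
            return False
        return rules[max(matching, key=lambda p: len(_tokens(p)))]

    def show_role(self, mode, command):
        """show role mode <mode> <command>: roles with access to the command or anything under it."""
        out = []
        for role, table in self.perms.items():
            under = any(allowed and _is_prefix(command, p) for p, allowed in table.get(mode, {}).items())
            if under or self.authorized(role, mode, command):
                out.append(role)
        return sorted(out)

    def modes(self, role):
        """Modes the role can enter, as the Modes column of 'show userroles' lists them."""
        return sorted(m for m, rules in self.perms[role].items() if any(rules.values()))
```

The model's one design decision worth noting is the snapshot in userrole: because the guide states that role changes do not flow to roles that inherited from the modified role, a deleterole on secadmin leaves a previously created myrole untouched, while reset, which the guide describes as also affecting inheriting roles, walks each role back to its system-defined ancestor's default.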

Adding and Deleting Users from a Role

To create a user name that is authenticated based on a user role, use the username name password encryption-type password role role-name command in CONFIGURATION mode.

Example

The following example creates a user name that is authenticated based on a user role.

Dell(conf)#username john password 0 password role secadmin

The following example deletes a user role.

NOTE: If you already have a user ID that exists with a privilege level, you can add the user role to username that has a privilege

Dell(conf)#no username john

The following example adds a user to the secadmin user role.

Dell(conf)#username john role secadmin password 0 password

AAA Authentication and Authorization for Roles

This section describes how to configure AAA Authentication and Authorization for Roles.

Configuration Task List for AAA Authentication and Authorization for Roles

This section contains the following AAA Authentication and Authorization for Roles configuration tasks:

• Configuring AAA Authentication for Roles

• Configuring AAA Authorization for Roles

• Configuring TACACS+ and RADIUS VSA Attributes for RBAC

Configure AAA Authentication for Roles

Authentication services verify the user ID and password combination. Users with associated roles and users with privileges are authenticated with the same mechanism. For information, see AAA Authentication and Authorization for Roles.


To configure AAA authentication, use the aaa authentication login command in CONFIGURATION mode.

Syntax

aaa authentication login {method-list-name | default} method [… method4]

For complete information about how to configure the aaa authentication login command, see the AAA Authentication and Authorization for Roles section and the Dell Networking Command Line Reference Guide for your system.

Dell(conf)# aaa authentication login ccaaa_console local
Dell(conf)# aaa authentication login ccaaa_vty local

If the user has no user role, access to the system is denied because the user will not be able to log in successfully. When you enable role-based only AAA authorization using the aaa authorization role-only command in CONFIGURATION mode, the Dell Networking OS checks to ensure that you do not lock yourself out and that user authentication is available for all terminal lines.

Syntax

aaa authorization role-only

IMPORTANT: Before you enable role-based only AAA authorization, carefully review the pre-requisites in “Configuring Role-based Only AAA Authorization”.

For complete information on using the role-based access control (RBAC) feature, see Role-Based Access Control. For information about how authentication and authorization is applied to the console and terminal, see the Console and Terminal Lines section in this document.

Dell(conf)# aaa authorization role-only

Configure AAA Authorization for Roles

Authorization services determine whether the user has permission to use a command in the CLI. Users with only privilege levels can use commands in privilege-or-role mode (the default) provided their privilege level is equal to or greater than the privilege level of those commands. Users with defined roles can use commands provided their role is permitted to use those commands. Role inheritance is also used to determine authorization.

Users with roles and privileges are authorized with the same mechanism. There are six methods available for authorization: radius, tacacs+, local, enable, line, and none.

When role-based only AAA authorization is enabled, the enable, line, and none methods are not available. Each of these three methods allows users to be authorized either with a password that is not specific to their user ID or with no password at all. Because of this lack of security, these methods are not available in role-based only mode.

To configure AAA authorization, use the aaa authorization exec command in CONFIGURATION mode. The aaa authorization exec command determines which CLI mode the user starts in for their session; for example, Exec mode or Exec Privilege mode. For information about how to configure authentication for roles, see Configure AAA Authentication for Roles.

aaa authorization exec {method-list-name | default} method [… method4]

You can further restrict users’ permissions using the aaa authorization command command in CONFIGURATION mode.

aaa authorization command {method-list-name | default} method [… method4]

Examples of Applying a Method List


The following configuration example applies a method list: TACACS+, RADIUS and local:

!
radius-server host 10.16.150.203 key <clear-text>
!
tacacs-server host 10.16.150.203 key <clear-text>
!
aaa authentication login ucraaa tacacs+ radius local
aaa authorization exec ucraaa tacacs+ radius local
aaa accounting commands role netadmin ucraaa start-stop tacacs+
!

The following configuration example applies a method list other than default to each VTY line.

NOTE: The method lists were not applied to the console, so the default methods (if configured) are applied there.

!
line console 0
 exec-timeout 0 0
line vty 0
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 1
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 2
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 3
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 4
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 5
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 6
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 7
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 8
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 9
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
!


Configuring TACACS+ and RADIUS VSA Attributes for RBAC

For RBAC and privilege levels, the Dell Networking OS RADIUS and TACACS+ implementation supports two vendor-specific options: privilege level and roles. The Dell Networking vendor-ID is 6027, and the supported option is an attribute of type string titled “Force10-avpair”. The value is a string in the following format:

protocol : attribute sep value

“attribute” and “value” are an attribute-value (AV) pair defined in the Dell Networking OS TACACS+ specification, and “sep” is “=”. These attributes allow the full set of features available for TACACS+ authorization, and the same attributes are used for RADIUS authorization.

Example for Configuring a VSA Attribute for a Privilege Level 15

The following example configures an AV pair which allows a user to login from a network access server with a privilege level of 15, to have access to EXEC commands.

The format to create a Dell Networking OS AV pair for privilege level is shell:priv-lvl=<number> where number is a value between 0 and 15.

Force10-avpair= "shell:priv-lvl=15"

Example for Creating an AV Pair for a System-Defined or User-Defined Role

The following section shows you how to create an AV pair to allow a user to log in from a network access server and have access to commands based on the user’s role. The format to create an AV pair for a user role is Force10-avpair= "shell:role=<user-role>" where user-role is a user-defined or system-defined role.

In the following example, you create an AV pair for a system-defined role, sysadmin.

Force10-avpair= "shell:role=sysadmin"

In the following example, you create an AV pair for a user-defined role. You must also define a role, using the userrole myrole inherit command on the switch to associate it with this AV pair.

Force10-avpair= "shell:role=myrole"

The string, “myrole”, is associated with a TACACS+ user group. The user IDs are associated with the user group.
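The Force10-avpair format above is simple enough to parse and validate on the server side before a user is ever allowed to authenticate with it. The following Python module is an added illustration, not Dell Networking OS or server code: it parses the protocol:attribute=value string (tolerating the typographic quotes the printed examples use), applies the rules stated in this appendix (priv-lvl between 0 and 15; a role must already exist on the switch; a role takes precedence over a privilege level; a user with no role is denied in role-only mode), and packs the string into a RADIUS Vendor-Specific attribute with vendor-ID 6027 using the RFC 2865 layout. The vendor sub-type 1 for Force10-avpair is an assumption taken from common RADIUS dictionaries, not something this guide states; the function and constant names are the example's own.

```python
"""Parsing, validating and encoding the Force10-avpair VSA.

Added example, not Dell Networking OS code.  Vendor-ID 6027 and the
'protocol:attribute=value' format come from the guide; the vendor
sub-type 1 for Force10-avpair is an assumption from common RADIUS
dictionaries.
"""
import re
import struct

VENDOR_ID = 6027                      # Dell Networking vendor-ID (from the guide)
ATTRIBUTE_NAME = "Force10-avpair"
RADIUS_VENDOR_SPECIFIC = 26           # RFC 2865 Vendor-Specific attribute type
FORCE10_AVPAIR_VENDOR_TYPE = 1        # assumption, see module docstring

AVPAIR_RE = re.compile(
    r"^(?P<protocol>[A-Za-z0-9_-]+)\s*:\s*(?P<attribute>[A-Za-z0-9_-]+)\s*=\s*(?P<value>\S+)$")


def parse_avpair(text):
    """Parse 'Force10-avpair= "shell:role=myrole"' or just 'shell:role=myrole'."""
    text = text.strip()
    if text.startswith(ATTRIBUTE_NAME):
        text = text[len(ATTRIBUTE_NAME):].strip().lstrip("=").strip()
    text = text.strip('"\u201c\u201d')  # tolerate straight and typographic quotes
    match = AVPAIR_RE.match(text)
    if not match:
        raise ValueError(f"malformed AV pair: {text!r}")
    return match.groupdict()


def authorization_from_avpairs(avpairs, known_roles):
    """Reduce a server's AV pairs to {'role': ..., 'priv_lvl': ...}, validating each."""
    result = {"role": None, "priv_lvl": None}
    for pair in avpairs:
        p = parse_avpair(pair)
        if p["protocol"] != "shell":
            continue
        if p["attribute"] == "priv-lvl":
            level = int(p["value"])
            if not 0 <= level <= 15:
                raise ValueError(f"priv-lvl out of range: {level}")
            result["priv_lvl"] = level
        elif p["attribute"] == "role":
            if p["value"] not in known_roles:
                raise ValueError(f"role {p['value']!r} is not defined on the switch")
            result["role"] = p["value"]
    return result


def effective_access(auth, authorization_mode):
    """Role first; a privilege level only counts in 'role or privilege' mode."""
    if auth["role"] is not None:
        return ("role", auth["role"])
    if authorization_mode == "role-only":
        return None  # login denied: no role in role-only mode
    if auth["priv_lvl"] is not None:
        return ("privilege", auth["priv_lvl"])
    return None


def encode_force10_vsa(avpair):
    """RADIUS VSA: type 26, length, vendor-ID, then vendor-type, vendor-length, string."""
    value = avpair.encode()
    sub = struct.pack("!BB", FORCE10_AVPAIR_VENDOR_TYPE, 2 + len(value)) + value
    body = struct.pack("!I", VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_force10_vsa(data):
    """Inverse of encode_force10_vsa, checking every length and identifier."""
    attr_type, length = struct.unpack("!BB", data[:2])
    vendor_id, = struct.unpack("!I", data[2:6])
    vendor_type, vendor_len = struct.unpack("!BB", data[6:8])
    if (attr_type != RADIUS_VENDOR_SPECIFIC or length != len(data)
            or vendor_id != VENDOR_ID or vendor_type != FORCE10_AVPAIR_VENDOR_TYPE
            or vendor_len != len(data) - 6):
        raise ValueError("not a well-formed Force10-avpair VSA")
    return data[8:].decode()
```

The known_roles set passed to authorization_from_avpairs should mirror show userroles on the switch; an AV pair naming a role that has not been created with userrole is rejected before it reaches the device, which is the failure the paragraph above warns about.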

Role Accounting

This section describes how to configure role accounting and how to display active sessions for roles.

This section consists of the following topics:

• Configuring AAA Accounting for Roles

• Applying an Accounting Method to a Role

• Displaying Active Accounting Sessions for Roles

Configuring AAA Accounting for Roles

To configure AAA accounting for roles, use the aaa accounting command in CONFIGURATION mode.

aaa accounting {system | exec | commands {level | role role-name}} {name | default} {start-stop | wait-start | stop-only} {tacacs+}

Example of Configuring AAA Accounting for Roles


The following example shows you how to configure AAA accounting to monitor commands executed by the users who have a secadmin user role.

Dell(conf)#aaa accounting command role secadmin default start-stop tacacs+

Applying an Accounting Method to a Role

To apply an accounting method list to the commands executed by users who have a given user role, use the accounting command in LINE mode.

accounting {exec | commands {level | role role-name}} method-list

Example of Applying an Accounting Method to a Role

The following example applies the accounting default method to the user role secadmin (security administrator).

Dell(conf-vty-0)# accounting commands role secadmin default

Displaying Active Accounting Sessions for Roles

To display active accounting sessions for each user role, use the show accounting command in EXEC mode.

Example of Displaying Active Accounting Sessions for Roles

Dell#show accounting
Active accounted actions on tty2, User john Priv 1 Role netoperator
Task ID 1, EXEC Accounting record, 00:00:30 Elapsed, service=shell
Active accounted actions on tty3, User admin Priv 15 Role sysadmin
Task ID 2, EXEC Accounting record, 00:00:26 Elapsed, service=shell

Display Information About User Roles

This section describes how to display information about user roles and consists of the following topics:

• Displaying User Roles

• Displaying Information About Roles Logged into the Switch

• Displaying Active Accounting Sessions for Roles

Displaying User Roles

To display user roles, use the show userroles and show users commands in EXEC Privilege mode.

Example of Displaying User Roles

Dell#show userroles
Role         Inheritance  Modes
netoperator               Exec
netadmin                  Exec Config Interface Line Router IP Routemap Protocol MAC
secadmin                  Exec Config
sysadmin                  Exec Config Interface Line Router IP Routemap Protocol MAC
testadmin    netadmin     Exec Config Interface Line Router IP Routemap Protocol MAC


Displaying Role Permissions Assigned to a Command

To display the permissions assigned to a command, use the show role command in EXEC Privilege mode. The output displays the user role and/or permission level.

Example of Role Permissions Assigned to a Command

Dell#show role mode ?
configure    Global configuration mode
exec         Exec Mode
interface    Interface configuration mode
line         Line Configuration mode
route-map    Route map configuration mode
router       Router configuration mode

Dell#show role mode configure username
Role access: sysadmin

Dell#show role mode configure password-attributes
Role access: secadmin,sysadmin

Dell#show role mode configure interface
Role access: netadmin, sysadmin

Dell#show role mode configure line
Role access: netadmin,sysadmin

Displaying Information About Users Logged into the Switch

To display information on all users logged into the switch, use the show users command in EXEC Privilege mode. The output displays the privilege level and/or user role. The authorization mode is displayed at the start of the output, and both the privilege level and the role of every user are also displayed. If the role is not defined, the system displays "unassigned".

Example of Displaying Information About Users Logged into the Switch

Dell#show users
Authorization Mode: role or privilege
    Line        User   Role        Privilege  Host(s)  Location
  0 console 0   admin  sysadmin    15         idle
* 3 vty 1       sec1   secadmin    14         idle     172.31.1.4
  4 vty 2       ml1    netadmin    12         idle     172.31.1.5


Appendix B — X.509v3

Topics:

• Introduction to X.509v3 certification

• X.509v3 support in Dell Networking OS

• Information about installing CA certificates

• Information about Creating Certificate Signing Requests (CSR)

• Signing X.509v3 Certificates

• Information about installing trusted certificates

• Transport layer security (TLS)

• Online Certificate Status Protocol (OCSP)

• Verifying certificates

• Event logging

Introduction to X.509v3 certification

X.509v3 is a standard for public key infrastructure (PKI) to manage digital certificates and public key encryption.

The X.509v3 standard specifies a format for public-key certificates or digital certificates.

Transport Layer Security (TLS) relies on public key certificates to work.

X.509v3 certificates

An X.509v3 or digital certificate is an electronic document used to prove ownership of a public key. It contains information about the key's identity, information about the key's owner, and the digital signature of an entity that has verified the certificate's content as correct.

Certificate authority (CA)

The entity that verifies the contents of the digital certificate and signs it, indicating that the certificate is valid and correct, is called the Certificate Authority (CA).

Certificate signing requests (CSR)

In an X.509v3 system, an entity that wants a signed certificate or a digital certificate requests one through a Certificate Signing Request (CSR).

How certificates are requested

The following enumeration describes the generic steps that are involved in issuing a digital certificate:


1 An entity or organization that wants a digital certificate requests one through a CSR.

2 To request a digital certificate through a CSR, a key pair is generated and the CSR is signed using the secret private key. The CSR contains information identifying the applicant and the applicant's public key. This public key is used to verify the signature of the CSR and the Distinguished Name (DN).

3 This CSR is sent to a Certificate Authority (CA). The CA verifies the certificate and signs it using the CA's own private key.

4 The CA then issues the certificate by binding a public key to a particular distinguished name (DN). This certificate becomes the entity's trusted root certificate.

Advantages of X.509v3 certificates

Public key authentication is preferred over password-based authentication, although both may be used in conjunction, for various reasons. Public-key authentication provides the following advantages over normal password-based authentication:

• Public-key authentication avoids the human problems of low-entropy password selection and provides more resistance to brute-force attacks than password-based authentication.

• It facilitates trusted, provable identities—when using certificates signed by trusted CAs.

• It also provides integrity and confidentiality in addition to authentication.

X.509v3 support in Dell Networking OS

Dell Networking OS supports the X.509v3 certificate format.

Many organizations or entities need to let their customers know that the connection to their devices and network is secure. These organizations pay an internationally trusted Certificate Authority (CA), such as VeriSign, DigiCert, and so on, to sign a certificate for their domain.

To implement an X.509v3 infrastructure, Dell Networking OS recommends that you act as your own CA. Common use cases for acting as your own CA include issuing certificates to clients to allow them to authenticate to a server, for example Apache, OpenVPN, and so on.

Acting as a certificate authority (CA) means dealing with cryptographic pairs of private keys and public certificates. The first cryptographic pair you create is the root pair. This root pair consists of the root key (ca.key.pem) and root certificate—ca.cert.pem. This pair forms the identity of your CA.

Typically, a root CA does not sign server or client certificates directly. The root CA is only ever used to create one or more intermediate CAs. These intermediate CAs are trusted by the root CA to sign certificates on their behalf. This is the best practice. It allows the root key to be kept offline and used to a minimal extent, as any compromise of the root key is disastrous.

For more generic information on setting up your own Certificate Authority (CA), see https://jamielinux.com/docs/openssl-certificate-authority/index.html#.

The following is a sample network topology in which a simple X.509v3 infrastructure is implemented:


The Root CA generates a private key and a self-signed CA certificate.

The Intermediate CA generates a private key and a Certificate Signing Request (CSR).

Using its private key, the root CA signs the intermediate CA’s CSR, generating a CA certificate for the Intermediate CA. This intermediate CA can then sign certificates for hosts in the network and also for further intermediate CAs. These CA certificates (root CA and any intermediate CAs), but not the corresponding private keys, are made publicly available on the network.

NOTE: CA certificates may also be bundled together for ease of installation. Their .PEM files are concatenated in order from the “lowest” ranking CA certificate to the Root CA certificate. Dell Networking OS handles installation of bundled certificate files.

The other hosts on the network, such as the SUT switch, syslog server, and OCSP server, generate private keys and create Certificate Signing Requests (CSRs). The hosts then upload the CSRs to the Intermediate CA or make the CSRs available for the Intermediate CA to download. Dell Networking OS generates a CSR using the crypto cert generate request command.

The hosts on the network (SUT, syslog, OCSP…) also download and install the CA certificates from the Root and Intermediate CAs into their own trusted CA store of certificates. By installing these CA certificates, the hosts trust any certificates signed by these CAs.

NOTE: You can download and install CA certificates in one step using the crypto ca-cert install command.

The intermediate CA signs the hosts’ CSRs and makes the resulting certificates available for download, for example from an FTP root directory.

Alternatively, the Intermediate CA can also generate private keys and certificates for the hosts. The CA then makes the private key or certificate pairs available for each host to download. You can password-encrypt the private key for additional security and then decrypt it with a password using the crypto cert install command.

The hosts on the network (SUT, syslog, OCSP…) download and install their corresponding signed certificates. The hosts can also verify that the certificate they received is their own, using the private key they generated earlier.

NOTE: When you use the crypto cert install command to download and install certificates, Dell Networking OS automatically verifies whether a device has its own certificate.

Now that the X.509v3 certificates are installed on the SUT and Syslog server, these certificates can be used during TLS protocol negotiations so that the devices can verify each other’s trustworthiness and exchange session keys to protect session data. The devices verify each other’s certificates using the CA certificates they installed earlier. The SUT enables Syslog-over-TLS by configuring the secure keyword in the logging configuration. For example, logging 10.11.178.1 secure 6514.


During the initial TLS protocol negotiation, both participating parties also check whether the other’s certificate has been revoked by the CA. To do this check, the devices query the CA’s designated OCSP responder on the network. The OCSP responder information is either included in the presented certificate (the Intermediate CA inserts it when signing the certificate) or statically configured on the host.

Information about installing CA certificates

Dell Networking OS enables you to download and install X.509v3 certificates from Certificate Authorities (CAs).

In a data center environment, CA certificates are created by trusted hosts on the network. By digitally signing devices' certificates with the CA's private key, trust can be established among all devices in a network. These CA certificates, installed on each of the devices, are used to verify certificates presented by clients and servers such as the Syslog servers.

Dell Networking OS allows you to download CA certificates using the crypto ca-cert install command. In this command, you can specify:

• That the certificate is a CA certificate

• The location from which to download the certificate and the protocol to use. For example, tftp://192.168.1.100/certificates/CAcert.pem. Locations can be usbflash, built-in flash, TFTP, FTP, or SCP hosts.

After you download a CA certificate, the system verifies the following aspects of the CA certificate:

• The system checks if “CA:TRUE” is specified in the certificate’s extensions section and the keyCertSign bit (bit 5) is set in the KeyUsage bit string extension. If these extensions are not set, the system does not install the certificate.

• The system checks if the Issuer and Subject fields are the same. If these fields are the same, the certificate is a self-signed certificate. Such certificates are also called root CA certificates, as they are not signed by another CA. The system verifies the certificate with its own public key and installs it.

• If the Issuer and Subject fields differ, the certificate is signed by another CA farther up the chain. These certificates are also called intermediate certificates. If the higher CA certificate is installed on the switch, the system verifies the downloaded certificate with that CA's public key. The system repeats this process until the root certificate is reached. The certificate is rejected if signature verification fails.

• If the higher CA certificate is not installed on the switch, the system rejects the intermediate CA certificate and logs the attempt. The system also displays a message indicating the reason for the failure of the CA certificate installation.

• The system checks the “not before” and “not after” fields against the current system date to ensure that the certificate is within its validity period and has not expired.

The verified CA certificate is installed on the switch by adding it to an existing file that contains trusted certificates. This file stores certificates in root-last order: the downloaded certificate is inserted before its own issuer but after any certificates that it may have issued, so the file stays in root-last order. The file may contain multiple certificates in PEM format concatenated together. It is stored in a private and persistent location on the device, such as the flash://ADMIN_DIR folder.

After the CA certificate is installed, the system can secure communications with TLS servers by verifying certificates that are signed by the CA.
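The acceptance checks described above, worked through with the openssl command line as an added example (this is not Dell Networking OS code and not the switch's actual implementation): install_ca_cert enforces CA:TRUE and keyCertSign, verifies a self-signed root against itself and an intermediate against the CAs already in the bundle, and inserts an accepted certificate in root-last order. make_test_pki constructs a throwaway root, intermediate and host certificate (the host extensions mirror the usr_cert section later in this appendix) so the script runs offline; it assumes only openssl(1) and a POSIX sh.

```sh
#!/bin/sh
# Added example, not Dell Networking OS code: reproduces the acceptance checks the
# guide describes for "crypto ca-cert install" with the openssl(1) CLI and keeps the
# trusted bundle in root-last order. All certificates are constructed on the fly by
# make_test_pki; nothing is fetched from the network.

# Print the subject or issuer DN of a PEM certificate without the "subject="/"issuer=" prefix.
cert_field() {  # $1 = subject|issuer, $2 = PEM file
  openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'
}

# Split a concatenated PEM bundle into numbered single-certificate files.
split_bundle() {  # $1 = bundle file, $2 = output directory
  awk -v d="$2" '/-----BEGIN CERT/ { n++; f = sprintf("%s/%04d.crt", d, n) } { print > f }' "$1"
}

# List the subjects in bundle order: lowest-ranking CA first, root last.
bundle_subjects() {  # $1 = bundle file
  tmp=$(mktemp -d); split_bundle "$1" "$tmp"
  for c in "$tmp"/*.crt; do [ -f "$c" ] && cert_field subject "$c"; done
  rm -rf "$tmp"
}

# Check 1: basicConstraints must say CA:TRUE and keyUsage must include keyCertSign,
# which "openssl x509 -text" prints as "Certificate Sign".
has_ca_flags() {  # $1 = PEM file
  txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$txt" | grep -q 'Certificate Sign'
}

# Check 2: a self-signed certificate (Issuer == Subject) is verified with its own key;
# any other CA certificate must chain to a CA already in the bundle, otherwise it is
# rejected. "openssl verify" also enforces the notBefore/notAfter window.
signature_ok() {  # $1 = PEM file, $2 = bundle file (may be empty)
  if [ "$(cert_field subject "$1")" = "$(cert_field issuer "$1")" ]; then
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
  else
    [ -s "$2" ] && openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# Insert the certificate immediately before its issuer so the file stays root-last;
# a root, which has no issuer in the file, is appended at the end.
insert_root_last() {  # $1 = PEM file, $2 = bundle file
  tmp=$(mktemp -d); out="$tmp/new.pem"; issuer=$(cert_field issuer "$1"); placed=0
  : > "$out"
  [ -s "$2" ] && split_bundle "$2" "$tmp"
  for c in "$tmp"/*.crt; do
    [ -f "$c" ] || continue
    if [ "$placed" = 0 ] && [ "$(cert_field subject "$c")" = "$issuer" ]; then
      cat "$1" >> "$out"; placed=1
    fi
    cat "$c" >> "$out"
  done
  [ "$placed" = 0 ] && cat "$1" >> "$out"
  mv "$out" "$2"; rm -rf "$tmp"
}

# install_ca_cert <pem> <bundle>: 0 when installed, 1 when rejected (reason on stderr).
install_ca_cert() {
  has_ca_flags "$1" || { echo "rejected: CA:TRUE or keyCertSign missing" >&2; return 1; }
  signature_ok "$1" "$2" || { echo "rejected: signature, chain or validity check failed" >&2; return 1; }
  insert_root_last "$1" "$2"
}

# Constructed test data: root CA -> intermediate CA -> host certificate. The host
# extensions mirror the guide's usr_cert section (CA:FALSE, no keyCertSign).
make_test_pki() {  # $1 = working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment,keyAgreement\nextendedKeyUsage=serverAuth,clientAuth\n' > "$d/host.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -days 1825 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/host.key" -out "$d/host.csr" -subj "/CN=s4810-001" 2>/dev/null
  openssl x509 -req -in "$d/host.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -days 365 -extfile "$d/host.ext" -out "$d/host.pem" 2>/dev/null
}

# Walk through the outcomes the text describes: intermediate first (rejected, its issuer
# is not installed), then root, then intermediate, then a host certificate (rejected, CA:FALSE).
demo() {
  d=$(mktemp -d); make_test_pki "$d"; bundle="$d/ca-certs.pem"; : > "$bundle"
  for name in int root int host; do
    if install_ca_cert "$d/$name.pem" "$bundle" 2>/dev/null; then echo "$name.pem: installed"; else echo "$name.pem: rejected"; fi
  done
  echo "bundle order (root-last):"; bundle_subjects "$bundle"
  rm -rf "$d"
}

case "${1-}" in demo) demo ;; esac
```

Run with `sh install_ca_cert.sh demo` to see the rejected intermediate, the two accepted CAs and the resulting root-last bundle order.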

Installing CA certificate

To install a CA certificate, enter the crypto ca-cert install {path} command in Global Configuration mode.

Information about Creating Certificate Signing Requests (CSR)

A Certificate Signing Request (CSR) enables a device to get an X.509v3 certificate from a CA.

For a device to get an X.509v3 certificate, the device first requests a certificate from a CA through a Certificate Signing Request (CSR). While creating a CSR, you need to provide information about the certificate and the private key details. Dell Networking OS enables you to create a private key and a CSR for a device using a single command.


NOTE: For the procedure about creating CSRs, see Creating Certificate Signing Requests.

If you do not specify the cert-file option, the system prompts you to enter metadata information related to the CSR as follows:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value;
if you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) []:Starfleet Command
Organizational Unit Name (eg, section) []:NCC-1701A
Common Name (eg, YOUR name) [hostname]:S4810-001
Email Address []:[email protected]

The switch uses SHA-256 as the digest algorithm, and the public key algorithm is RSA with a 2048-bit modulus. The KeyUsage bits of the certificate assert keyEncipherment (bit 2) and keyAgreement (bit 4). The keyCertSign bit (bit 5) is NOT set. The ExtendedKeyUsage fields indicate serverAuth and clientAuth.

The attribute CA:FALSE is set in the Extensions section of the certificate. The certificate is NOT used to validate other certificates. The CSR is then copied out to the CA server. It can be copied from flash to a destination like usbflash, TFTP, FTP, or SCP.

The CA server signs the CSR with its private key. The CA server then makes the signed certificate available for the requesting device to download and install.

Signing X.509v3 Certificates

This section explains how X.509v3 certificates are signed.

The process of creating a certificate signing request results in two files: a certificate signing request (CSR) file and a private key file. Both files are in PEM (Privacy Enhanced Mail) format. The CSR file must be signed by a Certificate Authority for it to be processed into a certificate PEM file.

OpenSSL is one of the tools that can be used to sign certificates. The OpenSSL utility on the CA system can be used to sign the certificate following the guidelines and policies defined in its configuration file and possibly external files. The following figure illustrates a typical directory setup of the OpenSSL utility:


Figure 1. Example OpenSSL Directory Structure

Example Scenario — Using OpenSSL to Sign CSRs

This section describes how to sign CSRs. This is an example scenario that gives you an overall idea of how certificate signing is done using OpenSSL.

The following list enumerates the process of signing X.509v3 certificates using the OpenSSL directory structure shown in Figure 1:

1 The intermediate CA that signs the certificates must have its own private key and certificate file ready for use before it can sign any certificate. This example scenario assumes that the CA’s private key is stored at /usr/local/ssl/certs/ca/intermediateCA/private/intCA.key.pem and that the CA’s certificate is stored at /usr/local/ssl/certs/ca/intermediateCA/certs/intCA.pem.

NOTE: For more information on creating CA infrastructure, see your TLS utility’s documentation.

2 Ensure that the OpenSSL configuration file contains a reference to the CA’s private key. The following example shows part of the CA’s configuration file:

[ ca ]
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /usr/local/ssl/certs/ca/intermediateCA
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand
copy_extensions   = copy

# The CA key and CA certificate.
private_key       = $dir/private/intCA.key.pem
certificate       = $dir/certs/intCA.pem

...

3 Copy the PEM file corresponding to the certificate signing request to the CA system that is used to sign the certificates. This system is typically an intermediate CA system, and the file must be present in the csr directory for use with OpenSSL.


4 Ensure that the contents of the OpenSSL configuration file match the desired fields in the certificate. The following are some of the fields typically desired in the certificate:

• Serial Number

• Validity

• Subject details which are typically provided in the CSR

• Basic Constraints

• Subject Key Identifier (optional)

• Authority Key Identifier

• Key Usage (flags)

• Extended Key Usage (optional)

• Authority Info Access (used to identify the OCSP responder address)

• Subject Alternative Name – can be used to identify the system by IPv4 or IPv6 address, DNS name, and so on.

The following example shows a section in the OpenSSL configuration file:

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = clientAuth,serverAuth
authorityInfoAccess = OCSP;URI:http://10.11.178.155:8888

Any certificate signed using the fields in this section of the configuration file contains these fields as part of the certificate.

An important field that is unique to a certificate is the Subject Alt Name.

NOTE: Although the PEM file corresponding to the CSR contains the Common Name field (typically the hostname of the system), the Common Name field is deprecated by newer versions of the X.509 standards. The Common Name field can never contain an IP address.

Since the Subject Alt Name field must be unique per system, either the OpenSSL configuration file is changed for each certificate or an external file is used to further define the fields. The external file has the Subject Alt Name field that contains either an IP address (IPv4 or IPv6) or a DNS name.

subjectAltName = IP:10.11.179.33

NOTE: Dell Networking highly recommends using the SubjectAltName field for all certificates.

5 You can now sign the certificates. The following is an example command:

openssl ca -config intermediateCA_openssl.cnf -extensions usr_cert -days 365 -notext -md sha256 -extfile s48107.ext -in csr/dv-s4810-7.csr.pem -out certs/dv-s4810-7.pem

where usr_cert refers to the section in the OpenSSL configuration file intermediateCA_openssl.cnf, and the external file s48107.ext contains the subjectAltName line. The command produces output like the following:

Using configuration from intermediateCA_openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4101 (0x1005)
        Validity
            Not Before: Apr  1 15:18:12 2016 GMT
            Not After : Apr  1 15:18:12 2017 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            localityName              = Santa Clara
            organizationName          = My COmpany
            organizationalUnitName    = Networking
            commonName                = dv-s4810-7
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                8D:14:A0:78:68:05:52:A7:B2:6F:F0:2B:54:64:EE:58:84:D4:FC:94
            X509v3 Authority Key Identifier:
                keyid:B7:EA:95:8C:F4:03:3D:00:33:D7:79:50:91:C3:D6:32:14:6E:7B:9B
                DirName:/C=US/ST=California/L=Santa Clara/O=Dell Inc./OU=Networking Fedgov/CN=Fedgov_BranchCA2/[email protected]
                serial:10:00
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            Authority Information Access:
                OCSP - URI:http://10.11.178.155:8888
            X509v3 Subject Alternative Name:
                IP Address:10.11.179.33
Certificate is to be certified until Apr  1 15:18:12 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

6 After the certificate is signed, copy the newly signed certificate back to the original system, where it is ready for installation.

Information about installing trusted certificates

Dell Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS.

This trusted certificate is also presented to the TLS server implementations that require client authentication such as Syslog. The certificate is digitally signed with the private key of a CA server.

You can download the trusted certificate for a device from flash, usbflash, tftp, ftp, or scp. This certificate is stored in the BSD file system and can be used to authenticate the switch to clients.

Transport layer security (TLS)

Transport Layer Security (TLS) provides cryptographic protection for TCP-based application protocols.

In the Dell Networking OS, TLS already protects secure HTTP for REST and HTTPD server implementations.

NOTE: There are three modern versions of the TLS protocol: 1.0, 1.1, and 1.2. Older versions, called “SSL” v1, v2, and v3, are not supported.

The TLS protocol implementation in Dell Networking OS takes care of the following activities:

• Session negotiation and shutdown

• Protocol Version

• Cryptographic algorithm selection

• Session resumption and renegotiation

• Certificate revocation checking, which may be accomplished through OCSP

When operating in FIPS mode, the system is restricted to the TLS 1.2 protocol version only and supports the following cipher suites, in line with the NIST SP800-131A Rev 1 policy document (published July 2015):

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

When not operating in FIPS mode, the system may support TLS 1.0 up to 1.2, and older ciphers and hashes:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA

TLS compression is disabled by default. TLS session resumption is also supported to reduce the processor and traffic overhead of public key cryptographic operations and handshake traffic. The maximum time allowed for a TLS session to resume without repeating the TLS authentication or handshake process is configurable; the default is 1 hour.

As the encryption algorithms are restricted to match the FIPS mode correctly, TLS version 1.2 does not require configuration.

In FIPS mode, the ciphers are:

• DHE RSA key exchange with aes128-cbc

• RSA key exchange with aes128-cbc

• DHE RSA key exchange with aes256-cbc

• RSA key exchange with aes256-cbc

As the HMAC algorithms are restricted to match the FIPS mode correctly, TLS version 1.2 does not require configuration. SHA-1 and SHA-256 are the hash algorithms used in FIPS mode.

Syslog over TLS

Syslog over TLS mandates that a client certificate must be presented, to ensure that all Syslog entries written to the server are from a trusted client.

Online Certificate Status Protocol (OCSP)

Use the Online Certificate Status Protocol (OCSP) to obtain the revocation status of an X.509v3 certificate.

A device or a Certificate Authority (CA) can check the status of an X.509v3 certificate by sending an OCSP request to an OCSP server or responder. An OCSP responder, a server typically run by the certificate issuer, returns a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. The OCSP response indicates whether the presented certificate is valid.

OCSP provides a way for Certificate Authorities to revoke signed certificates before the expiration date. In a CA certificate, OCSP Responder information is specified in the authorityInfoAccess extension.

A CA can verify the revocation status of a certificate with multiple OCSP responders. When multiple OCSP responders exist, you can configure the order or preference the CA takes while contacting various OCSP responders for verification.

Upon receiving a presented certificate, the system sends an OCSP request to an OCSP responder over HTTP. The system then verifies the OCSP response using either a trusted public key or the OCSP responder’s own self-signed certificate. That self-signed certificate must be installed in the device's trusted store before any OCSP request is made. The system accepts or rejects the presented certificate based on the OCSP response.


In a scenario where all OCSP responders are unreachable, the switch accepts the certificate. This is the default behavior. You can also configure an alternate system behavior for when all OCSP responders are unreachable. However, the switch may become vulnerable to a denial-of-service attack if you configure the system to deny the certificate when OCSP responders are not reachable.

The system creates logs for the following events:

• Failures to reach OCSP responders

• Invalid OCSP responses—for example, cannot verify the signed response with an installed CA certificate.

• Rejection of a certificate due to OCSP

Verifying certificates

A CA certificate’s public key is used to decrypt a presented certificate’s signature to obtain a hash value.

The rest of the presented certificate is also hashed and if the two hashes match then the certificate is considered valid.

During verification, the system checks the presented certificates for revocation information. The system also enables you to configure the behavior when a certificate’s revocation status cannot be verified; for example, when the OCSP responder is unreachable, you can configure the system to accept or reject the certificate. The default behavior is to accept the certificate. The system also logs the events where the OCSP responders fail or invalid OCSP responses are received.

A CA certificate can also be revoked.

Verifying Server certificates

Verifying server certificates is mandatory in the TLS protocol.

As a result, all TLS-enabled applications require certificate verification, including Syslog servers. The system checks the Server certificates against installed CA certificates.

NOTE: As part of the certificate verification, the hostname or IP address of the server is verified against the hostname or IP address specified in the application. For example, when using SYSLOG over TLS, the hostname or IP address specified in the logging syslog-server secure port port-number command is compared against the SubjectAltName or Common Name field in the server certificate.

Verifying Client Certificates

Verifying client certificates is optional in the TLS protocol and is not explicitly required by Common Criteria.

However, TLS-protected Syslog and RADIUS protocols mandate that certificate-based mutual authentication be performed.

Event logging

The system logs the following events:

• A CA certificate is installed or deleted.

• A self-signed certificate and private key are generated.

• An existing host certificate, a private key, or both are deleted.

• A host certificate is installed successfully.

• An installed certificate (host certificate or CA certificate) is within seven days of expiration. This alert is repeated periodically.

• An OCSP request is not answered with an OCSP response.

• A secure session negotiation fails due to invalid, expired, or revoked certificate.


Appendix C — Navigating CLI Modes

This section lists the main CLI modes you use to set up the Common Criteria Configuration. Use this table as a guide to help you navigate the CLI. The Dell Networking OS prompt changes to indicate the CLI mode.

The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command, which takes you directly to EXEC Privilege mode, and the exit command, which moves you up one command mode level.

NOTE: Command modes can vary depending on the switch platform. For a complete list of CLI modes, see the Navigation CLI Commands section in the Dell Networking Configuration Guide for your system. Go to www.dell.com/manuals to access all Dell Networking documentation.

NOTE: Sub-CONFIGURATION modes all have the letters conf in the prompt with more modifiers to identify the mode and slot/port information.

Table 6. Dell Networking OS Command Modes

CLI Command Mode | Prompt | Access Command
--- | --- | ---
EXEC | Dell> | Access the router through the console or terminal line.
EXEC Privilege | Dell# | From EXEC mode, enter the enable command. From any other mode, use the end command.
CONFIGURATION | Dell(conf)# | From EXEC Privilege mode, enter the configure command. From every mode except EXEC and EXEC Privilege, enter the exit command.

NOTE: Access all of the following modes from CONFIGURATION mode.

CLI Command Mode | Prompt | Access Command
--- | --- | ---
AS-PATH ACL | Dell(config-as-path)# | ip as-path access-list
Gigabit Ethernet Interface | Dell(conf-if-gi-1/1)# | interface (INTERFACE modes)
10 Gigabit Ethernet Interface | Dell(conf-if-te-0/0)#, Dell(conf-if-te-1/1)#, Dell(conf-if-te-1/49)#, Dell(conf-if-te-1/1/1)#, Dell(conf-if-te-1/1/1/1)# | interface (INTERFACE modes)
40 Gigabit Ethernet Interface | Dell(conf-if-fo-0/0)#, Dell(conf-if-fo-1/52)#, Dell(conf-if-fo-1/1/1)# | interface (INTERFACE modes)
25 Gigabit Ethernet Interface | Dell(conf-if-tf-1/1/1/1)#, Dell(conf-if-tf-1/1/1)# | interface (INTERFACE modes)
50 Gigabit Ethernet Interface | Dell(conf-if-fi-1/1/1)#, Dell(conf-if-fi-1/1/1/1)# | interface (INTERFACE modes)
100 Gigabit Ethernet Interface | Dell(conf-if-hu-1/1)#, Dell(conf-if-hu-1/1/1)# | interface (INTERFACE modes)
Interface Group | Dell(conf-if-group)# | interface (INTERFACE modes)
Interface Range | Dell(conf-if-range)# | interface (INTERFACE modes)
Loopback Interface | Dell(conf-if-lo-0)# | interface (INTERFACE modes)
Management Ethernet Interface | Dell(conf-if-ma-1/1)#, Dell(conf-if-ma-0/0)# | interface (INTERFACE modes)
Null Interface | Dell(conf-if-nu-0)# | interface (INTERFACE modes)
Port-channel Interface | Dell(conf-if-po-1)# | interface (INTERFACE modes)
Tunnel Interface | Dell(conf-if-tu-1)# | interface (INTERFACE modes)
VLAN Interface | Dell(conf-if-vl-1)# | interface (INTERFACE modes)
STANDARD ACCESS-LIST | Dell(config-std-nacl)# | ip access-list standard (IP ACCESS-LIST Modes)
EXTENDED ACCESS-LIST | Dell(config-ext-nacl)# | ip access-list extended (IP ACCESS-LIST Modes)
IP COMMUNITY-LIST | Dell(config-community-list)# | ip community-list
AUXILIARY | Dell(config-line-aux)# | line (LINE Modes)
CONSOLE | Dell(config-line-console)# | line (LINE Modes)
VIRTUAL TERMINAL | Dell(config-line-vty)# | line (LINE Modes)
STANDARD ACCESS-LIST | Dell(config-std-macl)# | mac access-list standard (MAC ACCESS-LIST Modes)
EXTENDED ACCESS-LIST | Dell(config-ext-macl)# | mac access-list extended (MAC ACCESS-LIST Modes)
MULTIPLE SPANNING TREE | Dell(config-mstp)# | protocol spanning-tree mstp
Per-VLAN SPANNING TREE Plus | Dell(config-pvst)# | protocol spanning-tree pvst
PREFIX-LIST | Dell(conf-nprefixl)# | ip prefix-list
RAPID SPANNING TREE | Dell(config-rstp)# | protocol spanning-tree rstp
REDIRECT | Dell(conf-redirect-list)# | ip redirect-list
ROUTE-MAP | Dell(config-route-map)# | route-map
ROUTER BGP | Dell(conf-router_bgp)# | router bgp
BGP ADDRESS-FAMILY | Dell(conf-router_bgp_af)# (for IPv4), Dell(conf-routerZ_bgpv6_af)# (for IPv6) | address-family {ipv4 multicast \| ipv6 unicast} (ROUTER BGP Mode)
ROUTER ISIS | Dell(conf-router_isis)# | router isis
ISIS ADDRESS-FAMILY | Dell(conf-router_isis-af_ipv6)# | address-family ipv6 unicast (ROUTER ISIS Mode)
ROUTER OSPF | Dell(conf-router_ospf)# | router ospf
ROUTER OSPFV3 | Dell(conf-ipv6router_ospf)# | ipv6 router ospf
ROUTER RIP | Dell(conf-router_rip)# | router rip
SPANNING TREE | Dell(config-span)# | protocol spanning-tree 0
TRACE-LIST | Dell(conf-trace-acl)# | ip trace-list
CLASS-MAP | Dell(config-class-map)# | class-map
CONTROL-PLANE | Dell(conf-control-cpuqos)# | control-plane-cpuqos
DHCP | Dell(config-dhcp)# | ip dhcp server
DHCP POOL | Dell(config-dhcp-pool-name)# | pool (DHCP Mode)
ECMP | Dell(conf-ecmp-group-ecmp-group-id)# | ecmp-group
EIS | Dell(conf-mgmt-eis)# | management egress-interface-selection
FRRP | Dell(conf-frrp-ring-id)# | protocol frrp
LLDP | Dell(conf-lldp)# or Dell(conf-if-interface-lldp)# | protocol lldp (CONFIGURATION or INTERFACE Modes)
LLDP MANAGEMENT INTERFACE | Dell(conf-lldp-mgmtIf)# | management-interface (LLDP Mode)
LINE | Dell(config-line-console) or Dell(config-line-vty) | line console or line vty
MONITOR SESSION | Dell(conf-mon-sess-sessionID)# | monitor session
OPENFLOW INSTANCE | Dell(conf-of-instance-of-id)# | openflow of-instance
PORT-CHANNEL FAILOVER-GROUP | Dell(conf-po-failover-grp)# | port-channel failover-group
PRIORITY GROUP | Dell(conf-pg)# | priority-group
PROTOCOL GVRP | Dell(config-gvrp)# | protocol gvrp
QOS POLICY | Dell(conf-qos-policy-out-ets)# | qos-policy-output
SUPPORTASSIST | Dell(support-assist)# | support-assist
VLT DOMAIN | Dell(conf-vlt-domain)# | vlt domain
VRRP | Dell(conf-if-interface-type-slot/port-vrid-vrrp-group-id)# | vrrp-group
u-Boot | Dell=> | Press any key when the following line appears on the console during a system boot: Hit any key to stop autoboot:
Grub | grub> | Press the Esc key when the following line appears on the console during a system boot: Hit any key to stop autoboot:
UPLINK STATE GROUP | Dell(conf-uplink-state-group-groupID)# | uplink-state-group

Appendix D — Auditable Events

Topics:

• Log Record Format

• Log Levels

• Audit Log Records

• Self-test Failures

Log Record Format

Audit log records have the same general format for all records, although some log records have different data depending on the message type. If logging is configured as version 1, the general format follows the format described in RFC 5424 “The Syslog Protocol”, March 2009:

[<PRI>] [VERSION] SP [TIMESTAMP] SP [HOSTNAME] SP [APP-NAME] SP [PROCID] SP [MSGID] SP [STRUCTURED-DATA] SP [MSG]

Unused fields are left blank with a "-" character. The fields take the following form:

• PRI: the PRIVAL field is typically not used in the TOE’s audit records but is visible in session output to the screen.

• VERSION: if logging version 1 is in effect, then this field contains a 1.

• TIMESTAMP: formatted according to RFC 3339 “Date and Time on the Internet: Timestamps” July 2002. Two formats are typically used:

• <month(in name form) day time (24 hour clock)>

• <year-month(in numerical form)-day>T<time (24 hour clock)>Z

The value may be based on the real-time clock or on uptime since the system was booted. Dell recommends configuring time based on real-time clock.

• HOSTNAME: may be the hostname of the system (if configured) or the stack-unit # of this system in the stack of units. Dell recommends configuring the hostname of the system.

• APP-NAME: Usually contains acronym of system component—for example, CLI, SEC, or NDPM.

• PROCID & MSGID: Varies depending on system component—for example, CONF or LOGIN.

• STRUCTURED-DATA: field is empty in our implementation.

• MSG: Specific log message varies widely depending on the component of the system logging the record. Success or failure is shown as “_SUCCESS(FUL)” or “_FAILURE”.

For administrative action records and for authentication log records, the log message includes the userid for that CLI session and the IP address where the user has logged in from.

The following shows examples of audit log records:

Oct 6 16:33:43: dv-fedgov-s4810-4: %SEC-6-LOGIN_SUCCESS:Login successful for user netad on line vty0 ( 10.11.8.67 )
Jun 8 10:12:13: %STKUNIT0-M:CP %NTP-6-STRATUM: NTP stratum changed, peer: 120.88.47.10, stratum: 3


Log Levels

There are eight levels of log messages that may be recorded, ranging from level 0 to 7. Each level includes the contents of the lower levels. The levels are:

Table 7. Log Levels

0 emergencies System is unusable

1 alert Immediate action needed

2 critical Critical conditions

3 errors Error conditions

4 warnings Warning conditions

5 notifications Normal but significant conditions

6 informational Informational messages

7 debugging Debugging messages

For the purposes of Common Criteria requirements, Dell recommends the monitoring level be set to the debugging level (level 7); it is the default logging level. This setting provides as much information as possible including command lines as entered in the CLI sessions.

Audit Log Records

Audit log records are generated for many events as outlined by the log levels. This includes events around success/failure of identification and authentication, actions or events that modify the time of the system, and connections to the system from a remote source. The following table outlines which Common Criteria requirements are expected to generate auditable events.

Table 8. Audit Log Records

Requirement Auditable Events Additional Audit Record Contents

FAU_GEN.1 None None

FAU_GEN.2 None None

FAU_STG_EXT.1 None None

FCS_CKM.1 None None

FCS_CKM.2 None None

FCS_CKM.4 None None

FCS_COP.1(1) None None

FCS_COP.1(2) None None

FCS_COP.1(3) None None

FCS_COP.1(4) None None

FCS_RBG_EXT.1 None None

FIA_PMG_EXT.1 None None

FIA_UIA_EXT.1 All use of identification and authentication mechanism Provided user identity, origin of the attempt (e.g. IP address)


FIA_UAU_EXT.2 All use of identification and authentication mechanism Origin of the attempt (e.g. IP address)

FIA_UAU.7 None None

FIA_X509_EXT.1 Unsuccessful attempt to validate a certificate Reason for failure

FIA_X509_EXT.2 None None

FIA_X509_EXT.3 None None

FMT_MOF.1(1)/TrustedUpdate Any attempt to initiate a manual update None

FMT_MTD.1 All management activities of TSF data None

FMT_SMF.1 None None

FMT_SMR.2 None None

FPT_SKP_EXT.1 None None

FPT_APW_EXT.1 None None

FPT_TST_EXT.1 None None

FPT_TUD_EXT.1 Initiation of update; result of the update attempt (success or failure) No additional information

FPT_STM.1 Changes to time The old and new values for the time. Origin of the attempt to change time for success and failure (e.g. IP address)

FTA_SSL_EXT.1 Any attempts at unlocking of an interactive session None

FTA_SSL.3 The termination of a remote session by the session locking mechanism None

FTA_SSL.4 The termination of an interactive session None

FTA_TAB.1 None None

FTP_ITC.1 Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. Identification of the initiator and target of failed trusted channels establishment attempt.

FCS_TLSC_EXT Failure to establish a TLS session Reason for failure

FTP_TRP.1 Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. Identification of the claimed user identity.

FCS_SSH_EXT.1 Failure to establish an SSH session Reason for failure

FCS_TLSC_EXT Failure to establish a TLS Session Reason for failure

FCS_SSHS_EXT.1 Failure to establish an SSH session Reason for failure

FAU_GEN.1

There are several auditable events:


• Start-up/shutdown of the audit function: The audit function is started when you configure the logging extended command and terminated when you configure the no logging extended command. These commands are recorded in the audit log with the userid/session. For example:

2014-10-08T11:03:47Z dv-fedgov-s4810-4 - SSH3 CONF - INFO:SUCCESSFUL logging extended by sysad from vty1 (10.11.8.67)
2014-10-08T11:03:47Z dv-fedgov-s4810-4 - SSH3 CONF - INFO:SUCCESSFUL no logging extended by sysad from vty1 (10.11.8.67)

If the TOE restarts after an unexpected shutdown, a log message is sent to any remote Syslog server indicating that some outage may have occurred. For example:

Oct 10 19:34:32: dv-fedgov-s4810-4: %CLI-6-Chassis has undergone an uncontrolled shutdown previously

• All auditable events for the not specified level of audit: All events that are at a lower logging level number are recorded in the audit log along with records for the specified level of audit.

• All administrative actions: All commands executed by any user on the system are recorded in the audit log along with their userid and session (IP address). For example:

Oct 16 19:24:54: dv-fedgov-s4810-4: %CLI-6-configure by sysad on line vty1 ( 10.11.8.67 )
Oct 16 19:25:22: dv-fedgov-s4810-4: %CLI-6-banner motd %Today by sysad on line vty1 ( 10.11.8.67 )
Oct 16 20:18:24: dv-fedgov-s4810-4: %CLI-6-configure by sysad on line vty1 ( 10.11.8.67 )
Oct 16 20:18:41: dv-fedgov-s4810-4: %CLI-6-username testing password 0 ****** role netadmin by sysad on line vty1 ( 10.11.8.67 )
Oct 16 20:19:53: dv-fedgov-s4810-4: %CLI-6-router ospf 3 by sysad on line vty1 ( 10.11.8.67 )

FIA_UAU_EXT.2, FIA_UIA_EXT.1

For each use of the authentication system, there is a record no matter if success or failure. The userid and origin of the attempt (IP address) is present in the record. For example:

1 2014-10-08T11:20:10Z dv-fedgov-s4810-4 - SEC LOGIN_SUCCESS - INFO: Login successful for user sysad on line vty1 ( 10.11.8.67 )
1 2014-10-08T11:16:11Z dv-fedgov-s4810-4 - SEC AUTHENTICATION_FAILURE - INFO: Authentication failure on vty1 (10.11.8.67) for method "local" user "sysad"
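The record layouts described under Log Record Format, and the authentication records shown just above, are the raw material an auditor or a SIEM rule works from. The following parser is an added example written for this guide, not code from Dell or the TOE: it recognises both the version-1 (RFC 5424 style) layout and the legacy "%FACILITY-level-MNEMONIC" layout, pulls the userid and origin address out of SEC authentication records, and counts failures per source. All function and field names (parse_record, auth_events, failures_by_origin, AuditRecord) are this example's own; the sample lines are copied from the examples in this appendix.

```python
"""Parse Dell Networking OS audit records (added example, not TOE code).

Handles the version-1 (RFC 5424 style) and legacy layouts shown in this
appendix and extracts actor and origin from authentication records.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Version-1 layout: optional VERSION, RFC 3339 TIMESTAMP, then HOSTNAME APP-NAME
# PROCID MSGID STRUCTURED-DATA (each "-" when unused) and the free-text MSG.
# In the records above the component acronym (SEC, CONF, SSH3) sits in the
# PROCID position and the event name (LOGIN_SUCCESS ...) in the MSGID position.
_V1 = re.compile(
    r"^(?:(?P<version>\d+) )?"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) "
    r"(?P<msg>.*)$"
)
# Legacy layout: "Mon d hh:mm:ss: [hostname: ] [%STKUNIT0-M:CP ]%FACILITY-<level>-MNEMONIC: msg".
# Uptime-based records carry only "hh:mm:ss:"; %CLI-6 records put the command
# text where the mnemonic would be and have no ": msg" part.
_LEGACY = re.compile(
    r"^(?P<ts>(?:[A-Z][a-z]{2} +\d{1,2} )?\d{2}:\d{2}:\d{2}): "
    r"(?:(?P<host>[^%\s][^:]*): )?"
    r"(?:%(?P<unit>[A-Z0-9]+(?:-M)?:[A-Z0-9]+) )?"
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[^:]+?)(?::\s*(?P<msg>.*))?$"
)
_UNIT_PREFIX = re.compile(r"^(?P<unit>STKUNIT\d+-M:CP) (?P<rest>.*)$")


@dataclass
class AuditRecord:
    layout: str               # "v1" or "legacy"
    timestamp: str
    hostname: Optional[str]
    unit: Optional[str]       # stack unit / CPU that wrote the record, e.g. STKUNIT0-M:CP
    component: Optional[str]  # SEC, CONF, NTP, CLI ...
    msgid: Optional[str]      # LOGIN_SUCCESS, AUTHENTICATION_FAILURE, TIME CHANGE ...
    severity: Optional[int]   # numeric log level; only the legacy layout carries it
    msg: str


def _dash(value: Optional[str]) -> Optional[str]:
    return None if value in (None, "-") else value


def parse_record(line: str) -> Optional[AuditRecord]:
    """AuditRecord for either layout, or None if the line is not an audit record."""
    line = line.rstrip()
    m = _V1.match(line)
    if m:
        unit, msg = None, m["msg"]
        u = _UNIT_PREFIX.match(msg)   # v1 records carry the unit at the start of MSG
        if u:
            unit, msg = u["unit"], u["rest"]
        return AuditRecord("v1", m["ts"], _dash(m["host"]), unit,
                           _dash(m["procid"]), _dash(m["msgid"]), None, msg)
    m = _LEGACY.match(line)
    if m:
        has_msg = m["msg"] is not None
        return AuditRecord("legacy", m["ts"], m["host"], m["unit"], m["facility"],
                           m["mnemonic"] if has_msg else None, int(m["sev"]),
                           m["msg"] if has_msg else m["mnemonic"])
    return None


# Spellings of the actor used by the records above; console actions report "default".
_USER_PATTERNS = [
    re.compile(r'\buser "(?P<user>[^"]+)"'),             # ... for method "local" user "sysad"
    re.compile(r"\bfor user (?P<user>\S+)"),              # Login successful for user sysad
    re.compile(r"\bby (?P<user>\S+) (?:from|on line) "),  # by sysad from vty1 / on line vty1
    re.compile(r"\bfor (?P<user>\S+) from \d"),           # Failed none for secadmin from 10.14.1.99
]
_ORIGIN = re.compile(r"\(\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\)|\bfrom (?P<ip2>\d{1,3}(?:\.\d{1,3}){3})")


def actor_and_origin(msg: str) -> Tuple[Optional[str], Optional[str]]:
    """(userid, IP address) named in a message; either may be absent."""
    user = None
    for pattern in _USER_PATTERNS:
        found = pattern.search(msg)
        if found:
            user = found["user"]
            break
    origin = _ORIGIN.search(msg)
    ip = (origin["ip"] or origin["ip2"]) if origin else None
    return user, ip


def auth_outcome(rec: AuditRecord) -> Optional[str]:
    """'success' / 'failure' for SEC authentication records, None otherwise."""
    if rec.component != "SEC":
        return None
    if rec.msgid == "LOGIN_SUCCESS":
        return "success"
    if rec.msgid in ("LOGIN_FAILURE", "AUTHENTICATION_FAILURE"):
        return "failure"
    return None


def auth_events(lines: List[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """(outcome, userid, origin IP) for every authentication record in `lines`."""
    events = []
    for line in lines:
        rec = parse_record(line)
        outcome = auth_outcome(rec) if rec else None
        if outcome:
            user, ip = actor_and_origin(rec.msg)
            events.append((outcome, user, ip))
    return events


def failures_by_origin(lines: List[str]) -> Dict[str, int]:
    """Failed authentications per source address: the first thing to review in a log."""
    counts: Dict[str, int] = {}
    for outcome, _user, ip in auth_events(lines):
        if outcome == "failure":
            counts[ip or "unknown"] = counts.get(ip or "unknown", 0) + 1
    return counts


# Sample records copied from the examples in this appendix.
SAMPLE_LINES = [
    "Oct 6 16:33:43: dv-fedgov-s4810-4: %SEC-6-LOGIN_SUCCESS:Login successful for user netad on line vty0 ( 10.11.8.67 )",
    "Jun 8 10:12:13: %STKUNIT0-M:CP %NTP-6-STRATUM: NTP stratum changed, peer: 120.88.47.10, stratum: 3",
    "1 2014-10-08T11:20:10Z dv-fedgov-s4810-4 - SEC LOGIN_SUCCESS - INFO: Login successful for user sysad on line vty1 ( 10.11.8.67 )",
    '1 2014-10-08T11:16:11Z dv-fedgov-s4810-4 - SEC AUTHENTICATION_FAILURE - INFO: Authentication failure on vty1 (10.11.8.67) for method "local" user "sysad"',
    "2014-10-08T11:03:47Z dv-fedgov-s4810-4 - SSH3 CONF - INFO:SUCCESSFUL logging extended by sysad from vty1 (10.11.8.67)",
    "2017-03-16T16:10:40.109Z - - - - - STKUNIT1-M:CP Failed none for secadmin from 10.14.1.99 port 51369 ssh2",
    "2017-03-16T16:19:44.216Z - - SEC LOGIN_FAILURE - STKUNIT1-M:CP Login failure on line vty0 ( 10.14.1.99 )",
]
```

The parser keeps the RFC 5424 positional fields so that a record from a version-1 collector and a legacy console record end up in the same shape; only the legacy layout carries a numeric severity, which is why the field is optional.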

FIA_X509_EXT.1

CA certificates may be installed on the TOE into its trusted CA store. As part of the installation process, there are multiple checks for a valid CA certificate. If any of the checks fail, an auditable event is generated giving the reason for the failure. For example:

dv-fedgov-s4810-3#crypto ca-cert install flash://dv-fedgov-ubuntu-3.v4cn.cert.pem
Loading CA certificate PEM-formatted file... done.
Verifying CA certificate(s)...
% Error: CA certificate has invalid parameters.
Successfully installed 0 CA certificates.
dv-fedgov-s4810-3#2017-02-03T20:47:29Z - - SEC CA_CERT_UNVERIFIED - STKUNIT0-M:CP Unable to verify CA Certificate CN=10.11.178.203 against certificate store

A successful installation provides command output showing what actions were taken. No auditable event is generated for successful actions.

dv-fedgov-s4810-3#crypto ca-cert install flash://fedgov_CAchain2.pem
Loading CA certificate PEM-formatted file... done.
Verifying CA certificate(s)...
...CA certificate already installed.
...CA certificate already installed.
...CA certificate already installed.
...CA certificate already installed.
Successfully installed 0 CA certificates.

There are auditable events related to the success or failure to connect to an audit server using SYSLOG over TLS with X.509 certificates.


A successful connection may be made using an IPv4 address, IPv6 address, or DNS hostname for a SYSLOG server, provided that the address/name used for the connection can be verified by comparing it against fields in the server’s X.509v3 certificate—specifically its SubjectAltName or its Common Name.

Connections may fail for several reasons: unable to resolve a DNS name, unable to reach the SYSLOG server, or unable to complete the connection due to hostname verification failure. Examples:

• Unable to resolve the hostname:

dv-fedgov-s4810-3(conf)#logging blabl secure 6514
Translating "blabl", enter to break
...domain server (10.11.178.203)
...domain server (10.11.178.203)
...domain server (10.11.178.203)
...domain server (10.11.178.203)
% Error: Unrecognized host or IP address.

• Unable to reach the SYSLOG server:

ip host centos-155 10.11.178.155
dv-fedgov-s4810-3(conf)#logging centos-155 secure 6514
Translating "centos-155", enter to break
IPv4 address: 10.11.178.155
dv-fedgov-s4810-3(conf)#2017-02-03T20:12:03Z - - EVL SERVER_NOT_REACHABLE - STKUNIT0-M:CP Syslog server 10.11.178.155 (port: 6514) is not reachable

• Unable to complete the connection due to hostname verification failure showing debug output. In this case, the SubjectAltName contained an IP address only and the Common Name field did not match the server name on the connection:

dv-fedgov-s4810-3(conf)#logging dv-fedgov-ubuntu-3 secure 6514
Translating "dv-fedgov-ubuntu-3", enter to break
IPv4 address: 10.11.178.203
>>> TLS 1.2 [length 0005]
>>> TLS 1.2 Handshake [length 0068], ClientHello
<<< TLS 1.2 Handshake [length 0056], ServerHello
<<< TLS 1.2 Handshake [length 1db9], Certificate
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
>>> TLS 1.2 Handshake [length 0106], ClientKeyExchange
>>> TLS 1.2 ChangeCipherSpec [length 0001]
>>> TLS 1.2 Handshake [length 0010], Finished
<<< TLS 1.2 ChangeCipherSpec [length 0001]
<<< TLS 1.2 Handshake [length 0010], Finished
Failed to verify host dv-fedgov-ubuntu-3 as certificate TestCN2-ubuntu-3
Failed to verify host dv-fedgov-ubuntu-3.dellnetfedgov.com as certificate TestCN2-ubuntu-3
dv-fedgov-s4810-3(conf)#2017-02-03T20:04:10Z - - EVL ERROR - STKUNIT0-M:CP Syslog server dv-fedgov-ubuntu-3 TLS connection failed - unable to verify server: Peer's Common Name does not match connection
2017-02-03T20:04:10Z - - EVL SERVER_NOT_REACHABLE - STKUNIT0-M:CP Syslog server 10.11.178.203 (port: 6514) is not reachable

FMT_MOF.1

The TOE does not allow for automated updates of its software nor does it perform automatic checking for updates. All upgrades must be initiated manually by a userid which has sufficient permission for the upgrade command. If a user attempts to initiate an update without sufficient permissions, an auditable event is generated.

dv-fedgov-s3000-1#$upgrade system flash://dv-fedgov-s3000-1.bin stack-unit 1 B:
^
% Error: Invalid input at "^" marker.
dv-fedgov-s3000-1#2017-03-16T15:52:11.065Z - - SEC NO_PERMISSION - STKUNIT1-M:CP upgrade system flash://dv-fedgov-s3000-1.bin stack-unit 1 B:


FMT_MTD.1

We do generate audit log messages when we install or delete X.509 certificates/keys, for both CA certificates and the system certificate.

- Deleting the system certificate

dv-fedgov-s4810-3#crypto cert delete
WARNING: this will delete the existing certificate and private key and the existing FIPS-mode certificate and private key.
Proceed (y/n) ? y
dv-fedgov-s4810-3#2017-02-03T22:20:52Z - - SEC FIPS_CERT_DELETED - STKUNIT0-M:CP FIPS-mode host certificate deleted.

- Deleting all the CA certificates

dv-fedgov-s4810-3#crypto ca-cert delete all
WARNING: You are about to delete the entire CA certificate store.
Proceed (y/n) ? y
All installed CA Certificates deleted.
dv-fedgov-s4810-3#2017-02-03T22:21:14Z - - SEC CA_CERT_DELETED_ALL - STKUNIT0-M:CP CA Certificate store deleted

- Installing all the CA certificates

dv-fedgov-s4810-3#crypto ca-cert install flash://fedgov_CAchain2.pem
Loading CA certificate PEM-formatted file... done.
Verifying CA certificate(s)...
...Installed Root CA certificate
   CommonName = Fedgov_RootCA2
   Subject Key ID = 9F:80:8A:75:D6:76:F8:7D:C2:36:82:E0:09:33:27:13:32:FA:53:8D
2017-02-03T22:21:34Z - - SEC CA_CERT_INSTALLED - STKUNIT0-M:CP CA Certificate CN=Fedgov_RootCA2 installed in certificate store
...Installed CA certificate
   CommonName = Fedgov_TrunkCA2
   Subject Key ID = DD:BA:A0:4D:4F:63:2B:2D:EE:86:7E:B0:12:79:14:05:94:AD:11:53
2017-02-03T22:21:35Z - - SEC CA_CERT_INSTALLED - STKUNIT0-M:CP CA Certificate CN=Fedgov_TrunkCA2 installed in certificate store
...Installed CA certificate
   CommonName = Fedgov_BranchCA2
   Subject Key ID = 2D:D6:5D:A7:9E:84:22:DC:92:FB:AD:CD:C3:BA:AF:F7:A8:3A:CF:8B
2017-02-03T22:21:36Z - - SEC CA_CERT_INSTALLED - STKUNIT0-M:CP CA Certificate CN=Fedgov_BranchCA2 installed in certificate store
...Installed CA certificate
   CommonName = Fedgov_TwigCA2
   Subject Key ID = B7:EA:95:8C:F4:03:3D:00:33:D7:79:50:91:C3:D6:32:14:6E:7B:9B
Successfully installed 4 CA certificates.
dv-fedgov-s4810-3#2017-02-03T22:21:37Z - - SEC CA_CERT_INSTALLED - STKUNIT0-M:CP CA Certificate CN=Fedgov_TwigCA2 installed in certificate store

- Installing the system certificate and key

dv-fedgov-s4810-3#crypto cert install cert-file flash://dv-fedgov-s4810-3.v4cn.cert.pem key-file flash://mlkey.pem
WARNING: this will install a FIPS-mode certificate and private key for use.
Proceed (y/n) ? y
2017-02-03T22:24:34Z - - SEC CERT_UPDATED - STKUNIT0-M:CP Host certificate updated for FIPS mode
Certificate installed successfully. Please note that the input key file is removed.
dv-fedgov-s4810-3#2017-02-03T22:24:36Z - - SEC FIPS_CERT_UPDATED - STKUNIT0-M:CP FIPS-mode host certificate updated.

We also generate audit log messages when generating the SSH RSA keys.

dv-fedgov-s4810-3(conf)#crypto key generate rsa
Generating 2048-bit SSHv2 RSA key.
! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !
dv-fedgov-s4810-3(conf)#2017-02-03T21:22:23Z - - SEC CRYPTO_KEY_GENERATED - STKUNIT0-M:CP RSA key generated for SSH, by default from console

FPT_STM.1

There are numerous auditable events related to changes of the time on the system. It is possible to configure the origin of the clock source (local or NTP server), the time zone, a local time change, and the configuration of an NTP server. Each of these events generates a record showing the origin of the attempt (IP address) and, where applicable, the change in time with the old and new values. For example:

Oct 6 18:23:38: %STKUNIT0-M:CP %CLOCK-6-TIME CHANGE: Timezone configuration changed from "UTC 0 hrs 0 mins" to "Pacific -8 hrs 0 mins"
Oct 6 18:25:45: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from vty0 ( 10.11.8.67 )by sysad
Oct 6 17:00:00: %STKUNIT0-M:CP %CLOCK-6-TIME CHANGE: System clock time changed from 10:26:15.752 Pacific Mon Oct 6 2014 to 09:00:00 6 Oct 2013
Oct 6 18:25:55: %STKUNIT0-M:CP %CLOCK-6-TIME CHANGE: System clock time changed from 09:00:22.288 Pacific Sun Oct 6 2013 to 10:25:55 6 Oct 2014
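Because the TIME CHANGE records carry both the old and the new value, a reviewer can measure how far the clock was moved rather than only noting that it changed; a jump of a year, as in the records above, invalidates the timestamps on every record written in between. The following is an added example for this guide, not TOE code: it parses the two wall-clock spellings the records use, computes the signed jump, and flags moves beyond a threshold. The function names (parse_clock_value, clock_jump, clock_events) and the 5-minute threshold are this example's own choices; the last sample line is constructed to show a small NTP-style correction that is not flagged.

```python
"""Measure clock moves reported by %CLOCK-6-TIME CHANGE records (added example, not TOE code)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

_CLOCK = re.compile(r"%CLOCK-6-TIME CHANGE: System clock time changed from (?P<old>.+?) to (?P<new>.+)$")
_TZ = re.compile(r'%CLOCK-6-TIME CHANGE: Timezone configuration changed from "(?P<old>[^"]+)" to "(?P<new>[^"]+)"')

# Old value spelling: "10:26:15.752 Pacific Mon Oct 6 2014" (zone word and weekday optional).
_LONG = re.compile(
    r"^(?P<t>\d{2}:\d{2}:\d{2}(?:\.\d+)?)(?: (?P<tz>[A-Za-z]+))?(?: [A-Z][a-z]{2})?"
    r" (?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<year>\d{4})$"
)
# New value spelling: "09:00:00 6 Oct 2013".
_SHORT = re.compile(r"^(?P<t>\d{2}:\d{2}:\d{2}(?:\.\d+)?) (?P<day>\d{1,2}) (?P<mon>[A-Z][a-z]{2}) (?P<year>\d{4})$")


def parse_clock_value(text: str) -> datetime:
    """Parse either spelling into a naive datetime.  The zone word is ignored because
    both values are local wall-clock time of the same system (an assumption here)."""
    text = text.strip()
    m = _LONG.match(text) or _SHORT.match(text)
    if not m:
        raise ValueError(f"unrecognised clock value: {text!r}")
    fmt = "%Y %b %d %H:%M:%S" + (".%f" if "." in m["t"] else "")
    return datetime.strptime(f"{m['year']} {m['mon']} {m['day']} {m['t']}", fmt)


def clock_jump(line: str) -> Optional[timedelta]:
    """Signed amount the clock was moved by a 'System clock time changed' record, else None."""
    m = _CLOCK.search(line)
    if not m:
        return None
    return parse_clock_value(m["new"]) - parse_clock_value(m["old"])


def clock_events(lines: List[str], threshold: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """One entry per time-related record.  Timezone changes are always flagged (they
    shift every later timestamp); clock changes are flagged when |delta| > threshold."""
    events: List[Dict[str, object]] = []
    for line in lines:
        tz = _TZ.search(line)
        if tz:
            events.append({"kind": "timezone", "old": tz["old"], "new": tz["new"], "flagged": True})
            continue
        jump = clock_jump(line)
        if jump is not None:
            events.append({"kind": "clock", "delta": jump, "flagged": abs(jump) > threshold})
    return events


# First four lines copied from the records above; the last one is constructed.
SAMPLE_LINES = [
    'Oct 6 18:23:38: %STKUNIT0-M:CP %CLOCK-6-TIME CHANGE: Timezone configuration changed from "UTC 0 hrs 0 mins" to "Pacific -8 hrs 0 mins"',
    "Oct 6 18:25:45: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from vty0 ( 10.11.8.67 )by sysad",
    "Oct 6 17:00:00: %STKUNIT0-M:CP %CLOCK-6-TIME CHANGE: System clock time changed from 10:26:15.752 Pacific Mon Oct 6 2014 to 09:00:00 6 Oct 2013",
    "Oct 6 18:25:55: %STKUNIT0-M:CP %CLOCK-6-TIME CHANGE: System clock time changed from 09:00:22.288 Pacific Sun Oct 6 2013 to 10:25:55 6 Oct 2014",
    "Oct 6 18:30:00: %STKUNIT0-M:CP %CLOCK-6-TIME CHANGE: System clock time changed from 10:29:58.000 Pacific Mon Oct 6 2014 to 10:30:00 6 Oct 2014",
]
```

Note that the record's own prefix timestamp ("Oct 6 17:00:00") is written with the clock already moved, which is why the delta has to come from the message body and not from the gap between consecutive records.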

FPT_TUD_EXT.1

The update command generates an audit record at the completion of the upgrade command indicating success or failure and which userid started the upgrade. For example:

1 2014-10-10T07:48:43Z dv-fedgov-s4810-4 - SSH2 CONF - INFO:SUCCESSFUL upgrade system tftp://10.11.178.3/dv-fedgov-s4810-4.bin A: by sysad from vty0 (10.11.8.67)
1 2014-10-10T07:52:32Z dv-fedgov-s4810-4 - SSH2 CONF - INFO:FAILED upgrade system tftp://10.11.178.3/blah.bin A: by sysad from vty0 (10.11.8.67)

Where sysad is the userid that started the upgrade in a remote CLI session from 10.11.18.67.

FTA_SSL.3, FTA_SSL_EXT.1

The TOE does not support session locking capability. There are no audit records available for either of these requirements.

FTA_SSL.4

When a session terminates due to inactivity, an audit record generates. The inactivity timer for CLI sessions is configurable. For example:

1 2014-10-08T11:35:27Z dv-fedgov-s4810-4 - SEC LOGOUT - INFO: Exec session is terminated for user sysad on line vty1 ( 10.11.8.67 )


FTP_ITC.1 and FCS_TLSC_EXT

The TOE supports a trusted channel to a remote Syslog server using a TLS version 1.2 connection. The TOE acts as a TLS client with the remote SYSLOG server acting as the TLS server. If the TLS connection did not succeed, the reason displays in the audit event. An audit event also displays for a successful connection. The following example shows a successful TLS connection:

dv-fedgov-s3000-1(conf)#logging dv-fedgov-ubuntu-3 secure 6514
Translating "dv-fedgov-ubuntu-3", enter <Ctrl-C> to break
IPv4 address: 10.11.178.203
dv-fedgov-s3000-1(conf)#2017-03-16T16:32:53.598Z - - EVL SERVER_REACHABLE - STKUNIT1-M:CP Syslog server 10.11.178.203 (port: 6514) is reachable

The following example shows a failed TLS connection—mismatched DNS domain names:

dv-fedgov-s3000-1(conf)#ip domain-name blah
dv-fedgov-s3000-1(conf)#logging dv-fedgov-ubuntu-3 secure 6514
Translating "dv-fedgov-ubuntu-3", enter <Ctrl-C> to break
IPv4 address: 10.11.178.203
dv-fedgov-s3000-1(conf)#2017-03-16T16:34:53.565Z - - EVL ERROR - STKUNIT1-M:CP Syslog server dv-fedgov-ubuntu-3 TLS connection failed - unable to verify server: Peer's Subject Alt Name does not match connection
2017-03-16T16:34:53.682Z - - EVL SERVER_NOT_REACHABLE - STKUNIT1-M:CP Syslog server 10.11.178.203 (port: 6514) is not reachable
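The two hostname-verification failures in this appendix (under FIA_X509_EXT.1, where the SubjectAltName held only an IP address and the Common Name did not match, and the mismatched DNS domain just above) come from the same decision: which certificate field is compared against the configured server name. The following model is an added example for this guide, not Dell's implementation: it reproduces the outcome of each case described here from a constructed set of certificate identity fields, and generalises to a single-label wildcard DNS-ID, which the page does not discuss. The names PeerIdentity, verify_reference and verify_syslog_server are this example's own, as is the assumption, taken from the console trace above, that the TOE tries the configured name and then name.domain.

```python
"""Reference-identifier matching for the Syslog-over-TLS server name (added example, not TOE code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAN_MISMATCH = "Peer's Subject Alt Name does not match connection"
CN_MISMATCH = "Peer's Common Name does not match connection"


@dataclass
class PeerIdentity:
    """Identity fields of a server certificate.  Constructed for the example; no real certificate is parsed."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, name: str) -> bool:
    """Case-insensitive DNS-ID match.  A leading '*' label matches exactly one label
    (RFC 6125 style; this generalisation is the example's, the page does not describe it)."""
    p, n = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not p.startswith("*."):
        return p == n
    p_labels, n_labels = p.split(".")[1:], n.split(".")
    return len(n_labels) == len(p_labels) + 1 and n_labels[1:] == p_labels and n_labels[0] != ""


def verify_reference(cert: PeerIdentity, reference: str) -> Tuple[bool, str]:
    """Check one reference identifier (IP literal or DNS name) against the certificate.
    A SubjectAltName of the reference's kind, when present, is authoritative; the
    Common Name is consulted only when no such SAN entry exists."""
    if _is_ip(reference):
        if cert.san_ip:
            for ip in cert.san_ip:
                if ipaddress.ip_address(ip) == ipaddress.ip_address(reference):
                    return True, f"matched SubjectAltName IP {ip}"
            return False, SAN_MISMATCH
    elif cert.san_dns:
        for dns in cert.san_dns:
            if _dns_match(dns, reference):
                return True, f"matched SubjectAltName DNS {dns}"
        return False, SAN_MISMATCH
    cn = cert.common_name or ""
    if _is_ip(reference):
        cn_ok = _is_ip(cn) and ipaddress.ip_address(cn) == ipaddress.ip_address(reference)
    else:
        cn_ok = bool(cn) and _dns_match(cn, reference)
    return (True, f"matched Common Name {cn}") if cn_ok else (False, CN_MISMATCH)


def verify_syslog_server(cert: PeerIdentity, configured: str,
                         domain_name: Optional[str] = None) -> Tuple[bool, str]:
    """Try the configured name and, for an unqualified name, name.domain (as the console
    trace in this appendix shows); report the reason of the last failure."""
    candidates = [configured]
    if not _is_ip(configured) and domain_name and "." not in configured:
        candidates.append(f"{configured}.{domain_name}")
    ok, reason = False, CN_MISMATCH
    for ref in candidates:
        ok, reason = verify_reference(cert, ref)
        if ok:
            break
    return ok, reason
```

Configuring the logging server by the same identifier that appears in its certificate's SubjectAltName (an IP address when only an iPAddress entry is present, the fully qualified name when a dNSName entry is present) avoids both failure modes shown in this appendix.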

FTP_TRP.1 and FCS_SSHS_EXT.1

The TOE supports trusted paths for use as remote CLI sessions to a remote server through SSH sessions. The audit records for these trusted paths are identical to those shown under sections for FCS_SSH_EXT.1, FIA_UAU_EXT.2, FIA_UIA_EXT.1, and FTA_SSL.4.

• Failed SSH remote login (authentication failure)

2017-03-16T16:10:40.109Z - - - - - STKUNIT1-M:CP Failed none for secadmin from 10.14.1.99 port 51369 ssh2

• Failed SSH remote login (mismatched cipher spec)

2017-03-16T16:19:43.816Z - - SSH CONNECTION - STKUNIT1-M:CP Negotiation failed with 10.14.1.99: no matching cipher found. Their offer 3des-cbc
2017-03-16T16:19:44.103Z - - - - - STKUNIT1-M:CP fatal: Unable to negotiate with 10.14.1.99 port 47242: no matching cipher found. Their offer: 3des-cbc
2017-03-16T16:19:44.216Z - - SEC LOGIN_FAILURE - STKUNIT1-M:CP Login failure on line vty0 ( 10.14.1.99 )

• Successful SSH remote login

2017-03-16T16:10:42.132Z - - SEC LOGIN_SUCCESS - STKUNIT1-M:CP Login successful for user secadmin on line vty0 ( 10.14.1.99 )
2017-03-16T16:10:44.923Z - - - - - STKUNIT1-M:CP Starting session: shell on ttyp1 for secadmin from 10.14.1.99 port 51369 id 0

• Successful logout of SSH remote session

2017-03-16T16:12:51.487Z - - SEC LOGOUT - STKUNIT1-M:CP Exec session is terminated for user secadmin on line vty0 ( 10.14.1.99 ) (Reason : User Request)

Self-test Failures

There are some self-tests that can be executed on the TOE. These include self-tests run when the TOE reboots before applying the startup configuration, self-tests when system software is started, FIPS self-tests, and offline diagnostics.


Power-on Self-tests

A number of tests are run in boot loader context at system startup; these are referred to as power-on self-tests (POST). The boot loader is part of the BIOS, not part of the system software, and is installed at the factory before shipment.

Currently, only the S5000 and Z9500 platforms support POST. The POST procedures include testing hardware components in the system and configuration settings. From the boot loader OS, you can configure POST behaviors. However, these settings are not saved persistently; only the enable/disable of POST is a persistent configuration change saved in NVRAM. The controllable features are:

• enable/disable POST

• enable/disable verbose mode

• enable/disable general extended test

• enable/disable extended lower DRAM test

• enable/disable extended upper DRAM test

Each test sends messages that appear on the console during system boot and startup. The POST procedures include testing:

• critical register values

• performance ratio

• real-time clock battery state and clock value

• memory:

• verifying DIMM SPD EEPROM

• configuring hardware accelerator for DRAM access

• NVRAM tests (write, read, verify), DRAM (status, addressability, ECC bits)

• FPGA (platform specific)

• PCI/PCIe devices

If there is an issue with any of the POST results, the system does not boot. If restarting the system does not clear the issue, consult your Dell support procedures.

Here is an example of console output for the BIOS boot including POST on a Z9500 system:

BIOS (Dell Force10 Networks) Boot Selector 9500 132-port TE/FG (ZC) 3.2.0.0 (P2)
POST Configuration
  CPU Signature 30669
  CPU FamilyID=6, Model=36, SteppingId=9, Processor=0
  Microcode Revision 10b
  POST Control=0xea000303, Status=0xe6000d00
MSRs:
  Platform ID: f09884b08f
  PMG_CST_CFG_CTL: 263006
  BBL_CR_CTL3: 7e00010f
  Perf Ctrl: 63d
  Perf Status: 63d104f06000648
  M-Perf (fixed freq): 866f0de0
  A-Perf (current): 34d0e986
  Clk Flex Max: 0
  Misc EN: 60840080
  Therm Status: 88450000
  MC0 Ctl: 0
  MC0 Status: 1000000000000000
CPGC Memtest for rank 0 ..................... PASS
CPGC Memtest for rank 1 ..................... PASS
NOT DISABLING SPD WRITE
POST:POST SPD Test...
DIMM is DDR3
POST SPD test ............................... PASS
POST DRAM Test entry
  SpeedStep enabled, Processor Bus Ratio=10, Vid=5a
  Interface test
  Short memory cell test....
  M-Perf (fixed freq): a232ff18
  A-Perf (current): a8b9be20
POST DRAM test .............................. PASS

System Software Self-tests

After the BIOS is successfully started, the system software loads based on the primary and secondary boot parameters as you configured. The system attempts to load the software from the primary location. If this fails, the system attempts to load the software from the secondary location. If there are no valid software files available, the system continually reboots, going through the loop—primary, secondary, default—until it can successfully find a valid software file.

View the values for the software images using the show bootvar command. For example:

dv-fedgov-s4810-4#show bootvar
PRIMARY IMAGE FILE = tftp://10.11.178.3/dv-fedgov-s4810-4.bin
SECONDARY IMAGE FILE = system://A
DEFAULT IMAGE FILE = system://A
LOCAL CONFIG FILE = variable does not exist
PRIMARY HOST CONFIG FILE = variable does not exist
SECONDARY HOST CONFIG FILE = variable does not exist
PRIMARY NETWORK CONFIG FILE = variable does not exist
SECONDARY NETWORK CONFIG FILE = variable does not exist
CURRENT IMAGE FILE = tftp://10.11.178.3/dv-fedgov-s4810-4.bin
CURRENT CONFIG FILE 1 = flash://startup-config
CURRENT CONFIG FILE 2 = variable does not exist
CONFIG LOAD PREFERENCE = local first
BOOT INTERFACE GATEWAY IP ADDRESS = 10.11.178.254
Reload Mode = normal-reload

After a valid system software file is located, it loads and execution starts. Additional self-tests execute at this time. This includes:

• file system check

• checking on status of power and fans

• checking for line card existence, if applicable for that model

• checking for hardware connectivity on interfaces

If there is any major issue at startup that prevents the system from proceeding, the system automatically reboots itself, if possible. If non-critical components are missing, the system continues the boot process but reports a warning message. The system launches numerous processes and loads the startup configuration file, executing those configuration commands. Any launched process that depends on the FIPS-capable crypto library loads the library into memory and executes the FIPS self-tests at that time. This is described in more detail in the next section.

An example of output at system startup:

** /dev/rld0g
** File system is clean; not checking
Starting Dell Networking OS
00:00:10: %STKUNIT0-M:CP %RAM-6-ELECTION_ROLE: Stack-unit 0 is transitioning to Management unit.
00:00:11: %STKUNIT0-M:CP %CRYPTO-5-FIPS_SELF_TEST_PASSED: [sysd] FIPS crypto module self-test passed
00:00:11: %STKUNIT0-M:CP %CHMGR-5-STACKUNITDETECTED: Stack-unit 0 present
00:00:12: %STKUNIT0-M:CP %CHMGR-5-CHECKIN: Checkin from stack-unit 0 (type S4810, 64 ports)
00:00:13: %STKUNIT0-M:CP %CHMGR-0-PS_UP: Power supply 0 in unit 0 is up
00:00:18: %STKUNIT0-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Ma 0/0
00:00:19: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Ma 0/0
00:00:22: %STKUNIT0-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Ma 0/0
00:00:27: %STKUNIT0-M:CP %CHMGR-5-STACKUNITUP: stack-unit 0 is up
00:00:28: %STKUNIT0-M:CP %CHMGR-2-SYSTEM_READY: System ready
00:00:29: %S4810:0 %IFAGT-5-INSERT_OPTICS: Optics SFP inserted in slot 0 port 45
00:00:31: %S4810:0 %IFAGT-5-INSERT_OPTICS: Optics SFP inserted in slot 0 port 46
00:00:32: %STKUNIT0-M:CP %CONFD_MGR-5-CONFD_STARTUP: ConfD startup succeeded in phase0
00:00:33: %STKUNIT0-M:CP %CONFD_MGR-5-CONFD_STARTUP: ConfD startup succeeded in phase1
00:00:33: %S4810:0 %IFAGT-5-INSERT_OPTICS: Optics SFP inserted in slot 0 port 47
00:00:35: %STKUNIT0-M:CP %CONFD_MGR-5-CONFD_STARTUP: ConfD startup succeeded in phase2
00:00:35: %S4810:0 %IFAGT-5-INSERT_OPTICS_PLUS: Optics SFP+ inserted in slot 0 port 0
00:00:35: %S4810:0 %IFAGT-5-INSERT_OPTICS_PLUS: Optics SFP+ inserted in slot 0 port 1
00:00:36: %S4810:0 %IFAGT-5-INSERT_OPTICS_PLUS: Optics SFP+ inserted in slot 0 port 2
. . . .
00:00:44: %S4810:0 %IFAGT-5-INSERT_OPTICS_QSFP: Optics QSFP inserted in slot 0 port 60
00:00:44: %STKUNIT0-M:CP %SYS-5-CONFIG_LOAD: Loading configuration file
Oct 24 15:46:56: %STKUNIT0-M:CP %SEC-5-USER_ACC_CREATION_SUCCESS: User account "admin" created or modified by default from console successfully
Oct 24 15:46:57: %STKUNIT0-M:CP %SEC-5-USER_ACC_CREATION_SUCCESS: User account "sysad" created or modified by default from console successfully
Oct 24 15:46:58: %STKUNIT0-M:CP %IFMGR-5-ASTATE_UP: Changed interface Admin state to up: Te 0/45
Oct 24 15:46:58: %STKUNIT0-M:CP %IFMGR-5-ASTATE_UP: Changed interface Admin state to up: Te 0/46
Oct 24 15:47:00: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Ma 0/0
Oct 24 15:47:00: %STKUNIT0-M:CP %CLI-6-ROLE_MODE_ENABLED: by default from console
Oct 24 15:47:01: %STKUNIT0-M:CP %CONFD_MGR-5-CONFD_STARTUP: ConfD is ready
Oct 24 15:47:01: %STKUNIT0-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Ma 0/0
Login: Oct 24 15:47:02: %STKUNIT0-M:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
Oct 24 15:47:04: %STKUNIT0-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 0/45
Oct 24 15:47:04: %STKUNIT0-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 0/46

FIPS Self-tests

The TOE includes a suite of FIPS self-tests that validate the integrity of the Dell OpenSSL Cryptographic Library and verify the implementation of the FIPS DRBG and the cryptographic algorithms.

The FIPS self-tests are executed whenever a process loads the library into memory, per the latest FIPS 140-2 Implementation Guidance. In particular, the sysd process is launched early in the startup procedure and, among other duties, first loads the cryptographic library and runs the FIPS self-tests. This happens independently of, and prior to, the configuration of the FIPS cryptographic module’s mode of operation. The results are recorded in the system log for both pass and fail results, e.g.:

00:00:11: %STKUNIT0-M:CP %CRYPTO-5-FIPS_SELF_TEST_PASSED: [sysd] FIPS crypto module self-test passed
00:00:11: %STKUNIT0-M:CP %CRYPTO-5-FIPS_SELF_TEST_FAILED: [sysd] FIPS crypto module self-test failed

Later in the startup procedure, the configuration file is processed and the FIPS mode is enabled if that was previously configured and saved. When FIPS mode is enabled, the FIPS self-tests are run a second time. If the FIPS self-tests fail again, the attempt to enable FIPS mode will also fail and a system log message will be generated. For example (the message contains the error reported from the FIPS module):

Oct 3 10:49:32: %STKUNIT0-M:CP %CRYPTO-3-FIPS_MODE_ENABLE_FAILURE: FIPS mode enable failed, error:2D079089:FIPS routines:fips_pkey_signature_test:test failure

At this point the system will be unable to operate in a FIPS-validated manner, so further processing will be halted. In particular, no interfaces or protocols will be configured. The console will instruct the administrator to restart the system. This is the only action that can be performed when the FIPS self-tests fail and FIPS mode is enabled. The console session will show the following:

FIPS mode enable failed. Reload required.
Proceed with reload [confirm yes/no]:

The only response accepted is “yes”; otherwise the message is repeated.
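A monitoring-side check for the messages above, added here as an example and not part of the Dell documentation: it parses lines in the log format this appendix shows and flags the CRYPTO events that mean the unit must be reloaded before it operates in a FIPS-validated manner. The sample log lines are constructed from the messages quoted on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of the Dell Networking OS log lines quoted in this appendix:
#   <time>: %<unit>:<process> %<FACILITY>-<severity>-<MNEMONIC>: <text>
LOG_RE = re.compile(
    r"^(?P<time>.+?): %(?P<unit>\S+) "
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Mnemonics this page shows for a module that did not reach a FIPS-validated state.
FIPS_FAIL_MNEMONICS = {"FIPS_SELF_TEST_FAILED", "FIPS_MODE_ENABLE_FAILURE"}

@dataclass
class LogEvent:
    time: str
    unit: str
    facility: str
    severity: int
    mnemonic: str
    text: str

def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one log line; return None for lines that do not follow the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEvent(m["time"], m["unit"], m["facility"], int(m["sev"]),
                    m["mnemonic"], m["text"])

def fips_failures(lines: List[str]) -> List[LogEvent]:
    """Return CRYPTO events that mean the unit must be reloaded before it is FIPS-valid."""
    events = (parse_line(l) for l in lines)
    return [e for e in events
            if e and e.facility == "CRYPTO" and e.mnemonic in FIPS_FAIL_MNEMONICS]

def fips_error_code(event: LogEvent) -> Optional[str]:
    """Extract the module error code (e.g. 2D079089) from an enable-failure message."""
    m = re.search(r"error:([0-9A-Fa-f]+):", event.text)
    return m[1] if m else None

# Constructed sample built from the messages quoted on this page plus one unrelated line.
SAMPLE_LOG = [
    "00:00:11: %STKUNIT0-M:CP %CRYPTO-5-FIPS_SELF_TEST_PASSED: [sysd] FIPS crypto module self-test passed",
    "00:00:22: %STKUNIT0-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Ma 0/0",
    "00:00:11: %STKUNIT0-M:CP %CRYPTO-5-FIPS_SELF_TEST_FAILED: [sysd] FIPS crypto module self-test failed",
    "Oct 3 10:49:32: %STKUNIT0-M:CP %CRYPTO-3-FIPS_MODE_ENABLE_FAILURE: FIPS mode enable failed, error:2D079089:FIPS routines:fips_pkey_signature_test:test failure",
]
```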


Offline Diagnostics

There is an offline diagnostic test suite available for use. Diagnostics are not executed on an on-line system. This diagnostic test suite is grouped into three levels:

• Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, they verify the identification registers of the components on the board.

• Level 1 — A smaller set of diagnostic tests. Level 1 diagnostics perform status/self-test for all the components on the board and test their registers for appropriate values. In addition, they perform extensive tests on memory devices (for example, SDRAM, flash, NVRAM, or EEPROM) wherever possible.

• Level 2 — The full set of diagnostic tests. Level 2 diagnostics are used primarily for on-board Loopback tests and more extensive component diagnostics. Various components on the board are put into Loopback mode and test packets are transmitted through those components. These diagnostics also perform snake tests using VLAN configurations.

Diagnostic results are stored in a local file for further review. Sample output:

Dell#diag stack-unit 2
Warning - the stack unit will be pulled out of the stack for diagnostic execution
Proceed with Diags [confirm yes/no]: yes
Warning - diagnostic execution will cause multiple link flaps on the peer side - advisable
to shut directly connected ports
Proceed with Diags [confirm yes/no]: yes
Dell#00:03:13: %S25P:2 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 2
00:03:13 : Approximate time to complete these Diags ... 6 Min
00:03:13 : Diagnostic test results will be stored on stack unit 2 file: flash:/TestReport-SU-2.txt

Dell#00:03:35: %STKUNIT1-M:CP %CHMGR-2-STACKUNIT_DOWN: Stack unit 2 down - card removed
00:08:50: %STKUNIT1-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit 2 present
00:09:00: %STKUNIT1-M:CP %CHMGR-5-CHECKIN: Checkin from Stack unit 2 (type S25P, 28 ports)
00:09:00: %S25P:2 %CHMGR-0-PS_UP: Power supply 0 in unit 2 is up
00:09:00: %STKUNIT1-M:CP %CHMGR-5-STACKUNITUP: Stack unit 2 is up
[output from the console of the unit in which diagnostics are performed]
Dell(stack-member-2)#Diagnostic test results are stored on file: flash:/TestReport-SU-2.txt
Diags completed... Rebooting the system now!!!


Appendix E — NTP

Dell Networking OS supports NTPv4 with MD5 encryption but does not support NTP over IPSec or the Autokey feature.

NTP is evaluated for use in a Common Criteria compliant configuration without these features. This section is for informational use only.

Topics:

• Configuring an NTP Time-Serving Host

• Configuring an Authentication Key for NTP Traffic

• Configuring an NTP Time-Serving Host

• Authenticating the System to Which NTP Synchronizes

Configuring an NTP Time-Serving Host

NTP authentication and the corresponding trusted key provide a reliable means of exchanging NTP packets with trusted time sources.

NOTE: For complete information about NTP, see the Configuring NTP Authentication section in the Dell Networking Configuration Guide and the System Time and Date section in the Dell Networking Command Line Reference Guide for your system.

To enable authentication of NTP traffic between the switch and the NTP time serving hosts, use the ntp authenticate command in CONFIGURATION mode.

Enable authentication of NTP traffic between the switch and the NTP time serving hosts.

CONFIGURATION

Dell(conf)#ntp authenticate

Configuring an Authentication Key for NTP Traffic

To specify a key for authenticating the NTP server, use the ntp authentication-key command in CONFIGURATION mode. By default, NTP authentication is not configured.

The authentication key has a wide range, from 1 to 4294967295, but not all NTP servers support the full range of possible values. You must match the authentication key with your own established NTP server(s) in your organization.

Set an authentication key with encryption in Configuration mode.

ntp authentication-key 8 md5 0 <clear-text-key>

Configuring an NTP Time-Serving Host

You can configure multiple time-serving hosts. From these time-serving hosts, the Dell OS chooses one NTP host with which to synchronize using the ntp server command. To determine which server was selected, use the show ntp associations command.

Configure time-serving hosts using the following command in CONFIGURATION mode.

Enter the ntp server command.

ntp server 192.100.0.16 key 1000


Appendix E — NTP 93


Authenticating the System to Which NTP Synchronizes

To set a key to authenticate the system to which NTP synchronizes, use the ntp trusted-key number command in CONFIGURATION mode.

The number parameter in the ntp trusted-key command must be the same number as the number parameter in the ntp authentication-key command. If you change the ntp authentication-key command, you must also change the ntp trusted-key command in CONFIGURATION mode.

Dell(conf)#ntp trusted-key 1000
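The key-number agreement this appendix requires across ntp authentication-key, ntp server ... key and ntp trusted-key is easy to get wrong during a config change. The following checker is an added example, not Dell code; it reads the four command forms shown in this appendix from a saved configuration and reports any reference that would leave a time source unauthenticated. The configurations and key value are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Set

# NTP command forms from this appendix; the key number must agree across
# authentication-key, server ... key, and trusted-key.
KEY_RE = re.compile(r"^ntp authentication-key (\d+) md5 \d \S+$")
SERVER_RE = re.compile(r"^ntp server (\S+)(?: key (\d+))?$")
TRUSTED_RE = re.compile(r"^ntp trusted-key (\d+)$")

def check_ntp_config(config: str) -> List[str]:
    """Return findings for NTP lines that would leave time sources unauthenticated."""
    authenticate = False
    auth_keys: Set[int] = set()
    trusted: Set[int] = set()
    servers: Dict[str, Optional[int]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            authenticate = True
        elif m := KEY_RE.match(line):
            auth_keys.add(int(m[1]))
        elif m := SERVER_RE.match(line):
            servers[m[1]] = int(m[2]) if m[2] else None   # None: server has no key
        elif m := TRUSTED_RE.match(line):
            trusted.add(int(m[1]))
    findings: List[str] = []
    if not authenticate:
        findings.append("ntp authenticate is missing: NTP traffic is not authenticated")
    for num in sorted(trusted - auth_keys):
        findings.append(f"trusted-key {num} has no matching ntp authentication-key")
    for host, num in servers.items():
        if num is None:
            findings.append(f"server {host} has no key, so it cannot be authenticated")
        elif num not in auth_keys:
            findings.append(f"server {host} references undefined key {num}")
        elif num not in trusted:
            findings.append(f"server {host} uses key {num}, which is not a trusted-key")
    return findings

# Constructed samples; PLACEHOLDER-KEY stands in for a real shared key.
GOOD_CONFIG = ("ntp authenticate\n"
               "ntp authentication-key 1000 md5 0 PLACEHOLDER-KEY\n"
               "ntp server 192.100.0.16 key 1000\n"
               "ntp trusted-key 1000\n")
# Key 8 is defined, but the server and trusted-key lines refer to 1000.
BAD_CONFIG = ("ntp authentication-key 8 md5 0 PLACEHOLDER-KEY\n"
              "ntp server 192.100.0.16 key 1000\n"
              "ntp trusted-key 1000\n")
```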
