Fabric OS Administrator’s Guide, 53-1002920-02, page 653
Appendix B: Preparing a switch for FIPS
The RADIUS server must also be configured to use only PEAP-MSCHAPv2. Note that among
the Windows RADIUS servers supported, only Windows 2000-, Windows 2003-, and
Windows 2008-based RADIUS servers may be used in a FIPS-compliant configuration.
If the switch is set for LDAP, refer to the instructions in “Setting up LDAP for FIPS mode” on
page 649.
4. Optional: Set the authentication protocols.
a. Enter the authUtil --set -h sha1 command to set the hash type used by the DH-CHAP and FCAP authentication protocols to SHA-1 in place of MD5.
b. Enter the authUtil --set -g n command (where n represents the DH group) to set the DH group to 1, 2, 3, or 4.
5. Install the LDAP CA certificate on the switch and Microsoft Active Directory server. Refer to
“LDAP certificates for FIPS mode” on page 650.
6. Enter the ipFilter --show command and verify that no active IP filter policy permits access to the Telnet or HTTP ports, even if a higher priority policy explicitly denies such access. If an active IP policy does permit any of these ports, you must modify or deactivate the policy. Create separate policies for IPv4 and IPv6, and block access on the Telnet and HTTP ports.
a. Enter the ipFilter command to create IP filter policies for IPv4 and IPv6. Refer to “Creating an IP Filter policy” on page 254.
b. Add rules to each IP filter policy. Refer to “Adding a rule to an IP Filter policy” on page 259. Use the following form of the rule to block access to the Telnet and HTTP ports:
ipfilter --addrule policyname -rule rule_number -sip source_IP -dp dest_port -proto protocol -act deny
The -sip option can be given as any.
The -dp option takes the destination port number: 23 for Telnet and 80 for HTTP.
The -proto option should be set to TCP.
c. Activate each IP filter policy. Refer to “Activating an IP Filter policy” on page 255.
d. Save each IP filter policy. Refer to “Saving an IP Filter policy” on page 255.
Example
ipfilter --create http_block_v4 -type ipv4
ipfilter --addrule http_block_v4 -rule 1 -sip any -dp 80 -proto tcp -act deny
ipfilter --activate http_block_v4
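Steps a through d carried through for both IP versions and both ports, as an added example that extends the guide’s own example above and is not text from the guide; the policy names telnet_http_block_v4 and telnet_http_block_v6 are assumed:

```console
# IPv4 policy: deny TCP 23 (Telnet) and TCP 80 (HTTP) from any source
ipfilter --create telnet_http_block_v4 -type ipv4
ipfilter --addrule telnet_http_block_v4 -rule 1 -sip any -dp 23 -proto tcp -act deny
ipfilter --addrule telnet_http_block_v4 -rule 2 -sip any -dp 80 -proto tcp -act deny
ipfilter --activate telnet_http_block_v4
ipfilter --save telnet_http_block_v4

# IPv6 policy: same two deny rules, kept as a separate policy as step 6 requires
ipfilter --create telnet_http_block_v6 -type ipv6
ipfilter --addrule telnet_http_block_v6 -rule 1 -sip any -dp 23 -proto tcp -act deny
ipfilter --addrule telnet_http_block_v6 -rule 2 -sip any -dp 80 -proto tcp -act deny
ipfilter --activate telnet_http_block_v6
ipfilter --save telnet_http_block_v6

# Re-check: confirm the active policies and that no remaining rule permits 23 or 80
ipfilter --show
```

The final ipfilter --show is the verification the first sentence of step 6 asks for; repeat it after any later policy change.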
7. Use the snmpConfig --set seclevel command to turn on SNMP security. When prompted to
select the SNMP SET Security Level, enter 3, for no access.
Example
switch:FID128:admin> snmpconfig --set seclevel
Select SNMP GET Security Level
(0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3) [0]
Select SNMP SET Security Level
(0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3) [0] 3
8. Enter the fipsCfg --disable bootprom command to block access to the boot PROM.