Connectivity Guide
3 Use the security profile to configure an X.509v3-based service; for example, to configure RADIUS over TLS authentication using an X.509v3 certificate, enter the radius-server host tls command:
radius-server host {hostname | ip-address} tls security-profile profile-name [auth-port port-number] key {0 authentication-key | 9 authentication-key | authentication-key}
Example: Security profile configuration and use for RADIUS over TLS authentication
OS10# show crypto cert
--------------------------------------
| Installed non-FIPS certificates |
--------------------------------------
dv-fedgov-s6010-1.pem
--------------------------------------
| Installed FIPS certificates |
--------------------------------------
OS10#
OS10(config)#
OS10(config)# crypto security-profile radius-prof
OS10(config-sec-profile)# certificate dv-fedgov-s6010-1
OS10(config-sec-profile)# exit
OS10(config)#
OS10(config)# radius-server host radius-server-2.test.com tls security-profile radius-prof key radsec
OS10(config)# end
OS10# show running-configuration crypto security-profile
!
crypto security-profile radius-prof
certificate dv-fedgov-s6010-1
OS10# show running-configuration radius-server
radius-server host radius-server-2.test.com tls security-profile radius-prof key 9 2b9799adc767c0efe8987a694969b1384c541414ba18a44cd9b25fc00ff180e9
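What travels inside the TLS session that the security profile above protects is ordinary RADIUS (RFC 2865/2869). RFC 6614 fixes the RADIUS shared secret for RADIUS/TLS to the string radsec (which is why the example enters key radsec): peer authentication rests entirely on the X.509v3 certificates, so the certificate in the security profile and the CA it chains to are what actually authenticate the switch and the server. The following Python is an added example, not OS10 code and not part of this guide. It builds an Access-Request the way a RadSec client does, has a server side verify the Message-Authenticator, recover the password and answer, and has the client verify the Response Authenticator. The user name, password and file paths are constructed for illustration; the two TLS helpers show where the certificate-key pair is used and need a live server to do anything.

```python
import hashlib
import hmac
import os
import socket
import ssl
import struct

# RFC 6614 section 2.3 fixes the shared secret for RADIUS/TLS to "radsec";
# it only feeds the legacy obfuscation/authenticator arithmetic below.
RADSEC_SECRET = b"radsec"
RADSEC_PORT = 2083  # RFC 6614 section 2.1
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80


def radsec_tls_context(ca_file, cert_file, key_file):
    """Client TLS context: trust only ca_file and present the switch's own
    certificate-key pair (the role of the OS10 security profile).
    The file paths are assumptions for illustration."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def send_radsec(pkt, host, ctx):
    """Send one RADIUS PDU over TLS and return the full response PDU."""
    with socket.create_connection((host, RADSEC_PORT)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(pkt)
        buf = tls.recv(4)
        total = struct.unpack("!BBH", buf)[2]
        while len(buf) < total:  # RADIUS length field bounds the PDU
            buf += tls.recv(total - len(buf))
        return buf


def encode_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(enc, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(enc), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(enc[i:i + 16], key))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")  # passwords with trailing NULs are not supported


def build_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], parse_attrs(pkt[20:])


def build_access_request(username, password, secret=RADSEC_SECRET, identifier=1, request_auth=None):
    """Client side: Access-Request with User-Password and Message-Authenticator (RFC 2869 3.2)."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, encode_password(password, secret, request_auth)),
             (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]  # zeroed while the HMAC is computed
    body = build_attrs(attrs)
    hdr = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth
    mac = hmac.new(secret, hdr + body, hashlib.md5).digest()
    return hdr + build_attrs(attrs[:-1] + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])


def verify_message_authenticator(pkt, secret):
    """Recompute HMAC-MD5 over the packet with the Message-Authenticator zeroed."""
    _, _, _, attrs = parse_packet(pkt)
    mac, rebuilt = None, []
    for t, v in attrs:
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            mac = v
            v = b"\x00" * 16
        rebuilt.append((t, v))
    if mac is None or len(mac) != 16:
        return False
    expected = hmac.new(secret, pkt[:20] + build_attrs(rebuilt), hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)


def server_handle(pkt, secret, users):
    """Server side: check the Message-Authenticator, recover the password, answer."""
    if not verify_message_authenticator(pkt, secret):
        raise ValueError("bad Message-Authenticator")
    _, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    pw = decode_password(a[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(a[ATTR_USER_NAME]) == pw else ACCESS_REJECT
    hdr = struct.pack("!BBH", code, ident, 20)  # no attributes in this reply
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return hdr + hashlib.md5(hdr + req_auth + secret).digest()


def client_verify_response(resp, req_auth, secret):
    """Client side: returns (authenticator_ok, response_code)."""
    code, _, resp_auth, _ = parse_packet(resp)
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(resp_auth, expected), code


if __name__ == "__main__":
    # Constructed sample exchange; a real client would pass the request to
    # send_radsec(pkt, "radius-server-2.test.com", radsec_tls_context(...)).
    req_auth = os.urandom(16)
    pkt = build_access_request(b"alice", b"s3cret", request_auth=req_auth)
    resp = server_handle(pkt, RADSEC_SECRET, {b"alice": b"s3cret"})
    print(client_verify_response(resp, req_auth, RADSEC_SECRET))
```

Because MD5-based obfuscation and the fixed secret offer no real protection on their own, a RadSec deployment is only as strong as the certificate checks on both ends: the switch must present the certificate named in its security profile, and it must reject a server whose certificate does not chain to a CA it trusts.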
Cluster security
When you enable VLT or a fabric automation application, switches that participate in the cluster use secure channels to communicate with each other. The secure channels are enabled only when you enable the cluster (VLT or fabric) configuration on a switch. OS10 installs a default X.509v3 certificate-key pair, which is used to establish secure channels between peer devices in a cluster.
In a deployment where untrusted devices access the management or data ports on an OS10 switch, you should replace the default certificate-key pair used for cluster applications. Create a custom X.509v3 certificate-key pair by configuring an application-specific security profile with the cluster security-profile command.
When you replace the default certificate-key pair for cluster applications, ensure that all devices in the cluster use the same custom certificate-key pair or a unique certificate-key pair issued by the same CA.
CAUTION: While you replace the default certificate-key pair, cluster devices temporarily lose their secure channel connectivity. It is, therefore, recommended that you change the cluster security configuration during a maintenance window.
This example shows how to install an X.509v3 CA and host certificate-key pair for a cluster application. For more information, see:
• Importing and installing a CA certificate — see Manage CA certificates.
• Generating a CSR and installing a host certificate — see Request and install host certificates.
1. Install a trusted CA certificate.
OS10# copy tftp://CAadmin:secret@172.11.222.1/GeoTrust_Universal_CA.crt home://GeoTrust_Universal_CA.crt
OS10# crypto ca-cert install home://GeoTrust_Universal_CA.crt
Processing certificate ...
Installed Root CA certificate