Connectivity Guide

3. Use the security profile to configure an X.509v3-based service; for example, to configure RADIUS over TLS authentication using an X.509v3 certificate, enter the radius-server host tls command:
radius-server host {hostname | ip-address} tls security-profile profile-name [auth-port port-number] key {0 authentication-key | 9 authentication-key | authentication-key}
Example: Security profile configuration and use for RADIUS over TLS authentication
OS10# show crypto cert
--------------------------------------
| Installed non-FIPS certificates |
--------------------------------------
dv-fedgov-s6010-1.pem
--------------------------------------
| Installed FIPS certificates |
--------------------------------------
OS10#
OS10(config)#
OS10(config)# crypto security-profile radius-prof
OS10(config-sec-profile)# certificate dv-fedgov-s6010-1
OS10(config-sec-profile)# exit
OS10(config)#
OS10(config)# radius-server host radius-server-2.test.com tls security-profile radius-prof key radsec
OS10(config)# end
OS10# show running-configuration crypto security-profile
!
crypto security-profile radius-prof
certificate dv-fedgov-s6010-1
OS10# show running-configuration radius-server
radius-server host radius-server-2.test.com tls security-profile radius-prof key 9 2b9799adc767c0efe8987a694969b1384c541414ba18a44cd9b25fc00ff180e9
Cluster security
When you enable VLT or a fabric automation application, switches that participate in the cluster use secure channels to communicate with each other. The secure channels are enabled only when you enable the cluster (VLT or fabric) configuration on a switch. OS10 installs a default X.509v3 certificate-key pair, which is used to establish secure channels between peer devices in a cluster.
In a deployment where untrusted devices can reach the management or data ports of an OS10 switch, replace the default certificate-key pair used for cluster applications, because every OS10 switch ships with the same default pair. Create a custom X.509v3 certificate-key pair by configuring an application-specific security profile with the cluster security-profile command.
When you replace the default certificate-key pair for cluster applications, ensure that all devices in the cluster use either the same custom certificate-key pair or unique certificate-key pairs issued by the same CA; otherwise peers cannot validate each other and the secure channel does not come up.
CAUTION: While you replace the default certificate-key pair, cluster devices temporarily lose their secure channel connectivity. It is, therefore, recommended that you change the cluster security configuration during a maintenance window.
This example shows how to install an X.509v3 CA and host certificate-key pair for a cluster application. For more information, see:
Importing and installing a CA certificate — see Manage CA certificates.
Generating a CSR and installing a host certificate — see Request and install host certificates.
1. Install a trusted CA certificate.
OS10# copy tftp://CAadmin:secret@172.11.222.1/GeoTrust_Universal_CA.crt home://GeoTrust_Universal_CA.crt
OS10# crypto ca-cert install home://GeoTrust_Universal_CA.crt
Processing certificate ...
Installed Root CA certificate
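Before copying a CA certificate and a host certificate-key pair to the switch for a security profile (the RADIUS over TLS profile above or the cluster profile here), it is worth confirming on the admin workstation that the host certificate actually chains to that CA and that the private key belongs to it, since a mismatch only shows up later as a failed TLS handshake between peers. The following is an added shell example using openssl(1); it is not part of the OS10 guide, and the file names are placeholders.

```shell
#!/bin/sh
# Pre-install sanity check for a security-profile certificate-key pair.
# Added example, not from the OS10 guide. Assumes openssl(1) is available
# on the workstation; file names are placeholders for your own files.
#
# Usage: check_cert_pair <ca.crt> <host.crt> <host.key>
# Returns 0 when host.crt chains to ca.crt (and is within its validity
# period) and host.key is the private key for host.crt; 1 otherwise.
check_cert_pair() {
  ca="$1"; crt="$2"; key="$3"
  # 1. The host certificate must validate against the CA you are about to
  #    install with 'crypto ca-cert install'. A cluster peer or RadSec
  #    server that trusts only this CA rejects a certificate from any other.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  # 2. The public key embedded in the certificate must match the private
  #    key, otherwise the TLS handshake fails after the profile is applied.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$crt_pub" = "$key_pub" ] || return 1
  return 0
}

# Example invocation with placeholder file names (exit status is the result):
#   check_cert_pair GeoTrust_Universal_CA.crt dv-fedgov-s6010-1.pem dv-fedgov-s6010-1.key
```

Run the check once per device when each cluster member gets its own certificate, always against the same CA file that will be installed on every member.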
Security
837