Users Guide

1. Create an application-specific security profile in CONFIGURATION mode.
crypto security-profile profile-name
2. Assign a certificate and private key pair to the security profile in SECURITY-PROFILE mode. For certificate-name, enter the name of the certificate-key pair as it appears in the show crypto certs output without the .pem extension.
certificate certificate-name
exit
3. (Optional) Enable CRL checking for certificates received from external devices in SECURITY-PROFILE mode. CRL checking verifies the validity of a certificate using the CRLs installed on the switch.
revocation-check
4. (Optional) Enable peer name checking for certificates presented by external devices in SECURITY-PROFILE mode. Peer name checking ensures that the certificate matches the name of the peer device, such as a remote server name.
peer-name-check
5. Use the security profile to configure an X.509v3-based service; for example, to configure RADIUS over TLS authentication using an X.509v3 certificate, enter the radius-server host tls command:
radius-server host {hostname | ip-address} tls security-profile profile-name [auth-port port-number] key {0 authentication-key | 9 authentication-key | authentication-key}
Example: Security profile in RADIUS over TLS authentication
OS10# show crypto cert
--------------------------------------
| Installed non-FIPS certificates |
--------------------------------------
dv-fedgov-s6010-1.pem
--------------------------------------
| Installed FIPS certificates |
--------------------------------------
OS10#
OS10(config)#
OS10(config)# crypto security-profile radius-prof
OS10(config-sec-profile)# certificate dv-fedgov-s6010-1
OS10(config-sec-profile)# revocation-check
OS10(config-sec-profile)# peer-name-check
OS10(config-sec-profile)# exit
OS10(config)#
OS10(config)# radius-server host radius-server-2.test.com tls security-profile radius-prof key radsec
OS10(config)# end
OS10# show running-configuration crypto security-profile
!
crypto security-profile radius-prof
certificate dv-fedgov-s6010-1
OS10# show running-configuration radius-server
radius-server host radius-server-2.test.com tls security-profile radius-prof key 9
2b9799adc767c0efe8987a694969b1384c541414ba18a44cd9b25fc00ff180e9
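The two optional checks above are what make the switch actually verify the RADIUS server's identity and revocation status; a profile that only names a certificate accepts any peer certificate that chains correctly. The following is an added example, not Dell's tooling, that audits the text of show crypto cert and show running-configuration offline: it flags a radius-server host tls line whose profile is undefined, references a certificate that is not installed (the certificate command takes the file name without .pem), or lacks revocation-check or peer-name-check. It assumes OS10 writes sub-commands of a security profile indented by one space in the running configuration, and the sample output is constructed.

```python
import re
# Constructed sample output in the format the guide shows; not taken from a real switch.
SHOW_CRYPTO_CERT = "| Installed non-FIPS certificates |\ndv-fedgov-s6010-1.pem\n"
RUNNING_CONFIG = """\
crypto security-profile radius-prof
 certificate dv-fedgov-s6010-1
 revocation-check
 peer-name-check
!
crypto security-profile weak-prof
 certificate stale-cert
radius-server host radius-server-2.test.com tls security-profile radius-prof key 9 2b97
radius-server host radius-backup.test.com tls security-profile weak-prof key 9 2b97
radius-server host radius-3.test.com tls security-profile ghost-prof key 9 2b97
"""

def installed_certs(show_crypto_cert):
    # The 'certificate' command takes the file name without its .pem extension.
    return {name[:-4] for name in show_crypto_cert.splitlines() if name.endswith(".pem")}

def parse_profiles(running_config):
    # Map each crypto security-profile name to the set of its sub-commands (assumed one-space indented).
    profiles, current = {}, None
    for line in running_config.splitlines():
        m = re.match(r"crypto security-profile (\S+)$", line)
        if m:
            current = m.group(1)
            profiles[current] = set()
        elif line.startswith(" ") and current is not None:
            profiles[current].add(line.strip())
        else:
            current = None  # '!' or any other top-level command ends the block
    return profiles

def audit(show_crypto_cert, running_config):
    # One (host, finding) tuple per problem on a 'radius-server host ... tls' line.
    certs, profiles = installed_certs(show_crypto_cert), parse_profiles(running_config)
    findings = []
    for host, prof in re.findall(r"radius-server host (\S+) tls security-profile (\S+)", running_config):
        cmds = profiles.get(prof)
        if cmds is None:
            findings.append((host, f"profile {prof} is not defined"))
            continue
        cert = next((c.split(None, 1)[1] for c in cmds if c.startswith("certificate ")), None)
        if cert not in certs:
            findings.append((host, f"certificate {cert} is not installed on the switch"))
        for check in ("revocation-check", "peer-name-check"):
            if check not in cmds:
                findings.append((host, f"{check} is not enabled in profile {prof}"))
    return findings
```

Run audit(SHOW_CRYPTO_CERT, RUNNING_CONFIG) against pasted output from a real switch to get one finding per weak or dangling RADIUS over TLS host; the radius-prof host in the sample produces none.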
Cluster security
When you enable VLT or a fabric automation application, switches that participate in the cluster use secure channels to communicate with each other. The secure channels are enabled only when you enable the VLT or fabric cluster configuration on a switch. OS10 installs a default X.509v3 certificate-key pair to establish secure channels between the peer devices in a cluster.
NOTE:
From release 10.5.1.0 onwards, an X.509v3 certificate is not needed in a VLT domain if both VLT peers are running OS10 software version 10.5.1.0 or later. However, you still need the certificates during a VLT upgrade from an earlier version to 10.5.1.0, because the upgraded VLT device has to communicate with the other VLT peer in the domain until that device is also upgraded to 10.5.1.0.
Security 1391