Users Guide

Security profiles
To use independent sets of security credentials for different OS10 applications, you can configure multiple security profiles and
assign them to OS10 applications. A security profile consists of a certificate and private key pair.
For example, you can maintain different security profiles for RADIUS over TLS authentication and SmartFabric services. You can
assign a security profile to an application when you configure the profile.
When you install a certificate-key pair, both take the name of the certificate. For example, if you install a certificate using:
OS10# crypto cert install cert-file home://Dell_host1.pem key-file home://abcd.key
The certificate-key pair is installed as Dell_host1.pem and Dell_host1.key. In configuration commands, refer to the pair
as Dell_host1. When you configure a security profile, you would enter Dell_host1 in the certificate certificate-name
command.
Configure security profile
1. Create an application-specific security profile in CONFIGURATION mode.
crypto security-profile profile-name
2. Assign a certificate and private key pair to the security profile in SECURITY-PROFILE mode. For certificate-name,
enter the name of the certificate-key pair as it appears in the show crypto certs output without the .pem extension.
certificate certificate-name
exit
3. (Optional) Enable CRL checking for certificates received from external devices in SECURITY-PROFILE mode. CRL checking
verifies the validity of a certificate using the CRLs installed on the switch.
revocation-check
4. (Optional) Enable peer name checking for certificates presented by external devices in SECURITY-PROFILE mode. Peer
name checking ensures that the certificate matches the name of the peer device, such as a remote server name.
peer-name-check
5. Use the security profile to configure an X.509v3-based service; for example, to configure RADIUS over TLS authentication
using an X.509v3 certificate, enter the radius-server host tls command:
radius-server host {hostname | ip-address} tls security-profile profile-name
[auth-port port-number] key {0 authentication-key | 9 authentication-key |
authentication-key}
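The following Python audit is an added example, not part of the OS10 documentation or tooling. It reads saved show running-configuration text and flags security profiles that lack the optional checks from steps 3 and 4, profiles whose certificate name does not match an installed pair, and RADIUS over TLS hosts that reference an undefined profile. It assumes the running configuration lists each profile's sub-commands on their own lines under the crypto security-profile line; the sample configuration, the fabric-prof and radsec-prof names, and the 192.0.2.10 address are constructed.

```python
import re

PROFILE_RE = re.compile(r"^crypto security-profile (\S+)$")
RADIUS_RE = re.compile(r"^radius-server host (\S+) tls security-profile (\S+)")
CHECKS = ("revocation-check", "peer-name-check")  # optional steps 3 and 4

def parse_profiles(config):
    """Map profile name -> {'certificate': name or None, <check>: bool}."""
    profiles, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            current = profiles.setdefault(m.group(1), {"certificate": None, **dict.fromkeys(CHECKS, False)})
        elif current is not None and line.startswith("certificate "):
            current["certificate"] = line.split(None, 1)[1]
        elif current is not None and line in CHECKS:
            current[line] = True
        else:
            current = None  # "!" or any other command ends the profile block
    return profiles

def audit(config, installed_certs):
    """Return sorted findings; profiles name the pair without the .pem extension."""
    names = {c[:-4] if c.endswith(".pem") else c for c in installed_certs}
    profiles, findings = parse_profiles(config), []
    for name, p in profiles.items():
        if p["certificate"] not in names:  # also catches a missing certificate line
            findings.append(f"{name}: certificate name {p['certificate']} does not match an installed pair")
        findings += [f"{name}: {c} not enabled" for c in CHECKS if not p[c]]
    for raw in config.splitlines():
        m = RADIUS_RE.match(raw.strip())
        if m and m.group(2) not in profiles:
            findings.append(f"{m.group(1)}: unknown security profile {m.group(2)}")
    return sorted(findings)

# Constructed sample, not captured from a switch.
SAMPLE_CONFIG = """\
crypto security-profile radius-prof
 certificate dv-fedgov-s6010-1
 revocation-check
 peer-name-check
!
crypto security-profile fabric-prof
 certificate Dell_host1.pem
!
radius-server host 192.0.2.10 tls security-profile radsec-prof key radsec
"""
SAMPLE_CERTS = ["dv-fedgov-s6010-1.pem", "Dell_host1.pem"]
```

Calling audit(SAMPLE_CONFIG, SAMPLE_CERTS) returns four findings: three for fabric-prof and one for the host that references radsec-prof.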
Example: Security profile in RADIUS over TLS authentication
OS10# show crypto cert
--------------------------------------
| Installed non-FIPS certificates |
--------------------------------------
dv-fedgov-s6010-1.pem
--------------------------------------
| Installed FIPS certificates |
--------------------------------------
OS10#
OS10(config)#
OS10(config)# crypto security-profile radius-prof
OS10(config-sec-profile)# certificate dv-fedgov-s6010-1
OS10(config-sec-profile)# revocation-check
OS10(config-sec-profile)# peer-name-check
OS10(config-sec-profile)# exit
OS10(config)#
OS10(config)# radius-server host radius-server-2.test.com tls security-profile radius-prof key radsec
OS10(config)# end
OS10# show running-configuration crypto security-profile
!
crypto security-profile radius-prof
certificate dv-fedgov-s6010-1