Control Plane Security
Transport Layer Security
Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), is a security protocol used to communicate between client and server. It establishes an encrypted communication channel to secure data.
- RSA key sizes must be greater than or equal to 2048 bits.
- There must be less than 825 days to expiry.
- Certificate must use SHA-2 family of Hashing function.
- Certificate
- Key
An SSL certificate is required to establish a secure connection between the client and server. The certificate includes all of the details which are necessary for authentication. Cryptographic keys are used to provide a secure channel of communication. TLS uses two cryptographic keys: a private keyknown only to the server and a public key embedded in the certificate. The keys are used to validate the certificate.
Overview
With the SSL certificate, key, and profile management framework we can manage and configure SSL certificates, keys and profiles. SSL is an application-layer protocol which transfers the data securely between the client and server using a combination of authentication, encryption, and data integrity. SSL uses certificates and private-public key pairs to provide this security. An user can configure an SSL profile which includes certificate, key and trusted CA certificates used in SSL communication. A user can manage certificates, keys, and also multiple SSL profiles. A SSL profile can be configured and attached to any other EOS configuration which supports SSL communication. The individual EOS configuration using this framework includes details of using the SSL profile in their configuration.
The only private keys supported are those using the RSA algorithm. Both the certificate and keys must be encoded in the Privacy Enhanced Mail (PEM) format.
Example
This is a code sample of a PEM encoded certificate.
$cat server.crt
-----BEGIN CERTIFICATE-----
MIIC3zCCAkgCAQkwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCVVMxCzAJBgNV
BAgMAkNBMQswCQYDVQQHDAJTQzEPMA0GA1UECgwGQXJpc3RhMQwwCgYDVQQLDANT
RE4xCzAJBgNVBAMMAmNhMRwwGgYJKoZIhvcNAQkBFg1jYUBhcmlzdGEuY29tMCAX
DTE0MDgxMTIxNDQxN1oYDzIwNjkwNTE0MjE0NDE3WjB5MQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExCzAJBgNVBAcMAlNDMQ8wDQYDVQQKDAZBcmlzdGExDDAKBgNV
BAsMA1NETjEPMA0GA1UEAwwGc2VydmVyMSAwHgYJKoZIhvcNAQkBFhFzZXJ2ZXJA
YXJpc3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOBOP/jh
xk28sUH+lhM/mY6QoyLGcbnygwe/hzIjn2mASnf7uPFGhB62JTt7tQv2xmu/MJfs
aVsNeYXP3ZOcmRO0uk9suGVbII7QJUomnsq1dJh59UyMfws6V6ergmhwEZCDIirV
7nbUDz+uSdNutQL4w/VB+juuWXQ8ztbmygT2ymySaHRK3XnDrAiva0UUVbSmEHH0
wLPsNVNYUxJ4PpOB9luw4upe6ACF9SFtMDz3BDcrL6Gq5idWw3YkQfzBwEl+5hkF
hu0owON29I5T8FpAx+Hzpl48YWW65d/4F40S3XRN312xALM8RrQOU/Chx9Sfg0iJ
dsXWNagx1eyW2EECAwEAATANBgkqhkiG9w0BAQQFAAOBgQBedfuKHvNDpEkdO2AE
Kihs/YeRGgp+5g7hXU0U2TMAMS545ZQ99pFbnScmIC0m68aw1VXILuj+vlkxAM27
oc8iB+gG7oaFtJpWTvmIHqzeHWb0zrwjPhtXTafWEoam8sJZt38Pc4UVb7lQCd6v
ZCLZZJmC2IL0SG7bLN7yaALCSQ==
-----END CERTIFICATE-----
Example
This is a code sample of a PEM encoded RSA key.
$cat server.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA4E4/+OHGTbyxQf6WEz+ZjpCjIsZxufKDB7+HMiOfaYBKd/u4
8UaEHrYlO3u1C/bGa78wl+xpWw15hc/dk5yZE7S6T2y4ZVsgjtAlSiaeyrV0mHn1
TIx/CzpXp6uCaHARkIMiKtXudtQPP65J0261AvjD9UH6O65ZdDzO1ubKBPbKbJJo
dErdecOsCK9rRRRVtKYQcfTAs+w1U1hTEng+k4H2W7Di6l7oAIX1IW0wPPcENysv
oarmJ1bDdiRB/MHASX7mGQWG7SjA43b0jlPwWkDH4fOmXjxhZbrl3/gXjRLddE3f
XbEAszxGtA5T8KHH1J+DSIl2xdY1qDHV7JbYQQIDAQABAoIBACv/TU8NQi+HXqGa
RWe7Juyu9EDi+fXGWutPJz6vfBpenrzQNGOnOE0p3z2+szGIkz0ZQHfcWIISr46O
ymCk6+XQombn5XeEG2vH6jiUQLt0Qk2SRopgWJ8kL4NlAexoZxmYj0AlvGO0jtUn
47VEVt8hWpal/WZteYByWQQQOvoj7EhlANIKUGUG9yOcBcEApdHsgOcXewrbilZQ
d4kbpegxQhjKU9jLUXRsIPV2YFrDcT83/94PFTRk/vFBOnWS/Ygt5vRedcoF2HcR
TJMyE+JwnwGJzTPKwbPJgLnjrEGVrqEerCuTU9v0PpFxu0AOEeV1kPyNbRZzzC+p
al70ZI0CgYEA/Ge1Hj5OBjS2DLUYG0zhmc4xoiIqcgPJCn6QQmfqa6DbscQzXsnp
GqNlwvB76L0mwNOSABX53YaXhFCrYXMRsXWl95hK7NYCGnD6f/fYcr3u+NdBm5+N
qEiqcq779arAXqGaN/TGKsm507ngyLBrMbUlaPQEXfaBjrQL3f0k7qMCgYEA44AW
1ptUWy0Wx5oa1wdYVgGw+Wbxb8JY88pj29JhE3Qwhy9FBq7x0wZOoQDSkyvbu9aZ
bEiUtctXDDNE/Fy7XgEBMiqrn4R383pbZ5LnmsFKZEcADU1Pe4HjDgSq1rjNSJSA
xEz8xRQvIvy4kpp/tpKsN/Xg2ZBnQmqgj6LWv8sCgYBKeSsWnlmVOS5R94kCXR/f
qtg4N46Aj59dClT0Uwb29MJ95B8oI7k00+ttpllZJZ5unL5iahmMhG7maor2uOYK
j2UF9hh9YvPB633uDin+SQ5eu9yu11gLxE0Og5TyOoyCH3qKch2aeGTtFNY/QNaQ
FxvPqNg1BUva2EL8H/oqswKBgQDjbW1nZSjTbSPUrq4eQG2CrXYqHUtHmlYqgS2K
16nMNN8+hXbP05xUhX2dXqEkFzg3c7U0lupzQq/mtmpEjr+Qnhh/+kBP27G+aZdu
12FJR+oCjSf0JFFM+u/tV6UhuuUdpbeEhiI7Mo5cv6AUjvcVoVMhLmB1nvJbZxTU
AsoEOQKBgHHVuuq4kWDfORCYwTvZPX0byQu++QhlOFfClYBIVuCP4/cU0o3Kw1Z6
tf+zP2rBMOl5eD7IBHjAtOlNjXcFgiyymNxJDKJSmTpw1VePncmuT5UMq8rbljSW
Yg0QGwyvB1Cat2mpgqVWS7YT0nmTooWmQdO3Qp48f+bVvmO/dJXS
-----END RSA PRIVATE KEY-----
Configuration
Configuring Certificates
Copying a Certificate to the Switch
The copy file: certificate: command copies the certificate to the certificate: file system from any supported source URLs of the copy command. The source file may contain multiple PEM encoded certificates, but must not contain other entities such as keys.
Example
switch(config)#copy file:/tmp/ssl/server.crt certificate:
Copy completed successfully.
switch(config)#
Errors while Copying the Certificates
- The PEM encoded entities in the source file must all be certificates. If the
source file contains different types of entities (e.g. a certificate and a
key), the copy fails and an error message is displayed as
shown.
switch(config)#copy file:tmp/ssl/mixed.crt certificate: % Error copying file:tmp/ssl/mixed.crt to certificate: (Multiple types of entities in certificate file not supported) switch(config)#
- The source file must contain valid PEM encoded certificates. If the file
contains invalid certificates, the copy fails and an error message is
displayed as
shown.
switch(config)#copy file:tmp/ssl/bad.crt certificate: % Error copying file:tmp/ssl/bad.crt to certificate: (Invalid certificate) switch(config)#
- Only certificates with RSA public keys are supported. If the certificate
does not have an RSA public key, the copy fails and an error message is
displayed as
shown.
switch(config)#copy file:tmp/ssl/dsa.crt certificate: % Error copying file:tmp/ssl/dsa.crt to certificate: (Certificate does not have RSA key) switch(config)#
Deleting a Certificate
The delete certificate command deletes a certificate configuration from the certificate: file system on the switch.
Example
switch(config)#delete certificate:server.crt
switch(config)#
Generating Certificates
The following commands help the user to generate a self-signed certificate or Certificate Signing Request (CSR).
- This command generates a self-signed certificate or Certificate Signing
Request (CSR). In the example below, the existing private key
test.key is used to generate the certificates. The
user will be prompted for the common name, two-letter country code, etc. A
common name is required. The generated Certificate Signing Request (CSR) can
be viewed on the CLI, whereas a self-signed certificate will be saved to the
certificate: file system.
switch#security pki certificate generate self-signed test.crt key test.key Common Name for use in subject: test [...] certificate:test.crt generated switch#
- This command specifies the digest and the validity (in days) of the
certificate. The validity is applicable only for self-signed certificates.
switch#security pki certificate generate signing-request key test.key digest sha256 validity 365 Common Name for use in subject: test [...] certificate:test.crt generated switch#
- This command adds the certificate parameters such as common-name, country,
email, and others.
switch#security pki certificate generate signing-request key test.key parameters common-name Test [country US ...] certificate:test.crt generated switch#
Configuring Keys
Copying a Key to the Switch
The copy command copies an RSA key to the sslkey: file system. The key can be copied from any supported source URLs of the copy command. The source file must contain only one key. Password protected keys are not supported.
Example
switch#copy file:/tmp/ssl/server.key sslkey:
Copy completed successfully.
switch#
Errors While Copying the Keys
- Only one PEM encoded key per file is supported. If the source file contains
multiple PEM encoded keys, the copy fails and an error message is displayed
as shown.
switch#copy file:tmp/ssl/multi.key sslkey: % Error copying file:tmp/ssl/multi.key to sslkey: (Multiple PEM entities in single file not supported)
- The source file must contain a valid PEM encoded RSA key. If the file
contains an invalid RSA key, the copy fails and an error message is
displayed as
shown.
switch# copy file:tmp/ssl/bad.key sslkey: % Error copying file:tmp/ssl/bad.key to sslkey: (Invalid RSA key)
- Password protected keys are not supported. If the source file contains a
password protected key, the copy fails and an error message is displayed as
shown.
switch#copy file:/tmp/ssl/pass.key sslkey: % Error copying file:tmp/ssl/pass.key to sslkey: (Password protected keys are not supported)
Deleting a Key
The delete command deletes the key configuration from the switch.
Example
switch# delete sslkey:server.key
Generating Keys
The following commands help the user to generate RSA keys.
- This command generates a 2048-bit long RSA private key and saves it to
sslkey:test.key.
switch# security pki key generate rsa 2048 test.key
- This command generates a 4096-bit long self-signed certificate RSA key and
2048-bit long certificate signing request RSA
key.
switch# security pki certificate generate self-signed test.crt key test.key generate rsa 4096 switch#security pki certificate generate signing-request key test.key generate rsa 2048
Configuring a certificate with a RSA key in SSL Profile
A SSL profile is configured with a certificate and its corresponding RSA key. The public key information in the certificate must match the RSA key. This certificate and RSA key pair are used to authenticate to the peer during SSL negotiation. The individual EOS features that use SSL profile configuration will decide whether the certificate and key configuration is optional or mandatory.
-
switch# config switch(config)# management security switch(config-mgmt-security)# ssl profile server switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key
-
In this case, if the RSA key configured in SSL profile does not match with the configured certificate, the SSL profile state becomes invalid, and an error message is displayed.
switch(config-mgmt-security)# ssl profile server switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key client.key switch(config-mgmt-sec-ssl-profile-server)# show management security ssl profile Profile State Error ------------- ------------- ---------------------------------------- server invalid Certificate 'server.crt' does not match with key
Configuring SSL Profile with a Certificate Authority (CA)
During SSL negotiation with mutual authentication, the peer (or client) certificate is verified by checking if it is signed by one of these trusted certificates. For peer certificates that do not have a chain to a trusted certificate, the full bundle of certificates leading to the trusted certificates must be included. The individual EOS features that use SSL profile configuration will decide whether the trusted certificate configuration is optional or mandatory.
Example
switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile server
switch(config-mgmt-sec-ssl-profile-server)# trust certificate ca1.crt
switch(config-mgmt-sec-ssl-profile-server)# trust certificate ca2.crt
Configuring Certificate Chains
Certificate chains are used to provide a chain of trust for the SSL Profile server certificate to a remote party. Several chain certificate commands can be issued to build a certificate chain with many intermediate CAs, regardless of the order. Use the chain certificate command to configure the certificate chain for a SSL profile. The no form of the command deletes the certificate configuration.
Examples
- These commands configure the certificate chain shown schematically in figure
Configuring Certificate Chains above. server.crt is issued
by an intermediate CA intermediate.crt and
intermediate.crt is itself issued by the root CA
ca.crt.
switch#(config)# management security switch#(config-mgmt-security)# ssl profile server switch#(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key switch#(config-mgmt-sec-ssl-profile-server)# chain certificate intermediate.crt switch#(config-mgmt-sec-ssl-profile-server)# exit switch(config)#
- The other peer can be configured to trust ca.crt in order
to verify the certificate chain during the TLS handshake as shown
below.
switch# config switch#(config)# management security switch(config-mgmt-security)# ssl profile client switch(config-mgmt-sec-ssl-profile-client)# certificate client.crt key client.key switch(config-mgmt-sec-ssl-profile-client)# trust certificate ca.crt
- To check the revocation status of the server certificate chain, the client
can add the Certificate Revocation List (CRLs) to its SSL profile
configuration. One CRL needs to be specified for every CA in the chain, even
if its not revoking any
certificate.
switch# config switch#(config)# management security switch(config-mgmt-security)# ssl profile client switch(config-mgmt-sec-ssl-profile-client)# crl intermediate.crl switch(config-mgmt-sec-ssl-profile-client)# crl ca.crl
Note: Both the chain certificate and crl commands look into the certificate: file system to find the right PEM file.
switch(config)#management security
switch(config-mgmt-security)#ssl profile server2
switch(config-mgmt-sec-ssl-profile-server2)#certificate server2.crt key server2.key
switch(config-mgmt-sec-ssl-profile-server2)#chain certificate intermediate2.crt
switch(config-mgmt-sec-ssl-profile-server2)#chain certificate intermediate.crt
switch(config-mgmt-sec-ssl-profile-server2)#exit
switch(config-mgmt-security)#exit
switch(config)#
A certificate chain can be split into two parts, each part configured on a different peer. The location of the split can be anywhere, as long as between the client and the server, a complete certificate chain can be constructed. The following example shows a server and client SSL profile configuration with a split certificate chain.
switch(config)#management security
switch(config-mgmt-security)#ssl profile server2
switch(config-mgmt-sec-ssl-profile-server2)#certificate server2.crt key server2.key
switch(config-mgmt-sec-ssl-profile-server2)#chain certificate intermediate2.crt
switch(config-mgmt-sec-ssl-profile-server2)#exit
switch(config-mgmt-security)#exit
switch(config)#
switch(config)#management security
switch(config-mgmt-security)#ssl profile client
switch(config-mgmt-sec-ssl-profile-client)#certificate client.crt key client.key
switch(config-mgmt-sec-ssl-profile-client)#trust certificate ca.crt
switch(config-mgmt-sec-ssl-profile-client)#trust certificate intermediate.crt
switch(config-mgmt-sec-ssl-profile-client)#exit
switch(config-mgmt-security)#exit
switch(config)#
The following configuration will not work, as it results in invalid SSL profiles.
switch(config)#management security
switch(config-mgmt-security)#ssl profile server2
switch(config-mgmt-sec-ssl-profile-server2)#certificate server2.crt key server2.key
switch(config-mgmt-sec-ssl-profile-server2)#chain certificate intermediate.crt
switch(config-mgmt-sec-ssl-profile-server2)#show management security ssl profile
Profile State Additional Info
---------------------------- ------------- ----------------------------------------
server3 invalid Profile has invalid certificate chain
switch(config-mgmt-sec-ssl-profile-server3)#exit
switch(config-mgmt-security)#exit
switch(config)#
switch(config)#management security
switch(config-mgmt-security)#ssl profile client3
switch(config-mgmt-sec-ssl-profile-client3)#certificate client3.crt key client3.key
switch(config-mgmt-sec-ssl-profile-client3)#trust certificate intermediate.crt
switch(config-mgmt-sec-ssl-profile-client3)#show management security ssl profile
Profile State Additional Info
---------------------------- ------------- ----------------------------------------
client3 invalid Profile has invalid trusted certificate
chain
switch(config-mgmt-sec-ssl-profile-client3)#exit
switch(config-mgmt-security)#exit
switch(config)#
Local Certificate Checks
EOS performs various checks on the certificates in an SSL profile before allowing the use of the profile. The way these checks is performed can be modified, added to or relaxed locally. The following are some of the checks that can be performed before any communication with the peer.
- Check whether the certificate has an extended key usage attribute:
switch(config-mgmt-sec-ssl-profile-client)# certificate requirement extended-key-usage
- Check whether all the trusted certificates or certificates in the chain have
CA basic constraints set to
true.
switch(config-mgmt-sec-ssl-profile-client)# trust certificate requirement basic-constraints ca true switch(config-mgmt-sec-ssl-profile-client)# chain certificate requirement basic-constraints ca true
- Do not mark an expired certificate as
invalid.
switch(config-mgmt-sec-ssl-profile-client)# certificate policy expiry-date ignore
Displaying SSL profile status and SSL profile errors
The show management security ssl profile command displays the SSL profile status information. To view a specific SSL profile status, use the name of the SSL profile. Otherwise, all SSL profile statuses are displayed.
Example
switch# show management security ssl profile server
Profile State
------------- -----------
server valid
If there are any errors in the SSL profile, an invalid state is displayed and the errors are listed in the third column. Once the error is fixed, the SSL profile becomes valid.
- When the certificate server.crt does not match
with the key, the following error message is
shown.
switch# show management security ssl profile server Profile State Error ------------- ------------- ---------------------------------------- server invalid Certificate 'server.crt' does not match with key
- When a trusted certificate ca2.crt does not exist,
the following error message is
shown.
switch# show management security ssl profile server Profile State Error ------------- ------------- ------------------------------------- server invalid Certificate 'ca2.crt' does not exist
- When a trusted certificate foo.crt is not a
self-signed root certificate, the following error message is
shown.
switch# show management security ssl profile server Profile State Error ------------- ------------- ---------------------------------------- server invalid Certificate 'foo.crt' is trusted and not a root certificate
- When the certificate server.crt is expired the
following error message is
shown.
switch# show management security ssl profile server Profile State Error ------------- ------------- ------------------------------------- server invalid Certificate 'server.crt' has expired
- When the certificate chain is missing an intermediate certificate, the
following error message is
shown.
switch# show management security ssl profile server Profile State Error -------------- ------------- --------------------------------------------- server invalid Profile has invalid certificate chain Certificate 'intermediate.crt' does not exist
Rotating Certificate and Key Pair
switch01# show running-config section ssl
management security
ssl profile profile01
certificate cert.pem key key.pem
Run the
security pki certificate generate
signing-request rotation ssl profile command
to generate a new key and corresponding signing request for SSL profile
profile01. This command also
generates a unique rotation ID that can be later used to import the
certificate.switch01# security pki certificate generate signing-request rotation ssl profile profile01 key generate rsa 2048 parameters common-name switch01
Rotation ID: 2ad7771e8cbc11ebbba37483ef8d9c4b
Certificate Signing Request:
-----BEGIN CERTIFICATE REQUEST-----
MIICZzCCAU8CAQAwEzERMA8GA1UEAwwIc3dpdGNoMDEwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCy5EsczfEZlAVNZQ8/nfRgEF3bg/tz0XrQJwP/zHhI
UFx1A1VI4O7XhUrYReH1h4OQWhXXX0AHTLTsaClJWHH9m7SXb4iZVo/Y1zXGdyju
1FmnWnNDi72M8f60WXG9gAMtnZK9K53A3lwvrKS+CwJkLCOjlH4xyp1Wsg1+yfay
AdfXAj+s1Vmg3Rux/XR8iP3N620YVbQ+AfWUQkSNFSsykcTeLvx2WybqX4p4Kids
nqU28ml/NZPS5wEc2OXhagrBn3jHbxdmI33/4SJHN8iNZ6h+gQz+JI18bQrlTHng
RzAx1ENvnz7ZzzeN/n/wh/ArZ6Q9aojrBtAk55aGuY4hAgMBAAGgDzANBgkqhkiG
9w0BCQ4xADANBgkqhkiG9w0BAQsFAAOCAQEAqwQbAsdw6UhpvjDk8OdmXLgCNOSC
jGFLFZe4I67gDmyGQR2lG1brRTQPKp7OphpPxaqr3YvxErEFdQ35gvIUyo9j8qp1
F22yAZGjLqU3prnGLEAZ/I3PcdivNVzL9UJw/JMfHI1CMH6yGtbEI2BXsCTetfxm
JE+N9ujfBlQ/MjUR6IszNxEB2YkFh/DvnVUHoqV0ka+JRmMhGkmTrXwad8bhxYZs
g7cwXktsMLuy2otK21fkFcRvd9OHXssJ2Mf7914ALiDe2sfixHX+35SytR8bahTk
z09HPCkxJmfl+cdhS9SWXrXpHHwXicjwYCj1pqZulBFXtgnVs2Kmd3NnRA==
-----END CERTIFICATE REQUEST-----
The complete syntax of the
above command is as follows. The import-timeout
specifies the timeout for this rotation ID. If no certificate is imported
within this timeout, the rotation ID expires and will be deleted.
switch# security pki certificate generate signing-request rotation ssl profile <profile-name>
key generate rsa <2048|3072|4096>
[ import-timeout <minutes> ] (default: 60 mins)
[ digest <sha256|sha384|sha512> ] (default: sha256) parameters common-name <common-name>
[ country <country-code> ]
[ state <state-name> ]
[ locality <locality-name> ]
[ organization <org-name> ]
[ organization-unit <org-unit-name> ]
[ email <email> ]
[ subject-alternative-name [ ip <ip1 ip2 …> ]
[ dns <nm1 nm2 …> ] [ dns <nm1 nm2 …> ]
Use the
show security pki certificate
rotation command to view the status of rotation
IDs.switch# show security pki certificate rotation
Rotation ID Profile Name State Expiry
--------------------------------- ------------ --------------- -------------------
2ad7771e8cbc11ebbba37483ef8d9c4b profile01 Import Pending 2021-03-24 10:15:37
Copy
the signing request, get it signed by a CA and import the certificate using
the security pki certificate rotation import
<rotation-id> command. Use the rotation ID
that was generated with the signing request. switch# security pki certificate rotation import 2ad7771e8cbc11ebbba37483ef8d9c4b
Enter TEXT certificate. Type 'EOF' on its own line to end.
-----BEGIN CERTIFICATE-----
MIICnTCCAYWgAwIBAgIJANzHst3ljdWfMA0GCSqGSIb3DQEBCwUAMA4xDDAKBgNV
BAMMA2ZvbzAeFw0yMTAzMjQxNjAyMDdaFw0yMjAzMjQxNjAyMDdaMA4xDDAKBgNV
BAMMA2ZvbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2LhqPnQ3Oz
1Pg1PB5toNyCNB60IdCDUVXZcwmyCgS6ifwBYgmw/mCq3iOFncEilaCNIkaFKiWf
b7s43jQd9tmAbnnQw3xUO8jDweus+yCumMNjLLQApbTOZDE4zDonmbWh6kswh8qI
batiz9wR7l5K1bPbbmQx6nO28LrcLCuFSZWrw4R2nprQxdoo5eAotMsGDQdh2vn7
k4yD0CQGVCquVzKI+iVgW7yIfiZ9cwWdFTAlTmkrqQsq+edZmvnuNcOaZm22R5Sb
aPy9osv82oZk8iMX+oDYddY2wMQzLd7ByWlAh4bzCJxNMPIz8hrxU84up0I4srXi
xDVXdL1d2JsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEADkjfobxF7BAVFdIjyWHL
ID+9D1t96JvCe+PDUyggow6iZE8ROq2fIFHuXhXMrd/neN3WtxqtjvGBnS49t4fa
qIcjerkIPwLaBSwWdpm/1FrIFejYqU0symRE3bKJULLBEdQhyox37D2uqPm71ado
5rXCX9pSu2oNOThd/877QKxtrKa5pekx1acxEa4E0QJ0/YPwkA5nCzM9jy7DZlH2
+cdtCxREeqlhOJUJxQ2354LyykU2fOXe6AGGdVE9hdIOJDnG26VVb+gFt2qaKD5+
3D3/Gd1pm4P3+9aENlhAcr0PUoL3xUApeIdkEf7n8KHiNP+gmlPyVDTCAudwHnwq
Vg==
-----END CERTIFICATE-----
EOF
Success
switch# security pki certificate rotation commit 2ad7771e8cbc11ebbba37483ef8d9c4b
Success
switch# security pki certificate rotation commit ssl profile profile01
Enter TEXT private key. Type 'EOF' on its own line to end.
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCti4aj50Nzs9T4
NTwebaDcgjQetCHQg1FV2XMJsgoEuon8AWIJsP5gqt4jhZ3BIpWgjSJGhSoln2+7
ON40HfbZgG550MN8VDvIw8HrrPsgrpjDYyy0AKW0zmQxOMw6J5m1oepLMIfKiG2r
Ys/cEe5eStWz225kMepztvC63CwrhUmVq8OEdp6a0MXaKOXgKLTLBg0HYdr5+5OM
g9AkBlQqrlcyiPolYFu8iH4mfXMFnRUwJU5pK6kLKvnnWZr57jXDmmZttkeUm2j8
vaLL/NqGZPIjF/qA2HXWNsDEMy3ewclpQIeG8wicTTDyM/Ia8VPOLqdCOLK14sQ1
V3S9XdibAgMBAAECggEAEdDMLSD4HTVzDFoBW8mlpQ10G/TNBd1Sk7gY0FV9JCLM
OIPMfzHdeKoB15lcv691DIArP8cQM8A21ab5tKr2JOTuMnDaffXIagyikzb0/tQT
1qhaFeHaHCTFP4yBQKBgQDczahFFYJRP0joT4Hu
iywlkhbyOHV7b9xuPPhqwQxFYqHvEE0qBnmjBzXujbpdb+V18QFGyl0uH4mHr+lt
izcyAbEx5YL/y5Vu08bITZr0mUxS0ZkDXg6n6GKJVIPUH05xSZb/eqtSFIq/DsBQ
YSwu6WzOj4dNpEQAeD8jMmGAlwKBgQDJNWTNyC2JgDYmF039gwNEOY+UuJQ3v/Jo
Ei2IHG4ISxVlZc9lZgLuWHDyS6zNOIeSAYIzDVSsRAGH9sWaK4E4Yno4KHptRC5F
MEbtnrojTO2ANC9JcWo2EgP31r1OJolFpKUiPhOEAzdEYd/sdp9tWEusszTrn8fb
PHvSHUFknQKBgDe8VhByOH4HyoCRqUusp80oDlDAPa+V8f+FtnNEHbPaDORKqh/E
mKm1ZUC9V+DEIRjfaCIVbOX6of21Quga7yjZUoA03hdxrVvXa2Mea9H4bFKvg79c
27g4qb7erZQ6/tML72i370z90HQf5h2kGcIRvBx8EHxhzaSMtetNiV0rAoGAP3Qz
QiJrGf3xFborwlNa6F0uxrwfIiXKkL+K1G4C1WK4cK3W5idxrTD/DaqH6IB3YLhR
E0CU/27C/Nn6H1CxA9MqsCMz2NmzreY3uCBim1dbXx8V+pdl439y+Ooj8U195RSz
b0UcanmJKGulbrFKPfWmh+RMQDK3mJBOjEjlopECgYAr6F+60TZ7ZAvA0vZ9Plrn
tzvY7GhopJgJfAvfi5nBXPS+fkdKtWzOmhW1jon1ka0fEeRQnQjB7DSYB4zldufPKiD+EXgJtQbhS
qfdtgL7QlhVrpO/s5tUrPE/KRu/yLGtEWruQlDCawpMPA63eP4XER/MHVXBkqbWy
85vx46SisOBAnuEum0yMngru5fARoBKO1aV7G94FI7Eu5rDqeVYsE5jrdnWJTZTg
pHf9RYUOlz8RwwbD/xUs+cKbM1qhaFeHaHCTFP4yBQKBgQDczahFFYJRP0joT4Hu
iywlkhbyOHV7b9xuPPhqwQxFYqHvEE0qBnmjBzXujbpdb+V18QFGyl0uH4mHr+lt
izcyAbEx5YL/y5Vu08bITZr0mUxS0ZkDXg6n6GKJVIPUH05xSZb/eqtSFIq/DsBQ
YSwu6WzOj4dNpEQAeD8jMmGAlwKBgQDJNWTNyC2JgDYmF039gwNEOY+UuJQ3v/Jo
Ei2IHG4ISxVlZc9lZgLuWHDyS6zNOIeSAYIzDVSsRAGH9sWaK4E4Yno4KHptRC5F
MEbtnrojTO2ANC9JcWo2EgP31r1OJolFpKUiPhOEAzdEYd/sdp9tWEusszTrn8fb
PHvSHUFknQKBgDe8VhByOH4HyoCRqUusp80oDlDAPa+V8f+FtnNEHbPaDORKqh/E
mKm1ZUC9V+DEIRjfaCIVbOX6of21Quga7yjZUoA03hdxrVvXa2Mea9H4bFKvg79c
27g4qb7erZQ6/tML72i370z90HQf5h2kGcIRvBx8EHxhzaSMtetNiV0rAoGAP3Qz
QiJrGf3xFborwlNa6F0uxrwfIiXKkL+K1G4C1WK4cK3W5idxrTD/DaqH6IB3YLhR
E0CU/27C/Nn6H1CxA9MqsCMz2NmzreY3uCBim1dbXx8V+pdl439y+Ooj8U195RSz
b0UcanmJKGulbrFKPfWmh+RMQDK3mJBOjEjlopECgYAr6F+60TZ7ZAvA0vZ9Plrn
tzvY7GhopJgJfGr1GYQPJi38DJ5NR/w64js21t5X2yJ4xcCB3H7R0QWJ9EE+fc+7
nBYFJlaDzSRBbES24yGh4n4Vc6luYW9A+YJR3EaElE6RMWyzIY8J8kV2xuTaK9xe
pdM9x1J1kIm2rA1mcO4Xqw==
-----END PRIVATE KEY-----
EOF
Enter TEXT certificate. Type 'EOF' on its own line to end.
-----BEGIN CERTIFICATE-----
MIICnTCCAYWgAwIBAgIJANzHst3ljdWfMA0GCSqGSIb3DQEBCwUAMA4xDDAKBgNV
BAMMA2ZvbzAeFw0yMTAzMjQxNjAyMDdaFw0yMjAzMjQxNjAyMDdaMA4xDDAKBgNV
BAMMA2ZvbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2LhqPnQ3Oz
1Pg1PB5toNyCNB60IdCDUVXZcwmyCgS6ifwBYgmw/mCq3iOFncEilaCNIkaFKiWf
b7s43jQd9tmAbnnQw3xUO8jDweus+yCumMNjLLQApbTOZDE4zDonmbWh6kswh8qI
batiz9wR7l5K1bPbbmQx6nO28LrcLCuFSZWrw4R2nprQxdoo5eAotMsGDQdh2vn7
k4yD0CQGVCquVzKI+iVgW7yIfiZ9cwWdFTAlTmkrqQsq+edZmvnuNcOaZm22R5Sb
aPy9osv82oZk8iMX+oDYddY2wMQzLd7ByWlAh4bzCJxNMPIz8hrxU84up0I4srXi
xDVXdL1d2JsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEADkjfobxF7BAVFdIjyWHL
ID+9D1t96JvCe+PDUyggow6iZE8ROq2fIFHuXhXMrd/neN3WtxqtjvGBnS49t4fa
qIcjerkIPwLaBSwWdpm/1FrIFejYqU0symRE3bKJULLBEdQhyox37D2uqPm71ado
5rXCX9pSu2oNOThd/877QKxtrKa5pekx1acxEa4E0QJ0/YPwkA5nCzM9jy7DZlH2
+cdtCxREeqlhOJUJxQ2354LyykU2fOXe6AGGdVE9hdIOJDnG26VVb+gFt2qaKD5+
3D3/Gd1pm4P3+9aENlhAcr0PUoL3xUApeIdkEf7n8KHiNP+gmlPyVDTCAudwHnwq
Vg==
-----END CERTIFICATE-----
EOF
Success
Resetting Diffie-Hellman Parameters
The Diffie-Hellman parameters file is used for symmetric key exchange during SSL negotiation. When the system is booted, the system auto generates a Diffie-Hellman parameters file if one does not exist. To reset the auto generated Diffie-Hellman parameters file, use the reset command. The individual features that use SSL profile configuration will decide whether they also use the Diffie-Hellman parameters file. The switch uses 2048-bit Diffie-Hellman parameters with no options to select the size.
Example
switch# reset ssl diffie-hellman parameters
Displaying the Diffie-Hellman parameters
The show management security ssl diffie-hellman command displays the Diffie-Hellman parameters.
Example
switch# show management security ssl diffie-hellman
Last successful reset on Apr 10 16:18:08 2015
Diffie-Hellman Parameters 1024 bits
Generator: 2
Prime: dc47b5edc0d2b41451432f79f45efab452bba7b1ab118c194d671d6752ed1c550
664ed8f052ad0fdad623c1d54ae5aee5e728d2bd7a6221636b787a4c08d1fef8c
6dcd10759d38f8b70b47d1c7972d69b0b295a2ee6ab44cfc7352cb133e85197c8
9f1fc27aac7e8e02afb4fb01ca1cb05558a7bef505b73a8d06cdfe403576b
Configuring the TLS Handshake Settings
During a TLS handshake, both peers send each other a list of the TLS versions they support as a way to agree on and use the highest common version. In a SSL profile the following allowable versions can be configured using the tls versions command. By default, TLSv1, TLSv1.1, and TLSv1.2 are enabled.
- This command forces TLSv1.2 to be used. If the other peer
does not support this version, the TLS handshake
fails.
switch# config switch#(config)# management security switch(config-mgmt-security)# ssl profile client switch(config-mgmt-sec-ssl-profile-client)# switch(config-mgmt-sec-ssl-profile-client)# tls versions 1.2
- These commands add support for TLSv1.1 on top of the already
configured
TLSv1.2.
switch(config-mgmt-sec-ssl-profile-client)# tls versions add 1.1 switch(config-mgmt-sec-ssl-profile-client)# tls versions 1.1 1.2
Similarly to the TLS version, the cipher suite is negotiated between the client and the server during a TLS handshake. Ideally, the client will send the list of cipher suites it supports and the server will choose a common cipher suite after looking at the clients list as well as its own list of cipher suites. The default cipher-list setting here is an Open SSL cipher string that is HIGH:!eNULL:!aNULL:!MD5, which only allows key length larger than 128 bits and forbids cipher suites using MD5. The full list of cipher suites can be expanded using the shell command openssl ciphers HIGH:!eNULL:!aNULL:!MD5
Example
switch(config-mgmt-sec-ssl-profile-client)# cipher-list AESGCM
switch(config-mgmt-sec-ssl-profile-client)# cipher-list SHA256:SHA384
switch(config-mgmt-sec-ssl-profile-client)# cipher-list ECDHE-ECDSA-AES256-GCM-SHA384
Enabling the Federal Information Processing Standards (FIPS) Mode
Federal Information Processing Standards (FIPS) is a cryptographic standard used to restrict the cryptographic functions and protocol versions that are used by OpenSSL.
Example
switch(config-mgmt-sec-ssl-profile-client)# fips restrictions
Syslog with TLS Support
To collect Syslog information on a remote Syslog server define an SSL profile. Traffic to the server is then sent over a TLS connection.
Configuring Syslog with TLS Support
switch(config)# logging host test.example.com 1234 protocol tls ssl-profile test-profile
SSL Profile Example (Minimal)
switch(config-mgmt-security)# ssl profile test-profile
switch(config-mgmt-sec-ssl-profile-test-profile)# certificate clientCert key clientKey
switch(config-mgmt-sec-ssl-profile-test-profile)# trust certificate serverCA
Displaying Certificate and Key Information
Displaying Certificate Information
Displaying the Directory Information
The dir command displays the directory output of certificate file systems.
Example
switch# dir certificate:
Directory of certificate:/
-rw- 3319 Apr 10 11:50 server.crt
No space information available
Displaying the certificate information
The show management security ssl certificate command displays the certificate information. To view a specific certificate use the name of the certificate, else all the certificates are displayed.
Example
switch# show management security ssl certificate server.crt
Certificate server.crt:
Version: 1
Serial Number: 9
Issuer:
Common name: ca
Email address: This email address is being protected from spambots. You need JavaScript enabled to view it.
Organizational unit: Foo Org
Organization: Foo
Locality: SC
State: CA
Country: US
Validity:
Not before: Aug 11 21:44:17 2014 GMT
Not After: May 14 21:44:17 2069 GMT
Subject:
Common name: server
Email address: This email address is being protected from spambots. You need JavaScript enabled to view it.
Organizational unit: Foo Org
Organization: Foo
Locality: SC
State: CA
Country: US
Subject public key info:
Encryption Algorithm: RSA
Size: 2048 bits
Public exponent: 65537
Modulus: e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
635a831d5ec96d841
Displaying Certificate Revocation List (CRL) Information
The show management security ssl crl command displays the installed Certificate Revocation List (CRL) information. To view a specific CRL use the name of the CRL, else all the CRLs are displayed.
Example
switch# show management security ssl crl intermediate.crl
CRL intermediate.crl:
CRL Number: 11
Issuer:
Common name: intermediate
Email address: This email address is being protected from spambots. You need JavaScript enabled to view it.
Organizational unit: Foo Org
Organization: Foo
State: CA
Country: US
Validity:
Last Update: Jul 19 19:27:34 2016 GMT
Next Update: Dec 05 19:27:34 2043 GMT
Displaying Key Information
Displaying the Directory Information
The dir command displays the directory output of SSL key file systems.
Example
switch# dir sslkey:
Directory of sslkey:/
-rw- 1675 Apr 10 12:55 server.key
No space information available
Displaying the RSA Key Information
The show management security ssl key command displays the RSA key information. To view a specific RSA key use the name of the key, otherwise, all the keys are displayed. For security reasons, only the public part of the key is displayed.
Example
switch# show management security ssl key server.key
Key server.key:
Encryption Algorithm: RSA
Size: 2048 bits
Public exponent: 65537
Modulus: e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d
TLS Commands
Configuration Commands
Show Commands
copy file: certificate:
The copy file: certificate: command copies the certificate to the certificate: file system. The certificate can be copied from any supported source URL of the copy command.
Command Mode
Global Configuration
Command Syntax
copy file: file_name certificate:
Parameters
file_name location or the path of the file or the directory where the certificate is saved.
Guidelines
- A single source file can contain multiple PEM encoded entities, but they
must all be certificates. If other types such as SSL keys are also included,
the copy fails and an error message is displayed as
shown.
switch(config)#copy file:tmp/ssl/mixed.crt certificate: % Error copying file:tmp/ssl/mixed.crt to certificate: (Multiple types of entities in certificate file not supported) switch(config)#
- The source file must contain valid PEM encoded certificates. If the file
contains invalid certificates, the copy fails and an error message is
displayed as
shown.
switch(config)#copy file:tmp/ssl/bad.crt certificate: % Error copying file:tmp/ssl/bad.crt to certificate: (Invalid certificate) switch(config)#
- Only certificates with RSA public keys are supported. If the certificate
does not have an RSA public key, the copy fails and an error message is
displayed as
shown.
switch(config)#copy file:tmp/ssl/dsa.crt certificate: % Error copying file:tmp/ssl/dsa.crt to certificate: (Certificate does not have RSA key) switch(config)#
Example
switch(config)# copy file:/tmp/ssl/server.crt certificate:
Copy completed successfully.
copy file: sslkey:
The copy file: sslkey: command copies the SSL key to the sslkey: file system. The key can be copied from any supported source URL of the copy command.
Command Mode
Global Configuration
Command Syntax
copy file: file_name sslkey:
Parameters
file_name location or the path of the file or the directory where the key is saved.Guidelines
- Only one PEM encoded key per file is supported. If the source file contains
multiple PEM encoded keys, the copy fails and an error message is displayed
as shown.
switch#copy file:tmp/ssl/multi.key sslkey: % Error copying file:tmp/ssl/multi.key to sslkey: (Multiple PEM entities in single file not supported)
- The source file must contain a valid PEM encoded RSA key. If the file
contains an invalid RSA key, the copy fails and an error message is
displayed as
shown.
switch#copy file:tmp/ssl/bad.key sslkey: % Error copying file:tmp/ssl/bad.key to sslkey: (Invalid RSA key)
- Password protected keys are not supported. If the source file contains a
password protected key, the copy fails and an error message is displayed as
shown.
switch#copy file:/tmp/ssl/pass.key sslkey: % Error copying file:tmp/ssl/pass.key to sslkey: (Password protected keys are not supported)
Example
switch(config)#copy file:/tmp/ssl/server.key sslkey:
Copy completed successfully.
switch(config)#
delete certificate:
The delete certificate: command deletes a specified certificate from certificate: file system on the switch.
Command Mode
Global Configuration
Command Syntax
delete certificate: certificate_name
Parameters
certificate_name name of the certificate to be deleted.
Example
switch(config)# delete certificate:server.crt
delete sslkey:
The delete sslkey: command deletes a SSL key from sslkey: file system on a switch.
Command Mode
Global Configuration
Command Syntax
delete sslkey: key_name
Parameters
key_name name of the key.
Example
switch(config)# delete sslkey:server.key
dir certificate:
The dir certificate: command displays the directory output of certificate: file system on the switch.
Command Mode
Global Configuration
Command Syntax
dir certificate:
Example
switch(config)# dir certificate:
Directory of certificate:/
-rw- 3319 Apr 10 11:50 server.crt
No space information available
dir sslkey:
The dir sslkey: command displays the directory output of sslkey: file system on the switch.
Command Mode
Global Configuration
Command Syntax
dir sslkey:
Example
switch(config)# dir sslkey:
Directory of sslkey:/
-rw- 1675 Apr 10 12:55 server.key
No space information available
reset ssl diffie-hellman parameters
The reset ssl diffie-hellman parameters command resets the Diffie-Hellman parameters file after a system reboot.
Command Mode
Global Configuration
Command Syntax
reset ssl diffie-hellman parameters
Example
switch(config)# reset ssl diffie-hellman parameters
switch(config)#
security pki certificate generate
The security pki certificate generate command is used to generate a self-signed certificate or a Certificate Signing Request (CSR) certificate. The generated CSR is displayed on the CLI, whereas a self-signed certificate is saved to the certificate: file system.
Many other parameters can be entered and applied to the certificate as shown in the following examples below.
Command Mode
Global Configuration
Command Syntax
security pki certificate generate {self-signed | signing-request} certificate_name Key key_name
- certificate_name name of the certificate to
generate. Options includes:
- self-signed request to generate self-signed certificate.
- signing-request request to generate signing-request.
- digest signs the certificate or key with the following cryptographic hash algorithm (sha256, sha384, sha512).
- key_name name of the key to modify.
- parameters signing request parameters for a
certificate. Option includes:
- common-name common name for use in subject.
- country two-letter country code for use in subject.
- email email address for use in subject.
- locality locality name for use in subject.
- organization organization name for use in subject.
- organization-unit organization Unit Name for use in subject.
- state state for use in subject.
- subject-alternative-name subject alternative name extension.
- rotation to generate a unique rotation ID.
- validity validity of the certificate in days. Value ranges from 1 to 30000 .
- This command generates a self-signed certificate or CSR certificate. In the
example below an existing private key (test.key)
is used to generate the certificates.
switch(config)# security pki certificate generate self-signed test.crt key test.key
- This command specifies the digest and the validity (in days) of the
certificate or key.
switch(config)# security pki certificate generate signing-request key test.key digest sha256 validity 365
- This command adds the certificate parameters such as
common-name, country, email, and others.
switch(config)# security pki certificate generate signing-request key test.key parameters common-name Test [country US ...]
security pki key generate
The security pki key generate command generates a RSA key used to validate a specific certificate.
The key generated can be modified and saved by entering the value of the length in generate rsa <length> parameter.
Command Mode
Global Configuration
Command Syntax
security pki key generate rsa key_name
- rsa use Rivest-Shamir-Adleman (RSA) algorithm. Options
include.
- 2048 Use 2048-bit keys.
- 3072 Use 3072-bit keys.
- 4096 Use 4096-bit keys.
- key_name name of the key to generate.
- This command generates a a 2048-bit long RSA private
key(test.key) and save it to
sslkey:test.key.
switch(config)#security pki key generate rsa 2048 test.key
- This command modifies the generated RSA key length
value.
switch(config)# security pki certificate generate self-signed test.crt key test.key generate rsa 4096 switch(config)# security pki certificate generate signing-request key test.key generate rsa 2048
show management security ssl certificate
The show management security ssl certificate command displays information about the certificate. Provide the name of the certificate if you want to view more information of the certificate. If no name is provided, this command displays information of all the certificates.
Command Mode
EXEC
Command Syntax
show management security ssl certificate [certificate_name]
Parameter
certificate_name name of the certificate. This is optional.
Example
switch# show management security ssl certificate server.crt
Certificate server.crt:
Version: 1
Serial Number: 9
Issuer:
Common name: ca
Email address: This email address is being protected from spambots. You need JavaScript enabled to view it.
Organizational unit: Foo Org
Organization: Foo
Locality: SC
State: CA
Country: US
Validity:
Not before: Aug 11 21:44:17 2014 GMT
Not After: May 14 21:44:17 2069 GMT
Subject:
Common name: server
Email address: This email address is being protected from spambots. You need JavaScript enabled to view it.
Organizational unit: Foo Org
Organization: Foo
Locality: SC
State: CA
Country: US
Subject public key info:
Encryption Algorithm: RSA
Size: 2048 bits
Public exponent: 65537
Modulus: e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
9f54c8c7f0b3a57a7ab826870119083222ad5ee76d40f3fae49d36e
b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
c08af6b451455b4a61071f4c0b3ec3553585312783e9381f65bb0e2
ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
97ee6190586ed28c0e376f48e53f05a40c7e1f3a65e3c6165bae5df
f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d
635a831d5ec96d841
show management security ssl crl
The show management security ssl crl command displays the basic information on the installed Certificate Revocation List (CRLs).To view information of a specific CRL provide the name of the CRL. If no name is provided, this command shows information of all the CRLs.
Command Mode
EXEC
Command Syntax
show management security ssl crl
Example
switch# show management security ssl crl intermediate.crl
CRL intermediate.crl:
CRL Number: 11
Issuer:
Common name: intermediate
Email address: This email address is being protected from spambots. You need JavaScript enabled to view it.
Organizational unit: Foo Org
Organization: Foo
State: CA
Country: US
Validity:
Last Update: Jul 19 19:27:34 2016 GMT
Next Update: Dec 05 19:27:34 2043 GMT
show management security ssl diffie-hellman
The show management security ssl diffie-hellman command displays the Diffie-Hellman parameter information.
Command Mode
EXEC
Command Syntax
show management security ssl diffie-hellman
Example
switch# show management security ssl diffie-hellman
Last successful reset on Apr 10 16:18:08 2015
Diffie-Hellman Parameters 1024 bits
Generator: 2
Prime: dc47b5edc0d2b41451432f79f45efab452bba7b1ab118c194d671d6752ed1c550
664ed8f052ad0fdad623c1d54ae5aee5e728d2bd7a6221636b787a4c08d1fef8c
6dcd10759d38f8b70b47d1c7972d69b0b295a2ee6ab44cfc7352cb133e85197c8
9f1fc27aac7e8e02afb4fb01ca1cb05558a7bef505b73a8d06cdfe403576b
show management security ssl key
The show management security ssl key command displays the RSA key information. To view information of a specific key, provide the name of the key in the command. If no name is provided, this command displays information of all the keys.
Command Mode
EXEC
Command Syntax
show management security ssl key [key_name]
Parameter
key_name name of the key. This is optional.
Example
switch# show management security ssl key server.key
Key server.key:
Encryption Algorithm: RSA
Size: 2048 bits
Public exponent: 65537
Modulus: e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
9f54c8c7f0b3a57a7ab826870119083222ad5ee76d40f3fae49d36e
b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
c08af6b451455b4a61071f4c0b3ec3553585312783e9381f65bb0e2
ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
97ee6190586ed28c0e376f48e53f05a40c7e1f3a65e3c6165bae5df
f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d
635a831d5ec96d841
show management security ssl profile
The show management security ssl profile command displays the SSL profile status information. To display information of a specific SSL profile, provide the name of the profile. If no name is provided, this command displays profile status of all the SSL profiles.
If there are any errors in the SSL profile, the state is shown invalid and the errors are listed in the third column as shown in the example below.
Command Mode
EXEC
Command Syntax
show management security ssl profile [profile_name]
Parameter
profile_name name of the SSL profile, this is optional.
- This command displays the SSL profile status of profile
server.
switch# show management security ssl profile server Profile State ------------- ----------- server valid
- When the certificate server.crt
does not match with the key the following error
occurs.
switch# show management security ssl profile server Profile State Error ------------- ------------- ---------------------------------------- server invalid Certificate 'server.crt' does not match with key
- When a trusted certificate ca2.crt does not exist
the following error
occurs.
switch# show management security ssl profile server Profile State Error ------------- ------------- ---------------------------------------- server invalid Certificate 'ca2.crt' does not exist
- When a trusted certificate foo.crt is not
self-signed root certificate the following error
occurs.
switch# show management security ssl profile server Profile State Error ------------- ------------- ---------------------------------------- server invalid Certificate 'foo.crt' is trusted and not a root certificate
- When the certificate server.crt is expired the
following error
occurs.
switch# show management security ssl profile server Profile State Error ------------- ------------- ---------------------------------------- server invalid Certificate 'server.crt' has expired
- When the certificate chain is missing an intermediate certificate the
following error
occurs.
switch# show management security ssl profile server Profile State Error -------------- ------------- --------------------------------------------- server invalid Profile has invalid certificate chain Certificate 'intermediate.crt' does not exist
ssl profile
The ssl profile command places the switch in the SSL profile configuration mode. Various SSL profile management configurations are allowed in this mode. For example, this mode allows to configure a SSL profile with a certificate and its corresponding RSA key.
Similarly, other configurations such as trust certificate, chain certificate, crl, tls, cipher-list can be configured to a SSL profile in this mode.
The no form of the command deletes the SSL profile management configuration from running-config.
Command Mode
Management Security Mode
SSL Profile Mode
Command Syntax
ssl profile profile_name
Parameter
profile_name name of the profile.
- These commands place the switch in SSL profile
mode.
switch# config switch(config)# management security switch(config-mgmt-security)# ssl profile server switch(config-mgmt-sec-ssl-profile-server)#
- These commands configure SSL profile server with a certificate and its
corresponding RSA key. The no command deletes the certificate
configuration.
switch# config switch(config)# management security switch(config-mgmt-security)# ssl profile server switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key switch(config-mgmt-sec-ssl-profile-server)# no certificate server.crt key server.key
- These commands configure the trust certificate ca1.crt to an SSL profile.
The no command deletes a trusted certificate
configuration.
switch# config switch(config)# management security switch(config-mgmt-security)# ssl profile server switch(config-mgmt-sec-ssl-profile-server)# trust certificate ca1.crt switch(config-mgmt-sec-ssl-profile-server)# no trust certificate ca1.crt
- These commands configure the intermediate.crt chain certificate to an SSL
profile. The no command deletes a chain certificate
configuration.
switch# config switch(config)# management security switch(config-mgmt-security)# ssl profile server switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key switch(config-mgmt-sec-ssl-profile-server)# chain certificate intermediate.crt switch(config-mgmt-sec-ssl-profile-server)# no chain certificate intermediate.crt
- These commands provides Certificate Revocation List (CRL) to a SSL profile
to check the revocation status of the certificate chain. The no
command deletes the CRL configuration.
switch# config switch(config)# management security switch(config-mgmt-security)# ssl profile server switch(config-mgmt-sec-ssl-profile-server)# crl intermediate.crl switch(config-mgmt-sec-ssl-profile-server)# crl ca.crl switch(config-mgmt-sec-ssl-profile-server)# no crl ca.crl
- These commands configure TLSv1.2 to be used in the
SSL profile.
switch# config switch(config)# management security switch(config-mgmt-security)# ssl profile server switch(config-mgmt-sec-ssl-profile-server)# tls versions 1.2
- These commands build a cipher suite list.
-
switch# config switch(config)# management security switch(config-mgmt-security)# ssl profile server switch(config-mgmt-sec-ssl-profile-server)# cipher-list AESGCM switch(config-mgmt-sec-ssl-profile-server)# cipher-list SHA256:SHA38 switch(config-mgmt-sec-ssl-profile-server)# cipher-list ECDHE-ECDSA-AES256-GCM-SHA384
- This command check that the certificate has an extended key usage
attribute.
switch(config-mgmt-sec-ssl-profile-client)#certificate requirement extended-key-usage
- These commands check that all the trusted certificates or certificates in
the chain have a CA basic constraints set to
true.
switch(config-mgmt-sec-ssl-profile-client)# trust certificate requirement basic-constraints ca true switch(config-mgmt-sec-ssl-profile-client)# chain certificate requirement basic-constraints ca true
- This command enables the Federal Information Processing Standards (FIPS)
mode for a SSL profile.
switch(config-mgmt-sec-ssl-profile-client)# fips restrictions
802.1X Port Security
802.1X Port Security Introduction
802.1X is an IEEE standard protocol that prevents unauthorized devices from gaining access to the network.
- Supplicant (client).
- Authenticator (switch).
- Authentication server (RADIUS).
Before authentication can succeed, switchport is in unauthorized mode and blocks all traffic but, after authentication has succeeded, normal data can then flow through the switchport.
Port security control who can send or receive traffic from an individual switch port. An end node is not allowed to send or receive traffic through a port until the node is authenticated by a RADIUS server.
This prevents unauthorized individuals from connecting to a switch port to access your network. Only designated valid users on a RADIUS server will be allowed to use the switch to access the network.
802.1X Port Security Description
- Single Host Mode: Once the 802.1X supplicant is authenticated on the port, only the traffic coming from the supplicant's MAC is allowed through the port.
- Multi-Host Mode: Once the 802.1X supplicant is authenticated on the port, traffic coming from any source MAC is allowed through the port.
- Multi-Host authenticated Mode: Multiple 802.1X supplicants are allowed and the traffic coming from all authenticated supplicant’s MAC address is only allowed through the port.
The Single Host and the Multi-Host modes allow only one 802.1X supplicant to be authenticated for one port. Once it is successfully authenticated, no other 802.1X supplicant can be authenticated, unless the current one logs off. However, the Multi-Host authenticated Mode allows multiple 802.1X supplicants to be authenticated and provided access to the network.
Apart from 802.1X authentication, Arista switches also support MAC-Based Authentication (MBA), which allows devices not speaking 802.1X to have access to the network. The authenticator uses the MAC address of such devices as username/password in its RADIUS request packets. Depending on the MAC-Based Authentication configuration on the RADIUS server, it decides whether to authenticate the supplicant or not. Unlike 802.1X supplicants, multiple MBA supplicants are allowed on a single port. The MBA configuration is independent of the 802.1X host modes. MBA supplicants will not be considered to allow or reject unauthenticated traffic, based on the host mode.
Arista switches also support Dynamic VLAN assignment, which allows the RADIUS server to indicate the desired VLAN for the supplicant, using the tunnel attributes with the Access-Accept message. Both 802.1X and MBA supplicants can be assigned a VLAN via the RADIUS server. Note that only one VLAN per port is supported. When the first host authenticates, the authenticator port is put in the respective VLAN (via dynamic VLAN assignment) and subsequently, all other hosts must belong to that VLAN as well.
802.1X features are now supported on 802.1Q trunk ports allowing the user to have Port-Based Network Access Control (PNAC) on such a port. With this feature, traffic coming into an 802.1X enabled port with a VLAN tag can also be authenticated via both 802.1X or MBA.
By default, traffic from any unauthenticated device on an 802.1X enabled port is dropped. By configuring Authentication Failure VLAN on the authenticator switch, 802.1X or MBA supplicants traffic can be put into a specific VLAN, if the supplicant fails to authenticate via the RADIUS server.
Switch Roles for 802.1X Configurations
The 802.1X standard specifies the roles of Supplicant (client), Authenticator, and Authentication Server in a network. Switch Roles for 802.1X Configurations illustrates these roles.
Authentication Server The switch that validates the client and specifies whether or not the client may access services on the switch. The switch supports Authentication Servers running RADIUS.
Authenticator The switch that controls access to the network. In an 802.1X configuration, the switch serves as the Authenticator. As the Authenticator, it moves messages between the client and the Authentication Server. The Authenticator either grants or does not grant network access to the client based on the identity data provided by the client, and the authentication data provided by the Authentication Server.
Supplicant/Client The client provides a username or password data to the Authenticator. The Authenticator sends this data to the Authentication Server. Based on the supplicants information, the Authentication Server determines whether the supplicant can use services given by the Authenticator. The Authentication Server gives this data to the Authenticator, which then provides services to the client, based on the authentication result.
Authentication Process
- Either the authenticator (a switch port) or the supplicant starts an authentication message exchange. The switch starts an exchange when it detects a change in the status of a port, or if it gets a packet on the port with a source MAC address that is not included in the MAC address table.
- An authenticator starts the negotiation by sending an EAP-Request/Identity packet. A supplicant starts the negotiation with an EAPOL-Start packet, to which the authenticator answers with a EAP-Request/Identity packet.
- The supplicant answers with an EAP-Response/Identity packet to the authentication server via the authenticator.
- The authentication server responds with an EAP-Request packet to the supplicant via the authenticator.
- The supplicant responds with an EAP-Response.
- The authentication server transmits either an EAP-Success packet or EAP-Reject packet to the supplicant.
- If an EAP-Reject is received, the supplicant will receive an EAP-Reject message and their traffic will not be forwarded.
Communication Between the Switches
For communication between the switches, 802.1X port security uses the Extensible Authentication Protocol (EAP), defined in RFC 2284 and the RADIUS authentication protocol.
The 802.1X standard defines a method for encapsulating EAP messages so they can be sent over a LAN. This encapsulated kind of EAP is known as EAP over LAN (EAPOL). The standard also specifies a means of transferring the EAPOL information between the client or Supplicant, Authenticator, and Authentication Server.
EAPOL messages are passed between the Supplicants and Authenticators Port Access Entity (PAE). The figure below shows the relationship between the Authenticator PAE and the Supplicant PAE.
Authenticator PAE: The Authenticator PAE communicates with the Supplicant PAE to receive the Supplicants identifying information. Behaving as a RADIUS client, the Authenticator PAE passes the Supplicants information to the Authentication Server, which decides whether to grant the Supplicant access. If the Supplicant passes authentication, the Authenticator PAE allows it access to the port.
Supplicant PAE: The Supplicant PAE provides information about the client to the Authenticator PAE and replies to requests from the Authenticator PAE. The Supplicant PAE may initiate the authentication procedure with the Authenticator PAE, as well as send logoff messages.
Dot1x Dropped Counters
The Dot1x Dropped Counters count the packets dropped by dot1x interfaces. The dropped counter will not represent all the dropped packets in case of high volume dropping, and the CPU queue drop counter will reflect the rest of the dropped packet counter. This is due to the fact that EOS limits the bandwidth for the packets that get sent to the CPU.
- EAPOL unauthorized port (indicates the dropped packet number due to the unauthorized EAPOL port when Mac Base Authorization is disabled).
- EAPOL unauthorized host ( indicates the dropped packet number due to the unauthorized EAPOL host).
- MBA unauthorized host (counts the dropped packet due to the unauthorized host when Mac Base Authorization is enabled.)
Enable 802.1X Port Control
To enable 802.1X port authentication on the switch, global command configuration is required:
switch(config)# dot1x system-auth-control
Port mode can be set to access/trunk port and 802.1X port access entity is set to authenticator:
switch(config-if-Et1)# switchport mode access
switch(config-if-Et1)# dot1x pae authenticator
Controlled and Uncontrolled Ports
A physical port on the switch used with 802.1X has two virtual access points that include a controlled port and an uncontrolled port. The controlled port grants full access to the network. The uncontrolled port only gives access for EAPOL traffic between the client and the Authentication Server. When a client is authenticated successfully, the controlled port is opened to the client.
Control Port State
Before the port is authenticated, the port is in an unauthorized state. In this state, only EAPOL packets are processed by 802.1X agent and all other packets are dropped. After the port is successfully authenticated, the port is in the authorized state and all packets are allowed to pass. The state transition is controlled by authentication exchange between supplicant and authentication server. However, the user can control the state by using any one of the following commands:
dot1x port-control force-authorized
force-authorized: disables 802.1X authentication and directly put the port to the authorized state. This is the default setting.
dot1x port-control force-unauthorized
force-unauthorized: also disables 802.1X authentication and directly put the port to unauthorized state, ignoring all attempts by the client to authenticate.
dot1x port-control auto
auto: enables 802.1X authentication and put the port to unauthorized state first. The port state remains in an unauthorized state or transit to authorized state according to authentication result and configuration.
Uncontrolled Port State
The uncontrolled port on the Authenticator is the only one open before a client is authenticated. The uncontrolled port permits only EAPOL frames to be swapped between the client and the Authentication Server. No traffic is allowed to pass through the controlled portin the unauthorized state.
During authentication, EAPOL messages are swapped between the Supplicant PAE and the Authenticator PAE, and RADIUS messages are swapped between the Authenticator PAE and the Authentication Server. If the client is successfully authenticated, the controlled port becomes authorized, and traffic from the client can flow through the port normally.
All controlled ports on the switch are placed in the authorized state, allowing all traffic, by default. When authentication is initiated, the controlled port on the interface is initially set in the unauthorized state. If a client connected to the port is authenticated successfully, the controlled port is set in the authorized state.
Message Exchange During Authentication
The figure below illustrates an exchange of messages between an 802.1X-enabled client, a switch operating as Authenticator, and a RADIUS server operating as an Authentication Server.
Authenticating Multiple Clients Connected to the Same Port
Arista switches support 802.1X authentication for ports with more than one client connected to them. Figure 7 illustrates a sample configuration where multiple clients are connected to a single 802.1X port. 802.1X authentication may use multi-host mode, or (on selected switches) single-host mode. In both modes, the port authenticates the packets received from any one client, and the packets received from other clients are dropped, until the connected client is authenticated by the RADIUS server.
Single-host Mode
In single-host mode, once the 802.1X client has been authenticated by the RADIUS server further authentication is not required, but the port accepts packets only from the MAC address of the authenticated client.
Multi-host Mode
In multi-host mode, once the 802.1X client has been authenticated by the RADIUS server, the port is open to accept all packets from any connected client, and these packets do not require any authentication.
802.1X MAC- Based Authentication
The 802.1X MAC-based authentication allows a set of MAC addresses to be programmed into the RADIUS server. These MAC addresses (MAC-based authentication supplicants) do not connect to 802.1X profiles but are still allowed access to the network. The authenticator identifies devices that do not support 802.1X and uses the MAC address of these devices as username and password in its RADIUS request packets.
In a MAC-based authentication, every supplicant trying to gain access to the authenticator port is individually authenticated as opposed to authenticating just one supplicant on a given VLAN or port with 802.1X. The behavior is different for MAC-based authentication supplicants when we have a 802.1.x supplicant authenticated in single host and multi-host 802.1X modes.
To enable Mac-based authentication, use the following command:
Command syntax
dot1x mac based authentication
switch(config-if-Et1/1)# show active
speed forced 1000full
dot1x pae authenticator
dot1x port-control auto
dot1x mac based authentication
Mac-Based Authentication Delay
Use the mac based authentication delay command to configure a Mac-based Authentication delay. By default, the delay is triggered after 5 seconds.
Comman Syntax
mac based authentication delay 0-300 seconds
Mac-Based Authentication Hold-Period
When Mac Based Authentication is rejected by a AAA server, there is a default hold period of 60 seconds before the Mac Based Authentication is retried again even if the host continues to send traffic. However, the hold-period can be configured manually using the mac based authentication hold period command.
Command Syntax
802.1X AAA Unresponsive VLAN
Overview
Devices connected to 802.1X controlled ports must perform authentication before their generic traffic is allowed into the network. During this process, the switch contacts a configured AAA server that determines if the device’s access to the network is accepted or denied. When the AAA server is unresponsive, the default behavior is to deny all authentication attempts. The AAA Unresponsive VLAN feature allows the user to specify different behavior for this case, accepting authentication attempts and assigning devices to the native VLAN or a specified VLAN. As in other failure scenarios, the switch tries to authenticate the supplicant after the quiet period has passed.
Configuring 802.1X AAA Unresponsive VLAN
The aaa unresponsive action traffic allow vlan command is configured under the dot1x configuration sub-mode to enable the dot1x AAA unresponsive VLAN feature on the switch. When configured, the switch changes the action taken with regards to authentication attempts when the AAA server is unresponsive. The AAA server is considered unresponsive when communication with it times out.
Example
switch(config)# dot1x
switch(config-dot1x)# aaa unresponsive action traffic allow vlan
Limitations
- AAA unresponsive VLAN does not act on devices that tried to authenticate using VLAN-tagged frames.
- When AAA unresponsive VLAN is enabled without a VLAN, devices get assigned to the native VLAN – even phones that would otherwise be assigned to the phone VLAN. If phones should be assigned to the phone VLAN when AAA is unavailable, the knob aaa unresponsive phone vlan action allow should be additionally used.
802.1X Web Authentication
Configuring 802.1X Web authentication
Command Syntax
captive portal url URL][ssl profile profile]
Enabling the 802.1X Web authentication starts the redirection agent (Dot1xWeb) and its internal HTTP redirector, and makes 802.1X act on radius web-auth-start VSA’s. If a URL is specified, it’s used for the redirection when AAA does not provide a specific URL. If a valid SSL profile is specified, the configured certificate and key are used to start 802.1X Web’s internal HTTPS redirector.
switch(config-dot1x)# captive portal access-list ipv4 test-ACL
An ACL can be defined locally on the switch and be configured to use for web authentication, for cases, when AAA is not able to send ACL with web auth = start.
AttributeName | Attribute ID | Type | Value |
---|---|---|---|
Arista-WebAuth | 6 | integer |
start = 1 complete = 2 |
Arista-Captive-Portal | 10 | string | any valid url |
Show Commands
The “show” commands that display the state of a host show the new values for WebAuth stage as well.
switch(config)# show dot1x hosts
Interface: Ethernet36
Supplicant MAC Auth Method State VLAN Id
-------------- ----------- ----- -------
00:1c:73:73:f9:38 MAC-BASED-AUTH WEB-AUTH-START
00:1c:73:73:f9:39 MAC-BASED-AUTH WEB-AUTH-FAILED
Limitations
- Only one device per port is supported (MAC ACLs are not supported), connected in wired fashion.
- HTTPS redirection is only attempted when the connection is to the default TCP port 443.
- Limitations present in versions lower than RIO RELEASE.
- HTTPS is not supported.
- Limitations present in versions EOS Release 4.25.0 and
4.25.1:
- There is no downloadable ACL support - only implicit ACL support is available. This might not suffice if there is a need to allow multiple intranet websites.
- There is only support of one Captive portal at a time.
- Limitations in version EOS Release 4.25.0:
- IPv4 Management IP needs to be configured on the management interface. If the management ip address is changed, then captive portal configuration needs to be reconfigured.
- SVI needs to be configured for the VLAN where the host is going to be after the first phase of authentication - be it EAPOL or MBA.
Configuring 802.1X Port Security
Basic steps to implementing 802.1X Port-based Network Access Control and RADIUS accounting on the switch:
Configuring 802.1X Authentication Methods
IEEE 802.1X port security relies on external client-authentication methods, which must be configured for use. The method currently supported on Arista switches is RADIUS authentication. To configure the switch to use a RADIUS server for client authentication, use the aaa authentication dot1x command.
Example
switch(config)# aaa authentication dot1x default group radius
switch(config)#
Configuring Dot1x Dropped Counters
Use the statistics packets dropped command to cofigure the dot1x dropped counters on the switch under dot1x configuration mode. By default, the dot1x dropped counters is disabled. The no form of the command disables the dot1x dropped counters from the running configuration.
Example
switch(config-dot1x)# statistics packets dropped
Globally Enable IEEE 802.1X
To enable IEEE 802.1X port authentication globally on the switch, use the dot1x system-auth-control command.
Example
switch(config)# dot1x system-auth-control
switch(config)#
Designating Authenticator Ports
To set the port access entity (PAE) type of an Ethernet or management interface to the authenticator, use the dot1x pae authenticator command.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x pae authenticator
switch(config-if-Et1)#
Example
For ports to act as authenticator ports to connected supplicants, those ports must be designated using the dot1x port-control command.
The auto option of thedot1x port-control command designates an authenticator port for immediate use, blocking all traffic that is not authenticated by the AAA server.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x port-control auto
switch(config-if-Et1)#
The force-authorized option of the dot1x port-control command sets the state of the port to authorized without authentication, allowing traffic to continue uninterrupted.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x port-controlforce-authorized
switch(config-if-Et1)#
To designate a port as an authenticator but prevent it from authorizing any traffic, use the force-unauthorized option of the dot1x port-control command.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x port-controlforce-authorized
switch(config-if-Et1)#
Specifying the Authentication Mode for Multiple Clients
By default, Arista switches authenticate in multi-host mode, allowing packets from any source MAC address once 802.1X authentication has taken place. To configure the switch for single-host mode (allowing traffic only from the authenticated clients MAC address), use the dot1x host-mode command.
Example
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x host-mode single-host
switch(config-if-Et1)#
Configuring Re-authentication
The dot1x reauthentication command enables re-authentication of authenticator ports with the default values.
The dot1x timeout reauth-period command allows to customize the re-authentication period of authenticator ports.
- These commands configures the configuration mode interface to require
re-authentication from clients at regular
intervals.
switch(config)# interface Ethernet 1 switch(config-if-Eth)# dot1x reauthentication
- These commands configure the Ethernet interface 1
authenticator to require re-authentication from clients every
6 hours (21600
seconds).
switch(config)# interface Ethernet 1 switch(config-if-Et1)# dot1x reauthentication switch(config-if-Et1)# dot1x timeout reauth-period 21600 switch(config-if-Et1)#
- These commands deactivate re-authentication on Ethernet interface 1.
-
switch(config)# interface Ethernet 1 switch(config-if-Et1)# no dot1x reauthentication switch(config-if-Et1)#
Setting the EAP Request Maximum
The dot1x reauthorization request limit command configures the number of times the switch retransmits an 802.1X Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting authentication.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x reauthorization request limit 4
switch(config-if-Et1)#
The default value is 2.
Disabling Authentication on a Port
To disable authentication on an authenticator port, use the no form of the dot1x port-control command.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# no dot1x port-control
switch(config-if-Et1)#
Setting the Quiet Period
If the switch fails to immediately authenticate the client, the time the switch waits before trying again is specified by the dot1x timeout quiet-period command. This timer also indicates how long a client that failed authentication is blocked.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x timeout quiet-period 30
The default value is 60 seconds.
Setting the Dot1x Timeout Reauth-period
The dot1x timeout reauth-period command specifies the time period in seconds that the configuration mode interface waits before requiring re-authentication from clients.
Example
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x reauthentication
switch(config-if-Et1)# dot1x timeout reauth-period 21600
The default value is 3600 seconds.
Setting the Transmission Timeout
Authentication and re-authentication are accomplished by the authenticator sending an Extensible Authentication Protocol (EAP) request to the supplicant and the supplicant sending a reply which the authenticator forwards to an authentication server. If the authenticator doesnt receive a reply to the EAP request, it waits a specified period of time before retransmitting. To configure that wait time, use the dot1x timeout tx-period command.
Example
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x timeout tx-period 30
switch(config-if-Et1)#
The default value is 5 seconds.
Enable Authentication Failure VLAN
Configure Authentication Failure VLAN on a dot1x-enabled port using the following CLI command under the interface-config mode. The CLI command to set VLAN10 as authentication failure VLAN is as follows:
switch(config-if-Et1/1)# dot1x authentication failure action traffic allow vlan 10
When no authentication failure VLAN is configured on a dot1x-enabled port, the default action is to drop any unauthorized traffic on the port. This behavior can also be specified using the following command:
Example
switch(config-if-Et1/1)# dot1x authentication failure action traffic drop
Clearing 802.1X Statistics
The clear dot1x statistics command resets the 802.1X counters.
- This command clears the 802.1X counters on all
interfaces.
switch# clear dot1x statistics all switch#
- This command clears the 802.1X counters on Ethernet interface
1.
switch# clear dot1x statistics interface ethernet 1 switch#
Displaying 802.1X Information
You can display information about 802.1X on the switch and on individual ports.
Displaying 802.1X statistics
Use the show dot1x statistics command to display 802.1X statistics for the specified port or ports.
- This command displays IEEE 802.1X statistics for Ethernet
interface
5.
switch# show dot1x interface ethernet 5 statistics Dot1X Authenticator Port Statistics for Ethernet5 ------------------------------------------------- RxStart = 0 RxLogoff = 0 RxRespId = 0 RxResp = 0 RxInvalid = 0 RxTotal = 0 TxReqId = 0 TxReq = 0 TxTotal = 0 RxVersion = 0 LastRxSrcMAC = 0000.0000.0000 switch#
- This command displays the dot1x dropped counters for all the
dot1x
interfaces.
switch# show dot1x all statistics Dot1X Authenticator Port Statistics for Ethernet51/1 ------------------------------------------------- RX start = 1 RX logoff = 0 RX response ID = 1 RX response = 10 RX invalid = 0 RX total = 12 TX request ID = 2 TX request = 11 TX total = 13 RX version = 2 Last RX src MAC = ded6.404b.ec94 Data packet drop counters: EAPOL unauthorized port = 2 EAPOL unauthorized host = 1 MBA unauthorized host = 0 Dot1X Authenticator Port Statistics for Ethernet49 ------------------------------------------------- RX start = 1 RX logoff = 0 RX response ID = 1 RX response = 10 RX invalid = 0 RX total = 12 TX request ID = 2 TX request = 11 TX total = 13 RX version = 2 Last RX src MAC = ded6.404b.ec94 Data packet drop counters: EAPOL unauthorized port = 2 EAPOL unauthorized host = 1 MBA unauthorized host = 0
Displaying 802.1X supplicant information
Use the show dot1x hosts command to display information for all the supplicants.
Example
switch# show dot1x hosts
Interface: Ethernet1/1
Supplicant MAC Auth Method State VLAN Id
-------------- ----------- ----- -------
e2:29:cb:11:2f:4a EAPOL SUCCESS 300
e2:29:cb:11:2f:4b MAC-BASED-AUTH SUCCESS 300
Displaying Mac-address Tables
Use the show mac address-table command to display the MAC address of the supplicants allowed to pass the traffic through the port.
Example
switch# show mac address-table
Mac Address Table
------------------------------------------------------------------
Vlan Mac Address Type Ports Moves Last Move
---- ----------- ---- ----- ----- ---------
300 e229.cb11.2f4a STATIC Et1/1
300 e229.cb11.2f4b STATIC Et1/1
Total Mac Addresses for this criterion: 2
Displaying Port Security Configuration Information
The show dot1x command shows information about the 802.1X configuration on the specified port or ports.
Example
switch# show dot1x interface ethernet 5
Dot1X Information for Ethernet5
--------------------------------------------
PortControl : auto
QuietPeriod : 60 seconds
TxPeriod : 5 seconds
ReauthPeriod : 3600 seconds
MaxReauthReq : 2
switch#
Displaying the Status of the 802.1X Attributes for each Port
Use the show dotx1 interface interface-id command to display the status of the 802x1 attributes for each port.
switch(config-if-Et1/1)# show dot1x interface ethernet1/1
Dot1X Information for Ethernet1
--------------------------------------------
PortControl : force-authorized
HostMode : multi-host
QuietPeriod : 60 seconds
TxPeriod : 5 seconds
ReauthPeriod : 0 seconds
MaxReauthReq : 2
ReauthTimeoutIgnore : No
AuthFailVlan : 10
Displaying 802.1X Information for all Ports
Use the show dot1x all brief command to display IEEE 802.1X status for all ports.
Example
switch# show dot1x all brief
Interface Client Status
---------- -------- -------------
Ethernet5 None Unauthorized
switch#
Displaying VLANS
Use the show vlan command to display if a VLAN has been dynamically assigned to the port.
Example
switch# show vlan
VLAN Name Status Ports
----- ------------- --------- ----------------------------------
1 default active
2 VLAN0002 active Et7, Et17, Et18, Et41
300* VLAN0300 active Et1/1, Et6, Et19, Et20, Et29
Et30, Et31, Et32, Et42, Et43, Et44
* indicates a Dynamic VLAN
Displaying EAPOL Fallback to MBA Authentication and MBA Timeout Information
Use the show dotx1 interface interface ID details command to display information about the EAPOL fallback to MBA authentication and MBA timeout details.
switch(config-if-Et1)# show dot1x interface Ethernet1 details
Dot1X Information for Ethernet1
--------------------------------------------
Port control: auto
Host mode: multi-host authenticated
Quiet period: 60 seconds
TX period: 5 seconds
Maximum reauth requests: 2
Ignore reauth timeout: No
Auth failure VLAN: 101
Unauthorized access VLAN egress: Yes
Unauthorized native VLAN egress: Yes
EAPOL: enabled
MAC-based authentication: disabled
EAPOL authentication failure fallback: MBA, timeout 200 seconds
Dot1X Authenticator Client
Port status: Authorized
Supplicant MAC Reauth Period (in seconds)
-------------- --------------------------
0022.0100.0001 120
802.1X Port Security Commands
Global Configuration Commands
Dot1x Configuration Commands
Interface Configuration CommandsEthernet Interface
Privileged EXEC Commands
aaa unresponsive action traffic allow vlan
The aaa unresponsive action traffic allow vlan enables the the dot1x AAA unresponsive VLAN feature on the switch.
The no aaa unresponsive action traffic allow vlan command disbales the dot1x AAA unresponsive VLAN feature from the running-config.
Command Mode
Dot1x Configuration Mode
Command Syntax
aaa unresponsive action traffic allow vlan VLAN-ID
no unresponsive action traffic allow vlan
Parameters
- unresponsive Configure AAA timeout options.
- action Set action for supplicant when AAA times out.
- traffic Set action for supplicant traffic when AAA times out.
- allow Allow traffic when AAA times out.
- vlan Allow traffic in VLAN when AAA times out.
- VLAN-ID Identifier for a Virtual LAN. Value ranges from 1 to 4094.
Example
switch(config)# dot1x
switch(config-dot1x)# aaa unresponsive action traffic allow vlan 50
captive portal
The captive portal command enables the 802.1X Web Authentication on the switch.
The no captive portal command removes the 802.1X Web Authentication configuration from the running-config.
Command Mode
Dot1x Configuration Mode
Command Syntax
captive portal url URL ssl profile profile access-list ipv4 ACL name
no captive portal url URL ssl profile profile access-list ipv4 ACL name
- url Configure captive portal URL.
- ssl Configure SSL related option.
- access-list Configure access control list.
- This command enables 802.1X Web Authentication on the switch.
switch(config)# dot1x switch(config-dot1x)# captive portal ssl profile test-ssl_profile
- This command enables the ACL based Web
authentication.
switch(config)# dot1x switch(config-dot1x)# captive portal access-list ipv4 test-ACL
clear dot1x statistics
The clear dot1x statistics command resets the 802.1X counters on the specified interface or all interfaces.
Privileged EXEC
clear dot1x statistics INTERFACE_NAME
- all Display information for all interfaces.
- interface ethernet e_num Ethernet interface specified by e_num.
- interface loopback l_num Loopback interface specified byl_num.
- interface management m_num Management interface specified by m_num.
- interface port-channel p_num Port-Channel Interface specified by p_num.
- interface vlan v_num VLAN interface specified by v_num.
Example
switch# clear dot1x statistics all
switch#
dot1x mac based authentication
The dot1x mac based authentication command enables MAC-based authentication on the existing 802.1X authenticator port.
The no dot1x mac based authentication and the default dot1x mac based authentication commands restore the switch default by disabling the corresponding dot1x mac based authentication command for the specific 802.1X authenticator port.
Interface-Ethernet Configuration
dot1x mac based authentication
no dot1x mac based authentication
default dot1x mac based authentication
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x mac based authentication
switch(config-if-Et1)#
dot1x mac based authentication delay
The dot1x mac based authentication delay command enables MAC-based authentication delay. By default, the delay is triggered after 5 seconds.
The no dot1x mac based authentication delay and the default dot1x mac based authentication delay commands restore the switch default by disabling the corresponding dot1x mac based authentication delay command.
Dot1x Configuration
dot1x mac based authentication delay delay-time seconds
no dot1x mac based authentication delay
default dot1x mac based authentication delay
- delay-time Delay in seconds. The value is from 0 to 300.
- seconds Unit in seconds.
Example
switch(config)# dot1x
switch(config-dot1x)# mac based authentication delay 30 seconds
dot1x mac based authentication hold period
The dot1x mac based authentication hold period command enables MAC-based authentication hold period. By default, the hold period is 60 seconds.
The no dot1x mac based authentication hold period and the default dot1x mac based authentication hold period commands restore the switch default by disabling the corresponding dot1x mac based authentication hold period command.
Dot1x Configuration
dot1x mac based authentication hold period hold period-time seconds
no dot1x mac based authentication hold period
default dot1x mac based authentication hold period
- hold period-time Hold period in seconds. The value is from 1 to 300 in seconds.
- seconds Unit in seconds.
Example
switch(config)# dot1x
switch(config-dot1x)# mac based authentication hold period 100 seconds
dot1x pae authenticator
The dot1x pae authenticator command sets the port access entity (PAE) type of the configuration mode interface to authenticator, which enables IEEE 802.1X on the port. IEEE 802.1X is disabled on all ports by default.
The no dot1x pae authenticator and default dot1x pae authenticator commands restore the switch default by deleting the corresponding dot1x pae authenticator command from running-config.
Interface-Ethernet Configuration
Interface-Management Configuration
dot1x pae authenticator
no dot1x pae authenticator
default dot1x pae authenticator
- These commands configure interface ethernet
2 as a port access entity (PAE) authenticator,
enabling IEEE 802.1X on the
port.
switch(config-if-Et1)# interface ethernet 2 switch(config-if-Et1)# dot1x pae authenticator switch(config-if-Et1)#
- These commands disable IEEE 802.1X authentication on interface
ethernet
2.
switch(config-if-Et1)# interface ethernet 2 switch(config-if-Et1)# no dot1x pae authenticator switch(config-if-Et1)#
dot1x reauthentication
The dot1x reauthentication command configures the configuration mode interface to require re-authentication from clients at regular intervals. The interval is set by the dot1x timeout reauth-period command.
The no dot1x reauthentication and default dot1x reauthentication commands restore the default setting by deleting the corresponding dot1x reauthentication command from running-config.
Interface-Ethernet Configuration
Interface-Management Configuration
dot1x reauthentication
no dot1x reauthentication
default dot1x reauthentication
Example
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x reauthentication
switch(config-if-Et1)#
dot1x reauthorization request limit
The dot1x reauthorization request limit command configures how many times the switch retransmits an 802.1X Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting authentication.
The no dot1x reauthorization request limit and default dot1x reauthorization request limit commands restore the default value of 2 by deleting the corresponding dot1x reauthorization request limit command from running-config.
Interface-Ethernet Configuration
Interface-Management Configuration
dot1x reauthorization request limit attempts
no dot1x reauthorization request limit
default dot1x reauthorization request limit
attempts Maximum number of attempts. Values range from 1 to 10; default value is 2.
- This command sets the 802.1X EAP-request retransmit limit to
6.
switch(config)# interface ethernet 1 switch(config-if-Et1)# dot1x reauthorization request limit 6 switch(config-if-Et1)#
- This command restores the default request repetition value of
2.
switch(config)# interface ethernet 1 switch(config-if-Et1)# no dot1x reauthorization request limit switch(config-if-Et1)#
dot1x system-auth-control
The dot1x system-auth-control command enables 802.1X authentication on the switch.
The no dot1x system-auth-control and default dot1x system-auth-control commands disables 802.1X authentication by removing the dot1x system-auth-control command from running-config.
Global Configuration
dot1x system-auth-control
no dot1x system-auth-control
default dot1x system-auth-control
- This command enables 802.1X authentication on the
switch.
switch(config)# dot1x system-auth-control switch(config)#
- This command disables 802.1X authentication on the
switch.
switch(config)# no dot1x system-auth-control switch(config)#
dot1x timeout quiet-period
If the switch fails to immediately authenticate the client, the time the switch waits before trying again is specified by the dot1x timeout quiet-period command. This timer also indicates how long a client that failed authentication is blocked.
The no dot1x timeout quiet-period and default dot1x timeout quiet-period commands restore the default quiet period of 60 seconds by removing the corresponding dot1x timeout quiet-period command from running-config.
Interface-Ethernet Configuration
Interface-Management Configuration
dot1x timeout quiet-period quiet_time
no dot1x timeout quiet-period
default dot1x timeout quiet-period
quiet_time Interval in seconds. Values range from 1 to 65535. Default value is 60.
Example
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x timeout quiet-period 30
switch(config-if-Et1)#
dot1x timeout reauth-period
The dot1x timeout reauth-period command specifies the time period that the configuration mode interface waits before requiring re-authentication from clients.
The no dot1x timeout reauth-period and default dot1x timeout reauth-period commands restore the default period of 60 minutes by removing the corresponding dot1x timeout reauth-period command from running-config.
Interface-Ethernet Configuration
Interface-Management Configuration
dot1x timeout reauth-period reauth_time
no dot1x timeout reauth-period
default dot1x timeout reauth-period
reauth_time The number of seconds the interface passes traffic before requiring re-authentication. Values range from 1 to 65535. Default value is 3600.
Example
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x reauthentication
switch(config-if-Et1)# dot1x timeout reauth-period 21600
switch(config-if-Et1)#
dot1x timeout tx-period
Authentication and re-authentication are accomplished by the authenticator sending an Extensible Authentication Protocol (EAP) request to the supplicant and the supplicant sending a reply which the authenticator forwards to an authentication server. If the authenticator does not get a reply to the EAP request, it waits a specified period of time before retransmitting. The dot1x timeout tx-periodcommand configures that wait time.
The no dot1x timeout tx-period and default dot1x timeout tx-period commands restore the default wait time by removing the corresponding dot1x timeout tx-period command from running-config.
Interface-Ethernet Configuration
Interface-Management Configuration
dot1x timeout tx-period tx_time
no dot1x timeout tx-period
default dot1x timeout tx-period
tx_time Values range from 1 to 65535. Default value is 5.
Example
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x timeout tx-period 30
switch(config-if-Et1)#
dot1x host-mode
When multiple clients are connected to an Ethernet interface providing 802.1X authentication, the port can accept packets from all MAC addresses once the supplicant has been authenticated (multi-host mode), or it can accept only those packets originating from the MAC address of the authenticated client (single-host mode) or ultiple authenticated clients (multi-host authenticated mode) . The dot1x host-mode command specifies the host mode for authentication of multiple clients on the configuration mode interface.
The no dot1x host-mode and default dot1x host-mode commands restore the switch default (multi-host mode) by removing the corresponding dot1x host-mode command for the configuration mode interface.
Command Mode
Interface-Ethernet Configuration
dot1x host-mode [multi-host | single-host | multi-host authenticated]
no dot1x host-mode
default dot1x host-mode
- multi-host Configures the interface to use multi-host mode (the default).
- single-host Configures the interface to use single-host mode.
- multi-host authenticated Configures the interface to use multi-host authenticated mode.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x host-mode single-host
switch(config-if-Et1)#
dot1x port-control
The dot1x port-control command configures the configuration mode interface as an authenticator port and specifies whether it will authenticate traffic.
The no dot1x port-control and default dot1x port-control commands configure the port to pass traffic without authorization by removing the corresponding dot1x port-control command from running-config.
Interface-Ethernet Configuration
Interface-Management Configuration
dot1x port-control STATE
no dot1x port-control
default dot1x port-control
- auto Configures the port to authenticate traffic using Extensible Authentication Protocol messages.
- force-authorized Configures the port to pass traffic without authentication.
- force-unauthorized Configures the port to block all traffic regardless of authentication.
- These commands configure interface Ethernet 1 to
pass traffic without authentication. This is the default
setting.
switch(config)# interface Ethernet 1 switch(config-if-Et1)# dot1x port-control force-authorized switch(config-if-Et1)#
- These commands configure interface Ethernet 1 to
block all
traffic.
switch(config)# interface Ethernet 1 switch(config-if-Et1)# dot1x port-control force-unauthorized switch(config-if-Et1)#
- These commands configure interface Ethernet 1 to
authenticate traffic using EAP
messages.
switch(config)# interface Ethernet 1 switch(config-if-Et1)# dot1x port-control auto switch(config-if-Et1)#
show dot1x all brief
The show dot1x all brief command displays the IEEE 802.1X status for all ports.
EXEC
show dot1x all brief
Example
switch# show dot1x all brief
Interface Client Status
-------------------------------------------------
Ethernet5 None Unauthorized
switch#
show dot1x hosts
The show dot1x hosts command displays 802.1X information for all the supplicants.
EXEC
show dot1x hosts [ethernet]
ethernet e_num Ethernet interface specified by e_num.
Example
switch# show dot1x hosts
Interface: Ethernet1/1
Supplicant MAC Auth Method State VLAN Id
-------------- ----------- ----- -------
e2:29:cb:11:2f:4a MAC-BASED-AUTH SUCCESS 300
show dot1x statistics
The show dot1x statistics command displays 802.1X statistics for the specified port or ports.
EXEC
show dot1x INTERFACE_NAME statistics
- INTERFACE_NAME Interface type and number. Options
include:
- all Display information for all interfaces.
- ethernet e_num Ethernet interface specified by e_num.
- loopback l_num Loopback interface specified by l_num.
- management m_num Management interface specified by m_num.
- port-channel p_num Port-Channel Interface specified by p_num.
-
vlan v_num VLAN interface specified by v_num.
- Output Fields
- RxStartNumber of EAPOL-Start frames received on the port.
- TxReqIdNumber of EAP-Request/Identity frames transmitted on the port.
- RxVersionVersion number of the last EAPOL frame received on the port.
- RxLogoffNumber of EAPOL-Logoff frames received on the port.
- RxInvalidNumber of invalid EAPOL frames received on the port.
- TxReqNumber of transmitted EAP-Request frames that were not EAP-Request/Identity.
- LastRxSrcMAC The source MAC address in the last EAPOL frame received on the port.
- RxRespId The number of EAP-Response/Identity frames received on the port.
- RxTotal The total number of EAPOL frames transmitted on the port.
- TxTotal The total number of EAPOL frames transmitted on the port.
Example
switch# show dot1x interface ethernet 5 statistics
Dot1X Authenticator Port Statistics for Ethernet5
-------------------------------------------------
RxStart = 0 RxLogoff = 0 RxRespId = 0
RxStart= 0 RxInvalid = 0 RxTotal = 0
TxReqId = 0 TxReq = 0 TxTotal = 0
RxVersion = 0 LastRxSrcMAC = 0000.0000.0000
switch#
show dot1x
The show dot1x command displays 802.1X information for the specified interface.
EXEC
show dot1x INTERFACE_NAME INFO
- INTERFACE_NAME Interface type and number. Options
include:
- all Display information for all interfaces.
- ethernet e_num Ethernet interface specified by e_num.
- loopback l_num Loopback interface specified by l_num.
- management m_num Management interface specified by m_num.
- port-channel p_num Port-Channel Interface specified by p_num.
- vlan v_num VLAN interface specified by v_num.
- INFO Type of information the command displays. Values
include:
- no parameter displays summary of the specified interface.
- detail displays all 802.1X information for the specified interface.
- This command displays 802.1X summary information for interface
ethernet
5.
switch# show dot1x interface ethernet 5 Dot1X Information for Ethernet5 -------------------------------------------- PortControl : auto QuietPeriod : 60 seconds TxPeriod : 5 seconds ReauthPeriod : 3600 seconds MaxReauthReq : 2 switch#
- This command displays detailed 802.1X information for interface
ethernet
5.
switch# show dot1x interface ethernet 5 detail Dot1X Information for Ethernet5 -------------------------------------------- PortControl : auto QuietPeriod : 60 seconds TxPeriod : 5 seconds ReauthPeriod : 3600 seconds MaxReauthReq : 2 Dot1X Authenticator Client Port Status : Unauthorized switch#
statistics packets dropped
The statistics packets droppedcommand to cofigure the dot1x dropped counters on the switch under dot1x configuration mode. By default, the dot1x dropped counters is disabled. The no form of the command disables the dot1x dropped counters from the running configuration.
The no statistics packets dropped command disables the dot1x dropped counters from the running configuration.
Command Mode
Dot1x Configuration
Command Syntax
statistics packets dropped
no statistics packets dropped
Example
switch(config-dot1x)# statistics packets dropped