High Secure (Hsecure) Mode; Access Level Options - Hsecure Mode - Avaya VSP 4000 Technical Configuration Manual

Virtual services platform, management access security

3.3 High Secure (hsecure) Mode

The switch supports a configurable flag called high secure (hsecure). High secure mode filters invalid
source IP addresses (network and broadcast addresses) communicating with the CPU, limits failed logon
attempts, and places two restrictions on passwords: 10-character enforcement and aging time. An example
of an invalid source would be an interface in subnet 192.168.168.0/24, where source IP addresses of
192.168.168.0 and 192.168.168.255 are discarded.
After you enable the hsecure flag, the software enforces the 10-character rule for all passwords. This
password must contain a minimum of two uppercase characters, two lowercase characters, two numbers,
and two special characters.
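
The source filter and the password composition rule described above, sketched as an added Python example (not code from the manual or from Avaya). The function names are hypothetical, and the special-character set (ASCII punctuation) and the handling of /31 and /32 subnets are assumptions the manual does not specify.

```python
import ipaddress
import string

# Composition rule from the text: 10 characters minimum, with at least two
# each of uppercase, lowercase, numbers and special characters.
MIN_LENGTH = 10
MIN_PER_CLASS = 2
# Assumption: "special" means ASCII punctuation; the manual does not list the set.
SPECIALS = set(string.punctuation)


def hsecure_password_issues(password, min_length=MIN_LENGTH):
    """Return a list of reasons the password fails the rule (empty if it passes)."""
    counts = {
        "uppercase": sum(c in string.ascii_uppercase for c in password),
        "lowercase": sum(c in string.ascii_lowercase for c in password),
        "number": sum(c in string.digits for c in password),
        "special": sum(c in SPECIALS for c in password),
    }
    issues = []
    if len(password) < min_length:
        issues.append(f"length {len(password)} < {min_length}")
    for name, count in counts.items():
        if count < MIN_PER_CLASS:
            issues.append(f"{name} characters: {count} < {MIN_PER_CLASS}")
    return issues


def is_invalid_source(src_ip, interface_cidr):
    """True if src_ip is the network or broadcast address of the interface subnet."""
    net = ipaddress.ip_network(interface_cidr, strict=False)
    src = ipaddress.ip_address(src_ip)
    if src.version != net.version or net.prefixlen >= net.max_prefixlen - 1:
        # Assumption: /31 and /32 subnets have no network/broadcast address to filter.
        return False
    return src in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    # Constructed sample inputs; "rwa" is the default password named in the text.
    for pw in ("rwa", "Passw0rd!!", "SWitch#42#ok"):
        print(repr(pw), hsecure_password_issues(pw) or "meets the rule")
    for ip in ("192.168.168.0", "192.168.168.255", "192.168.168.10"):
        print(ip, is_invalid_source(ip, "192.168.168.1/24"))
```

Running the password check over planned credentials before setting the flag shows which accounts will be prompted for a change at first login after the reboot.
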
After you enable hsecure, the system requires you to save the configuration file and reboot the system for
hsecure to take effect. If the existing password does not meet the minimum requirements for hsecure, the
system prompts you to change the password during the first login.
The default username is rwa and the default password is rwa. In hsecure, the system prompts you to
change these during first login because they do not meet the minimum requirements for hsecure.
When you enable hsecure, the system disables Simple Network Management Protocol (SNMP) v1,
SNMPv2 and SNMPv3. If you want to use SNMP, you must re-enable SNMP, using the command no
boot config flag block-snmp.
After you enable the hsecure flag, you can configure a duration after which you must change your
password. You configure the duration by using the aging parameter.
For SNMP and File Transfer Protocol (FTP), after a password expires, access is denied. Before you
access the system, you must change a community string to a new string consisting of more than eight
characters.
Consider the following after you enable the hsecure flag:
  • You cannot enable the Web server for Enterprise Device Manager (EDM) access.
  • You cannot enable the Secure Shell (SSH) password authentication.
To enable hsecure mode, enter the following commands. You will be prompted with an error message if
telnet or rlogin is enabled.
VSPSwitch:1(config)#boot config flags hsecure
Warning: If your CLI session is running over Telnet or Rlogin -
you will be disconnected and will not be able to reconnect.
Are you sure you want to continue (y/n) ? y
3.3.1 Access Level Options – hsecure mode

If High Security (hsecure) is enabled, you can set the aging time, lockout time, minimum password
length, and password history using the following command. By default, the aging time is set for 90
seconds, minimum password length is set for 10 characters, and the password history is set for 3
previous passwords.
VSPSwitch:1(config)#password ?
  aging-time            Set age-out time for passwords
  default-lockout-time  Change the default lockout time after three invalid attempts
  min-passwd-len        Set the minimum length of passwords in hsecure mode
  password-history      Number of previous passwords to remember

March 2015, Avaya Inc. – External Distribution, avaya.com
