Cisco IE-4000 Software Configuration Manual page 168

Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication

If the switch is not configured with a hostname and a domain name, a temporary self-signed certificate is generated.
If the switch reboots, any temporary self-signed certificate is lost, and a new temporary new self-signed certificate
is assigned.

If the switch has been configured with a host and domain name, a persistent self-signed certificate is generated.
This certificate remains active if you reboot the switch or if you disable the secure HTTP server so that it will be there
the next time you reenable a secure HTTP connection.
Note: The certificate authorities and trustpoints must be configured on each device individually. Copying them from other
devices makes them invalid on the switch.
Note: The values that follow TP self-signed depend on the serial number of the device.
You can use an optional command (ip http secure-client-auth) to allow the HTTPS server to request an X.509v3
certificate from the client. Authenticating the client provides more security than server authentication by itself.
CipherSuites
A CipherSuite specifies the encryption algorithm and the digest algorithm to use on a SSL connection. When connecting
to the HTTPS server, the client Web browser offers a list of supported CipherSuites, and the client and server negotiate
the best encryption algorithm to use from those on the list that are supported by both. For example, Netscape
Communicator 4.76 supports U.S. security with RSA Public Key Cryptography, MD2, MD5, RC2-CBC, RC4, DES-CBC,
and DES-EDE3-CBC.
For the best possible encryption, you should use a client browser that supports 128-bit encryption, such as Microsoft
Internet Explorer Version 5.5 (or later) or Netscape Communicator Version 4.76 (or later). The
SSL_RSA_WITH_DES_CBC_SHA CipherSuite provides less security than the other CipherSuites, as it does not offer
128-bit encryption.
The more secure and more complex CipherSuites require slightly more processing time. This list defines the CipherSuites
supported by the switch and ranks them from fastest to slowest in terms of router processing load (speed):
1. SSL_RSA_WITH_DES_CBC_SHA—RSA key exchange (RSA Public Key Cryptography) with DES-CBC for message
encryption and SHA for message digest
2. SSL_RSA_WITH_RC4_128_MD5—RSA key exchange with RC4 128-bit encryption and MD5 for message digest
3. SSL_RSA_WITH_RC4_128_SHA—RSA key exchange with RC4 128-bit encryption and SHA for message digest
4. SSL_RSA_WITH_3DES_EDE_CBC_SHA—RSA key exchange with 3DES and DES-EDE3-CBC for message
encryption and SHA for message digest
RSA (in conjunction with the specified encryption and digest algorithm combinations) is used for both key generation and
authentication on SSL connections. This usage is independent of whether or not a CA trustpoint is configured.
Secure Copy Protocol
The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch configurations
or switch image files. SCP relies on Secure Shell (SSH), an application and a protocol that provides a secure replacement
for the Berkeley r-tools.
For SSH to work, the switch needs an RSA public/private key pair. This is the same with SCP, which relies on SSH for its
secure transport.
Because SSH also relies on AAA authentication, and SCP relies further on AAA authorization, correct configuration is
necessary.

Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
164