Initial Setup - Cisco 2651 User Manual

Non-proprietary security policy

Initial Setup

System Initialization and Configuration
Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary
OL-6083-01
Secure Operation of the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers
The Crypto Officer must apply tamper evidence labels as described in the "Physical Security"
section of this document.
Only a Crypto Officer may add and remove WAN Interface Cards. When removing the tamper
evidence label, the Crypto Officer should remove the entire label from the router and clean the cover
of any grease, dirt, or oil with an alcohol-based cleaning pad. The Crypto Officer must re-apply
tamper evidence labels on the router as described in the "Physical Security" section of this
document.
The Crypto Officer must apply the opacity shield as described in "The Cisco 1721/1760
Cryptographic Module" of this document.
The Crypto Officer must perform the initial configuration. Cisco IOS version 12.3(3d) is the only
allowable image; no other image may be loaded.
For Cisco 1700, 2600, and 3700 series routers, the value of the boot field must be 0x0101. For Cisco
7200 series routers, the value of the boot field must be 0x0102. This setting disables break from the
console to the ROM monitor and automatically boots the Cisco IOS image. From the "configure
terminal" command line, the Crypto Officer enters the following syntax:
For Cisco 7200 series routers, enter:
config-register 0x0102
For Cisco 1700, 2600, and 3700 series routers, enter:
config-register 0x0101
The Crypto Officer must create the "enable" password for the Crypto Officer role. The password
must be at least 8 characters and is entered when the Crypto Officer first engages the "enable"
command. The Crypto Officer enters the following syntax at the "#" prompt:
enable secret <PASSWORD>
The Crypto Officer must always assign passwords (of at least 8 characters) to users. Identification
and authentication on the console port is required for Users. From the "configure terminal"
command line, the Crypto Officer enters the following syntax:
line con 0
password <PASSWORD>
login local
The Crypto Officer shall only assign users to a privilege level 1 (the default).
The Crypto Officer shall not assign a command to any privilege level other than its default.
The Crypto Officer may configure the module to use RADIUS or TACACS+ for authentication.
Configuring the module to use RADIUS or TACACS+ for authentication is optional. If the module
is configured to use RADIUS or TACACS+, the Crypto Officer must define RADIUS or TACACS+
shared secret keys that are at least 8 characters long.
If the Crypto Officer loads any IOS image onto the router, this will put the router into a non-FIPS
mode of operation.
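The requirements above can be checked against a router's saved output. The following is an added example, not part of Cisco's document: the function name audit and the sample text are constructed for illustration, and it assumes the inputs are the text of "show version" and "show running-config". Hashed or type 7 secrets cannot be length-checked from the configuration, so only plaintext shared keys are measured.

```python
import re

# Boot-field value the policy requires for each router family.
REQUIRED_CONFREG = {"1700": 0x0101, "2600": 0x0101, "3700": 0x0101, "7200": 0x0102}

def audit(family, show_version, running_config):
    """Return findings; an empty list means no deviation was detected."""
    findings = []
    if "Version 12.3(3d)," not in show_version:
        findings.append("IOS image is not 12.3(3d)")
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", show_version)
    if not m or int(m.group(1), 16) != REQUIRED_CONFREG[family]:
        findings.append(f"config-register is not 0x{REQUIRED_CONFREG[family]:04X}")
    lines = running_config.splitlines()
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("no enable secret configured")
    # Collect the indented sub-commands of the "line con 0" block.
    console, in_con = [], False
    for l in lines:
        if not l.startswith(" "):
            in_con = l.startswith("line con 0")
        elif in_con:
            console.append(l.strip())
    if not any(c.split()[:1] == ["login"] for c in console):
        findings.append("console port does not require login")
    for l in lines:
        m = re.match(r"username (\S+) .*\bprivilege (\d+)", l)
        if m and m.group(2) != "1":
            findings.append(f"user {m.group(1)} has privilege level {m.group(2)}")
        if l.startswith("privilege "):
            findings.append(f"command moved from its default level: {l}")
        m = re.match(r"(radius|tacacs)-server .*\bkey (?:(\d) )?(\S+)", l)
        # Type 7 keys are obfuscated, so only plaintext keys can be length-checked.
        if m and m.group(2) != "7" and len(m.group(3)) < 8:
            findings.append(f"{m.group(1)} shared secret shorter than 8 characters")
    return findings

# Constructed sample text for illustration, not captured from a real router.
SAMPLE_VERSION = ("IOS (tm) C2600 Software (SAMPLE-IMAGE), Version 12.3(3d), RELEASE SOFTWARE\n"
                  "Configuration register is 0x2102\n")
SAMPLE_CONFIG = """\
enable secret 5 $1$placeholder
username operator privilege 15 password 0 placeholder-pw
privilege exec level 5 show running-config
radius-server host 192.0.2.10 key short
line con 0
 password placeholder-pw
 login local
"""
```

Calling audit("2600", SAMPLE_VERSION, SAMPLE_CONFIG) reports the wrong boot field, the level 15 user, the reassigned command, and the short RADIUS key.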