Authentication Server Protocols; Logging Configuration - Cisco ASR 1000 Series Common Criteria Operational User Guidance And Preparative Procedures

6. Configure vty lines to accept 'ssh' login services
TOE-common-criteria(config-line)# transport input ssh
7. Configure an SSH client to support only the following specific encryption algorithms:
o AES-CBC-128
o AES-CBC-256
peer#ssh -l cisco -c aes128-cbc 1.1.1.1
peer#ssh -l cisco -c aes256-cbc 1.1.1.1
8. Configure an SSH client to support message authentication. Only the following MACs are
allowed, and "None" for MAC is not allowed:
a. hmac-sha1-96
b. hmac-sha1
peer#ssh -l cisco -m hmac-sha1-96 1.1.1.1
9. Configure the SSH rekey time-based rekey and volume-based rekey values (values can be
configured to be lower than the default values if a shorter interval is desired):
a. ip ssh rekey time 60
b. ip ssh rekey volume 1000000
• HTTP and HTTPS servers were not evaluated and must be disabled: no ip http server
no ip http secure-server
• SNMP server was not evaluated and must be disabled: no snmp-server
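The steps above describe the device-side settings, but an administrator still needs a way to confirm that a running configuration actually matches them. The following script is an added example, not part of this guidance document and not Cisco tooling: it audits a `show running-config` excerpt for step 6 (SSH-only vty lines), step 9 (rekey limits) and the two "must be disabled" bullets. Steps 7 and 8 are client-side SSH options and are not checked here. Both configuration samples embedded in the script are constructed for illustration; the assumption that the rekey values given in step 9 are the upper limits for the evaluated configuration, and the decision to treat any remaining `snmp-server` line as "SNMP still enabled", are mine rather than statements from the page.

```python
"""Audit an IOS/IOS-XE running-config excerpt against the SSH, HTTP and
SNMP requirements listed in the Common Criteria guidance above.

Added example: the sample configurations below are constructed, not captured
from a real device.
"""
from typing import List, Optional, Tuple

# Step 9 gives 'ip ssh rekey time 60' (minutes) and 'ip ssh rekey volume
# 1000000' (kilobytes) and allows lower values; this audit therefore treats
# them as maxima (an assumption made for the example).
MAX_REKEY_TIME_MIN = 60
MAX_REKEY_VOLUME_KB = 1000000

# Constructed compliant excerpt. 'no snmp-server' does not appear in a
# running-config; the absence of any snmp-server line is what shows SNMP is off.
COMPLIANT_CONFIG = """\
hostname TOE-common-criteria
no ip http server
no ip http secure-server
ip ssh rekey time 60
ip ssh rekey volume 1000000
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""

# Constructed non-compliant excerpt: HTTP left on, telnet still accepted on
# the vty lines, rekey time too long, rekey volume never set, SNMP configured.
NONCOMPLIANT_CONFIG = """\
hostname TOE-common-criteria
ip http server
no ip http secure-server
snmp-server community public RO
ip ssh rekey time 120
line vty 0 4
 transport input telnet ssh
"""


def _vty_blocks(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (header, indented body lines) for every 'line vty ...' section."""
    blocks: List[Tuple[str, List[str]]] = []
    current: Optional[Tuple[str, List[str]]] = None
    for raw in lines:
        if current is not None and not raw.startswith(" "):
            blocks.append(current)      # an unindented line ends the section
            current = None
        if raw.startswith("line vty"):
            current = (raw, [])
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
    if current is not None:
        blocks.append(current)
    return blocks


def _int_setting(lines: List[str], prefix: str) -> Optional[int]:
    """Return the integer argument of the first line starting with prefix."""
    for raw in lines:
        if raw.startswith(prefix):
            rest = raw[len(prefix):].strip()
            if rest.isdigit():
                return int(rest)
    return None


def audit_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means the excerpt is compliant."""
    lines = [line.rstrip() for line in config.splitlines()]
    findings: List[str] = []

    # Step 6: every vty range must accept exactly 'transport input ssh'.
    vtys = _vty_blocks(lines)
    if not vtys:
        findings.append("no 'line vty' sections found")
    for header, body in vtys:
        if "transport input ssh" not in body:
            findings.append(f"{header}: 'transport input ssh' missing or other protocols allowed")

    # Step 9: time-based and volume-based rekey must be set and within limits.
    rekey_time = _int_setting(lines, "ip ssh rekey time")
    if rekey_time is None or rekey_time > MAX_REKEY_TIME_MIN:
        findings.append(f"ip ssh rekey time is {rekey_time}, expected <= {MAX_REKEY_TIME_MIN}")
    rekey_volume = _int_setting(lines, "ip ssh rekey volume")
    if rekey_volume is None or rekey_volume > MAX_REKEY_VOLUME_KB:
        findings.append(f"ip ssh rekey volume is {rekey_volume}, expected <= {MAX_REKEY_VOLUME_KB}")

    # Unevaluated services: HTTP/HTTPS must be explicitly off, SNMP absent.
    for required in ("no ip http server", "no ip http secure-server"):
        if required not in lines:
            findings.append(f"'{required}' not present")
    snmp_lines = [line for line in lines if line.startswith("snmp-server")]
    if snmp_lines:
        findings.append(f"snmp-server still configured ({len(snmp_lines)} line(s))")

    return findings


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("non-compliant", NONCOMPLIANT_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Feed the script the output of `show running-config` from the device under review; it reports one finding per deviation, so an empty result is the pass condition. Because the check is purely textual it cannot tell whether a vty range was left out of the configuration entirely, which is why it also flags the complete absence of `line vty` sections.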
3.3.2 Authentication Server Protocols

• RADIUS (outbound) for authentication of TOE administrators to remote authentication
servers is disabled by default but should be enabled by administrators in the evaluated
configuration.
o To configure RADIUS refer to [17]: under Configure, click on Configuration
Guides > Security, Services, and VPN > click on Securing User Services
Configuration Guide Library > click on Authentication, Authorization, and
Accounting (AAA) Configuration Guide > Configuring Authentication > How to
Configure AAA Authentication Methods > Configuring Login Authentication
Using AAA > Login Authentication Using Group RADIUS. Use best practices
for the selection and protection of the RADIUS key to ensure that the key is not easily
guessable and is not shared with unauthorized users.
This protocol is to be tunneled over an IPsec connection in the evaluated configuration. The
instructions for setting up this communication are the same as those for protecting
communications with a syslog server, detailed in Section 3.3.4 below.
3.3.3 Logging Configuration

Logging of command execution must be enabled: [10] Cisco IOS Configuration Fundamentals
Command Reference and Cisco IOS Debug Command References
Page 20 of 72
