Configuring FIPS140-2 Cryptographic Mode - Cisco TelePresence Administrator's Manual

Video communication server

Maintenance
3. Set Advanced account security mode to On.
4. Click Save.
5. Reboot the VCS (Maintenance > Reboot).

VCS functionality: changes and limitations

When in secure mode, the following changes and limitations to standard VCS functionality apply:
- access over SSH and through the serial port is disabled and cannot be turned on (the pwrec password recovery function is also unavailable)
- access over HTTPS is enabled and cannot be turned off
- the command line interface (CLI) and API access are unavailable
- the root account, the admin account and any other local administrator accounts are disabled
- administrator account authentication source is set to Remote only and cannot be changed
- if there are three consecutive failed attempts to log in (by the same or different users), login access to the VCS is blocked for 60 seconds
- immediately after logging in, the current user is shown statistics of when they previously logged in and details of any failed attempts to log in using that account
- administrator accounts with read-only or read-write access levels cannot view the Event Log, Configuration Log and Network Log pages (these pages can be viewed only by accounts with Auditor access level)
- the Upgrade page only displays the System platform component
- downgrades to version X5.0 or below are not allowed

The Event Log, Configuration Log, Network Log, call history, search history and registration history are
cleared whenever the VCS is taken out of advanced account security mode. Note that if intrusion protection
is enabled, this will cause any existing blocked addresses to become unblocked.

Configuring FIPS140-2 cryptographic mode

FIPS140 is a U.S. and Canadian government standard that specifies security requirements for cryptographic
modules. FIPS140-1 became a mandatory standard for the protection of sensitive data in 1994 and was
superseded by FIPS140-2 in 2001.
VCS X8.1 or later implements FIPS140-2 compliant features. When in FIPS140-2 cryptographic mode,
system performance may be affected due to the increased cryptographic workload.

Prerequisites

Before FIPS140-2 mode can be enabled:
- Ensure that the system is not using NTLM protocol challenges with a direct Active Directory Service connection for device authentication; NTLM cannot be used while in FIPS140-2 mode.
- If login authentication via a remote LDAP server is configured, ensure that it uses TLS encryption if it is using SASL binding.
- The Advanced Account Security option key must be installed.

FIPS140-2 compliance also requires the following configuration settings:
Cisco VCS Administrator Guide (X8.1.1)
Advanced security
Page 296 of 507
