Enhanced secure mode

NOTE:

Enhanced secure mode is supported only on 2930, 3810, and 5400R switch series.

ArubaOS-Switch devices are capable of operating in one of two secure modes: standard and enhanced. In standard secure mode, passwords and security keys may be entered directly in plaintext from the configuration console (though they are, by default, stored separately from the switch configuration), and show commands generally do not hide or obscure configuration parameters.

In enhanced secure mode, there are a number of operating differences in software feature support, how commands are executed, and the way configuration parameters are displayed. Some significant changes include:

  • SSH drops support for less-secure ciphers, including 3des-cbc and rijndael-cbc@lysator.liu.se.

  • HTTPS supports only TLS 1.0 or later.

  • Passwords and authentication keys must be entered interactively, and can no longer be set as part of a command; password/key characters are displayed as asterisks.

  • Authentication must be completed any time a user transitions from one access level to another (for example, operator to manager or vice versa).

  • The switch ROM console is password-protected.

Entering enhanced secure mode results in the following sequence of events:

  • The switch is rebooted.

  • The management module file system is zeroized, then firmware images are restored.

switch(config)# secure-mode enhanced
Validating software and configurations, this may take a minute...
The system will be rebooted and all management module files except software images will be erased and zeroized. This will take up to 60 minutes and the switch will not be usable during that time. A power-cycle will then be required to complete the transition. Continue (y/n)? y

The switch will reboot at this point.

Zeroizing the file system ... 100%
Verifying cleanness of the file system... 100%
Restoring firmware image and other system files...
Zeroization of file system completed
Continue initializing...

The current switch operating mode can be displayed using the show secure-mode command:

switch(config)# show secure-mode

 Level: Enhanced
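When a fleet of switches is being moved to enhanced secure mode, the output of show secure-mode is the evidence that the transition actually completed, and the note above means that not every series can be expected to report "Enhanced". The following script is an added example, not part of this guide or of the ArubaOS-Switch software: it parses captured show secure-mode output and classifies each switch as compliant, still in standard mode, unsupported (a series other than 2930, 3810 or 5400R), or unknown (no parsable Level line). The inventory layout (name, series, captured output) and the sample devices are assumptions constructed for the example.

```python
import re
from typing import Optional

# Switch series that the guide lists as supporting enhanced secure mode.
ENHANCED_CAPABLE_SERIES = {"2930", "3810", "5400R"}


def parse_secure_mode_level(show_output: str) -> Optional[str]:
    """Extract the 'Level:' value from captured `show secure-mode` output.

    Returns the level in lowercase ('enhanced' or 'standard'), or None when
    the output carries no recognisable 'Level:' line (for example when the
    command is not available on the platform or the capture failed).
    """
    match = re.search(r"^\s*Level:\s*(\S+)\s*$", show_output, re.MULTILINE)
    return match.group(1).lower() if match else None


def audit_secure_mode(inventory):
    """Classify each switch record by its reported secure mode.

    Each record is a dict with 'name', 'series' and 'show_output' (the
    captured text of `show secure-mode`). This record layout is an assumption
    of the example, not an ArubaOS-Switch data format.
    """
    findings = []
    for sw in inventory:
        if sw["series"] not in ENHANCED_CAPABLE_SERIES:
            # Enhanced secure mode is not available on this series, so a
            # 'Standard' reading here is expected rather than a finding.
            status = "unsupported"
        else:
            level = parse_secure_mode_level(sw["show_output"])
            if level == "enhanced":
                status = "ok"
            elif level == "standard":
                status = "standard"   # candidate for `secure-mode enhanced`
            else:
                status = "unknown"    # no parsable Level line; recapture output
        findings.append({"name": sw["name"], "series": sw["series"], "status": status})
    return findings


# Constructed sample inventory (not real devices). The captured text mirrors the
# show secure-mode output format shown on the page.
SAMPLE_INVENTORY = [
    {"name": "core-a", "series": "5400R",
     "show_output": "switch(config)# show secure-mode\n\n Level: Enhanced\n"},
    {"name": "access-1", "series": "2930",
     "show_output": "switch(config)# show secure-mode\n\n Level: Standard\n"},
    {"name": "access-2", "series": "2930",
     "show_output": "switch(config)# show secure-mode\n"},
    {"name": "legacy-1", "series": "2540",
     "show_output": ""},
]

if __name__ == "__main__":
    for finding in audit_secure_mode(SAMPLE_INVENTORY):
        print(f"{finding['name']:10} {finding['series']:6} {finding['status']}")
```

The parser deliberately matches only a whole "Level:" line, so a switch whose output was truncated or came from an unrelated command is reported as unknown rather than silently treated as standard; the "standard" findings are the devices on which the secure-mode enhanced transition (with its reboot and zeroization) still has to be scheduled.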

For more details, refer to the chapter titled “Secure mode (FIPS)” in the ArubaOS-Switch Access Security Guide.