Federal government certification

The following phase 3 certification features are included in the 16.03 release.

Local command audit logging

The logging of all administrative actions on a device is a requirement for NDcPP certification:

  • All administrative actions (commands) must be logged locally.

  • Enabling and disabling of command log storage is required.

  • The identity of a user causing an event must be logged.

  • When the command log is exhausted by 80% and wraparound occurs, the event must be logged and a trap must be generated.

  • The logs have a maximum of 240 characters and are stored in the command log buffer. If the log message exceeds this maximum length, it is truncated and is not stored in the command log buffer.
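The following is an added example, not code from the switch firmware or from the release notes: a small Python model of the command log described above. It keeps a fixed-size circular buffer of administrative commands with the acting user's identity, drops the part of a message that exceeds 240 characters (the reading of the truncation rule assumed here), records the enable/disable of log storage as audited actions themselves, and emits an "exhaustion-80pct" event when the buffer first reaches 80% fill and a "wraparound" event each time writing wraps to the start of the buffer. The buffer capacity of 10 and the command strings are constructed values for the demonstration; the real switch's capacity, event names and trap format are not stated on the page.

```python
import math
from datetime import datetime, timezone

MAX_MSG_LEN = 240        # per-entry limit stated for the command log buffer
WARN_FILL_RATIO = 0.8    # 80% exhaustion threshold stated for the command log


class CommandLog:
    """Model of a local command audit log backed by a fixed-size ring buffer."""

    def __init__(self, capacity=10):     # capacity is a constructed value
        self.capacity = capacity
        self.buffer = [None] * capacity
        self.next_index = 0              # slot the next entry is written to
        self.total_written = 0
        self.enabled = True
        self.events = []                 # stands in for the logged event + SNMP trap
        self._warned_80 = False

    def _emit(self, event, user, ts):
        self.events.append({"event": event, "user": user, "ts": ts})

    def record(self, user, command, ts=None):
        """Store one administrative command; returns the entry, or None if storage is off."""
        if not self.enabled:
            return None
        ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        truncated = len(command) > MAX_MSG_LEN
        text = command[:MAX_MSG_LEN] if truncated else command   # excess is dropped (assumption)
        if self.next_index == 0 and self.total_written > 0:
            self._emit("wraparound", user, ts)            # write pointer wrapped to slot 0
        entry = {"ts": ts, "user": user, "command": text, "truncated": truncated}
        self.buffer[self.next_index] = entry
        self.next_index = (self.next_index + 1) % self.capacity
        self.total_written += 1
        threshold = math.ceil(WARN_FILL_RATIO * self.capacity)
        if not self._warned_80 and self.total_written >= threshold:
            self._warned_80 = True
            self._emit("exhaustion-80pct", user, ts)
        return entry

    def set_storage(self, user, enabled, ts=None):
        """Enable or disable storage; the action itself is always audited."""
        if enabled:
            self.enabled = True
            self.record(user, "logging enable", ts)
        else:
            self.record(user, "logging disable", ts)       # logged before storage stops
            self.enabled = False

    def fill_percent(self):
        return 100.0 * min(self.total_written, self.capacity) / self.capacity

    def entries(self):
        """Stored entries in chronological order."""
        if self.total_written < self.capacity:
            return self.buffer[: self.total_written]
        return self.buffer[self.next_index:] + self.buffer[: self.next_index]


if __name__ == "__main__":
    log = CommandLog(capacity=10)
    for i in range(11):
        log.record("admin", f"show running-config {i}", ts="2016-01-01T00:00:00Z")
    for ev in log.events:
        print(ev)                      # one 80% event, then one wraparound
    print(log.fill_percent(), len(log.entries()))
```

Each call to record returns the stored entry, so the truncated flag and the events list are the places to check when wiring this into a syslog or trap sender.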

Password storage in SHA-256 format

On Aruba switches, passwords can be configured either in plaintext or SHA-1 format. You can now configure the passwords in SHA-256 format as well. For more information, see the Access Security Guide of your switch.

SSH Re-keying

With session re-keying, either the SSH server or the SSH client can initiate a re-key, as RFC 4251 requires. A re-key establishes a new set of encryption and integrity keys between the two sides. Once the re-key is complete, the new keys are used for all further communication, so the same key is not used for a long duration and the security of the session is maintained. For more information, see the Access Security Guide of your switch.

OSPFv3 RFC compliance

This feature supports authentication of OSPFv3 routing traffic on Aruba devices via IPsec, in compliance with RFC 4552. Authentication uses the AH protocol; authentication and confidentiality using ESP are not supported in this release. For more information, see the IPv6 Configuration Guide of your switch.

X.509v3 certificate extension RSA minimum key support

There are three requirements for NDcPP certification:

  • Minimum secure RSA key size.

  • Enforcement of TLS 1.1/TLS 1.2 for all TLS connections.

  • Validation of the extended key usage extension for X.509v3 certificates.

As part of these requirements, an option has been added to the existing tls configuration command to set the minimum TLS version, as required for cloud applications.
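An added example of two of the checks above, written here for illustration and not taken from the switch firmware or the release notes: a pure-Python DER encoder/decoder for an RSA SubjectPublicKeyInfo (the public-key block inside an X.509v3 certificate) that measures the modulus size against a minimum, and a TLS client context that refuses protocol versions below a configured minimum. The 2048-bit threshold is an assumption, since the page states the requirement without a number; the moduli in the demonstration are constructed values, not real keys; and the example uses TLS 1.2 as the minimum, the stricter of the two versions the page names.

```python
import ssl

MIN_RSA_BITS = 2048                                   # assumed threshold
RSA_OID = bytes.fromhex("06092a864886f70d010101")     # 1.2.840.113549.1.1.1 rsaEncryption


def _der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    """DER INTEGER: minimal big-endian bytes, leading 0x00 if the top bit is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def encode_rsa_spki(n, e):
    """Build a SubjectPublicKeyInfo for an RSA key (RFC 3279 layout)."""
    rsa_public_key = _der_tlv(0x30, _der_int(n) + _der_int(e))
    algorithm = _der_tlv(0x30, RSA_OID + b"\x05\x00")          # rsaEncryption, NULL params
    return _der_tlv(0x30, algorithm + _der_tlv(0x03, b"\x00" + rsa_public_key))


def _der_read(buf, pos):
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Return the modulus size in bits of an RSA SubjectPublicKeyInfo."""
    tag, body, _ = _der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, algorithm, pos = _der_read(body, 0)
    if not algorithm.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _der_read(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_public_key, _ = _der_read(bit_string[1:], 0)   # skip the unused-bits octet
    tag, modulus, _ = _der_read(rsa_public_key, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def rsa_key_is_acceptable(spki, minimum_bits=MIN_RSA_BITS):
    return rsa_modulus_bits(spki) >= minimum_bits


def tls_client_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Client context that validates the peer certificate and refuses versions below `minimum`."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED and hostname checking on by default
    ctx.minimum_version = minimum
    return ctx


if __name__ == "__main__":
    # Constructed moduli (not real keys): a 2048-bit and a 1024-bit value.
    strong = encode_rsa_spki((1 << 2047) | 1, 65537)
    weak = encode_rsa_spki((1 << 1023) | 1, 65537)
    print(rsa_modulus_bits(strong), rsa_key_is_acceptable(strong))
    print(rsa_modulus_bits(weak), rsa_key_is_acceptable(weak))
    print(tls_client_context().minimum_version.name)
```

Feeding rsa_modulus_bits the SubjectPublicKeyInfo extracted from a real certificate gives the size that the minimum-key-size rule is judged against; the extended key usage check from the list above needs a full certificate parser and is not covered by this example.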

X.509v3 certificate authentication for SSH

This feature supports user authentication in SSH using X.509v3-based certificates. For more information, see the Access Security Guide of your switch.