Enhanced Secure Mode

Table 1. Enhanced Secure Mode product support

| Feature | Product | Release introduced |
|---|---|---|
| Enhanced Secure mode | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| | 5720 Series | Fabric Engine 8.7 |
| | 7520 Series | Fabric Engine 8.10 |
| | 7720 Series | Fabric Engine 8.10 |
| | VSP 4450 Series | VOSS 4.2 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 4.2 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | VOSS 8.0.50 |
| Enhanced Secure mode for JITC and non-JITC sub-modes | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| | 5720 Series | Fabric Engine 8.7 |
| | 7520 Series | Fabric Engine 8.10 |
| | 7720 Series | Fabric Engine 8.10 |
| | VSP 4450 Series | VOSS 5.1 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 5.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 5.1 |
| | VSP 8400 Series | VOSS 5.1 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | Not supported |
| Enhanced Secure mode - sensitive file protection | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.5 |
| | 5520 Series | VOSS 8.5 |
| | 5720 Series | Fabric Engine 8.7 |
| | 7520 Series | Fabric Engine 8.10 |
| | 7720 Series | Fabric Engine 8.10 |
| | VSP 4450 Series | VOSS 8.5 |
| | VSP 4900 Series | VOSS 8.5 |
| | VSP 7200 Series | VOSS 8.5 |
| | VSP 7400 Series | VOSS 8.5 |
| | VSP 8200 Series | VOSS 8.5 |
| | VSP 8400 Series | VOSS 8.5 |
| | VSP 8600 Series | Not supported |
| | XA1400 Series | VOSS 8.5 |

Authentication Levels

After you enable enhanced secure mode with the boot config flags enhancedsecure-mode command, the switch supports role-based authentication levels. With enhanced secure mode enabled, the switch supports the authentication access levels listed under Access Level and Login Details for local authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System Plus (TACACS+) authentication.

Each username is associated with a role, and that role determines which commands the user is authorized to view and execute.

With enhanced secure mode enabled, a user at the administrator access level configures the login and password values for the other access levels. The administrator access level cannot be disabled on VOSS switches.

The administrator initially logs on to the switch using the default login of admin and the default password of admin. After the initial login, the switch prompts the administrator to create a new password.

The following example shows the administrator's initial login to the switch after enhanced secure mode is enabled.
Login: admin
Password: *****
        This is an initial attempt using the default user name and password.
        Please change the user name and password to continue.
Enter the new name : rwa
Enter the New password : ****************
Re-enter the New password : ****************
Password changed successfully
        Last Successful Login:Wed Oct 14 12:20:42 2015
         Unsuccessful Login attempts from last login is: 0

The administrator then configures the default logins and passwords for the other users according to each user's access level.

Access Level and Login Details

| Access level | Description | Login location |
|---|---|---|
| Administrator | The administrator access level permits all read-write access, and can change security settings. The administrator access level can configure CLI and web-based management user names, passwords, and the SNMP community strings. The administrator access level can also view audit logs. The administrator access level can be disabled on VSP 8600 Series only. | SSH/Telnet (in band/mgmt)/console |
| Privilege | The privilege access level has the same access permission as the administrator; however, the privilege access level cannot use RADIUS or TACACS+ authentication. The privilege access level is known as the emergency-admin on VSP 8600 Series only. | SSH/Telnet (in band/mgmt)/console |
| Operator | The operator access level can view most switch configurations and status information. The operator access level can change physical port settings at layer 2 and layer 3. The operator access level cannot access audit logs or security settings. | SSH/Telnet (in band/mgmt)/console |
| Auditor | The auditor access level can view configuration information, status information, and audit logs. | SSH/Telnet (in band/mgmt)/console |
| Security | The security access level can change security settings only. The security access level also has permission to view configuration and status information. | SSH/Telnet (in band/mgmt)/console |
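The following added example (not Extreme Networks code) models the policy described above as an authorization check: the permission set of each access level from the table, the rule that the privilege level is local-only and cannot be reached through RADIUS or TACACS+, and the forced credential change when the factory-default admin login is used. The role names and permission labels are this example's own abstractions.

```python
# Added example: a model of the enhanced-secure-mode access levels, not switch code.
from dataclasses import dataclass

# Read/write rights implied by "all read-write access" for administrator/privilege.
_READ = {"view_config", "view_status"}
_FULL = _READ | {"change_config", "change_port_settings",
                 "change_security", "manage_users", "view_audit_logs"}

# Permissions per access level, taken from the Access Level and Login Details table.
ROLE_PERMISSIONS = {
    "administrator": _FULL,
    "privilege":     _FULL,                              # same rights as administrator
    "operator":      _READ | {"change_port_settings"},   # no audit logs, no security
    "auditor":       _READ | {"view_audit_logs"},
    "security":      _READ | {"change_security"},
}

REMOTE_SOURCES = {"radius", "tacacs+"}   # privilege level may not authenticate via these
DEFAULT_CREDENTIALS = ("admin", "admin") # factory default; must be replaced at first login


@dataclass
class Session:
    username: str
    role: str
    auth_source: str                     # "local", "radius" or "tacacs+"
    must_change_credentials: bool = False


def login(username: str, password: str, role: str, auth_source: str) -> Session:
    """Open a session, enforcing the local-only rule for the privilege level and
    blocking the default admin login until its credentials are changed."""
    if role == "privilege" and auth_source in REMOTE_SOURCES:
        raise PermissionError("privilege level cannot use RADIUS or TACACS+")
    first_login = role == "administrator" and (username, password) == DEFAULT_CREDENTIALS
    return Session(username, role, auth_source, must_change_credentials=first_login)


def change_credentials(session: Session, new_username: str, new_password: str) -> Session:
    """Replace the default name/password (as the 'Enter the new name' prompt does)."""
    if (new_username, new_password) == DEFAULT_CREDENTIALS:
        raise ValueError("new credentials must differ from the factory default")
    return Session(new_username, session.role, session.auth_source, False)


def authorize(session: Session, permission: str) -> bool:
    """True only if the session's access level grants the permission now."""
    if session.must_change_credentials:
        return False                      # nothing else until the default creds are replaced
    return permission in ROLE_PERMISSIONS.get(session.role, set())
```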