Enabling enhanced secure mode

Use the following procedure to enable enhanced secure mode. Enhanced secure mode is disabled by default.

About this task

Note

Note

When you migrate your switch from enhanced secure mode enabled to disabled, or from disabled to enabled, you must build a new configuration. Do not use a configuration created in either enhanced secure mode disabled or enabled, and expect it to transfer over to the new mode.

The configuration file cannot be guaranteed if you transfer between enhanced secure mode enabled to disabled, or from enhanced secure mode disabled to enabled.

After you enable the enhanced secure mode, the system provides role-based access levels, stronger password requirements, and stronger rules on password length, password complexity, password change intervals, password reuse, and password maximum age use. The enhanced secure mode boot flag supports two sub-modes namely JITC and non-JITC.

After you disable enhanced secure mode, the authentication, access-level, and password requirements work similarly to any of the existing commercial releases.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Enable enhanced secure mode:

    boot config flags enhancedsecure-mode [jitc | non-jitc]

    Note

    Note

    As a best practice, enable the enhanced secure mode in the non-JITC sub-mode, because the JITC sub-mode is more restrictive and prevents the use of some CLI commands that are commonly used for troubleshooting.

  3. Optional: Disable enhanced secure mode:

    no boot config flags enhancedsecure-mode

  4. Optional: Configure the enhanced secure mode to the default value:

    default boot config flags enhancedsecure-mode

  5. Save the configuration:

    save config

    Note

    Note

    The save config command saves the configuration file with the filename configured as the primary configuration filename in boot config. Use the command show boot config choice to view the current primary and backup configuration filenames.

  6. Restart the switch:

    boot [config WORD<1–99>][-y]

    Note

    Note

    If you enter the boot command with no arguments, you cause the switch to start using the current boot choices defined by the boot config choice command.

    If you enter a boot command and the configuration filename without the directory, the device uses the configuration file from /intflash/.

Example

Enable the enhanced secure non-JITC sub-mode:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#boot config flags enhancedsecure-mode non-jitc
Switch:1(config)#save config
Switch:1(config)#exit
Switch:1(config)#boot config /intflash/config.cfg -y

Enable the enhanced secure JITC sub-mode:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#boot config flags enhancedsecure-mode jitc
Switch:1(config)#save config
Switch:1(config)#exit
Switch:1(config)#boot config /intflash/config.cfg -y

Variable definitions

Use the data in the following table to use the boot config flags enhancedsecure-mode command.

Variable

Value

jitc

Enables the JITC enhanced secure mode.

The JITC mode is more restrictive and prevents the use of some CLI commands that are commonly used for troubleshooting.

non-jitc

Enables the non-JITC enhanced secure mode.

9037588-00 Rev AA