Enable authentication services

Reference the Extreme SLX-OS Security Configuration Guide, 20.2.1 – HTTPS Certificates for specific guidance on installing certificates and enabling HTTPS.

RADIUS over TLS and LDAP over TLS are supported.

Reference the Extreme SLX-OS Security Configuration Guide, 20.2.1 – RADIUS Server Authenticationfor specific guidance on configuring RADIUS over TLS.

Reference the Extreme SLX-OS Security Configuration Guide, 20.2.1 – Lightweight Directory Access Protocol for specific guidance on configuring LDAP over TLS.

To enable secure logging using the syslog server, complete the following steps.

1. Enter the crypto import syslogca command in privileged EXEC mode to import the syslog CA certificate.

device# crypto import syslogca rbridge-id 1 protocol SCP host 10.2.2.101 directory
        /home/certs/ file chainCA02.cert.pem user admin password <password>

The CA certificate imported must be generated using RSA-2048 with SHA-256.

• Enter the logging syslog-server ip-address command in global configuration mode to configure the syslog server.

device(config)# logging syslog-server 10.20.238.120 
        secure port 1999

The device enforces certificate validation during import and TLS server certificate validation occurs during the TLS handshake according to the following rules:

• Certificate validation and the certificate path validation support a minimum path length of three certificates.
• The certificate path must terminate with a trusted CA certificate.
• The certificate path should be validated by verifying the presence of the basic Constraintsextension and that the CA flagis setto TRUE for all CA certificates.
• The revocation status of the certificate should be validated.
• For SYSLOG, the device currently requires that an IP address must be used for Common Name (CN) and Subject Alternative Name (SAN).

  The extendedKeyUsage field should be validated according to the following rules:

• Certificates used for trusted updates and executable code integrity verification should have the Code Signing purpose (id- kp 3 with OID 1.3.6.1.5.5.7.3.3) in the extended Key Usagefield.
• Server certificates presented for TLS should have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extended Key Usage field.

• Client certificates presented for TLS should have the Client Authentication purpose (id-kp 2 with OID 1.3.6.1.5.5.7.3.2) in the extended Key Usage field.
• OCSP certificates presented for OCSP responses should have the OCSP Signing purpose (id-kp 9 withOID 1.3.6.1.5.5.7.3.9) in the extended Key Usage field.

• A certificate should only be treated as a CA certificate if the basic Constraints extensionis present and the CA flag is set to TRUE.