System information
Cisco Cat3K ST 6 June 2012
1.7.4 Identification and authentication
The TOE performs authentication, using Cisco IOS platform authentication mechanisms,
to authenticate access to user EXEC and privileged EXEC command modes. All users
wanting to use TOE services are identified and authenticated prior to being allowed
access to any of the services. Once a user attempts to access the management
functionality of the TOE (via EXEC mode), the TOE prompts the user for a user name
and password. Only after the administrative user presents the correct identification and
authentication credentials will access to the TOE functionality be granted.
The TOE supports use of a remote AAA server (RADIUS and TACACS+) as the
enforcement point for identifying and authenticating users, including login and password
dialog, challenge and response, and messaging support. Encryption of the packet body is
provided through the use of RADIUS (note that RADIUS only encrypts the password within
the packet body), while TACACS+ encrypts the entire packet body except the header.
Note that the remote authentication server is not included within the scope of the TOE
evaluated configuration; it is considered to be provided by the operational environment.
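The difference the paragraph above draws between RADIUS and TACACS+ is easiest to see on the wire. The following added Python example (constructed for this page, not Cisco code or part of the Security Target) implements the RADIUS User-Password hiding of RFC 2865 section 5.2 and the TACACS+ body obfuscation of RFC 8907 section 4.5, then builds a minimal Access-Request attribute list and a TACACS+ packet to check which fields stay visible. The shared secret, session ID, user name and password are made-up values.

```python
import hashlib
import os
import struct

# Constructed example for this Security Target: the shared secret, session ID and
# credentials below are made up. Shows why the ST says RADIUS hides only the
# password while TACACS+ obfuscates the whole body after the header.


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


# --- RADIUS User-Password hiding (RFC 2865, section 5.2) ---------------------
def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16 bytes, then XOR each block with a chained MD5 value."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    b = _md5(secret, authenticator)              # b1 = MD5(S + RA)
    for i in range(0, len(padded), 16):
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        b = _md5(secret, c)                      # b(n) = MD5(S + c(n-1))
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; the trailing NUL padding is stripped."""
    out = bytearray()
    b = _md5(secret, authenticator)
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        b = _md5(secret, c)
    return bytes(out).rstrip(b"\x00")


def radius_access_request_attrs(username: bytes, password: bytes,
                                secret: bytes, authenticator: bytes) -> bytes:
    """Attribute section of an Access-Request: User-Name (type 1) goes in clear,
    User-Password (type 2) is the only attribute that is hidden."""
    hidden = radius_hide_password(password, secret, authenticator)
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden)]) + hidden)


# --- TACACS+ body obfuscation (RFC 8907, section 4.5) ------------------------
TACACS_VERSION = 0xC0   # major version 0xC, minor version 0


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int,
                      seq_no: int, length: int) -> bytes:
    """pad = MD5_1 || MD5_2 || ... with MD5_1 = MD5(session_id, key, version, seq_no)
    and MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = _md5(prefix, prev)
        pad += prev
    return pad[:length]


def tacacs_obfuscate_body(body: bytes, session_id: int, key: bytes,
                          seq_no: int, version: int = TACACS_VERSION) -> bytes:
    """XOR with the pseudo-pad; applying it twice returns the plaintext body."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(x ^ y for x, y in zip(body, pad))


def tacacs_packet(body: bytes, session_id: int, key: bytes,
                  seq_no: int, packet_type: int = 1) -> bytes:
    """12-byte cleartext header (version, type, seq_no, flags, session_id, length)
    followed by the obfuscated body. packet_type 1 = authentication."""
    header = struct.pack("!BBBBII", TACACS_VERSION, packet_type, seq_no, 0,
                         session_id, len(body))
    return header + tacacs_obfuscate_body(body, session_id, key, seq_no)


def compare_exposure() -> dict:
    """Report which of the constructed credentials remain visible on the wire."""
    secret = b"constructed-shared-secret"
    username, password = b"netadmin", b"Constructed-Pw1"
    attrs = radius_access_request_attrs(username, password, secret, os.urandom(16))
    # Simplified TACACS+ authentication START body (constructed) carrying the user name.
    body = b"\x01\x00\x02\x01" + bytes([len(username), 0, 0, 0]) + username
    pkt = tacacs_packet(body, 0x7A3B9C1D, secret, 1)
    return {
        "radius_username_visible": username in attrs,
        "radius_password_visible": password in attrs,
        "tacacs_username_visible": username in pkt[12:],
        "tacacs_header_visible": pkt[8:12] == len(body).to_bytes(4, "big"),
    }
```

Calling `compare_exposure()` shows the user name in clear in the RADIUS attributes but not in the TACACS+ body, while the TACACS+ header (including the length field) stays readable, which is exactly the distinction the Security Target makes. Both mechanisms are MD5-keyed XOR streams, not authenticated encryption, which is why the evaluated configuration treats the AAA server as part of the operational environment rather than as a protected channel.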
The TOE can be configured to display an advisory banner when administrators log in and
also to terminate administrator sessions after a configured period of inactivity.
The TOE also supports authentication of other routers using router authentication
supported by BGPv4, EIGRP, PIM-SMv2, and OSPFv2. Each of these protocols
supports authentication by transmission of MD5-hashed password strings, which each
neighbor router uses to authenticate others. It is noted that, per the FIPS Security Policy,
MD5 is not a validated algorithm during FIPS mode of operation. For additional
security, it is recommended that routing protocol traffic also be isolated to separate VLANs.
1.7.5 Security management
The TOE provides secure administrative services for management of general TOE
configuration and the security functionality provided by the TOE. All TOE
administration occurs either through a secure session via SSHv2, a terminal server
directly connected to the Catalyst Switch (RJ45), or a local console connection (serial
port). The TOE provides authorized administrators the ability to perform the following actions:
• add new administrators,
• start-up and shutdown the device,
• create, modify, or delete configuration items,
• create, modify, or delete information flow policies,
• create, modify, or delete routing tables,
• modify and set session inactivity thresholds,
• modify and set the time and date,
• and create, delete, empty, and review the audit trail
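As an added illustration (not taken from the Security Target or from Cisco documentation), the IOS configuration fragment below shows how the controls described in sections 1.7.4 and 1.7.5 are typically expressed on the switch: a TACACS+ server as the enforcement point with local fallback, the advisory login banner, an inactivity timeout on console and virtual terminal lines, and SSHv2 as the only permitted remote management transport. The host name, domain, server address and shared key are placeholders.

```text
! Constructed example configuration; host name, domain, address and key are placeholders.
hostname cat3k-example
ip domain-name example.net
! Generate the RSA key pair from privileged EXEC before enabling SSH:
!   crypto key generate rsa modulus 2048
ip ssh version 2
!
aaa new-model
! TACACS+ is the enforcement point; the local database is used only if the
! AAA server cannot be reached.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-WITH-SHARED-KEY
!
! Advisory banner displayed before the login prompt (section 1.7.4).
banner login ^C
Authorized use only. Activity on this device is monitored and logged.
^C
!
! Local console: same authentication method and a 10 minute inactivity limit.
line con 0
 login authentication default
 exec-timeout 10 0
!
! Remote management over SSHv2 only (no Telnet); idle sessions end after 10 minutes.
line vty 0 4
 transport input ssh
 login authentication default
 exec-timeout 10 0
```

The `exec-timeout` value is minutes followed by seconds, so `10 0` implements the configured inactivity period the Security Target refers to; `transport input ssh` is what excludes cleartext Telnet from the virtual terminal lines.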