User manual
AN-80i User Manual
70-00072-01-10 Proprietary Redline Communications © 2011 Page 128 of 152 March 2, 2011
Example
Use the TFTP server at IP address 192.168.25.1 to load certificate and key files generated for the
AN-80i with MAC address 00 09 02 01 C1 9A.
192.168.25.2# load file 192.168.25.1 usr_wacert_00-09-02-01-C1-9A.der fips tftp
192.168.25.2# load file 192.168.25.1 usr_wcert_00-09-02-01-C1-9A.der fips tftp
192.168.25.2# load file 192.168.25.1 usr_wkey_00-09-02-01-C1-9A.der fips tftp
192.168.25.2# show files fips
dsa_key.pem size=672 md5=fa9bd7a1f465fd7e9fed30150b0608c4
usr_ssl_key.der size=1194 md5=1c5c5ddd0f08604a3b48cf41a8570557
usr_ssl_cert.der size=1144 md5=ff0ce6923fc67a02d1e7bc6fa4856f94
192.168.25.2# reboot
...
192.168.25.2# set x509auth on
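TFTP offers neither authentication nor integrity protection, so the practical check after each `load file ... fips tftp` is that the size and MD5 the unit lists in `show files fips` match the files actually generated and sent. The following is an added example, not part of the manual or Redline's own tooling: it parses listing lines in the format shown above (`name size=N md5=...`), compares them with local copies, and reports which entries are intact, missing, truncated or altered. The file contents and the device transcript in `demo()` are constructed stand-ins, not real certificate or key material.

```python
"""Check what the AN-80i reports in 'show files fips' against the local files.

TFTP offers no authentication and no integrity protection, so after each
'load file <server> <name> fips tftp' the only practical check is that the
size and MD5 the device lists for that entry match the file actually sent.
"""
import hashlib
import re

# One entry of 'show files fips' output, e.g.
#   usr_ssl_key.der size=1194 md5=1c5c5ddd0f08604a3b48cf41a8570557
# (format taken from the listing on this page; prompt and blank lines are skipped)
LISTING_LINE = re.compile(
    r"^(?P<name>\S+)\s+size=(?P<size>\d+)\s+md5=(?P<md5>[0-9a-fA-F]{32})\s*$"
)


def parse_show_files(output):
    """Return {filename: (size, md5)} for every entry in a 'show files fips' dump."""
    entries = {}
    for line in output.splitlines():
        m = LISTING_LINE.match(line.strip())
        if m:
            entries[m.group("name")] = (int(m.group("size")), m.group("md5").lower())
    return entries


def verify_loaded_files(local_files, device_output):
    """Compare local files ({name: bytes}) with the device listing.

    Returns {name: status}, status being one of:
      'ok'            size and MD5 both match
      'missing'       the device has no entry of that name (load failed or wrong name)
      'size-mismatch' transfer truncated or wrong file loaded
      'md5-mismatch'  same length but different content (corruption or substitution)
    MD5 is used only because it is what the device exposes; it detects accidental
    corruption, not a deliberately crafted collision.
    """
    listing = parse_show_files(device_output)
    status = {}
    for name, data in local_files.items():
        if name not in listing:
            status[name] = "missing"
            continue
        size, md5 = listing[name]
        if size != len(data):
            status[name] = "size-mismatch"
        elif md5 != hashlib.md5(data).hexdigest():
            status[name] = "md5-mismatch"
        else:
            status[name] = "ok"
    return status


def render_listing(files):
    """Render {name: bytes} in the device's listing format (used to build the demo)."""
    return "\n".join(
        f"{name} size={len(data)} md5={hashlib.md5(data).hexdigest()}"
        for name, data in files.items()
    )


# Constructed stand-ins for the three files generated for MAC 00-09-02-01-C1-9A
# (filler bytes, not real DER certificate or key material).
LOCAL_FILES = {
    "usr_wacert_00-09-02-01-C1-9A.der": b"\x30\x82" + bytes(range(40)),
    "usr_wcert_00-09-02-01-C1-9A.der": b"\x30\x82" + bytes(range(40, 80)),
    "usr_wkey_00-09-02-01-C1-9A.der": b"\x30\x82" + bytes(range(80, 120)),
}


def demo():
    """Constructed 'show files fips' transcript: the user cert loaded intact, the key
    file with one byte altered in transit, and the CA cert never loaded."""
    altered_key = bytearray(LOCAL_FILES["usr_wkey_00-09-02-01-C1-9A.der"])
    altered_key[10] ^= 0x01
    on_device = {
        "dsa_key.pem": b"not-compared",  # unrelated entry, as on a real unit
        "usr_wcert_00-09-02-01-C1-9A.der": LOCAL_FILES["usr_wcert_00-09-02-01-C1-9A.der"],
        "usr_wkey_00-09-02-01-C1-9A.der": bytes(altered_key),
    }
    device_output = (
        "192.168.25.2# show files fips\n" + render_listing(on_device) + "\n192.168.25.2# "
    )
    return verify_loaded_files(LOCAL_FILES, device_output)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{result:14} {name}")
```

Run the check before `set x509auth on` and before the reboot that activates the key: a `missing` or mismatching entry at that point is far cheaper to fix than a link that refuses to authenticate afterwards. Entries the device lists but that you did not send (such as the `dsa_key.pem` line) are ignored by design.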
8.3.3 FIPS: AES Encryption
AES 256 bit wireless encryption is a standard feature with the FIPS option. AES encryption is not supported on AN-50e systems.
Out-of-Box Operation
AES encryption in FIPS mode is not supported out of box. Each AN-80i system that is to use AES encryption in FIPS mode must meet all of the following requirements:
1. AN-80i software with FIPS support is loaded and operational.
2. An options key enabled for FIPS operation must be purchased, loaded on the AN-80i, and be the currently active options key.
3. FIPS mode must be active (see FIPS Mode Out-of-Box Operation).
4. X.509 certificate and key files for wireless authentication must be loaded in the fips
table (see FIPS: Wireless Authentication).
Enable AES Encryption
Choose the same AES encryption setting on both AN-80i systems.
CLI: set encmode: n
(where: 0 - None, 1 - (Redline) 64-Bit, 2 - AES 128, 3 - AES 192, 4 - AES 256)
Web: Configuration screen -> Wireless Security Configuration
Encryption Type: None, (Redline) 64-Bit, AES 128, AES 192, AES 256
Important: A data link can be established only between systems with identical encryption
settings.
8.3.4 FIPS: SSH for Secure CLI
SSH is a standard feature that provides secure access when using the command line
interface (CLI) to manage AN-80i equipment. SSH uses public-key cryptography to
authenticate the endpoints and encrypts the session, so the CLI can be managed over
an unsecured network. Use an SSH client (e.g., OpenSSH or PuTTY) to access an AN-80i
using SSH. When SSH is required, TELNET (which carries credentials and session data
in clear text) should be disabled, since leaving it enabled defeats the purpose of SSH.
It is recommended that system operators use a commercially available tool to generate a
unique DSA key, and load the private key into the FIPS (fips) table before using the
SSH feature in a production environment.
Out-of-Box Operation
The AN-80i provides out-of-box SSH in FIPS mode. At reboot, the AN-80i checks the
FIPS (fips) table SSH DSA key (dsa_key_<mac>.pem) entry, and if this entry is empty
(no key), the AN-80i automatically generates a new temporary DSA key that is used until
the next reboot. Because that temporary key is discarded and regenerated at every
reboot, the unit's SSH host key and fingerprint change each time it restarts, so clients
cannot pin it and will repeatedly see host-key-changed warnings; loading a persistent DSA
key into the fips table gives the unit a stable host identity that operators can verify.