16. Disable the EZ-Server using the configure command:
configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
Fabric parameters (yes, y, no, n): [no]
D-Port Parameters (yes, y, no, n): [no]
RDP Polling Cycle(hours)[0 = Disable Polling]: (0..24) [1]
System services (yes, y, no, n): [no]
ssl attributes (yes, y, no, n): [no]
cfgload attributes (yes, y, no, n): [no]
webtools attributes (yes, y, no, n): [no] y
Basic User Enabled (yes, y, no, n): [no]
Perform License Checking and Warning (yes, y, no, n): [yes]
Allow Fabric Event Collection (yes, y, no, n): [yes]
Login Session Timeout (in secs): (60..432000) [7200]
EZserver Enabled (yes, y, no, n): [yes] no
17. Disable IP security for the management interface using the ipsecconfig --disable command.
19. Disable In-flight Encryption using the portcfgencrypt --disable portnumber command.
20. Configure the PEAP MS-CHAPv2 extension authentication protocol on the RADIUS server and obfuscate the RADIUS shared secret using the following command:
aaaconfig --add 10.10.10.1 -conf radius -s sharedsecret -e aes256 -a peap-mschapv2
NOTE
Use of either a RADIUS or LDAP authentication server is allowed, but is not required in the evaluated configuration.
If an LDAP server is used for authentication, it can be configured using the following CLI command:
aaaconfig --add padl12r2.la12security.brocade.com -conf ldap -d la12security.brocade.com
20. If an LDAP server or a RADIUS server is used for authentication and authorization, it is desirable to import a CA certificate that has a 2048-bit key and is signed with SHA256 for the complete chain of CA certificates:
seccertmgmt import -ca -server ldap -protocol scp -ipaddr <remote-ip> -remotedir <remote-path> -login <remote-username> -certname <LDAP CA cert filename>
seccertmgmt import -ca -server radius -protocol scp -ipaddr <remote-ip> -remotedir <remote-path> -login <remote-username> -certname <RADIUS CA cert filename>
NOTE
• For all TLS connections, RSA certificates with 2048-bit keys and signed with SHA256 must be used both on the server and on the TOE.
• Certificates imported into the TOE should be from trustworthy sources.
• Certificates and keys based on elliptic-curve cryptography must not be configured or used for TLS or SSH sessions.
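The certificate requirements above can be verified on the administrator's workstation before the chain is staged for seccertmgmt. The following script is an added example, not part of the Fabric OS guide; it assumes only POSIX sh, awk, sed and the openssl CLI on the host holding the PEM files, and it accepts either a single certificate or a concatenated chain.

```sh
#!/bin/sh
# Pre-import check for a CA certificate or PEM chain destined for seccertmgmt:
# every certificate must carry an RSA key of at least 2048 bits and a
# sha256WithRSAEncryption signature; elliptic-curve certificates are rejected.
# Constructed example; runs on the admin host, not on the switch (TOE).

# check_one_cert FILE: report findings for one PEM certificate, 0 if it complies.
check_one_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "$1: not a parseable X.509 certificate"; return 1; }
    # The first "Signature Algorithm:" line is the one inside the TBSCertificate.
    sigalg=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ {print $3; exit}')
    keyalg=$(printf '%s\n' "$text" | awk '/Public Key Algorithm:/ {print $4; exit}')
    # Matches "Public-Key: (2048 bit)" and the older "RSA Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    cert_rc=0
    [ "$keyalg" = rsaEncryption ] || { echo "$1: key algorithm $keyalg, RSA required"; cert_rc=1; }
    [ "${bits:-0}" -ge 2048 ] || { echo "$1: key size ${bits:-?} bits, 2048 required"; cert_rc=1; }
    [ "$sigalg" = sha256WithRSAEncryption ] || { echo "$1: signature $sigalg, sha256WithRSAEncryption required"; cert_rc=1; }
    [ "$cert_rc" -eq 0 ] && echo "$1: OK ($keyalg, $bits bit, $sigalg)"
    return "$cert_rc"
}

# check_chain FILE: split a PEM bundle into its certificates and check each one.
check_chain() {
    dir=$(mktemp -d) || return 1
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/cert" n ".pem")}' "$1"
    chain_rc=0; found=0
    for c in "$dir"/cert*.pem; do
        [ -e "$c" ] || break
        found=1
        check_one_cert "$c" || chain_rc=1
    done
    [ "$found" -eq 1 ] || { echo "$1: no PEM certificates found"; chain_rc=1; }
    rm -rf "$dir"
    return "$chain_rc"
}

# Usage: sh check_ca_chain.sh <ca-chain.pem>
if [ "$#" -gt 0 ]; then check_chain "$1"; exit $?; fi
```

A non-zero exit means at least one certificate in the bundle violates the evaluated-configuration rules and the chain should not be uploaded to the switch.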
Draft: Broadcom Confidential
Brocade Fabric OS BSI User Guide, 8.2.0x
16 FOS-820X-BSI-UG100