Cisco Systems IE 2000 Switch for Secure Socket Layer HTTP

12-22

Cisco IE 2000 Switch Software Configuration Guide

OL-25866-01

Chapter 12 Configuring Switch-Based Authentication

Information About Configuring Switch-Based Authentication

These limitations apply to SSH:

• The switch supports Rivest, Shamir, and Adelman (RSA) authentication.

• SSH supports only the execution-shell application.

• The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data

encryption software.

• The switch supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit

key, 192-bit key, or 256-bit key. However, symmetric cipher AES to encrypt the keys is not

supported.

Follow these guidelines when configuring the switch as an SSH server or SSH client:

• An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server, and the reverse.

• If you get CLI error messages after entering the crypto key generate rsa global configuration

command, an RSA key pair has not been generated. Reconfigure the hostname and domain, and then

enter the crypto key generate rsa command. For more information, see the “Setting Up the Switch

to Run SSH” section on page 12-40.

• When generating the RSA key pair, the message No host name specified might appear. If it does,

you must configure a hostname by using the hostname global configuration command.

• When generating the RSA key pair, the message No domain specified might appear. If it does, you

must configure an IP domain name by using the ip domain- name global configuration command.

• When configuring the local authentication and authorization authentication method, make sure that

AAA is disabled on the console.

Switch for Secure Socket Layer HTTP

Secure Socket Layer (SSL) version 3.0 supports the HTTP 1.1 server and client. SSL provides server

authentication, encryption, and message integrity, as well as HTTP client authentication, to allow secure

HTTP communications. To use this feature, the cryptographic (encrypted) software image must be

installed on your switch. You must obtain authorization to use this feature and to download the

cryptographic software files from Cisco.com. For more information about the crypto image, see the

release notes for this release.

On a secure HTTP connection, data to and from an HTTP server is encrypted bef ore being sent over the

Internet. HTTP with SSL encryption provides a secure connection to allow such functions as configuring

a switch from a Web browser. Cisco's implementation of the secure HTTP server and secure HTTP client

uses an implementation of SSL Version 3.0 with application-layer encryption. HTTP over SSL is

abbreviated as HTTPS; the URL of a secure connection begins with https:// instead of http://.

The primary role of the HTTP secure server (the switch) is to listen for HTTPS re quests on a designated

port (the default HTTPS port is 443) and pass the request to the H TTP 1.1 Web server. The HTTP 1.1

server processes requests and passes responses (pages) back to the HTTP secure server, which responds

to the original request.