LDAP in FIPS mode, Table 88 – Dell PowerEdge M1000E User Manual

Page 618


Fabric OS Administrator’s Guide, 53-1002745-02

B  FIPS mode configuration

TABLE 87  FIPS mode restrictions (Continued)

Features                                             | FIPS mode                                                                      | Non-FIPS mode
-----------------------------------------------------+--------------------------------------------------------------------------------+-------------------------------------------------------------
IPsec                                                | Usage of AES-XCBC, MD5, and DH group 1 is blocked.                             | No restrictions
LDAP CA                                              | CA certificate must be available.                                              | CA certificate is optional.
Common certificate for FCAP and HTTPS authentication | Not supported                                                                  | Supported
Radius auth protocols                                | PEAP-MSCHAPv2                                                                  | CHAP, PAP, PEAP-MSCHAPv2
Root account                                         | Disabled                                                                       | Enabled
Secure RPC protocols                                 | TLS/AES128 cipher suite                                                        | SSL and TLS – all cipher suites
Signed firmware download                             | Mandatory firmware signature validation (SCP only)                             | Optional firmware signature validation (FTP and SCP)
SNMP                                                 | Read-only operations                                                           | Read and write operations
SSH algorithms                                       | HMAC-SHA1 (mac); 3DES-CBC, AES128-CBC, AES192-CBC, AES256-CBC (cipher suites)  | No restrictions
SSH public keys                                      | RSA 1024 bit keys and RSA 2048 bit keys                                        | RSA 1024 bit keys, RSA 2048 bit keys, and DSA 1024 bit keys
TACACS+ authentication                               | Not supported                                                                  | Supported
Telnet/SSH access                                    | Only SSH                                                                       | Telnet and SSH

LDAP in FIPS mode

You can configure your Microsoft Active Directory server to use the Lightweight Directory Access Protocol (LDAP) while the switch is in FIPS mode. The switch provides no option to configure TLS ciphers for LDAP in FIPS mode; instead, the LDAP client checks whether FIPS mode is set on the switch and, if it is, uses only the FIPS-compliant TLS ciphers for LDAP. If FIPS mode is not set but the Microsoft Active Directory server is configured for FIPS ciphers, the LDAP client still uses FIPS-compliant ciphers.

Table 88 lists the differences between FIPS and non-FIPS modes of operation.

TABLE 88  FIPS and non-FIPS modes of operation

FIPS mode:      The certificate of the CA that issued the Microsoft Active Directory server certificate must be installed on the switch.
Non-FIPS mode:  There is no mandatory CA certificate installation on the switch.

FIPS mode:      Configure FIPS-compliant TLS ciphers [TDES-168, SHA1 and RSA-1024] on the Microsoft Active Directory server. The host needs a reboot for the changes to take effect.
Non-FIPS mode:  On the Microsoft Active Directory server, there is no configuration of the FIPS-compliant TLS ciphers.

FIPS mode:      The switch uses FIPS-compliant ciphers regardless of the Microsoft Active Directory server configuration. If the Microsoft Active Directory server is not configured for FIPS ciphers, authentication will still succeed.
Non-FIPS mode:  The Microsoft Active Directory server certificate is validated if the CA certificate is found on the switch.

FIPS mode:      The Microsoft Active Directory server certificate is validated by the LDAP client. If the CA certificate is not present on the switch, then user authentication will fail.
Non-FIPS mode:  If the Microsoft Active Directory server is configured for FIPS ciphers and the switch is in non-FIPS mode, then user authentication will succeed.
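As an added example (not code from the Fabric OS Administrator's Guide, and not a Fabric OS command), the following Python check reads a configuration snapshot and reports every setting that the FIPS-mode column of Table 87 forbids while FIPS mode is enabled. The "key: value" snapshot format, its key names and the sample values are assumptions made for illustration; a real collector would have to fill them in from the switch's own show commands. It also reflects the non-FIPS column ("no restrictions"): a snapshot that does not report FIPS mode as enabled produces no findings.

```python
"""Audit a switch configuration snapshot against the FIPS-mode restrictions.

Added example; not code from the Fabric OS Administrator's Guide and not a
Fabric OS command. The 'key: value' snapshot format and its keys are an
assumption; the allowed and blocked sets encode the FIPS-mode column of Table 87.
"""
from dataclasses import dataclass

# FIPS-mode column of Table 87: what may remain enabled when FIPS mode is set.
FIPS_SSH_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
FIPS_SSH_MACS = {"hmac-sha1"}
FIPS_SSH_KEY_TYPES = {"rsa1024", "rsa2048"}            # DSA 1024 is non-FIPS only
FIPS_RADIUS_PROTOCOLS = {"peap-mschapv2"}              # CHAP and PAP are non-FIPS only
FIPS_BLOCKED_IPSEC = {"aes-xcbc", "md5", "dh-group1"}  # a block list, not a whitelist

# Single-valued rows of Table 87: assumed snapshot key -> (required value, requirement).
FIPS_REQUIRED_VALUES = {
    "telnet": ("disabled", "only SSH access"),
    "root_account": ("disabled", "root account disabled"),
    "snmp.write": ("disabled", "SNMP read-only operations"),
    "tacacs_plus": ("disabled", "TACACS+ authentication not supported"),
    "ldap.ca_cert_installed": ("yes", "CA certificate must be available"),
    "firmware.signature_check": ("mandatory", "mandatory signature validation (SCP only)"),
}


@dataclass(frozen=True)
class Finding:
    feature: str      # snapshot key that violates the restriction
    value: str        # offending value as found in the snapshot
    requirement: str  # what Table 87 requires in FIPS mode


def parse_snapshot(text: str) -> dict[str, str]:
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    config: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed snapshot line: {raw!r}")
        config[key.strip().lower()] = value.strip()
    return config


def _csv_set(value: str) -> set[str]:
    """Split a comma-separated cell into a lower-cased set of tokens."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def audit_fips(config: dict[str, str]) -> list[Finding]:
    """Return every snapshot setting that Table 87 forbids while FIPS mode is set."""
    # Non-FIPS mode has no restrictions, so nothing to report unless FIPS is enabled.
    if config.get("fips_mode", "").lower() != "enabled":
        return []
    findings: list[Finding] = []

    def subset_check(key: str, allowed: set[str], requirement: str) -> None:
        # Anything configured beyond the allowed set is a finding.
        for item in sorted(_csv_set(config.get(key, "")) - allowed):
            findings.append(Finding(key, item, requirement))

    subset_check("ssh.ciphers", FIPS_SSH_CIPHERS,
                 "3DES-CBC, AES128-CBC, AES192-CBC or AES256-CBC only")
    subset_check("ssh.macs", FIPS_SSH_MACS, "HMAC-SHA1 only")
    subset_check("ssh.pubkey_types", FIPS_SSH_KEY_TYPES, "RSA 1024-bit or 2048-bit keys only")
    subset_check("radius.protocols", FIPS_RADIUS_PROTOCOLS, "PEAP-MSCHAPv2 only")
    # IPsec is a block list: the named algorithms must be absent.
    for item in sorted(_csv_set(config.get("ipsec.algorithms", "")) & FIPS_BLOCKED_IPSEC):
        findings.append(Finding("ipsec.algorithms", item,
                                "AES-XCBC, MD5 and DH group 1 are blocked"))
    for key, (required, requirement) in FIPS_REQUIRED_VALUES.items():
        actual = config.get(key, "").lower()
        if actual and actual != required:
            findings.append(Finding(key, actual, requirement))
    return findings


# Constructed snapshot of a switch that claims FIPS mode but has drifted from it.
SAMPLE_SNAPSHOT = """
# constructed sample; not output of any real Fabric OS command
fips_mode: enabled
ssh.ciphers: aes128-cbc, aes256-cbc, aes128-ctr
ssh.macs: hmac-sha1, hmac-md5
ssh.pubkey_types: rsa2048, dsa1024
radius.protocols: peap-mschapv2, pap
ipsec.algorithms: aes-cbc, sha1, aes-xcbc
telnet: enabled
root_account: disabled
snmp.write: disabled
tacacs_plus: disabled
ldap.ca_cert_installed: no
firmware.signature_check: optional
"""

if __name__ == "__main__":
    for f in audit_fips(parse_snapshot(SAMPLE_SNAPSHOT)):
        print(f"{f.feature}: '{f.value}' violates FIPS mode ({f.requirement})")
```

Run against the constructed sample, the check reports eight findings: the extra SSH cipher and MAC, the DSA key type, the PAP RADIUS protocol, the AES-XCBC IPsec algorithm, Telnet being enabled, the missing LDAP CA certificate, and optional firmware signature validation. The IPsec row is handled as a block list and the other algorithm rows as allow lists, because that is how Table 87 states each of them.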
