Cisco Cisco TelePresence Video Communication Server Expressway Maintenance Manual
3. Set Advanced account security mode to On.
4. Click Save.
5. Reboot the VCS (
Maintenance > Reboot
).
VCS functionality: changes and limitations
When in secure mode, the following changes and limitations to standard VCS functionality apply:
n
access over SSH and through the serial port is disabled and cannot be turned on (the pwrec password
recovery function is also unavailable)
recovery function is also unavailable)
n
access over HTTPS is enabled and cannot be turned off
n
the command line interface (CLI) and API access are unavailable
n
the root account, the admin account and any other local administrator accounts are disabled
n
administrator account authentication source is set to Remote only and cannot be changed
n
if there are three consecutive failed attempts to log in (by the same or different users), login access to the
VCS is blocked for 60 seconds
VCS is blocked for 60 seconds
n
immediately after logging in, the current user is shown statistics of when they previously logged in and
details of any failed attempts to log in using that account
details of any failed attempts to log in using that account
n
administrator accounts with read-only or read-write access levels cannot view the Event Log, Configuration
Log and Network Log pages (these pages can be viewed only by accounts with Auditor access level)
Log and Network Log pages (these pages can be viewed only by accounts with Auditor access level)
n
the
Upgrade
page only displays the System platform component
n
downgrades to version X5.0 or below are not allowed
The Event Log, Configuration Log, Network Log, call history, search history and registration history are
cleared whenever the VCS is taken out of advanced account security mode. Note that if
cleared whenever the VCS is taken out of advanced account security mode. Note that if
is enabled, this will cause any existing blocked addresses to become unblocked.
Configuring FIPS140-2 cryptographic mode
FIPS140 is a U.S. and Canadian government standard that specifies security requirements for cryptographic
modules. FIPS140-1 became a mandatory standard for the protection of sensitive data in 1994 and was
superseded by FIPS140-2 in 2001.
modules. FIPS140-1 became a mandatory standard for the protection of sensitive data in 1994 and was
superseded by FIPS140-2 in 2001.
VCS X8.1 or later implements FIPS140-2 compliant features. When in FIPS140-2 cryptographic mode,
system performance may be affected due to the increased cryptographic workload.
system performance may be affected due to the increased cryptographic workload.
Prerequisites
Before FIPS140-2 mode can be enabled:
n
Ensure that the system is not using NTLM protocol challenges with a direct Active Directory Service
connection for device authentication; NTLM cannot be used while in FIPS140-2 mode.
connection for device authentication; NTLM cannot be used while in FIPS140-2 mode.
n
If login authentication via a remote LDAP server is configured, ensure that it uses TLS encryption if it is
using SASL binding.
using SASL binding.
n
The Advanced Account Security option key must be installed.
FIPS140-2 compliance also requires the following configuration settings:
Cisco TelePresence Video Communication Server Administrator Guide (X8.5.1)
Page 336 of 563
Maintenance
Advanced security