topic Re: Queries about enhanced secure mode in ExtremeSwitching (VSP/Fabric Engine)

Queries about enhanced secure mode

gaurav-pandya — Fri, 25 Apr 2025 10:13:47 GMT

Hi,

We have VOSS fabric switches and we want to enable password complexity rule on all switches. I have faced some issues after enabling enhanced secure mode in 1 switch.

1. All user account deleted, I have logged in with default credential (admin/password) and luckily it asked me to create new user.

2. Now I want to create another user with privilege access but it says that you can not create it with telnet/ssh session. I can create users in operator or auditor mode but not with privilege

3. I read in user guide that when you migrate from enhanced secure mode disabled to enabled mode, configuration file can not guaranteed to be transferred. I have many more switches in which enhanced secure mode needs to be enabled. What will be best way to enable it without loosing config?

Re: Queries about enhanced secure mode

nipo535darly — Tue, 29 Apr 2025 06:51:06 GMT

Hello,

safely enable Enhanced Secure Mode on VOSS switches without losing config:

Back up the config first.

Prepare a secure-mode-compatible config (adjust passwords, users).

Use console access to enable secure mode — not SSH/Telnet.

Immediately create a new admin user via console.

Reload the modified config after secure mode is enabled.

Re: Queries about enhanced secure mode

gaurav-pandya — Tue, 29 Apr 2025 12:22:22 GMT

Thanks for the reply.

I will follow suggested procedure for remaining switches. I am facing issue for couple of switches for which I have already enabled enhanced secure mode. Switches are not accessible through credentials which I have created first time after enabling enhanced secure mode.

Re: Queries about enhanced secure mode

Dinesh_Rego — Thu, 01 May 2025 15:15:13 GMT

Hi Gaurav,

1. All user account deleted, I have logged in with default credential (admin/password) and luckily it asked me to create new user.

Response: This is expected behavior - for Enhanced Secured mode we have different users to meet security requirements of various certifications like FIPS, Common Criteria etc.

2. Now I want to create another user with privilege access but it says that you can not create it with telnet/ssh session. I can create users in operator or auditor mode but not with privilege

Response: Again, due to the same security requirements, Privilege user can only access the switch via the serial console.

Response: It is true, the security related config and user accounts are not preserved - again this is due to security requirements to zeroize them in case of change Enhanced Secured Mode. Layer 2/Layer 3 and the other config not security related is preserved. The recommendation is to log in via console after you change to Enhanced Secured Mode, admin/admin is the default admin password and you will be asked to change at the first login as you've seen already.

I also noticed a follow-on question - if you are trying to login as a privileged user, you can only do this through the serial console.

Hope this helps!