Security Configuration Guide
21-CSG configuration
Configuring CSG
About CSG
The China Southern Power Grid (CSG) mode is a custom cryptographic standard tailored to the information security requirements of the Southern Power Grid. It outlines the security requirements for the cryptographic module in the security system of the Southern Power Grid.
Restrictions and guidelines: CSG configuration
CSG password requirements
The password used to log in to the device in CSG mode must be compliant with the password control policy. The password control policy limits the password length, complexity, and aging time.
Once the password of a user exceeds its aging time, the system prompts the user to change the password promptly when the user logs in to the device. Factory-set system time is usually outdated. Make sure the system time is correct before entering CSG mode. If you adjust the system time after entering CSG mode, the password might expire the next time you log in.
Configuration rollback
· Configuration rollback is supported in CSG mode as well as between CSG and non-CSG modes. After performing a configuration rollback between CSG and non-CSG modes, you must restart the device. The rolled-back configuration takes effect after the restart. During the device restart process, do not exit the system or perform any other operations. If you do so, subsequent device logins might fail.
· Save the configuration before rolling back from CSG mode to non-CSG mode. Likewise, save the configuration before rolling back to CSG mode from the non-CSG mode that the device enters automatically after a restart.
CSG mode and IRF
· As a best practice, do not set up an IRF fabric using devices in different CSG modes.
· If you switch the CSG mode in an IRF fabric, the switchover takes effect after you restart the entire IRF fabric.
Feature changes after entering CSG mode
· Only the user login authentication method of the scheme mode is supported.
· Support for the FTP/TFTP/SCP/SFTP server and client functions depends on the device model.
· You can upload files with specific suffixes to the device through FTP, TFTP, SCP, or SFTP. The supported file suffixes vary by device model.
· You cannot disable the global password control feature. The undo password-control enable command does not take effect even if executed.
· The password control policy limits both the passwords of device management local users and the role authentication passwords. Make sure the passwords meet the following requirements:
  · Minimum password length: the configurable range is 4 to 32 in non-CSG mode and 8 to 32 in CSG mode, with a default value of 10 in CSG mode.
  · Minimum number of character types in a password: the configurable range is 1 to 4 in non-CSG mode and 2 to 4 in CSG mode, with a default value of 2 in CSG mode.
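The following is an added example, not code from the vendor guide, that checks a candidate password against the CSG-mode password control rules listed above (and restated in the "Verifying the configuration" step of the first configuration example): a minimum length that is configurable from 8 to 32 with a default of 10, at least 2 of the 4 character categories, and a new password that differs from the old one. It also validates that configured policy values fall inside the range allowed for the mode. The function and constant names are assumptions, and only the rules the guide states are modelled; any additional checks the device performs are not.

```python
"""Added example (not from the vendor guide): check a candidate password
against the CSG-mode password control policy described in the guide.

Assumptions: the only rules applied are the ones the guide states, i.e.
a minimum length (default 10, configurable 8-32 in CSG mode), a minimum
number of character categories (default 2, configurable 2-4), and that a
new password must differ from the old one.  Other checks the device may
perform are not modelled here."""

import string

# Character categories the guide names: uppercase, lowercase, digits, special.
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Allowed ranges for the policy values, per mode, as stated in the guide.
POLICY_RANGES = {
    "csg": {"min_length": (8, 32), "min_types": (2, 4)},
    "non-csg": {"min_length": (4, 32), "min_types": (1, 4)},
}


def validate_policy(min_length, min_types, mode="csg"):
    """Return a list of problems with the policy values for the given mode."""
    ranges = POLICY_RANGES[mode]
    problems = []
    lo, hi = ranges["min_length"]
    if not lo <= min_length <= hi:
        problems.append(f"min_length {min_length} outside {lo}-{hi} for {mode} mode")
    lo, hi = ranges["min_types"]
    if not lo <= min_types <= hi:
        problems.append(f"min_types {min_types} outside {lo}-{hi} for {mode} mode")
    return problems


def character_types(password):
    """Count how many of the four categories appear in the password."""
    return sum(1 for chars in CATEGORIES.values() if any(c in chars for c in password))


def check_password(candidate, old_password=None, min_length=10, min_types=2):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(candidate) < min_length:
        violations.append(f"length {len(candidate)} is below the minimum of {min_length}")
    types_present = character_types(candidate)
    if types_present < min_types:
        violations.append(f"only {types_present} character type(s); policy requires {min_types}")
    if old_password is not None and candidate == old_password:
        violations.append("new password must differ from the old password")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords. CSG@Admin is the factory default the guide
    # names, which is why it has to be replaced at first login.
    for pw in ["CSG@Admin", "abcdefghij", "Grid-Ops-2024!"]:
        print(pw, check_password(pw, old_password="CSG@Admin") or "OK")
```

The default value `CSG@Admin` is too short for the CSG-mode default minimum of 10 and is the old password, so it fails twice; a 10-character all-lowercase string fails only the character-type rule; a 14-character password drawing on all four categories passes.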
Entering CSG mode
About this task
After you enable the CSG mode, the system restarts automatically and enters CSG mode. It first prompts you to configure the username and password for the next login. Then, the system automatically creates a default CSG configuration file (named csg-startup.cfg), sets the file as the next-startup configuration file, and restarts using this default configuration file.
Restrictions and guidelines
When the system prompts whether to enter CSG mode through auto restart, you can enter y to select auto restart. If you want to exit the configuration process after entering y, press Ctrl+C to interrupt the process. After you interrupt the process, the csg mode enable command is not executed.
Prerequisites
To avoid login password expiration caused by password control limit after the device enters CSG mode, make sure the system time is correct before executing the csg mode enable command.
Procedure
1. Enter system view.
system-view
2. Enable the CSG mode.
csg mode enable
By default, the CSG mode is disabled.
When the system prompts whether to enter CSG mode through auto restart, enter y within 30 seconds. The device then starts the auto configuration process automatically.
CAUTION: Restarting the device might cause service interruption. Please be cautious.
The device automatically restarts and enters CSG mode.
In CSG mode, you can only use the username and password in the system default configuration file to log in to the device.
The service type of the default device management local user is terminal and the user role is network-admin or mdc-admin. The user becomes the security administrator in CSG mode and its password must meet the password length and complexity requirements in CSG mode.
Exiting CSG mode
About this task
After you disable the CSG mode, the system restarts automatically and returns to non-CSG mode. After you disable the CSG mode, the system automatically creates a default non-CSG configuration file (named non-csg-startup.cfg), and sets the file as the next-startup configuration file. The system then uses the file to restart. After the restart, you can log in to the system in non-CSG mode without entering any information.
Procedure
1. Enter system view.
system-view
2. Disable the CSG mode.
undo csg mode enable
By default, the CSG mode is disabled.
When the system prompts whether to exit CSG mode through auto restart, enter y within 30 seconds. The device then starts the auto configuration process automatically.
CAUTION: Restarting the device might cause service interruption. Please be cautious.
CSG configuration examples
Example: Entering CSG mode
Network configuration
Configure the device to restart automatically and enter CSG mode, and then use the console, AUX, or async port to log in to the device in CSG mode.
Procedure
# (Optional.) Execute the save command to save the configuration.
# Enable the CSG mode and configure the device to enter CSG mode through auto restart.
<Sysname> system-view
[Sysname] csg mode enable
CSG mode change requires a device reboot. Continue? [Y/N]:y
The system will create a new startup configuration file for the CSG mode and automatically reboot the device for the configuration to take effect. Continue? [Y/N]:y
Waiting for reboot... After reboot, the device will enter CSG mode.
Verifying the configuration
Use the username and password to log in to the device. The default username is admin and the default password is CSG@Admin. At first-time login, the system prompts you to reset the password. After the password is reset, verify that you can enter the system in CSG mode. The reset password must contain characters from a minimum of two categories: uppercase letters, lowercase letters, digits, and special characters. The default minimum password length is 10, and the new password must be different from the old password. For more information about password requirements, see the system prompt.
Press ENTER to get started.
login: admin
Password:
First login or password reset. For security reason, you need to change your password. Please enter your password.
old password:
new password:
confirm:
Updating user information. Please wait ... ...
Current login succeeded at: Tue Jun 25 16:26:04 2024
Last successful login: Tue Jun 25 15:14:18 2024 from console
Password remaining lifetime: 90 days 0 hours 0 minutes 0 seconds
<Sysname>
# Display the content of the default configuration file.
<Sysname> more csg-startup.cfg
#
csg mode enable
#
undo ip icmp name timestamp-request receive enable
#
undo ip icmp type 17 code 0 receive enable
#
management-port isolate enable
#
stp global enable
#
stp port-log all
#
configuration reauthentication enable
#
password-control enable
password-control login idle-time 0
password-control update-interval 0
undo password-control aging enable
undo password-control history enable
password-control change-password first-login enable
#
local-user admin class manage
service-type terminal
authorization-attribute user-role network-admin
password hash $h$6$jCteikk5jezwlx72$K7rEhT6MefZqltZOcAXOPSbmJMrPpzwWxdYQ4dk89ctWMXc57sS7Yw2/wvL121vevt/BRhNfr6kJBMBluAR0dw==
#
line con 0
authentication-mode scheme
user-role network-admin
#
line con 1
authentication-mode scheme
user-role network-admin
#
undo password-recovery enable
#
return
<Sysname>
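The following is an added example, not code from the vendor guide, that audits a saved csg-startup.cfg file for the hardening settings that appear in the default CSG configuration printed above: the global commands (password control, first-login password change, configuration reauthentication, management-port isolation, disabled password recovery), scheme authentication on every line view, and a manage-class local user with terminal access. The parser assumes the vendor's plain-text layout shown above, with top-level blocks separated by lines consisting of a single `#`; the sample file, the function names and the list of expected commands are assumptions drawn from the printed file, not from any vendor compliance standard.

```python
"""Added example (not from the vendor guide): audit a csg-startup.cfg file
in the layout shown by the guide's "more csg-startup.cfg" output.

Assumptions: top-level blocks are separated by lines containing only '#',
and view-level commands (under 'local-user' or 'line con') follow their
parent command inside the same block.  The expected settings are taken
from the configuration printed on the page."""

# Global commands the default CSG configuration is expected to contain,
# copied from the guide's sample file.
EXPECTED_GLOBAL = [
    "csg mode enable",
    "password-control enable",
    "password-control change-password first-login enable",
    "configuration reauthentication enable",
    "management-port isolate enable",
    "undo password-recovery enable",
]

# Constructed sample: a file missing several expected commands and with one
# console line still using password authentication instead of scheme.
SAMPLE_CFG = """\
#
csg mode enable
#
password-control enable
password-control login idle-time 0
#
local-user admin class manage
 service-type terminal
 authorization-attribute user-role network-admin
#
line con 0
 authentication-mode scheme
 user-role network-admin
#
line con 1
 authentication-mode password
 user-role network-admin
#
return
"""


def parse_blocks(text):
    """Split the configuration into blocks; each block is a list of stripped lines."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(text)
    flat = {line for block in blocks for line in block}
    findings = [f"missing global command: {cmd}" for cmd in EXPECTED_GLOBAL if cmd not in flat]
    # In CSG mode only scheme authentication is supported, so every line view must use it.
    for block in blocks:
        head = block[0]
        if head.startswith("line ") and "authentication-mode scheme" not in block[1:]:
            findings.append(f"{head}: authentication-mode is not scheme")
    # The security administrator is a manage-class local user with terminal service.
    admins = [b for b in blocks if b[0].startswith("local-user ") and "class manage" in b[0]]
    if not any("service-type terminal" in b for b in admins):
        findings.append("no manage-class local user with service-type terminal")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG) or ["no findings"]:
        print(finding)
```

Run against the constructed sample, the audit reports four missing global commands and the console line that still uses password authentication; the printed file from the guide, fed in as text, produces no findings.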
Example: Exiting CSG mode
Network configuration
The user has logged in to the device in CSG mode through the console, AUX, or async port. Configure the device to exit CSG mode through auto restart.
Procedure
# Disable the CSG mode.
<Sysname> system-view
[Sysname] undo csg mode enable
CSG mode change requires a device reboot. Continue? [Y/N]:y
The system will create a new startup configuration file for the non-CSG mode and automatically reboot the device for the configuration to take effect. Continue? [Y/N]:y
Waiting for reboot ...After reboot, the device will enter non-CSG mode.
Verifying the configuration
Verify that you can log in to the system directly after the device restarts.
<Sysname>