After you have enabled Common Criteria Administrative mode on the device, you can display the information with the fips show command.
```
Device#fips show
FIPS Validated Cryptographic Module
MP FIPS Version: EXTR-NI-MP-CRYPTO-VER-4.0
LP FIPS Version: EXTR-NI-LP-CRYPTO-VER-2.0
LP IPsec FPGA FIPS Version: EXTR-NI-LP-FPGA-CRYPTO-VER-1.0
FIPS mode : Administrative status ON: Operational status OFF
FIPS CC mode: Administrative status ON: Operational status OFF
System Specific:
OS monitor access status is: Disabled
Management Protocol Specific:
Telnet server : Disabled
Telnet client : Disabled
TFTP client : Disabled
HTTPS SSL 3.0 TLS 1.0 : Disabled
SNMP v1, v2c, v3 : Disabled
SNMP Access to security objects: Disabled
Password Display : Disabled
Any AAA server (including : TACACS, None) : Disabled
Critical security Parameter updates across FIPS boundary:
(i.e. during "fips zeroize" ..., or "no fips enable") :
Protocol Shared secret and host passwords: Clear
SSH RSA Host keys : Clear
HTTPS RSA Host Keys and Signature : Clear
```
Note
The HTTPS RSA host keys and signature apply to the MLXe chassis only; they are not available on the NetIron CER device.

Once FIPS CC mode becomes operational, the same command reports both operational statuses as ON:

```
device# fips show
FIPS Validated Cryptographic Module
MP FIPS Version: EXTR-NI-MP-CRYPTO-VER-4.0
LP FIPS Version: EXTR-NI-LP-CRYPTO-VER-2.0
LP IPsec FPGA FIPS Version: EXTR-NI-LP-FPGA-CRYPTO-VER-1.0
FIPS mode : Administrative status ON: Operational status ON
FIPS CC mode: Administrative status ON: Operational status ON
System Specific:
OS monitor access status is: Disabled
Management Protocol Specific:
Telnet server : Disabled
Telnet client : Disabled
TFTP client : Disabled
HTTPS SSL 3.0 TLS 1.0 : Disabled
SNMP v1, v2c, v3 : Disabled
SNMP Access to security objects: Disabled
Password Display : Disabled
Any AAA server (including : TACACS, None) : Disabled
Critical security Parameter updates across FIPS boundary:
(i.e. during "fips zeroize" ..., or "no fips enable") :
Protocol Shared secret and host passwords: Clear
SSH RSA Host keys : Clear
HTTPS RSA Host Keys and Signature : Clear
```
Field | Description |
---|---|
OS monitor access status is | The fips policy allow monitor-full-access command allows full access to the OS monitor mode, including read and write access for debug purposes. |
Telnet server | Telnet client and server are always disabled in FIPS CC Operational mode. |
Telnet client | Telnet client and server are always disabled in FIPS CC Operational mode. |
TFTP client | To allow TFTP access in FIPS mode, use fips policy allow tftp-access. |
HTTPS SSL 3.0 TLS 1.0 | Always disabled in FIPS mode. |
SNMP v1, v2c, v3 | Always disabled in FIPS CC mode. |
SNMP | SNMP access is disabled in FIPS CC mode. |
Password Display | Disabled in FIPS CC mode. |
Any AAA server | To allow any AAA server (including RADIUS and TLS support for TACACS+ servers) to be used in FIPS CC mode, use fips policy allow common-criteria aaa-server-any. |
Protocol shared secret and host passwords | To retain the protocol shared secrets and host access passwords between FIPS mode and non-FIPS mode, use fips policy retain shared-secrets. |
HTTPS DSA Host keys | To retain the SSH RSA host keys between FIPS mode and non-FIPS mode, use fips policy retain rsa-host-keys (MLX platform only). |
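An auditor rarely reads this output by hand on every chassis. The following added example (not part of the original document or of the vendor's software) parses captured `fips show` output and reports any field that departs from the default FIPS CC security policy described above, or a mode that is administratively ON but not yet operational. The sample output is constructed from the listing above; its exact line layout and the "Enabled" wording used for a weakened field are assumptions.

```python
import re
# Constructed sample of the `fips show` output above (line layout assumed): FIPS CC administratively ON, not yet operational.
SAMPLE_NOT_OPERATIONAL = """\
FIPS mode : Administrative status ON: Operational status OFF
FIPS CC mode: Administrative status ON: Operational status OFF
System Specific:
OS monitor access status is: Disabled
Telnet server : Disabled
Telnet client : Disabled
TFTP client : Disabled
HTTPS SSL 3.0 TLS 1.0 : Disabled
SNMP v1, v2c, v3 : Disabled
SNMP Access to security objects: Disabled
Password Display : Disabled
Any AAA server (including : TACACS, None) : Disabled
Protocol Shared secret and host passwords: Clear
SSH RSA Host keys : Clear
HTTPS RSA Host Keys and Signature : Clear
"""
# The same device once both modes are operational (constructed by substitution).
SAMPLE_OPERATIONAL = SAMPLE_NOT_OPERATIONAL.replace("Operational status OFF", "Operational status ON")
MODE_RE = re.compile(r"^(FIPS(?: CC)? mode)\s*:\s*Administrative status (\w+)\s*:\s*Operational status (\w+)")
# What each field reports under the default FIPS CC security policy (fields are matched by prefix).
EXPECTED = {"OS monitor access status is": "Disabled", "Telnet server": "Disabled",
            "Telnet client": "Disabled", "TFTP client": "Disabled", "HTTPS SSL 3.0 TLS 1.0": "Disabled",
            "SNMP v1, v2c, v3": "Disabled", "SNMP Access to security objects": "Disabled",
            "Password Display": "Disabled", "Any AAA server": "Disabled", "SSH RSA Host keys": "Clear",
            "Protocol Shared secret and host passwords": "Clear", "HTTPS RSA Host Keys and Signature": "Clear"}
def parse_fips_show(text):
    fields = {}  # field -> value, or (administrative, operational) for the two mode lines
    for line in text.splitlines():
        if m := MODE_RE.match(line):
            fields[m.group(1)] = (m.group(2), m.group(3))
        else:
            key, sep, value = line.rpartition(":")  # the last colon separates field from value
            if sep and value.strip():               # drops section headers such as "System Specific:"
                fields[key.strip()] = value.strip()
    return fields
def check_cc_policy(text):
    # Returns findings; an empty list means both modes are operational with the default policy.
    fields, findings = parse_fips_show(text), []
    for mode in ("FIPS mode", "FIPS CC mode"):
        admin, oper = fields.get(mode, ("missing", "missing"))
        if oper != "ON":
            findings.append(f"{mode}: administrative {admin}, operational {oper}")
    for prefix, want in EXPECTED.items():
        got = next((v for k, v in fields.items() if k.startswith(prefix)), None)
        if got != want:
            findings.append(f"{prefix}: expected {want}, got {got}")
    return findings
```

Feed it the output of `fips show` from each device; any non-empty result is a device that is either not yet operational in FIPS CC mode or has had its default security policy altered.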
Note
Making changes to the default FIPS security policy weakens the security of the device and makes the device non-compliant with FIPS 140-2. The default security policy defined in the FIPS Security Policy document ensures that the device complies with all FIPS 140-2 specifications. Commands to alter the default security policy are available to the Crypto-officer; however, Extreme does not recommend making changes to the default security policy at any time.