After the device is administratively in FIPS mode, you can modify the default FIPS policy.
Note
Making changes to the default FIPS policy on the device is not recommended and weakens the security of the device. Any modification of the default FIPS policy places the device in a state that is not in compliance with FIPS 140-2.
The output of the fips enable command shows which of the protocols that constitute the FIPS policy are set in compliance with FIPS standards by default and can be adjusted to set a more flexible policy. The remaining protocols that constitute the FIPS policy are set to the appropriate status automatically during reload as a result of the fips enable command. The default FIPS policy is detailed in How FIPS works.
When you make no changes to the FIPS policy, the default FIPS policy is applied on the device and the device operates in strict FIPS mode upon reload, in full compliance with FIPS 140-2 specifications.
To set a more flexible FIPS policy on the Extreme device, use the following commands as desired to modify the default FIPS policy.
device(config)# fips policy allow tftp-access
Syntax: [no] fips policy allow tftp-access
device(config)# fips policy allow snmp-csp-access
Syntax: [no] fips policy allow snmp-csp-access
device(config)# fips policy allow monitor-full-access
Syntax: [no] fips policy allow monitor-full-access
Note
During an application reset, monitor access is restored to allow debugging. Refer to Access to monitor mode.
device(config)# fips policy allow password-display
Syntax: [no] fips policy allow password-display
Note
In the FIPS default mode of operation, enable password-display cannot be configured. The various show commands will always mask the secret or password with "…..". To override this behavior, the Crypto-officer can configure this policy by using the fips policy password-display command, which allows enable password-display to be configured. The various show commands will then display the secret or password in either encrypted or clear text form, depending on the implementation.
device(config)# fips policy retain shared-secrets
Syntax: [no] fips policy retain shared-secrets
device(config)# fips policy retain rsa-host-keys
Syntax: [no] fips policy retain rsa-host-keys
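An added example, not part of the Extreme documentation: a Python check that scans saved configuration text for the six policy commands listed above and reports which relaxations are in effect, so that a device no longer running the default FIPS policy stands out in a configuration audit. It assumes the commands appear in the configuration text exactly as entered; the sample input and the example-unknown keyword are constructed.

```python
import re

# The six relaxations listed on this page, as "<verb> <item>".
RELAXATIONS = {
    "allow tftp-access", "allow snmp-csp-access", "allow monitor-full-access",
    "allow password-display", "retain shared-secrets", "retain rsa-host-keys",
}
POLICY_RE = re.compile(r"^\s*(no\s+)?fips\s+policy\s+(allow|retain)\s+(\S+)\s*$", re.I)
PREFIX_RE = re.compile(r"^\s*(no\s+)?fips\s+policy\b", re.I)

# Constructed sample input (assumption: commands are stored as entered).
SAMPLE = """\
fips policy allow tftp-access
fips policy retain rsa-host-keys
no fips policy allow tftp-access
fips policy allow password-display
fips policy allow example-unknown
"""

def audit_fips_policy(config_text):
    """Return (active, unknown).

    active maps each relaxation still in effect to the line that set it;
    unknown lists fips policy lines that match none of the six commands.
    """
    active, unknown = {}, []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = POLICY_RE.match(raw)
        key = f"{m.group(2)} {m.group(3)}".lower() if m else None
        if key in RELAXATIONS:
            if m.group(1):               # "no" form restores the default
                active.pop(key, None)
            else:
                active[key] = lineno
        elif PREFIX_RE.match(raw):       # fips policy line we cannot classify
            unknown.append((lineno, raw.strip()))
    return active, unknown

def is_strict_fips(config_text):
    """True only when no relaxation is active and nothing is unclassified."""
    active, unknown = audit_fips_policy(config_text)
    return not active and not unknown

if __name__ == "__main__":
    active, unknown = audit_fips_policy(SAMPLE)
    for key, lineno in active.items():
        print(f"line {lineno}: fips policy {key} weakens the default policy")
    for lineno, text in unknown:
        print(f"line {lineno}: unrecognized policy line: {text}")
    print("strict FIPS policy:", is_strict_fips(SAMPLE))
```

Unclassified fips policy lines are reported rather than ignored, so a keyword the script does not know never passes as strict.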