Perform the following steps to enable FIPS mode.
device(config)# fips show
The fips show command lists the current configuration of the device and can be run in both FIPS mode and non-FIPS mode to establish whether the device is truly in FIPS mode.
Note
If the Extreme device is in JITC mode, then you cannot enable FIPS on the device.
The following example shows the output of the fips show command before the fips enable command is entered, when administrative status is off and operational status is off:
For MLX device:
device# fips show
FIPS Validated Cryptographic Module
MP FIPS Version: EXTR-NI-IP-CRYPTO-VER-4.0
LP FIPS Version: EXTR-NI-LP-CRYPTO-VER-2.0
LP IPsec FPGA FIPS Version: EXTR-NI-LP-FPGA-CRYPTO-VER-1.0
For Extreme NetIron CER device:
device# fips show
FIPS Validated Cryptographic Module
MP FIPS Version: EXTR-NI-IP-CRYPTO-VER-4.0
LP FIPS Version: EXTR-NI-LP-CRYPTO-VER-2.0
If the device is already in administrative FIPS mode, you can modify the FIPS policy. Refer to Modifying the FIPS policy.
device(config)# fips enable
WARNING: This will enable FIPS on this device. Please refer
       : to the NetIron Federal Information Processing Standards Guide for
       : more details. Also, be advised that Software/Firmware Integrity checks
       : will always be performed on this device on subsequent reloads, even
       : if FIPS or Common Criteria is disabled in the future.
Are you sure? (enter 'y' or 'n'): y
device(config)# fips enable
Syntax: [no] fips enable
The following example shows the output of the fips enable command on MLX Series devices.
device(config)# fips enable
WARNING: This will enable FIPS on this device. Please refer
       : to the NetIron Federal Information Processing Standards Guide for
       : more details. Also, be advised that Software/Firmware Integrity checks
       : will always be performed on this device on subsequent reloads, even
       : if FIPS or Common Criteria is disabled in the future.
Are you sure? (enter 'y' or 'n'): y
This device is now running in FIPS administrative mode.
At this time you can alter this system's FIPS default security policy
and then enter FIPS operational mode.

Note: Making changes to the default FIPS security policy weakens
the security of the device and makes the device non-compliant with
FIPS 140-2 Level 2, design assurance Level 3

The default security policy defined in the FIPS
Security Policy Document ensures that the device complies
with all FIPS 140-2 specifications. Commands to alter
the default security policy are available to the crypto-officer;
however, Extreme does not recommend making changes to the default
security policy at any time.
=====================================
To enter FIPS mode, complete the following steps:
1. Optionally, configure FIPS policy commands that meets your network
   requirements. You must explicitly configure the following services
   if you want to use them when the device is operational in FIPS mode:
   - Allow TFTP access.
     Current status: Enabled
   - Allow SNMP Access to the Critical Security Parameter (CSP) MIB objects.
     Current status: Disabled
   - Allow access to all commands within the monitor mode.
     Current status: Disabled
   - Allow cleartext password display in some commands.
     Current status: Disabled
   - Retention of shared secret keys for all protocols and the host passwords.
     Current status: Retain
   - Retention of SSH RSA host keys.
     Current status: Clear
   - Retention of HTTPS RSA host keys and certificate.
     Current status: Clear
2. Enter the "fips zeroize all" command, which zeroes out the shared secrets
   used by various networking protocols, including the host access passwords,
   SSH and HTTPS host-keys with the digital signature based on the configured
   FIPS Security Policy.
3. Save the running configuration.
4. Reload the device.
5. Enter the "fips show" command to verify that the device entered FIPS or CC
   operational mode.
=====================================
In FIPS mode, the system will disable the following services or commands
after reload:
FIPS. Telnet server will be disabled. The "telnet server" command will be removed.
FIPS. SSL Client will be enabled.
FIPS. TLS version 1.0 will be disabled.(Applicable for MLX & CER devices)
FIPS. SCP will be enabled. The "ip ssh scp disable" command will be removed.
FIPS. FIPS Configuration "boot system {slot1|slot2} <file>" will be removed as FIPS mode does not allow system to boot from Storage Card.
FIPS. Configuration "lp boot system {slot1|slot2} <file> <slot>" will be removed as FIPS mode does not allow system to boot from Storage Card.
FIPS. Configuration "boot system tftp <ip> <file>" will be removed as FIPS mode does not allow system to boot from TFTP.
FIPS. Configuration "enable password-display" will be removed.
FIPS. HTTP server will be disabled. The "web-management http" command will be removed.
FIPS. HTTPS server will change as follows:
      -SSL 3.0 and TLS 1.0 will be disabled.
      -TLS version 1.1 and greater will be used.(Applicable only for MLX devices)
      -RC4 cipher will be disabled.
      -Passwords will be required; the "web-management allow-no-password" command will be removed.
FIPS. SNMP server will change as follows:
      -SNMP support for v1 and v2 versions will be disabled.
      -For SNMPv3 version authentication and privacy is mandatory, and MD5 authentication key and DES privacy password will be disabled.
FIPS. NTP md5 authentication will be disabled.
FIPS. HTTP Client will be disabled.
FIPS. Passwords/Keys which don't comply with FIPS standards will be removed on reload.
FIPS. Please see FIPS config guide for complete details.
FIPS. Configuration "enable aaa console" will be disabled temporarily to allow console access to configure SSH parameters. It can be re-enabled after SSH is confirmed operational
Current status of "enable aaa console" is: Disabled
=====================================
Additionally, in FIPS only operational mode, the system will have the following restrictions
FIPS. Configuration for CLI logging "logging cli-command" will be removed.
The following example shows the output of the fips enable command on the Extreme NetIron CER devices.
device(config)# fips enable
WARNING: This will enable FIPS on this device. Please refer
       : to the NetIron Federal Information Processing Standards Guide for
       : more details. Also, be advised that Software/Firmware Integrity checks
       : will always be performed on this device on subsequent reloads, even
       : if FIPS or Common Criteria is disabled in the future.
Are you sure? (enter 'y' or 'n'): y
This device is now running in FIPS administrative mode.
At this time you can alter this system's FIPS default security policy
and then enter FIPS operational mode.

Note: Making changes to the default FIPS security policy weakens
the security of the device and makes the device non-compliant with
FIPS 140-2 Level 2, design assurance Level 3

The default security policy defined in the FIPS
Security Policy Document ensures that the device complies
with all FIPS 140-2 specifications. Commands to alter
the default security policy are available to the crypto-officer;
however, Extreme does not recommend making changes to the default
security policy at any time.
=====================================
To enter FIPS mode, complete the following steps:
1. Optionally, configure FIPS policy commands that meets your network
   requirements. You must explicitly configure the following services
   if you want to use them when the device is operational in FIPS mode:
   - Allow TFTP access.
     Current status: Enabled
   - Allow SNMP Access to the Critical Security Parameter (CSP) MIB objects.
     Current status: Enabled
   - Allow access to all commands within the monitor mode.
     Current status: Enabled
   - Allow cleartext password display in some commands.
     Current status: Disabled
   - Retention of shared secret keys for all protocols and the host passwords.
     Current status: Retain
   - Retention of SSH RSA host keys.
     Current status: Retain
2. Enter the "fips zeroize all" command, which zeroes out the shared secrets
   used by various networking protocols, including the host access passwords,
   SSH and HTTPS host-keys with the digital signature based on the configured
   FIPS Security Policy.
3. Save the running configuration.
4. Reload the device.
5. Enter the "fips show" command to verify that the device entered FIPS or CC
   operational mode.
=====================================
In FIPS mode, the system will disable the following services or commands
after reload:
FIPS. Telnet server will be disabled. The "telnet server" command will be removed.
FIPS. SSL Client will be enabled.
FIPS. SCP will be enabled. The "ip ssh scp disable" command will be removed.
FIPS. SNMP server will change as follows:
      -SNMP support for v1 and v2 versions will be disabled.
      -For SNMPv3 version authentication and privacy is mandatory, and MD5 authentication key and DES privacy password will be disabled.
FIPS. NTP md5 authentication will be disabled.
FIPS. HTTP Client will be disabled.
FIPS. Passwords/Keys which don't comply FIPS standards will be removed on reload.
FIPS. Please see FIPS config guide for complete details.
FIPS. Configuration "enable aaa console" will be disabled temporarily to allow console access to configure SSH parameters. It can be re-enabled after SSH is confirmed operational
Current status of "enable aaa console" is: Disabled
=====================================
Additionally, in FIPS only operational mode, the system will have the following restrictions
FIPS. Configuration for CLI logging "logging cli-command" will be removed.
device#
device# fips show
FIPS Validated Cryptographic Module
MP FIPS Version: EXTR-NI-IP-CRYPTO-VER-4.0
LP FIPS Version: EXTR-NI-LP-CRYPTO-VER-2.0
FIPS mode : Administrative status ON: Operational status ON
FIPS CC mode: Administrative status OFF: Operational status OFF
System Specific:
OS monitor access status is: Disabled
Management Protocol Specific:
Telnet server : Disabled
Telnet client : Disabled
TFTP client : Enabled
HTTPS SSL 3.0 : Disabled
SNMP v1, v2, v2c : Disabled
SNMP Access to security objects: Disabled
Password Display : Disabled
Critical security Parameter updates across FIPS boundary:
(i.e. during "fips zeroize" ..., or "no fips enable") :
Protocol Shared secret and host passwords: Retain
SSH RSA Host keys : Clear
HTTPS RSA Host Keys and Signature : Clear
The following example shows the output of the fips show command on an Extreme NetIron CER device after the fips enable command is entered and administrative status is on and operational status is off:
device# fips show
FIPS Validated Cryptographic Module
MP FIPS Version: EXTR-NI-IP-CRYPTO-VER-4.0
FIPS mode : Administrative status ON: Operational status ON
FIPS CC mode: Administrative status OFF: Operational status OFF
System Specific:
OS monitor access status is: Disabled
Management Protocol Specific:
Telnet server : Disabled
Telnet client : Disabled
TFTP client : Enabled
SNMP v1, v2, v2c : Disabled
SNMP Access to security objects: Disabled
Password Display : Disabled
Critical security Parameter updates across FIPS boundary:
(i.e. during "fips zeroize" ..., or "no fips enable") :
Protocol Shared secret and host passwords: Clear
SSH RSA Host keys : Clear
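Because the guide says fips show is the way to establish whether a device is truly in FIPS mode, an operator auditing many devices will want to parse that output rather than eyeball it. The following Python is an added example, not code from the Extreme guide: it parses captured fips show text into the two mode lines plus the key/value settings, reports whether FIPS is both administratively and operationally ON (administrative ON alone means fips enable was entered but the reload has not happened), and lists management services that the fips enable banner says FIPS disables but which the output still reports as Enabled. The first sample is the MLX output from this page; the second is a constructed pre-reload capture. The regular expressions and the list of expected-disabled services are assumptions derived from the output shown on the page, not a vendor-published format.

```python
"""Parse NetIron `fips show` output and check FIPS operational status.

Added example, not part of the Extreme documentation. The regexes and the
EXPECTED_DISABLED list are assumptions derived from the sample output
printed in the guide.
"""
import re

# Sample reproduced from the page: MLX device after `fips enable` + reload.
SAMPLE_MLX_AFTER_ENABLE = """\
device# fips show
FIPS Validated Cryptographic Module
MP FIPS Version: EXTR-NI-IP-CRYPTO-VER-4.0
LP FIPS Version: EXTR-NI-LP-CRYPTO-VER-2.0
FIPS mode : Administrative status ON: Operational status ON
FIPS CC mode: Administrative status OFF: Operational status OFF
System Specific:
OS monitor access status is: Disabled
Management Protocol Specific:
Telnet server : Disabled
Telnet client : Disabled
TFTP client : Enabled
HTTPS SSL 3.0 : Disabled
SNMP v1, v2, v2c : Disabled
SNMP Access to security objects: Disabled
Password Display : Disabled
Critical security Parameter updates across FIPS boundary:
(i.e. during "fips zeroize" ..., or "no fips enable") :
Protocol Shared secret and host passwords: Retain
SSH RSA Host keys : Clear
HTTPS RSA Host Keys and Signature : Clear
"""

# Constructed sample: `fips enable` entered, device not yet reloaded.
SAMPLE_ADMIN_ONLY = """\
device# fips show
FIPS Validated Cryptographic Module
MP FIPS Version: EXTR-NI-IP-CRYPTO-VER-4.0
FIPS mode : Administrative status ON: Operational status OFF
FIPS CC mode: Administrative status OFF: Operational status OFF
System Specific:
OS monitor access status is: Enabled
Management Protocol Specific:
Telnet server : Enabled
Password Display : Enabled
"""

# "FIPS mode : Administrative status ON: Operational status ON" and the
# matching "FIPS CC mode:" line (assumed layout, taken from the sample).
MODE_RE = re.compile(
    r"^FIPS (?P<mode>CC )?mode\s*:\s*Administrative status (?P<admin>ON|OFF)"
    r"\s*:\s*Operational status (?P<oper>ON|OFF)\s*$"
)
# Generic "Key : Value" line; lines with nothing after the colon are skipped.
KV_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>\S.*)$")

# Services the `fips enable` banner says are disabled in FIPS mode. Any of
# these still reporting a value other than Disabled deserves a second look.
EXPECTED_DISABLED = (
    "Telnet server",
    "HTTPS SSL 3.0",
    "SNMP v1, v2, v2c",
    "SNMP Access to security objects",
    "Password Display",
    "OS monitor access status is",
)


def parse_fips_show(output):
    """Return {'fips': {...}, 'cc': {...}, 'settings': {...}} from fips show text."""
    result = {"fips": None, "cc": None, "settings": {}}
    for raw in output.splitlines():
        line = raw.strip()
        m = MODE_RE.match(line)
        if m:
            key = "cc" if m.group("mode") else "fips"
            result[key] = {"admin": m.group("admin"), "oper": m.group("oper")}
            continue
        m = KV_RE.match(line)
        if m:
            result["settings"][m.group("key").strip()] = m.group("value").strip()
    return result


def is_fips_operational(parsed):
    """True only when FIPS is both administratively and operationally ON."""
    mode = parsed.get("fips")
    return bool(mode) and mode["admin"] == "ON" and mode["oper"] == "ON"


def weakened_services(parsed):
    """Services from EXPECTED_DISABLED that the output does not report as Disabled."""
    settings = parsed["settings"]
    return [name for name in EXPECTED_DISABLED
            if name in settings and settings[name] != "Disabled"]


if __name__ == "__main__":
    for label, text in (("mlx", SAMPLE_MLX_AFTER_ENABLE), ("pre-reload", SAMPLE_ADMIN_ONLY)):
        parsed = parse_fips_show(text)
        print(label, "operational:", is_fips_operational(parsed),
              "weakened:", weakened_services(parsed))
```

Run against a captured session transcript rather than typed output; the parser ignores prompt lines and the two header-only lines ("System Specific:", "Critical security Parameter updates ...") because they carry no value after the colon. A device that reports administrative ON but operational OFF has not completed steps 3 and 4 of the procedure (save and reload), which is exactly the state the second sample shows.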