User roles in FIPS mode

Configuring FIPS mode on the Extreme devices complies with the standards established by the United States government and the National Institute of Standards and Technology (NIST).

An Extreme device in FIPS mode supports three user roles:

• Crypto-officer role: The Crypto-officer role on the device in FIPS mode is equivalent to the administrator role, or the super-user role in non-FIPS mode.
• Port Configuration Administrator role: The Port Configuration Administrator on the device in FIPS mode is equivalent to the port configuration user in non-FIPS mode and has write access to the interface configuration mode only.
• User role: The User role on the device in FIPS mode has read-only privileges and no configuration mode access.

Concurrent operators are supported, but no limit is enforced. The number of concurrent users is only limited by the system resources.

In addition to the user roles, the following roles support specific protocols:

• MACsec Peer role: The MACsec Peer role is available on the device. It allows MACsec Key Agreement (MKA) protocol sessions to be established with a remote peer based on the MACsec configuration on the Extreme NetIron device. Once the Secure Association Keys (SAK) are obtained, the MACsec peer role will install the keys on the PHY and start MACsec communication with the peer.

• IKEv2/ IPsec Peer role: The IKEv2 Peer role is available on the IPsec-supported line cards. It allows Internet Key Exchange (IKE) and IPsec sessions to be established with a remote peer based on the IPsec configuration on the Extreme NetIron device

• NTP Peer role: This role performs the Network Time Protocol (NTP) operation.