Restrictions and guidelines: FIPS
Requirements for key pairs and passwords
Before the device reboots to enter FIPS mode, the system automatically removes all key pairs configured in non-FIPS mode and all FIPS-incompliant digital certificates, that is, MD5-based certificates with a key modulus length of less than 2048 bits. Because the SSH server key pair is among the key pairs removed, you cannot log in to the device through SSH after the device enters FIPS mode. To restore SSH access in FIPS mode, log in to the device through the console port and create a new key pair for the SSH server.
The password for logging in to the device in FIPS mode must comply with the password control policies, such as the password length, complexity, and aging policies. When the aging timer for a password expires, the system prompts you to change the password. If you adjust the system time after the device enters FIPS mode, the login password might expire before the next login, because the original system time is typically much earlier than the actual time and advancing the clock can push the password past its aging timer.
Configuration rollback guidelines
Configuration rollback is supported in FIPS mode and also during a switch between FIPS mode and non-FIPS mode. After a configuration rollback between FIPS mode and non-FIPS mode, perform the following tasks:
1. Delete the existing local user and configure a new local user, including its password, user role, and service type.
2. Save the current configuration file.
3. Specify the current configuration file as the startup configuration file.
4. Reboot the device. The new configuration takes effect after the reboot. During this process, do not exit the system or perform other operations.
If a device enters FIPS or non-FIPS mode through automatic reboot, configuration rollback fails. To support configuration rollback, you must execute the save command after the device enters FIPS or non-FIPS mode.
IRF compatibility
All devices in an IRF fabric must be operating in the same mode, whether in FIPS mode or non-FIPS mode.
To enable FIPS mode for an IRF fabric, you must reboot the entire IRF fabric.
Feature changes in FIPS mode
After the system enters FIPS mode, the following feature changes occur:
The user login authentication mode can only be scheme.
The FTP/TFTP server and client are disabled.
The Telnet server and client are disabled.
The HTTP server is disabled.
SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
The SSL server supports only TLS1.0, TLS1.1, and TLS1.2.
The SSH server does not support SSHv1 clients or DSA key pairs.
The generated RSA and DSA key pairs must have a modulus length of 2048 bits.
When the device acts as a server to authenticate a client through the public key, the key pair for the client must also have a modulus length of 2048 bits.
The generated ECDSA key pairs must have a modulus length of more than 256 bits.
When the device acts as a server to authenticate a client through the public key, the key pair for the client must also have a modulus length of more than 256 bits.
SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, or MD5.
The password control feature cannot be disabled globally. The undo password-control enable command does not take effect.
An AAA shared key, IKE pre-shared key, or SNMPv3 authentication key must have at least 15 characters and must contain uppercase and lowercase letters, digits, and special characters.
The password for a device management local user and the password for switching user roles must comply with the password control policies. By default, the password must have at least 15 characters and must contain uppercase and lowercase letters, digits, and special characters.
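As an added example, not part of the vendor documentation, the following Python pre-flight check applies the FIPS-mode rules listed above to an inventory you assemble by hand before rebooting: the 15-character, four-class rule for shared keys and local user passwords, the modulus rules for RSA/DSA and ECDSA key pairs, and the MD5/2048-bit rule for certificates that would be removed. The inventory layout and function names are the example's own assumptions, not device commands.

```python
"""Pre-flight check of secrets, key pairs and certificates against the FIPS rules above.

The inventory format is this example's own; nothing here queries a device.
Findings are returned rather than printed so they can be checked programmatically.
"""
import string

MIN_SECRET_LEN = 15        # AAA shared key, IKE PSK, SNMPv3 auth key, local user password
RSA_DSA_MODULUS = 2048     # RSA and DSA key pairs must have a 2048-bit modulus
ECDSA_MIN_EXCLUSIVE = 256  # ECDSA key pairs must be more than 256 bits


def secret_findings(secret: str) -> list[str]:
    """Return why `secret` fails the default FIPS-mode policy (empty list if it passes)."""
    problems = []
    if len(secret) < MIN_SECRET_LEN:
        problems.append(f"length {len(secret)} < {MIN_SECRET_LEN}")
    classes = {
        "uppercase": any(c.isupper() for c in secret),
        "lowercase": any(c.islower() for c in secret),
        "digit": any(c.isdigit() for c in secret),
        "special": any(c in string.punctuation for c in secret),
    }
    problems += [f"missing {name}" for name, present in classes.items() if not present]
    return problems


def key_pair_compliant(algorithm: str, bits: int) -> bool:
    """RSA/DSA must be exactly 2048 bits; ECDSA must be more than 256 bits."""
    alg = algorithm.upper()
    if alg in ("RSA", "DSA"):
        return bits == RSA_DSA_MODULUS
    if alg == "ECDSA":
        return bits > ECDSA_MIN_EXCLUSIVE
    return False  # algorithms the page does not list are not accepted by this check


def certificate_compliant(signature_hash: str, modulus_bits: int) -> bool:
    """Stricter reading of the page: an MD5 signature or a modulus under 2048 bits fails."""
    return signature_hash.upper() != "MD5" and modulus_bits >= RSA_DSA_MODULUS


def audit(inventory: dict) -> list[str]:
    """Collect findings for a constructed inventory of secrets, key pairs and certificates."""
    findings = []
    for name, secret in inventory.get("secrets", {}).items():
        findings += [f"{name}: {problem}" for problem in secret_findings(secret)]
    for name, (alg, bits) in inventory.get("key_pairs", {}).items():
        if not key_pair_compliant(alg, bits):
            findings.append(f"{name}: {alg} {bits}-bit key pair is not accepted in FIPS mode")
    for name, (sig, bits) in inventory.get("certificates", {}).items():
        if not certificate_compliant(sig, bits):
            findings.append(f"{name}: {sig}/{bits}-bit certificate will be removed")
    return findings
```

Run `audit` over your planned secrets and key sizes before the reboot; an empty result means nothing listed here will be removed or rejected when the device enters FIPS mode.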