
Configuring Security Administrator and FIPS User Identification and Access


Crypto Officers and FIPS users perform all configuration tasks for Junos OS in FIPS mode and issue all Junos OS in FIPS mode statements and commands. Security Administrator and FIPS user configurations must follow Junos OS in FIPS mode guidelines.

Configuring Security Administrator Login Access

Junos OS in FIPS mode offers a finer granularity of user permissions than those mandated by FIPS 140-2.

For FIPS 140-2 compliance, any FIPS user with the secret, security, maintenance, and control permission bits set is a Security Administrator. In most cases the super-user class suffices for the Security Administrator.

To configure login access for a Security Administrator:

  1. Log in to the switch with the root password if you have not already done so, and enter configuration mode:
  2. Name the user “crypto-officer” and assign the Security Administrator a user ID (for example, 6400) and a class (for example, super-user). When you assign the class, you assign the permissions—for example, secret, security, maintenance, and control.

    For a list of permissions, see Understanding Junos OS Access Privilege Levels.

  3. Following the guidelines in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode, assign the Security Administrator a plain-text password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.
  4. Optionally, display the configuration:
  5. If you are finished configuring the switch, commit the configuration and exit:

    Otherwise, go on to Configuring FIPS User Login Access.

Configuring FIPS User Login Access

A fips-user is defined as any FIPS user that does not have the secret, security, maintenance, and control permission bits set. As the Security Administrator, you set up FIPS users.

To configure login access for a FIPS user:

  1. Log in to the switch with your Security Administrator password if you have not already done so, and enter configuration mode:
  2. Give the user a username, and assign the FIPS user a user ID (for example, 6401) and a class (for example, read-only). When you assign the class, you assign the permissions—for example, clear, configure, network, reset, view, and view-configuration.

    For a list of permissions, see Understanding Junos OS Access Privilege Levels.

  3. Following the guidelines in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode, assign the FIPS user a plain-text password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.
  4. Optionally, display the configuration:
  5. If you are finished configuring the switch, commit the configuration and exit:
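To audit which configured accounts count as Security Administrators under the rule used in both procedures above (all four of the secret, security, maintenance, and control permission bits set) and which are plain FIPS users, the following Python script reads set-format Junos configuration and classifies each login user. It is an added example, not Juniper's code; the sample configuration and the permission sets assigned to the predefined classes are constructed assumptions for the audit.

```python
import re
from typing import Dict, Set

# Permission bits that make a FIPS user a Security Administrator in Junos OS FIPS mode.
SECADMIN_BITS: Set[str] = {"secret", "security", "maintenance", "control"}

# Assumed permissions of the predefined login classes: super-user holds every bit,
# the others hold none of the four Security Administrator bits.
PREDEFINED_CLASSES: Dict[str, Set[str]] = {
    "super-user": {"all"},
    "operator": {"clear", "network", "reset", "trace", "view"},
    "read-only": {"view"},
    "unauthorized": set(),
}

CLASS_RE = re.compile(r"^set system login class (\S+) permissions (?:\[\s*(.*?)\s*\]|(\S+))$")
USER_RE = re.compile(r"^set system login user (\S+) class (\S+)$")

def classify_users(set_config: str) -> Dict[str, str]:
    """Map each configured user to security-administrator, fips-user or unknown-class."""
    classes = {name: set(bits) for name, bits in PREDEFINED_CLASSES.items()}
    users: Dict[str, str] = {}
    for raw in set_config.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:  # custom class: permissions may be bracketed or a single word such as "all"
            bits = m.group(2) if m.group(2) is not None else m.group(3)
            classes[m.group(1)] = set(bits.split())
            continue
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = m.group(2)
    verdict: Dict[str, str] = {}
    for user, cls in users.items():
        bits = classes.get(cls)
        if bits is None:
            verdict[user] = "unknown-class"  # class not defined in the input
        elif "all" in bits or SECADMIN_BITS <= bits:
            verdict[user] = "security-administrator"
        else:
            verdict[user] = "fips-user"  # missing at least one of the four bits
    return verdict

# Constructed sample configuration in set format (hypothetical, not from a real device).
SAMPLE_CONFIG = """
set system login user crypto-officer uid 6400
set system login user crypto-officer class super-user
set system login user fips-user1 uid 6401
set system login user fips-user1 class read-only
set system login class audit-only permissions [ secret security view ]
set system login user auditor uid 6402
set system login user auditor class audit-only
"""
```

The "auditor" account in the sample is classified as a FIPS user even though it holds secret and security, because it lacks maintenance and control.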