Configure Security Administrator and FIPS User Identification and Access

Security Administrator and FIPS users perform all configuration tasks for Junos OS in FIPS mode and issue all Junos OS in FIPS mode statements and commands. Security Administrator and FIPS user configurations must follow Junos OS in FIPS mode guidelines.

Configure Security Administrator Access

Junos OS in FIPS mode offers a finer granularity of user permissions than those mandated by FIPS 140-3.

For FIPS 140-3 compliance, any FIPS user with the secret, security, maintenance, and control permission bits set is a Security Administrator. In most cases the super-user class suffices for the Security Administrator.

To configure login access for a Security Administrator:

  1. Log in to the device with the root password if you have not already done so, and enter configuration mode:
  2. Name the user security-administrator and assign the Security Administrator a user ID (for example, 6400, which must be a unique number associated with the login account in the range of 100 through 64000) and a class (for example, super-user). When you assign the class, you assign the permissions—for example, secret, security, maintenance, and control.
  3. Configure the hashed algorithm for plain-text passwords as sha512.
  4. Following the guidelines in Password Specifications and Guidelines for Junos OS in CC Evaluated Configuration, assign the Security Administrator a plain-text password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.

    For example:

  5. Load an SSH key file that was previously generated using ssh-keygen. This command loads RSA or ECDSA keys (both SSH version 2).
  6. Set the log-key-changes configuration statement to log when SSH authentication keys are added or removed.
    Note:

    When the log-key-changes configuration statement is enabled and committed (with the commit command in configuration mode), Junos OS Evolved logs the changes to the set of authorized SSH keys for each user (including the keys that were added or removed). Junos OS Evolved logs the differences since the last time the log-key-changes configuration statement was enabled. If the log-key-changes configuration statement was never enabled, then Junos OS Evolved logs all the authorized SSH keys.

  7. Optionally, display the configuration:
  8. If you are finished configuring the device, commit the configuration and exit:

Configure FIPS User Login Access

A FIPS user is defined as any user that does not have the secret, security, maintenance, and control permission bits set.

As the Security Administrator you set up FIPS users. FIPS users cannot be granted permissions normally reserved for the Security Administrator—for example, permission to zeroize the system.

To configure login access for a FIPS user:

  1. Log in to the device with your Security Administrator password if you have not already done so, and enter configuration mode:
  2. Give the user a username, and assign the user a user ID (for example, 6401, which must be a unique number in the range of 1 through 64000) and a class. When you assign the class, you assign the permissions—for example, clear, network, reset, view, and view-configuration.
  3. Following the guidelines in Password Specifications and Guidelines for Junos OS in CC Evaluated Configuration, assign the FIPS user a plain-text password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.

    For example:

  4. Optionally, display the configuration:
  5. If you are finished configuring the device, commit the configuration and exit:

    You can use the delete system login user username command to delete the user.
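The two procedures above share one rule: a login account is a Security Administrator exactly when its class carries the secret, security, maintenance, and control permission bits, and a FIPS user otherwise, with the user ID ranges and the sha512 password format as additional requirements. The following script is an added example, not Juniper's code or a Junos feature: it parses a set of Junos `set system login ...` statements and reports deviations from those guidelines. The statement paths and permission names follow the Junos CLI; the sample statements, the class name `fips-operator`, the user `ops-user`, and the key-file path are constructed for this example.

```python
"""Audit Junos 'set system login ...' statements against the Security
Administrator / FIPS user rules described in the procedure above.

Added example, not Juniper's code. Sample statements are constructed.
"""
import re

# All four bits present => Security Administrator; otherwise a FIPS user.
SECURITY_ADMIN_BITS = frozenset({"secret", "security", "maintenance", "control"})
# Junos predefined class used in the procedure; super-user carries 'all'.
PREDEFINED_CLASSES = {"super-user": frozenset({"all"})}
# Assumption: the subset of Junos permission bits this example models.
ALL_BITS = SECURITY_ADMIN_BITS | {"clear", "network", "reset", "view", "view-configuration"}

# Constructed sample: follows the procedure (sha512, uid ranges, log-key-changes).
GOOD_CONFIG = """
set system login password format sha512
set system login user security-administrator uid 6400
set system login user security-administrator class super-user
set system login user security-administrator authentication plain-text-password
set system login user security-administrator authentication load-key-file /var/tmp/admin_ecdsa.pub
set system services ssh log-key-changes
set system login class fips-operator permissions [ clear network reset view view-configuration ]
set system login user fips-operator uid 6401
set system login user fips-operator class fips-operator
set system login user fips-operator authentication plain-text-password
"""

# Constructed sample with three deviations: wrong hash format, SSH key loaded
# without log-key-changes, and an 'operator' class that silently grants the
# four Security Administrator bits to a user with an out-of-range uid.
WEAK_CONFIG = """
set system login password format sha256
set system login user security-administrator uid 6400
set system login user security-administrator class super-user
set system login user security-administrator authentication load-key-file /var/tmp/admin_ecdsa.pub
set system login class ops permissions [ clear network reset view secret security maintenance control ]
set system login user ops-user uid 64001
set system login user ops-user class ops
"""


def parse_set_config(text):
    """Collect classes, users, password hash format and ssh log-key-changes."""
    cfg = {"classes": {}, "users": {}, "password_format": None, "log_key_changes": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"set system login class (\S+) permissions (?:\[\s*(.*?)\s*\]|(\S+))$", line)
        if m:
            cfg["classes"].setdefault(m.group(1), set()).update((m.group(2) or m.group(3)).split())
            continue
        m = re.match(r"set system login user (\S+) (uid|class) (\S+)$", line)
        if m:
            cfg["users"].setdefault(m.group(1), {"auth": set()})[m.group(2)] = m.group(3)
            continue
        m = re.match(r"set system login user (\S+) authentication (\S+)", line)
        if m:
            cfg["users"].setdefault(m.group(1), {"auth": set()})["auth"].add(m.group(2))
            continue
        m = re.match(r"set system login password format (\S+)$", line)
        if m:
            cfg["password_format"] = m.group(1)
        elif line == "set system services ssh log-key-changes":
            cfg["log_key_changes"] = True
    return cfg


def effective_permissions(user, cfg):
    """Resolve a user's class to its permission bits ('all' expands to every bit)."""
    cls = user.get("class")
    perms = set(cfg["classes"].get(cls, PREDEFINED_CLASSES.get(cls, frozenset())))
    return ALL_BITS if "all" in perms else frozenset(perms)


def role_of(user, cfg):
    """Apply the page's rule: the four bits together make a Security Administrator."""
    if SECURITY_ADMIN_BITS <= effective_permissions(user, cfg):
        return "security-administrator"
    return "fips-user"


def roles(text):
    """Map each configured user to its role."""
    cfg = parse_set_config(text)
    return {name: role_of(user, cfg) for name, user in cfg["users"].items()}


def audit(text):
    """Return findings; an empty list means the statements follow the guidelines."""
    cfg = parse_set_config(text)
    findings = []
    if cfg["password_format"] != "sha512":
        findings.append(f"password format is {cfg['password_format']}, guideline requires sha512")
    seen_uids = {}
    for name, user in cfg["users"].items():
        role = role_of(user, cfg)
        low = 100 if role == "security-administrator" else 1  # uid ranges from the procedure
        uid = int(user.get("uid", "-1"))
        if not low <= uid <= 64000:
            findings.append(f"{name}: uid {uid} outside {low}-64000 for a {role}")
        seen_uids.setdefault(user.get("uid"), []).append(name)
        if "load-key-file" in user["auth"] and not cfg["log_key_changes"]:
            findings.append(f"{name}: SSH key loaded but ssh log-key-changes is not set")
    for uid, names in seen_uids.items():
        if len(names) > 1:
            findings.append(f"uid {uid} is not unique: {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, roles(text), audit(text) or "no findings")
```

The checker classifies by the resolved permission bits rather than by the account name, which is the point of the definition above: `ops-user` in the weak sample is a Security Administrator even though it was clearly intended as an operator account, so it must also satisfy the 100 through 64000 user ID range and should not have been given those bits at all.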