Disabling FIPS Approved Mode

Last Updated: May 10, 2023

About this task

The gateway’s current configuration will be zeroized anytime FIPS Approved Mode is enabled or disabled.

Procedure

  1. The Cryptographic Officer must log in to the gateway using a user login account that has administrative privileges.

    For example:

    Login: root
    Password: ****
    Password accepted

    Note:

    The gateway’s serial console or IP services port can be used to log in to the gateway to disable FIPS mode. The serial console or IP services port is required for the first login after FIPS Approved Mode is disabled, because the zeroization that accompanies disabling FIPS mode erases all network configuration.

  2. Run the set fips-mode disable command to disable FIPS mode.
    G4xx(super)# set fips-mode disable
    
    WARNING: This Gateway will be ZEROIZED and RESET if you continue to disable FIPS mode.
    Do you want to continue (Y/N)? Y
    
    Disabling FIPS Mode.
    
    The Gateway will now be Zeroized and Reset…
    
  3. The gateway resets and runs a series of FIPS-related Power-On Self-Tests (POST), as shown below.
    FIPS POST TEST - STARTED
    
    NVRAM  POST Integrity Test OK
    E2PROM POST Integrity Test OK
    FIPS Object Module POST Started
            Integrity Test OK     
            DRBG AES-256-CTR DF Test OK     
            DRBG AES-256-CTR Test OK     
            Digest SHA1 Test OK     
            Digest SHA1 Test OK     
            Digest SHA1 Test OK     
            Digest SHA256 Test OK     
            Digest SHA256 Test OK     
            Digest SHA256 Test OK     
            Digest SHA512 Test OK     
            Digest SHA512 Test OK     
            Digest SHA512 Test OK     
            HMAC SHA1 Test OK     
            HMAC SHA224 Test OK     
            HMAC SHA256 Test OK     
            HMAC SHA384 Test OK     
            HMAC SHA512 Test OK     
            Cipher AES-128-ECB Test OK     
            GCM Test OK     
            Cipher DES-EDE3-ECB Test OK     
            Cipher DES-EDE3-ECB Test OK     
            Signature RSA 2048 SHA256 PKCS#1 Test OK     
            Signature RSA 3072 SHA256 PKCS#1 Test OK     
            Signature ECDSA P-256 Test OK     
            Signature ECDSA P-384 Test OK     
            Signature ECDSA P-521 Test OK     
    FIPS Object Module POST Success
    SW/FW POST Integrity Test OK
    VoIP DSP0 FIPS POST Started
            Core0 AES  Test OK
            Core0 HMAC Test OK
            Core0 SHA1 Test OK
            Core1 AES  Test OK
            Core1 HMAC Test OK
            Core1 SHA1 Test OK
            Core2 AES  Test OK
            Core2 HMAC Test OK
            Core2 SHA1 Test OK
            Core3 AES  Test OK
            Core3 HMAC Test OK
            Core3 SHA1 Test OK
    VoIP DSP0 FIPS POST Success
    VoIP DSP1 FIPS POST Started
            Core0 AES  Test OK
            Core0 HMAC Test OK
            Core0 SHA1 Test OK
            Core1 AES  Test OK
            Core1 HMAC Test OK
            Core1 SHA1 Test OK
            Core2 AES  Test OK
            Core2 HMAC Test OK
            Core2 SHA1 Test OK
            Core3 AES  Test OK
            Core3 HMAC Test OK
            Core3 SHA1 Test OK
    VoIP DSP1 FIPS POST Success
    Generating RSA key, This command may take a few minutes...
    .............
    Key was created!
    Key version: SSH2, RSA
    Key Fingerprint: SHA256:X31EqBa0+ikMUASGS0zbFVcjFUCkKzw+U3OGYY/aI/o
    
    FIPS POST TEST - COMPLETED
    
    Enabling External Data Ports
    
  4. After verifying successful completion of the Power-On Self Tests (POST), the Cryptographic Officer must log in to the gateway using the root login account and default root password as shown below.
    G4xx Login: root
    Password: ****
    Response accepted
    
    Password accepted
    
    Note:

    Only the root user login can initially be used after disabling FIPS Approved Mode, since all other administrative accounts are deleted during zeroization.

  5. The Cryptographic Officer must change the root password from the default password to a new, more secure password as shown below.
    Enter new password: 
    Confirm new password:
    
  6. The Cryptographic Officer must confirm whether Enhanced Access Security Gateway (EASG) is to be enabled or disabled, as shown below.
    *****************************************************
    Enhanced Access Security Gateway (EASG) Confirmation.
    *****************************************************
    Please confirm whether Avaya is granted login access to this system.
    You may change this setting any time after confirmation is completed.
    
    Enable EASG: (Recommended)
    By enabling Avaya Logins you are granting Avaya access to your system.
    This is necessary to maximize the performance and value of your Avaya support
    entitlements, allowing Avaya to resolve product issues in a timely manner.
    
    In addition to enabling the Avaya Logins, this product should be registered
    with Avaya and technically onboarded for remote connectivity and alarming.
    Please see the Avaya support site (support.avaya.com/registration) for
    additional information for registering products and establishing remote
    access and alarming.
    
    Disable EASG:
    By disabling Avaya Logins you are preventing Avaya access to your system.
    This is not recommended, as it impacts Avaya's ability to provide support
    for the product.  Unless the customer is well versed in managing the
    product themselves, Avaya Logins should not be disabled.
    
    Enter 1 to Enable EASG (Recommended) or 2 to Disable EASG? 1
    
    You have requested Avaya Logins be Enabled.
    Do you want to continue (Y/N)? Y
    
    
    Avaya Logins have been Enabled.
    
  7. If you use the Gateway Configuration Script to complete basic configuration of the gateway, complete the process as shown below. The gateway then resets.
    --- Gateway Configuration Script ---
    The script will provide you basic gateway connectivity configuration.
    Configuration Script - do you want to continue (Y/N)? Y
    
    Default settings are in square brackets '[]'.
    Vlan [1] :
    IPv4 Enabled (Y/N)? [Y] : 
    
    IPv4 address [169.254.0.2] :172.16.1.230
    IPv4 Subnet mask [255.255.255.0] :255.255.254.0
    IPv4 Default gateway [172.16.1.1] :172.16.1.254
    IPv6 Enabled (Y/N)? [N] : 
    
    MGC controllers [0.0.0.0] :172.16.1.168
    Hostname [G430] :G430
    Enable Spanning Tree on LAN ports (Y/N/Help)? [Y] : 
    
    The following parameters are about to be configured:
    Vlan                   : 1
    IPv4 address           : 172.16.1.230
    Subnet mask            : 255.255.254.0
    Default gateway        : 172.16.1.254
    MGC controllers        : 172.16.1.168
    Hostname               : G430
    Spanning Tree Protocol : enabled
    The gateway will save those parameters in startup-config and then reset
     - do you want to continue (Y/N)? Y
    
    Please connect your gateway to the network via any Ethernet port
    Saving configuration...
    Resetting the device...
    
  8. The Cryptographic Officer must log in to the gateway using a user login account that has administrative privileges as shown below.
    Login: root 
    Password: **** 
    Password accepted
  9. Run the show fips-mode command to verify that FIPS mode is disabled.
    G4xx(super)# show fips
    FIPS Mode:  Disabled
    
  10. Run the username command to define new user logins for the Cryptographic Officer, administrators and users, as shown below.
    G450(super)# username crypto-officer access-type admin
    Enter new password: *********
    Confirm password  : *********
    User account added.
    
  11. Run the show username command to verify the successful addition of users as shown below.
    G4xx-???(super)# show username 
    
    User                              Access       Account     Active
    account                           level        type 
    --------------------------------  -----------  ----------  ----------------
    root                              admin        local       yes     
    crypto-officer                    admin        local       yes     
    
  12. If you have saved a copy of your previous configuration before disabling FIPS approved mode, refer to it to perform any additional configuration as needed. For more information, see Configuration changes and backup.
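The procedure above produces a console capture that the Cryptographic Officer is expected to read by eye: every self-test line in step 3 must end in OK, the POST must reach COMPLETED, the new SSH host key fingerprint printed after zeroization must be recorded (the old key is gone, so any SSH client that pinned it will see a host-key change and the fingerprint on the console is the only trustworthy reference for the new one), and step 9 must report FIPS mode Disabled. The following Python script is an added example, not Avaya code or part of this document; it checks those points over a captured transcript and sanity-checks the addresses typed into the step 7 configuration script. The capture below is a constructed, trimmed sample and its fingerprint is a placeholder, not a real key.

```python
import ipaddress
import re

# Constructed sample of a console capture covering steps 3 and 9 (trimmed).
# The fingerprint is a placeholder, not a key from any real gateway.
SAMPLE_CAPTURE = """\
FIPS POST TEST - STARTED

NVRAM  POST Integrity Test OK
E2PROM POST Integrity Test OK
FIPS Object Module POST Started
        Integrity Test OK
        DRBG AES-256-CTR DF Test OK
        Signature ECDSA P-256 Test OK
FIPS Object Module POST Success
SW/FW POST Integrity Test OK
VoIP DSP0 FIPS POST Started
        Core0 AES  Test OK
        Core0 HMAC Test OK
VoIP DSP0 FIPS POST Success
Generating RSA key, This command may take a few minutes...
.............
Key was created!
Key version: SSH2, RSA
Key Fingerprint: SHA256:EXAMPLEFINGERPRINTPLACEHOLDER0000000000000000
FIPS POST TEST - COMPLETED
G4xx(super)# show fips-mode
FIPS Mode:  Disabled
"""

# One self-test result line: "<name> Test <result>" (case-sensitive, so the
# "FIPS POST TEST - STARTED" banner is not mistaken for a result).
TEST_LINE = re.compile(r"^\s*(?P<name>.+?)\s+Test\s+(?P<result>\S+)\s*$")
FINGERPRINT = re.compile(r"Key Fingerprint:\s*(?P<fp>SHA256:[A-Za-z0-9+/=]+)")
FIPS_MODE = re.compile(r"FIPS Mode:\s*(?P<mode>\w+)")


def parse_post(capture):
    """Return (started, completed, passed_names, failed_names) for the POST section."""
    started = "FIPS POST TEST - STARTED" in capture
    completed = "FIPS POST TEST - COMPLETED" in capture
    passed, failed = [], []
    for line in capture.splitlines():
        m = TEST_LINE.match(line)
        if not m:
            continue
        name = re.sub(r"\s+", " ", m.group("name"))
        (passed if m.group("result") == "OK" else failed).append(name)
    return started, completed, passed, failed


def host_key_fingerprint(capture):
    """The SHA256 fingerprint of the host key generated after zeroization, or None."""
    m = FINGERPRINT.search(capture)
    return m.group("fp") if m else None


def fips_mode(capture):
    """The value reported by 'show fips-mode' in the capture, or None."""
    m = FIPS_MODE.search(capture)
    return m.group("mode") if m else None


def verify_disable(capture, client_reported_fingerprint=None):
    """Findings for steps 3 and 9; an empty list means the capture is as expected.

    client_reported_fingerprint is what the SSH client showed on its first
    connection after the reset; it must equal the console-printed one.
    """
    findings = []
    started, completed, passed, failed = parse_post(capture)
    if not started:
        findings.append("POST start banner not seen")
    if not completed:
        findings.append("POST did not report COMPLETED")
    if not passed:
        findings.append("no self-test results found")
    for name in failed:
        findings.append(f"self-test not OK: {name}")
    fp = host_key_fingerprint(capture)
    if fp is None:
        findings.append("no SSH host key fingerprint found")
    elif client_reported_fingerprint is not None and fp != client_reported_fingerprint:
        findings.append("console fingerprint differs from the one the SSH client reported")
    mode = fips_mode(capture)
    if mode != "Disabled":
        findings.append(f"FIPS mode reported as {mode!r}, expected 'Disabled'")
    return findings


def check_ip_plan(address, mask, default_gateway, mgc):
    """Sanity-check the values typed into the Gateway Configuration Script (step 7)."""
    net = ipaddress.ip_interface(f"{address}/{mask}").network
    findings = []
    for label, ip in (("default gateway", default_gateway), ("MGC controller", mgc)):
        if ipaddress.ip_address(ip) not in net:
            findings.append(f"{label} {ip} is outside {net}")
    if default_gateway == address:
        findings.append("default gateway equals the gateway's own address")
    return findings


if __name__ == "__main__":
    for finding in verify_disable(SAMPLE_CAPTURE) or ["capture is as expected"]:
        print(finding)
    print(check_ip_plan("172.16.1.230", "255.255.254.0", "172.16.1.254", "172.16.1.168"))
```

Paste the real console capture in place of SAMPLE_CAPTURE (or read it from the terminal emulator's log file), and pass the fingerprint your SSH client displays at step 8 as client_reported_fingerprint; a mismatch means you are not talking to the gateway whose console you just watched.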