Enabling FIPS Approved Mode

Last Updated: May 10, 2023

About this task

The gateway’s current configuration will be zeroized anytime FIPS Approved Mode is enabled or disabled.

Procedure

  1. Log in to the gateway using a user login account that has administrative privileges.

    For example:

    Login:root
    Password: ****
    Password accepted

    Note:

    The gateway’s serial console or IP services port can be used when logging on to the gateway to enable FIPS mode, so that FIPS-related test results and error states that occur during boot-up can be viewed when the gateway first attempts to enter FIPS mode. The serial console or IP services port is also required for the first login after FIPS approved mode is enabled, because the zeroization that accompanies enabling FIPS mode erases all network configuration.

  2. Verify that both firmware banks contain FIPS-approved firmware images using the show image version command as shown below.

    To verify that the version(s) you have installed is certified for FIPS 140-2 compliance, see the Cryptographic Module Validation Program (CMVP) lists on the NIST website at http://www.nist.gov.

    G4xx-001(super)# show image version
    Bank         Version
    -----------  -------
    A            39.27.0
    B (current)  41.9.0
    
    Note:

    Banks that do not have a FIPS-approved firmware image must be upgraded.

  3. To review the impact FIPS Approved Mode will have on the existing configuration, run the show fips-mode command as shown below.
    G4xx(super)# show fips-mode
    
    FIPS Mode:  Disabled
    
    These configuration settings are not FIPS-compliant and
    will be automatically disabled if FIPS-mode is enabled:
      set link-encryption h248reg unencrypted yes
      set allow-unencrypted rtp yes
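
    The checks in steps 2 and 3 can be scripted against the CLI output captured by the operator. The following Python is an added example and is not Avaya code or part of this procedure: it parses the text of show image version and show fips-mode, reports which banks are not on an allow-list of approved versions and which settings will be dropped at the switch-over, and gives a go/no-go. The allow-list FIPS_APPROVED_VERSIONS is an assumed placeholder that the operator must fill from the CMVP list; the values in it and the sample CLI text are constructed for the example and make no claim that any real firmware version is validated.

```python
"""Pre-flight check before enabling FIPS Approved Mode on the gateway.

Added example, not Avaya's code. It parses operator-captured output of
'show image version' and 'show fips-mode' and reports whether both
firmware banks carry an allow-listed image and which running settings
will be disabled when FIPS mode is switched on.
"""
import re

# ASSUMPTION: the operator fills this set from the CMVP validated-module list.
# The value below is a constructed placeholder for the example only; it does
# not assert that any real firmware version is FIPS 140-2 validated.
FIPS_APPROVED_VERSIONS = {"41.9.0"}

# Constructed sample output, copied from the procedure's transcripts.
SHOW_IMAGE_VERSION = """\
Bank         Version
-----------  -------
A            39.27.0
B (current)  41.9.0
"""

SHOW_FIPS_MODE = """\
FIPS Mode:  Disabled

These configuration settings are not FIPS-compliant and
will be automatically disabled if FIPS-mode is enabled:
  set link-encryption h248reg unencrypted yes
  set allow-unencrypted rtp yes
"""

# One bank row: letter, optional "(current)" marker, dotted version.
BANK_LINE = re.compile(
    r"^(?P<bank>[A-Z])(?:\s+\((?P<flag>current)\))?\s+(?P<ver>\d+\.\d+\.\d+)$"
)


def parse_image_banks(text):
    """Return {bank_letter: (version, is_current)} from 'show image version'."""
    banks = {}
    for line in text.splitlines():
        m = BANK_LINE.match(line.strip())
        if m:
            banks[m.group("bank")] = (m.group("ver"), m.group("flag") == "current")
    return banks


def banks_needing_upgrade(banks, approved=FIPS_APPROVED_VERSIONS):
    """Banks whose image is not on the allow-list (step 2: these must be upgraded)."""
    return sorted(bank for bank, (ver, _) in banks.items() if ver not in approved)


def parse_fips_mode(text):
    """Return (mode, [settings that will be disabled]) from 'show fips-mode'."""
    mode = None
    dropped = []
    for line in text.splitlines():
        if line.startswith("FIPS Mode:"):
            mode = line.split(":", 1)[1].strip()
        elif line.startswith("  set "):
            # Indented 'set ...' lines are the commands the gateway will drop.
            dropped.append(line.strip())
    return mode, dropped


def preflight(image_text, fips_text, approved=FIPS_APPROVED_VERSIONS):
    """Go/no-go summary: proceed only when FIPS is off and both banks are approved."""
    banks = parse_image_banks(image_text)
    mode, dropped = parse_fips_mode(fips_text)
    bad = banks_needing_upgrade(banks, approved)
    return {
        "fips_mode": mode,
        "banks": banks,
        "upgrade_required": bad,
        "settings_to_be_disabled": dropped,
        "ok_to_enable": mode == "Disabled" and len(banks) == 2 and not bad,
    }


if __name__ == "__main__":
    for key, value in preflight(SHOW_IMAGE_VERSION, SHOW_FIPS_MODE).items():
        print(f"{key}: {value}")
```

    With the sample data the result is a no-go, because bank A holds 39.27.0, which is not on the placeholder allow-list; the two settings listed under settings_to_be_disabled are the ones to re-create in a compliant form after step 16.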
    
  4. Run the show running-config command and make a copy of its output, since the current gateway configuration is erased when FIPS approved mode is enabled.
    G4xx(super)# show running-config
    Note:

    Alternatively, the gateway’s current running configuration can be saved to an external text file for later viewing by using the copy running-config command.

  5. Run the set fips-mode enable command to enable FIPS mode as shown below.
    G4xx(super)# set fips-mode enable
    
    WARNING: This Gateway will be ZEROIZED and RESET if you continue to enable FIPS mode.
    Do you want to continue (Y/N)? Y
    
    Enabling FIPS Mode.
    
    The Gateway will now be Zeroized and Reset…
    
  6. The gateway will reset and perform a variety of FIPS-related Power-On Self Tests (POST) as shown below.
    FIPS POST TEST - STARTED
    
    NVRAM  POST Integrity Test OK
    E2PROM POST Integrity Test OK
    FIPS Object Module POST Started
            Integrity Test OK     
            DRBG AES-256-CTR DF Test OK     
            DRBG AES-256-CTR Test OK     
            Digest SHA1 Test OK     
            Digest SHA1 Test OK     
            Digest SHA1 Test OK     
            Digest SHA256 Test OK     
            Digest SHA256 Test OK     
            Digest SHA256 Test OK     
            Digest SHA512 Test OK     
            Digest SHA512 Test OK     
            Digest SHA512 Test OK     
            HMAC SHA1 Test OK     
            HMAC SHA224 Test OK     
            HMAC SHA256 Test OK     
            HMAC SHA384 Test OK     
            HMAC SHA512 Test OK     
            Cipher AES-128-ECB Test OK     
            GCM Test OK     
            Cipher DES-EDE3-ECB Test OK     
            Cipher DES-EDE3-ECB Test OK     
            Signature RSA 2048 SHA256 PKCS#1 Test OK     
            Signature RSA 3072 SHA256 PKCS#1 Test OK     
            Signature ECDSA P-256 Test OK     
            Signature ECDSA P-384 Test OK     
            Signature ECDSA P-521 Test OK     
    FIPS Object Module POST Success
    SW/FW POST Integrity Test OK
    VoIP DSP0 FIPS POST Started
            Core0 AES  Test OK
            Core0 HMAC Test OK
            Core0 SHA1 Test OK
            Core1 AES  Test OK
            Core1 HMAC Test OK
            Core1 SHA1 Test OK
            Core2 AES  Test OK
            Core2 HMAC Test OK
            Core2 SHA1 Test OK
            Core3 AES  Test OK
            Core3 HMAC Test OK
            Core3 SHA1 Test OK
    VoIP DSP0 FIPS POST Success
    VoIP DSP1 FIPS POST Started
            Core0 AES  Test OK
            Core0 HMAC Test OK
            Core0 SHA1 Test OK
            Core1 AES  Test OK
            Core1 HMAC Test OK
            Core1 SHA1 Test OK
            Core2 AES  Test OK
            Core2 HMAC Test OK
            Core2 SHA1 Test OK
            Core3 AES  Test OK
            Core3 HMAC Test OK
            Core3 SHA1 Test OK
    VoIP DSP1 FIPS POST Success
    Generating RSA key, This command may take a few minutes...
    .............
    Key was created!
    Key version: SSH2, RSA
    Key Fingerprint: SHA256:X31EqBa0+ikMUASGS0zbFVcjFUCkKzw+U3OGYY/aI/o
    
    FIPS POST TEST - COMPLETED
    
    Enabling External Data Ports
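
    The transcript above is what the serial-console note in step 1 tells you to watch. The following Python is an added example, not Avaya's code: it parses a captured POST transcript and flags any self-test that did not report OK, any module block that did not reach Success, or a capture that never reaches the COMPLETED marker, and it extracts the newly generated SSH host-key fingerprint so the Cryptographic Officer can compare it with the fingerprint presented at the first SSH login. The sample text is an abridged copy of the transcript, constructed for the example.

```python
"""Checker for the FIPS power-on self-test (POST) console transcript.

Added example, not Avaya's code. It reads a serial-console capture of the
first boot in FIPS mode and answers the questions a Cryptographic Officer
records: did every self-test report OK, did every module block reach
Success, and did the POST run to COMPLETED. It also returns the SSH
host-key fingerprint printed during the boot.
"""
import re

# Constructed sample: an abridged copy of the procedure's step 6 transcript.
SAMPLE_POST = """\
FIPS POST TEST - STARTED

NVRAM  POST Integrity Test OK
E2PROM POST Integrity Test OK
FIPS Object Module POST Started
        Integrity Test OK
        DRBG AES-256-CTR DF Test OK
        Digest SHA256 Test OK
        HMAC SHA256 Test OK
        Cipher AES-128-ECB Test OK
        Signature RSA 2048 SHA256 PKCS#1 Test OK
        Signature ECDSA P-256 Test OK
FIPS Object Module POST Success
SW/FW POST Integrity Test OK
VoIP DSP0 FIPS POST Started
        Core0 AES  Test OK
        Core0 HMAC Test OK
        Core0 SHA1 Test OK
VoIP DSP0 FIPS POST Success
Generating RSA key, This command may take a few minutes...
.............
Key was created!
Key version: SSH2, RSA
Key Fingerprint: SHA256:X31EqBa0+ikMUASGS0zbFVcjFUCkKzw+U3OGYY/aI/o

FIPS POST TEST - COMPLETED

Enabling External Data Ports
"""

# "<name> Test <status>" lines; checked before module lines because the
# NVRAM/E2PROM/SW-FW integrity lines also contain the word POST.
TEST_LINE = re.compile(r"^(?P<name>.+?)\s+Test\s+(?P<status>\S+)$")
# "<module> POST Started" / "<module> POST Success" block markers.
MODULE_LINE = re.compile(r"^(?P<module>.+?) POST (?P<status>\S+)$")


def parse_post(text):
    """Split a POST console capture into its reportable parts."""
    result = {"started": False, "completed": False, "tests": [],
              "modules": {}, "fingerprint": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "FIPS POST TEST - STARTED":
            result["started"] = True
            continue
        if line == "FIPS POST TEST - COMPLETED":
            result["completed"] = True
            continue
        if line.startswith("Key Fingerprint:"):
            result["fingerprint"] = line.split(":", 1)[1].strip()
            continue
        m = TEST_LINE.match(line)
        if m:
            result["tests"].append((m.group("name"), m.group("status")))
            continue
        m = MODULE_LINE.match(line)
        if m:
            # A later Success line overwrites the module's Started state.
            result["modules"][m.group("module")] = m.group("status")
    return result


def post_problems(text):
    """Return human-readable problems; an empty list means the POST passed."""
    r = parse_post(text)
    problems = []
    if not r["started"]:
        problems.append("no 'FIPS POST TEST - STARTED' marker in capture")
    if not r["tests"]:
        problems.append("no self-test lines found in capture")
    for name, status in r["tests"]:
        if status != "OK":
            problems.append(f"self-test '{name}' reported {status}")
    for module, status in r["modules"].items():
        if status != "Success":
            problems.append(f"module '{module}' ended in state {status}")
    if not r["completed"]:
        problems.append("no 'FIPS POST TEST - COMPLETED' marker "
                        "(boot may have halted in a FIPS error state)")
    if r["fingerprint"] is None:
        problems.append("no SSH host-key fingerprint printed")
    return problems


def post_passed(text):
    """True when the capture shows a clean, complete POST."""
    return not post_problems(text)


if __name__ == "__main__":
    print("POST passed:", post_passed(SAMPLE_POST))
    print("fingerprint:", parse_post(SAMPLE_POST)["fingerprint"])
```

    Feed the checker the text your terminal emulator logged during the reset in step 5; anything other than an empty problem list means the unit should not be put into service until the failing test or truncated boot is explained.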
    
  7. After verifying successful completion of the Power-On Self Tests (POST), the Cryptographic Officer must log in to the gateway using the root login account and default root password as shown below.
    G450 Login: root
    Password: ****
    Response accepted
    
    Password accepted
    
    Note:

    The root user login can be initially used after enabling FIPS approved mode since all other administrative accounts are deleted during zeroization.

  8. The Cryptographic Officer must change the root password from the default password to a new, more secure password as shown below.
    Enter new password: 
    Confirm new password:
    
  9. The Cryptographic Officer must confirm whether Enhanced Access Security Gateway (EASG) is to be enabled or disabled as shown below.
    *****************************************************
    Enhanced Access Security Gateway (EASG) Confirmation.
    *****************************************************
    Please confirm whether Avaya is granted login access to this system.
    You may change this setting any time after confirmation is completed.
    
    Enable EASG:
    By enabling Avaya Logins you are granting Avaya access to your system.
    This is necessary to maximize the performance and value of your Avaya support
    entitlements, allowing Avaya to resolve product issues in a timely manner.
    
    In addition to enabling the Avaya Logins, this product should be registered
    with Avaya and technically onboarded for remote connectivity and alarming.
    Please see the Avaya support site (support.avaya.com/registration) for
    additional information for registering products and establishing remote
    access and alarming.
    
    Disable EASG:
    By disabling Avaya Logins you are preventing Avaya access to your system.
    
    Enter 1 to Enable EASG or 2 to Disable EASG? 2
    
    You have requested Avaya Logins be Disabled.
    Do you want to continue (Y/N)? Y
    
    Avaya Logins have been Disabled.
    
  10. If you use the Gateway Configuration script to complete the basic configuration of the gateway, complete the required process as shown below. The gateway then resets.
    --- Gateway Configuration Script ---
    The script will provide you basic gateway connectivity configuration.
    Configuration Script - do you want to continue (Y/N)? Y
    
    Default settings are in square brackets '[]'.
    Vlan [1] :
    IPv4 Enabled (Y/N)? [Y] : 
    
    IPv4 address [169.254.0.2] :172.16.1.230
    IPv4 Subnet mask [255.255.255.0] :255.255.254.0
    IPv4 Default gateway [172.16.1.1] :172.16.1.254
    IPv6 Enabled (Y/N)? [N] : 
    
    MGC controllers [0.0.0.0] :172.16.1.168
    Hostname [G430] :G430
    Enable Spanning Tree on LAN ports (Y/N/Help)? [Y] : 
    
    The following parameters are about to be configured:
    Vlan                   : 1
    IPv4 address           : 172.16.1.230
    Subnet mask            : 255.255.254.0
    Default gateway        : 172.16.1.254
    MGC controllers        : 172.16.1.168
    Hostname               : G430
    Spanning Tree Protocol : enabled
    The gateway will save those parameters in startup-config and then reset
     - do you want to continue (Y/N)? Y
    
    Please connect your gateway to the network via any Ethernet port
    Saving configuration...
    Resetting the device...
    
  11. The Cryptographic Officer must log in to the gateway using a user login account that has administrative privileges as shown below.
    Login: root 
    Password: **** 
    Password accepted
    
  12. Run the show fips-mode command to verify that FIPS mode is enabled and whether any non-recommended commands remain enabled, as shown below.
    G4xx(super)# show fips
    
    FIPS Mode:  Enabled
    
  13. Run the username command to define new user logins for Crypto-officer, administrators, and users as required.
    G4xx(super)# username crypto-officer access-type admin
    Enter new password: *********
    Confirm password  : *********
    User account added.
    
  14. Run the show username command to verify the successful addition of users.
    G4xx-???(super)# show username 
    User                              Access       Account     Active
    account                           level        type 
    --------------------------------  -----------  ----------  ----------------
    root                              admin        local       yes     
    crypto-officer                    admin        local       yes     
    
  15. To define SNMPv3 users, run the snmp-server user command with the auth sha priv aes128 parameters, as shown below.
    G4xx-001(super)# snmp-server user fips_snmp_user v3ReadWriteG v3 auth sha priv aes128
    Enter authentication password   : ********
    Confirm authentication password : ********
    Enter privacy password   : ********
    Confirm privacy password : ********
    Done!
    
    Note:

    Other combinations of auth-type and priv-type are not permitted in FIPS approved mode.

  16. If you have saved a copy of your previous configuration before enabling FIPS approved mode, refer to it now to perform any additional configuration as needed. For more information, see Configuration changes and backup.
    Note:

    When changing the gateway’s configuration using CLI commands, the system displays an error or warning if the entered command is not FIPS compliant. However, it is important that you consult the Security Policy when making changes to the gateway configuration to ensure FIPS compliance.