Configuration Guidelines
Follow these guidelines before enabling FIPS mode:
- Make your passwords a minimum of eight characters in length.
- Disable Telnet. Users should log in using SSH only.
- Disable remote authentication through RADIUS/TACACS+. Only users local to the switch can be authenticated.
- Disable SNMP v1 and v2. Any existing user accounts on the switch that have been configured for SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.
- Disable VRRP.
- Do not configure FIPS and IPsec together on a switch. With FIPS enabled, if you configure IKE, then FCIP links will not come up.
- Delete all SSH Server RSA1 keypairs.
- Do not configure FIPS and RADIUS together on a switch.
- FIPS cannot function when RADIUS (MD5) is enabled. Note the following:
  - Before you enable FIPS, disable RADIUS or select an authentication protocol other than MD5.
  - Before you enable RADIUS, disable FIPS if you need to use the RADIUS (MD5) authentication protocol.
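The guidelines above can be checked against a saved copy of the switch configuration before FIPS mode is enabled. The following is an added example, not vendor code: the line patterns and the sample configuration are assumptions modelled on NX-OS-style syntax and must be adapted to your release. Password length and SSH RSA1 keypairs do not appear in the configuration text and are not covered.

```python
import re

# (guideline from the list above, pattern matched at the start of a config line).
# Patterns are assumptions about the configuration syntax, not a vendor-supplied list.
RULES = [
    ("Disable Telnet", r"feature telnet(\s|$)"),
    ("Disable remote authentication through RADIUS/TACACS+",
     r"(radius-server|tacacs-server) host\s|aaa authentication login \S+ group\s"),
    ("Disable SNMP v1 and v2", r"snmp-server community\s"),
    ("SNMPv3 users: SHA only for authentication",
     r"snmp-server user\s.*\sauth md5\s"),
    ("Disable VRRP", r"feature vrrp(\s|$)"),
    ("Do not configure FIPS and IPsec (IKE) together",
     r"feature crypto ike(\s|$)"),
]
COMPILED = [(name, re.compile(pattern)) for name, pattern in RULES]


def audit(config_text):
    """Return (line number, guideline, offending line) for each violation."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        # Comments and negated ("no ...") commands are not violations.
        if not line or line.startswith(("!", "no ")):
            continue
        for name, rx in COMPILED:
            if rx.match(line):
                findings.append((lineno, name, line))
    return findings


# Constructed sample configuration (not taken from a real switch).
SAMPLE = """\
feature telnet
no feature vrrp
snmp-server community public group network-operator
snmp-server user admin network-admin auth md5 0xabc priv 0xabc
snmp-server user ops network-operator auth sha 0xdef priv aes-128 0xdef
radius-server host 192.0.2.10 key 7 "x"
feature ssh
"""

if __name__ == "__main__":
    for lineno, guideline, line in audit(SAMPLE):
        print(f"line {lineno}: {guideline}: {line}")
```

An empty result means only that none of these patterns matched; it does not confirm the switch is ready for FIPS mode.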