diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf1.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf1.md
index 60e6a48542f..e43752c042c 100644
--- a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf1.md
+++ b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf1.md
@@ -240,9 +240,9 @@ aaa authorization exec default local
### Management Security SSL Profiles
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
-| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
+| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |
### SSL profile STUN-DTLS Certificates Summary
diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf2.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf2.md
index e5e192667ce..4f04fb312c9 100644
--- a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf2.md
+++ b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf2.md
@@ -240,9 +240,9 @@ aaa authorization exec default local
### Management Security SSL Profiles
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
-| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
+| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |
### SSL profile STUN-DTLS Certificates Summary
diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan1.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan1.md
index 248d830e916..84414a908ee 100644
--- a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan1.md
+++ b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan1.md
@@ -239,9 +239,9 @@ aaa authorization exec default local
### Management Security SSL Profiles
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
-| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
+| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |
### SSL profile STUN-DTLS Certificates Summary
diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan2.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan2.md
index ca91d355000..5bc18f2a6cb 100644
--- a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan2.md
+++ b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan2.md
@@ -239,9 +239,9 @@ aaa authorization exec default local
### Management Security SSL Profiles
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
-| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
+| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |
### SSL profile STUN-DTLS Certificates Summary
diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan1.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan1.md
index c0cd49de3e9..6978d161799 100644
--- a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan1.md
+++ b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan1.md
@@ -236,9 +236,9 @@ aaa authorization exec default local
### Management Security SSL Profiles
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
-| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
+| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |
### SSL profile STUN-DTLS Certificates Summary
diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan2.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan2.md
index f5d04b9a5d2..9d6ab304d28 100644
--- a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan2.md
+++ b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan2.md
@@ -238,9 +238,9 @@ aaa authorization exec default local
### Management Security SSL Profiles
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
-| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
+| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |
### SSL profile STUN-DTLS Certificates Summary
diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site3-wan1.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site3-wan1.md
index 3d5d2d9c577..235045bc10c 100644
--- a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site3-wan1.md
+++ b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site3-wan1.md
@@ -238,9 +238,9 @@ aaa authorization exec default local
### Management Security SSL Profiles
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
-| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
+| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |
### SSL profile STUN-DTLS Certificates Summary
diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md
index 708edc77ebc..5c44adc3aac 100644
--- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md
+++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md
@@ -1452,18 +1452,18 @@ address locking
### Management Security SSL Profiles
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
-| certificate-profile | - | eAPI.crt | eAPI.key | - | ca.crl
intermediate.crl |
-| cipher-list-profile | - | - | - | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 | - |
-| SSL_PROFILE | 1.1 1.2 | SSL_CERT | SSL_KEY | - | - |
-| test1-chain-cert | - | - | - | - | - |
-| test1-trust-cert | - | - | - | - | - |
-| test2-chain-cert | - | - | - | - | - |
-| test2-trust-cert | - | - | - | - | - |
-| tls-single-version-profile-as-float | 1.0 | - | - | - | - |
-| tls-single-version-profile-as-string | 1.1 | - | - | - | - |
-| tls-versions-profile | 1.0 1.1 | - | - | - | - |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
+| certificate-profile | - | eAPI.crt | eAPI.key | - | ca.crl
intermediate.crl | False |
+| cipher-list-profile | - | - | - | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 | - | False |
+| SSL_PROFILE | 1.1 1.2 | SSL_CERT | SSL_KEY | - | - | True |
+| test1-chain-cert | - | - | - | - | - | - |
+| test1-trust-cert | - | - | - | - | - | - |
+| test2-chain-cert | - | - | - | - | - | - |
+| test2-trust-cert | - | - | - | - | - | - |
+| tls-single-version-profile-as-float | 1.0 | - | - | - | - | - |
+| tls-single-version-profile-as-string | 1.1 | - | - | - | - | - |
+| tls-versions-profile | 1.0 1.1 | - | - | - | - | True |
### SSL profile test1-chain-cert Certificates Summary
@@ -1556,6 +1556,7 @@ management security
!
ssl profile SSL_PROFILE
tls versions 1.1 1.2
+ fips restrictions
certificate SSL_CERT key SSL_KEY
!
ssl profile test1-chain-cert
@@ -1584,6 +1585,7 @@ management security
!
ssl profile tls-versions-profile
tls versions 1.0 1.1
+ fips restrictions
```
## Prompt Device Configuration
diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md
index cfdfc2cb655..2fd28f89e38 100644
--- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md
+++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md
@@ -335,9 +335,9 @@ aaa accounting exec default none
### Management Security SSL Profiles
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
-| cipher-v1.0-v1.3 | - | - | - | v1.0 to v1.2: SHA256:SHA384
v1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | - |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
+| cipher-v1.0-v1.3 | - | - | - | v1.0 to v1.2: SHA256:SHA384
v1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | - | - |
### Management Security Device Configuration
diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg
index a392ea52dcf..2742a516cbf 100644
--- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg
+++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg
@@ -1354,6 +1354,7 @@ management security
!
ssl profile SSL_PROFILE
tls versions 1.1 1.2
+ fips restrictions
certificate SSL_CERT key SSL_KEY
!
ssl profile test1-chain-cert
@@ -1382,6 +1383,7 @@ management security
!
ssl profile tls-versions-profile
tls versions 1.0 1.1
+ fips restrictions
!
radius-server deadtime 10
radius-server attribute 32 include-in-access-req hostname
diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host1/management-security.yml b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host1/management-security.yml
index 01c91089d33..20396f18e4d 100644
--- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host1/management-security.yml
+++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host1/management-security.yml
@@ -23,15 +23,19 @@ management_security:
sequential: 7
ssl_profiles:
- name: SSL_PROFILE
+ fips_restrictions: true
tls_versions: 1.1 1.2
certificate:
file: SSL_CERT
key: SSL_KEY
- name: tls-versions-profile
+ fips_restrictions: true
tls_versions: "1.0 1.1"
- name: cipher-list-profile
+ fips_restrictions: false
cipher_list: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
- name: certificate-profile
+ fips_restrictions: false
certificate:
file: eAPI.crt
key: eAPI.key
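Review bot: The two profiles that set `fips_restrictions: true` here are `SSL_PROFILE` (`tls_versions: 1.1 1.2`) and `tls-versions-profile` (`tls_versions: "1.0 1.1"`), so the shipped example data demonstrates FIPS restrictions only on profiles that also permit non-FIPS protocol versions. Anyone copying this as a template gets a self-contradictory profile, and the intended config in this same commit renders `tls versions 1.0 1.1` directly followed by `fips restrictions`. I'd move the positive case to a profile whose `tls_versions` is `1.2` only, e.g. `- name: SSL_PROFILE`, `  fips_restrictions: true`, `  tls_versions: "1.2"`, and add one `fips_restrictions: true` entry beside a `ciphers` dictionary so the rendering of `fips restrictions` next to `cipher v1.3` is exercised as well. The `ssl_profiles` list continues beyond the hunk.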
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-security.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-security.md
index 9600f59bd9e..f54245b4931 100644
--- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-security.md
+++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-security.md
@@ -30,6 +30,7 @@
| [ sequential](## "management_security.password.policies.[].maximum.sequential") | Integer | | | Min: 1
Max: 65535 | |
| [ ssl_profiles](## "management_security.ssl_profiles") | List, items: Dictionary | | | | |
| [ - name](## "management_security.ssl_profiles.[].name") | String | | | | |
+ | [ fips_restrictions](## "management_security.ssl_profiles.[].fips_restrictions") | Boolean | | | | Use FIPS compliant algorithms. |
| [ tls_versions](## "management_security.ssl_profiles.[].tls_versions") | String | | | | List of allowed TLS versions as string.
Examples:
- "1.0"
- "1.0 1.1"
|
| [ cipher_list](## "management_security.ssl_profiles.[].cipher_list") | String | | | | cipher_list syntax follows the openssl cipher strings format.
Colon (:) separated list of allowed ciphers as a string.
Not supported on EOS version starting 4.32.0F, use the `ciphers` setting instead.
|
| [ ciphers](## "management_security.ssl_profiles.[].ciphers") | Dictionary | | | | This setting is applicable to EOS versions 4.32.0F and later. |
@@ -108,6 +109,9 @@
ssl_profiles:
- name:
+ # Use FIPS compliant algorithms.
+ fips_restrictions:
+
# List of allowed TLS versions as string.
# Examples:
# - "1.0"
diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2
index f410338f78c..6fbe0edaedc 100644
--- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2
+++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2
@@ -34,8 +34,8 @@
### Management Security SSL Profiles
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
{% set ssl_profiles_certs = [] %}
{% for ssl_profile in management_security.ssl_profiles | arista.avd.natural_sort %}
{% set crls = "-" %}
@@ -53,7 +53,7 @@
{% elif ssl_profile.cipher_list is arista.avd.defined %}
{% set ciphers = [ssl_profile.cipher_list] %}
{% endif %}
-| {{ ssl_profile.name | arista.avd.default('-') }} | {{ ssl_profile.tls_versions | arista.avd.default('-') }} | {{ ssl_profile.certificate.file | arista.avd.default('-') }} | {{ ssl_profile.certificate.key | arista.avd.default('-') }} | {{ ciphers | arista.avd.default(['-']) | join('
') }} | {{ crls }} |
+| {{ ssl_profile.name | arista.avd.default('-') }} | {{ ssl_profile.tls_versions | arista.avd.default('-') }} | {{ ssl_profile.certificate.file | arista.avd.default('-') }} | {{ ssl_profile.certificate.key | arista.avd.default('-') }} | {{ ciphers | arista.avd.default(['-']) | join('
') }} | {{ crls }} | {{ ssl_profile.fips_restrictions | arista.avd.default('-') }} |
{% set tmp_cert = {} %}
{% if ssl_profile.trust_certificate is arista.avd.defined %}
{% set tmp_cert = {'trust_certificate': ssl_profile.trust_certificate} %}
diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-security.j2
index 7c54cb9cff3..60656eb8e5d 100644
--- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-security.j2
+++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-security.j2
@@ -90,6 +90,9 @@ management security
{% if ssl_profile.tls_versions is arista.avd.defined %}
tls versions {{ ssl_profile.tls_versions }}
{% endif %}
+{% if ssl_profile.fips_restrictions is arista.avd.defined(true) %}
+ fips restrictions
+{% endif %}
{% if ssl_profile.ciphers.v1_0 is arista.avd.defined %}
cipher v1.0 {{ ssl_profile.ciphers.v1_0 }}
{% elif ssl_profile.cipher_list is arista.avd.defined %}
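Review bot: The new block emits `fips restrictions` whenever the flag is true without any check against the profile's `tls_versions`, `cipher_list` or `ciphers`, so a profile like host1's `tls-versions-profile` renders `tls versions 1.0 1.1` immediately followed by `fips restrictions`. TLS 1.0 and 1.1 are not FIPS-approved protocol versions, so the rendered profile is contradictory; I can't confirm from here whether EOS rejects the line or silently narrows the accepted versions, but either outcome surprises the operator. I'd rather fail at schema validation when `fips_restrictions: true` is combined with a version below 1.2, or at minimum state the caveat on the key's description. The position of the line between `tls versions` and `cipher` should also be confirmed against the order EOS prints in `show running-config`, otherwise config-diff tooling will report churn on every run. The enclosing `for ssl_profile` loop starts and ends outside the hunk.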
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py b/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py
index f224ee8115e..4fea0874c1f 100644
--- a/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py
+++ b/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py
@@ -21592,6 +21592,7 @@ class CertificateRevocationLists(AvdList[str]):
_fields: ClassVar[dict] = {
"name": {"type": str},
+ "fips_restrictions": {"type": bool},
"tls_versions": {"type": str},
"cipher_list": {"type": str},
"ciphers": {"type": Ciphers},
@@ -21602,6 +21603,8 @@ class CertificateRevocationLists(AvdList[str]):
"_custom_data": {"type": dict},
}
name: str | None
+ fips_restrictions: bool | None
+ """Use FIPS compliant algorithms."""
tls_versions: str | None
"""
List of allowed TLS versions as string.
@@ -21647,6 +21650,7 @@ def __init__(
self,
*,
name: str | None | UndefinedType = Undefined,
+ fips_restrictions: bool | None | UndefinedType = Undefined,
tls_versions: str | None | UndefinedType = Undefined,
cipher_list: str | None | UndefinedType = Undefined,
ciphers: Ciphers | UndefinedType = Undefined,
@@ -21664,6 +21668,7 @@ def __init__(
Args:
name: name
+ fips_restrictions: Use FIPS compliant algorithms.
tls_versions:
List of allowed TLS versions as string.
Examples: # fmt: skip
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml
index 5acc5cf0cb0..b93103d0029 100644
--- a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml
+++ b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml
@@ -7517,6 +7517,9 @@ keys:
keys:
name:
type: str
+ fips_restrictions:
+ type: bool
+ description: Use FIPS compliant algorithms.
tls_versions:
type: str
description: "List of allowed TLS versions as string.\nExamples:\n -
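Review bot: The description `Use FIPS compliant algorithms.` does not say what the key renders or whether AVD reconciles it with the sibling keys, so a user cannot tell if `tls_versions` or `cipher_list` values that are not FIPS-approved will be rejected, trimmed or passed through. This file is generated from `schema_fragments/management_security.schema.yml`, so the wording belongs there and should be regenerated into this file and `schema/__init__.py`. I'd use: `Render 'fips restrictions' under the SSL profile so EOS only accepts FIPS-approved algorithms. AVD does not validate this against tls_versions, cipher_list or ciphers; TLS 1.0/1.1 or non-FIPS cipher strings on the same profile are rendered unchanged.`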
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml
index 529b494c844..127141b64a2 100644
--- a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml
+++ b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml
@@ -101,6 +101,9 @@ keys:
keys:
name:
type: str
+ fips_restrictions:
+ type: bool
+ description: Use FIPS compliant algorithms.
tls_versions:
type: str
description: |