ISE FIPS mode authentication with headless endpoints

jideji
Cisco Employee

We have a customer that would like to authenticate headless endpoints (e.g. printers, phones, etc.) attached to a Juniper switch with host lookup after FIPS is enabled. I currently have a device profile configured for the Juniper switch in ISE, and host lookup. Please, is there a better way to authenticate headless devices with the Juniper device profile configured in ISE with FIPS mode enabled? Any pointers will be greatly appreciated.


6 Replies

Craig Hyps
Level 10

Jacob, since there are multiple questions related to the same topic, I am flagging this as a duplicate of MAB with Juniper devices in FIPS mode.

I have not found a definitive reference related to FIPS compliance with MAC Authentication other than typical statements that unencrypted passwords or weak ciphers/hashes such as EAP-MD5, PAP, CHAP, and MSCHAPv1/v2 are explicitly not supported.  Even though these protocols are disabled in FIPS mode, the basic host lookup function can still authenticate endpoints based on their MAC address.

Most references state that MAC Auth by its nature is easily spoofed since L2 headers appear in the clear, but use of EAP-MD5 or other context does offer better security and a next best choice over simple cleartext. I would check with your security officer for a more official statement. There may also be the option to implement compensating controls such as MACsec along the link. I don't think Juniper switches support it, but ISE also supports DTLS and IPsec for encryption between NAD and PSN. IPsec may be sufficient for this connection, but client to NAD is still in the clear.

On a related note, I did find this useful post: cisco - Are RADIUS and TACACS+ Ever Allowed in FIPS 140-2 Compliant Scenarios? - Information Security Stack Exchange

In short, I think it is best to confirm with your security team/auditor as to best approach where endpoints do not support more secure auth protocols.  There is obviously a difference between "will it work" versus "does it sufficiently protect" versus "compliance checkbox".

Craig

Thanks, sir. Authenticating the endpoints with their MAC address is exactly what we would like to accomplish under FIPS mode. However, we can't find any clear documentation to get this done via host lookup on any type of device, either a Cisco switch or any other vendor. Thanks again.

My point is that you may get it to work using the host lookup option; the specific NAD profile will depend on switch model and config. Cisco switches set Service-Type = Call-Check, which is the signal to ISE to treat the flow as a simple MAC lookup in the endpoint database. We use different parameter matches for Juniper (default uses Service-Type = Framed) with optional protocol matches for further checking Calling Station ID and password values. Even then, it may not be deemed FIPS compliant without compensating controls.
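To make the per-vendor host lookup decision above concrete, here is a small model of it, added as an illustration for this thread (it is not ISE code, and the exact attribute checks in ISE's built-in profiles are assumptions based on the reply): a Cisco-style profile keys on Service-Type = Call-Check, while the Juniper-style profile keys on Service-Type = Framed and additionally requires User-Name and User-Password to equal the MAC in Calling-Station-Id, so an ordinary 802.1X/PAP request is not mistaken for a MAC lookup.

```python
"""Model of a RADIUS server deciding whether an Access-Request is a host
lookup (MAB) under a per-vendor NAD profile. Constructed example, not ISE
code; profile rules are assumptions loosely based on the thread."""
import re

# Standard RADIUS Service-Type values (RFC 2865 / RFC 2869).
SERVICE_TYPE_FRAMED = 2
SERVICE_TYPE_CALL_CHECK = 10

# Assumed NAD profile rules (constructed): Cisco signals MAB with Call-Check;
# Juniper sends Framed, so the MAC must also appear as username/password.
NAD_PROFILES = {
    "cisco": {"service_type": SERVICE_TYPE_CALL_CHECK, "check_password": False},
    "juniper": {"service_type": SERVICE_TYPE_FRAMED, "check_password": True},
}


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC.
    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff."""
    digits = re.sub(r"[:.\-]", "", value.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def is_host_lookup(request, vendor):
    """Decide whether `request` (dict of already-decoded RADIUS attributes;
    User-Password is assumed decrypted) is a MAC lookup under the vendor's
    NAD profile. Returns (decision, reason)."""
    profile = NAD_PROFILES[vendor]
    if request.get("Service-Type") != profile["service_type"]:
        return False, "Service-Type does not match profile"
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    if mac is None:
        return False, "Calling-Station-Id is not a MAC address"
    # A switch doing real 802.1X/PAP sends a user identity here, not the MAC.
    if normalize_mac(request.get("User-Name", "")) != mac:
        return False, "User-Name does not equal Calling-Station-Id"
    if profile["check_password"] and normalize_mac(request.get("User-Password", "")) != mac:
        return False, "User-Password does not equal MAC"
    return True, "host lookup"


def lookup_endpoint(request, vendor, endpoint_db):
    """Full MAB decision: is this a host lookup, and is the MAC known?
    endpoint_db is a set of normalized MACs (constructed sample data)."""
    ok, reason = is_host_lookup(request, vendor)
    if not ok:
        return "Reject", reason
    mac = normalize_mac(request["Calling-Station-Id"])
    return ("Accept", "known endpoint") if mac in endpoint_db else ("Reject", "unknown MAC")
```

Note that the accept path only proves the switch reported a known MAC; as the thread says, that is a lookup, not a cryptographic authentication, which is why compensating controls still matter.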

Thanks.

hslai
Cisco Employee

If Juniper network devices support it, you might want to consider IPSec instead of FIPS mode. For an example, see Configure ISE 2.2 IPSEC to Secure NAD (IOS) Communication - Cisco

jideji
Cisco Employee

Thanks.