NEAT configuration help - ISE with FIPS enabled

jujj
Level 1

I have been trying to do research on NEAT configurations while ISE has FIPS enabled. I have found configuration guides for EAP-MD5, but this is disabled with FIPS. Does anyone have any experience with this configuration?

I am willing to test any other method, but I am unsure how to go about it.

Thanks in advance for any advice.

1 Reply

srigovi2
Cisco Employee

Hi,

When FIPS is enabled, the cryptographic algorithms used for authentication and encryption must meet specific FIPS requirements. EAP-MD5 is not a FIPS-approved algorithm, so it cannot be used when FIPS is enabled.

One option for NEAT configuration with FIPS enabled is to use a FIPS-approved EAP method, such as EAP-TLS (Transport Layer Security) or PEAP (Protected Extensible Authentication Protocol). These methods use FIPS-approved cryptographic algorithms for authentication and encryption.

The certificates that are installed in Cisco ISE must be re-issued if the encryption method that is used in the certificates is not supported by FIPS.

When you enable the FIPS mode, the following functions are affected:

Lightweight Directory Access Protocol (LDAP) over SSL

Cisco ISE enables FIPS 140 compliance via RADIUS shared secret and key management measures. When the FIPS mode is enabled, any function that uses a non-FIPS-compliant algorithm fails.

When you enable the FIPS mode:

All non-FIPS-compliant cipher suites are disabled for EAP-TLS, PEAP, and EAP-FAST.

All non-FIPS-compliant cipher suites are disabled in SSH.

Certificates and private keys must use only FIPS-compliant hash and encryption algorithms.

RSA private keys must be 2048 bits or greater.

ECDSA private keys must be 224 bits or greater.

ECDSA server certificate works with only TLS 1.2.

DHE ciphers work with DH parameters of 2048 bits or greater for all ISE TLS clients.

3DES ciphers are not allowed for Cisco ISE as a server.

SHA-1 is not allowed for generating certificates.

SHA-1 is not allowed in client certificates.

The anonymous PAC provisioning option in EAP-FAST is disabled.

The local SSH server operates in FIPS mode.

The following protocols are not supported for RADIUS:

EAP-MD5

PAP

CHAP

MS-CHAPv1

MS-CHAPv2

LEAP

Once the FIPS Mode is enabled, all the nodes in the deployment are rebooted automatically. Cisco ISE performs a rolling restart by first restarting the primary PAN and then restarting each secondary node, one at a time. Hence, it is recommended that you plan for the downtime before changing the configuration.

Another option is to use a non-EAP method, such as MAC Authentication Bypass (MAB), which does not require cryptographic algorithms and can be used with FIPS enabled.


Thanks,
G.Srinivasan
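The reply lists the certificate rules ISE enforces in FIPS mode (RSA keys of 2048 bits or more, ECDSA keys of 224 bits or more, no SHA-1). The following is an added example, not code from the thread or from Cisco ISE, that audits a certificate against those three rules so you can find certificates that will need re-issuing before enabling FIPS; it assumes the third-party `cryptography` package and builds two constructed self-signed certificates as sample input.

```python
# Added example: audit X.509 certificates against the FIPS-mode certificate
# rules listed in the reply (RSA >= 2048, ECDSA >= 224, no SHA-1/MD5 signatures).
# Requires the third-party `cryptography` package; the sample certificates
# below are constructed here, not taken from any ISE deployment.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID


def fips_findings(cert: x509.Certificate) -> list[str]:
    """Return the FIPS certificate rules a certificate violates (empty = passes)."""
    findings = []
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey):
        if key.key_size < 2048:
            findings.append(f"RSA key is {key.key_size} bits; FIPS mode needs 2048 or more")
    elif isinstance(key, ec.EllipticCurvePublicKey):
        if key.curve.key_size < 224:
            findings.append(f"ECDSA key is {key.curve.key_size} bits; FIPS mode needs 224 or more")
    else:
        findings.append(f"{type(key).__name__} is neither an RSA nor an ECDSA key")
    sig_hash = cert.signature_hash_algorithm  # None for keys such as Ed25519
    if sig_hash is None or isinstance(sig_hash, (hashes.SHA1, hashes.MD5)):
        name = sig_hash.name if sig_hash else "unknown"
        findings.append(f"signature hash {name} is not allowed for certificates")
    return findings


def self_signed(private_key, hash_alg=hashes.SHA256()) -> x509.Certificate:
    """Build a constructed self-signed certificate (hypothetical CN) for the checks."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ise.example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(private_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .sign(private_key, hash_alg)
    )


# Constructed samples: a legacy 1024-bit RSA certificate and a compliant 2048-bit one.
LEGACY_CERT = self_signed(rsa.generate_private_key(65537, 1024))
COMPLIANT_CERT = self_signed(rsa.generate_private_key(65537, 2048))
```

Run `fips_findings` over each certificate exported from the ISE trust and system certificate stores; any certificate that returns findings must be re-issued before FIPS mode is switched on.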