https://community.cisco.com/t5/network-access-control/radsec-in-fips-mode/m-p/5028467#M587777 <P>This space is intended for questions related to Cisco NAC platforms, like ISE.</P> <P>Is this the switch offering the cipher or the RADIUS server (Cisco ISE)? If it's the switch, your question would likely be better posted to the <A href="https://community.cisco.com/t5/switching/bd-p/6016-discussions-lan-switching-routing" target="_blank" rel="noopener">Switching</A> Community space.</P> <P>It would also be important to include the exact model of the switch and any other relevant details on your setup.</P> Thu, 29 Feb 2024 00:36:45 GMT Greg Gibbs 2024-02-29T00:36:45Z https://community.cisco.com/t5/network-access-control/radsec-in-fips-mode/m-p/5019058#M587375 <P>We are running a switch in FIPS mode with RADSEC configured.&nbsp; When the&nbsp;RADSEC client on the switch attempts to establish a connection to the RADIUS server over 2083/tcp, it offers only TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV as cipher suites.&nbsp; This is not expected behavoir as FIPS mode should disable SHA1 and ends up failing the TLS connection with "no shared cipher".&nbsp; The switch has Cisco IOS XE Version 17.13.01 installed.</P><P>Has anyone has seen this behavior? Why would it offer a cipher with a SHA1 hash if it is in FIPS mode?&nbsp; Is there a way to configure FIPS validated ciphers for the RADSEC client?</P><P><FONT size="3"><STRONG>RADSEC ClientHello</STRONG></FONT></P><P><FONT size="3"><EM>Header:</EM></FONT><BR /><FONT size="3"><EM>Version = TLS 1.0 (0x301)</EM></FONT><BR /><FONT size="3"><EM>Content Type = Handshake (22)</EM></FONT><BR /><FONT size="3"><EM>Length = 103</EM></FONT><BR /><FONT size="3"><EM>ClientHello, Length=99</EM></FONT><BR /><FONT size="3"><EM>client_version=0x303 (TLS 1.2)</EM></FONT><BR /><FONT size="3"><EM>Random:</EM></FONT><BR /><FONT size="3"><EM>random_bytes (len=28): 503D6BA9AED31898AFBACDDE8A4AA6F6B737FD8BBD95C4D82D9E1588</EM></FONT><BR /><FONT size="3"><EM>session_id (len=0): </EM></FONT><BR /><FONT size="3"><EM>cipher_suites (len=4)</EM></FONT><BR /><FONT size="3"><EM>{0x00, 0x2F} TLS_RSA_WITH_AES_128_CBC_SHA</EM></FONT><BR /><FONT size="3"><EM>{0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV</EM></FONT><BR /><FONT size="3"><EM>compression_methods (len=1)</EM></FONT><BR /><FONT size="3"><EM>No Compression (0x00)</EM></FONT><BR /><FONT size="3"><EM>extensions, length = 54</EM></FONT><BR /><FONT size="3"><EM>extension_type=session_ticket(35), length=0</EM></FONT><BR /><FONT size="3"><EM>extension_type=encrypt_then_mac(22), length=0</EM></FONT><BR /><FONT size="3"><EM>extension_type=extended_master_secret(23), length=0</EM></FONT><BR /><FONT size="3"><EM>extension_type=signature_algorithms(13), length=38</EM></FONT><BR /><FONT size="3"><EM>ecdsa_secp256r1_sha256 (0x0403)</EM></FONT><BR /><FONT size="3"><EM>ecdsa_secp384r1_sha384 (0x0503)</EM></FONT><BR /><FONT size="3"><EM>ecdsa_secp521r1_sha512 (0x0603)</EM></FONT><BR /><FONT size="3"><EM>ed25519 (0x0807)</EM></FONT><BR /><FONT size="3"><EM>ed448 (0x0808)</EM></FONT><BR /><FONT size="3"><EM>rsa_pss_pss_sha256 (0x0809)</EM></FONT><BR /><FONT size="3"><EM>rsa_pss_pss_sha384 (0x080a)</EM></FONT><BR /><FONT size="3"><EM>rsa_pss_pss_sha512 (0x080b)</EM></FONT><BR /><FONT size="3"><EM>rsa_pss_rsae_sha256 (0x0804)</EM></FONT><BR /><FONT size="3"><EM>rsa_pss_rsae_sha384 (0x0805)</EM></FONT><BR /><FONT size="3"><EM>rsa_pss_rsae_sha512 (0x0806)</EM></FONT><BR /><FONT size="3"><EM>rsa_pkcs1_sha256 (0x0401)</EM></FONT><BR /><FONT size="3"><EM>rsa_pkcs1_sha384 (0x0501)</EM></FONT><BR /><FONT size="3"><EM>rsa_pkcs1_sha512 (0x0601)</EM></FONT><BR /><FONT size="3"><EM>ecdsa_sha224 (0x0303)</EM></FONT><BR /><FONT size="3"><EM>ecdsa_sha1 (0x0203)</EM></FONT><BR /><FONT size="3"><EM>rsa_pkcs1_sha224 (0x0301)</EM></FONT><BR /><FONT size="3"><EM>rsa_pkcs1_sha1 (0x0201)</EM></FONT></P> Fri, 16 Feb 2024 00:57:28 GMT https://community.cisco.com/t5/network-access-control/radsec-in-fips-mode/m-p/5019058#M587375 stevej3295 2024-02-16T00:57:28Z https://community.cisco.com/t5/network-access-control/radsec-in-fips-mode/m-p/5028396#M587772 <P>I've never had a customer ask about this and I have never seen this implemented in the wild. Which possibly means that there are not many eyes on this, and when things don't work as expected, then it will be up to pioneers, such as yourself, *smiley face* to report that to TAC.&nbsp;</P> <P>&nbsp;</P> Wed, 28 Feb 2024 23:36:25 GMT https://community.cisco.com/t5/network-access-control/radsec-in-fips-mode/m-p/5028396#M587772 Arne Bier 2024-02-28T23:36:25Z https://community.cisco.com/t5/network-access-control/radsec-in-fips-mode/m-p/5028467#M587777 <P>This space is intended for questions related to Cisco NAC platforms, like ISE.</P> <P>Is this the switch offering the cipher or the RADIUS server (Cisco ISE)? If it's the switch, your question would likely be better posted to the <A href="https://community.cisco.com/t5/switching/bd-p/6016-discussions-lan-switching-routing" target="_blank" rel="noopener">Switching</A> Community space.</P> <P>It would also be important to include the exact model of the switch and any other relevant details on your setup.</P> Thu, 29 Feb 2024 00:36:45 GMT https://community.cisco.com/t5/network-access-control/radsec-in-fips-mode/m-p/5028467#M587777 Greg Gibbs 2024-02-29T00:36:45Z