topic Re: creating a new vmware repository for ISE 3.2 - FIPS 140 compliant? in Network Access Control

creating a new vmware repository for ISE 3.2 - FIPS 140 compliant?

NatalieNDeGennaro72244 — Thu, 20 Jun 2024 13:05:19 GMT

asking for my group to create a new vmware repository for our ISE 3.2 cluster (4 nodes = primary PAN/MnT & PSN and secondary PAN/MnT & PSN) and I see this note on Cisco Docs under "Create Repositories":

"Cisco ISE initiates outbound SSH or SFTP connections in FIPS mode even if FIPS mode is not enabled on ISE. Ensure that the remote SSH or SFTP servers that communicate with ISE allow FIPS 140 approved cryptographic algorithms. Cisco ISE uses embedded FIPS 140 validated cryptographic modules."

Anyone know if I need to request anything special in getting my vmware team to create my new repository? This cluster is being used for our PCI (payment card industry) environment and only does AAA but no NAC. Our vmware vsphere is version 8.0.2.00300

Thanks in advance!

Re: creating a new vmware repository for ISE 3.2 - FIPS 140 compliant?

Torbjørn — Thu, 20 Jun 2024 13:39:44 GMT

From a technology perspective your ISE node will not be able to establish a SSH/SFTP connection to a repository if it doesn't support FIPS 140 compliant ciphers/algorithms. So as long as your VMware team sets up a repository which is FIPS 140 compliant itself you should be within compliance.

EDIT: Note that I am not a compliance guru. If in doubt, check with your Cisco contact/account manager.

Re: creating a new vmware repository for ISE 3.2 - FIPS 140 compliant?

NatalieNDeGennaro72244 — Thu, 20 Jun 2024 17:53:39 GMT

Thank you Torbjorn, but I am looking for any direction I need to give my vmware team as to how the repository vm needs to be created and if any certain settings need to be configured on the new vm.

Re: creating a new vmware repository for ISE 3.2 - FIPS 140 compliant?

adamscottmaster2013 — Thu, 20 Jun 2024 20:22:46 GMT

In order to meet this requirements, you will need to setup the external SFTP server with the followings:

debug2: KEX algorithms: ecdh-sha2-nistp521
debug2: host key algorithms: ecdsa-sha2-nistp256
debug2: ciphers ctos: aes256-ctr,aes256-gcm@openssh.com
debug2: ciphers stoc: aes256-ctr,aes256-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512

Assuming the external server is a Ubuntu Linux server, you need to modify the /etc/ssh/sshd_config to:

Kexalgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp521
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256
MACs hmac-sha2-256,hmac-sha2-512
Ciphers aes256-ctr,aes256-gcm@openssh.com

To make sure that your ISE server can only use these parameters, you need to open a TAC case with Cisco and have cisco "root" into the ISE and modify the /etc/ssh/ssh_config file to set it up so that it only uses the parameters.

By default, Cisco ISE can connect to external 140-2 FIPS sFTP server without any issues but let say someone changes the settings on the external sFTP server to make it NOT 140-2 FIPS compliant. Well, Cisco ISE can still connect to the external SFTP server and nobody would know unless you run debug on on sshd. By locking the ISE ssh client on the ise via /etc/ssh/ssh_config, you make sure that BOTH sides are FIPS 140-2.

Hope that help.

Re: creating a new vmware repository for ISE 3.2 - FIPS 140 compliant?

NatalieNDeGennaro72244 — Mon, 24 Jun 2024 12:14:31 GMT

Thanks adamscottmaster2013! This information is exactly what I was looking for. I can now request the vm be created and then once it is I will put in a TAC case to get our ISE cluster configured. Thanks!

Re: creating a new vmware repository for ISE 3.2 - FIPS 140 compliant?

NatalieNDeGennaro72244 — Mon, 24 Jun 2024 12:39:14 GMT

Actually, the new repository will be RHEL 8.2