Can I enable FIPS 140-2 with ACI and TACACS+ on my APICs?

To be STIG compliant with the new infrastructure I'm looking to implement, FIPS mode has to be enabled on my APICs. The problem is that with FIPS mode, TACACS doesn't work. This puts us in a bind as we use RSA tokens. We looked at the idea of using LDAP as well. The issue with that is that we don't want to use passwords, and an LDAP setup would have to involve the sysadmins doing as little work as possible. We also looked at cutting out our TACACS server and using RSA to authenticate against groups created in the APICs, but RSA uses RADIUS, which is also blocked by FIPS mode.


1. Is there a way to enable FIPS mode on only certain ports? The configuration guide says there isn't, so I'm guessing there definitely isn't.

2. Has anyone used LDAP authentication with RSA?

3. What other options do we have so that we can still utilize RSA tokens?

Cisco Employee

I'm familiar with your struggle. With FIPS mode enabled, there's no way to use TACACS+ since it is not a FIPS-compliant protocol. I think your options are going to be limited to either using the built-in smartcard authentication (which, admittedly, has not yet been very well fleshed out, but it satisfies inspectors), or to use Active Directory Federated Services. ADFS will be an additional server/service that has to be run, but it's a more robust solution that supports both smartcard auth and RSA tokens with the right plugin/agent. That said, I haven't seen any customers in these kinds of environments deploy ADFS yet; the ones I have supported either use the native x509 auth or eat the finding on local auth.

The APIC has built in smartcard authentication? Do you have a resource for this?

It was added in 4.0(1). A quick search didn't turn up any external resources, but the gist of it is:

1) Import the CA certificate (Admin > AAA > Security > Public Key Management > Certificate Authorities).

2) Map the desired field on the smartcard to the user's local account (User Certificate Attribute field; for matching on just the Common Name, you would enter something like CN=TIM.R).

3) Assign the CA as the trustpoint for client cert auth at Fabric > Fabric Policies > Policies > Pod > Management Access > default (Client Certificate TP dropdown).

4) Turn on certificate authentication by toggling Client Certificate Authentication State to Enabled.

I'll caveat this by saying that when you enable CAC auth, it only works over HTTPS, and it won't let you use any other kind of auth for HTTPS.  This means if you had multiple domains set up, or if you are unable to log in with your smartcard for some reason, you have to log into CLI with your regular user/pass and disable certificate authentication.
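To make step 2 concrete, here is an added example (not Cisco code and not from this thread) of how a "User Certificate Attribute" such as CN=TIM.R can be evaluated against a smartcard's subject DN. The reply only says the attribute looks "something like CN=TIM.R", so the matching rule used here (every RDN in the configured attribute must appear in the certificate subject, and exactly one local account may match) and the sample accounts and subject are assumptions.

```python
"""Illustrative matching of a client certificate subject against the
"User Certificate Attribute" configured on local APIC accounts.

Added example for this thread, not Cisco's implementation. The matching
rule is an assumption: each RDN listed in the user's attribute must be
present in the certificate subject (attribute types compared
case-insensitively, values exactly), and only one account may match.
"""
import re


def parse_dn(dn):
    """Split an RFC 2253 style DN into (TYPE, value) pairs.
    Commas escaped with a backslash stay inside the value."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr_type, _, value = rdn.partition('=')
        pairs.append((attr_type.strip().upper(),
                      value.replace('\\,', ',').strip()))
    return pairs


def subject_matches(cert_subject, user_attribute):
    """True if every RDN in the configured attribute appears in the subject."""
    subject = set(parse_dn(cert_subject))
    required = parse_dn(user_attribute)
    return bool(required) and all(rdn in subject for rdn in required)


def resolve_local_user(cert_subject, local_accounts):
    """Return the single local account whose attribute matches, else None.
    None is the case where HTTPS login with the card would fail and the
    CLI fallback described in the thread is needed."""
    matches = [user for user, attr in local_accounts.items()
               if subject_matches(cert_subject, attr)]
    return matches[0] if len(matches) == 1 else None


# Constructed sample data (hypothetical accounts and card subject).
LOCAL_ACCOUNTS = {
    "tim.r": "CN=TIM.R",
    "ops-admin": "CN=OPS.ADMIN,OU=Network Ops",
}
CARD_SUBJECT = "CN=TIM.R,OU=Network Ops,O=Example Agency\\, Inc,C=US"

if __name__ == "__main__":
    print(resolve_local_user(CARD_SUBJECT, LOCAL_ACCOUNTS))  # tim.r
```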