To be STIG compliant with the new infrastructure I'm looking to implement, FIPS mode has to be enabled on my APICs. The problem is that with FIPS mode, TACACS doesn't work. This puts us in a bind as we use RSA tokens. We looked at the idea of using LDAP as well. The issue with that is that we don't want to use passwords, and an LDAP setup would have to involve the sysadmins in doing as little work as possible. We also looked at cutting out our TACACS server and using RSA to authenticate against groups created in the APICs, but RSA uses RADIUS, which is also blocked by FIPS mode.
1. Is there a way to enable FIPS mode on only certain ports? The configuration guide says there isn't, so I'm guessing there definitely isn't.
2. Has anyone used LDAP authentication with RSA?
3. What other options do we have so that we can still utilize RSA tokens?
It was added in 4.0(1). A quick search didn't turn up any external resources, but the gist of it is:
1) Import the CA certificate (Admin > AAA > Security > Public Key Management > Certificate Authorities).
2) Map the desired field on the smartcard to the user's local account (User Certificate Attribute field; for matching on just the Common Name, you would enter something like CN=TIM.R).
3) Assign the CA as the trustpoint for client cert auth at Fabric > Fabric Policies > Policies > Pod > Management Access > default (Client Certificate TP dropdown).
4) Turn on certificate authentication by toggling Client Certificate Authentication State to Enabled.
I'll caveat this by saying that when you enable CAC auth, it only works over HTTPS, and it won't let you use any other kind of auth for HTTPS. This means if you had multiple domains set up, or if you are unable to log in with your smartcard for some reason, you have to log into CLI with your regular user/pass and disable certificate authentication.
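As an added illustration of step 2 above (not code from this thread or from Cisco), the script below shows how a configured User Certificate Attribute such as `CN=TIM.R` can be checked against the subject DN that a smartcard certificate presents. The matching rule used here (every RDN in the configured string must appear in the subject, attribute types compared case-insensitively, values exactly) is an assumption chosen for illustration, not APIC's documented algorithm; the sample subject DN is constructed. It also handles the one edge case that trips up naive string splitting: a subject whose Common Name contains an escaped comma.

```python
"""Match a configured certificate attribute (e.g. "CN=TIM.R") against a subject DN.

Added example; the matching rule is an assumption for illustration, not APIC's own.
Only backslash character escapes from RFC 4514 are handled (no \\XX hex escapes).
"""
from typing import List, Tuple


def _split_unescaped(s: str, sep: str, maxsplit: int = -1) -> List[str]:
    """Split on `sep` but leave backslash-escaped characters (and their escape) intact."""
    out, buf, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            buf.append(ch)
            buf.append(s[i + 1])
            i += 2
            continue
        if ch == sep and (maxsplit < 0 or len(out) < maxsplit):
            out.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    out.append("".join(buf))
    return out


def _unescape(s: str) -> str:
    """Remove backslash escapes: 'DOE\\, JOHN' -> 'DOE, JOHN'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514-style DN string into (TYPE, value) pairs.

    Attribute types are upper-cased so 'cn' and 'CN' compare equal;
    values keep their case, so 'TIM.R' and 'tim.r' do not.
    """
    rdns: List[Tuple[str, str]] = []
    for part in _split_unescaped(dn, ","):
        part = part.strip()
        if not part:
            continue
        pieces = _split_unescaped(part, "=", maxsplit=1)
        if len(pieces) != 2:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = pieces
        rdns.append((typ.strip().upper(), _unescape(val.strip())))
    return rdns


def subject_matches(subject_dn: str, configured_attr: str) -> bool:
    """True when every RDN in the configured attribute is present in the subject.

    An empty configured attribute never matches, so a user whose mapping was
    left blank cannot be matched by an arbitrary certificate.
    """
    subject = set(parse_dn(subject_dn))
    required = parse_dn(configured_attr)
    return bool(required) and all(rdn in subject for rdn in required)


# Constructed sample subject DN in the style of a smartcard certificate (not a real identity).
SAMPLE_SUBJECT = "CN=TIM.R,OU=PKI,OU=DoD,O=U.S. Government,C=US"

if __name__ == "__main__":
    for attr in ("CN=TIM.R", "cn=TIM.R", "CN=TIM.R2", "CN=TIM.R,OU=Finance"):
        print(f"{attr!r:28} -> {subject_matches(SAMPLE_SUBJECT, attr)}")
```

Note that matching on the Common Name alone, as in the answer above, only works cleanly if every CN issued under the trusted CA is unique; adding a second RDN (for example an OU) to the configured attribute tightens the mapping without changing the local account.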