AAA ISE 2.3 - FIPS Compliance & Default Device Admin Allowed Protocols

Renzo_Orezzoli
Level 1

I upgraded an SNS-3415-K9 to ISE 2.3 and I'm trying to enable FIPS, but I can't because only the "Default Device Admin" is allowed in policy.

I tried deleting the "Migrated_Default Device Admin", but I get: "Error: This object is referenced by Rule-2."

If I disable the "Migrated_Default Device Admin" allowed protocols, none of my devices (IE3k, IE4k, 2960, 3750, C6500) authenticate. This does allow FIPS to be enabled, though.

I've tried reading manuals, but I can't figure it out.

1 Reply

Renzo_Orezzoli
Level 1

I figured it out.

Under: Work Centers > Device Administration > Device Admin Policy Sets > Rule-2

I changed the "Allowed Protocols/Server Sequence" from "Migrated_Default Device Admin" to "Default Device Admin".

This allowed me to delete the migrated Allowed Protocols Services group.

I now only allow PAP/ASCII via the default device admin, and FIPS is applied. I tested this on ISE2 (secondary) prior to changing ISE1 (primary) [for clarity, they are both in primary mode; the devices see ISE1 first].

Hope this helps someone in the future.
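The dependency the error message describes ("This object is referenced by Rule-2") is the crux of the fix: a rule must be re-pointed before the allowed-protocols object it uses can be deleted, and every service still in use should enable only the protocols you intend to keep before FIPS goes on. The following is an added illustration, not the thread's own tooling or an ISE API; the policy data, the `Rule`/`AllowedProtocols` classes, and the "keep only PAP/ASCII" set are constructed assumptions mirroring the poster's setup, not a statement of what ISE FIPS mode permits.

```python
from dataclasses import dataclass

@dataclass
class AllowedProtocols:
    name: str
    enabled: set  # protocol options switched on in this service

@dataclass
class Rule:
    name: str
    allowed_protocols: str  # name of the service the policy-set rule points at

# Constructed data mirroring the post: Rule-2 still points at the migrated
# service, which (hypothetically) has more than PAP/ASCII enabled.
SERVICES = {
    "Default Device Admin": AllowedProtocols("Default Device Admin", {"PAP/ASCII"}),
    "Migrated_Default Device Admin": AllowedProtocols(
        "Migrated_Default Device Admin", {"PAP/ASCII", "CHAP", "MS-CHAPv1", "MS-CHAPv2"}),
}
RULES = [Rule("Rule-1", "Default Device Admin"),
         Rule("Rule-2", "Migrated_Default Device Admin")]

def referencing_rules(rules, service_name):
    """Rules that would block deleting service_name (the cause of the ISE error)."""
    return [r.name for r in rules if r.allowed_protocols == service_name]

def can_delete(rules, service_name):
    """Deletion is safe only once no rule references the service."""
    return not referencing_rules(rules, service_name)

def repoint(rules, old, new):
    """Move every rule from service `old` to `new`; returns the rules changed.
    This is the manual step the poster did under Device Admin Policy Sets."""
    changed = []
    for r in rules:
        if r.allowed_protocols == old:
            r.allowed_protocols = new
            changed.append(r.name)
    return changed

def non_compliant_services(services, rules, keep=frozenset({"PAP/ASCII"})):
    """Services still referenced by a rule that enable anything outside `keep`.
    `keep` is the set the poster chose to leave on (an assumption here)."""
    in_use = {r.allowed_protocols for r in rules}
    return {n: sorted(s.enabled - keep) for n, s in services.items()
            if n in in_use and s.enabled - keep}
```

Run the checks in the order the poster followed: find the referencing rules, re-point them, confirm the migrated service is now deletable, and confirm nothing still in use enables protocols you did not intend to keep.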