06-20-2024 06:05 AM
Asking for my group to create a new VMware repository for our ISE 3.2 cluster (4 nodes = primary PAN/MnT & PSN and secondary PAN/MnT & PSN), and I see this note in the Cisco Docs under "Create Repositories":
"Cisco ISE initiates outbound SSH or SFTP connections in FIPS mode even if FIPS mode is not enabled on ISE. Ensure that the remote SSH or SFTP servers that communicate with ISE allow FIPS 140 approved cryptographic algorithms. Cisco ISE uses embedded FIPS 140 validated cryptographic modules."
Anyone know if I need to request anything special in getting my VMware team to create my new repository? This cluster is being used for our PCI (payment card industry) environment and only does AAA but no NAC. Our VMware vSphere is version 8.0.2.00300.
Thanks in advance!
06-20-2024 06:37 AM - edited 06-20-2024 06:39 AM
From a technology perspective, your ISE node will not be able to establish an SSH/SFTP connection to a repository if it doesn't support FIPS 140 compliant ciphers/algorithms. So as long as your VMware team sets up a repository which is FIPS 140 compliant itself, you should be within compliance.
EDIT: Note that I am not a compliance guru. If in doubt, check with your Cisco contact/account manager.
06-20-2024 10:53 AM
Thank you Torbjorn, but I am looking for any direction I need to give my VMware team as to how the repository VM needs to be created and if any certain settings need to be configured on the new VM.
06-20-2024 01:22 PM
In order to meet these requirements, you will need to set up the external SFTP server with the following:
debug2: KEX algorithms: ecdh-sha2-nistp521
debug2: host key algorithms: ecdsa-sha2-nistp256
debug2: ciphers ctos: aes256-ctr,aes256-gcm@openssh.com
debug2: ciphers stoc: aes256-ctr,aes256-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512
Assuming the external server is an Ubuntu Linux server, you need to modify /etc/ssh/sshd_config to:
Kexalgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp521
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256
MACs hmac-sha2-256,hmac-sha2-512
Ciphers aes256-ctr,aes256-gcm@openssh.com
To make sure that your ISE server can only use these parameters, you need to open a TAC case with Cisco and have Cisco "root" into the ISE and modify the /etc/ssh/ssh_config file so that it only uses these parameters.
By default, Cisco ISE can connect to an external FIPS 140-2 SFTP server without any issues, but let's say someone changes the settings on the external SFTP server to make it NOT FIPS 140-2 compliant. Well, Cisco ISE can still connect to the external SFTP server and nobody would know unless you run debug on sshd. By locking the ISE SSH client on the ISE via /etc/ssh/ssh_config, you make sure that BOTH sides are FIPS 140-2.
Hope that helps.
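To catch the server-side drift the post describes (someone re-adding a non-compliant algorithm to the SFTP server later), here is an added example, not from the poster, that audits an sshd_config against the four algorithm lines given above. The allowed lists are exactly the post's values; the two sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the four
# algorithm lines the post gives for /etc/ssh/sshd_config, to catch the drift
# the post warns about (a non-compliant algorithm re-added on the SFTP server).
ALLOWED_KEX="ecdh-sha2-nistp384 ecdh-sha2-nistp521"
ALLOWED_HOSTKEY="rsa-sha2-512 rsa-sha2-256"
ALLOWED_MACS="hmac-sha2-256 hmac-sha2-512"
ALLOWED_CIPHERS="aes256-ctr aes256-gcm@openssh.com"
# Value of keyword $2 in config file $1: case-insensitive keyword, comment
# lines skipped, first occurrence wins (as sshd reads it); empty if absent.
config_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == key && !seen { val = $2; seen = 1 }
        END { print val }' "$1"
}
# Returns 0 if every algorithm listed for keyword $2 in file $1 is in allowed
# list $3; a missing keyword fails too, since sshd then uses its own defaults.
check_keyword() {
    value=$(config_value "$1" "$2"); kw_rc=0
    [ -n "$value" ] || { echo "$2: not set (sshd defaults would apply)"; return 1; }
    for alg in $(printf '%s' "$value" | tr ',' ' '); do
        case " $3 " in
            *" $alg "*) ;;
            *) echo "$2: $alg is not in the allowed list"; kw_rc=1 ;;
        esac
    done
    return $kw_rc
}
# Audits all four keywords; returns 0 only if every one of them passes.
audit_sshd_config() {
    rc=0
    check_keyword "$1" KexAlgorithms "$ALLOWED_KEX" || rc=1
    check_keyword "$1" HostKeyAlgorithms "$ALLOWED_HOSTKEY" || rc=1
    check_keyword "$1" MACs "$ALLOWED_MACS" || rc=1
    check_keyword "$1" Ciphers "$ALLOWED_CIPHERS" || rc=1
    return $rc
}
# Constructed sample configs (not from any real server): one matching the post,
# one where legacy algorithms crept back in and the Ciphers line was dropped.
WORK=$(mktemp -d)
printf '%s\n' 'KexAlgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp521' \
  'HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256' 'MACs hmac-sha2-256,hmac-sha2-512' \
  'Ciphers aes256-ctr,aes256-gcm@openssh.com' > "$WORK/compliant"
printf '%s\n' '# legacy settings re-enabled' 'KexAlgorithms ecdh-sha2-nistp384,diffie-hellman-group14-sha1' \
  'HostKeyAlgorithms rsa-sha2-512,ssh-rsa' 'MACs hmac-sha2-256,hmac-sha1' > "$WORK/drifted"
audit_sshd_config "$WORK/compliant" && echo "compliant: all four keywords restricted"
audit_sshd_config "$WORK/drifted" || echo "drifted: review the findings above"
```

Run it against the live file (`/etc/ssh/sshd_config`) from cron or a config-management check so a change on the server side is reported rather than silently accepted by the ISE client.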
06-24-2024 05:14 AM
Thanks adamscottmaster2013! This information is exactly what I was looking for. I can now request the VM be created, and then once it is I will put in a TAC case to get our ISE cluster configured. Thanks!
06-24-2024 05:39 AM
Actually, the new repository will be RHEL 8.2