Solved: Enable FIPS on ISE new lab

AFlack20 · ‎08-25-2022

I need to test some functionality of FIPS mode and am trying to enable it in a new lab of ISE 3.1 But when I go to admin>system>settings>FIPS Mode>Enabled and try to save I get a error message about needing to use "Default Device Admin" policy in Default Network Access (see screen shot below).

When I navigate to Work centers>Device Admin>Device Admin Policy Sets the default device admin is already set as the allowed protocols (see screen shot below).

This is a relatively fresh build of a lab and doesn't have much configuration. I'm also not very familiar with ISE in terms of TACACS configuration so any help would be appreciated.

ammahend · ‎08-25-2022

Seems very similar to this but it’s on old code, but you can try the workaround since it’s a lab and let us know

https://bst.cisco.com/bugsearch/bug/CSCvs70863

-hope this helps-

View solution in original post

ammahend · ‎08-25-2022

Seems very similar to this but it’s on old code, but you can try the workaround since it’s a lab and let us know

https://bst.cisco.com/bugsearch/bug/CSCvs70863

-hope this helps-

AFlack20 · ‎08-29-2022

This was the case I followed the instructions as listed within the workaround and was able to get FIPS enabled. Appears this bug is still affecting versions all the way to ISE 3.1 which i have installed on my lab.

ammahend · ‎08-29-2022

Good that walk around work for you, it’s not very uncommon for older bugs to re surface in new version, I have had a few experiences like this in past

-hope this helps-

thegornthisisarchaic · ‎09-05-2023

In version 3.2 of ISE this solution does not work either. The bug in question is apparently getting worse instead of better. lol

Walker · ‎08-26-2022

TACACS is not a FIPS compliant protocol. I am assuming you are going to run into issues when attempting to use it with the FIPS checkbox enabled.