12-19-2022 11:31 AM
Hello,
I have not been able to find a solution to my problem. Hopefully someone will be able to assist or point me in the right direction.
I need to use RADIUS as my SSH authentication using an ISE server running 3.1 that is FIPS enabled. So, TACACS is not an option and I am not allowed to use PAP/ASCII authentication. I have EAP-FAST, EAP-TLS, and everything else allowed under Policy > Results.
Everything I have read and researched indicates that my ISE server is configured correctly; however, when I try to log in using a C3850-48T running 16.12, the ISE Operations > RADIUS > Live Logs show
Overview: Event 5400 Authentication failed
Authentication Details:
Event - 5400 Authentication Failed
Failure Reason - 15024 PAP is not allowed
Resolution - Enable PAP/ASCII protocol for the selected service
Root Cause - PAP is not allowed
My switch aaa configuration:
aaa group server radius iseLocalLogin
 server name ISE
 key-wrap enable
 ip radius source-interface Vlan985
 deadtime 10
!
aaa authentication login Auth_User_List group iseLocalLogin local
aaa authentication enable default group iseLocalLogin group radius
aaa authentication eou Auth_User_List group iseLocalLogin local
aaa authorization exec Auth_User_List group iseLocalLogin if-authenticated
aaa accounting exec Auth_User_List start-stop group iseLocalLogin
!
radius server ISE
 address ipv4 192.16.34.32 auth-port 1231 acct-port 1232
 timeout 10
 key-wrap encryption-key 7 ascii16 message-auth-code-key 7 ascii20 format ascii
 key 7 ascii2432
Debug Logs:
AAA/AUTHEN/LOGIN (0000139D): Pick method list 'Auth_User_List'
RADIUS/ENCODE(0000139D): ask "Password: "
RADIUS/ENCODE(0000139D): send packet; GET_PASSWORD
RADIUS/ENCODE(0000139D):Orig. component type = Exec
Unsupported AAA attribute clid
RADIUS(0000139D): Config NAS IP:192.16.55.17
vrfid: [65535] ipv6 tableid : [0]
idb is NULL
RADIUS(0000139D): Config NAS IPv6: ::
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ad_username] [Source: 192.16.75.72] [localport: 22] [Reason: Login Authentication Failed] at 14:11:04 EST Mon Dec 19 2022
Any assistance will be greatly appreciated.
12-20-2022 07:57 AM
Hello @matthew.rand, as you mentioned, when you enable FIPS on ISE this will disable a set of protocols, and among them you will not be allowed to use PAP-ASCII and TACACS. Unfortunately those are the only ways in which you can use ISE to manage access within your network devices, hence such a deployment is not possible.
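To make the answer above concrete: an IOS-XE login against RADIUS sends the SSH password as a RADIUS User-Password attribute (PAP), and RFC 2865 section 5.2 hides that attribute by XORing each 16-byte block of the password with an MD5 digest keyed by the shared secret. MD5 is not a FIPS 140-approved algorithm, which is why a FIPS-mode ISE refuses the exchange with reason 15024 even though the switch has key-wrap configured. The following Python is an added example written for this thread, not Cisco's or the poster's code; the shared secret and Request-Authenticator in it are constructed sample values.

```python
"""RFC 2865 section 5.2 User-Password hiding, the primitive behind RADIUS PAP.

Added example for the FIPS/PAP discussion above (not Cisco's or the poster's
code). It shows that the only protection PAP gives the password on the wire is
an MD5-based keystream derived from the shared secret, which is not a FIPS
140-approved construction.
"""
import hashlib
import os

BLOCK = 16  # MD5 digest length, and the RFC's padding unit for User-Password


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Return the User-Password attribute value the NAS puts on the wire.

    b1 = MD5(S + RA),      c1 = p1 XOR b1
    bi = MD5(S + c(i-1)),  ci = pi XOR bi      (RFC 2865, section 5.2)
    """
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    # Pad with NUL octets up to a multiple of 16 before hiding.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()  # the MD5 dependency
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += chunk
        prev = chunk  # chaining: the next block is keyed on this ciphertext block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: what the RADIUS server does on receipt.

    Anyone holding the shared secret plus the Request-Authenticator (sent in
    clear in the Access-Request) recovers the password, so the password is
    only as protected as the secret and the MD5 construction around it.
    """
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        chunk = hidden[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    # RFC padding is NUL; the receiver strips it (a password cannot end in NUL).
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed demo values; not a real secret or a captured packet.
    secret = b"constructed-shared-secret"
    ra = os.urandom(BLOCK)  # NAS picks a fresh random Request-Authenticator
    hidden = hide_user_password(b"ad_password_example", secret, ra)
    print("User-Password on the wire:", hidden.hex())
    print("recovered by server:      ", reveal_user_password(hidden, secret, ra))
```

The EAP methods the poster left enabled (EAP-TLS, EAP-FAST) do not carry the credential in User-Password at all; the credential exchange happens inside a TLS tunnel and only the EAP framing rides in RADIUS, which is why those methods survive FIPS mode while a plain IOS login over RADIUS does not.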
12-20-2022 08:20 AM
Thanks @Rodrigo Diaz for the update. I was getting the picture that it wasn't going to be possible.
What are some alternatives to get authentication working with FIPS enabled devices?
12-20-2022 10:39 AM
@matthew.rand, the only viable options that I see are either to configure local password authentication in such a NAD with the model you have with FIPS, or, failing that, to have a dedicated set of ISE nodes without FIPS enabled to use TACACS or RADIUS-based authentication with PAP to grant access to the device.
12-20-2022 11:27 AM
@Rodrigo Diaz , I have looked into the STIG requirement to have FIPS enabled on the ISE server. If you don't have it enabled on the ISE server but configure a FIPS 140-2/3 validated HMAC or other FIPS 140-2/3 approved methods, the finding is lowered by 1 category/severity level.
So, I am going to disable FIPS and move forward.
Thanks for your assistance. Much appreciated.
Matt