FIPS Radius Key-Wrap configuration for Switch

AFlack20
Level 1

From my understanding of FIPS mode on ISE, in order for RADIUS to function on the network access device, it must be configured to utilize AES key wrapping. From the guides I've found online, the following commands are necessary to configure the key-wrap:

aaa group server radius ISE_radius
 server name ISE1
 server name ISE2
 key-wrap enable
radius server ISE1
 address ipv4 X.X.254.224 auth-port 1812 acct-port 1813
 key-wrap encryption-key 0 serverISE1Asdf01 message-auth-code-key 0 serverISE1serverISE1 format ascii
radius server ISE2
 address ipv4 X.X.254.225 auth-port 1812 acct-port 1813
 key-wrap encryption-key 0 serverISE1Asdf01 message-auth-code-key 0 serverISE1serverISE1 format ascii

But looking at the "show radius server-group all" output, it looks like authentications are passing but authorizations are failing.

sw1#show radius server-group all 
Server group radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(X.X.254.224:1812,1813,ISE1) Transactions:
    Authen: 3   Author: 3       Acct: 305
    Server_auto_test_enabled: FALSE
     Keywrap enabled: FALSE
    Server(X.X.254.225:1812,1813,ISE2) Transactions:
    Authen: 0   Author: 0       Acct: 297
    Server_auto_test_enabled: FALSE
     Keywrap enabled: FALSE
Server group ISE_radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(X.X.254.224:1812,1813,ISE1) Transactions:
    Authen: 402 Author: 0       Acct: 181
    Server_auto_test_enabled: FALSE
     Keywrap enabled: TRUE
    Server(X.X.254.225:1812,1813,ISE2) Transactions:
    Authen: 291 Author: 0       Acct: 35
    Server_auto_test_enabled: FALSE
     Keywrap enabled: TRUE

sw1#show authentication sessions interface gi1/0/5 details 
            Interface:  GigabitEthernet1/0/5
               IIF-ID:  0x18C8245F
          MAC Address:  1111.aaaa.bbbb
         IPv6 Address:  fe80::1
         IPv4 Address:  X.X.200.51
            User-Name:  host/1
               Status:  Authorized
               Domain:  UNKNOWN
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  37100113000002FA19777735
      Acct Session ID:  0x000002cb
               Handle:  0x370002f0
       Current Policy:  POLICY_Gi1/0/5


Local Policies:
        Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
           Voice Vlan:  Vlan: 200

Server Policies:


Method status list:
       Method           State
        dot1x           Authc Failed

(attached screenshot: radiuskeywrap.png)

Any thoughts as to why key wrap isn't working?


poongarg
Cisco Employee

Can you provide the aaa config on this switch? It seems the "aaa authorization network default group xxxx" command might be missing from the configuration. "debug radius" / "debug aaa authorization" will also help to figure out the authorization issue.
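As an added check, not part of either post: a small Python parser for the "show radius server-group all" output quoted in the question that reports every server receiving transactions through a group whose "Keywrap enabled" is FALSE. On the question's output it shows all authorizations and most accounting landing on the default "radius" group rather than "ISE_radius", which is the symptom behind the reply's suggestion that aaa authorization is not pointed at the key-wrap group. The sample is copied from the post, trimmed to the lines the parser reads.

```python
import re

# Sample copied from the show output in the post above, trimmed to the lines the parser uses.
SAMPLE = """\
Server group radius
    Server(X.X.254.224:1812,1813,ISE1) Transactions:
    Authen: 3   Author: 3       Acct: 305
     Keywrap enabled: FALSE
    Server(X.X.254.225:1812,1813,ISE2) Transactions:
    Authen: 0   Author: 0       Acct: 297
     Keywrap enabled: FALSE
Server group ISE_radius
    Server(X.X.254.224:1812,1813,ISE1) Transactions:
    Authen: 402 Author: 0       Acct: 181
     Keywrap enabled: TRUE
    Server(X.X.254.225:1812,1813,ISE2) Transactions:
    Authen: 291 Author: 0       Acct: 35
     Keywrap enabled: TRUE
"""

GROUP_RE = re.compile(r"^Server group (\S+)")
SERVER_RE = re.compile(r"^\s*Server\([^,]+,\d+,(\S+)\) Transactions:")
COUNT_RE = re.compile(r"^\s*Authen:\s*(\d+)\s+Author:\s*(\d+)\s+Acct:\s*(\d+)")
KEYWRAP_RE = re.compile(r"^\s*Keywrap enabled:\s*(TRUE|FALSE)")


def parse_server_groups(text):
    """Map group name -> server name -> transaction counters and key-wrap state."""
    groups, servers, server = {}, None, None
    for line in text.splitlines():
        if m := GROUP_RE.match(line):          # new server group block
            servers = groups.setdefault(m.group(1), {})
        elif m := SERVER_RE.match(line):       # server entry inside the group
            server = servers.setdefault(m.group(1), {"keywrap": False})
        elif m := COUNT_RE.match(line):        # per-server transaction counters
            server.update(zip(("authen", "author", "acct"), map(int, m.groups())))
        elif m := KEYWRAP_RE.match(line):      # key-wrap state for this group/server pair
            server["keywrap"] = m.group(1) == "TRUE"
    return groups


def unwrapped_traffic(groups):
    """(group, server, kind, count) for traffic sent via a group with key-wrap disabled."""
    return [
        (gname, sname, kind, srv[kind])
        for gname, servers in groups.items()
        for sname, srv in servers.items()
        if not srv["keywrap"]
        for kind in ("authen", "author", "acct")
        if srv.get(kind, 0) > 0
    ]
```

unwrapped_traffic(parse_server_groups(SAMPLE)) returns four tuples, every one on the default "radius" group, including the only authorization hits (ISE1, Author: 3); the key-wrap group ISE_radius shows Author: 0 on both servers.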