02-15-2024 04:57 PM
We are running a switch in FIPS mode with RADSEC configured. When the RADSEC client on the switch attempts to establish a connection to the RADIUS server over 2083/tcp, it offers only TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV as cipher suites. This is not expected behavoir as FIPS mode should disable SHA1 and ends up failing the TLS connection with "no shared cipher". The switch has Cisco IOS XE Version 17.13.01 installed.
Has anyone has seen this behavior? Why would it offer a cipher with a SHA1 hash if it is in FIPS mode? Is there a way to configure FIPS validated ciphers for the RADSEC client?
RADSEC ClientHello
Header:
Version = TLS 1.0 (0x301)
Content Type = Handshake (22)
Length = 103
ClientHello, Length=99
client_version=0x303 (TLS 1.2)
Random:
random_bytes (len=28): 503D6BA9AED31898AFBACDDE8A4AA6F6B737FD8BBD95C4D82D9E1588
session_id (len=0):
cipher_suites (len=4)
{0x00, 0x2F} TLS_RSA_WITH_AES_128_CBC_SHA
{0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression_methods (len=1)
No Compression (0x00)
extensions, length = 54
extension_type=session_ticket(35), length=0
extension_type=encrypt_then_mac(22), length=0
extension_type=extended_master_secret(23), length=0
extension_type=signature_algorithms(13), length=38
ecdsa_secp256r1_sha256 (0x0403)
ecdsa_secp384r1_sha384 (0x0503)
ecdsa_secp521r1_sha512 (0x0603)
ed25519 (0x0807)
ed448 (0x0808)
rsa_pss_pss_sha256 (0x0809)
rsa_pss_pss_sha384 (0x080a)
rsa_pss_pss_sha512 (0x080b)
rsa_pss_rsae_sha256 (0x0804)
rsa_pss_rsae_sha384 (0x0805)
rsa_pss_rsae_sha512 (0x0806)
rsa_pkcs1_sha256 (0x0401)
rsa_pkcs1_sha384 (0x0501)
rsa_pkcs1_sha512 (0x0601)
ecdsa_sha224 (0x0303)
ecdsa_sha1 (0x0203)
rsa_pkcs1_sha224 (0x0301)
rsa_pkcs1_sha1 (0x0201)
02-28-2024 03:36 PM
I've never had a customer ask about this and I have never seen this implemented in the wild. Which possibly means that there are not many eyes on this, and when things don't work as expected, then it will be up to pioneers, such as yourself, *smiley face* to report that to TAC.
02-28-2024 04:36 PM
This space is intended for questions related to Cisco NAC platforms, like ISE.
Is this the switch offering the cipher or the RADIUS server (Cisco ISE)? If it's the switch, your question would likely be better posted to the Switching Community space.
It would also be important to include the exact model of the switch and any other relevant details on your setup.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide