Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
286
Views
0
Helpful
2
Replies

RADSEC in FIPS Mode

stevej3295
Level 1
Level 1

‎02-15-2024 04:57 PM

We are running a switch in FIPS mode with RADSEC configured.  When the RADSEC client on the switch attempts to establish a connection to the RADIUS server over 2083/tcp, it offers only TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV as cipher suites.  This is not expected behavoir as FIPS mode should disable SHA1 and ends up failing the TLS connection with "no shared cipher".  The switch has Cisco IOS XE Version 17.13.01 installed.

Has anyone has seen this behavior? Why would it offer a cipher with a SHA1 hash if it is in FIPS mode?  Is there a way to configure FIPS validated ciphers for the RADSEC client?

RADSEC ClientHello

Header:
Version = TLS 1.0 (0x301)
Content Type = Handshake (22)
Length = 103
ClientHello, Length=99
client_version=0x303 (TLS 1.2)
Random:
random_bytes (len=28): 503D6BA9AED31898AFBACDDE8A4AA6F6B737FD8BBD95C4D82D9E1588
session_id (len=0):
cipher_suites (len=4)
{0x00, 0x2F} TLS_RSA_WITH_AES_128_CBC_SHA
{0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression_methods (len=1)
No Compression (0x00)
extensions, length = 54
extension_type=session_ticket(35), length=0
extension_type=encrypt_then_mac(22), length=0
extension_type=extended_master_secret(23), length=0
extension_type=signature_algorithms(13), length=38
ecdsa_secp256r1_sha256 (0x0403)
ecdsa_secp384r1_sha384 (0x0503)
ecdsa_secp521r1_sha512 (0x0603)
ed25519 (0x0807)
ed448 (0x0808)
rsa_pss_pss_sha256 (0x0809)
rsa_pss_pss_sha384 (0x080a)
rsa_pss_pss_sha512 (0x080b)
rsa_pss_rsae_sha256 (0x0804)
rsa_pss_rsae_sha384 (0x0805)
rsa_pss_rsae_sha512 (0x0806)
rsa_pkcs1_sha256 (0x0401)
rsa_pkcs1_sha384 (0x0501)
rsa_pkcs1_sha512 (0x0601)
ecdsa_sha224 (0x0303)
ecdsa_sha1 (0x0203)
rsa_pkcs1_sha224 (0x0301)
rsa_pkcs1_sha1 (0x0201)

Labels:
0 Helpful
2 Replies 2

Arne Bier
VIP
VIP

‎02-28-2024 03:36 PM

I've never had a customer ask about this and I have never seen this implemented in the wild. Which possibly means that there are not many eyes on this, and when things don't work as expected, then it will be up to pioneers, such as yourself, *smiley face* to report that to TAC. 

 

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee

‎02-28-2024 04:36 PM

This space is intended for questions related to Cisco NAC platforms, like ISE.

Is this the switch offering the cipher or the RADIUS server (Cisco ISE)? If it's the switch, your question would likely be better posted to the Switching Community space.

It would also be important to include the exact model of the switch and any other relevant details on your setup.

0 Helpful
Customers Also Viewed These Support Documents