03-08-2023 02:56 PM - edited 03-08-2023 09:05 PM
We have a FIPS 140-2 requirement for our Nexus 9300 Switches.
We use Cisco ISE for AAA with TACACS+ for SSH connections. When we enforce FIPS on the Nexus 9300 switches we lose SSH connectivity.
Documentation also states in the configuration guide:
Prerequisite for FIPS: Disable Telnet. Users should log in using Secure Shell (SSH) only.
Guidelines and Limitation for FIPS: Disable Radius and TACACS+ when FIPS mode is on. This is enforced due to OpenSSL in FIPS mode.
I'm looking for a solution(s) that will allow me to Enable FIPS, and maintain AAA and SSH access to our NEXUS 9500 switches.
Assistance would be greatly appreciated.
03-09-2023 05:39 AM
- The problem is that the Radius protocol uses MD5 hashes. The use of MD5 hashes is not FIPS-compliant.
M.
03-12-2023 06:28 PM
Thank you for your reply. That's correct. What I am looking / hoping for is that there might be another solution that would 1. Allow us to enable FIPS, 2. Allow us to access the devices once FIPS is enabled. I have not researched in detail yet but I heard and read a bit that options like OpenSSH with Windows or Ansible might allow a potential solution using 2048 SSH keys. I'm wondering if there might be other, better, options out there. Maybe someone might have found a reasonable solution. Thank you.
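Added example, not from the thread or from Cisco: a small POSIX shell audit that reads a saved NX-OS running-config text and reports the two FIPS prerequisites quoted above (Telnet enabled, RADIUS/TACACS+ configured) before anyone issues `fips mode enable`, plus a lockout warning when no local account carries an SSH public key for the local-login fallback. The command patterns follow NX-OS syntax; the sample config, server name and 192.0.2.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Audits an NX-OS running-config dump for
# the FIPS prerequisites: Telnet disabled, no RADIUS/TACACS+ servers configured.
# Also warns when no local user has an SSH key, since removing AAA servers means
# logins fall back to local accounts. Sample config below is constructed.

# fips_prereq_check FILE -> prints findings; return value = number of blockers
fips_prereq_check() {
    cfg="$1"
    count=0
    if grep -Eq '^feature telnet' "$cfg"; then
        echo "BLOCKER: 'feature telnet' is enabled; FIPS requires SSH-only access"
        count=$((count + 1))
    fi
    if grep -Eq '^(feature tacacs\+|tacacs-server |aaa group server tacacs\+)' "$cfg"; then
        echo "BLOCKER: TACACS+ is configured; disable it before 'fips mode enable'"
        count=$((count + 1))
    fi
    if grep -Eq '^(radius-server |aaa group server radius)' "$cfg"; then
        echo "BLOCKER: RADIUS is configured; disable it before 'fips mode enable'"
        count=$((count + 1))
    fi
    # Lockout check: with AAA servers gone, at least one local user needs an SSH key
    if ! grep -Eq '^username [^ ]+ sshkey ' "$cfg"; then
        echo "WARNING: no local user has an SSH public key; add one first or you risk lockout"
    fi
    return "$count"
}

# write_sample_config FILE -> constructed config resembling the poster's setup
write_sample_config() {
    cat > "$1" <<'EOF'
feature telnet
feature tacacs+
tacacs-server host 192.0.2.10 key 7 "PLACEHOLDER"
aaa group server tacacs+ ISE-TACACS
  server 192.0.2.10
aaa authentication login default group ISE-TACACS
username admin password 5 PLACEHOLDER role network-admin
EOF
}

# Stand-alone run: audit the constructed sample (expect 2 blockers + 1 warning)
sample=$(mktemp)
write_sample_config "$sample"
fips_prereq_check "$sample" || echo "found $? blocker(s) in $sample"
rm -f "$sample"
```

Run it against `show running-config` output saved to a file; exit status 0 means no blockers were found, and the warning line is the reminder to stage a local user with `username <name> sshkey ...` before the AAA servers are removed.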