
FIPS 140-2 on Nexus 9300 switches disabling SSH

Drew15
Level 1

We have FIPS 140-2 requirement for our Nexus 9300 Switches.
We use Cisco ISE for AAA with TACACS+ for SSH connections. When we enforce FIPS on the Nexus 9300 switches, we lose SSH connectivity.

The documentation also states, in the configuration guide:

Prerequisite for FIPS:  Disable Telnet. Users should log in using Secure Shell (SSH) only.

Guidelines and Limitations for FIPS: Disable RADIUS and TACACS+ when FIPS mode is on. This is enforced due to OpenSSL in FIPS mode.

I'm looking for a solution(s) that will allow me to enable FIPS and maintain AAA and SSH access to our NEXUS 9500 switches.

Assistance would be greatly appreciated.

2 Replies

marce1000
VIP


 - The problem is that the RADIUS protocol uses MD5 hashes. The use of MD5 hashes is not FIPS-compliant.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Drew15
Level 1

Thank you for your reply. That's correct. What I am looking / hoping for is that there might be another solution that would 1. allow us to enable FIPS, 2. allow us to access the devices once FIPS is enabled. I have not researched in detail yet, but I heard and read a bit that options like OpenSSH with Windows or Ansible might allow a potential solution using 2048-bit SSH keys. I'm wondering if there might be other, better, options out there. Maybe someone might have found a reasonable solution. Thank you.
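The prerequisites quoted in the opening post (Telnet off, no RADIUS/TACACS+ while FIPS is on) and the 2048-bit SSH-key idea in the follow-up together read as a lockout-avoidance checklist: everything that FIPS mode removes has to be replaced by a local login path before `fips mode enable` is typed. The script below is an added example, not code from this thread or from Cisco. It parses a running-config and lists what still has to change. Both configs are constructed samples written in NX-OS syntax for the features involved (`feature telnet`, `feature tacacs+`, `tacacs-server host`, `aaa authentication login`, `username ... sshkey`, `ssh key rsa N`); the 2048-bit minimum is the figure proposed in the thread, and the requirement for a local user with an SSH public key is the poster's workaround rather than a documented Cisco prerequisite.

```python
"""Pre-flight check before 'fips mode enable' on an NX-OS switch.

Added example for this thread. Reads a running-config and reports
anything that either contradicts the FIPS prerequisites quoted in the
opening post or would leave no local login path once remote AAA is gone.
"""
import re

MIN_RSA_BITS = 2048  # key size the thread proposes for SSH under FIPS (assumption)

# Constructed sample: the switch as described in the opening post, before FIPS.
BEFORE = """\
feature telnet
feature tacacs+
feature ssh
tacacs-server host 10.10.10.5 key 7 "xxxxxxxx"
aaa group server tacacs+ ISE
  server 10.10.10.5
aaa authentication login default group ISE
aaa authentication login console group ISE
username admin password 5 $5$xxxx$yyyy role network-admin
ssh key rsa 1024
"""

# Constructed sample: the same switch after Telnet and TACACS+ are removed,
# login is local, a local user carries an SSH public key, host key is 2048-bit.
AFTER = """\
feature ssh
aaa authentication login default local
aaa authentication login console local
username admin password 5 $5$xxxx$yyyy role network-admin
username netops role network-admin
username netops sshkey ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE netops@jump
ssh key rsa 2048
"""


def fips_preflight(config: str) -> list[str]:
    """Return findings that must be fixed before enabling FIPS; empty means go."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. Prerequisite from the configuration guide: Telnet off, SSH on.
    if "feature telnet" in lines:
        findings.append("Telnet enabled: run 'no feature telnet' (FIPS prerequisite)")
    if "feature ssh" not in lines:
        findings.append("SSH not enabled: run 'feature ssh'")

    # 2. Limitation from the guide: RADIUS and TACACS+ cannot stay configured.
    remote_aaa = [ln for ln in lines if ln == "feature tacacs+"
                  or ln.startswith(("tacacs-server host", "radius-server host"))]
    if remote_aaa:
        findings.append(f"remote AAA still configured ({len(remote_aaa)} line(s)): "
                        "remove TACACS+/RADIUS before 'fips mode enable'")

    # 3. No login method may depend on a remote server group, or the
    #    switch is unreachable the moment that group stops working.
    for ln in lines:
        m = re.match(r"aaa authentication login (\S+) group (\S+)", ln)
        if m:
            findings.append(f"login method '{m.group(1)}' uses remote group "
                            f"{m.group(2)}: change it to 'local' first")

    # 4. SSH host key: flag RSA keys shorter than the thread's 2048-bit floor.
    host_keys = [m for m in (re.match(r"ssh key (\S+) (\d+)", ln) for ln in lines) if m]
    if not host_keys:
        findings.append(f"no 'ssh key' line: generate with 'ssh key rsa {MIN_RSA_BITS} force'")
    for m in host_keys:
        if m.group(1) == "rsa" and int(m.group(2)) < MIN_RSA_BITS:
            findings.append(f"ssh host key rsa {m.group(2)} is below {MIN_RSA_BITS} bits: "
                            f"regenerate with 'ssh key rsa {MIN_RSA_BITS} force'")

    # 5. Poster's workaround: at least one local user with an SSH public key,
    #    so login never touches a RADIUS/TACACS+ server.
    if not any(re.match(r"username \S+ sshkey ssh-rsa ", ln) for ln in lines):
        findings.append("no local user has an ssh-rsa public key: add one with "
                        "'username <name> sshkey ssh-rsa <key>'")
    return findings


def fips_ready(config: str) -> bool:
    """True when the pre-flight produces no findings."""
    return not fips_preflight(config)


if __name__ == "__main__":
    for name, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(f"{name}: {'ready' if fips_ready(cfg) else 'NOT ready'}")
        for f in fips_preflight(cfg):
            print("  -", f)
```

Save `show running-config` output to a file and feed its contents to `fips_preflight`; an empty list is the go signal. The script only inspects configuration text, so it cannot tell whether the switch's FIPS-mode OpenSSL build will accept a given key type; that still has to be confirmed on the switch itself, and keeping a console session open while enabling FIPS remains the practical safety net.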
