Nexus 93180YC-FX and FIPS mode enabled and Disabled for Radius Hosts

pm.tinney
Level 1

I am hoping someone can help me with something very annoying. We have 4 Nexus 93180YC-FX switches running code version 10.3.3. In our environment, we must run FIPS and we must also run ISE 3.1 with RADIUS DTLS. I've discovered that if the switch is running FIPS mode, there can be no radius-server host x.x.x.x statements. I get that. So I disabled FIPS and rebooted the switch. I still get the error that my radius-server host statements cannot be applied. The last time I ran into this, I backed up my config and did a write erase / reload. Then my configuration for radius-server worked fine. The ultimate goal is to move from RADIUS to RADIUS DTLS using ISE and then enable FIPS. My fear is, if I enable FIPS, I may never be able to make changes to my radius-server hosts without having to do a write erase / reload. What am I missing? Why is it that, when FIPS mode is disabled, it still causes issues when trying to modify or add/remove radius-server hosts? Is there something else in the config that's causing this? Thanks...


7 Replies

balaji.bandi
Hall of Fame

Have you checked the Guidelines and Limitations:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/security/configuration/guide/b-cisco-nexus-9000-nx-os-security-configuration-guide-93x/m-configuring-fips.html

When you disable FIPS mode, make sure you check the status with show fips status.

Note: I have not deployed any FIPS-based image, since most of the use cases are US Govt related. Are you using this in US Govt and Military?


BB


I do have this very same guide, but it was written for 10.3.x code. We are a Govt facility so FIPS is mandatory.

It is a customer requirement; if they need FIPS then you need to make your network device run FIPS.

These requirements are mostly in the USA.

If you are deploying in the USA and FIPS has some limitations as mentioned in the document, somehow you need to choose A vs. B.

Contact Cisco TAC for a better suggestion.

BB


Not just for FIPS: for many network security features there are limitations, including MD5.

Teddy Hartman
Level 1

Has anyone been able to figure out how to reapply RADIUS after disabling FIPS without wiping the entire switch? I disabled FIPS and rebooted and that doesn't work.

I was never able to reapply my Radius or Radius DTLS configuration with FIPS enabled or disabled. It required a full factory reset and then restore from a configuration that was backed up prior to the wipe of the switch. Cisco Security technical folks told me that it's a bug in the software. I have 6 Nexus 9000 switches and three needed factory reloads. But, once that's done, all works fine now.
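The workflow the thread ends up with (back up the running-config, write erase / reload, then restore RADIUS) is easier to do safely if you audit the backup before the wipe. The script below is an added example, not code from the thread, from Cisco, or from NX-OS: it parses the saved text of `show running-config`, reports whether `fips mode enable` is present together with `radius-server host` lines (the combination the thread reports is rejected), checks that every server referenced in an `aaa group server radius` group actually has a host line and a key, and emits the RADIUS lines in restore order with the FIPS line deliberately left out so it can be enabled last. The sample config, hostnames, addresses and key strings are constructed; only the `fips mode enable` / `radius-server host` / `aaa group server radius` line shapes are taken from the thread and the NX-OS CLI.

```python
"""Pre-reload audit of a saved NX-OS running-config (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample config (not from the thread). Key strings are fake.
SAMPLE_CONFIG = """\
!Command: show running-config
version 10.3(3)
hostname N9K-CORE-1
fips mode enable
radius-server key 7 "FAKEGLOBALKEY"
radius-server timeout 5
radius-server host 10.10.10.21 key 7 "FAKEHOSTKEY" authentication accounting
radius-server host 10.10.10.22 auth-port 1645 acct-port 1646 authentication accounting
aaa group server radius ISE
    server 10.10.10.21
    server 10.10.10.22
    server 10.10.10.23
    source-interface mgmt0
aaa authentication login default group ISE
"""

HOST_RE = re.compile(r"^radius-server host (\S+)(.*)$")
PORT_RE = re.compile(r"\b(auth-port|acct-port) (\d+)")


@dataclass
class RadiusHost:
    address: str
    line: str               # the original config line, kept for restore
    auth_port: int = 1812   # NX-OS defaults when the ports are not given
    acct_port: int = 1813
    has_key: bool = False   # per-host key present on the line


@dataclass
class Audit:
    fips_enabled: bool = False
    global_key_line: str = ""
    radius_hosts: list = field(default_factory=list)
    # group name -> raw indented lines under 'aaa group server radius <name>'
    server_groups: dict = field(default_factory=dict)


def parse_config(text: str) -> Audit:
    audit = Audit()
    group = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if group is not None and line.startswith(" "):
            audit.server_groups[group].append(line)   # inside a group block
            continue
        group = None                                  # unindented line ends the block
        if line == "fips mode enable":
            audit.fips_enabled = True
        elif line.startswith("radius-server key "):
            audit.global_key_line = line
        elif line.startswith("aaa group server radius "):
            group = line.split()[-1]
            audit.server_groups[group] = []
        elif m := HOST_RE.match(line):
            host = RadiusHost(address=m.group(1), line=line)
            for name, port in PORT_RE.findall(m.group(2)):
                setattr(host, name.replace("-", "_"), int(port))
            host.has_key = " key " in m.group(2)
            audit.radius_hosts.append(host)
    return audit


def group_members(audit: Audit, name: str) -> list:
    """Server addresses listed under one aaa group."""
    return [l.split()[1] for l in audit.server_groups.get(name, []) if l.split()[0] == "server"]


def findings(audit: Audit) -> list:
    out = []
    if audit.fips_enabled and audit.radius_hosts:
        out.append(f"CONFLICT: fips mode enable with {len(audit.radius_hosts)} radius-server host "
                   "line(s); the thread reports these are rejected while FIPS is on")
    defined = {h.address for h in audit.radius_hosts}
    for name in audit.server_groups:
        for member in group_members(audit, name):
            if member not in defined:
                out.append(f"group {name} lists {member} but no radius-server host line defines it")
    for h in audit.radius_hosts:
        if not h.has_key and not audit.global_key_line:
            out.append(f"host {h.address} has no per-host key and no global radius-server key")
    return out


def restore_snippet(audit: Audit) -> list:
    """Lines to re-apply after write erase / reload, in dependency order:
    global key, then hosts, then the groups that reference them.
    'fips mode enable' is deliberately omitted: enable it last, once RADIUS
    (or RADIUS DTLS) has been verified working."""
    lines = [audit.global_key_line] if audit.global_key_line else []
    lines += [h.line for h in audit.radius_hosts]
    for name, body in audit.server_groups.items():
        lines.append(f"aaa group server radius {name}")
        lines += body
    return lines


if __name__ == "__main__":
    audit = parse_config(SAMPLE_CONFIG)
    print("fips enabled:", audit.fips_enabled)
    for f in findings(audit):
        print("-", f)
    print("\n".join(restore_snippet(audit)))
```

Run it against your own backup by replacing `SAMPLE_CONFIG` with the file contents; a CONFLICT finding means the backup, restored as-is, would hit the same rejection the thread describes, so paste the `restore_snippet` output first, confirm authentication against ISE, and only then enable FIPS.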