FMC Admin Auth to ISE, using RADIUS, w/ ISE in FIPS Mode. No Worky?

eric.free
Level 1

Just wondering if anyone else has encountered this hurdle and if anyone found a fix. Unlike most Cisco devices, FMC doesn't support the TACACS+ protocol for admin authentication. You must choose between RADIUS or LDAP(S). My organization has been utilizing LDAPS querying an MS AD domain controller. This has worked well enough for my FPR9300-hosted FTD devices. However, it's been really finicky with my FPR2100 series devices.

To better align with our organizational norm for "network devices", I'd like to point FMC and our FTD devices to ISE. Since TACACS+ is off the table, my only option to communicate to ISE is RADIUS. However, (it's better all the time!) our organization's ISE servers are deployed in FIPS mode. As you may know, FIPS mode limits the particular cryptographic algorithms that can be used on the ISE appliance. While testing in production this would not work, and I was left with the feeling that the problem was that the particular flavor of RADIUS used by FMC/FTD wasn't "good enough" to be permitted to communicate to an ISE box running in FIPS mode.

Because I was limited on what I could do in production I deployed a new instance of ISE in a home lab along with FMC and a couple FTDs all in 90-day eval mode. With this lab I was able to confirm that:
1. When ISE was in the default (non-FIPS) mode, authentication from FMC worked just fine. 
2. Once I put the ISE box into FIPS mode authentication from FMC fails. 

I played with some ISE settings (e.g. allowed protocols) but was never able to get this to work when ISE was in FIPS mode. I'm just wondering if any of you Cisco Firepower/Secure Firewall experts out there have run into this issue and if you found any workarounds. Thanks in advance. 

Accepted Solution

Eric R. Jones
Level 4

So here is the section I'm speaking about. We use RADIUS and LDAP for connection to the FMC/FTDs. Unchecking "Allow PAP/ASCII" broke our connections for us.

[Screenshot attached: EricRJones_0-1681254535351.png]

4 Replies

Eric R. Jones
Level 4

We have a STIG requirement to use FIPS where we can. Unfortunately, FIPS doesn't play well with devices using PAP. When we disabled our PAP we were no longer able to access our RADIUS managed devices. We re-enabled PAP and it worked just fine. If you are using PAP then this may be what you are experiencing.
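To make the PAP-versus-FIPS point above concrete, here is an added example that is not code from this thread, from Cisco or from ISE. It implements the RFC 2865 section 5.2 User-Password hiding that a PAP RADIUS client such as FMC performs: the password is padded to 16-octet blocks and XORed against MD5 digests of the shared secret chained with the Request Authenticator. MD5 is not a FIPS-approved algorithm, so a server that is restricted to approved primitives has no approved way to recover the password from a PAP Access-Request; that is the dependency that disappears when "Allow PAP/ASCII" is turned off. The shared secret, authenticator and password below are constructed sample values, and the availability check only reports what the local Python build permits.

```python
"""RFC 2865 User-Password hiding, shown to illustrate why PAP needs MD5."""
import hashlib

# Constructed sample values (not taken from any real deployment).
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_REQUEST_AUTHENTICATOR = bytes(range(16))  # 16 octets, as required by the RFC


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a PAP password as a RADIUS client does (RFC 2865 section 5.2).

    Each 16-octet block is XORed with MD5(secret + previous cipher block);
    the first block chains off the Request Authenticator.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a multiple of 16
    hidden = b""
    chain = request_authenticator
    for offset in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + chain).digest()  # the MD5 dependency
        block = bytes(p ^ k for p, k in zip(padded[offset:offset + 16], keystream))
        hidden += block
        chain = block  # next block chains off the previous hidden block
    return hidden


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Recover the password as the RADIUS server must before checking it.

    Trailing NUL padding is stripped; RFC 2865 leaves a password that itself
    ends in NULs ambiguous, which this helper does not try to resolve.
    """
    if len(hidden) % 16 != 0 or not hidden:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    padded = b""
    chain = request_authenticator
    for offset in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + chain).digest()  # same MD5 step on the server
        block = hidden[offset:offset + 16]
        padded += bytes(c ^ k for c, k in zip(block, keystream))
        chain = block
    return padded.rstrip(b"\x00")


def pap_hiding_available() -> bool:
    """True if this Python build lets us run the MD5 step at all.

    On a FIPS-restricted OpenSSL, hashlib.md5() raises ValueError, which is the
    same situation a FIPS-mode server is in when handed a PAP Access-Request.
    """
    try:
        hashlib.md5(b"probe").digest()
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pw = b"s3cret-pap-password"
    hidden = hide_user_password(pw, SAMPLE_SECRET, SAMPLE_REQUEST_AUTHENTICATOR)
    print("hidden User-Password:", hidden.hex())
    print("recovered:", reveal_user_password(hidden, SAMPLE_SECRET, SAMPLE_REQUEST_AUTHENTICATOR))
    print("MD5 usable on this host:", pap_hiding_available())
```

The round trip works only because both ends can compute MD5; nothing in the exchange offers a SHA-2 or HMAC-based alternative, which is why the practical choices on the page come down to re-enabling PAP/ASCII on the ISE side or moving FMC to LDAPS.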


Nerd_Herd
Level 1

I'm running into the same issue. Did you find a way to use ISE or did you have to switch to LDAP?

Nope, couldn't get this to work. The flavor of RADIUS used by FMC is PAP/ASCII, and this is not allowed on an ISE box running in FIPS mode. We definitely couldn't take ISE out of FIPS mode for just a few devices. With no other options, I stuck with LDAP. After working through a few quirks, that's been working fine. To be as secure as possible, we're running one of the encrypted versions. FYI, FMC allows two options for TLS-encrypted LDAP. Would be super awesome if Cisco upgraded the particulars of the RADIUS protocol implementation on FMC/FTD devices in some future release. I will admit that I haven't looked into this in over a year. So, I suppose it's possible they already have. However, if you're running into the same problem, and assuming you're running a newish version of FTD code, I assume they have not.
