This document describes the Federal Information Processing Standards (FIPS) compliant protocols on the Identity Services Engine (ISE) and the common problems encountered while enabling FIPS. FIPS are the standards developed by the United States Federal Government for use in computer systems by non-military government agencies and government contractors.
There are no specific requirements for this document.
The information in this document is based on ISE 2.1 version.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Configure FIPS Mode on ISE
In order to ensure the ISE deployment is FIPS compliant, there is an option in ISE to turn on FIPS mode. Navigate to Administration > System > Settings > FIPS.
In this mode, only the limited set of protocols listed on that page is allowed to be used for authentications.
Note: EAP-TLS L-bit Protocol is not FIPS compliant and is not allowed in FIPS mode.
Note: The anonymous PAC provisioning option in EAP-FAST is not allowed in FIPS mode.
Note: Certificates and private keys must use only FIPS compliant hash and encryption algorithms. The private keys should be larger than 1024 bytes in length.
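Before FIPS mode is enabled, it is worth auditing the certificates that ISE will present (system, EAP, and trusted CA certificates) against the rule above. The following script is an added example, not part of the original Cisco document and not an ISE tool; it assumes the openssl CLI is available and checks each PEM certificate's signature hash, key type, RSA key length and (for EC keys) the curve. The 2048-bit RSA threshold is a value chosen for this example and is configurable via MIN_RSA_BITS; it is not taken from the page.

```shell
#!/bin/sh
# fips_cert_check: audit PEM certificates for properties that commonly block
# FIPS mode (weak signature hash, short RSA key, non-NIST curve).
# Assumes the openssl CLI is on PATH. Example code, not from Cisco or ISE.

# Minimum RSA modulus length in bits (assumed threshold, override via env).
MIN_RSA_BITS="${MIN_RSA_BITS:-2048}"

# Check one certificate file. Prints "OK <file>" or "FAIL <file>: <reasons>"
# and returns 0 when the certificate passes, 1 otherwise.
fips_cert_check() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL $cert: not a readable X.509 certificate"
        return 1
    }

    # First "Signature Algorithm:" line is the one from the TBS certificate.
    sigalg=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ {print $3; exit}')
    keyalg=$(printf '%s\n' "$text" | awk '/Public Key Algorithm:/ {print $4; exit}')
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    curve=$(printf '%s\n' "$text" | awk '/NIST CURVE:/ {print $3; exit}')

    reasons=""

    # Reject MD2/MD5/SHA-1 based signatures; SHA-2 family is expected.
    case "$sigalg" in
        *md2*|*md5*|*sha1*|*MD2*|*MD5*|*SHA1*)
            reasons="$reasons signature-hash=$sigalg;" ;;
    esac

    case "$keyalg" in
        rsaEncryption)
            if [ -z "$bits" ] || [ "$bits" -lt "$MIN_RSA_BITS" ]; then
                reasons="$reasons rsa-bits=${bits:-unknown}<$MIN_RSA_BITS;"
            fi ;;
        id-ecPublicKey)
            # Only the NIST prime curves are accepted in this example.
            case "$curve" in
                P-256|P-384|P-521) ;;
                *) reasons="$reasons ec-curve=${curve:-unknown};" ;;
            esac ;;
        *)
            reasons="$reasons key-algorithm=${keyalg:-unknown};" ;;
    esac

    if [ -n "$reasons" ]; then
        echo "FAIL $cert:$reasons"
        return 1
    fi
    echo "OK $cert"
    return 0
}

# Usage: sh fips_cert_check.sh cert1.pem cert2.pem ...
rc=0
for f in "$@"; do
    fips_cert_check "$f" || rc=1
done
```

Run it over the PEM files exported from Administration > System > Certificates; any line starting with FAIL names a certificate that should be replaced before FIPS mode is turned on. Exporting and re-importing certificates is done in the ISE GUI as usual; the script only reports.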
Common problems while enabling FIPS mode
Allowed Protocols services that use non-FIPS compliant protocols.
Error Message: 'The following "Allowed Protocols" are configured to use non-FIPS compliant protocols. FIPS can not be enabled until these "Allowed Protocols" are deleted or they are edited to use only FIPS compliant protocols.'
Edit allowed protocols to disable non-compliant protocols.
Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols.
These services can be either deleted or edited so that they no longer use non-FIPS compliant protocols.
The greyed out check-boxes of the protocols in this image are not FIPS compliant. Only the protocols that are not greyed out can be used in FIPS mode.
FIPS cannot be enabled if there are pxGrid nodes in deployment.
Disable the pxGrid persona on all nodes
The pxGrid service is not compliant with FIPS standards. Hence, pxGrid cannot be enabled on any of the nodes in the deployment.
In order to disable the pxGrid Service, navigate to Administration > System > Deployment. Select the nodes mentioned in the error and uncheck the pxGrid persona for that node and save the configuration as shown in the image.