Re: NEAT configuration help - ISE with FIPS enabled (2024)

Hi,

When FIPS is enabled, the cryptographic algorithms used for authentication and encryption must meet specific FIPS requirements. EAP-MD5 is not a FIPS-approved algorithm, so it cannot be used when FIPS is enabled.

One option for NEAT configuration with FIPS enabled is to use a FIPS-approved EAP method, such as EAP-TLS (Transport Layer Security) or PEAP (Protected Extensible Authentication Protocol). These methods use FIPS-approved cryptographic algorithms for authentication and encryption.

The certificates that are installed in Cisco ISE must be re-issued if the encryption method that is used in the certificates is not supported by FIPS.

When you enable the FIPS mode, the following functions are affected:

- Lightweight Directory Access Protocol (LDAP) over SSL

Cisco ISE enables FIPS 140 compliance via RADIUS shared secret and key management measures. When the FIPS mode is enabled, any function that uses a non-FIPS-compliant algorithm fails.

When you enable the FIPS mode:

- All non-FIPS-compliant cipher suites are disabled for EAP-TLS, PEAP, and EAP-FAST.
- All non-FIPS-compliant cipher suites are disabled in SSH.
- Certificates and private keys must use only FIPS-compliant hash and encryption algorithms.
- RSA private keys must be 2048 bits or greater.
- ECDSA private keys must be 224 bits or greater.
- ECDSA server certificates work with only TLS 1.2.
- DHE ciphers work with DH parameters of 2048 bits or greater for all ISE TLS clients.
- 3DES ciphers are not allowed for Cisco ISE as a server.
- SHA-1 is not allowed for generating certificates.
- SHA-1 is not allowed in client certificates.
- The anonymous PAC provisioning option in EAP-FAST is disabled.
- The local SSH server operates in FIPS mode.

The following protocols are not supported for RADIUS:

- EAP-MD5
- PAP
- CHAP
- MS-CHAPv1
- MS-CHAPv2
- LEAP

Once the FIPS Mode is enabled, all the nodes in the deployment are rebooted automatically. Cisco ISE performs a rolling restart by first restarting the primary PAN and then restarting each secondary node, one at a time. Hence, it is recommended that you plan for the downtime before changing the configuration.

Another option is to use a non-EAP method, such as MAC Authentication Bypass (MAB), which does not require cryptographic algorithms and can be used with FIPS enabled.


Thanks,
G.Srinivasan
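Before flipping FIPS mode on, the practical question from the reply above is whether the certificates already loaded on ISE (and on the NEAT supplicant/authenticator switches) will survive it. The script below is an added example, not part of the reply or of any Cisco tool: it reads the text form of an X.509 certificate as printed by `openssl x509 -noout -text` and reports which of the rules quoted above it would break (RSA key under 2048 bits, ECDSA key under 224 bits, SHA-1 or MD5 signature hash). The thresholds are the ones stated in the reply; the function names, the parsing of OpenSSL's output format, and the idea of running this as a pre-flight check are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-flight certificate check
# against the FIPS-mode rules quoted in the reply. Function names and the
# parsing of `openssl x509 -text` output are assumptions of this example.

# fips_check_text: reads `openssl x509 -noout -text` output on stdin.
# Prints one "FAIL:" line per violation; returns 0 if compliant, 1 otherwise.
fips_check_text() {
    text=$(cat)
    rc=0
    # First "Signature Algorithm:" line (it appears twice in -text output).
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # OpenSSL 1.1 prints "RSA Public-Key: (N bit)", OpenSSL 3 prints "Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/^ *\(RSA \)\{0,1\}Public-Key: (\([0-9]*\) bit).*/\2/p' | head -n 1)

    # Rule: SHA-1 is not allowed for certificates (MD5 is not FIPS-approved either).
    case "$sig" in
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*)
            echo "FAIL: signature hash '$sig' is not FIPS-approved"; rc=1 ;;
    esac

    # Rules: RSA keys >= 2048 bits, ECDSA keys >= 224 bits.
    case "$alg" in
        rsaEncryption)
            if [ "${bits:-0}" -lt 2048 ]; then
                echo "FAIL: RSA key is ${bits:-?} bits; FIPS mode requires 2048 or more"; rc=1
            fi ;;
        id-ecPublicKey)
            if [ "${bits:-0}" -lt 224 ]; then
                echo "FAIL: ECDSA key is ${bits:-?} bits; FIPS mode requires 224 or more"; rc=1
            fi ;;
        *)
            echo "FAIL: unrecognised public key algorithm '$alg'"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $alg ${bits}-bit key, signature $sig"
    return "$rc"
}

# fips_cert_check FILE.pem: same check for a PEM certificate on disk.
fips_cert_check() {
    openssl x509 -in "$1" -noout -text | fips_check_text
}

# Usage: fips_cert_check /path/to/ise-system-cert.pem
```

Run it over every system and trust certificate exported from ISE (and the supplicant certificates on NEAT switches) before enabling FIPS; any FAIL line means that certificate has to be re-issued first, which is the re-issue step the reply refers to. The check only covers the certificate rules; cipher-suite and DH-parameter settings on peers still need to be reviewed separately.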
