NON-FIPS to FIPs mode

  • 1.  NON-FIPS to FIPs mode

    Posted Jun 24, 2020 01:56 PM
    This was done. I have posted a recording at the end of the thread!

    Requirement: move production ClearPass from non-FIPS to FIPS.

    My knowledge on this is limited; the only thing I know is that it will wipe off all config and anything present on ClearPass, so my questions are:

    1) How do I start planning?

    2) What information would I need to gather?

    3) How can config be moved from non-FIPS to FIPS?

    4) Certificates, identity sources, ?? What else do I need to map out?

    Basically I have no information on how to start working on this and get it done.



  • 2.  RE: NON-FIPS to FIPs mode
    Best Answer

    Posted Jun 25, 2020 07:49 AM

    Anyone? 



  • 3.  RE: NON-FIPS to FIPs mode
    Best Answer

    Posted Jun 25, 2020 08:17 AM
    You won't be able to restore into a FIPS system from a non-FIPS full backup, but you should be able to import the existing services (including auth sources).

    You should be able to import the existing certificates.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 4.  RE: NON-FIPS to FIPs mode
    Best Answer

    Posted Jun 25, 2020 08:23 AM

    Hi Victor,

     

    So how should I start planning this? What are all the things that I should look for? When we say import existing services, does that mean they can be imported, or do they need to be reconfigured?

    How about policies, etc.?



  • 5.  RE: NON-FIPS to FIPs mode
    Best Answer

    Posted Jun 25, 2020 09:55 AM
    Are you planning on standing up a new virtual ClearPass in FIPS mode? Or new HW?



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 6.  RE: NON-FIPS to FIPs mode
    Best Answer

    Posted Jun 27, 2020 11:06 PM

    It's a hardware 500 and not in HA, so it needs to be changed and rebuilt. Any suggestions on what planning to do? What I know:

    1) Auth - wired, EAP-TLS with internal CA

    2) Minimal users

    3) No external sources other than AD



  • 7.  RE: NON-FIPS to FIPs mode
    Best Answer

    Posted Jun 28, 2020 12:29 AM

    The database is reset when you enable FIPS mode in CPPM. A configuration backup file from non-FIPS mode cannot be restored in FIPS mode. You may want to try to export services, authentication methods and sources, posture and enforcement policies and network devices under Configuration and import them back once FIPS is enabled.

    Legacy authentication methods such as EAP-MD5 and the MD5 digest algorithm are not supported in FIPS mode. You cannot import certificates that are created with the MD5 authentication type to the Certificate Trust List. The server reboots when you enable FIPS mode. You need to log in again to the Admin UI.

    I'd recommend working with Aruba TAC.
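
An added pre-migration check, written for this thread rather than taken from any poster or from Aruba: it reads each PEM certificate's outer signatureAlgorithm OID with only the Python standard library and flags the MD5-based ones that, as noted above, cannot be imported into a FIPS-mode trust list. The two sample certificates are constructed skeletons (placeholder tbsCertificate, dummy signature), not real certificates; point `check_cert` at the PEMs from your certificate backup.

```python
import base64
import re
# Signature-algorithm OIDs whose digest is MD5 (RFC 3279); a FIPS-mode certificate
# import rejects these. Anything else is reported as non-MD5 and left for review.
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.3.14.3.2.3": "md5WithRSA"}

def _read_tlv(buf, pos):  # -> (tag, value_start, value_end) for the DER TLV at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):  # DER OID content bytes -> dotted notation
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set means "continues"
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)  # skip tbsCertificate entirely
    _, alg_start, _ = _read_tlv(der, tbs_end)  # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OID inside AlgorithmIdentifier")
    return _decode_oid(der[oid_start:oid_end])

def check_cert(pem):
    """Report the outer signature algorithm and whether a FIPS import would accept it."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    oid = signature_algorithm_oid(base64.b64decode("".join(body.split())))
    return {"oid": oid, "algorithm": MD5_SIG_OIDS.get(oid, "non-MD5"),
            "fips_importable": oid not in MD5_SIG_OIDS}

def _der(tag, payload):  # short-form DER TLV builder, only for the constructed samples
    return bytes([tag, len(payload)]) + payload
def _constructed_pem(alg_oid_bytes):  # constructed skeleton cert: placeholder TBS, dummy signature
    tbs, alg = _der(0x30, _der(0x02, b"\x01")), _der(0x30, _der(0x06, alg_oid_bytes))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00\x00\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()

MD5_SAMPLE = _constructed_pem(bytes.fromhex("2a864886f70d010104"))     # md5WithRSAEncryption
SHA256_SAMPLE = _constructed_pem(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
```

Only the outer AlgorithmIdentifier is inspected, which is what identifies the signing digest; the inner tbsCertificate is skipped untouched.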



  • 8.  RE: NON-FIPS to FIPs mode

    Posted Jun 29, 2020 05:47 AM

    Please double-check that you absolutely require, and also can run, ClearPass in FIPS mode.

    As Anish mentioned, MD5 and EAP-MD5 are disabled in FIPS mode, and some wired IP phones and other older devices are known to do EAP-MD5 only. Also, I have seen that the default for MAC authentication in Juniper switches is to use MD5. It seems that you can use PAP and EAP-PEAP in recent versions, but please be aware of that before switching on FIPS.



  • 9.  RE: NON-FIPS to FIPs mode

    Posted Jul 23, 2020 03:40 AM

    Hi Team,

    Just to update: thank you for the information, I was able to change mode and restore the config.

    For detailed information I will post the document that I prepared. One must do a LAB before doing this in production.

    It was a success!!



  • 10.  RE: NON-FIPS to FIPs mode

    Posted Aug 19, 2020 08:26 AM

    We're having to go through the same exercise where I work. If you're up for posting the document you were mentioning, aakagarw, I'd love to have a better idea what we're in for.



  • 11.  RE: NON-FIPS to FIPs mode

    Posted Aug 23, 2020 09:33 PM

    Hi,

    Sorry, I had been busy; I will post today.

    _Aakash



  • 12.  RE: NON-FIPS to FIPs mode

    Posted Aug 25, 2020 12:09 AM

    Hi Team,

    I have uploaded videos:

    Pre-Plan - https://www.youtube.com/watch?v=wa-CRhTZkh4

    FIPS Mode Change - https://www.youtube.com/watch?v=o8G-Du6K0_c

    Notes are in the videos.



  • 13.  RE: NON-FIPS to FIPs mode

    Posted Aug 25, 2020 12:12 AM

    FIPS Mode Prep:

    • We took screenshots of most tabs in CPPM
    • We took a server backup of CPPM
    • We backed up certificates
    • !! IMPORTANT !! Back up the XML using a password (if you don't back up using a password then you will have to reconfigure network devices/NADs or usernames/passwords; basically anything with a password will fail when you import unless you back up with a password)
    • You may need to join AD back, so have the Join AD information ready to hand, like the administrator service account
    • You will need to re-create the authentication source from the screenshots, as it will have an issue (!! IMPORTANT !! create it exactly like the old one, with exactly the same name, as the rest of the XML import will be dependent on it)
    • Have the PSK between NAD and CPPM handy (it may not be needed, but have it)
    • Let's start and see