Occasional Contributor II

NON-FIPS to FIPs mode

Requirement: move production ClearPass from non-FIPS to FIPS.

My knowledge of this is limited; the only thing I know is that it will wipe all config and anything present on ClearPass, so my questions are:

1) How do I start planning?

2) What information would I need to gather?

3) How can config be moved from non-FIPS to FIPS?

4) Certificates, identity sources, ?? What else do I need to map out?

Basically, I have no information on how to start working on this and get it done.


Accepted Solutions
Aruba Employee

Re: NON-FIPS to FIPs mode

The database is reset when you enable FIPS mode in CPPM. A configuration backup file from non-FIPS mode cannot be restored in FIPS mode. You may want to try to export services, authentication methods and sources, posture and enforcement policies, and network devices under Configuration and import them back once FIPS is enabled.

Legacy authentication methods such as EAP-MD5 and the MD5 digest algorithm are not supported in FIPS mode. You cannot import certificates that were created with the MD5 authentication type into the Certificates Trust List. The server reboots when you enable FIPS mode. You need to log in again to the Admin UI.

I'd recommend working with Aruba TAC.



All Replies
Occasional Contributor II

Re: NON-FIPS to FIPs mode

Anyone? 

MVP Expert

Re: NON-FIPS to FIPs mode

You won’t be able to restore into FIPS from a non-FIPS full backup, but you should be able to import the existing services (including auth sources).

You should be able to import the existing certificates.


Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Pardon typos sent from Mobile

Occasional Contributor II

Re: NON-FIPS to FIPs mode

Hi Victor,

So how should I start planning this? What are all the things that I should look for? When we say import existing services, does that mean they can be imported or do they need to be reconfigured?

How about policies, etc.?

MVP Expert

Re: NON-FIPS to FIPs mode

Are you planning on standing up a new virtual ClearPass in FIPS mode? Or new HW?


Thank you

Victor Fabian

Occasional Contributor II

Re: NON-FIPS to FIPs mode

It's hardware 500 and not in HA, so we need to change and rebuild. Any suggestions on what planning to do? What I know:

1) Auth - Wired / EAP-TLS, internal CA

2) Minimal users

3) No external sources other than AD

MVP Guru

Re: NON-FIPS to FIPs mode

Please double-check that you absolutely require ClearPass to run in FIPS mode, and also that you can.

As Anish mentioned, MD5 and EAP-MD5 are disabled in FIPS mode, and some wired IP phones and other older devices are known to do EAP-MD5 only. Also, I have seen that the default for MAC authentication in Juniper switches is to use MD5. It seems that you can use PAP and EAP-PEAP in recent versions, but please be aware of that before switching on FIPS.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
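
An added example, not part of the thread and not Aruba tooling: the accepted answer notes that certificates created with MD5 cannot be imported into the Certificates Trust List in FIPS mode, so a pre-migration check can flag them among the certificates exported from the non-FIPS server. It assumes "created with MD5" means the certificate's signature algorithm is md5WithRSAEncryption; the function names and the skeleton sample certificate are constructed for illustration.

```python
import base64
import re

# DER-encoded signatureAlgorithm OIDs -> (name, uses MD5).
SIG_ALGS = {
    "2a864886f70d010104": ("md5WithRSAEncryption", True),
    "2a864886f70d010105": ("sha1WithRSAEncryption", False),
    "2a864886f70d01010b": ("sha256WithRSAEncryption", False),
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signature_oid(der):
    """Hex of the outer signatureAlgorithm OID of an X.509 certificate."""
    tag, start, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)       # tbsCertificate, skipped
    _, alg_start, _ = read_tlv(der, tbs_end)   # signatureAlgorithm SEQUENCE
    oid_tag, a, b = read_tlv(der, alg_start)   # algorithm OID
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate")
    return der[a:b].hex()

def audit(data):
    """(algorithm, uses_md5) per certificate in a PEM bundle or one DER blob."""
    ders = [base64.b64decode(m) for m in PEM_RE.findall(data)] or [data]
    oids = [signature_oid(d) for d in ders]
    return [SIG_ALGS.get(o, ("unknown " + o, False)) for o in oids]

def tlv(tag, body):  # short-form DER element, enough for constructed samples
    return bytes([tag, len(body)]) + body

def skeleton_cert(oid_hex):
    """Constructed sample: certificate-shaped DER with an empty tbsCertificate."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00"))

if __name__ == "__main__":  # constructed MD5-signed sample
    print(audit(skeleton_cert("2a864886f70d010104")))
```

Any entry reported with `True` would need to be reissued with a stronger digest before the import into the FIPS-mode server; the check looks only at each certificate's own signature algorithm, not at how clients authenticate.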