topic ISE selects weak ciphers for EAP-TLS in Network Access Control

ISE selects weak ciphers for EAP-TLS

tom.barat@dimensiondata.com — Fri, 21 Feb 2020 19:12:14 GMT

Hello,

I am facing a strange issue on ISE 2.6 deployment (latest patch installed).

I have windows clients (7 & 10) authentication through EAP-TLS. They offer 14 ciphers during the TLS handshake, with TLS_ECDHE_RSA_AES256_CBC_SHA being the strongest one, and TLS_RSA_RC4_128_MD5 being the weakest one.

I have two different behaviors depending on what i configure on ISE side :

- If weak ciphers is disabled in the allowed protocols for the matched policy => ISE rejects the client saying it has no common cipher / the client only supports weak ciphers.

- If weak ciphers is enabled => ISE selects the weakest possible cipher in its server hello.

I was not able to find relevent information in the doumentation or bug search tool.

I am wondering whether this could be a misconfiguration on ISE or maybe a bug.

Unfortunately i can't share packet captures as they include client identity and customer name in EAP packets.

Any help is welcome.

Re: ISE selects weak ciphers for EAP-TLS

Arne Bier — Mon, 02 Dec 2019 23:43:49 GMT

it sounds like you have done a wireshark analysis of the TLS handshake. You have listed 14 offered ciphers (from the client side) - what is the ISE response to that? You should be able to see that in the wireshark too. Are you using a hardened version of Win7/10 by any chance?

Re: ISE selects weak ciphers for EAP-TLS

hslai — Sat, 07 Dec 2019 21:06:16 GMT

If using ISE 2.6+, the settings needed are Allow SHA1 ciphers and "Allow only TLS_RSA_WITH_AES_128_CBC_SHA" as shown below. The other weak cipher option is to support RC4 for some legacy devices.

Re: ISE selects weak ciphers for EAP-TLS

tom.barat@dimensiondata.com — Tue, 10 Dec 2019 10:26:18 GMT

Hello,

A great thank you, this was indeed the missing setting. Thank you for explaining the difference between weak ciphers and sha1 options.

Have a nice day.