topic Does Cisco have any updates in Network Access Control

Fixes planned for bug CSCuv21820?

joshobean — Mon, 11 Mar 2019 05:56:54 GMT

Our Cisco ISE infrastructure is impacted by this bug. Any admin user trying to go to the company sponsor portal or a guest re-directed to the web auth page for guest authentication will now receive the weak key message detailed in the bug description.

Are there any planned fixes? The two work-arounds suggested are not ideal for us. We are using internet explorer to get by for now, but this could negatively impact our guest wireless users who have Firefox.

As of Chrome 45, Chrome will

fields.james — Fri, 31 Jul 2015 10:46:09 GMT

As of Chrome 45, Chrome will now error out on this.

https://www.chromium.org/administrators/err_ssl_weak_server_ephemeral_dh_key

Need a fix, not a browser-side workaround.

Does Cisco have any updates

joshobean — Tue, 04 Aug 2015 13:12:29 GMT

Does Cisco have any updates on this? Currently we are on ISE 1.2, patch 14. I am planning on upgrading to the latest patch level soon, but I would like to hold out in case a fix is around the corner. I saw another forum that said ISE 1.4 was not impacted. We plan on moving to that later this fall, but I would like to remedy this before that.

https://supportforums.cisco.com/discussion/12550791/ise-guestportal-and-diffie-hellman-key-exchange

We asked TAC about a fix for

Matthias Tietze — Thu, 06 Aug 2015 07:27:41 GMT

We asked TAC about a fix for 1.2. They replied that it's not planned to provide a fix for this in version 1.2. TAC recommend the use of the browser based workaround or update ISE to 1.3 or 1.4. Sadly, that's not possible in a hotspot environment to provide the users a fix which weaks TLS/SSL configuration.

From our customer point of view, we cannot understand Cisco in this case - 1.2. isn't EOS, a patch for 1.2 should be self-evident.

Thanks for the reply Matthias

joshobean — Thu, 06 Aug 2015 12:56:07 GMT

Thanks for the reply Matthias. The response you received is unacceptable from my point of view. If this is a current supported version it should be patched, I would think the complaints from customers would be significant for some organizations, not to mention the possible security vulnerabilities from using a weaker DH key type for encryption.

I would make a bigger deal of this but since we should be upgrading and moving to newer equipment soon I will probably just move on.

I'm using 1.2.1.198 and was

Petrus van de Sande — Fri, 21 Aug 2015 09:30:50 GMT

I'm using 1.2.1.198 and was told this was to be fixed in the forthcoming patch level 7 and I'm awaiting a release date for that.

The actual problem is just in the configuration of Tomcat, so it should be a real simple fix...

Are they patching 1.2.0.899?

joshobean — Fri, 21 Aug 2015 12:50:24 GMT

Are they patching 1.2.0.899?

Dunno mate, I'd recommend you

Petrus van de Sande — Fri, 21 Aug 2015 12:57:28 GMT

Dunno mate, I'd recommend you ask Cisco...

Open a TAC case and inquire, you know the Bug ID so it should be fairly simple for them to look at the road maps and tell you.

For Chrome, use this shortcut

Leo Laohoo — Wed, 09 Sep 2015 03:18:00 GMT

For Chrome, use this shortcut:

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe&quot; --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

It is solved in version 1.2.1

Javier Campos — Wed, 09 Sep 2015 04:17:45 GMT

It is solved in version 1.2.1 Patch 7

It looks like 1.2.1 Patch 7

bonomichael — Wed, 09 Sep 2015 14:16:21 GMT

It looks like 1.2.1 Patch 7 does fix this per release notes. (released 8/28/15)
I am also wanting to inquire about a fix for 1.2.1 ?? Anyone out there at Cisco listening here?

correct, the patch 7 is the

Javier Campos — Wed, 09 Sep 2015 14:27:45 GMT

correct, the patch 7 is the solution to version 1.2.1 , I've implemented on 2 customers

they should be fixing 1.2.0

bonomichael — Wed, 09 Sep 2015 14:58:46 GMT

they should be fixing 1.2.0 too. No reason something that is not EOL/EOS shouldn't have a patch

Sadly this does not appear to

joshobean — Wed, 09 Sep 2015 15:25:04 GMT

Sadly this does not appear to be the case. The issue is escalating in our environment, and we are likely going to be forced to upgrade ISE, which other than this bug is working perfectly and is very stable. I'm not happy to say the least.

I got this response from TAC this morning:

*****

Josh,

Unfortunately the 1.2.0 code train is at the end of it’s software life cycle for new patches. However, the mostly recent (and also final) patch on 1.2.1, patch 7, includes the fix. Basically, to resolve the behavior an upgrade to 1.2.1 Patch 7 is the minimum requirement.

*****

Not sure i understand how

bonomichael — Wed, 09 Sep 2015 15:34:56 GMT

Not sure i understand how this could be "1.2.0 code train is at the end of it’s software life cycle for new patches. " given the fact that there has been no EOL announcement.

I will be escalating this with my account team.

Anyway you can provide your TAC case # so that I can add ammo when reporting to my AM?

Happy to provide that info:

joshobean — Wed, 09 Sep 2015 15:46:07 GMT

Happy to provide that info: SR 636260175.

Let me know if you get any traction with your account rep. I know a major code upgrade is coming for my environment eventually, but if a patch would get us through the end of this year on code 1.2.0 that would help tremendously.

Hi there.Yes Cisco should

turklandbank — Fri, 18 Sep 2015 12:41:49 GMT

Hi there.

Yes Cisco should find a fix for their devices as soon as possible. I agree.

BUT,

We should complain to Google too. Their approach on forcing security is not quite true i beleive. They must consider to mask the Internal SSL certificated web servers of some specific devices with private IP adresses. Corporate Captive portals, corporate guest portals and corporate sponsor portals are not a thread to mobile phones.

Cisco may not fix the problem on every type of devices quickly.

worked through my account

bonomichael — Fri, 18 Sep 2015 13:26:44 GMT

worked through my account team. Cisco does not publish EOL for software. but ISE 1.2.0 is no longer updated. As easy as it would be to create a patch for 1.2.0 for this issue, they wont. 1.2.1 Patch 7 is minimum.

in the mean time, direct users to IE or safari. they are currently unaffected as far as i know. having users (mostly guest in my case) disable ciphers in their browsers is just not going to happen.

Dittos...we applied 1.2.1.x

Nickolus Looper — Fri, 18 Sep 2015 13:39:20 GMT

Dittos...we applied 1.2.1.x Patch 7 a few days ago, and it was quick and painless...services restarted but there was no full ISE reboot. We went from tons of guest complaints daily to smooth sailing. As always read all caveats and know your own environment to the extent possible, but seems that it's this patch, upgrade to 1.3, or have a ton of unsatisfied customers.

Did you upgraded from 1.2 to

joshobean — Fri, 18 Sep 2015 13:44:49 GMT

Did you upgraded from 1.2 to 1.2.1 for this fix? Or just apply Patch 7 while already on 1.2.1 code? I have a distributed ISE deployment, and I didn't think going from any version to another was a simple matter with ISE, although I agree applying a patch is usually no sweat if it is to existing code.