topic Sellect different ciphers in ISE 2.3 and forward for EAP-TLS for different rules in Network Access Control

Sellect different ciphers in ISE 2.3 and forward for EAP-TLS for different rules

henrikj — Fri, 21 Feb 2020 18:41:14 GMT

I want to be able to enable or disable specific ciphers or TLS versions for a specific authentication protocol definition
Policy -> Policy elements -> Authentication -> Allowed protocols

Currently all I can do is enable or disable weak ciphers (see attached picture), or enable or disable TLS1.0/TLS1.1 installation-wide (Admin -> System -> Settings -> Protocols -> Security settings).

Are there any plans for doing this in the future ?

If not, then please add options to enable or disable these already-existing settings to the auth protocol definition settings.

For cipher suite selections, I don't need a fancy cipher suite selection UI - a simple string field for cipher suites (as input to OpenSSL) would be fine. But a simple "enable weak ciphers" is not good enough, if I for some reason need to disable a specific cipher set.

Regards Henrik

Re: Sellect different ciphers in ISE 2.3 and forward for EAP-TLS for different rules

surasky — Sat, 16 Dec 2017 08:11:38 GMT

Hello Henrik,

My name is Tal Surasky and I'm one of ISE's product manager.

Currently changing protocols settings is something we can do in a deployment-wide settings only and not as you requested, per policy.

Can you please elaborate on the use case and why do you need this option?

Thanks

Tal

Re: Sellect different ciphers in ISE 2.3 and forward for EAP-TLS for different rules

henrikj — Tue, 02 Jan 2018 14:06:23 GMT

The use cases for changing TLS cipher/protocol settings per policy, and not deployment-wide, are the following:

Enabling enterprise clients to use more strict cryptographic settings, than BYOD/non-enterprise devices

Deprecating weak ciphers faster
Only using the newest protocol versions
Synchronized security policy with Group Policies for Windows clients, etc.

Possibility to act fast on enterprise clients and change cipher and protocol settings with a better granularity, based on risk assessment and vulnerability reports etc.
Possibility to differentiate clients based on cryptographic settings

Placing clients without updated GPO with missing settings in a “high-risk” network or in network for remediation / GPO update, opposed to dealing with disconnected clients after security settings have been strengthened

Might even want to use very weak ciphers for special devices (printers, phones, etc) instead of MAB – as security is still higher. But do NOT want to use weak crypto settings on enterprise devices. Need to have separate policies for the two.

Eg. Use EAP-PEAP-MD5 or similar as replacement for MAB, for devices that support EAP – but will most certainly have devices that only support older protocol versions and weaker ciphers

Re: Sellect different ciphers in ISE 2.3 and forward for EAP-TLS for different rules

vusandlovu — Thu, 18 Apr 2019 10:32:01 GMT

Hi henrikj

Did you get a response on this? l need to do the same too.

Thanks

Vusa

Re: Sellect different ciphers in ISE 2.3 and forward for EAP-TLS for different rules

henrikj — Wed, 01 May 2019 10:34:50 GMT

No 😞

Re: Sellect different ciphers in ISE 2.3 and forward for EAP-TLS for different rules

hslai — Sun, 12 May 2019 00:11:48 GMT

How to Ask The Community for Help outlines,

...

No Comment on Roadmaps or Fixes
New Features and Feedback

...