topic Re: Cisco ISE 3.x Supported Ciphers in Network Access Control

Cisco ISE 3.x Supported Ciphers

P333EVS1 — Tue, 20 Sep 2022 11:57:25 GMT

Hi,

I'm having issues getting some IoT devices authenitcating with Cisco ISE. We are running ver 3.1.

The supplier says his devices support

TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8

In Cisco ISE > Settings > Security Settings

i have disabled TLS 1.0 and disabled SHA1 ciphers.

if i enable both of those settings the device is able to auth ok. Is there a list somewhere of which ciphers cisco ISE supports? Cant understand why enabling SHA1 allows the above to work.

Re: Cisco ISE 3.x Supported Ciphers

balaji.bandi — Tue, 20 Sep 2022 12:16:54 GMT

Look at release notes : - due to security reason those ciphers are disabled by default.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/release_notes/b_ise_31_RN.html

supported matrix :

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/compatibility_doc/b_ise_sdt_31.html#id_89206

Re: Cisco ISE 3.x Supported Ciphers

P333EVS1 — Tue, 20 Sep 2022 12:32:05 GMT

thanks - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is enabled by default.

In Cisco ISE Radius logs. is there a way to see what cipher was used? If the authentication fails, it says. but if it succeeds there's no mention of the cipher userd.

Failed Auth

Successful Auth

Re: Cisco ISE 3.x Supported Ciphers

thomas — Sun, 02 Oct 2022 17:27:44 GMT

You may submit that as an enhancement request @ https://cs.co/ise-wish