https://community.cisco.com/t5/network-access-control/cisco-ise-how-to-disable-weak-ciphers/m-p/4862214#M582478 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/194407">@Viru_Rajapur</a> you can disable these ciphers, but this feature is only available from ISE 3.3, this has been announced and soon to be released.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/new_and_changed_info.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/new_and_changed_info.html</A></P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_segmentation.html#task_55FD724D084D4C4485B8E25B4560A79E" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_segmentation.html#task_55FD724D084D4C4485B8E25B4560A79E</A></P> <P>&nbsp;</P> Mon, 26 Jun 2023 12:08:09 GMT Rob Ingram 2023-06-26T12:08:09Z https://community.cisco.com/t5/network-access-control/cisco-ise-how-to-disable-weak-ciphers/m-p/4862194#M582477 <P><STRONG>Problem Statement:</STRONG> The vulnerability below were found in our ISE,&nbsp; would like to know&nbsp;<STRONG><U>if there are any methods to disable them.</U></STRONG> If not, is there <STRONG><U>any roadmap from Cisco to get them fixed</U></STRONG>.</P> <P><STRONG><U>ssl-static-key-ciphers</U></STRONG> (TCP 443, 8443, 8444)</P> <P>- TLS_RSA_WITH_AES_128_CBC_SHA</P> <P>- TLS_RSA_WITH_AES_128_CBC_SHA256</P> <P>- TLS_RSA_WITH_AES_256_CBC_SHA</P> <P>- TLS_RSA_WITH_AES_256_CBC_SHA256</P> <P>- TLS_DHE_RSA_WITH_AES_128_CBC_SHA</P> <P>- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</P> <P>- TLS_RSA_WITH_AES_128_CBC_SHA</P> <P>- TLS_RSA_WITH_AES_256_CBC_SHA</P> <P><STRONG><U>ssh-weak-message-authentication-code-algorithms</U></STRONG> (TCP 22)</P> <P>- hmac-sha1</P> <P>&nbsp;</P> <P>Cisco ISE Version 3.0 patch 5</P> Mon, 26 Jun 2023 08:10:42 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-how-to-disable-weak-ciphers/m-p/4862194#M582477 Viru_Rajapur 2023-06-26T08:10:42Z https://community.cisco.com/t5/network-access-control/cisco-ise-how-to-disable-weak-ciphers/m-p/4862214#M582478 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/194407">@Viru_Rajapur</a> you can disable these ciphers, but this feature is only available from ISE 3.3, this has been announced and soon to be released.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/new_and_changed_info.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/new_and_changed_info.html</A></P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_segmentation.html#task_55FD724D084D4C4485B8E25B4560A79E" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_segmentation.html#task_55FD724D084D4C4485B8E25B4560A79E</A></P> <P>&nbsp;</P> Mon, 26 Jun 2023 12:08:09 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-how-to-disable-weak-ciphers/m-p/4862214#M582478 Rob Ingram 2023-06-26T12:08:09Z https://community.cisco.com/t5/network-access-control/cisco-ise-how-to-disable-weak-ciphers/m-p/4862418#M582482 <P><A href="https://www.youtube.com/watch?v=HXt2cjUFcp8&amp;t=1s" target="_blank">https://www.youtube.com/watch?v=HXt2cjUFcp8&amp;t=1s</A></P> Mon, 26 Jun 2023 12:30:26 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-how-to-disable-weak-ciphers/m-p/4862418#M582482 ahollifield 2023-06-26T12:30:26Z https://community.cisco.com/t5/network-access-control/cisco-ise-how-to-disable-weak-ciphers/m-p/4862450#M582485 <P>Regarding&nbsp;</P><P><STRONG><U>ssh-weak-message-authentication-code-algorithms</U></STRONG><SPAN>&nbsp;</SPAN>(TCP 22)</P><P>- hmac-sha1</P><P>You can open a TAC case with Cisco and have a TAC engineer to root into the ISE and modidied the /etc/ssh/sshd_config file as follows:</P><P>Kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256</P><P>MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512</P><P>Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes</P><P>BEFORE modifying /etc/ssh/sshd_config:<BR />debug2: peer server KEXINIT proposal<BR />debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1<BR />debug2: host key algorithms: ssh-rsa,rsa-sha2-256,rsa-sha2-512<BR />debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr<BR />debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr<BR />debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,<STRONG>hmac-sha1</STRONG><BR />debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,<STRONG>hmac-sha1</STRONG><BR />debug2: compression ctos: none,zlib@openssh.com<BR />debug2: compression stoc: none,zlib@openssh.com</P><P>After modifying /etc/ssh/sshd_config:<BR />debug2: peer server KEXINIT proposal<BR />debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256<BR />debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519<BR />debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc<BR />debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc<BR />debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512<BR />debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512<BR />debug2: compression ctos: none,zlib@openssh.com<BR />debug2: compression stoc: none,zlib@openssh.com</P><P>Don't forget to restart sshd service with "service sshd restart".&nbsp; Simple, right?</P> Mon, 26 Jun 2023 12:46:55 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-how-to-disable-weak-ciphers/m-p/4862450#M582485 adamscottmaster2013 2023-06-26T12:46:55Z https://community.cisco.com/t5/network-access-control/cisco-ise-how-to-disable-weak-ciphers/m-p/4862536#M582491 <P>Thank you All for your generous help and letting me know the fix for this.&nbsp;</P> Mon, 26 Jun 2023 14:22:01 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-how-to-disable-weak-ciphers/m-p/4862536#M582491 Viru_Rajapur 2023-06-26T14:22:01Z