topic Re: TLS v1.2 Weak Cipher suites on PSN in Network Access Control

TLS v1.2 Weak Cipher suites on PSN

oumodom — Fri, 10 Jan 2025 08:28:11 GMT

Dear Cisco ISE,

Currently we have vulnerability scan within our lab and found the weak cipher suites as below:

Please let us know if we are running the weak cipher suites above or not?
Does ISE only use the CBC or GCM if we are running EAP-TLS and MSCHAPv2?
If the supplicant is Windows 11 with Secure Client, so it automatically runs TLS v1.2?

Re: TLS v1.2 Weak Cipher suites on PSN

Rob Ingram — Fri, 10 Jan 2025 08:34:31 GMT

@oumodom from ISE 3.3 you can select ciphers to enable/disable. The guide below has a list of supported ciphers and describes how to select the ciphers to use.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-33/221570-configure-ciphers-in-ise-3-3-and-later.html

Re: TLS v1.2 Weak Cipher suites on PSN

Arne Bier — Fri, 10 Jan 2025 21:46:52 GMT

Out of curiosity, what version of ISE are you using? Are you able to configure TLS 1.3 for your test? It appears that you can't disable TLS 1.2 though.

What Security Settings are in place during your test?

You can also manually configure the ciphers if needed ...

Re: TLS v1.2 Weak Cipher suites on PSN

Arne Bier — Fri, 10 Jan 2025 22:20:11 GMT

Regarding the EAP Server component in ISE, you asked the questions:

Does ISE only use the CBC or GCM if we are running EAP-TLS and MSCHAPv2?
If the supplicant is Windows 11 with Secure Client, so it automatically runs TLS v1.2?

I ran a wpa_supplicant eapol_test (version 2.10) test against ISE 3.4 p1 and captured the Server Hello from ISE. By default, the eapol_test client will try TLS 1.2 during the Client-Hello (which is consistent with most OS supplicants) - and ISE responds accordingly:

In ISE Live Logs Details pane:

With eapol_test, you can force TLS versions to test the EAP server support. I did that by disabling all TLS versions except 1.3 and ISE supports it (ISE 3.4 p1) - whether Windows/iOS/MAC/SecureClient supplicants support this, is not clear to me:

Here is my eapol_test config file

eapol_version=3 network={ phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0" ssid="example" bssid=00:11:22:33:44:55 proto=WPA key_mgmt=WPA-EAP eap=TLS identity="host/demopc.rnlab.local" #ca_cert="/home/abier/wpa/RNLAB-ROOTCA.pem" client_cert="/home/abier/wpa/demopc.cert" private_key="/home/abier/wpa/demopc.key" eapol_flags=3 }

Re: TLS v1.2 Weak Cipher suites on PSN

oumodom — Mon, 13 Jan 2025 09:18:16 GMT

So helpful for my inquiry @Arne Bier as our ISE LAB, running v3.1 P9.
I can see mine is using TLS v1.2 with TLSCipher ECDHE-RSA-AES256-GCM-SHA384

So how to list all cipher suites which cisco ise in CLI ? and how to disable such weak cipher suites below?

Re: TLS v1.2 Weak Cipher suites on PSN

Arne Bier — Sat, 18 Jan 2025 21:18:45 GMT

You can't manage the TLS ciphers through the ISE CLI. You must do that through the GUI (please see the screenshots I posted earlier). The ISE CLI allows you to manage the SSH protocols a bit better.

Re: TLS v1.2 Weak Cipher suites on PSN

oumodom — Wed, 22 Jan 2025 04:44:46 GMT

As from lab I configured, as noticed Ciphersuite depend on supplicant selective which from Client hello message, not from Cisco ISE selective.

If so if there any standard workflow/document from cisco to be selected the best one on ciphersuite between endpoint and ISE? and any mentioned on endpoint which running secure client agent is require TLS v1.2 mandatory for cipher suite?

I raised up this idea because in case, endpoint/supplicant having hello message with weak cipher suite, there will be breakable for attacker.

what is your idea @Arne Bier @Rob Ingram for above concern?

please refer to figure below.
There are 21 cipher suites from endpoint on Client Hello.

While Server Hello provided the highest one to endpoint on cipher.

Re: TLS v1.2 Weak Cipher suites on PSN

Arne Bier — Wed, 22 Jan 2025 05:51:37 GMT

I don't know what the RFC says (maybe need to research that a bit) but it was my understanding that it's the Authenticating Server (ISE) that has the final say, after it compares the Client Hello capabilities against its own - and in the ISE code there must be some ranking that takes the best of the available ciphers. All we can do in the ISE GUI is to deselect the ones we don't want to use (even if the client supports them). Whatever ciphers remain in the list of candidates will determine the winner - and I don't know how ISE selects - I would hope it's following some industry standard that e.g. prefers GCM over CBC etc.

Are you satisfied with what you see in the Server Hello, or did you expect a different result?

I don't think TLS 1.2 is susceptible to a downgrade attack. If you want an excellent guide on TLS, you should check out the work by Ed Harmoush. He has some great videos and podcast appearances and also offers paid for training on TLS (for the ultimate TLS nerds). Check out his talk on TLS 1.3 on this packet pushers podcast episode. He would know the answer to this instantly.

Re: TLS v1.2 Weak Cipher suites on PSN

oumodom — Wed, 22 Jan 2025 06:29:18 GMT

I have no objection on your idea and would make scenes on decision making from ise, not from endpoint.
What the priority/order on cipher suites is key to be documented from cisco vendor.

Re: TLS v1.2 Weak Cipher suites on PSN

Arne Bier — Wed, 22 Jan 2025 20:54:22 GMT

The best we have is what's mentioned in Admin Guide under Cipher Suites. But the order in selection is not mentioned. Perhaps it's obvious that 384 will be chosen over 256 etc. And also, you can elect to disable RSA and use ECDSA instead - so by constraining the ISE supported ciphers to suit your organization's needs. This of course will only work if your end devices supports what ISE supports. It looks like ISE has a very good and up to date cipher suite.

Regarding the documentation, at the very top of the link I posted above, you can give Cisco direct feedback to please clarify this process

Re: TLS v1.2 Weak Cipher suites on PSN

mbuzaglo — Tue, 28 Jan 2025 14:31:16 GMT

Please note that currently this configuration not relevant for ISE as EAP server

Re: TLS v1.2 Weak Cipher suites on PSN

oumodom — Wed, 29 Jan 2025 04:54:10 GMT

@mbuzaglo Could you elaborate more with your idea?