Re: CSCwb77915 - Toggle to enable/disable RSA PSS cipher

jan.murin · ‎03-23-2023

Hi everyone,

was the toggle implemented? Trying to find it, but no luck.

Thanks

LordOfThePings · ‎04-20-2023

Bump... I am not seeing it either. We had the work-around applied and I am trying to figure out if P6 ignores it based on the new configuration before applying it.

Thanks

AndersM · ‎05-03-2023

Another Bump.

We have the same problem. We are doing a POC on Cisco ISE and Meraki WIFI. Part of our PC fleet can`t connect to WIFI.
If i remove RSS PSA cipher on device, it will connect.

We are running ISE 3.1 Patch 5.

LordOfThePings · ‎05-03-2023

So this is what we discovered... The original work-around for this had to be applied by TAC because it required root access to each PSN. If you had that implemented previously and then applied P6, it would revert those changes back to the baseline. To "reimplement" the work-around, you have to do it via the CLI. Use "app configure ise" and select option "[33] Enable/Disable/Current_status of RSA_PSS signature for EAP-TLS". From what I gathered from TAC, once this is implemented, it should stay implemented for future patches...but we shall see. Cisco's documentation / release notes suck... (shocker, I know).

In Cisco's defense, this isn't to fix any bug in ISE - the bug is actually in the TPM. They are just creating a work-around for customers.

Matt

LordOfThePings · ‎05-03-2023

Anders... I guess to answer your question, just apply P6 and use the CLI work-around above and you will be fixed.

Matt

AndersM · ‎05-03-2023

Hi Matt,

Thanks alot for your respones. We will give it a go.

AndersM · ‎05-04-2023

Hi Matt,

Just wanted to let you know that the issue is now resolved. Thanks for the fix