This is a bug report for ISE from a VPN developer. I do not have a contract.
Symptom:
In ISE, if Require cryptobinding TLV is checked in the PEAP options (Policy > Policy Elements > Allowed Protocols), ISE will perform cryptobinding verification. The verification per se may succeed, but the MPPE keys derived from the PEAP channel are wrong in this scenario.
This issue causes Windows VPN clients to fail to connect to Windows RAS servers that forward authentication to ISE.
Explanation:
MS-PEAP requires that if a cryptobinding TLV is exchanged between client and server, the inner session key should be derived from the inner EAP method. However, ISE fails to do that. It always derives the key from the outer method (i.e. PEAP).
This bug is not noticeable from the ISE log because authentication and cryptobinding have succeeded; only the keys exported to the NAS are wrong, leading to VPN sessions being forcibly cut off by the NAS.
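To make the two key paths concrete, here is an added example (not code from the report or from ISE) that derives the MS-MPPE keys both ways from constructed inputs: the plain PEAPv0 path that takes the MSK straight from the TLS key block, and the cryptobinding path that runs TK and the inner method's ISK through IPMK/CMK and CSK as [MS-PEAP] describes. The TLS key block and ISK values are constructed, and the exact byte layout of the PRF+ suffix is my reading of the spec, so treat it as an assumption; the point the example demonstrates is that the keys a NAS receives must come from the CSK path whenever a cryptobinding TLV was exchanged.

```python
import hashlib
import hmac

# Constructed inputs (not captured from a real session).
TLS_KEY_BLOCK = hashlib.sha256(b"constructed TLS key material").digest() * 4  # 128 bytes
INNER_ISK = bytes(range(32))   # 32-byte inner-method session key (e.g. from MSCHAPv2)
ZERO_ISK = bytes(32)           # what an inner method with no key material contributes


def prf_plus(key: bytes, seed: bytes, out_len: int) -> bytes:
    """PEAPv0 PRF+ as described in [MS-PEAP] 3.1.5.5.2.2:
    T1 = HMAC-SHA1(K, S | LEN | 0x01), Tn = HMAC-SHA1(K, Tn-1 | S | LEN | n).
    The (LEN | counter) suffix layout is my reading of the spec - an assumption."""
    out, prev, counter = b"", b"", 0
    while len(out) < out_len:
        counter += 1
        prev = hmac.new(key, prev + seed + bytes([out_len & 0xFF, counter]),
                        hashlib.sha1).digest()
        out += prev
    return out[:out_len]


def mppe_keys_without_cryptobinding(tls_key_block: bytes):
    """Plain PEAPv0: MSK is the first 64 bytes of the TLS-derived key block;
    MS-MPPE-Recv-Key is MSK[0:32] and MS-MPPE-Send-Key is MSK[32:64]."""
    msk = tls_key_block[:64]
    return msk[:32], msk[32:]


def mppe_keys_with_cryptobinding(tls_key_block: bytes, isk: bytes):
    """Cryptobinding path: TK (first 40 bytes of the TLS key block) and the
    inner method's ISK are mixed into IPMK|CMK, then CSK, and MSK = CSK[0:64]."""
    tk = tls_key_block[:40]
    imck = prf_plus(tk, b"Inner Methods Compound Keys" + isk, 60)
    ipmk, cmk = imck[:40], imck[40:60]   # CMK keys the Crypto-Binding TLV MAC
    csk = prf_plus(ipmk, b"Session Key Generating Function", 128)
    msk = csk[:64]
    return msk[:32], msk[32:]


def exported_keys_are_correct(exported, tls_key_block, isk, cryptobinding_used):
    """Diagnostic check: do the (recv, send) keys handed to the NAS match what
    the client will derive for this session type?"""
    expected = (mppe_keys_with_cryptobinding(tls_key_block, isk) if cryptobinding_used
                else mppe_keys_without_cryptobinding(tls_key_block))
    return hmac.compare_digest(exported[0] + exported[1], expected[0] + expected[1])
```

The reported failure corresponds to `exported_keys_are_correct(mppe_keys_without_cryptobinding(...), ..., cryptobinding_used=True)` returning False: authentication and the TLV check pass, but the NAS holds keys the client never derived.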