ISE selects weak ciphers for EAP-TLS

Hello,

I am facing a strange issue on an ISE 2.6 deployment (latest patch installed).

I have Windows clients (7 & 10) authenticating through EAP-TLS. They offer 14 ciphers during the TLS handshake, with TLS_ECDHE_RSA_AES256_CBC_SHA being the strongest one and TLS_RSA_RC4_128_MD5 being the weakest one.

I have two different behaviors depending on what I configure on the ISE side:

- If weak ciphers are disabled in the allowed protocols for the matched policy => ISE rejects the client, saying it has no common cipher / the client only supports weak ciphers.

- If weak ciphers are enabled => ISE selects the weakest possible cipher in its server hello.

I was not able to find relevant information in the documentation or the bug search tool.

I am wondering whether this could be a misconfiguration on ISE or maybe a bug.

Unfortunately I can't share packet captures as they include client identity and customer name in EAP packets.

Any help is welcome.


Re: ISE selects weak ciphers for EAP-TLS

Hi,

It sounds like you have done a Wireshark analysis of the TLS handshake. You have listed 14 offered ciphers (from the client side); what is the ISE response to that? You should be able to see that in Wireshark too. Are you using a hardened version of Win7/10 by any chance?
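The comparison the reply asks for (what the client offered in its ClientHello versus what ISE answered in its ServerHello) can be scripted instead of read by eye. The following is an added example, not code from this thread or from Cisco ISE: it parses the cipher-suite fields of raw TLS handshake records and reports when the server's choice is weaker than suites the client offered. The sample records are constructed, and the weak-suite markers are this example's own classification.

```python
import struct

# IANA cipher-suite ids: the two suites the thread names plus common companions
# (constructed subset; extend from the IANA TLS registry as needed).
SUITES = {0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
          0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x0004: "TLS_RSA_WITH_RC4_128_MD5"}
WEAK_MARKERS = ("RC4", "MD5", "3DES", "DES_CBC", "NULL", "EXPORT", "anon")   # example's own policy

def suite_name(suite_id):
    return SUITES.get(suite_id, "UNKNOWN_0x%04X" % suite_id)

def is_weak(suite_id):
    return any(m in suite_name(suite_id) for m in WEAK_MARKERS)

def hello_suites(record):
    """ClientHello -> offered suites in client preference order; ServerHello -> [chosen suite]."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])         # 5-byte record header
    if ctype != 22 or len(record) < 5 + rlen:
        raise ValueError("not a complete TLS handshake record")
    hs = record[5:5 + rlen]
    htype, body = hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]   # 4-byte handshake header
    off = 2 + 32                           # legacy_version + random
    off += 1 + body[off]                   # length-prefixed session_id
    if htype == 2:                         # ServerHello carries a single cipher_suite
        return [struct.unpack("!H", body[off:off + 2])[0]]
    if htype != 1:
        raise ValueError("not a ClientHello or ServerHello")
    cs_len = struct.unpack("!H", body[off:off + 2])[0]               # cipher_suites vector
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(off + 2, off + 2 + cs_len, 2)]

def audit(client_record, server_record):
    """Compare what the client offered with what the server chose (the check the reply suggests)."""
    offered, chosen = hello_suites(client_record), hello_suites(server_record)[0]
    strong = [s for s in offered if not is_weak(s)]
    if is_weak(chosen) and strong:
        finding = "server chose a weak suite although %d stronger ones were offered" % len(strong)
    elif is_weak(chosen):
        finding = "client offered only weak suites"
    else:
        finding = "ok"
    return {"chosen": suite_name(chosen), "chosen_weak": is_weak(chosen),
            "strong_offered": len(strong), "finding": finding}

# Constructed sample records (not a real capture): the client offers ECDHE/AES suites first and
# TLS_RSA_WITH_RC4_128_MD5 last; the server answers with the RC4/MD5 suite, as the post describes.
CLIENT_HELLO = bytes.fromhex("160303003b" "01000037" "0303" + "11" * 32
                             + "00" "000e" "c014c0130035002f000a00050004" "0100" "0000")
SERVER_HELLO = bytes.fromhex("160303002a" "02000026" "0303" + "22" * 32 + "00" "0004" "00")
```

Feed `audit()` the ClientHello and ServerHello records exported from a capture (Wireshark: right-click the TLS record, Export Packet Bytes) and the finding distinguishes "server picked the weakest suite" from "client only offered weak suites", the two behaviours described in the question.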