04-18-2017 04:26 AM - edited 03-11-2019 12:38 AM
Hi board,
Assuming you want to harden your RADIUS/802.1X solution and disable legacy SSL ciphers (disabled ISE setting: "Allow Weak Ciphers for EAP") like RSA_RC4_128_SHA or RSA_RC4_128_MD5:
How do you know, without testing each 802.1X capable end device, whether these legacy ciphers are currently used by some clients? How can you check in advance if all your clients are compatible with the newer SSL ciphers?
This question is for ACS and for ISE: Is there any report which outlines the SSL ciphers in use? At least it's not in the RADIUS authentication or accounting report. How do you know if you can disable the weak ciphers in your ACS or ISE settings?
I guess the "hard" way would be to capture the RADIUS packets towards an ISE or ACS node and filter for the "SSL server hello" packets. These packets contain the negotiated cipher. From my point of view, an appropriate Wireshark display filter would be:
ssl.handshake.type == 2 && (ssl.handshake.ciphersuite == 0x0004 || ssl.handshake.ciphersuite == 0x0005)
"ssl.handshake.type == 2" is the filter for SSL server hello packets
"ssl.handshake.ciphersuite == 0x0004" is the ID for RSA_RC4_128_MD5
"ssl.handshake.ciphersuite == 0x0005" is the ID for RSA_RC4_128_SHA
(Of course the display and/or preferably the capture filter is set to the RADIUS packets.)
But there has to be a simpler way than this, right?!
04-08-2019 12:41 PM
Any update on this query ?
04-09-2019 09:38 AM
If ISE, the ISE RADIUS auth details report has the info on TLS Cipher and Version, e.g.:
TLSCipher | ECDHE-RSA-AES256-GCM-SHA384 |
TLSVersion | TLSv1.2 |
No separate reports on these fields solely. We may, however, send syslog to an external logging target (e.g. Splunk), if needed.
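As an added example (not from the thread or from Cisco), a small Python triage over ISE passed-authentication syslog once it is forwarded to an external logging target as suggested above: it reads the TLSCipher/TLSVersion attributes and lists which endpoints still negotiate RC4 (the 0x0004/0x0005 suites from the question) or anything below TLS 1.2. The log lines are constructed, the ISE header is simplified, and the weak-cipher marker list is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the spirit of ISE "Passed Authentications" syslog: a simplified
# header followed by comma-separated Key=Value attributes. TLSCipher/TLSVersion are the
# field names shown in the answer above; all values here are made up for the demo.
SAMPLE_SYSLOG = """\
Apr 09 09:38:01 ise-psn1 CISE_Passed_Authentications Calling-Station-ID=00-11-22-33-44-55, User-Name=host/laptop01, EapAuthentication=EAP-TLS, TLSCipher=ECDHE-RSA-AES256-GCM-SHA384, TLSVersion=TLSv1.2
Apr 09 09:38:04 ise-psn1 CISE_Passed_Authentications Calling-Station-ID=00-11-22-33-44-66, User-Name=printer07, EapAuthentication=PEAP, TLSCipher=RC4-SHA, TLSVersion=TLSv1
Apr 09 09:38:09 ise-psn1 CISE_Passed_Authentications Calling-Station-ID=00-11-22-33-44-77, User-Name=badge-reader02, EapAuthentication=EAP-TLS, TLSCipher=AES128-SHA, TLSVersion=TLSv1
Apr 09 09:38:12 ise-psn1 CISE_Passed_Authentications Calling-Station-ID=00-11-22-33-44-66, User-Name=printer07, EapAuthentication=PEAP, TLSCipher=RC4-MD5, TLSVersion=TLSv1
Apr 09 09:38:15 ise-psn1 CISE_Failed_Attempts Calling-Station-ID=00-11-22-33-44-88, User-Name=unknown, FailureReason=12514
"""

# ISE reports OpenSSL-style names; RC4-MD5 and RC4-SHA are the 0x0004 / 0x0005 suites
# from the question. Which substrings count as "weak" is an assumption for this demo.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP")
MIN_TLS_VERSION = "TLSv1.2"

KV_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]+)")


def parse_attributes(line):
    """Return the Key=Value attributes of one syslog line as a dict."""
    return {k: v.strip() for k, v in KV_RE.findall(line)}


def is_weak_cipher(name):
    """True if the cipher name carries one of the legacy markers."""
    return any(marker in name.upper() for marker in WEAK_CIPHER_MARKERS)


def tls_version_rank(version):
    """Order version strings: SSLv3 < TLSv1 < TLSv1.1 < TLSv1.2 < TLSv1.3."""
    m = re.fullmatch(r"(SSL|TLS)v(\d+)(?:\.(\d+))?", version)
    if not m:
        return (0, 0, 0)
    return (1 if m.group(1) == "TLS" else 0, int(m.group(2)), int(m.group(3) or 0))


def find_legacy_clients(log_text):
    """Map (MAC, user) -> sorted reasons for every endpoint that negotiated a weak cipher or old version."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        attrs = parse_attributes(line)
        cipher, version = attrs.get("TLSCipher"), attrs.get("TLSVersion")
        if not cipher or not version:
            continue  # failed attempts and non-EAP-TLS lines carry no TLS fields
        reasons = []
        if is_weak_cipher(cipher):
            reasons.append("cipher " + cipher)
        if tls_version_rank(version) < tls_version_rank(MIN_TLS_VERSION):
            reasons.append("version " + version)
        if reasons:
            endpoint = (attrs.get("Calling-Station-ID", "?"), attrs.get("User-Name", "?"))
            findings[endpoint].update(reasons)
    return {ep: sorted(r) for ep, r in findings.items()}


if __name__ == "__main__":
    for (mac, user), reasons in sorted(find_legacy_clients(SAMPLE_SYSLOG).items()):
        print(f"{mac} {user}: {', '.join(reasons)}")
```

Run it against a few days of forwarded syslog before flipping the "Allow Weak Ciphers for EAP" setting; anything it lists is a client that will fail to authenticate afterwards.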
04-09-2019 06:54 AM
I asked our experts to take a look
04-09-2019 09:08 AM
Until Jason gets back to you with a formal response, I'd like to point out that you can perform a tcpdump remotely for any PSN node via:
Operations > Troubleshoot > Diagnostic Tools > TCP Dump
It also allows you to use capture filters. You can let it run for a few hours with whichever filters you need.