02-24-2016 10:13 PM - edited 03-10-2019 11:31 PM
Hi all,
I recently deployed ISE 2.0 as part of a wireless BYOD solution using Central Web Authentication. When accessing the Admin and Sponsor Portal (Internal CA certificate) or Guest Portal (Public CA certificate) the browser gets a warning that the site is using an obsolete cipher suite.
'Your connection to <site> is encrypted using an obsolete cipher suite. The connection uses TLS 1.2. The connection is encrypted using AES_256_CBC, with HMAC-SHA1 for message authentication and DHE_RSA as the key exchange mechanism'. See attached.
Now, the client browsers trust the SSL certificate and there is a green padlock indicating a secure connection, however my client is a large organisation with very tight security policies and wants to remove the message. They have advised that their IIS based web servers have the option to remove insecure protocols.
Is there any way to resolve this in ISE 2.0?
Regards,
-Brett
02-24-2016 10:43 PM
I'm not sure, but try going to "Administration > System > Settings > Protocols > Security Settings", and un-select SHA1.
03-01-2016 07:33 PM
Hi Phil,
It seems that the option is only valid for EAP authentication. I logged a TAC case; they have advised that there is no option to disable TLS 1.0 or obsolete cipher suite for portal connections.
I find it concerning that a security appliance has no option to disable protocols that have known vulnerabilities. All tested client devices are capable of negotiating TLS 1.2. I have been told that ISE 2.0 supports TLS 1.2.
Regards,
Brett
03-13-2016 07:25 PM
Brett - I completely agree. It should be configurable. Even when it's not, standard procedure should be that client-server negotiate the most secure mutually supported method.
I had a customer pen test their ISE 1.4 a while back. A couple of vulnerabilities re the web interface were identified and Cisco accepted them as bugs (a few already identified and a few new).
It was over the course of 2015 until they were finally all remedied. Stick to your guns and insist the TAC press the business unit (development engineers) to admit these are bugs. Make them give you the BugID - even if they don't make it customer facing (pet peeve of mine).
03-13-2016 06:02 PM
So I got some mixed responses from different channels within Cisco. This was the most informative one...
"The government certification requirement to not allow TLSv1.0 is for administrative connections only so the end-user facing portals are allowing it because many endpoint devices are not supporting TLSv1.1/1.2. It might be possible to disable it via root access but that is not what we are supporting."
TAC have escalated with the ISE dev teams to figure out why clients might only be negotiating TLS1.0 connections.
-Brett
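A way to verify from the outside what the portal actually negotiates, rather than relying on the browser warning or on TAC: the script below is an added example and is not code from the original thread or from Cisco. It probes a host one TLS version at a time and rates the suite the server picks against the criteria the browser warning in this thread appears to apply (TLS 1.2 or later, ECDHE key exchange, an AEAD bulk cipher instead of CBC with HMAC); those criteria, the hostname `ise.example.net`, and the assumption that the warning's AES_256_CBC / HMAC-SHA1 / DHE_RSA suite corresponds to OpenSSL's `DHE-RSA-AES256-SHA` are all assumptions made here.

```python
import socket
import ssl
from typing import Dict, List, Tuple

# Assumed criteria (not from the original post): a suite is "modern" only if
# the protocol is TLS 1.2+, the key exchange is ECDHE (TLS 1.3 implies it), and
# the bulk cipher is an AEAD mode (GCM, CCM or ChaCha20-Poly1305), not CBC+HMAC.
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def classify_suite(protocol: str, cipher: str) -> Tuple[bool, List[str]]:
    """Rate an OpenSSL-style cipher name such as 'DHE-RSA-AES256-SHA' or
    'ECDHE-RSA-AES256-GCM-SHA384'. Returns (is_modern, list of reasons)."""
    reasons: List[str] = []
    if protocol not in MODERN_PROTOCOLS:
        reasons.append(f"protocol {protocol} is older than TLS 1.2")
    tls13 = cipher.startswith("TLS_")  # TLS 1.3 suites are always (EC)DHE + AEAD
    if not tls13 and not cipher.startswith("ECDHE-"):
        reasons.append("key exchange is not ECDHE")
    if not tls13 and not any(marker in cipher for marker in AEAD_MARKERS):
        reasons.append("bulk cipher is CBC with HMAC, not an AEAD mode")
    return (not reasons, reasons)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """Offer each TLS version on its own and record what the server picks.
    Caveat: OpenSSL builds with a raised default security level refuse to
    offer TLS 1.0/1.1 unless the level is lowered, which is attempted below."""
    versions = [
        ("TLSv1", ssl.TLSVersion.TLSv1),
        ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
        ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ]
    results: Dict[str, str] = {}
    for label, version in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # probing protocol support, not trust
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let legacy suites be offered
        except (ssl.SSLError, ValueError) as exc:
            results[label] = f"not offered by local OpenSSL ({exc})"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    name, proto, _bits = tls.cipher()
                    modern, reasons = classify_suite(proto, name)
                    verdict = "modern" if modern else "obsolete: " + "; ".join(reasons)
                    results[label] = f"{name} ({verdict})"
        except (ssl.SSLError, OSError) as exc:
            results[label] = f"not negotiated ({exc.__class__.__name__})"
    return results


if __name__ == "__main__":
    import sys

    # Hypothetical portal hostname; pass the real ISE portal FQDN as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "ise.example.net"
    for label, outcome in probe(target).items():
        print(f"{label:8s} {outcome}")
```

Run it against the guest, sponsor and admin portal FQDNs separately, since each may be served with a different certificate and, per the Cisco reply above, a different policy for administrative versus end-user connections. A one-off manual equivalent is `openssl s_client -connect host:443 -tls1`, which fails to handshake if TLS 1.0 is not offered by the server.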