Cisco ISE 2.0 - 'Obsolete Cipher Suite on SSL certificate'

Brett Verney
Level 1

Hi all,

I recently deployed ISE 2.0 as part of a wireless BYOD solution using Central Web Authentication. When accessing the Admin and Sponsor Portal (Internal CA certificate) or Guest Portal (Public CA certificate) the browser gets a warning that the site is using an obsolete cipher suite.

'Your connection to <site> is encrypted using an obsolete cipher suite. The connection uses TLS 1.2. The connection is encrypted using AES_256_CBC, with HMAC-SHA1 for message authentication and DHE_RSA as the key exchange mechanism'. See attached.

Now, the client browsers trust the SSL certificate and there is a green padlock indicating a secure connection, however my client is a large organisation with very tight security policies and wants to remove the message. They have advised that their IIS based web servers have the option to remove insecure protocols.

Is there any way to resolve this in ISE 2.0?

Regards,

-Brett

4 Replies

Philip D'Ath
VIP Alumni

I'm not sure, but try going to "Administration > System > Settings > Protocols > Security Settings", and un-select SHA1.

Hi Phil,

It seems that the option is only valid for EAP authentication. I logged a TAC case; they have advised that there is no option to disable TLS 1.0 or obsolete cipher suite for portal connections.

I find it concerning that a security appliance has no option to disable protocols that have known vulnerabilities. All tested client devices are capable of negotiating TLS 1.2. I have been told that ISE 2.0 supports TLS 1.2.

Regards,

Brett
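A way to turn the browser warning from the question and the "no option to disable TLS 1.0" finding in this reply into something reproducible for the security team, as an added example that is not part of the thread and not Cisco code: the script rebuilds the cipher suite name from the wording of the warning, classifies it by the same three criteria Chrome used for its "obsolete" label (protocol at least TLS 1.2, ECDHE key exchange, AEAD cipher), and can probe a portal host one protocol version at a time to document what it actually negotiates. The host name `ise.example.invalid` and the warning text are constructed from the quote above; only the Python standard library is used.

```python
"""Classify a negotiated TLS cipher suite with the criteria behind Chrome's
'obsolete cipher suite' warning, and optionally probe a host per protocol
version to record what a portal negotiates. Added example, not Cisco ISE code."""
import re
import socket
import ssl
import sys

# Constructed copy of the browser warning quoted in the question (placeholder host).
CHROME_WARNING = (
    "Your connection to ise.example.invalid is encrypted using an obsolete cipher suite. "
    "The connection uses TLS 1.2. The connection is encrypted using AES_256_CBC, "
    "with HMAC-SHA1 for message authentication and DHE_RSA as the key exchange mechanism"
)

_CHROME_RE = re.compile(
    r"encrypted using (?P<cipher>[A-Z0-9_]+), with (?P<mac>[A-Z0-9-]+) for message "
    r"authentication and (?P<kex>[A-Z0-9_]+) as the key exchange"
)


def suite_from_chrome_message(msg: str) -> str:
    """Rebuild the IANA cipher suite name from the wording of the browser's warning."""
    m = _CHROME_RE.search(msg)
    if not m:
        raise ValueError("not a Chrome cipher-suite description")
    mac = m["mac"].replace("HMAC-", "").replace("SHA1", "SHA")  # HMAC-SHA1 -> SHA
    return f"TLS_{m['kex']}_WITH_{m['cipher']}_{mac}"


def classify_suite(protocol: str, suite: str) -> list:
    """Return the reasons a browser would call this connection obsolete (empty = modern).

    Criteria: protocol must be TLS 1.2 or newer, key exchange must be ECDHE, and the
    cipher must be an AEAD (GCM or ChaCha20-Poly1305). Accepts IANA names such as
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA and OpenSSL names such as DHE-RSA-AES256-SHA.
    """
    reasons = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        reasons.append(f"protocol {protocol} is older than TLS 1.2")
    name = suite.upper().replace("-", "_")
    if protocol == "TLSv1.3":
        return reasons  # every TLS 1.3 suite is AEAD with ephemeral (EC)DH
    if "ECDHE" not in name:
        reasons.append("key exchange is not ECDHE (RSA key transport or finite-field DHE)")
    if "GCM" not in name and "CHACHA20" not in name:
        reasons.append("cipher is not AEAD (CBC mode with a separate HMAC)")
    return reasons


def probe(host: str, port: int, version: "ssl.TLSVersion"):
    """Offer exactly one protocol version to the server; return (protocol, suite) or None.

    Certificate verification is disabled on purpose: the goal is to record the
    handshake parameters, not to trust the endpoint. A modern OpenSSL may itself
    refuse to offer TLS 1.0 at its default security level; that surfaces here as
    None, which is a statement about the client build, not about the server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    suite = suite_from_chrome_message(CHROME_WARNING)
    print(suite, classify_suite("TLSv1.2", suite))
    if len(sys.argv) > 1:  # usage: python tls_check.py <portal-host> [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
            result = probe(host, port, ver)
            if result is None:
                print(f"{ver.name}: not negotiated")
            else:
                print(f"{ver.name}: {result[0]} {result[1]} -> "
                      f"{classify_suite(*result) or 'modern'}")
```

Run without arguments it only classifies the quoted warning, which fails two of the three checks (DHE rather than ECDHE, CBC with HMAC-SHA1 rather than an AEAD) even though the protocol is TLS 1.2; with a portal host as argument it records, per protocol version, whether the handshake completes and which suite is chosen, which is the evidence to attach to a TAC case or a pen-test finding.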

Brett - I completely agree. It should be configurable. Even when it's not, standard procedure should be that client-server negotiate the most secure mutually supported method.

I had a customer pen test their ISE 1.4 a while back. A couple of vulnerabilities re the web interface were identified and Cisco accepted them as bugs (a few already identified and a few new).

It was over the course of 2015 until they were finally all remedied. Stick to your guns and insist the TAC press the business unit (development engineers) to admit these are bugs. Make them give you the BugID - even if they don't make it customer facing (pet peeve of mine).

Brett Verney
Level 1

So I got some mixed responses from different channels within Cisco. This was the most informative one...

"The government certification requirement to not allow TLSv1.0 is for administrative connections only so the end-user facing portals are allowing it because many endpoint devices are not supporting TLSv1.1/1.2. It might be possible to disable it via root access but that is not what we are supporting."

TAC have escalated with the ISE dev teams to figure out why clients might only be negotiating TLS1.0 connections.

-Brett
