Solved: Cisco ISE 3.x Supported Ciphers

P333EVS1 · ‎09-20-2022

Hi,

I'm having issues getting some IoT devices authenitcating with Cisco ISE. We are running ver 3.1.

The supplier says his devices support

TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8

In Cisco ISE > Settings > Security Settings

i have disabled TLS 1.0 and disabled SHA1 ciphers.

if i enable both of those settings the device is able to auth ok. Is there a list somewhere of which ciphers cisco ISE supports? Cant understand why enabling SHA1 allows the above to work.

balaji.bandi · ‎09-20-2022

Look at release notes : - due to security reason those ciphers are disabled by default.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/release_notes/b_ise_31_RN.html

supported matrix :

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/compatibility_doc/b_ise_sdt_31.html#id_89206

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

balaji.bandi · ‎09-20-2022

Look at release notes : - due to security reason those ciphers are disabled by default.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/release_notes/b_ise_31_RN.html

supported matrix :

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/compatibility_doc/b_ise_sdt_31.html#id_89206

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

P333EVS1 · ‎09-20-2022

thanks - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is enabled by default.

In Cisco ISE Radius logs. is there a way to see what cipher was used? If the authentication fails, it says. but if it succeeds there's no mention of the cipher userd.

Failed Auth

Successful Auth

thomas · ‎10-02-2022

You may submit that as an enhancement request @ https://cs.co/ise-wish