Cisco-ISE, EAP-TLS, remove RootCA from server validation chain

Malex
Level 1

Hello experts,

Is there a possibility to influence the length/number of certificates for server validation in Cisco-ISE?

My tests with Cisco-ISE ver 2.7 and 3.1 have shown that Cisco-ISE always sends out the full chain of trust in the TLS "Hello Server" message to the supplicant for EAP-TLS authentication.

I.e. in only one TLS message everything is transferred from RootCA to server certificate.

In a concrete scenario, this message is 9199 Bytes long and is unfortunately a bit too long for an IoT radio module.

Is there a way to instruct Cisco-ISE to send a shortened chain for server validation for certain supplicants, without the RootCA (and IntermediateCA) certificate for example?

The IoT radio module has a copy of the server RootCA (and IntermediateCA) certificate in its memory anyway for validation purposes.

Unfortunately, I cannot change anything in the existing PKI.

Thanks in advance

Accepted Solution

Arne Bier
VIP

Hello @Malex

I can't see any option in ISE to influence this low level behaviour.

Does the IoT radio module report an exact error message that the size of the certificate exchange during TLS establishment is too much for it to handle? How much can it handle?

I have seen TLS exchanges fail because of MTU configuration issues too. The issue was that if the Layer 3 router interface with which ISE communicates (i.e. the router's SVI) had an MTU > 1500 bytes then the cert exchange would fail. The solution was to configure an MTU of 1500 on the router. The result seen in Wireshark is that the large cert PDU was broken into smaller, multiple packets.

ISE supports the standardised "Session Resume" feature for EAP-TLS and EAP-PEAP that will short-circuit the TLS song & dance with a shortened version - but it will only do this once it has an existing session which has been established using the full TLS exchange.

2 Replies


Thanks for your answer Arne,

the IoT module has a receive buffer of 8K and obviously cannot load the "hello-server" message in one piece into its memory for server validation.
If I remove from server certificate chain (simulated with FreeRadius) the RootCA cert, then everything fits and the login takes place.

My hope was that with Cisco-ISE I can influence the length of the server certificate chain similar to FreeRadius.

 

Now I was told several times that it was not possible.
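As an added example (not from this thread, nor from Cisco ISE or FreeRADIUS), here is the arithmetic behind the 8K limit: parse a PEM chain, compute the size of the TLS Certificate handshake message it produces, and check whether dropping the root certificate (which the supplicant already holds) brings the message under the module's receive buffer. The chain is constructed from dummy DER-shaped blobs, and the per-certificate sizes are assumptions chosen to reproduce the 9199-byte total reported above.

```python
import base64
import textwrap

# Constructed stand-ins for a PKI chain: each "certificate" is a bare DER SEQUENCE
# header plus zero filler. They are not real certificates; only their byte lengths
# matter for this exercise.
def fake_der(body_len):
    return b"\x30\x82" + body_len.to_bytes(2, "big") + bytes(body_len)

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")

def pem_bundle_to_ders(bundle):
    """Split a PEM bundle (server cert first, root last) into DER byte strings."""
    ders, buf, inside = [], [], False
    for line in bundle.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside, buf = True, []
        elif line.startswith("-----END CERTIFICATE-----"):
            ders.append(base64.b64decode("".join(buf)))
            inside = False
        elif inside:
            buf.append(line.strip())
    return ders

def certificate_message_len(ders):
    """Size of the TLS 1.2 Certificate handshake message (RFC 5246 section 7.4.2):
    4-byte handshake header + 3-byte certificate_list length + 3-byte length per cert.
    It is fragmented over TLS records and EAP packets on the wire, but a supplicant
    that reassembles it before validating needs the whole message in memory."""
    return 4 + 3 + sum(3 + len(d) for d in ders)

def trim_chain(ders, drop_last=1):
    """Drop the root (and with drop_last > 1, intermediates) from what the server sends;
    the supplicant must already trust them, as the IoT module in the thread does."""
    return ders[:len(ders) - drop_last]

def fits_in_buffer(ders, buffer_bytes=8192):
    """True if the Certificate message fits the supplicant's receive buffer (8K here)."""
    return certificate_message_len(ders) <= buffer_bytes

# Constructed chain in server -> intermediate -> root order; the sizes are assumptions
# chosen so that the full chain totals the 9199 bytes reported in the thread.
CHAIN_PEM = "".join(to_pem(fake_der(n)) for n in (3096, 3057, 3018))

if __name__ == "__main__":
    chain = pem_bundle_to_ders(CHAIN_PEM)
    for label, c in (("full chain", chain), ("without root", trim_chain(chain))):
        print(f"{label}: {certificate_message_len(c)} bytes, fits 8K: {fits_in_buffer(c)}")
```

Run against a real bundle by replacing CHAIN_PEM with the file contents; the same arithmetic tells you whether removing the root alone is enough or an intermediate must go too.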