Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4599
Views
8
Helpful
4
Replies

Cisco ISE - How to disable Weak Ciphers

Go to solution
Viru_Rajapur
Level 1
Level 1

‎06-26-2023 01:10 AM

Problem Statement: The vulnerability below were found in our ISE,  would like to know if there are any methods to disable them. If not, is there any roadmap from Cisco to get them fixed.

ssl-static-key-ciphers (TCP 443, 8443, 8444)

- TLS_RSA_WITH_AES_128_CBC_SHA

- TLS_RSA_WITH_AES_128_CBC_SHA256

- TLS_RSA_WITH_AES_256_CBC_SHA

- TLS_RSA_WITH_AES_256_CBC_SHA256

- TLS_DHE_RSA_WITH_AES_128_CBC_SHA

- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

- TLS_RSA_WITH_AES_128_CBC_SHA

- TLS_RSA_WITH_AES_256_CBC_SHA

ssh-weak-message-authentication-code-algorithms (TCP 22)

- hmac-sha1

 

Cisco ISE Version 3.0 patch 5

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
ahollifield
VIP
VIP

‎06-26-2023 05:30 AM

https://www.youtube.com/watch?v=HXt2cjUFcp8&t=1s

View solution in original post

What's New in ISE 3.3
What's New in ISE 3.3
youtube.com/watch?v=HXt2cjUFcp8&t=1s
Cisco ISE TME Charlie Moreton gives us a rundown of the new features coming in ISE 3.3. 00:16 ISE 3.3 Release Highlights 00:54 ISE 3.3 Navigation Improvements 01:20 Demo: Navigation Improvements 03:24 ISE Ciphers Control 03:45 Demo: ISE Ciphers Control 05:26 ISE Controlled Application Restart ...
4 Replies 4

Go to solution
ahollifield
VIP
VIP

‎06-26-2023 05:30 AM

https://www.youtube.com/watch?v=HXt2cjUFcp8&t=1s

What's New in ISE 3.3
What's New in ISE 3.3
youtube.com/watch?v=HXt2cjUFcp8&t=1s
Cisco ISE TME Charlie Moreton gives us a rundown of the new features coming in ISE 3.3. 00:16 ISE 3.3 Release Highlights 00:54 ISE 3.3 Navigation Improvements 01:20 Demo: Navigation Improvements 03:24 ISE Ciphers Control 03:45 Demo: ISE Ciphers Control 05:26 ISE Controlled Application Restart ...

Go to solution
adamscottmaster2013
Level 3
Level 3

‎06-26-2023 05:46 AM - edited ‎06-26-2023 05:46 AM

Regarding 

ssh-weak-message-authentication-code-algorithms (TCP 22)

- hmac-sha1

You can open a TAC case with Cisco and have a TAC engineer to root into the ISE and modidied the /etc/ssh/sshd_config file as follows:

Kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes

BEFORE modifying /etc/ssh/sshd_config:
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-256,rsa-sha2-512
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com

After modifying /etc/ssh/sshd_config:
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com

Don't forget to restart sshd service with "service sshd restart".  Simple, right?

Go to solution
Viru_Rajapur
Level 1
Level 1

‎06-26-2023 07:22 AM

Thank you All for your generous help and letting me know the fix for this. 

0 Helpful
Customers Also Viewed These Support Documents