Fixes planned for bug CSCuv21820?

joshobean
Level 1

Our Cisco ISE infrastructure is impacted by this bug. Any admin user trying to go to the company sponsor portal or a guest re-directed to the web auth page for guest authentication will now receive the weak key message detailed in the bug description.

 

Are there any planned fixes? The two work-arounds suggested are not ideal for us. We are using internet explorer to get by for now, but this could negatively impact our guest wireless users who have Firefox.


1- It is simply, technically impossible to force the guests to change their browsers on their mobile phones. I M P O S S I B L E

2- On Chrome on mobile phones and tablets, disabling ciphers is not issue, there is no option in settings to disable or enable that. It is hard coded in mobile Chrome.

3- Cisco must find a way to patch 1.2.0899 in some time as well. It is not ethical to force users to upgrade to 1.2.1.

By the way, Google Chrome is here guilty at the first place I believe. It is also not ethical for Chrome to force us to upgrade our internal web servers. Our mobile guest users cannot log in just because of Chrome's arbitrary decisions. At least we must have been given a period of time to make preparations.

 

Dittos...we applied 1.2.1.x Patch 7 a few days ago, and it was quick and painless...services restarted but there was no full ISE reboot.  We went from tons of guest complaints daily to smooth sailing.  As always read all caveats and know your own environment to the extent possible, but seems that it's this patch, upgrade to 1.3, or have a ton of unsatisfied customers.

Did you upgrade from 1.2 to 1.2.1 for this fix? Or just apply Patch 7 while already on 1.2.1 code? I have a distributed ISE deployment, and I didn't think going from any version to another was a simple matter with ISE, although I agree applying a patch is usually no sweat if it is to existing code.

We were actually already on 1.2.1 code, so good point.  Guess if you have to upgrade from 1.2.0.x, would be a little more work.

It is solved in version 1.2.1 Patch 7

For Chrome, use this shortcut: 

 

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

turklandbank
Level 1

Hi there.

Yes, Cisco should find a fix for their devices as soon as possible. I agree.

BUT,

We should complain to Google too. Their approach on forcing security is not quite true I believe. They must consider to mask the internal SSL certificated web servers of some specific devices with private IP addresses. Corporate captive portals, corporate guest portals and corporate sponsor portals are not a threat to mobile phones.

Cisco may not fix the problem on every type of devices quickly. 

 

 

 

lmediavilla
Level 1

For anyone still using ISE 1.2.0, there is a special fix that has now been created for this, although it is not an official patch. You have to be on Patch 16 to have it applied.

 

I worked with TAC yesterday and we applied the fix to all of our ISE nodes. I'm happy to report the browser issues are now gone. No more complaints! Hopefully this helps some of you out. You will need to involve TAC as the root patch is required to apply the fix. The only impact is a services restart for each ISE node.

 

We have a distributed deployment, so we were able to apply the fix during the work-day with no impact to our customers.

 

 

I heard about this from my account team, it's great news. Currently waiting on a maint window to apply it. Glad to hear it was easy.

Patch 17 for version 1.2.0.899 was just released on Friday. 

It fixes the browser bug CSCuv21820.

Matthias Tietze
Level 1

Hi,

about Patch 17: Has anyone deployed Patch 17 after the TAC has fixed the SSLv3 issue manually?

Did the Patch 17 installation work?

 

Best Regards,

Matthias

I received and installed a Tomcat configuration jar file that had to manually be installed after accessing root shell with the root patch. Installed and working fine. TAC is supposed to do all the configuration and installation for that one.

You are on Patch 16 right now?

Patch 16 plus special config file. Solves problem related to weak DH ephemeral key.
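
The "weak DH ephemeral key" message discussed in this thread comes from the size of the Diffie-Hellman prime the server sends in its TLS ServerKeyExchange. The following is an added example, not code from any poster or from Cisco: it parses the ServerDHParams structure from a handshake body (for instance one exported from a packet capture taken before and after patching) and reports the prime length. `MIN_DH_BITS` is an assumed threshold, not a value stated in the thread, and the sample input is constructed.

```python
import struct

# Assumed floor (not a value from this thread): browsers that rejected
# these handshakes refused DH primes shorter than 1024 bits.
MIN_DH_BITS = 1024

def _read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("empty or truncated vector")
    return buf[off:off + n], off + n

def parse_server_dh_params(body):
    """Parse ServerDHParams (dh_p, dh_g, dh_Ys) from a DHE ServerKeyExchange body."""
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    _ys, off = _read_vec16(body, off)
    return {
        "p_bits": int.from_bytes(p, "big").bit_length(),
        "g": int.from_bytes(g, "big"),
        "params_len": off,  # the signature over the params starts here
    }

def assess(body):
    """Return the parsed parameters plus a 'weak' flag for short primes."""
    info = parse_server_dh_params(body)
    info["weak"] = info["p_bits"] < MIN_DH_BITS
    return info

def build_sample(p_bits):
    """Constructed test input: p is NOT a real prime, only its length matters."""
    nbytes = (p_bits + 7) // 8
    p = ((1 << (p_bits - 1)) | 1).to_bytes(nbytes, "big")
    ys = ((1 << (p_bits - 1)) - 1).to_bytes(nbytes, "big")
    vec = lambda b: struct.pack("!H", len(b)) + b
    return vec(p) + vec(b"\x02") + vec(ys) + b"\x00" * 4  # 4 stub signature bytes

if __name__ == "__main__":
    for bits in (768, 1024, 2048):
        print(bits, assess(build_sample(bits)))
```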