
Fixes planned for bug CSCuv21820?

joshobean
Level 1

Our Cisco ISE infrastructure is impacted by this bug. Any admin user trying to go to the company sponsor portal or a guest re-directed to the web auth page for guest authentication will now receive the weak key message detailed in the bug description.

 

Are there any planned fixes? The two work-arounds suggested are not ideal for us. We are using Internet Explorer to get by for now, but this could negatively impact our guest wireless users who have Firefox.

2 Accepted Solutions

I heard about this from my account team, it's great news. Currently waiting on a maint window to apply it. Glad to hear it was easy.

Patch 17 for version 1.2.0.899 was just released on Friday.

It fixes the browser bug CSCuv21820.

29 Replies

fields.james
Level 1

As of Chrome 45, Chrome will now error out on this.

https://www.chromium.org/administrators/err_ssl_weak_server_ephemeral_dh_key

 

Need a fix, not a browser-side workaround.

 

Does Cisco have any updates on this? Currently we are on ISE 1.2, patch 14. I am planning on upgrading to the latest patch level soon, but I would like to hold out in case a fix is around the corner. I saw another forum that said ISE 1.4 was not impacted. We plan on moving to that later this fall, but I would like to remedy this before that.

 

https://supportforums.cisco.com/discussion/12550791/ise-guestportal-and-diffie-hellman-key-exchange

We asked TAC about a fix for 1.2. They replied that it's not planned to provide a fix for this in version 1.2. TAC recommends the use of the browser-based workaround or updating ISE to 1.3 or 1.4. Sadly, in a hotspot environment it's not possible to provide the users a fix that weakens the TLS/SSL configuration.

From our customer point of view, we cannot understand Cisco in this case. 1.2 isn't EOS, so a patch for 1.2 should be self-evident.

Thanks for the reply, Matthias. The response you received is unacceptable from my point of view. If this is a currently supported version it should be patched. I would think the complaints from customers would be significant for some organizations, not to mention the possible security vulnerabilities from using a weaker DH key type for encryption.

 

I would make a bigger deal of this but since we should be upgrading and moving to newer equipment soon I will probably just move on.

I'm using 1.2.1.198 and was told this was to be fixed in the forthcoming patch level 7 and I'm awaiting a release date for that.

 

The actual problem is just in the configuration of Tomcat, so it should be a real simple fix...

Are they patching 1.2.0.899?

Dunno mate, I'd recommend you ask Cisco...

 

Open a TAC case and inquire, you know the Bug ID so it should be fairly simple for them to look at the road maps and tell you.

It looks like 1.2.1 Patch 7 does fix this per the release notes (released 8/28/15).

I am also wanting to inquire about a fix for 1.2.1? Anyone out there at Cisco listening here?

Correct, patch 7 is the solution for version 1.2.1; I've implemented it on 2 customers.

They should be fixing 1.2.0 too. There's no reason something that is not EOL/EOS shouldn't have a patch.

Sadly this does not appear to be the case. The issue is escalating in our environment, and we are likely going to be forced to upgrade ISE, which other than this bug is working perfectly and is very stable. I'm not happy to say the least.

 

I got this response from TAC this morning:

*****

Josh, 

 

Unfortunately the 1.2.0 code train is at the end of its software life cycle for new patches. However, the most recent (and also final) patch on 1.2.1, patch 7, includes the fix. Basically, to resolve the behavior an upgrade to 1.2.1 Patch 7 is the minimum requirement.

*****

Not sure I understand how this could be "1.2.0 code train is at the end of its software life cycle for new patches" given the fact that there has been no EOL announcement.

I will be escalating this with my account team.

Any way you can provide your TAC case # so that I can add ammo when reporting to my AM?

Happy to provide that info: SR 636260175.

Let me know if you get any traction with your account rep. I know a major code upgrade is coming for my environment eventually, but if a patch would get us through the end of this year on code 1.2.0 that would help tremendously.

Worked through my account team. Cisco does not publish EOL for software, but ISE 1.2.0 is no longer updated. As easy as it would be to create a patch for 1.2.0 for this issue, they won't. 1.2.1 Patch 7 is the minimum.

In the meantime, direct users to IE or Safari; they are currently unaffected as far as I know. Having users (mostly guests in my case) disable ciphers in their browsers is just not going to happen.
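The Chrome 45 change linked earlier in the thread rejects any server whose ephemeral DH key is shorter than 1024 bits, which is what the guest and sponsor portals trip over. As an added example (not code from this thread or from Cisco), the script below pulls the negotiated DH key size out of `openssl s_client` output so an administrator can confirm whether a portal is still affected before and after applying the patch; the embedded sample output is constructed and the host/port in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: check a portal's ephemeral DH key size.
# Assumes OpenSSL 1.0.2+ on the client, which prints "Server Temp Key: ..." in
# `openssl s_client` output. Chrome 45 refuses DH keys shorter than 1024 bits.

MIN_DH_BITS=1024

# dh_key_bits: read s_client output on stdin and print the DH key size in bits.
# Prints 0 when no DH key was negotiated (RSA or ECDHE key exchange, or no
# "Server Temp Key" line at all).
dh_key_bits() {
    sed -n 's/^ *Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' \
        | head -n 1 | grep . || echo 0
}

# dh_is_weak: succeed (exit 0) when the negotiated DH key is below MIN_DH_BITS.
# A 0 result (no DH key exchange) is not reported as weak.
dh_is_weak() {
    bits=$(dh_key_bits)
    [ "$bits" -gt 0 ] && [ "$bits" -lt "$MIN_DH_BITS" ]
}

# check_portal HOST PORT: probe a live server, forcing a DHE cipher suite so the
# server's DH parameters are actually used. HOST and PORT are placeholders.
check_portal() {
    printf '' | openssl s_client -connect "$1:$2" -cipher 'DHE' 2>/dev/null \
        | dh_is_weak
}

# Constructed sample of s_client output from a server with 768-bit DH params.
SAMPLE_WEAK='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Server Temp Key: DH, 768 bits'

# Constructed sample from a server that negotiated ECDHE instead of DHE.
SAMPLE_ECDHE='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Server Temp Key: ECDH, prime256v1, 256 bits'

# Usage: ./dhcheck.sh guest-portal.example.com 8443
if [ "$#" -eq 2 ]; then
    if check_portal "$1" "$2"; then
        echo "WEAK: $1:$2 negotiates a DH key below $MIN_DH_BITS bits"
    else
        echo "OK: $1:$2 did not negotiate a weak DH key"
    fi
fi
```

If the server does not offer any DHE suite at all, `openssl s_client -cipher 'DHE'` fails to connect and the check reports OK, since there is then no DH key for a browser to reject.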