ISE Guestportal and Diffie-Hellman Key Exchange

acontes
Level 1

Hi,

With Firefox 39 it is no longer possible to access the guest portal login page when using CWA, because Firefox 39 rejects the page with a Diffie-Hellman key exchange error message. The reason is that FF expects a minimum key length of 512 bits (RSA) or 1023 bits (DH). Otherwise it will reject the page.

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2_release_notes

With Chrome 45 we will have the same issue.

Does anyone know when there will be a fix available for that?


jan.nielsen
Level 7

I would think this is completely up to the way the certificate you have loaded for the guest portal on ISE has been created, and not really anything ISE can "fix". I don't see how using something over a 512b RSA key would be a problem in this day and age; most CAs won't even issue a cert below 1024b today.

My HTTPS certificates are SHA256RSA with 2048-bit keys. So I think this might be some other kind of problem.

What ISE version are you on? With Firefox 39, can you also not connect to the admin portal?

ISE 1.2.1.198 Patch 6
With FF39 I can't connect to the admin portal - same error.

Well, I'm not sure when this was fixed, but my ISE 1.4 lab server works fine with FF39. You should definitely consider upgrading.

Maybe when 1.4.1 is available or a higher patch level.
Nevertheless, it would be nice to hear something from Cisco regarding this issue.

The issue is described here: CSCuv21820

I hope for a patch solution for ISE 1.2; 1.3 and 1.4 are not affected.

Matthias,

Thanks for the update with the confirmed BugID.

I can also confirm no issues of this nature with ISE 1.4.

I've used both Admin and guest portals at two different 1.4 deployments without issue.

Browsers FF39 and 40, Chrome  43.0.2357.132 m (64-bit) and IE 11.0.9600.17843.

All failed on an older ISE portal (@ Cisco office - I believe ISE 1.2.1-based) and succeeded with the 1.4-based ones.

The issue is not with the certificate length, but with the server's DH public key. On ISE 1.2 it looks like it is only 768 bits.

Try the fix in the link below; it breaks Cisco Finesse and UCCX login as well.

http://www.runtrocks.com/firefox-39-breaks-cisco-finesse-and-uccx-login/

If this post answers your question or is helpful, please consider rating it and/or marking it as answered.
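The two posts above pin the failure on the size of the server's ephemeral DH prime rather than on the RSA certificate: Firefox 39 (NSS 3.19.2) aborts the handshake when the DH prime in the ServerKeyExchange message is shorter than 1023 bits, and ISE 1.2 sends a 768-bit one. The script below is an added example, not code from Cisco, Mozilla or anyone in this thread. It decodes the ServerDHParams structure of a TLS 1.2 ServerKeyExchange (length-prefixed p, g and Ys) and applies the NSS 3.19.2 minimums, so an administrator can tell from a captured handshake whether a portal will trip the new browser policy. The parameter blobs it parses are constructed dummy bytes (not real DH groups), so it runs offline; the thresholds come from the release notes linked in the first post.

```python
"""Decode TLS 1.2 ServerDHParams and apply the NSS 3.19.2 minimum key sizes.

Added example (not ISE, NSS or forum code). Sample blobs are constructed
dummy bytes, not real DH groups, so the script runs without a network."""
import struct
from typing import Optional

# Minimums enforced by NSS 3.19.2 / Firefox 39 (see the release notes in the thread).
MIN_DH_BITS = 1023
MIN_RSA_BITS = 512


def _read_vector(buf: bytes, offset: int):
    """Read one opaque<1..2^16-1> TLS vector (2-byte big-endian length prefix).

    Returns (value, offset_after_value) and raises ValueError if the buffer is
    truncated, so a cut-off capture is reported instead of silently mis-parsed."""
    if offset + 2 > len(buf):
        raise ValueError("truncated vector length at offset %d" % offset)
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    if length == 0 or offset + length > len(buf):
        raise ValueError("empty or truncated vector body at offset %d" % offset)
    return buf[offset:offset + length], offset + length


def build_server_dh_params(p: bytes, g: bytes, ys: bytes) -> bytes:
    """Encode ServerDHParams {dh_p, dh_g, dh_Ys} as TLS 1.2 (RFC 5246 7.4.3) does."""
    out = b""
    for field in (p, g, ys):
        out += struct.pack("!H", len(field)) + field
    return out


def parse_server_dh_params(body: bytes) -> dict:
    """Decode ServerDHParams and report the effective bit length of the prime p.

    Leading zero bytes in dh_p do not add key strength, so the size is taken
    from the integer value, not from the vector length on the wire."""
    p, off = _read_vector(body, 0)
    g, off = _read_vector(body, off)
    ys, off = _read_vector(body, off)
    p_int = int.from_bytes(p, "big")
    return {
        "p": p_int,
        "g": int.from_bytes(g, "big"),
        "Ys": int.from_bytes(ys, "big"),
        "p_bits": p_int.bit_length(),
        "p_vector_len": len(p),
        "trailing_bytes": len(body) - off,  # a signature would follow in DHE_RSA
    }


def nss_rejection_reason(dh_bits: Optional[int] = None,
                         rsa_bits: Optional[int] = None) -> Optional[str]:
    """Return why NSS 3.19.2 would abort the handshake, or None if the sizes pass."""
    if dh_bits is not None and dh_bits < MIN_DH_BITS:
        # Firefox surfaces this as ssl_error_weak_server_ephemeral_dh_key.
        return "DH prime is %d bits, minimum is %d" % (dh_bits, MIN_DH_BITS)
    if rsa_bits is not None and rsa_bits < MIN_RSA_BITS:
        return "RSA key is %d bits, minimum is %d" % (rsa_bits, MIN_RSA_BITS)
    return None


def assess(body: bytes) -> dict:
    """Parse a ServerDHParams blob and attach the NSS verdict for its prime."""
    info = parse_server_dh_params(body)
    info["reject_reason"] = nss_rejection_reason(dh_bits=info["p_bits"])
    return info


# Constructed sample blobs (dummy bytes standing in for p, g and Ys).
WEAK_768 = build_server_dh_params(b"\xff" * 96, b"\x02", b"\x01" * 96)
LEADING_ZERO_768 = build_server_dh_params(b"\x00" + b"\xff" * 96, b"\x02", b"\x01" * 96)
STRONG_2048 = build_server_dh_params(b"\xff" * 256, b"\x02", b"\x01" * 256)

if __name__ == "__main__":
    samples = (
        ("768-bit prime (ISE 1.2 style)", WEAK_768),
        ("768-bit prime, leading zero", LEADING_ZERO_768),
        ("2048-bit prime", STRONG_2048),
    )
    for name, blob in samples:
        result = assess(blob)
        print("%-30s p=%4d bits -> %s" % (name, result["p_bits"],
                                           result["reject_reason"] or "accepted"))
```

Running it prints the 768-bit samples as rejected and the 2048-bit one as accepted. The leading-zero case is there because a capture can carry a 97-byte dh_p vector whose value is still only 768 bits; judging by the wire length would wrongly pass it, which is the same mistake as judging by the 2048-bit RSA certificate instead of the DH prime.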

I already know this "fix". But we are talking about a guest portal. So there is no way to "fix" someone else's browser :-)

Thanks Christopher - I had the same problem as a guest at a Cisco office last week using their ISE-controlled Internet Only Network (ION).

I ended up using my mobile hotspot as a workaround. I didn't have time then to research the Internet for the obscure browser tweak, but I've bookmarked it for the next time I encounter this.

Matt Nickerson
Level 1

Same issue with our UC systems. Would really like to see this patched soon.