07-06-2015 11:50 PM - edited 03-10-2019 10:52 PM
Hi,
With Firefox 39 it is no longer possible to access the guest portal login page when using CWA because Firefox 39 rejects the page with a Diffie-Hellman key exchange error message. The reason is that FF expects a minimum key length of 512 bits (RSA) or 1023 bits (DH). Otherwise it will reject the page.
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2_release_notes
With Chrome 45 we will have the same issue.
Does anyone know when there will be a fix available for that?
07-07-2015 12:46 PM
I would think this is completely up to the way the certificate you have loaded for the guest portal on ISE has been created, and not really anything ISE can "fix". I don't see how using something over a 512b RSA key would be a problem in this day and age; most CAs won't even issue a cert below 1024b today.
07-07-2015 09:23 PM
My HTTPS certificates are SHA256RSA with 2048 bits. So I think this might be some other kind of problem.
07-08-2015 02:13 AM
What ISE version are you on? With Firefox 39, can you also not connect to the admin portal?
07-08-2015 03:27 AM
ISE 1.2.1.198 Patch 6
With FF39 I can't connect to admin portal - same error.
07-08-2015 04:31 AM
Well, I'm not sure when this was fixed, but my ISE 1.4 lab server works fine with FF39. You should definitely consider upgrading.
07-08-2015 10:29 PM
Maybe when 1.4.1 is available or a higher patch level.
Nevertheless, it would be nice to hear something from Cisco regarding this issue.
07-20-2015 06:38 AM
The issue is described here: CSCuv21820
I hope for a patch solution for ISE 1.2; 1.3 and 1.4 are not affected.
07-20-2015 06:44 AM
Matthias,
Thanks for the update with the confirmed BugID.
07-13-2015 07:30 PM
I can also confirm no issues of this nature with ISE 1.4.
I've used both Admin and guest portals at two different 1.4 deployments without issue.
Browsers FF39 and 40, Chrome 43.0.2357.132 m (64-bit) and IE 11.0.9600.17843.
All failed on an older ISE portal (@ Cisco office - I believe ISE 1.2.1-based) and succeeded with the 1.4-based ones.
08-04-2015 06:16 AM
The issue is not with the certificate length, but with the server's DH public key. On ISE 1.2 it looks like it is only 768 bits.
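Added example, not part of the thread and not Cisco's code: a Python check that reads the DH prime size out of a DHE ServerKeyExchange handshake message and compares it with the 1023-bit minimum quoted in the first post. The sample messages are constructed (the prime is a placeholder of the right size, not a real group) and all function names are hypothetical.

```python
import struct

MIN_DH_BITS = 1023  # minimum DH size the first post says Firefox 39 accepts


def _read_vec16(buf, off):
    """Read a TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n


def dh_prime_bits(handshake_msg):
    """Return the bit length of dh_p in a DHE ServerKeyExchange handshake message."""
    if len(handshake_msg) < 4 or handshake_msg[0] != 12:  # 12 = server_key_exchange
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake_msg[1:4], "big")
    body = handshake_msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    # ServerDHParams is dh_p, dh_g, dh_Ys; the signature that follows is ignored.
    p, off = _read_vec16(body, 0)
    _g, off = _read_vec16(body, off)
    _ys, off = _read_vec16(body, off)
    # bit_length() ignores any leading zero bytes in the encoded prime.
    return int.from_bytes(p, "big").bit_length()


def browser_would_accept(handshake_msg, minimum=MIN_DH_BITS):
    """True when the server's DH prime meets the browser's minimum size."""
    return dh_prime_bits(handshake_msg) >= minimum


def build_sample_ske(bits):
    """Constructed sample message: dh_p has the requested size but is NOT a real prime."""
    nbytes = (bits + 7) // 8
    p = (1 << (bits - 1)) | 1
    fields = (p.to_bytes(nbytes, "big"), b"\x02", (p - 2).to_bytes(nbytes, "big"))
    body = b"".join(struct.pack("!H", len(f)) + f for f in fields)
    return b"\x0c" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for bits in (768, 1024, 2048):  # 768 is the size reported for ISE 1.2 above
        msg = build_sample_ske(bits)
        verdict = "accepted" if browser_would_accept(msg) else "rejected"
        print(f"dh_p = {dh_prime_bits(msg)} bits -> {verdict}")
```
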
07-07-2015 05:39 PM
Try the fix in the link below; it breaks Cisco Finesse and UCCX login as well.
http://www.runtrocks.com/firefox-39-breaks-cisco-finesse-and-uccx-login/
07-07-2015 09:12 PM
I already know this "fix". But we are talking about a guest portal. So no way to "fix" someone else's browser :-)
07-08-2015 05:56 AM
Thanks Christopher - I had the same problem as a guest at a Cisco office last week using their ISE-controlled Internet Only Network (ION).
I ended up using my mobile hotspot as a workaround. I didn't have time then to research the Internet for the obscure browser tweak, but I've bookmarked it for the next time I encounter this.
07-13-2015 02:46 PM
Same issue with our UC systems. Would really like to see this patched soon.