Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
5922
Views
10
Helpful
3
Replies

ISE selects weak ciphers for EAP-TLS

Go to solution
tom.barat@dimensiondata.com
Level 1
Level 1

‎11-29-2019 12:15 AM - edited ‎02-21-2020 11:12 AM

Hello,

 

I am facing a strange issue on ISE 2.6 deployment (latest patch installed).

 

I have windows clients (7 & 10) authentication through EAP-TLS. They offer 14 ciphers during the TLS handshake, with TLS_ECDHE_RSA_AES256_CBC_SHA being the strongest one, and TLS_RSA_RC4_128_MD5 being the weakest one.

I have two different behaviors depending on what i configure on ISE side :

- If weak ciphers is disabled in the allowed protocols for the matched policy => ISE rejects the client saying it has no common cipher / the client only supports weak ciphers.

- If weak ciphers is enabled => ISE selects the weakest possible cipher in its server hello.

 

I was not able to find relevent information in the doumentation or bug search tool.

 

I am wondering whether this could be a misconfiguration on ISE or maybe a bug.

 

Unfortunately i can't share packet captures as they include client identity and customer name in EAP packets.

Any help is welcome.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎12-07-2019 01:06 PM

If using ISE 2.6+, the settings needed are Allow SHA1 ciphers and "Allow only TLS_RSA_WITH_AES_128_CBC_SHA" as shown below. The other weak cipher option is to support RC4 for some legacy devices.

Screen Shot 2019-12-07 at 1.02.52 PM.png

View solution in original post

3 Replies 3

Go to solution
Arne Bier
VIP
VIP

‎12-02-2019 03:43 PM

Hi

 

it sounds like you have done a wireshark analysis of the TLS handshake.  You have listed 14 offered ciphers (from the client side) - what is the ISE response to that? You should be able to see that in the wireshark too.  Are you using a hardened version of Win7/10 by any chance?

 

 

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎12-07-2019 01:06 PM

If using ISE 2.6+, the settings needed are Allow SHA1 ciphers and "Allow only TLS_RSA_WITH_AES_128_CBC_SHA" as shown below. The other weak cipher option is to support RC4 for some legacy devices.

Screen Shot 2019-12-07 at 1.02.52 PM.png

Go to solution
tom.barat@dimensiondata.com
Level 1
Level 1
In response to hslai

‎12-10-2019 02:26 AM

Hello,

A great thank you, this was indeed the missing setting. Thank you for explaining the difference between weak ciphers and sha1 options.

Have a nice day.
0 Helpful
Customers Also Viewed These Support Documents
li.common.scroll-to.top