Solved: ISE selects weak ciphers for EAP-TLS

tom.barat@dimensiondata.com · ‎11-29-2019

Hello,

I am facing a strange issue on ISE 2.6 deployment (latest patch installed).

I have windows clients (7 & 10) authentication through EAP-TLS. They offer 14 ciphers during the TLS handshake, with TLS_ECDHE_RSA_AES256_CBC_SHA being the strongest one, and TLS_RSA_RC4_128_MD5 being the weakest one.

I have two different behaviors depending on what i configure on ISE side :

- If weak ciphers is disabled in the allowed protocols for the matched policy => ISE rejects the client saying it has no common cipher / the client only supports weak ciphers.

- If weak ciphers is enabled => ISE selects the weakest possible cipher in its server hello.

I was not able to find relevent information in the doumentation or bug search tool.

I am wondering whether this could be a misconfiguration on ISE or maybe a bug.

Unfortunately i can't share packet captures as they include client identity and customer name in EAP packets.

Any help is welcome.

hslai · ‎12-07-2019

If using ISE 2.6+, the settings needed are Allow SHA1 ciphers and "Allow only TLS_RSA_WITH_AES_128_CBC_SHA" as shown below. The other weak cipher option is to support RC4 for some legacy devices.

View solution in original post

Arne Bier · ‎12-02-2019

Hi

it sounds like you have done a wireshark analysis of the TLS handshake. You have listed 14 offered ciphers (from the client side) - what is the ISE response to that? You should be able to see that in the wireshark too. Are you using a hardened version of Win7/10 by any chance?

hslai · ‎12-07-2019

If using ISE 2.6+, the settings needed are Allow SHA1 ciphers and "Allow only TLS_RSA_WITH_AES_128_CBC_SHA" as shown below. The other weak cipher option is to support RC4 for some legacy devices.

tom.barat@dimensiondata.com · ‎12-10-2019

Hello,

A great thank you, this was indeed the missing setting. Thank you for explaining the difference between weak ciphers and sha1 options.

Have a nice day.