Microsoft no longer supporting sha-1

John Vierra
Cisco Employee

I'm trying to figure out how/if this would affect a customer with an ISE deployment using EAP-TLS with the native supplicant and guest access.

Accepted Solution

Craig Hyps
Level 10

You should sign your ISE node portal certificates using a stronger algorithm like SHA-256 so that they will be trusted when using a browser that requires a stronger hash. For 802.1X, I suspect you are referring to EAP-TLS certificates using SHA-1. It is recommended to sign both client and server certs with a stronger hash, but provided each end trusts the signing certificate, mutual authentication can complete. More info on the impact of Microsoft's deprecation of SHA-1 can be found here: https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx


4 Replies


What will happen if a Windows native supplicant has to validate an ISE system certificate signed with SHA-1 by a CA that is part of the Microsoft Trusted Root Program after February 14th? I am referring to EAP-TLS authentication; should that fail?

hslai
Cisco Employee

If you or your customers are using a CA following the CA/Browser Forum SHA-1 sunset, which states:

Effective 16 January 2015, CAs SHOULD NOT issue Subscriber Certificates utilizing the SHA-1 algorithm with an Expiry Date greater than 1 January 2017 because Application Software Providers are in the process of deprecating and/or removing the SHA-1 algorithm from their software, and they have communicated that CAs and Subscribers using such certificates do so at their own risk.

then the chance is small, since most CAs issue end-entity certificates good for 2 years.

If I were you, I would be much more concerned about the ISE system certificate(s) used for HTTPS, either for the ISE admin portal or the various end-user-facing portals. Not only will Microsoft IE 11 and Edge mark them invalid; Mozilla Firefox and Google Chrome are phasing out SHA-1 as well.

Regarding EAP authentication, it does not seem to be impacted yet. If you have an ISE server with an EAP server certificate issued that way and you have no immediate plan to renew it, it would be best to try it out by following the FAQ entry "How can I determine how my environment will be impacted by the February 2017 TLS deprecation?" in "Windows Enforcement of SHA1 Certificates - TechNet Articles - United States (English) - TechNet Wiki".
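Both answers above come down to the same check: which certificates in the chain, on the supplicant side and on the portal side, still carry a SHA-1 signature, and whether any of them is a leaf or intermediate rather than a trusted root (a root's self-signature is not verified, so SHA-1 there is harmless). The PowerShell below is an added example for doing that inventory on a Windows client; it is not code from the thread or from Cisco. The hostname `ise-psn1.example.com` and port 8443 are assumptions for an ISE guest/sponsor portal, and the file path in the last step is a placeholder for an EAP server certificate exported from ISE.

```powershell
# Added example, not from the original thread. Reports the signature algorithm of
# every element in a certificate chain and flags SHA-1 on non-root elements.
# Hostname/port and the exported-certificate path are assumptions.

function Get-ChainSignatureReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # X509Chain on Windows builds the path with CryptoAPI, i.e. the same engine the
    # native supplicant and IE/Edge use, so the chain shape matches what they see.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation lookups are irrelevant to the hash question; don't let them fail the build.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($Certificate)   # result ignored: an untrusted chain is still reportable
    $elements = @($chain.ChainElements)
    for ($i = 0; $i -lt $elements.Count; $i++) {
        $c = $elements[$i].Certificate
        $isRoot = ($i -eq $elements.Count - 1) -and ($c.Subject -eq $c.Issuer)
        $alg = $c.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
        [pscustomobject]@{
            Position  = if ($i -eq 0) { 'leaf' } elseif ($isRoot) { 'root' } else { 'intermediate' }
            Subject   = $c.Subject
            Issuer    = $c.Issuer
            NotAfter  = $c.NotAfter
            Algorithm = $alg
            # Only SHA-1 on the leaf or an intermediate is something a verifier can reject;
            # the trust anchor's self-signature is never checked.
            Weak      = ($alg -match '^sha1') -and -not $isRoot
        }
    }
}

function Get-ServedCertificate {
    # Opens a TLS connection and returns the server certificate it presented,
    # without trusting it (validation callback always returns $true).
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

# 1) Supplicant side: client certificates the native supplicant may present for EAP-TLS.
Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    ForEach-Object { Get-ChainSignatureReport -Certificate $_ } |
    Where-Object Weak |
    Format-Table Position, Subject, NotAfter, Algorithm -AutoSize

# 2) Portal side: the chain an ISE node serves for guest/sponsor portals (assumed host/port).
$portalCert = Get-ServedCertificate -HostName 'ise-psn1.example.com' -Port 8443
Get-ChainSignatureReport -Certificate $portalCert |
    Format-Table Position, Subject, Algorithm, Weak -AutoSize

# 3) EAP side: the EAP server certificate is not reachable over HTTPS, so export it from
#    ISE (Administration > System > Certificates) and check the file (placeholder path).
$eapCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\temp\ise-eap-server.cer')
Get-ChainSignatureReport -Certificate $eapCert |
    Format-Table Position, Subject, NotAfter, Algorithm, Weak -AutoSize
```

Any row with `Weak` set to true is a certificate to reissue with SHA-256 before the browser deadline; the issuing CA and its `NotAfter` date tell you whether it also falls outside the CA/Browser Forum sunset quoted above. Run step 1 on a representative Windows 7 and Windows 10 client rather than on an admin workstation, since the point is what those supplicants' own stores and chain engines contain.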

gian.ro
Level 4

Thanks for the answer and the useful information about the CA. We have tested the impact following the procedure in the FAQ you mentioned. With both Windows 7 and 10 native supplicants, the EAP authentication completes successfully, although the usage of a SHA-1-signed certificate is logged.