
Questions regarding ISE Key Wrap functionality

coolsaurabh.hrc
Level 1

Hi Team,

 
Could someone please provide details on how ISE calculates the message-authentication-code AVP and inserts it into the Access-Accept packet when Key Wrap is enabled?
 
The problem we have is that the HMAC calculation on the Access-Accept received from ISE does not match the 20-byte HMAC-SHA1 value inserted in the AVP.

Note: ISE sends an Access-Accept, so ISE likes the Access-Request packet (from us), and ISE’s HMAC validation on the Access-Request packet is correct.
 
Regards,
Saurabh
1 Reply

Arne Bier
VIP

Hello @coolsaurabh.hrc 

 

I haven't used the key wrap feature. Just curious why you're using it, and whether you have discovered a weakness in the existing MPPE key exchange?

 

It sounds like the Access-Accept is being returned to the NAS, and all is well? Perhaps the HMAC in the Access-Accept should not match that sent in the Access-Request. Have you tried analysing this in Wireshark?