cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3292
Views
0
Helpful
5
Replies

Sellect different ciphers in ISE 2.3 and forward for EAP-TLS for different rules

henrikj
Beginner
Beginner

Hi

I want to be able to enable or disable specific ciphers or TLS versions for a specific authentication protocol definition
Policy -> Policy elements -> Authentication -> Allowed protocols

Currently all I can do is enable or disable weak ciphers (see attached picture), or enable or disable TLS1.0/TLS1.1 installation-wide (Admin -> System -> Settings -> Protocols -> Security settings).

Are there any plans for doing this in the future ?

If not, then please add options to enable or disable these already-existing settings to the auth protocol definition settings.

For cipher suite selections, I don't need a fancy cipher suite selection UI - a simple string field for cipher suites (as input to OpenSSL) would be fine. But a simple "enable weak ciphers" is not good enough, if I for some reason need to disable a specific cipher set.

 

Regards Henrik

5 Replies 5

surasky
Cisco Employee
Cisco Employee

Hello Henrik,

My name is Tal Surasky and I'm one of ISE's product manager.

Currently changing protocols settings is something we can do in a deployment-wide settings only and not as you requested, per policy.

Can you please elaborate on the use case and why do you need this option? 

Thanks

Tal

The use cases for changing TLS cipher/protocol settings per policy, and not deployment-wide, are the following:

  • Enabling enterprise clients to use more strict cryptographic settings, than BYOD/non-enterprise devices
    • Deprecating weak ciphers faster
    • Only using the newest protocol versions
    • Synchronized security policy with Group Policies for Windows clients, etc.
  • Possibility to act fast on enterprise clients and change cipher and protocol settings with a better granularity, based on risk assessment and vulnerability reports etc.
  • Possibility to differentiate clients based on cryptographic settings
    • Placing clients without updated GPO with missing settings in a “high-risk” network or in network for remediation / GPO update, opposed to dealing with disconnected clients after security settings have been strengthened
  • Might even want to use very weak ciphers for special devices (printers, phones, etc) instead of MAB – as security is still higher. But do NOT want to use weak crypto settings on enterprise devices. Need to have separate policies for the two.

Eg. Use EAP-PEAP-MD5 or similar as replacement for MAB, for devices that support EAP – but will most certainly have devices that only support older protocol versions and weaker ciphers

Hi henrikj

 

Did you get a response on this? l need to do the same too.

 

Thanks

 

Vusa

No :-(

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: