Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3830
Views
0
Helpful
5
Replies

Sellect different ciphers in ISE 2.3 and forward for EAP-TLS for different rules

henrikj
Level 1
Level 1

‎12-12-2017 01:40 AM - edited ‎02-21-2020 10:41 AM

Hi

I want to be able to enable or disable specific ciphers or TLS versions for a specific authentication protocol definition
Policy -> Policy elements -> Authentication -> Allowed protocols

Currently all I can do is enable or disable weak ciphers (see attached picture), or enable or disable TLS1.0/TLS1.1 installation-wide (Admin -> System -> Settings -> Protocols -> Security settings).

Are there any plans for doing this in the future ?

If not, then please add options to enable or disable these already-existing settings to the auth protocol definition settings.

For cipher suite selections, I don't need a fancy cipher suite selection UI - a simple string field for cipher suites (as input to OpenSSL) would be fine. But a simple "enable weak ciphers" is not good enough, if I for some reason need to disable a specific cipher set.

 

Regards Henrik

3 people had this problem
Labels:
Preview file
9 KB
0 Helpful
5 Replies 5

surasky
Cisco Employee
Cisco Employee

‎12-16-2017 12:11 AM

Hello Henrik,

My name is Tal Surasky and I'm one of ISE's product manager.

Currently changing protocols settings is something we can do in a deployment-wide settings only and not as you requested, per policy.

Can you please elaborate on the use case and why do you need this option? 

Thanks

Tal

0 Helpful

henrikj
Level 1
Level 1
In response to surasky

‎01-02-2018 06:06 AM

The use cases for changing TLS cipher/protocol settings per policy, and not deployment-wide, are the following:

  • Enabling enterprise clients to use more strict cryptographic settings, than BYOD/non-enterprise devices
    • Deprecating weak ciphers faster
    • Only using the newest protocol versions
    • Synchronized security policy with Group Policies for Windows clients, etc.
  • Possibility to act fast on enterprise clients and change cipher and protocol settings with a better granularity, based on risk assessment and vulnerability reports etc.
  • Possibility to differentiate clients based on cryptographic settings
    • Placing clients without updated GPO with missing settings in a “high-risk” network or in network for remediation / GPO update, opposed to dealing with disconnected clients after security settings have been strengthened
  • Might even want to use very weak ciphers for special devices (printers, phones, etc) instead of MAB – as security is still higher. But do NOT want to use weak crypto settings on enterprise devices. Need to have separate policies for the two.

Eg. Use EAP-PEAP-MD5 or similar as replacement for MAB, for devices that support EAP – but will most certainly have devices that only support older protocol versions and weaker ciphers

0 Helpful

vusandlovu
Level 1
Level 1
In response to henrikj

‎04-18-2019 03:32 AM

Hi henrikj

 

Did you get a response on this? l need to do the same too.

 

Thanks

 

Vusa

0 Helpful

henrikj
Level 1
Level 1
In response to vusandlovu

‎05-01-2019 03:34 AM

No :-(

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents