01-10-2025 12:28 AM
Dear Cisco ISE,
Currently we have a vulnerability scan running in our lab and it found the weak cipher suites below:
Please let us know whether we are running the weak cipher suites above or not.
Does ISE only use CBC or GCM if we are running EAP-TLS and MSCHAPv2?
If the supplicant is Windows 11 with Secure Client, does it automatically run TLS v1.2?
01-10-2025 01:46 PM
Out of curiosity, what version of ISE are you using? Are you able to configure TLS 1.3 for your test? It appears that you can't disable TLS 1.2 though.
What Security Settings are in place during your test?
You can also manually configure the ciphers if needed ...
01-10-2025 12:34 AM
@oumodom, from ISE 3.3 you can select the ciphers to enable/disable. The guide below has a list of supported ciphers and describes how to select the ciphers to use.
01-28-2025 06:31 AM
Please note that currently this configuration is not relevant for ISE as an EAP server.
01-28-2025 08:54 PM
@mbuzaglo Could you elaborate more on your idea?
01-10-2025 02:20 PM
Regarding the EAP Server component in ISE, you asked the questions:
I ran a wpa_supplicant eapol_test (version 2.10) against ISE 3.4 p1 and captured the Server Hello from ISE. By default, the eapol_test client will try TLS 1.2 in the Client Hello (which is consistent with most OS supplicants), and ISE responds accordingly:
In ISE Live Logs Details pane:
With eapol_test, you can force TLS versions to test the EAP server's support. I did that by disabling all TLS versions except 1.3, and ISE supports it (ISE 3.4 p1). Whether Windows/iOS/Mac/Secure Client supplicants support this is not clear to me:
Here is my eapol_test config file:
# wpa_supplicant/eapol_test configuration: EAP-TLS with the TLS version pinned to 1.3
eapol_version=3
network={
    # phase1: disable TLS 1.0, 1.1 and 1.2 so the Client Hello offers only TLS 1.3
    phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0"
    ssid="example"
    bssid=00:11:22:33:44:55
    proto=WPA
    key_mgmt=WPA-EAP
    eap=TLS
    identity="host/demopc.rnlab.local"
    # ca_cert is commented out, so the ISE server certificate is not validated in this lab test
    #ca_cert="/home/abier/wpa/RNLAB-ROOTCA.pem"
    # client certificate and private key used for EAP-TLS client authentication
    client_cert="/home/abier/wpa/demopc.cert"
    private_key="/home/abier/wpa/demopc.key"
    eapol_flags=3
}
01-13-2025 01:18 AM
So helpful for my inquiry, @Arne Bier, as our ISE lab is running v3.1 P9.
I can see mine is using TLS v1.2 with TLSCipher ECDHE-RSA-AES256-GCM-SHA384.
So how do I list all the cipher suites Cisco ISE uses from the CLI? And how do I disable the weak cipher suites below?
01-18-2025 01:18 PM
You can't manage the TLS ciphers through the ISE CLI. You must do that through the GUI (please see the screenshots I posted earlier). The ISE CLI allows you to manage the SSH protocols a bit better.
01-21-2025 08:44 PM
From the lab I configured, I noticed that the cipher suite depends on the supplicant's selection in the Client Hello message, not on Cisco ISE's selection.
If so, is there any standard workflow/document from Cisco for selecting the best cipher suite between the endpoint and ISE? And is there any mention that an endpoint running the Secure Client agent requires TLS v1.2 as mandatory for the cipher suite?
I raised this idea because, in case the endpoint/supplicant sends a hello message with a weak cipher suite, there will be a breakable point for an attacker.
What is your idea, @Arne Bier @Rob Ingram, on the above concern?
Please refer to the figure below.
There are 21 cipher suites from the endpoint in the Client Hello.
The Server Hello then provides the highest one to the endpoint.
01-21-2025 09:51 PM
I don't know what the RFC says (maybe need to research that a bit) but it was my understanding that it's the Authenticating Server (ISE) that has the final say, after it compares the Client Hello capabilities against its own - and in the ISE code there must be some ranking that takes the best of the available ciphers. All we can do in the ISE GUI is to deselect the ones we don't want to use (even if the client supports them). Whatever ciphers remain in the list of candidates will determine the winner - and I don't know how ISE selects - I would hope it's following some industry standard that e.g. prefers GCM over CBC etc.
Are you satisfied with what you see in the Server Hello, or did you expect a different result?
I don't think TLS 1.2 is susceptible to a downgrade attack. If you want an excellent guide on TLS, you should check out the work by Ed Harmoush. He has some great videos and podcast appearances and also offers paid-for training on TLS (for the ultimate TLS nerds). Check out his talk on TLS 1.3 on this Packet Pushers podcast episode. He would know the answer to this instantly.
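The two posts above (the 21-suite Client Hello versus the single suite in the Server Hello, and the reply that the authenticating server has the final say) describe TLS 1.2 cipher-suite negotiation. The following is an added worked example, not code from the thread and not Cisco's ISE implementation: it models a server that intersects the Client Hello list with its own enabled list and applies its own preference order, and it flags the suites a scanner would report as weak (static RSA key exchange, CBC mode, 3DES, HMAC-SHA1). The Client Hello and server lists are constructed for illustration, the server-preference rule is an assumption about ISE (the thread itself says Cisco does not document the ordering), and suite names use the OpenSSL notation that ISE Live Logs display (e.g. ECDHE-RSA-AES256-GCM-SHA384).

```python
"""Model TLS 1.2 cipher-suite negotiation and flag weak suites.

Added example; not from the forum thread and not Cisco ISE code.
Suite names are in OpenSSL notation, as shown in ISE Live Logs.
"""
from typing import Optional

# Constructed Client Hello list, roughly what a modern OS supplicant offers.
# It is NOT the 21-suite capture discussed in the thread.
CLIENT_HELLO = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
    "AES256-SHA256",
    "AES128-SHA256",
    "AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
]

# Constructed server-side enabled list in server preference order (strongest
# first).  A stand-in for what an admin ticks in the ISE GUI; this is an
# assumption, not Cisco's actual default list.
SERVER_ENABLED = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
    "AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
    "AES256-SHA256",
    "AES256-SHA",
    "DES-CBC3-SHA",
]


def weaknesses(suite: str) -> list[str]:
    """Return the reasons a scanner would flag this suite (empty list = fine)."""
    reasons = []
    if not suite.startswith(("ECDHE-", "DHE-")):
        reasons.append("static RSA key exchange (no forward secrecy)")
    if "DES-CBC3" in suite or "3DES" in suite:
        reasons.append("3DES (64-bit block, Sweet32)")
    elif "-GCM-" not in suite and "CHACHA20" not in suite and "CCM" not in suite:
        reasons.append("CBC mode (padding-oracle class, e.g. Lucky13)")
    if suite.endswith("-SHA"):
        reasons.append("HMAC-SHA1")
    for bad in ("RC4", "NULL", "EXP", "MD5", "ANON"):
        if bad in suite.upper():
            reasons.append(bad)
    return reasons


def auth_algorithm(suite: str) -> str:
    """Signature algorithm the server certificate must use for this suite."""
    return "ECDSA" if "-ECDSA-" in suite else "RSA"


def negotiate(client_offered, server_enabled, server_cert_key="RSA",
              server_preference=True) -> Optional[str]:
    """Pick the suite a TLS 1.2 server would put in its Server Hello.

    Candidates are suites both sides support whose authentication matches the
    server certificate's key type.  With server_preference=True the server's
    own order wins (the assumed ISE behaviour); otherwise the client's order
    wins.  None means no common suite, i.e. the handshake fails.
    """
    usable = [s for s in server_enabled if auth_algorithm(s) == server_cert_key]
    if server_preference:
        return next((s for s in usable if s in client_offered), None)
    return next((s for s in client_offered if s in usable), None)


def hardened(server_enabled):
    """Server list with every flagged suite deselected, order preserved."""
    return [s for s in server_enabled if not weaknesses(s)]


if __name__ == "__main__":
    for s in CLIENT_HELLO:
        if weaknesses(s):
            print(f"flagged in Client Hello: {s}: {', '.join(weaknesses(s))}")
    print("RSA cert, default list :", negotiate(CLIENT_HELLO, SERVER_ENABLED))
    print("RSA cert, hardened list:", negotiate(CLIENT_HELLO, hardened(SERVER_ENABLED)))
    legacy = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]  # constructed old supplicant
    print("legacy client, hardened:", negotiate(legacy, hardened(SERVER_ENABLED)))
```

With an RSA server certificate and server preference, the model selects ECDHE-RSA-AES256-GCM-SHA384 whether or not the CBC and static-RSA suites are still enabled, because the GCM suites rank above them; the weak suites in the Client Hello only matter when nothing stronger is common to both sides. Deselecting them on the server turns that case into a handshake failure rather than a silent fallback, which is the point of trimming the server-side list: the client's 21 offered suites cannot be controlled from ISE, but the intersection can.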
01-21-2025 10:29 PM
I have no objection to your idea, and it would make sense for the decision to be made by ISE, not by the endpoint.
The priority/order of the cipher suites is the key thing that needs to be documented by Cisco.
01-22-2025 12:54 PM
The best we have is what's mentioned in the Admin Guide under Cipher Suites. But the order of selection is not mentioned. Perhaps it's obvious that 384 will be chosen over 256, etc. And also, you can elect to disable RSA and use ECDSA instead, constraining the ISE-supported ciphers to suit your organization's needs. This of course will only work if your end devices support what ISE supports. It looks like ISE has a very good and up-to-date cipher suite list.
Regarding the documentation, at the very top of the link I posted above, you can give Cisco direct feedback to please clarify this process