ACS and ISE: Report over used 802.1X EAP-TLS or PEAP SSL ciphers

Johannes Luther
Level 4

Hi board,

Assume you want to harden your RADIUS/802.1X solution and want to disable legacy SSL ciphers (ISE setting "Allow Weak Ciphers for EAP" disabled) like RSA_RC4_128_SHA or RSA_RC4_128_MD5.

How do you know, without testing each 802.1X-capable end device, whether these legacy ciphers are currently used by some clients? How can you check in advance whether all your clients are compatible with the newer SSL ciphers?

This question is for ACS and for ISE: is there any report which outlines the SSL ciphers in use? At least it's not in the RADIUS authentication or accounting report. How do you know if you can disable the weak ciphers in your ACS or ISE settings?

I guess the "hard" way would be to capture the RADIUS packets towards an ISE or ACS node and filter for the "SSL server hello" packets. These packets contain the negotiated cipher. From my point of view, an appropriate Wireshark display filter would be:

ssl.handshake.type == 2 && (ssl.handshake.ciphersuite == 0x0004 || ssl.handshake.ciphersuite == 0x0005)

"ssl.handshake.type == 2" is the filter for SSL server hello packets

"ssl.handshake.ciphersuite == 0x0004" is the ID for RSA_RC4_128_MD5

"ssl.handshake.ciphersuite == 0x0005" is the ID for RSA_RC4_128_SHA

(Of course the display filter and/or preferably the capture filter is set to the RADIUS packets)

But there has to be a simpler way than this, right?!
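The capture-based approach above works because the negotiated suite sits at a fixed position inside the TLS ServerHello that EAP-TLS/PEAP carries over RADIUS. As an added illustration (not code from the original post), the following Python script parses a TLS record containing a ServerHello, pulls out the protocol version and cipher suite, and flags the two suite IDs the post names (0x0004 and 0x0005). It assumes the EAP-TLS fragments have already been reassembled into whole TLS records (for example, exported from Wireshark); the `build_server_hello` helper and the client labels are constructed test data, not captured traffic.

```python
import struct

# Suite IDs from the post (IANA names): 0x0004 = TLS_RSA_WITH_RC4_128_MD5,
# 0x0005 = TLS_RSA_WITH_RC4_128_SHA. Anything in this dict is reported as legacy.
WEAK_CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}

RECORD_HANDSHAKE = 0x16   # TLS record content type: Handshake
HS_SERVER_HELLO = 0x02    # Handshake message type: ServerHello (ssl.handshake.type == 2)


def parse_server_hello(record: bytes):
    """Return (tls_version, cipher_suite) for a TLS record that carries a
    ServerHello, or None if the record is anything else or is truncated."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != HS_SERVER_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ServerHello layout: version(2) random(32) session_id_len(1) session_id
    #                     cipher_suite(2) compression(1) [extensions]
    if len(hello) < 35:
        return None
    (version,) = struct.unpack("!H", hello[0:2])
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 2:
        return None
    (suite,) = struct.unpack("!H", hello[off:off + 2])
    return version, suite


def audit_records(records):
    """records: iterable of (client_label, tls_record). Returns a list of
    (client_label, suite_name) for every ServerHello that negotiated a weak suite."""
    findings = []
    for label, record in records:
        parsed = parse_server_hello(record)
        if parsed is None:
            continue
        _, suite = parsed
        if suite in WEAK_CIPHER_SUITES:
            findings.append((label, WEAK_CIPHER_SUITES[suite]))
    return findings


def build_server_hello(version: int, suite: int, session_id: bytes = b"") -> bytes:
    """Constructed test helper: assemble a minimal, well-formed ServerHello record."""
    hello = (struct.pack("!H", version) + bytes(32)           # version + zeroed random
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite) + b"\x00")             # suite + null compression
    handshake = bytes([HS_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([RECORD_HANDSHAKE]) + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed sample: one modern client, one legacy client, one non-handshake record.
    sample = [
        ("lab-pc-01", build_server_hello(0x0303, 0xC030)),                 # TLS 1.2, ECDHE-RSA-AES256-GCM-SHA384
        ("lab-printer-07", build_server_hello(0x0301, 0x0005, b"\x01" * 8)),  # TLS 1.0, RSA_RC4_128_SHA
        ("noise", b"\x17\x03\x03\x00\x01\x00"),                            # application data, ignored
    ]
    for label, suite_name in audit_records(sample):
        print(f"{label}: negotiated legacy suite {suite_name}")
```

Run it on real data by replacing the `sample` list with records exported from a RADIUS capture; the script reports only the clients that still land on RC4, which is exactly the list you need before flipping the ISE or ACS weak-cipher setting.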

2 Accepted Solutions

Accepted Solutions

Jinkle Jose
Cisco Employee

Any update on this query ?


hslai
Cisco Employee

For ISE, the ISE RADIUS auth details report has the info on TLS Cipher and Version; e.g.

TLSCipher ECDHE-RSA-AES256-GCM-SHA384
TLSVersion TLSv1.2


No separate reports on these fields solely. We may, however, send syslog to an external logging target (e.g. Splunk), if needed.
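Since the per-authentication TLSCipher and TLSVersion fields are in the report but there is no roll-up by cipher, the aggregation is easy to do yourself once the records are exported or forwarded as syslog. The following Python snippet is an added example, not part of this answer or of ISE: it assumes each exported line carries the two fields as `TLSCipher=<name>` and `TLSVersion=<name>` key/value pairs alongside a `UserName=` field (an assumed layout; the sample lines are constructed, not real ISE output), counts how often each cipher is negotiated, and lists the endpoints that still use an RC4- or MD5-based suite.

```python
import re
from collections import Counter

# Assumed export/syslog layout: comma-separated key=value pairs per authentication.
FIELD_RE = re.compile(r"(UserName|TLSCipher|TLSVersion)=([^,\s]+)")


def is_weak_cipher(cipher: str) -> bool:
    """Flag OpenSSL-style suite names that use RC4 or an MD5 MAC,
    i.e. the suites the 'Allow Weak Ciphers for EAP' setting governs."""
    return "RC4" in cipher or cipher.endswith("-MD5")


def summarize(log_text: str):
    """Returns (cipher_counts, weak_endpoints):
    cipher_counts  - Counter of negotiated cipher names
    weak_endpoints - sorted list of (username, cipher, version) still on weak suites"""
    counts = Counter()
    weak = set()
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        cipher = fields.get("TLSCipher")
        if not cipher:
            continue  # non-EAP-TLS/PEAP record, nothing to learn here
        counts[cipher] += 1
        if is_weak_cipher(cipher):
            weak.add((fields.get("UserName", "?"), cipher, fields.get("TLSVersion", "?")))
    return counts, sorted(weak)


# Constructed sample records (not real ISE output).
SAMPLE_LOG = """\
2024-01-15T08:01:02 ise-psn1 UserName=host/lab-pc-01, TLSCipher=ECDHE-RSA-AES256-GCM-SHA384, TLSVersion=TLSv1.2
2024-01-15T08:01:05 ise-psn1 UserName=host/lab-pc-02, TLSCipher=ECDHE-RSA-AES256-GCM-SHA384, TLSVersion=TLSv1.2
2024-01-15T08:01:09 ise-psn1 UserName=printer-07, TLSCipher=RC4-SHA, TLSVersion=TLSv1
2024-01-15T08:01:11 ise-psn1 UserName=guest-user, Protocol=MAB
2024-01-15T08:02:30 ise-psn1 UserName=printer-07, TLSCipher=RC4-SHA, TLSVersion=TLSv1
"""

if __name__ == "__main__":
    counts, weak = summarize(SAMPLE_LOG)
    for cipher, n in counts.most_common():
        print(f"{n:5d}  {cipher}")
    for user, cipher, version in weak:
        print(f"still weak: {user} ({cipher}, {version})")
```

The same counting logic maps directly onto a Splunk `stats count by TLSCipher` over the forwarded syslog; the script is for the case where you only have an exported report.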


4 Replies

Jinkle Jose
Cisco Employee

Any update on this query ?

I asked our experts to take a look.

Nadav
Level 7

Until Jason gets back to you with a formal response, I'd like to point out that you can perform a tcpdump remotely for any PSN node via:


Operations > Troubleshoot > Diagnostic Tools > TCP Dump


It also allows you to use capture filters. You can let it run for a few hours with whichever filters you need.
