ISE legacy cipher suites

Johannes Luther
Level 4

Hello board,

I'm a little bit confused regarding the legacy SSL cipher settings within Cisco ISE.

My question is regarding the settings in the ISE GUI under: Administration > System > Settings / Protocols > Security Settings:

Enable TLS 1.0 only for legacy clients

Enable SHA-1 only for legacy clients

In the ISE GUI, the tooltip states:

Enable [TLS 1.0 | SHA-1 cipher suites] only for legacy clients for EAP-TLS, PEAP, EAP-FAST and EAP-TTLS protocols and for legacy secure services

--> So the tooltip states that this setting actually affects EAP protocols which use SSL/TLS (e.g. EAP-TLS and PEAP)

Contrary to this, the ISE 2.2 admin guide documentation states:

The following workflow is not affected by the Security Settings:
Cisco ISE acts as an EAP-TLS, EAP-TTLS, PEAP, or EAP-FAST server that authenticates clients to provide them access to the network

--> The admin guide states that these settings do not affect EAP protocols which use SSL/TLS (e.g. EAP-TLS and PEAP)

So, which statement is correct?

Some background information and what I did so far:

Testing

The main problem is that I cannot test or verify this in a lab, because I didn't find a way to force the ISE to tell me the cipher suites. There are tools for that (simple openssl), but these tools typically only support HTTPS as the application and not EAP :)

Capturing an EAP over RADIUS communication does not help either, because the client offers a list of supported ciphers in the SSL CLIENT HELLO message. The server (ISE) just answers in the SSL SERVER HELLO message with the used / proposed cipher (typically the highest common cipher supported by client and server).

Last thing: I don't have a legacy client, that only supports SHA-1 and/or TLS 1.0 ciphers.

RFC

The EAP-TLS RFC states:

   EAP-TLS implementations MUST support TLS v1.0.

(source: https://tools.ietf.org/html/rfc5216#section-2.4)

EAP-TTLS inherits this section from the EAP-TLS RFC. I didn't check it for PEAP or FAST.

So I guess the security settings cannot influence the EAP protocols, because otherwise you'll end up in a non-RFC-compliant state for the Cisco ISE. But this is only a guess.

Additional ISE settings?

More confusion is added with the "Allow Weak Ciphers for EAP" setting in the allowed protocols, which enables RSA_RC4_128_SHA and RSA_RC4_128_MD5 if checked. These ciphers are both TLS 1.0 ciphers and would also be disabled with the global security settings.

So take home message and a question list:

  • Is the web GUI or the admin guide correct?
  • Does anybody know a tool to probe the supported ciphers for EAP protocols relying on SSL/TLS?

My conclusion is that the admin guide is correct, because otherwise the ISE becomes an RFC-non-compliant RADIUS server for EAP-TLS and PEAP. And that's something that nobody wants :)

But that's only a guess and from my point of view only.
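Added example, not part of the thread and not Cisco's or the poster's code: the capture point above is right that a ServerHello only reveals what the server picked, not everything it supports, but that per-client answer is exactly what you need to find the legacy endpoints. The script below pulls the EAP-TLS fragment out of the RADIUS EAP-Message attributes, walks the TLS records, and reports the offered and negotiated version and cipher suite, flagging TLS below 1.2, RC4 and SHA-1/MD5-HMAC suites, or the alert if the server refused the offer. The three exchanges are constructed inside the script (zero randoms, empty session IDs, no extensions) and the suite table is a small IANA subset; both are assumptions to extend for real captures. To enumerate what a server accepts rather than what it chose, you would drive a supplicant that lets you restrict the offered suites (wpa_supplicant's eapol_test with an `openssl_ciphers` setting, for instance) one suite at a time and watch for the alert.

```python
# Added example (not from the thread): decode the ClientHello/ServerHello carried in RADIUS
# EAP-Message attributes and report what was negotiated. All packets below are constructed here.
import struct

EAP_MESSAGE = 79                    # RADIUS attribute type (RFC 2869 s5.13)
EAP_TLS_TYPES = {13, 25, 21, 43}    # EAP-TLS, PEAP, EAP-TTLS, EAP-FAST share the same TLS framing
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",   # IANA subset only
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}

def radius_eap_payload(pkt):
    """Concatenate every EAP-Message attribute value of one RADIUS packet (UDP payload bytes)."""
    length, pos, out = struct.unpack("!H", pkt[2:4])[0], 20, b""   # 20 = code, id, length, authenticator
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            raise ValueError("malformed RADIUS attribute")
        if atype == EAP_MESSAGE:
            out += pkt[pos + 2:pos + alen]
        pos += alen
    return out

def eap_tls_data(eap):
    """Strip the EAP header and EAP-TLS flags; with the L bit set a 4-byte total length precedes the data."""
    length, etype, flags = struct.unpack("!HBB", eap[2:6])
    if etype not in EAP_TLS_TYPES:
        raise ValueError(f"EAP type {etype} carries no TLS")
    return eap[(10 if flags & 0x80 else 6):length]

def tls_messages(tls):
    """Yield (handshake_type, body) per handshake message and (-1, level+desc) per alert record."""
    pos = 0
    while pos + 5 <= len(tls):
        ctype, _, rlen = struct.unpack("!BHH", tls[pos:pos + 5])
        body, pos = tls[pos + 5:pos + 5 + rlen], pos + 5 + rlen
        if ctype == 21:                          # alert: the server refused the offer
            yield -1, body
        elif ctype == 22:                        # handshake: a record may hold several messages
            hpos = 0
            while hpos + 4 <= len(body):
                hlen = int.from_bytes(body[hpos + 1:hpos + 4], "big")
                yield body[hpos], body[hpos + 4:hpos + 4 + hlen]
                hpos += 4 + hlen

def hello_fields(hello, is_client):
    """(version, suites): all suites offered by a ClientHello, or the single suite a ServerHello chose."""
    ver = struct.unpack("!H", hello[:2])[0]
    pos = 34 + 1 + hello[34]                     # skip version, 32-byte random, session id
    if not is_client:
        return ver, [struct.unpack("!H", hello[pos:pos + 2])[0]]
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    return ver, [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos + 2, pos + 2 + cs_len, 2)]

def legacy_reasons(version, suite):
    """What ISE's 'legacy' switches are about: TLS below 1.2, RC4, and SHA-1/MD5 HMAC suites."""
    name = SUITES.get(suite, f"unknown_0x{suite:04x}")
    reasons = [TLS_VERSIONS[version]] if 0x0301 <= version < 0x0303 else []
    reasons += ["RC4"] if "RC4" in name else []
    reasons += ["SHA-1/MD5 HMAC"] if name.endswith(("_SHA", "_MD5")) else []
    return reasons

def summarize(client_pkt, server_pkt):
    """Offered vs negotiated parameters for one ClientHello / ServerHello pair carried over RADIUS."""
    hello = next(b for t, b in tls_messages(eap_tls_data(radius_eap_payload(client_pkt))) if t == 1)
    offered = hello_fields(hello, True)
    out = {"offered_version": TLS_VERSIONS.get(offered[0]),
           "offered_suites": [SUITES.get(s, hex(s)) for s in offered[1]], "negotiated_suite": None}
    for htype, body in tls_messages(eap_tls_data(radius_eap_payload(server_pkt))):
        if htype == 2:
            ver, (suite,) = hello_fields(body, False)
            out.update(negotiated_version=TLS_VERSIONS.get(ver), negotiated_suite=SUITES.get(suite),
                       legacy=legacy_reasons(ver, suite))
        elif htype == -1:
            out["alert"] = tuple(body[:2])       # e.g. (2, 70) = fatal protocol_version
    return out

# Builders for the constructed sample exchange (zero randoms, empty session ids, no extensions).
def make_hello(htype, version, suites):
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    if htype == 1:   # ClientHello: suite list + one (null) compression method
        body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00"
    else:            # ServerHello: the chosen suite + null compression
        body += struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(hs)) + hs

def wrap_eap_tls(code, ident, tls):              # EAP code 1 = Request, 2 = Response; type 13, L bit set
    payload = bytes([13, 0x80]) + struct.pack("!I", len(tls)) + tls
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def wrap_radius(code, ident, eap, chunk=253):    # RADIUS code 1 = Access-Request, 11 = Access-Challenge
    attrs = b"".join(bytes([EAP_MESSAGE, 2 + len(eap[i:i + chunk])]) + eap[i:i + chunk]
                     for i in range(0, len(eap), chunk))
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

MODERN = (wrap_radius(1, 10, wrap_eap_tls(2, 3, make_hello(1, 0x0303, [0xC02F, 0x002F, 0x0005]))),
          wrap_radius(11, 10, wrap_eap_tls(1, 4, make_hello(2, 0x0303, [0xC02F]))))
PRINTER = (wrap_radius(1, 12, wrap_eap_tls(2, 3, make_hello(1, 0x0301, [0x0005, 0x0004]))),
           wrap_radius(11, 12, wrap_eap_tls(1, 4, make_hello(2, 0x0301, [0x0005]))))
REFUSED = (PRINTER[0], wrap_radius(11, 12, wrap_eap_tls(1, 4, struct.pack("!BHHBB", 21, 0x0301, 2, 2, 70))))
if __name__ == "__main__":
    for label, (c, s) in (("modern", MODERN), ("printer", PRINTER), ("refused", REFUSED)):
        print(label, summarize(c, s))
```

On real traffic, feed `summarize()` the UDP payload of the Access-Request carrying the ClientHello and of the following Access-Challenge; the ServerHello always sits in the first server fragment, so no cross-packet reassembly is needed for this check (Certificate messages spanning fragments are not reassembled here). The "refused" case is what a server that no longer accepts TLS 1.0 looks like on the wire: an alert record instead of a ServerHello.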

4 Replies

Hi Johannes

The Cisco ISE 2.x train gives you the option to enable or disable TLS 1.0 (which is considered insecure because of some vulnerabilities discovered for it, including the BEAST attack), which also affects TLS 1.1.

The recommended TLS version (security-wise) is TLS 1.2 because of its strong security and cipher suites.

Also the option to enable or disable SHA1 is there as it is also considered insecure (with the recent practical collision attack against SHA1 announced by Google)

This affects both the cipher suites offered during the TLS tunnel establishment and the certificate hashing algorithms if mutual certificate authentication is being used (client-side certificates).

Given the fact that ISE is acting as the authentication server for TLS, it will first have to accept the TLS version offered by the client (TLS 1.0 vs TLS 1.1 vs TLS 1.2) in the first TLS Client Hello message; if it accepts the proposed TLS version, it then selects the highest cipher suite offered by the client.

With that in mind, the negotiation of the TLS version depends in some regard on the 802.1X supplicant you are using: if you are using Cisco AnyConnect NAM version 4.x it will support TLS 1.2 and some cipher suites; if you are using the Windows native supplicant it would depend on the Windows OS version (I think Windows 7 SP1, Windows 8 and Windows 10 support TLS 1.2).

But some legacy clients (like I have at some customers which are using PEAP for authenticating network printers) support only TLS 1.0 and a few cipher suites, so if they try to establish the TLS tunnel proposing TLS 1.0 the ISE would reject them and tear down the tunnel.

(Cisco ISE 1.4, for example, doesn't have this option of enabling/disabling TLS 1.0 for legacy clients) as it accepts it by default.

I think since Cisco ISE 2.x they disabled TLS 1.0 (for security reasons) and gave you the option to enable it if you have legacy clients that only support TLS 1.0 (instead of relying on MAB).

Now, how this affects PEAP and EAP-TLS and even EAP-FAST: I would say from my perspective, since all of the above protocols use a TLS tunnel for the outer method, they will be affected if you enable TLS 1.0, as if the supplicant proposes TLS 1.0 during the Client Hello ISE would treat it as a legacy client and accept that establishment.

Mostly, by default all supplicants would propose the highest TLS version during tunnel establishment.

Unfortunately there is no way to know (through ISE) which TLS version was used for authenticating a particular client (at least up to Cisco ISE 1.4, which I'm using).

The last setting about weaker cipher suites (RSA_RC4_128_SHA and RSA_RC4_128_MD5): I think since RC4 encryption has been considered broken for a long time, it should not be accepted even if the client proposes legacy TLS 1.0.

So if you need to test, I would say configure one test Windows machine using the Windows native supplicant and tweak the registry to enforce using only TLS 1.0 (I don't remember the registry key for this, but Google is there :)

and keep that option of enabling TLS 1.0 off and see if you get an authentication failure in ISE and see the details (you can configure the Windows native supplicant to use PEAP or EAP-TLS or EAP-FAST for this test).

I would say you should never enable this TLS 1.0 option unless you see some endpoints having authentication failures related to TLS errors; then check the supplicant settings and documentation to see which TLS version it supports.

As if you enable such an option, you would not know which client negotiates which TLS version.

This is my opinion and I may be wrong in some aspects.

Hi Mohamed,

Thank you for your very detailed answer. I'm aware of why one should disable TLS 1.0, SHA-1, RC4 and so on. The question was whether these config options in the ISE actually influence the EAP protocols or not (because there's a difference between the web UI and the documentation).

I'm also aware of the fact that there might be legacy clients out there. See also the following post for a proposal on how to find these clients in ACS or ISE:

https://supportforums.cisco.com/discussion/13276331/acs-and-ise-report-over-used-8021x-eap-tls-or-peap-ssl-ciphers

In ISE 2.1 you can see the used TLS version and cipher in the authentication details of a single client. However, there is no suitable report or ERS attribute to get this information in bulk for all endpoints - pity ;)

However this hint is very interesting:

So if you need to test, I would say configure one test Windows machine using the Windows native supplicant and tweak the registry to enforce using only TLS 1.0 (I don't remember the registry key for this, but Google is there :)

I was not aware that you can tweak the used ciphers in the Windows supplicant. I'll try to find out the right keys and test this right away.

Keep you posted.

Hi Johannes

After reading the admin guide section Security settings which says 

Allow TLS 1.0 for Legacy Servers—Check this check box to enable TLS 1.0 only for legacy servers. This option is enabled by default.
The following workflows are affected by this option:
Cisco ISE downloads CRL from HTTPS or secure LDAP server.
Cisco ISE is configured as secure syslog client.
Cisco ISE is configured as secure LDAP client.

This indicates that these settings do not affect your 802.1X authentication against your dot1x-capable endpoints.

This is emphasized at the end of the paragraph, which states:

The following workflow is not affected by the Security Settings:
Cisco ISE acts as an EAP-TLS, EAP-TTLS, PEAP, or EAP-FAST server that authenticates clients to provide them access to the network.

This means that I was wrong in thinking this option actually affects or hardens your authentication protocols (Allowed Protocols) used in the authentication policy.

This could mean that our legacy client could still negotiate TLS 1.0, and Cisco ISE 2.2 still accepts that and proceeds to select the appropriate cipher suites.

So I think this could actually answer your confusion regarding the GUI and the admin guide, but this raises another interesting question: up to Cisco ISE 2.2 in 2017 there is no way to disable TLS 1.0 or TLS 1.1 in the Allowed Protocols.

Regarding my point:

So if you need to test, I would say configure one test Windows machine using the Windows native supplicant and tweak the registry to enforce using only TLS 1.0 (I don't remember the registry key for this, but Google is there :)

I don't mean you can manipulate or edit the cipher suites; I mean you can enforce Windows, when using EAP-TLS or PEAP for example, to use a particular TLS version, but within that particular version the supported cipher suites will be proposed during the TLS tunnel establishment.

This is how to modify this using the registry:

https://support.microsoft.com/en-us/help/3121002/windows-10-devices-can-t-connect-to-an-802.1x-environment

But if you want to prioritize or manipulate the cipher suites then you have to edit Schannel in Windows (which affects everything in Windows that uses TLS, such as the browsers, and not only EAP-TLS):

https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols-in-schannel.dll

This is a useful link for the cipher suites supported by all Windows versions:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

This is actually a very interesting thing to know (since I don't have a live ISE 2.1 or 2.2 to test with), so if you test it, please share your findings with us.

Johannes Luther
Level 4

There was an answer to my question here:

https://communities.cisco.com/message/255310

(Thanks for posting it there Roland)

Long story short: The admin guide is correct

The settings do not affect SSL-based EAP types (like PEAP or EAP-TLS)
