CSCvo60450 - Encryption RC4/AES256 & MS AD CVE-2022-38023 patch

According to this bug, it states: "When user authentication initiates from ISE, ISE will connect and send the encryption types that are supported (RC4, AES128, and AES256). This enhancement is for AD tuning to only send AES 256."

This is exactly what I am seeing between my Cisco ISE version 3.1 patch 5 (latest patch) and Microsoft Windows Active Directory (AD). My Cisco ISE is integrated with AD for user authentication. In other words, the ISE has to communicate with AD for username and password. When I capture the traffic on the ISE, I can clearly see that the ISE sent RC4 to AD and AD responded back with RC4 over the RPC_Netlogon protocol, as seen below:

Cisco ISE to AD request:

Auth Info: NETLOGON Secure Channel, Packet privacy, AuthContextId(186703)
Auth type: NETLOGON Secure Channel (68)
Auth level: Packet privacy (6)
Auth pad len: 4
Auth Rsrvd: 0
Auth Context ID: 186703
Secure Channel Verifier
Sign algorithm: HMAC-MD5 (0x0077)
Seal algorithm: RC4 (0x007a)
Flags: 0000

This is the response from Active Directory:

Auth Info: NETLOGON Secure Channel, Packet privacy, AuthContextId(186703)
Auth type: NETLOGON Secure Channel (68)
Auth level: Packet privacy (6)
Auth pad len: 0
Auth Rsrvd: 0
Auth Context ID: 186703
Secure Channel Verifier
Sign algorithm: HMAC-MD5 (0x0077)
Seal algorithm: RC4 (0x007a)
Flags: 0000

The problem is that come April 2023, Microsoft will release a patch, the AD CVE-2022-38023 patch, to start removing RC4 from Active Directory. Does that mean the communication between Cisco ISE and Microsoft Active Directory will be broken?

The Cisco bug ID CSCvo60450 lists the following Known Affected Releases (Cisco ISE versions):

003.002(000.542)  --> version 3.2
003.001(000.518)  --> version 3.1
003.000(000.458)  --> version 3.0
002.007(000.356)  --> version 2.7
002.006(000.903)  --> version 2.6
... and more versions after this.
 
The bug ID also does NOT list any known fixed releases. Does that mean I will have an outage when RC4 is removed from Active Directory in April with the Microsoft AD CVE-2022-38023 patch?
 
TIA
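The capture pasted in the post above is the Wireshark dissection of the Netlogon secure channel verifier, and the two hex codes it shows are the MS-NRPC algorithm identifiers: 0x0077 (HMAC-MD5) and 0x007A (RC4) belong to the legacy NL_AUTH_SIGNATURE verifier, while the AES-based NL_AUTH_SHA2_SIGNATURE verifier carries 0x0013 (HMAC-SHA256) and 0x001A (AES-CFB8), with 0xFFFF meaning sign-only. The script below is an added example, not code from the original post, from Cisco or from Microsoft. It parses verifier blocks in the exact text form Wireshark prints (as in the post), and reports per Auth Context ID whether the session is still on the RC4/HMAC-MD5 verifier, which is the one the CVE-2022-38023 hardening phases out. The function names `parse_verifiers` and `audit` are my own, and the third sample block (context 186704, AES) is constructed for illustration; the first two are copied from the post.

```python
"""Classify Netlogon Secure Channel verifiers from Wireshark dissector text.

Added example (not from the post, Cisco ISE or Microsoft). Algorithm codes
are the MS-NRPC NL_AUTH_SIGNATURE / NL_AUTH_SHA2_SIGNATURE identifiers.
"""
import re
from dataclasses import dataclass
from textwrap import dedent
from typing import List

# MS-NRPC verifier algorithm identifiers
SIGN_HMAC_MD5 = 0x0077     # NL_AUTH_SIGNATURE.SignatureAlgorithm  (legacy)
SIGN_HMAC_SHA256 = 0x0013  # NL_AUTH_SHA2_SIGNATURE.SignatureAlgorithm
SEAL_RC4 = 0x007A          # NL_AUTH_SIGNATURE.SealAlgorithm       (legacy)
SEAL_AES_CFB8 = 0x001A     # NL_AUTH_SHA2_SIGNATURE.SealAlgorithm
SEAL_NONE = 0xFFFF         # integrity only, no privacy

SIGN_NAMES = {SIGN_HMAC_MD5: "HMAC-MD5", SIGN_HMAC_SHA256: "HMAC-SHA256"}
SEAL_NAMES = {SEAL_RC4: "RC4", SEAL_AES_CFB8: "AES-CFB8", SEAL_NONE: "none"}

_CODE = re.compile(r"\(0x([0-9A-Fa-f]+)\)")
_CTX = re.compile(r"Auth Context ID:\s*(\d+)")


@dataclass
class Verifier:
    context_id: int
    sign_alg: int
    seal_alg: int

    @property
    def legacy(self) -> bool:
        """True when the session uses the RC4/HMAC-MD5 verifier."""
        return self.sign_alg == SIGN_HMAC_MD5 or self.seal_alg == SEAL_RC4

    @property
    def aes(self) -> bool:
        """True when the session uses the HMAC-SHA256/AES verifier."""
        return self.sign_alg == SIGN_HMAC_SHA256 and self.seal_alg in (
            SEAL_AES_CFB8, SEAL_NONE)


def _code(line: str) -> int:
    m = _CODE.search(line)
    if not m:
        raise ValueError(f"no algorithm code in: {line!r}")
    return int(m.group(1), 16)


def parse_verifiers(dissector_text: str) -> List[Verifier]:
    """Parse Wireshark 'Secure Channel Verifier' blocks separated by blank lines.

    A block is kept only if it has an Auth Context ID plus Sign and Seal
    algorithm lines; stray header text (e.g. 'Cisco ISE to AD request:')
    is ignored.
    """
    found = []
    for block in re.split(r"\n\s*\n", dissector_text.strip()):
        ctx = sign = seal = None
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("Auth Context ID:"):
                ctx = int(_CTX.search(line).group(1))
            elif line.startswith("Sign algorithm:"):
                sign = _code(line)
            elif line.startswith("Seal algorithm:"):
                seal = _code(line)
        if None in (ctx, sign, seal):
            continue
        found.append(Verifier(ctx, sign, seal))
    return found


def audit(dissector_text: str) -> List[str]:
    """One finding per verifier, flagging sessions still on RC4/HMAC-MD5."""
    lines = []
    for v in parse_verifiers(dissector_text):
        sign = SIGN_NAMES.get(v.sign_alg, f"unknown(0x{v.sign_alg:04x})")
        seal = SEAL_NAMES.get(v.seal_alg, f"unknown(0x{v.seal_alg:04x})")
        if v.legacy:
            status = "LEGACY RC4/HMAC-MD5 verifier"
        elif v.aes:
            status = "OK AES/HMAC-SHA256 verifier"
        else:
            status = "UNRECOGNISED algorithm pair"
        lines.append(f"ctx {v.context_id}: sign={sign} seal={seal} -> {status}")
    return lines


# Constructed sample: first two blocks are the ISE request and AD response
# from the post; the third (ctx 186704) is a made-up AES session.
SAMPLE_CAPTURE = dedent("""\
    Auth Info: NETLOGON Secure Channel, Packet privacy, AuthContextId(186703)
    Auth Context ID: 186703
    Sign algorithm: HMAC-MD5 (0x0077)
    Seal algorithm: RC4 (0x007a)

    Auth Info: NETLOGON Secure Channel, Packet privacy, AuthContextId(186703)
    Auth Context ID: 186703
    Sign algorithm: HMAC-MD5 (0x0077)
    Seal algorithm: RC4 (0x007a)

    Auth Context ID: 186704
    Sign algorithm: HMAC-SHA256 (0x0013)
    Seal algorithm: AES-CFB8 (0x001a)
""")

if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE):
        print(finding)
```

Feed it the pasted verifier blocks from a capture on the ISE node (or the text export of a Netlogon filter in Wireshark); any "LEGACY" line is a session that a domain controller configured to reject RC4 secure channels will no longer accept, so the ISE side has to be switched to the AES verifier before that enforcement date rather than after.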
 