RE: [WIRELESS-LAN] Cisco ISE 2.0 Warning

2015-12-03 Thread Jeff Obrizok
Thanks for the intel.  I was told to wait for ISE 2.0 Patch 1 (which
will now be patch 2, because of that emergency patch).

Any other issues you are experiencing?  Did you get the TACACS license
for it?

Thanks,

Jeff Obrizok
Marist College


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] Cisco ISE 2.0 Warning

2015-12-03 Thread Ciesinski, Nick
Jeff,

I have run into a bunch of other issues; I would say none are service-impacting 
like the ones I mentioned earlier.  The rumor I heard is the second issue about 
ciphers will be resolved in patch 2, and the plan is they will add the old 
ciphers back in as they work through a long-term plan.  Some of the other 
issues I have seen are: license usage counts are all messed up (it isn't 
acknowledging the accounting stop); some high load alarms on monitoring nodes 
(seems to be fixed with TAC making some changes on the Oracle setup on the 
boxes); and sometimes the live log screen is slow to load (still working 
through this one).

We did get the TACACS license and plan to start working on the migration of 
TACACS stuff from our ACS deployment.  Working through the issues put TACACS in 
the backseat for a little bit.

Nick




Cisco ISE 2.0 Warning

2015-12-01 Thread Ciesinski, Nick
For those of you who are using the Cisco Identity Service Engine (ISE) product, 
I wanted to provide some warnings to anyone thinking about moving to the 2.0 
release.  There are several EAP device connectivity issues that could impact 
your site.

First, when ISE 2.0 was released it added support for TLS 1.2 in EAP messages.  
Somehow, with all the summer news from Google about them adding TLS 1.2 in 
Android 6.0 (Marshmallow), Cisco missed testing Android 6.0 before the ISE 2.0 
release, and as such Android 6.0 clients couldn’t connect.  To make matters 
worse, the big Windows 10 November update either added or modified its EAP TLS 
1.2 support, and machines that upgraded had the same fate as the Android 6.0 
clients: not able to connect.  The good news is Cisco released a patch last 
week for ISE 2.0 to fix the TLS 1.2 problems for these devices, so make sure 
you install that patch right away; it is the only thing the patch fixes.  The 
Cisco bug on this issue is CSCuw88770.

In addition to the issues with Android 6.0 and Windows 10, ISE 2.0 removed all 
legacy RC4 and DES ciphers.  This causes issues with any device that does not 
support newer, more secure ciphers in its EAP messages.  The devices will not 
be able to connect with any EAP method, as they can’t complete the handshake.  
In our testing this impacted all Cisco Wireless 792X phones in addition to some 
Windows Point of Sale Embedded OS machines.  For the Windows POS devices we 
were able to find an update from Microsoft to add newer cipher support.  I am 
sure there are more devices than these that will have issues, but these are the 
devices we found in testing.  This issue is not fixed yet.  The Cisco bug on 
this issue is CSCux27365.

Hope this helps anyone thinking about going to ISE 2.0!

Nick Ciesinski
University of Wisconsin - Whitewater


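The two failure modes Nick describes (a server that mishandles TLS 1.2 ClientHellos, and a server that no longer offers the RC4/DES suites some clients depend on) come down to the same negotiation step. The following is an added example, not code from the thread or from Cisco: a toy model of that step, used to pre-flight a client inventory against an ISE 2.0-style cipher policy before upgrading. The server profiles, version limits and per-device cipher lists are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed cipher lists: legacy suites ISE 2.0 dropped, and suites it keeps.
LEGACY = ("TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_DES_CBC_SHA")
MODERN = ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA")

@dataclass(frozen=True)
class ServerProfile:
    name: str
    max_tls: tuple           # highest TLS version the server negotiates
    ciphers: frozenset       # cipher suites still enabled on the server
    tls12_bug: bool = False  # stand-in for the unpatched ISE 2.0 TLS 1.2 defect

@dataclass(frozen=True)
class ClientHello:
    device: str
    max_tls: tuple
    ciphers: tuple           # offered suites, in client preference order

def negotiate(server, hello):
    """Return (True, chosen_cipher) or (False, reason the handshake fails)."""
    version = min(server.max_tls, hello.max_tls)
    if server.tls12_bug and version >= (1, 2):
        return False, "server mishandles TLS 1.2 ClientHello (unpatched)"
    # Simplification: take the first client-preferred suite the server allows.
    common = [c for c in hello.ciphers if c in server.ciphers]
    if not common:
        return False, "no common cipher suite; client offers only " + ", ".join(hello.ciphers)
    return True, common[0]

def preflight(server, hellos):
    """Map each device to its negotiation outcome against one server profile."""
    return {h.device: negotiate(server, h) for h in hellos}

# Constructed server profiles; pre-2.0 is assumed to stop at TLS 1.0 and keep RC4/DES.
ISE_1X = ServerProfile("ISE 1.x", (1, 0), frozenset(LEGACY + MODERN))
ISE_20_UNPATCHED = ServerProfile("ISE 2.0", (1, 2), frozenset(MODERN), tls12_bug=True)
ISE_20_PATCHED = ServerProfile("ISE 2.0 + TLS fix", (1, 2), frozenset(MODERN))

# Constructed ClientHellos modelled on the devices named in the thread.
CLIENTS = [
    ClientHello("Android 6.0", (1, 2), MODERN),
    ClientHello("Windows 10 (Nov update)", (1, 2), MODERN),
    ClientHello("Cisco 792X phone", (1, 0), LEGACY),
    ClientHello("Windows POS (before update)", (1, 0), LEGACY),
    ClientHello("Windows POS (after update)", (1, 0), MODERN + LEGACY),
]

if __name__ == "__main__":
    for profile in (ISE_1X, ISE_20_UNPATCHED, ISE_20_PATCHED):
        for device, (ok, detail) in preflight(profile, CLIENTS).items():
            print(f"{profile.name:18} {device:28} {'OK  ' if ok else 'FAIL'} {detail}")
```

Running it shows the patch restores the TLS 1.2 clients but leaves the RC4/DES-only devices failing, which is the state Nick reports as of CSCux27365; swapping in your own inventory of offered suites gives a pre-upgrade list of devices to remediate.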