Field Notice: FN - 70357 - Cisco Identity Services Engine Fails to Authenticate Endpoints When Using EAP-FAST with TLS 1.2 - Software Upgrade Recommended

Available Languages

Updated:April 15, 2019

Document ID:FN70357

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	10-Jan-19	Initial Release
1.1	12-Apr-19	Updated the Problem Description and Problem Symptom Sections
1.2	15-Apr-19	Updated the Workaround/Solution Section

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
NON-IOS	Identity Services Engine System Software	2	2.0, 2.0.1, 2.1.0, 2.2.0, 2.3.0, 2.4.0	ISE 2.0 & 2.0.1 - up to and including Patch 7 ISE 2.1 - up to and including Patch 7 ISE 2.2 - up to and including Patch 12 ISE 2.3 - up to and including Patch 5 ISE 2.4 - up to and including Patch 4

Defect Information

Defect ID	Headline
CSCvm03681	EAP-FAST doesn't support correct key generation in TLS 1.2

Problem Description

Cisco Identity Services Engine (ISE) fails to authenticate endpoint devices when using Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) with Transport Layer Security (TLS) 1.2. This issue occurs with these Cisco products and versions and might occur with other supplicants that add TLS 1.2 support:

Cisco AnyConnect Secure Mobility Client Release 4.7
Cisco IP Phone 8821 Firmware Release 11.0(5)

Background

With EAP-FAST and Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2), the Authenticator/Peer negotiation for Anonymous Protected Access Credential (PAC) provisioning is computed from the pseudo-random function (PRF). For this issue, the PRFs differ and, as a result, the inner MSCHAP authentication will fail with a wrong password error message.

Problem Symptom

When EAP-FAST is used with any affected ISE releases and the supplicant attempts to use TLS 1.2, authentication will fail and endpoints will not have access to the network.

Workaround/Solution

In order to resolve this issue, upgrade the ISE software as shown for these releases:

ISE Release 2.4 Patch 5 or later.
ISE Release 2.3 Patch 6 or later.
ISE Release 2.2 Patch 13 or later.
ISE Release 2.1 Patch 8 or later.
ISE Releases 2.0 and 2.0.1 - It is required to install the Struts2-CVE-2018-11776 PSIRT fix, which can be obtained on Cisco.com from the ISE Software Download page, before you apply the hot patch.

Note: In order to obtain the hot patches for ISE releases 2.0 and 2.0.1, contact the Cisco Technical Assistance Center (TAC). Ensure the ISE software has the latest patch applied before you apply the hot patch.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.