For those of you who are using the Cisco Identity Services Engine (ISE) product, 
I wanted to provide some warnings to anyone thinking about moving to the 2.0 
release.  There are several EAP device connectivity issues that could impact 
your site.

First, when ISE 2.0 was released it added support for TLS 1.2 in EAP messages.  
Somehow, with all the summer news from Google about them adding TLS 1.2 in 
Android 6.0 (Marshmallow), Cisco missed testing Android 6.0 before the ISE 2.0 
release, and as such Android 6.0 clients couldn't connect.  To make matters 
worse, the big Windows 10 November update either added or modified its EAP TLS 
1.2 support, and machines that upgraded had the same fate as the Android 6.0 
clients: not able to connect.  The good news is Cisco released a patch last 
week for ISE 2.0 to fix the TLS 1.2 problems for these devices, so make sure 
you install that patch right away; it is the only thing the patch fixes.  The 
Cisco bug on this issue is CSCuw88770.

In addition to the issues with Android 6.0 and Windows 10, ISE 2.0 removed all 
legacy RC4 and DES ciphers.  This causes issues with any device that does not 
support newer, more secure ciphers in their EAP messages.  The devices will not 
be able to connect with any EAP method as they can't complete the handshake.  
In our testing this impacted all Cisco Wireless 792X phones in addition to some 
Windows Point Of Sale Embedded OS machines.  For the Windows POS devices we 
were able to find an update from Microsoft to add newer cipher support.  I am 
sure there are more devices than this that will have issues, but these are the 
devices we found in testing.  This issue is not fixed yet.  The Cisco bug on 
this issue is CSCux27365.
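The two failure modes described above (a TLS 1.2 handshake the unpatched server 
mishandles, and a client that offers only RC4/DES cipher suites the server has 
dropped) can be checked against a device inventory before an upgrade.  The 
script below is an added example written for this post; it is not Cisco or ISE 
code and does not talk to a RADIUS server.  It models EAP-TLS negotiation as 
version selection plus server-preference cipher-suite selection.  The server 
policies, the client capabilities (including the assumption that a pre-update 
Windows 10 client only offers TLS 1.0) and the way the unpatched 2.0 TLS 1.2 bug 
is modelled (any handshake that lands on TLS 1.2 fails) are all constructed 
assumptions, as are the device names; only the RC4/DES removal and the patch 
come from the post.

```python
"""Pre-upgrade EAP-TLS compatibility preflight (added example, not Cisco/ISE code).

Models two failure modes: a server that mishandles TLS 1.2 handshakes, and a
client whose only cipher suites are legacy RC4/DES ones the server has removed.
All device and policy definitions below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int]  # (1, 2) means TLS 1.2

# Bulk-cipher tokens matched in IANA-style suite names (assumption of this
# example). "DES_CBC" deliberately does not match 3DES ("3DES_EDE_CBC"), whose
# fate the post does not state.
LEGACY_TOKENS = {"RC4": "RC4", "DES_CBC": "single DES"}


def classify_suite(name: str) -> str:
    """Return 'modern' or the legacy bulk cipher the suite depends on."""
    for token, label in LEGACY_TOKENS.items():
        if token in name:
            return label
    return "modern"


@dataclass
class ServerPolicy:
    name: str
    versions: List[Version]      # TLS versions the EAP server negotiates
    suites: List[str]            # server preference order
    tls12_broken: bool = False   # models the unpatched ISE 2.0 bug (assumption)


@dataclass
class Client:
    name: str
    versions: List[Version]
    suites: List[str]


@dataclass
class Outcome:
    ok: bool
    reason: str
    version: Optional[Version] = None
    suite: Optional[str] = None


def negotiate(server: ServerPolicy, client: Client) -> Outcome:
    """Simulate the EAP-TLS handshake and explain why it succeeds or fails."""
    common_versions = set(server.versions) & set(client.versions)
    if not common_versions:
        return Outcome(False, "no common TLS version")
    version = max(common_versions)  # both sides pick the highest shared version
    if version == (1, 2) and server.tls12_broken:
        return Outcome(False, "server mishandles TLS 1.2 EAP handshake (unpatched)", version)
    for suite in server.suites:  # server-preference cipher-suite selection
        if suite in client.suites:
            return Outcome(True, "handshake completes", version, suite)
    # No overlap: distinguish "client is legacy-only" from a plain mismatch.
    modern_offered = [s for s in client.suites if classify_suite(s) == "modern"]
    if not modern_offered:
        blocked = sorted({classify_suite(s) for s in client.suites})
        return Outcome(False, f"client only offers legacy ciphers: {', '.join(blocked)}", version)
    return Outcome(False, "no common cipher suite", version)


def preflight(server: ServerPolicy, clients: List[Client]) -> Dict[str, Outcome]:
    """Run every inventoried client against one server policy."""
    return {c.name: negotiate(server, c) for c in clients}


# Constructed suite lists and policies (not a record of real ISE configuration).
MODERN = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]
LEGACY = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_DES_CBC_SHA"]
ALL_TLS = [(1, 0), (1, 1), (1, 2)]

ISE_20_UNPATCHED = ServerPolicy("ISE 2.0 (no patch)", ALL_TLS, MODERN, tls12_broken=True)
ISE_20_PATCHED = ServerPolicy("ISE 2.0 + CSCuw88770 patch", ALL_TLS, MODERN)
ISE_1X = ServerPolicy("ISE 1.x (legacy ciphers kept, assumed TLS 1.0 only)", [(1, 0)], MODERN + LEGACY)

CLIENTS = [  # capabilities are assumptions for illustration
    Client("Android 6.0", ALL_TLS, MODERN),
    Client("Windows 10 pre-Nov-update", [(1, 0)], MODERN),
    Client("Windows 10 Nov update", ALL_TLS, MODERN),
    Client("Cisco 792X phone", [(1, 0)], LEGACY),
    Client("Windows POS (before MS cipher update)", [(1, 0)], LEGACY),
    Client("Windows POS (after MS cipher update)", [(1, 0)], LEGACY + ["TLS_RSA_WITH_AES_128_CBC_SHA"]),
]


def report(server: ServerPolicy, clients: List[Client] = CLIENTS) -> List[str]:
    """Human-readable one-line verdict per device."""
    lines = [f"== {server.name} =="]
    for name, out in preflight(server, clients).items():
        status = "OK  " if out.ok else "FAIL"
        lines.append(f"{status} {name:40s} {out.reason}" + (f" [{out.suite}]" if out.suite else ""))
    return lines


if __name__ == "__main__":
    for policy in (ISE_1X, ISE_20_UNPATCHED, ISE_20_PATCHED):
        print("\n".join(report(policy)))
```

Replacing the constructed `CLIENTS` list with the TLS versions and cipher 
suites observed in a packet capture of each device class's EAP ClientHello gives 
a quick answer to which devices will stop authenticating after the upgrade and 
which of the two bugs is responsible.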

Hope this helps anyone thinking about going to ISE 2.0!

Nick Ciesinski
University of Wisconsin - Whitewater


**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.