While playing around with the new Cisco Identity Service Engine (ISE) v2.6 (patch2) I stumbled upon a security feature while testing Wireless 802.1x access with an Acer Chromebook (ChromeOS v75.0.3770.144). When connecting to the 802.1x enabled SSID the connection failed, while other devices (Windows 10, Apple iOS and MacOS) connected just fine.
The problem is the client EAP handshake and usually this relates to untrusted server certificates. This happens to me a lot since I use different RADIUS services for my testing SSID’s.
So after clearing the SSID settings (forget) on the Chromebook it should work, but it didn’t.
The logging showed that the EAP handshake failed because the client didn’t offer a suitable cipher to the ISE server.
Turns out that Cisco ISE v2.6 has SHA1 disabled by default, and you need to enable it in:
Administration -> System -> Settings -> Security Settings
With the setting ‘Allow SHA1 Ciphers’, and ‘Allow only TLS_RSA_WITH_AES_128_CBC_SHA’ the Chromebook was able to connect to the 802.1x enabled SSID using old/depricated ciphers.
Now I wonder why the Chromebook still uses SHA1 based ciphers for secure communications, since Google Chrome started to abandon SHA1 as one of the first browsers….
Even installing the ‘Powerwash for added security’ feature in ChromeOS didn’t enable or add stronger ciphers on the Chromebook.