Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to disable the TLS 1.2 Cipher in Aruba ClearPass

  • 1.  How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted 20 days ago

    Hi All,

    Is there any way to disable the ciphers below in ClearPass?

    The ClearPass version: 6.9.13

    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp521r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp521r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp521r1) - A

    Thank you.

    Sri



  • 2.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted 19 days ago

    Why would you want to disable TLS 1.2?

    https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.9.0/Content/SystemRequirements/EndOfSupport.htm




  • 3.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted 19 days ago

    Hi,

    Thank you for your reply. The security team asked us to disable them, as these ciphers are not allowed in the network.

    Regards,

    Sri




  • 4.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted 19 days ago
    Why? What’s wrong with them?




  • 5.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted 19 days ago

    Hi,

    Those are our security requirements.

    Regards,




  • 6.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    EMPLOYEE
    Posted 19 days ago

    Are you sure that you are not mixing this up with SSLv2? That is considered insecure.

    TLSv1.2 is considered strong and its successor TLSv1.3 still has limited support, so disabling TLSv1.2 would probably break a lot of things. Expect WLAN Enterprise authentications (EAP) to fail as those depend on TLSv1.2 for secure operations.

    If you really want to disable TLSv1.2, then you would need to open an Aruba Innovation Zone request through your Aruba Partner as it's not possible to my knowledge.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted 18 days ago

    Why though?  TLS 1.2 isn't broken from an encryption standpoint?  That's like saying we don't want any Windows 11 computers, only Windows 10 and 7.  Maybe time for a new security team?




  • 8.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted 8 days ago

    Sri is not asking to remove TLS 1.2 altogether, but rather to remove certain suites as they are being flagged - particularly RSA. I am running into this same thing now, where vulnerability scans are flagging the ability to negotiate with TLS 1.2 cipher suites including RSA.

    Example:
    Out of all approved TLS 1.2 Ciphers - remove all RSA options. Nowhere was it asked to remove TLS 1.2 entirely.

    List of Approved TLS 1.2 Ciphers

    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

      Hope this clarifies and Sri's company can keep their security staff.
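
Added example, not part of any post in this thread and not Aruba code: a Python check of the scan output from post 1 against the approved list from post 8, reporting which offered suites fall outside it and why. The function names are hypothetical, and the approved set is rebuilt from the list as posted with its duplicate entries collapsed.

```python
import re

# The nmap ssl-enum-ciphers output quoted in post 1 of this thread.
SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp521r1) - A
"""
# Approved list from post 8, rebuilt by key-exchange family (duplicates collapsed).
_EC = ("AES_128_GCM_SHA256 AES_256_GCM_SHA384 AES_128_CBC_SHA256 "
       "AES_256_CBC_SHA384 CHACHA20_POLY1305_SHA256 CHACHA20_POLY1305").split()
_DHE = ("AES_128_GCM_SHA256 AES_256_GCM_SHA384 AES_128_CBC_SHA "
        "AES_256_CBC_SHA AES_128_CBC_SHA256 AES_256_CBC_SHA256").split()
APPROVED = ({f"TLS_{kx}_WITH_{c}" for kx in ("ECDHE_ECDSA", "ECDHE_RSA") for c in _EC}
            | {f"TLS_DHE_RSA_WITH_{c}" for c in _DHE})
LINE = re.compile(r"^\|\s+(TLS_\w+) \(([^)]*)\) - ([A-F])\s*$")

def parse(scan):
    """Return [(suite, key_exchange_param, grade)] from ssl-enum-ciphers text."""
    return [m.groups() for m in map(LINE.match, scan.splitlines()) if m]

def reason(suite):
    """Explain, from the suite name alone, why it is outside the approved list."""
    kx = suite[4:].split("_WITH_")[0]   # e.g. "RSA" or "ECDHE_RSA"
    if kx == "RSA":
        return "static RSA key exchange (no forward secrecy)"
    return "not on approved list"

def audit(scan):
    """Map every offered suite that is not approved to the reason."""
    return {s: reason(s) for s, _, _ in parse(scan) if s not in APPROVED}

if __name__ == "__main__":
    for suite, why in audit(SCAN).items():
        print(f"{suite}: {why}")
```

Besides the six `TLS_RSA_*` suites, the two `TLS_ECDHE_RSA_WITH_AES_*_CBC_SHA` suites offered by the server are also absent from the approved list as posted.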



  • 9.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted 7 days ago

    Hi All,

    Finally I got an update from TAC saying that we cannot disable the ciphers, because that feature is yet to be introduced in CPPM versions.

    Thank you all for your valuable suggestions and replies.

    Regards,

    Sri