Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to disable the TLS 1.2 Cipher in Aruba ClearPass

  • 1.  How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted Nov 08, 2023 03:55 AM

    Hi All,

    Is there any way to disable the ciphers below in ClearPass?

    The ClearPass version: 6.9.13

    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp521r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp521r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp521r1) - A

    Thank you.

    Sri



  • 2.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted Nov 08, 2023 08:50 AM

    Why would you want to disable TLS 1.2?

    https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.9.0/Content/SystemRequirements/EndOfSupport.htm




  • 3.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted Nov 08, 2023 08:11 PM

    Hi,

    Thank you for your reply. The security team asked us to disable them, as these ciphers are not allowed in the network.

    Regards,

    Sri




  • 4.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted Nov 08, 2023 10:04 PM
    Why? What’s wrong with them?




  • 5.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted Nov 08, 2023 10:11 PM

    Hi,

    Those are our security requirements.

    Regards,




  • 6.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted Nov 09, 2023 02:58 AM

    Are you sure that you are not mixing this up with SSLv2? That is considered insecure.

    TLSv1.2 is considered strong and its successor TLSv1.3 still has limited support, so disabling TLSv1.2 would probably break a lot of things. Expect WLAN Enterprise authentications (EAP) to fail as those depend on TLSv1.2 for secure operations.

    If you really want to disable TLSv1.2, then you would need to open an Aruba Innovation Zone request through your Aruba Partner as it's not possible to my knowledge.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted Nov 09, 2023 06:55 AM

    Why though?  TLS 1.2 isn't broken from an encryption standpoint?  That's like saying we don't want any Windows 11 computers, only Windows 10 and 7.  Maybe time for a new security team?




  • 8.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted Nov 19, 2023 08:56 PM

    Sri is not asking to remove TLS 1.2 altogether, but rather to remove certain suites as they are being flagged, particularly RSA. I am running into this same thing now where vulnerability scans are flagging the ability to negotiate with TLS 1.2 cipher suites including RSA.

    Example:
    Out of all approved TLS 1.2 ciphers, remove all RSA options. Nowhere was it asked to remove TLS 1.2 entirely.

    List of Approved TLS 1.2 Ciphers

    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

      Hope this clarifies and Sri's company can keep their security staff.
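
Added example, not part of the original thread: a Python check that parses the `ssl-enum-ciphers` output from the first post and reports which offered suites are missing from the approved list in the post above, tagged with the key exchange read from the suite name. The function names and the `RSA-static` label are assumptions of this example.

```python
import re

# nmap ssl-enum-ciphers output as posted in the first message of the thread.
SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp521r1) - A
"""

# Approved list from reply 8; entries repeated in the post collapse in the set.
APPROVED = set("""
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
""".split())

def parse_scan(text):
    """Return [(protocol, suite), ...] from ssl-enum-ciphers output."""
    found, proto = [], None
    for line in text.splitlines():
        if m := re.match(r"\|\s+((?:SSL|TLS)v[\d.]+):", line):
            proto = m.group(1)          # protocol header, e.g. "TLSv1.2"
        elif m := re.match(r"\|\s+(TLS_\w+) \(", line):
            found.append((proto, m.group(1)))
    return found

def key_exchange(suite):
    kx = suite[4:].split("_WITH_")[0]   # "ECDHE_RSA", or "RSA" for static RSA
    return "RSA-static" if kx == "RSA" else kx.split("_")[0]

def audit(text, approved=APPROVED):
    """Offered suites that are not on the approved list, with key exchange."""
    return [(p, s, key_exchange(s)) for p, s in parse_scan(text) if s not in approved]
```

Calling `audit(SCAN)` returns the offered suites that are not on the approved list; each tuple is (protocol, suite, key exchange).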



  • 9.  RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass

    Posted Nov 20, 2023 10:04 PM

    Hi All,

    Finally I got an update from TAC, saying that we cannot disable the ciphers because that feature is yet to be introduced in CPPM versions.

    Thank you all for your valuable suggestions and reply.

    Regards,

    Sri