Dear Intel
We are experimenting with 802.1X wired LAN authentication. The Cisco ISE will authenticate using a certificate from our CA and EAP-TLS protocol.
The certificate template is configured for SHA256 and the issued certificate in AMT (can be viewed using MeshCommander) is SHA256.
But authentication fails logging "Client didn't provide suitable ciphers". Authentication works if we enable SHA1-ciphers on the ISE, choosing AES128-SHA as TLSCipher. But obviously we do not want to enable insecure SHA1 ciphers.
The client has FW 11.8.79.
Is SHA1 really required to use 802.1X for AMT? Does a newer firmware support secure ciphers? Will it make a difference to use Intel EMA instead of Intel SCS for provisioning?
Thank you
Jasmin
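Added example, not part of any post in this thread: to check which cipher suites a given firmware actually offers, parse the list out of the supplicant's ClientHello taken from a capture of the EAP-TLS exchange. It assumes the raw TLS record has already been extracted from the EAP-TLS payload; the function names and sample messages are constructed for illustration, not captured from AMT. The hash in a suite name is the MAC or PRF hash, which is independent of the certificate's SHA256 signature.

```python
import struct

# Subset of IANA cipher suite IDs -> (name, hash used for the MAC or PRF).
SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "SHA1"),  # OpenSSL: AES128-SHA
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "SHA1"),
    0x003C: ("TLS_RSA_WITH_AES_128_CBC_SHA256", "SHA256"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "SHA256"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "SHA1"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "SHA256"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "SHA384"),
}

def offered_suites(record: bytes) -> list:
    """Return the cipher suite IDs from a TLS record holding one ClientHello."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) < rec_len or len(body) < 41:
        raise ValueError("not a complete TLS handshake record")
    if body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    pos = 4 + 2 + 32            # handshake header, client_version, random
    pos += 1 + body[pos]        # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack_from("!H", body, i)[0] for i in range(pos, pos + cs_len, 2)]

def report(record: bytes) -> dict:
    """Name the offered suites and flag a client that offers only SHA-1 suites."""
    rows = [SUITES.get(i, (f"0x{i:04X}", "unknown")) for i in offered_suites(record)]
    hashes = {h for _, h in rows if h != "unknown"}
    return {"suites": [n for n, _ in rows], "sha1_only": hashes == {"SHA1"}}

def sample_hello(ids) -> bytes:
    """Constructed TLS 1.2 ClientHello: zero random, no session ID, no extensions."""
    cs = b"".join(struct.pack("!H", i) for i in ids)
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for ids in ([0x002F, 0x0035], [0xC02F, 0x009C, 0x002F]):  # constructed lists
        print(report(sample_hello(ids)))
```

A client flagged `sha1_only` can only complete EAP-TLS against a server that still accepts a SHA-1 suite such as AES128-SHA, which matches the "Client didn't provide suitable ciphers" failure described above.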
Hello JRüeg,
Thank you for patiently waiting for our response.
We were able to verify some details with our development team and we have identified that AMT 11.8 specifically does not offer all EAP-TLS ciphers. The good news is that the Intel development team is scoping the inclusion of the ciphers now. Unfortunately, we do not know Lenovo’s product plans to update AMT 11.8; the update must come from the OEM after they have released it from validation. Please work with Lenovo to understand their roadmap for releasing the update for this specific product.
Regards,
Victor G.
Intel Technical Support Technician
Hello JRüeg,
Thank you for posting on the Intel® communities.
Please let me review this information internally, and kindly wait for an update.
Once we have more information to share, we will post it on this thread.
Regards,
Victor G.
Intel Technical Support Technician
Hello JRüeg,
Thank you for your patience.
In this case, you will need to update your AMT version to the latest available firmware and then you can try again; this should allow you to disable SHA1 ciphers in ISE.
Additionally, in regard to your question “Will it make a difference to use Intel EMA instead of Intel SCS for provisioning?”: we wouldn’t be able to recommend Intel SCS provisioning, since the software will be reaching its end-of-life status later this year; however, provisioning with EMA won’t change the available cipher suites for AMT 11. Therefore, the best way to handle this is by updating the firmware.
Regards,
Victor G.
Intel Technical Support Technician
The newest firmware available for this Lenovo T470 is 11.8.90.3987 and it apparently doesn't support newer ciphers. But the newer T14 Gen1 model worked with a SHA256 cipher. Do you know what FW is required?
Hello JRüeg,
Thank you for your reply. In this case, we recommend that you contact Lenovo so they can provide the correct firmware to use. Please let us know if there is anything else that we can do for you.
Regards,
Paul R.
Intel Technical Support Technician
Which firmware version supports the newer ciphers?
Hello JRüeg,
Thank you for your response.
Please let me review this information internally, and kindly wait for an update.
Once we have more information to share we will post it on this thread.
Regards,
Victor G.
Intel Technical Support Technician
Hi Victor G.
Were you able to identify the fw version necessary for sha256 ciphers for dot1x?
With 12.0.68 it used a SHA1 cipher; after updating to 12.0.85 it used a SHA256. Is there an update for each major release or will each version >= 12.0.85 work?