Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

802.1x Cipher

JRüeg
New Contributor I
4,919 Views

Dear Intel

We are experimenting with 802.1X wired lan authentication. The Cisco ISE will authenticate using a certificate from our CA and EAP-TLS protocol.

The certificate template is configured for SHA256 and the issued certificate in AMT (can be viewed using MeshCommander) is SHA256.

But authentication fails logging "Client didn't provide suitable ciphers". Authentication works if we enable SHA1-ciphers on the ISE, choosing AES128-SHA as TLSCipher. But obviously we do not want to enable insecure SHA1 ciphers. 

The client has FW 11.8.79.

Is SHA1 really required to use 802.1X for AMT? Does a newer firmware support secure ciphers? Will it make a difference to use Intel EMA instead of Intel SCS for provisioning?

Thank you

Jasmin

0 Kudos
1 Solution
Victor_G_Intel
Employee
4,568 Views

Hello JRüeg,


Thank you for patiently waiting for our response.


We were able to verify some details with our development team and we have identified that AMT 11.8 specifically does not offer all EAP-TLS ciphers. The good news is that the Intel development team is scoping the inclusion of the ciphers now. Unfortunately, we do not know Lenovo’s product plans to update AMT 11.8, the update must come from the OEM after they have released it from validation. Please work with Lenovo to understand their roadmap for releasing the update for this specific product. 


Regards,


Victor G.

Intel Technical Support Technician


View solution in original post

0 Kudos
8 Replies
Victor_G_Intel
Employee
4,790 Views

Hello JRüeg,

 

Thank you for posting on the Intel® communities.

 

Please let me review this information internally, and kindly wait for an update.

 

Once we have more information to share, we will post it on this thread.

 

Regards,

 

Victor G.

Intel Technical Support Technician  


0 Kudos
Victor_G_Intel
Employee
4,782 Views

Hello JRüeg,

​​

Thank you for your patience.


In this case, you will need to update your AMT version to the latest available firmware and then you can try again, this should allow you to disable SHA1 ciphers in ISE.


Additionally, in regard to your question “Will it make a difference to use Intel EMA instead of Intel SCS for provisioning?” We wouldn’t be able to recommend an Intel SCS provisioning since the software will be reaching its end-of-life status later this year; however, provisioning with EMA won’t change the available cipher suites for AMT 11; therefore, the best way to handle this is by updating the firmware.


Regards,


Victor G.

Intel Technical Support Technician 


0 Kudos
JRüeg
New Contributor I
4,758 Views

The newest firmware available for this Lenovo T470 is 11.8.90.3987 and it apparently doesnt support newer ciphers. But the newer T14 Gen1 model worked with a sha256 cipher. Do you know what FW is required?

0 Kudos
Paul_R_Intel
Moderator
4,726 Views

Hello JRüeg,

​​

Thank you for your reply, in this case, we recommend you to contact Lenovo so they can provide the correct firmware to use. Please let us know if there is anything else that we can do for you.


Regards,


Paul R.

Intel Technical Support Technician 


0 Kudos
JRüeg
New Contributor I
4,687 Views

Which version firmware supports the newer ciphers?

0 Kudos
Victor_G_Intel
Employee
4,671 Views

Hello JRüeg,

 

Thank you for your response.

 

Please let me review this information internally, and kindly wait for an update.

 

Once we have more information to share we will post it on this thread.

 

Regards,

 

Victor G.

Intel Technical Support Technician  


0 Kudos
JRüeg
New Contributor I
4,583 Views

Hi Victor G.

Were you able to identify the fw version necessary for sha256 ciphers for dot1x?

With 12.0.68 it used a SHA1 cipher, after updating to 12.0.85 it used a sha256. Is there an update for each major release or will each version >= 12.0.85 work?

0 Kudos
Victor_G_Intel
Employee
4,569 Views

Hello JRüeg,


Thank you for patiently waiting for our response.


We were able to verify some details with our development team and we have identified that AMT 11.8 specifically does not offer all EAP-TLS ciphers. The good news is that the Intel development team is scoping the inclusion of the ciphers now. Unfortunately, we do not know Lenovo’s product plans to update AMT 11.8, the update must come from the OEM after they have released it from validation. Please work with Lenovo to understand their roadmap for releasing the update for this specific product. 


Regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Reply