Intel vPro® Platform
Intel Manageability Forum (Intel® EMA, AMT & Manageability Commander)

802.1x Cipher

JRüeg
New Contributor I
1,685 Views

Dear Intel

We are experimenting with 802.1X wired lan authentication. The Cisco ISE will authenticate using a certificate from our CA and EAP-TLS protocol.

The certificate template is configured for SHA256 and the issued certificate in AMT (can be viewed using MeshCommander) is SHA256.

But authentication fails logging "Client didn't provide suitable ciphers". Authentication works if we enable SHA1-ciphers on the ISE, choosing AES128-SHA as TLSCipher. But obviously we do not want to enable insecure SHA1 ciphers. 

The client has FW 11.8.79.

Is SHA1 really required to use 802.1X for AMT? Does a newer firmware support secure ciphers? Will it make a difference to use Intel EMA instead of Intel SCS for provisioning?

Thank you

Jasmin

0 Kudos
1 Solution
Victor_G_Intel
Moderator
1,334 Views

Hello JRüeg,


Thank you for patiently waiting for our response.


We were able to verify some details with our development team and we have identified that AMT 11.8 specifically does not offer all EAP-TLS ciphers. The good news is that the Intel development team is scoping the inclusion of the ciphers now. Unfortunately, we do not know Lenovo’s product plans to update AMT 11.8, the update must come from the OEM after they have released it from validation. Please work with Lenovo to understand their roadmap for releasing the update for this specific product. 


Regards,


Victor G.

Intel Technical Support Technician


View solution in original post

8 Replies
Victor_G_Intel
Moderator
1,556 Views

Hello JRüeg,

 

Thank you for posting on the Intel® communities.

 

Please let me review this information internally, and kindly wait for an update.

 

Once we have more information to share, we will post it on this thread.

 

Regards,

 

Victor G.

Intel Technical Support Technician  


Victor_G_Intel
Moderator
1,548 Views

Hello JRüeg,

​​

Thank you for your patience.


In this case, you will need to update your AMT version to the latest available firmware and then you can try again, this should allow you to disable SHA1 ciphers in ISE.


Additionally, in regard to your question “Will it make a difference to use Intel EMA instead of Intel SCS for provisioning?” We wouldn’t be able to recommend an Intel SCS provisioning since the software will be reaching its end-of-life status later this year; however, provisioning with EMA won’t change the available cipher suites for AMT 11; therefore, the best way to handle this is by updating the firmware.


Regards,


Victor G.

Intel Technical Support Technician 


JRüeg
New Contributor I
1,524 Views

The newest firmware available for this Lenovo T470 is 11.8.90.3987 and it apparently doesnt support newer ciphers. But the newer T14 Gen1 model worked with a sha256 cipher. Do you know what FW is required?

Paul_R_Intel
Moderator
1,492 Views

Hello JRüeg,

​​

Thank you for your reply, in this case, we recommend you to contact Lenovo so they can provide the correct firmware to use. Please let us know if there is anything else that we can do for you.


Regards,


Paul R.

Intel Technical Support Technician 


JRüeg
New Contributor I
1,453 Views

Which version firmware supports the newer ciphers?

Victor_G_Intel
Moderator
1,437 Views

Hello JRüeg,

 

Thank you for your response.

 

Please let me review this information internally, and kindly wait for an update.

 

Once we have more information to share we will post it on this thread.

 

Regards,

 

Victor G.

Intel Technical Support Technician  


JRüeg
New Contributor I
1,349 Views

Hi Victor G.

Were you able to identify the fw version necessary for sha256 ciphers for dot1x?

With 12.0.68 it used a SHA1 cipher, after updating to 12.0.85 it used a sha256. Is there an update for each major release or will each version >= 12.0.85 work?

Victor_G_Intel
Moderator
1,335 Views

Hello JRüeg,


Thank you for patiently waiting for our response.


We were able to verify some details with our development team and we have identified that AMT 11.8 specifically does not offer all EAP-TLS ciphers. The good news is that the Intel development team is scoping the inclusion of the ciphers now. Unfortunately, we do not know Lenovo’s product plans to update AMT 11.8, the update must come from the OEM after they have released it from validation. Please work with Lenovo to understand their roadmap for releasing the update for this specific product. 


Regards,


Victor G.

Intel Technical Support Technician


Reply