topic Re: Cisco ISE 2.1 - TLS 1.2 in Network Access Control

Cisco ISE 2.1 - TLS 1.2

PedroDias1994 — Tue, 14 Apr 2020 10:19:26 GMT

Hi,

I have Cisco ISE 2.1 implemented and after I ran a vulnerability scan, I found that ISE is using TLS 1.0 and TLS 1.1. I pretend to disable both and enable TLS 1.2, but before I proceed, I have a few questions:

1. Is TLS 1.2 supported on Cisco ISE 2.1?

2. If yes, can I only have TLS 1.2 running?

3. To enable TLS 1.2, I only need to uncheck 'Allow TLS 1.0' and 'Allow TLS 1.1' on Administration > System > Settings > Security Settings?

Thank you for your help 🙂

Re: Cisco ISE 2.1 - TLS 1.2

Mark Elsen — Tue, 14 Apr 2020 10:23:53 GMT

- From the 2.1 Release Notes it seems that TLS 1.2 is supported :

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/release_notes/ise21_rn.html#pgfId-627732

Re: Cisco ISE 2.1 - TLS 1.2

Mike.Cifelli — Tue, 14 Apr 2020 12:12:25 GMT

Adding additional info:
Not sure what types of hosts you manage in your environment, but this may potentially help you if you face issues once making changes:

Change tls version on windows host:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13

TLS version DWORD value
TLS 1.0 0xC0
TLS 1.1 0x300
TLS 1.2 0xC00

https://support.microsoft.com/en-us/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment. HTH!

Re: Cisco ISE 2.1 - TLS 1.2

PedroDias1994 — Tue, 14 Apr 2020 12:54:47 GMT

And it is possible to run TLS 1.2 with TLS 1.0 and TLS 1.1 disabled?

I can't find this information anywhere...

Re: Cisco ISE 2.1 - TLS 1.2

Mark Elsen — Tue, 14 Apr 2020 12:56:47 GMT

Yes ,

Re: Cisco ISE 2.1 - TLS 1.2

PedroDias1994 — Tue, 14 Apr 2020 12:57:41 GMT

Thank you for the information!

We have Windows 10 devices in our tech park, so it is good to know 🙂

Re: Cisco ISE 2.1 - TLS 1.2

Greg Gibbs — Wed, 15 Apr 2020 00:11:08 GMT

Another important thing to note before disabling TLS 1.0 and 1.1 support in ISE... as noted in the Security Settings section in ISE, disabling support for those legacy TLS ciphers affects the following functions:

Cisco ISE is configured as EAP server
Cisco ISE downloads CRL from HTTPS or secure LDAP server
Cisco ISE is configured as secure syslog client
Cisco ISE is configured as secure LDAP client

If you use any of these functions and the associated systems use legacy TLS ciphers, disabling the legacy TLS cipher support in ISE will break them.

I have seen this first-hand with a customer that decided to disable support for legacy ciphers (TLS 1.1, SHA-1, etc) before verifying that their external systems (like the CA that signed their client certificates) did not use them. Disabling the legacy ciphers in ISE resulted in mass outages due to their 802.1x client authentication failing.

Re: Cisco ISE 2.1 - TLS 1.2

pnowikow — Tue, 09 Feb 2021 18:31:36 GMT

@Greg Gibbs Is rolling back as simple as enabling the TLS 1.0 and 1.1 check boxes again? I keep getting EAP(PEAP) issues on my Win10 machines since update 1909 where MS monkeyed with 802.1x again. I'm using the reg key to force TLS 1.2 that Mike referenced to get some of them working but it's not consistent. Would disabling TLS 1.0/1.1 force ISE to use 1.2 and in combination with that reg key solve my issue? We use AD for LDAP and a publicly signed CA multi-use cert.