topic Re: ISE integrated with AD, if disable TLS1.0 on ISE , won't affect the communication, right? in Network Access Control

ISE integrated with AD, if disable TLS1.0 on ISE , won't affect the communication, right?

Herman2018 — Tue, 04 Aug 2020 09:28:38 GMT

Hi , ISE is integrated with AD and used for authentication users and device access admin, normally it use TLS 1.2 for the communication between ISE2.4 and AD 2016, right? anyone can please advise, thanks.

Re: ISE integrated with AD, if disable TLS1.0 on ISE , won't affect the communication, right?

Mohammed al Baqari — Tue, 04 Aug 2020 10:10:40 GMT

Hi, no it should not have a problem

Re: ISE integrated with AD, if disable TLS1.0 on ISE , won't affect the communication, right?

Herman2018 — Thu, 06 Aug 2020 07:13:20 GMT

Thanks @Mohammed al Baqari . I also don't think it will be an issue, just try to get advice from expert.

Re: ISE integrated with AD, if disable TLS1.0 on ISE , won't affect the communication, right?

Mohammed al Baqari — Thu, 06 Aug 2020 07:55:05 GMT

Good 🙂 Just remember to rate useful posts

Re: ISE integrated with AD, if disable TLS1.0 on ISE , won't affect the communication, right?

Greg Gibbs — Thu, 06 Aug 2020 08:03:56 GMT

You should be very cautious about disabling it in production without prior testing. I had a customer disable TLS 1.0 support and it immediately broke EAP-TLS machine authentication used by all of their clients.

They immediately re-enabled it to regain connectivity so we're not sure whether they were still using TLS 1.0 for their CRL or something else that was causing a problem. You should test this in a non-production environment that mirrors your production environment first if possible or at least perform extensive testing after disabling it and be prepared to rollback the change.

Re: ISE integrated with AD, if disable TLS1.0 on ISE , won't affect the communication, right?

Herman2018 — Thu, 06 Aug 2020 08:56:59 GMT

Thanks @Greg Gibbs . Can you advise when your customer encountered the issue? For recently mobile devices all can support TLS1.2, the server also.

Re: ISE integrated with AD, if disable TLS1.0 on ISE , won't affect the communication, right?

Greg Gibbs — Thu, 06 Aug 2020 23:02:18 GMT

As I said, it happened immediately after disabling TLS 1.0 in ISE. The next Windows PC that needed to authenticate using EAP-TLS failed.

If you disable TLS 1.0, you should do it in a change window and be sure to test any features you are using that are indicated as affected in the information bubble next to this setting in ISE (EAP, CRL, TCP Syslog, REST API, etc).