topic Re: Cisco ISE-PIC: How to Disable TLS 1.0 (and possibly TLS 1.1)? in Network Access Control

Cisco ISE-PIC: How to Disable TLS 1.0 (and possibly TLS 1.1)?

Brandon1 — Wed, 10 Mar 2021 19:31:45 GMT

I have recently introduced Cisco ISE-PIC 2.7 into my infrastructure for the sole purpose of providing user identity management for Firepower access control. This is because the Firepower User Agent is no longer supported and ISE-PIC is now a requirement.

My vulnerability management solutions (Nessus/Tenable) is scanning the ISE-PIC host and reporting the use of TLS 1.0. I need to figure out how to disable this and ideally only allow TLS 1.2 for any possible connection. I have been thoroughly through the web GUI and CLI and have found no means to resolve this. My "Google" skills have also failed me. The six open TCP ports that accept TLS 1.0 connections all appear to be Java related.

Does anyone have any knowledge on how to accomplish this task?

I am providing the six open ports accepting TLS 1.0 and the process information for each as retrieved from the ISE-PIC CLI

Nessus reports TCP 9095

Process : java (1805)
tcp: :::9095, :::8095

iseadmi+ 1805 ? 1 Mon Jan 18 15:02:44 2021 /opt/CSCOcpm/jre/bin/java - 05:49:42

Nessus reports TCP 8443
Nessus reports TCP 8444
Nessus reports TCP 8445
Nessus reports TCP 8910

Process : jsvc.exec (26698)
tcp: 127.0.0.1:8888, :::9061, :::9063, :::8905, :::8009, :::5514, :::9002, :::1099, :::2030, :::8910, :::8911, :::80, :::2035, :::9080, 10.0.0.60:8443, :::443, 10.0.0.60:8444, 10.0.0.60:8445, :::9085, :::29249, :::9090, 127.0.0.1:2020, :::9060
udp: 0.0.0.2:56564, 10.0.0.60:15648, 169.254.2.1:25735, 169.254.0.228:17931, 0.0.0.0:28750, 169.254.2.1:28972, 0.0.0.0:53916, 10.0.0.60:62150, 169.254.0.228:54512, :::33453, :::10335, :::44664, :::29927

iseadmi+ 26698 ? 26697 Mon Jan 18 15:00:50 2021 jsvc.exec -java-home /opt/C 1-04:59:43

Nessus reports TCP 9094

Process : java (968)
tcp: :::9094, :::8092

iseadmi+ 968 ? 1 Mon Jan 18 15:02:39 2021 /opt/CSCOcpm/jre/bin/java - 05:32:15

Re: Cisco ISE-PIC: How to Disable TLS 1.0 (and possibly TLS 1.1)?

Marcelo Morais — Thu, 11 Mar 2021 02:21:16 GMT

Hi @Brandon1 ,

please take a look at: CSCvv02086 Add ability to disable TLS 1.0 and 1.1 on ISE PIC node.

Last Modified: Feb 9,2021
Status: Open
Severity: 6 Enhancement
Known Affected Releases: 2.4(0.357), 2.6(0.156), 2.7(0.356)

Hope this helps !!!

Re: Cisco ISE-PIC: How to Disable TLS 1.0 (and possibly TLS 1.1)?

Brandon1 — Thu, 11 Mar 2021 14:43:45 GMT

Marcelo,

Thank you very much for the reply! I did come across this at some point but didn't and still don't want to believe that such a premier organization as Cisco and a foundational platform that has a core function of supporting security, such as ISE (although it is the PIC branch, I believe it to run on the same platform because it notifies me that simply upgrading with a new license will unlock the full ISE features), lacks the means to disable a 20+ year old security protocol that has been depreciated.

I'm sure the proper response from me would be to open a TAC case and let that process play out, but Cisco TAC is not what it once was. I just recently had a TAC case close that had been open roughly a year, with most of my cases being 3 - 6 months old prior to closing ( and sometimes not resolved). I understand it's partially related to the relatively young age of the Firepower platform and new bugs, I accepted that concept when adopting the platform. But what does that say when someone wants to avoid using a support asset they pay a bill for...

Anyways, I am hoping someone knows of an non-documented method of turning off TLS 1.0/1.1 for the processes I listed.

Thanks,

Brandon

Re: Cisco ISE-PIC: How to Disable TLS 1.0 (and possibly TLS 1.1)?

thomas — Sat, 13 Mar 2021 20:23:40 GMT

Regular ISE offers the ability to disable TLS 1.0 if you decide that is your best path forward.

Re: Cisco ISE-PIC: How to Disable TLS 1.0 (and possibly TLS 1.1)?

Brandon1 — Tue, 13 Apr 2021 19:21:31 GMT

Thomas,

Thank you for your response. However, I would prefer not to purchase the full ISE platform for the sole purpose of fixing a security weakness in an already purchased (required to use for user based access control after Firepower User Agent was discontinued) product that has a core function of assisting with security.

Not sure how your response and the previous from Marcelo got selected as the solution to my question, but I went ahead and fixed that. For note, the only solution to my question would involve the ability to disable TLS 1.0 (and TLS 1.1) in ISE-PIC 2.7+.

Have a great day!

Brandon