topic Re: Cisco ISE 3.X and TLS 1.2 in Network Access Control

Cisco ISE 3.X and TLS 1.2

brazju — Thu, 17 Nov 2022 16:49:05 GMT

Due to a vulnerability scan, I am tasked with upgrading the TLS version on multiple hosts, one being ISE. Does ISE 3.1 support TLS version 1.2 or 1.3? I can see in the security setting in ISE I am only given the options to allow TLS 1.0 and TLS 1.1

This is all new to me so bear with me 🙂

Re: Cisco ISE 3.X and TLS 1.2

Milos_Jovanovic — Thu, 17 Nov 2022 20:18:44 GMT

Hi @brazju,

Starting from ISE v2.x (I believe even from 1.x), there is a support for TLSv1.2. With newer releases (e.g. v3.x) TLSv1.2 is default version. You can enable older protocols, if you need to do so (thus options for v1.1 and 1.0), but, if you want to use v1.2, you actually don't need to do anything.

What you should strive for is applying latest patch for your system, because these patches, quite often, are fixing security vulnerabilities as well, next to fixing bugs.

Kind regards,

Milos

Re: Cisco ISE 3.X and TLS 1.2

kakada Atada — Thu, 19 Oct 2023 06:46:05 GMT

All the Nodes require reboot after you disabled TLS v 1.0 and 1.1 on ISE GUI?

Re: Cisco ISE 3.X and TLS 1.2

kakada Atada — Thu, 19 Oct 2023 07:03:44 GMT

All the Nodes require reboot after you disabled TLS v 1.0 and 1.1 on ISE GUI?

Re: Cisco ISE 3.X and TLS 1.2

Greg Gibbs — Thu, 19 Oct 2023 21:01:50 GMT

Yes, when changing TLS settings, you will see this message.

You should ensure that all of your infrastructure also uses TLS 1.2 as well. I had a customer disable TLS 1.1 and immediately had endpoints that could no longer authenticate.

Re: Cisco ISE 3.X and TLS 1.2

kakada Atada — Fri, 20 Oct 2023 03:46:47 GMT

Dear @Greg Gibbs

Thanks for your update.

If we found endpoints are using TLS v 1.2 it will be working, still authentication?

How to resolve if some endpoint still TLS 1.0 and 1.1?

Note: if in case we disabled TLS 1.0 and 1.1 on ISE 3.X

thanks,

Re: Cisco ISE 3.X and TLS 1.2

Greg Gibbs — Fri, 20 Oct 2023 04:01:53 GMT

Endpoints supporting and configured to use TLS 1.2 should be fine.

Endpoints that only support (or are configured for) TLS 1.0/1.1 will fail and will need to be tracked down and remediated.

Due to the risks, this change should be made during a scheduled change window that is long enough to test as many different endpoints, flows, and integrated systems as possible.

Re: Cisco ISE 3.X and TLS 1.2

kakada Atada — Fri, 20 Oct 2023 04:07:30 GMT

Dear @Greg Gibbs ,

I am agree with your statement.

How to set up rollback for endpoints contain with TLS 1.0 /1.1?

Require to enable back TLS v 1.0 / 1.1 on ISE 3.x GUI or else?

thanks,

Re: Cisco ISE 3.X and TLS 1.2

Greg Gibbs — Fri, 20 Oct 2023 04:18:42 GMT

Yes. You would either have to fix the endpoints or re-enable the TLS 1.0/1.1 support on ISE (which will require another Application Server restart on all the nodes)

Re: Cisco ISE 3.X and TLS 1.2

BakerDW01 — Wed, 04 Dec 2024 17:17:13 GMT

I know this thread is old but ..
ISE 3.2 patch 5 (will be 7 shortly).
Disabling TLS 1.0 and 1.1 causes a restart.
Do we know if this is all nodes simultaneously?