https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/5084921#M589168 <P>ISE 3.3 Patch 2 now supports TLSv1.3 for Cisco ISE Workflows (and not just for the Admin GUI).</P> Tue, 30 Apr 2024 20:07:47 GMT florian.nolting 2024-04-30T20:07:47Z https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/4940036#M584606 <P>Anyone know when Cisco ISE will start supporting TLSv1.3?&nbsp; I am running ISE 3.2 patch-3 and it seems like TLSv1.2 is the highest it can go:</P><P>nmap --script ssl-enum-ciphers -p 443 isenode1.cisco.com<BR />Starting Nmap 7.80 ( <A href="https://nmap.org" target="_blank">https://nmap.org</A> ) at 2023-10-13 13:10 EDT<BR />Nmap scan report for isenode1 (192.168.1.1)<BR />Host is up (0.00068s latency).</P><P>PORT STATE SERVICE<BR />443/tcp open https<BR />| ssl-enum-ciphers:<BR />| TLSv1.2:<BR />| ciphers:<BR />| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A<BR />| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A<BR />| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A<BR />| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A<BR />| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A<BR />| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A<BR />| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A<BR />| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A<BR />| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A<BR />| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A<BR />| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A<BR />| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A<BR />| compressors:<BR />| NULL<BR />| cipher preference: server<BR />|_ least strength: A</P><P>Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds</P><P>Thoughts?</P><P>&nbsp;</P> Fri, 13 Oct 2023 17:18:40 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/4940036#M584606 adamscottmaster2013 2023-10-13T17:18:40Z https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/4940049#M584607 <P>I heard that ISE 3.3 support TLS 1.3 worth checking release notes and configuration guide.</P> Fri, 13 Oct 2023 17:38:56 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/4940049#M584607 balaji.bandi 2023-10-13T17:38:56Z https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/4940113#M584608 <P>Allow TLS 1.3: Allows TLS 1.3 for administrator HTTPS access over port 443 for:</P><P>Cisco ISE Admin GUI</P><P>APIs enabled for port 443 (Open API, ERS, MnT)</P><P>Note</P><P>&nbsp;<BR />AAA communications and all types of internode communications do not support TLS 1.3.</P><P>Enable TLS 1.3 on Cisco ISE and the relevant clients and servers for admin access over TLS 1.3.</P><P>That's not what I want.&nbsp; Can it support TLSv1.3 for things besides "administration"?</P><P>&nbsp;</P> Fri, 13 Oct 2023 19:45:41 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/4940113#M584608 adamscottmaster2013 2023-10-13T19:45:41Z https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/4940189#M584609 <P>What is documented is all that is currently supported. This type of enhancement requires significant development effort and regression testing, and feature roadmap is not discussed in this public forum.</P> Sat, 14 Oct 2023 02:51:29 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/4940189#M584609 Greg Gibbs 2023-10-14T02:51:29Z https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/4941347#M584633 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1191533">@adamscottmaster2013</a>&nbsp;have you seen operating systems that are using 802.1X supplicants capable of TLS 1.3 ?</P> <P>I have not tried this yet, but the latest WPA Supplicant has TLS 1.3 support - worth running that against ISE 3.3 to see how it handles the TLS establishment.</P> <P>&nbsp;</P> Mon, 16 Oct 2023 20:06:52 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/4941347#M584633 Arne Bier 2023-10-16T20:06:52Z https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/4942136#M584650 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a>:&nbsp; Yes, we implement 802.1x with our Xerox copiers and Xerox devices are capable of TLSv1.3 and we want to implement TLSv1.3 on ISE but the option is not available.&nbsp; Other vendors, beside Cisco, already support TLSv1.3.&nbsp;&nbsp;</P><P>We're going to deploy ISE 3.2 patch-3 next month.&nbsp; I think we will skip version 3.3 and probably switch vendor, not Cisco, the next time around.</P> Tue, 17 Oct 2023 13:08:14 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/4942136#M584650 adamscottmaster2013 2023-10-17T13:08:14Z https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/4946919#M584823 <P><A href="https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes" target="_self">Here</A> Microsoft states that Windows 11 uses TLS1.3 (<STRONG><A href="https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09" target="_blank" rel="noopener" data-linktype="external">WiFi Security</A></STRONG>)</P> Tue, 24 Oct 2023 14:05:19 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/4946919#M584823 JPavonM 2023-10-24T14:05:19Z https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/5084921#M589168 <P>ISE 3.3 Patch 2 now supports TLSv1.3 for Cisco ISE Workflows (and not just for the Admin GUI).</P> Tue, 30 Apr 2024 20:07:47 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-and-tlsv1-3/m-p/5084921#M589168 florian.nolting 2024-04-30T20:07:47Z