https://community.cisco.com/t5/network-access-control/disable-tls1-0-and-tls1-1-from-ise-3-2/m-p/5138527#M590358 <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/release_notes/b_ise_33_RN.html#c_disable_ciphers" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/release_notes/b_ise_33_RN.html#c_disable_ciphers</A></P> Mon, 01 Jul 2024 14:57:46 GMT ahollifield 2024-07-01T14:57:46Z https://community.cisco.com/t5/network-access-control/disable-tls1-0-and-tls1-1-from-ise-3-2/m-p/5137274#M590304 <P>We have a distributed ISE deployment with PAN, MNT and PSN nodes. all the ISE nodes are running on&nbsp;&nbsp;3.2.0.542 -patch-3.We already disabled the TLS1.0 and 1.1 from the security settings but still it's listening to the tls1.0/1.1 weak cipher as per the Vulnerability report. Please see the attachment.</P><P>VM team Performed a vulnerability scan for the ISE nodes to validate TLS vulnerabilities. However, TLS 1.0 and TLS 1.1 weak ciphers are still showing. attached the vulnerability&nbsp; XML report. TLS 1.0 and 1.1 protocol matches are shown as True. TAC team was not able to figure it out this issue .. any suggestion ..</P> Thu, 27 Jun 2024 23:11:49 GMT https://community.cisco.com/t5/network-access-control/disable-tls1-0-and-tls1-1-from-ise-3-2/m-p/5137274#M590304 ajaykumar-rath 2024-06-27T23:11:49Z https://community.cisco.com/t5/network-access-control/disable-tls1-0-and-tls1-1-from-ise-3-2/m-p/5137526#M590314 <P>You are on ISE 3.2 Patch 3 which is 1 year old. Patch 6 is the latest. First try that. I have a hard time believing TAC never mentioned this to you.</P> <P>TLS is used in <EM>a lot of different services</EM> and neither you nor your vulnerability scan provide any specifics about which ports or scenarios you or the scanner were trying to use TLS.</P> Fri, 28 Jun 2024 13:11:58 GMT https://community.cisco.com/t5/network-access-control/disable-tls1-0-and-tls1-1-from-ise-3-2/m-p/5137526#M590314 thomas 2024-06-28T13:11:58Z https://community.cisco.com/t5/network-access-control/disable-tls1-0-and-tls1-1-from-ise-3-2/m-p/5137665#M590325 <P>Thanks Thomas !!</P><P>ISE messaging service is enabled in the ISE. Is it possible that , this TLS1.0 and 1.1 version vulnerabilities are related to ISE messaging service ?</P><P>Vulnerability reported-&nbsp;TLS/SSL Weak Message Authentication Code Cipher Suites</P><P>Transport Layer Security version 1.2 and earlier include support for cipher suites which use cryptographically weak Hash-based message authentication codes (HMACs), such as MD5 or SHA1.</P><P>TAC recommended to upgrade it to 3.3 in which there is an option to disable weak ciphers. But that is not available in version-3.2</P><P>NMAP output from one ISE node as below -&nbsp;</P><P>&nbsp;</P><P>PORT STATE SERVICE<BR />443/tcp open https<BR />| ssl-enum-ciphers:<BR />| TLSv1.0:<BR />| ciphers:<BR />| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A<BR />| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A<BR />| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A<BR />| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A<BR />| compressors:<BR />| NULL<BR />| cipher preference: server<BR />| warnings:<BR />| Key exchange (dh 2048) of lower strength than certificate key<BR />| Key exchange (secp256r1) of lower strength than certificate key<BR />| TLSv1.1:<BR />| ciphers:<BR />| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A<BR />| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A<BR />| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A<BR />| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A<BR />| compressors:<BR />| NULL<BR />| cipher preference: server<BR />| warnings:<BR />| Key exchange (dh 2048) of lower strength than certificate key<BR />| Key exchange (secp256r1) of lower strength than certificate key<BR />| TLSv1.2:<BR />| ciphers:<BR />| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A<BR />| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A<BR />| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A<BR />| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A<BR />| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A<BR />| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A<BR />| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A<BR />| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A<BR />| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A<BR />| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A<BR />| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A<BR />| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A<BR />| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A<BR />| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A<BR />| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A<BR />| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A<BR />| compressors:<BR />| NULL<BR />| cipher preference: server<BR />| warnings:<BR />| Key exchange (dh 2048) of lower strength than certificate key<BR />| Key exchange (secp256r1) of lower strength than certificate key<BR />|_ least strength: A<BR />8443/tcp filtered https-alt<BR />8444/tcp filtered pcsync-http<BR />8905/tcp closed unknown<BR />9094/tcp filtered unknown<BR />9095/tcp filtered unknown<BR />MAC Address: 02:50:41:00:00:02 (Unknown)</P> Fri, 28 Jun 2024 17:43:25 GMT https://community.cisco.com/t5/network-access-control/disable-tls1-0-and-tls1-1-from-ise-3-2/m-p/5137665#M590325 ajaykumar-rath 2024-06-28T17:43:25Z https://community.cisco.com/t5/network-access-control/disable-tls1-0-and-tls1-1-from-ise-3-2/m-p/5138527#M590358 <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/release_notes/b_ise_33_RN.html#c_disable_ciphers" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/release_notes/b_ise_33_RN.html#c_disable_ciphers</A></P> Mon, 01 Jul 2024 14:57:46 GMT https://community.cisco.com/t5/network-access-control/disable-tls1-0-and-tls1-1-from-ise-3-2/m-p/5138527#M590358 ahollifield 2024-07-01T14:57:46Z https://community.cisco.com/t5/network-access-control/disable-tls1-0-and-tls1-1-from-ise-3-2/m-p/5138605#M590363 <P>I am running ISE 3.2 patch 4 with TLS 1.0/1.1 disable and when I use nmap to scan the system, it only returns TLS v1.2:</P><P>Host is up (0.0060s latency).</P><P>PORT STATE SERVICE<BR />443/tcp open https<BR />| ssl-enum-ciphers:<BR />| TLSv1.2:<BR />| ciphers:<BR />| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A<BR />| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A<BR />| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A<BR />| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A<BR />| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A<BR />| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A<BR />| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A<BR />| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A<BR />| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A<BR />| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A<BR />| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A<BR />| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A<BR />| compressors:<BR />| NULL<BR />| cipher preference: server<BR />| warnings:<BR />| Key exchange (dh 2048) of lower strength than certificate key<BR />| Key exchange (secp256r1) of lower strength than certificate key<BR />|_ least strength: A</P><P>Nmap done: 1 IP address (1 host up) scanned in 1.61 seconds</P><P>I also have ISE 3.0 patch-3 system with TLS 1.0/1.1 OFF and the scan returned only TLS 1.2.</P> Mon, 01 Jul 2024 19:44:14 GMT https://community.cisco.com/t5/network-access-control/disable-tls1-0-and-tls1-1-from-ise-3-2/m-p/5138605#M590363 adamscottmaster2013 2024-07-01T19:44:14Z