https://community.cisco.com/t5/network-access-control/ise-3-x-tls-version/m-p/5144390#M590609 <P>Perfect Answer&nbsp;</P> <P>MHM</P> Fri, 12 Jul 2024 22:15:08 GMT MHM Cisco World 2024-07-12T22:15:08Z https://community.cisco.com/t5/network-access-control/ise-3-x-tls-version/m-p/5143904#M590585 <P>Dear Community,</P> <P>While ISE 3.x versions by default use TLS 1.2, so cannot find an option to enable TLS 1.3.</P> <P>To avoid the use of weak cipher of TLS 1.2, do you have any recommend /advice to keep it secure like protocols</P> <P>CBC, RC4,DES...or else?</P> <P>In case we disabled CBC, RC4, other DES what is occur? Is there impact with ISE and endpoint devices?</P> <P>Thanks,</P> <P>&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 12 Jul 2024 04:45:49 GMT https://community.cisco.com/t5/network-access-control/ise-3-x-tls-version/m-p/5143904#M590585 Da ICS16 2024-07-12T04:45:49Z https://community.cisco.com/t5/network-access-control/ise-3-x-tls-version/m-p/5143909#M590586 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1636457">@Da ICS16</a>&nbsp;hi, check below guide. HTH</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_segmentation.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_segmentation.html</A></P> Fri, 12 Jul 2024 05:21:26 GMT https://community.cisco.com/t5/network-access-control/ise-3-x-tls-version/m-p/5143909#M590586 Kasun Bandara 2024-07-12T05:21:26Z https://community.cisco.com/t5/network-access-control/ise-3-x-tls-version/m-p/5144274#M590605 <P>TLS 1.3 is available on ISE 3.3:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JPavonM_0-1720793309463.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/223373iBB375CE240B58FDE/image-size/medium?v=v2&amp;px=400" role="button" title="JPavonM_0-1720793309463.png" alt="JPavonM_0-1720793309463.png" /></span></P> <P>&nbsp;</P> Fri, 12 Jul 2024 14:08:36 GMT https://community.cisco.com/t5/network-access-control/ise-3-x-tls-version/m-p/5144274#M590605 JPavonM 2024-07-12T14:08:36Z https://community.cisco.com/t5/network-access-control/ise-3-x-tls-version/m-p/5144387#M590608 <P>Don't get too excited yet about TLS 1.3 support in ISE. For most folks the only advantage of enabling this (it's disabled by default) is that the ISE Admin UI will now negotiate TLS 1.3 with your browser. Yay. But there is no TLS 1.3 for the Guest Portal - I don't remember if I checked the Sponsor Portal - I suspect it's also not running 1.3 yet.&nbsp;</P> <P>I have not tested EAP-TLS yet with TLS 1.3 enabled</P> <P>Just be aware also that if you change these settings in ISE, it will restart ALL of your nodes at the SAME TIME. This means you must plan an outage window in which your entire ISE deployment is offline for 10-15 minutes (or however long it take to restart services in your case) - if you decide to be brave (or stupid) to disable TLS 1.0/1.1 on your ISE deployment that operates 802.1X to clients, then you might be in for a bad day, because of older devices that still work with TLS 1.0 - I was bitten by this with a customer who had older Cisco deskphones that only did TLS 1.0 on EAP-TLS.&nbsp; The best course of action is to trawl your SIEM (or your entire SYSLOG database) looking for what TLS version was used - if you find 1.0 or 1.1 then find those devices and try to swap them out. Otherwise, don't disable those old protocols.</P> Fri, 12 Jul 2024 22:11:39 GMT https://community.cisco.com/t5/network-access-control/ise-3-x-tls-version/m-p/5144387#M590608 Arne Bier 2024-07-12T22:11:39Z https://community.cisco.com/t5/network-access-control/ise-3-x-tls-version/m-p/5144390#M590609 <P>Perfect Answer&nbsp;</P> <P>MHM</P> Fri, 12 Jul 2024 22:15:08 GMT https://community.cisco.com/t5/network-access-control/ise-3-x-tls-version/m-p/5144390#M590609 MHM Cisco World 2024-07-12T22:15:08Z