topic Re: ISE 3.3 - Disabling support for TLS 1.0 in Network Access Control

ISE 3.3 - Disabling support for TLS 1.0

pmcternan — Wed, 02 Jul 2025 12:58:12 GMT

I plan to disable support for TLS 1.0 under the security settings. I am using ISE 3.3 and was wondering if there is anyway to see or detect if anything is connecting to ISE is still using TLS 1.0. Weather it be pxGrid or Context visibility I'll need to verify this to satisfy CC standards. Also, if I do disable it will this cause a reboot?

Thanks in advance.

Re: ISE 3.3 - Disabling support for TLS 1.0

Mark Elsen — Wed, 02 Jul 2025 15:44:42 GMT

- @pmcternan FYI : https://testtls.com/
https://www.cdn77.com/tls-test

Changing TLS parameters (if it can be done) will not cause a reboot ,

Re: ISE 3.3 - Disabling support for TLS 1.0

MHM Cisco World — Wed, 02 Jul 2025 15:48:27 GMT

https://community.cisco.com/t5/network-access-control/cisco-ise-pic-how-to-disable-tls-1-0-and-possibly-tls-1-1/td-p/4305157

Re: ISE 3.3 - Disabling support for TLS 1.0

Arne Bier — Wed, 02 Jul 2025 21:18:43 GMT

Well done for wanting to disable TLS 1.0 (as well as TLS 1.1 I assume).

When I have done this in the past, I found that there were still clients that negotiated this old protocol and I wasn't aware of it - then had to re-enable TLS 1.0/1.1

Changing this setting will restart application services on ALL nodes at the same time - yes ... ALL ISE nodes at the same time.

In my case, the clients that were preventing me to turn off TLS 1.0 were:

DNAC / Catalyst Center - if DNAC has provisioned your devices with RADIUS settings, then PAC (Protected Access Credential) will be configured on NAD - this involves TLS 1.0 and EAP-FAST - in ISE 3.4 and IOS-XE 17.15.1 there is PAC-Less Provisioning - however, there is no version of DNAC/CatC that supports this yet
Old Cisco desk phones - workaround would be to use MAB instead of 802.1X - but that makes security even worse

How to detect what systems are reliant on using TLS when speaking to ISE? If you're talking about 802.1X clients, then you need to enable SYSLOG forwarding for successful RADIUS authentications to a SYSLOG server and check the events - they contain attributes similar to "days remaining=xxx" (I don't recall the exact string) and also TLS version and cipher details. It's very handy.

But you must configure your ISE Authorization Profiles to re-auth WIRED endpoints periodically (e.g. reauth every 65535 seconds) to get these SYSLOG events. If you don't reauth 802.1X wired clients then you might have missed the auth that could have potentially happened a long time ago when the devices was first connected to a switch.

Web-based clients should not be using TLS 1.0 (e.g. web browsers from guests) - that must be some ancient equipment I would not want on my network. The focus should be on 802.1X clients, and also DNAC (if you're using it)

Re: ISE 3.3 - Disabling support for TLS 1.0

pmcternan — Thu, 03 Jul 2025 12:01:32 GMT

Arne,

We do use DNAC and This is exactly the type of information I was hoping for when I posted this. Thanks a ton.

Re: ISE 3.3 - Disabling support for TLS 1.0

Marcelo Morais — Sat, 02 Aug 2025 05:37:21 GMT

Hi @pmcternan

please take a look at: ISE - What we need to know about TLS.

About:

" ... if there is anyway to see or detect if anything is connecting to ISE is still using TLS 1.0 ... ", search the above link for Identify the TLS version.

" ... do disable it will this cause a reboot ? ... ", search the above link for Particularities > Version and Particularities > Ciphers List.

Hope this helps !!!