Cisco Employee

ISE as a server with TLS 1.2

Hi,

Is server-based TLS 1.2 supported on ISE 2.4?

The release notes mention only client-based TLS 1.2: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/release_notes/b_ise_24_rn.html#id_82769

Regards,

Nancy


Accepted Solutions
Hall of Fame Master

Re: ISE as a server with TLS 1.2

An ISE 2.4 server will support both TLS 1.1 and TLS 1.2 connections.

I confirmed this using nmap with the enum ciphers script as shown in the output below.

Nmap scan report for 172.31.1.12
Host is up (0.00s latency).

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, RTSPRequest, SSLSessionReq, TLSSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Date: Tue, 16 Apr 2019 10:07:19 GMT
|     Connection: close
|     Server:
|   FourOhFourRequest: 
|     HTTP/1.1 302 Found
|     Strict-Transport-Security: max-age=86400
|     Location: https://localhost/admin/
|     Content-Length: 0
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|     Server:
|   GetRequest: 
|     HTTP/1.1 302 Found
|     Strict-Transport-Security: max-age=86400
|     Location: https://localhost/admin/
|     Content-Length: 0
|     Date: Tue, 16 Apr 2019 10:07:09 GMT
|     Connection: close
|     Server:
|   HTTPOptions: 
|     HTTP/1.1 405 Method Not Allowed
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|     Server:
|   tor-versions: 
|     HTTP/1.1 400 Bad Request
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|_    Server:
|_http-server-header: <empty>
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-enum-ciphers: 
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A
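
The scan output above grades every suite "A", yet it also lists TLS 1.1, 1024-bit DHE groups, static-RSA suites and client-side cipher preference. The following is an added example, not part of the original post: it parses an ssl-enum-ciphers section and reports those items for hardening review. The SAMPLE text is constructed in the same layout as the scan, and the 2048-bit DH minimum is an assumed policy.

```python
import re

# Constructed sample: a trimmed ssl-enum-ciphers section in the layout of the scan above.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     cipher preference: client
|_  least strength: A
"""

LEGACY = {"SSLv3", "TLSv1.0", "TLSv1.1"}  # TLS 1.0/1.1 are deprecated by RFC 8996
MIN_DH_BITS = 2048                         # assumed policy threshold
VERSION = re.compile(r"^((?:TLSv|SSLv)[\d.]+):$")
CIPHER = re.compile(r"^(TLS_\w+) \((\w+)(?: (\d+))?\) - ([A-F])$")

def audit(text):
    """Return sorted (protocol, finding, cipher) tuples for one ssl-enum-ciphers section."""
    findings, proto = set(), None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()      # drop nmap's tree-drawing prefix
        if m := VERSION.match(line):
            proto = m.group(1)
            if proto in LEGACY:
                findings.add((proto, "legacy protocol enabled", ""))
        elif m := CIPHER.match(line):
            name, kex, bits, _grade = m.groups()
            if kex == "dh" and bits and int(bits) < MIN_DH_BITS:
                findings.add((proto, f"DHE group is {bits} bits", name))
            if name.startswith("TLS_RSA_WITH_"):
                findings.add((proto, "static RSA key exchange, no forward secrecy", name))
        elif line == "cipher preference: client":
            findings.add((proto, "server follows client cipher order", ""))
    return sorted(findings)

if __name__ == "__main__":
    for proto, finding, cipher in audit(SAMPLE):
        print(f"{proto:8} {finding:45} {cipher}")
```
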
Cisco Employee

Re: ISE as a server with TLS 1.2
