Cisco Employee

ISE as a server with TLS 1.2

Hi,

 

Is server-based TLS 1.2 supported on ISE 2.4?

The release notes mention only client-based TLS 1.2: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/release_notes/b_ise_24_rn.html#id_82769

 

Regards,

Nancy

Accepted Solutions
Hall of Fame Master

Re: ISE as a server with TLS 1.2

An ISE 2.4 server will support both TLS 1.1 and TLS 1.2 connections.

 

I confirmed this using nmap with the enum ciphers script as shown in the output below.

 

Nmap scan report for 172.31.1.12
Host is up (0.00s latency).

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, RTSPRequest, SSLSessionReq, TLSSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Date: Tue, 16 Apr 2019 10:07:19 GMT
|     Connection: close
|     Server:
|   FourOhFourRequest: 
|     HTTP/1.1 302 Found
|     Strict-Transport-Security: max-age=86400
|     Location: https://localhost/admin/
|     Content-Length: 0
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|     Server:
|   GetRequest: 
|     HTTP/1.1 302 Found
|     Strict-Transport-Security: max-age=86400
|     Location: https://localhost/admin/
|     Content-Length: 0
|     Date: Tue, 16 Apr 2019 10:07:09 GMT
|     Connection: close
|     Server:
|   HTTPOptions: 
|     HTTP/1.1 405 Method Not Allowed
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|     Server:
|   tor-versions: 
|     HTTP/1.1 400 Bad Request
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|_    Server:
|_http-server-header: <empty>
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-enum-ciphers: 
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A
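
One way to turn the ssl-enum-ciphers section of a scan like the one above (the kind produced by `nmap -sV --script ssl-enum-ciphers -p 443 <host>`) into a list of hardening findings. This is an added example, not part of the original reply; `parse`, `findings` and the thresholds are assumptions made for illustration, and the sample is a trimmed excerpt of the output above.

```python
import re

# Trimmed excerpt of the ssl-enum-ciphers output quoted above (sample input).
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     cipher preference: client
"""

PROTO = re.compile(r"^\|[_ ]+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER = re.compile(r"^\|[_ ]+(TLS_\w+) \((\w+)(?: (\d+))?\) - ([A-F])\s*$")
PREF = re.compile(r"^\|[_ ]+cipher preference: (\w+)")

def parse(text):
    """Return {protocol: {"ciphers": [(name, kex, bits, grade)], "pref": str}}."""
    result, cur = {}, None
    for line in text.splitlines():
        if m := PROTO.match(line):
            cur = result.setdefault(m.group(1), {"ciphers": [], "pref": None})
        elif cur is not None and (m := CIPHER.match(line)):
            name, kex, bits, grade = m.groups()
            cur["ciphers"].append((name, kex, int(bits) if bits else None, grade))
        elif cur is not None and (m := PREF.match(line)):
            cur["pref"] = m.group(1)
    return result

def findings(parsed, min_proto="TLSv1.2", min_dh=2048):
    """List hardening findings; the thresholds are assumptions, not vendor guidance."""
    out = []
    for proto, info in sorted(parsed.items()):
        if proto < min_proto:  # lexical order holds for SSLv3 < TLSv1.0 < ... < TLSv1.3
            out.append(f"{proto}: protocol older than {min_proto} is enabled")
        for name, kex, bits, _ in info["ciphers"]:
            if kex == "dh" and bits and bits < min_dh:
                out.append(f"{proto}: {name} uses {bits}-bit DH")
            if name.startswith("TLS_RSA_"):  # static RSA key exchange
                out.append(f"{proto}: {name} has no forward secrecy")
        if info["pref"] == "client":
            out.append(f"{proto}: server does not enforce cipher order")
    return out
```

The letter grade nmap prints is "A" for every suite here, so the findings come from the key-exchange parameters and protocol versions rather than from the grade.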
Cisco Employee

Re: ISE as a server with TLS 1.2
