ISE as a server with TLS 1.2

Nancy Saini
Cisco Employee



Is server-based TLS 1.2 supported on ISE 2.4?


The release notes mention only client-based TLS 1.2:




Accepted Solutions

Marvin Rhoads
Hall of Fame

An ISE 2.4 server will support both TLS 1.1 and TLS 1.2 connections.


I confirmed this using nmap with the enum ciphers script as shown in the output below.


Nmap scan report for
Host is up (0.00s latency).

443/tcp open  ssl/https
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, RTSPRequest, SSLSessionReq, TLSSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Date: Tue, 16 Apr 2019 10:07:19 GMT
|     Connection: close
|     Server:
|   FourOhFourRequest: 
|     HTTP/1.1 302 Found
|     Strict-Transport-Security: max-age=86400
|     Location: https://localhost/admin/
|     Content-Length: 0
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|     Server:
|   GetRequest: 
|     HTTP/1.1 302 Found
|     Strict-Transport-Security: max-age=86400
|     Location: https://localhost/admin/
|     Content-Length: 0
|     Date: Tue, 16 Apr 2019 10:07:09 GMT
|     Connection: close
|     Server:
|   HTTPOptions: 
|     HTTP/1.1 405 Method Not Allowed
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|     Server:
|   tor-versions: 
|     HTTP/1.1 400 Bad Request
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|_    Server:
|_http-server-header: <empty>
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-enum-ciphers: 
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A
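
Added example, not part of the original post: a small Python parser for `ssl-enum-ciphers` output that lists what the uniform "A" grade does not surface, namely the legacy protocol version, the 1024-bit DH groups nmap warns about, and static-RSA suites without forward secrecy. The function names, the 2048-bit threshold and the abridged sample are assumptions made for this illustration.

```python
import re

# Abridged from the ssl-enum-ciphers output in the post above.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|_  least strength: A
"""

PROTO = re.compile(r"^\|_?\s+((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER = re.compile(r"^\|_?\s+(TLS_\w+) \(([^)]+)\) - ([A-F])\s*$")
LEGACY = {"SSLv3", "TLSv1.0", "TLSv1.1"}  # TLS 1.0/1.1 deprecated by RFC 8996
MIN_DH_BITS = 2048  # assumed policy threshold for finite-field DH groups


def parse_enum_ciphers(text):
    """Return {protocol: [(cipher, key_exchange, grade), ...]}."""
    result, proto = {}, None
    for line in text.splitlines():
        if m := PROTO.match(line):
            proto = m.group(1)
            result[proto] = []
        elif proto and (m := CIPHER.match(line)):
            result[proto].append(m.groups())
    return result


def audit(parsed):
    """Return (protocol, cipher, reason) findings that the letter grade hides."""
    findings = []
    for proto, ciphers in parsed.items():
        if proto in LEGACY:
            findings.append((proto, "-", "legacy protocol version enabled"))
        for name, kex, _grade in ciphers:
            dh = re.fullmatch(r"dh (\d+)", kex)
            if dh and int(dh.group(1)) < MIN_DH_BITS:
                findings.append((proto, name, f"{dh.group(1)}-bit DH group"))
            if name.startswith("TLS_RSA_"):
                findings.append((proto, name, "static RSA, no forward secrecy"))
    return findings
```

Calling `audit(parse_enum_ciphers(SAMPLE))` returns five findings for the abridged sample; saved output from a full scan can be passed to `parse_enum_ciphers` in the same way.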
