Cisco Employee

ISE legacy cipher suites

Hello team,

got the following question from my customer:

I'm a little bit confused regarding the legacy SSL cipher settings within Cisco ISE.

My question is regarding the settings in the ISE GUI under: Administration > System > Settings / Protocols > Security Settings:

Enable TLS 1.0 only for legacy clients

Enable SHA-1 only for legacy clients

In the ISE GUI, the tooltip states:

Enable [TLS 1.0 | SHA-1 cipher suites] only for legacy clients for EAP-TLS, PEAP, EAP-FAST and EAP-TTLS protocols and for legacy secure services

--> So the tooltip states that this setting actually affects EAP protocols which use SSL/TLS (e.g. EAP-TLS and PEAP)

   

Contrary to this, the ISE 2.2 admin guide documentation states:

The following workflow is not affected by the Security Settings:
Cisco ISE acts as an EAP-TLS, EAP-TTLS, PEAP, or EAP-FAST server that authenticates clients to provide them access to the network

--> The admin guide states that these settings do not affect EAP protocols which use SSL/TLS (e.g. EAP-TLS and PEAP)

So, which statement is correct?

Thanks in advance.

Roland

Accepted Solutions
Cisco Employee

Re: ISE legacy cipher suites

The ISE 2.2 admin guide is correct and we have also updated it in the ISE 2.2 admin web UI (see the video below). I believe all our ISE admin guides are showing the correct info.

Video Link : 16264

Participant

Re: ISE legacy cipher suites

Hi Roland and "hslai",

thank you so much for bringing light into this.

There is also an open topic in the Supportforums:

https://supportforums.cisco.com/discussion/13291721/ise-legacy-cipher-suites

I'll share this finding there as well.

Cisco Employee

Re: ISE legacy cipher suites

Please provide direct links to any incorrect documents so we can forward to our Docs team.