ACS 5.3.40: is there a patch available to support TLS 1.1 and 1.2 regarding SSL termination?

Hi,

We are trying to reduce our susceptibility to the SSL BEAST information disclosure vulnerability on our ACS 5.3.40 system.

It's been suggested that we consider some defensive measures such as cipher suite selection.
Wherever possible, we should ensure that servers and clients that support TLS/SSL are configured to support TLS versions 1.1 and 1.2, not just SSLv3 and TLSv1.0, which is often the default configuration.

Can you advise how this is done within the ACS 5.3.40 application? Is it just a case of patching to another level?

(The default SSLv3 and TLSv1.0 settings are not deemed strong enough.)

Thanks.

Well, ISE seems to get an update to support TLS 1.2 with ISE 2.0:

https://supportforums.cisco.com/discussion/12595216/cisco-ise-support-tls-12

Unfortunately, I still do not see any information regarding ACS.

@Cisco: There is still no EOL announcement out for ACS, so the responsible business unit should really put TLS 1.2 on the roadmap for ACS. Everyone who thinks about network security has been moving to TLS 1.2 for months, if not years. Please do something.

Thank you.

PCI DSS 3.1 bans the use of TLS 1.0 as of June 2016, and PCI Approved Scanning Vendors (ASVs) are already giving failing grades on scans that detect anything less than TLS 1.2. This is a problem for Cisco ACS, Cisco CSM and Cisco Firepower Defense Center.
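The original question asks how to verify that a server is no longer negotiating SSLv3/TLSv1.0, and the reply above notes that ASV scans fail anything below TLS 1.2. The following is an added example, not code from this thread or from Cisco: it parses the negotiated protocol version and cipher suite out of a TLS ServerHello record and checks it against a TLS 1.2 floor, and includes a small live probe built on Python's `ssl` module for checking your own hosts. The two ServerHello byte strings are constructed fixtures with a placeholder server random, not traffic captured from ACS; the host name used in the usage comment is hypothetical.

```python
"""Added example: extract the negotiated TLS version from a ServerHello and
check it against a TLS 1.2 minimum. Not Cisco code; fixtures are constructed."""
import socket
import ssl
import struct

# Wire encoding of the protocol version (major, minor) -> human-readable name.
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}
MIN_VERSION = (3, 3)  # policy floor: TLS 1.2, the bar ASV scans apply


def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record holding a ServerHello; return version and cipher suite.

    Only the fields up to cipher_suite are read; extensions are ignored. A TLS 1.3
    ServerHello carries legacy_version 0x0303 in this field (the real version is in
    the supported_versions extension), so it is reported as TLSv1.2, which still
    clears the floor.
    """
    if len(record) < 5 or record[0] != 0x16:           # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x02:  # 0x02 = ServerHello
        raise ValueError("record does not contain a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:             # 2 + 32 + 1 + 2 + 1 minimum
        raise ValueError("truncated ServerHello")
    version = (hello[0], hello[1])
    pos = 2 + 32                                         # skip 32-byte server random
    sid_len = hello[pos]
    pos += 1 + sid_len                                   # skip session id
    if pos + 2 > hs_len:
        raise ValueError("truncated ServerHello")
    (cipher_suite,) = struct.unpack("!H", hello[pos:pos + 2])
    return {
        "version": VERSION_NAMES.get(version, f"unknown{version}"),
        "version_tuple": version,
        "cipher_suite": cipher_suite,
    }


def meets_policy(record: bytes) -> bool:
    """True when the ServerHello in `record` negotiated at least TLS 1.2."""
    return parse_server_hello(record)["version_tuple"] >= MIN_VERSION


def probe_live(host: str, port: int = 443) -> dict:
    """Ask a live server, one handshake per version, which protocol versions it accepts.

    Certificate verification is disabled because only protocol negotiation is under
    test here; do not reuse this context for anything else.
    """
    candidates = [
        ("TLSv1.0", ssl.TLSVersion.TLSv1),
        ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
        ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ]
    accepted = {}
    for name, ver in candidates:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = ctx.maximum_version = ver
            try:
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let OpenSSL offer legacy suites
            except ssl.SSLError:
                pass                                      # non-OpenSSL builds lack SECLEVEL
            with socket.create_connection((host, port), timeout=5) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    accepted[name] = True
        except (ssl.SSLError, OSError, ValueError):
            accepted[name] = False
    return accepted


# Constructed fixtures (not captured traffic): ServerHello records with a placeholder
# 32-byte server random, empty session id, one cipher suite and null compression.
_RANDOM = bytes(range(32))
SERVER_HELLO_TLS10 = bytes.fromhex("160301002a020000260301") + _RANDOM + bytes.fromhex("00002f00")  # TLS 1.0, AES128-SHA
SERVER_HELLO_TLS12 = bytes.fromhex("160303002a020000260303") + _RANDOM + bytes.fromhex("00c02f00")  # TLS 1.2, ECDHE-RSA-AES128-GCM-SHA256

if __name__ == "__main__":
    for label, rec in (("legacy", SERVER_HELLO_TLS10), ("current", SERVER_HELLO_TLS12)):
        info = parse_server_hello(rec)
        print(f"{label}: {info['version']} cipher=0x{info['cipher_suite']:04x} meets_policy={meets_policy(rec)}")
    # Against one of your own hosts (hypothetical name): print(probe_live("acs.example.internal"))
```

A host that still answers a TLS 1.0-only ClientHello will show `"TLSv1.0": True` in `probe_live`, which is exactly what an ASV scan flags; the parser path is useful when you only have a packet capture of the handshake rather than network access to the box.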

Hello Darthnul, where can I get a document that says Cisco ACS 5.7 only supports TLS 1.0?

Please, I need this as proof for a customer of mine which is a financial institution.

John,

Here is a link:

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone/ssl-tls-vulnerability-response.pdf

According to my Cisco account exec, Cisco has no plans to add TLS 1.1 or 1.2 support for ACS. ISE is the replacement. The latest version of ISE supports TACACS+ and TLS 1.2.

Thanks Darthnul

The document didn't say anything about version 1.1?

John,

I don't have any info on ACS supporting TLS 1.1.  I seriously doubt Cisco will do it since it would likely mean just as much work for them as adding TLS 1.2 support.

I have to worry about PCI 3.1 compliance.  PCI also bans "some implementations"  of TLS 1.1, but they refuse to disclose which implementations are acceptable to them, so 1.2 is the only clear choice.

darthnul.

No enhancement request to support it?

Thanks.

There is an enhancement request already:

https://tools.cisco.com/bugsearch/bug/CSCuu29920

Public view shows Status "Open", but I was told internally it was declined. Since ISE is near to feature parity with ACS, it (ACS) will be EOL soon (I would expect EOL notice this year). There seems to be no plans to implement any new features in ACS.

Thanks Tobais.

As we may all know, the Cisco Bug Search Tool may need some work, but in case anyone is still looking for a fixed release for CSCuu29920: you need a minimum of Cisco ACS 5.8 (patch 4).

Check the Cisco ACS 5.8 (patch 5) readme.