Cisco ISE 2.1 - TLS 1.2

PedroDias1994
Level 1

Hi,

 

I have Cisco ISE 2.1 implemented and after I ran a vulnerability scan, I found that ISE is using TLS 1.0 and TLS 1.1. I intend to disable both and enable TLS 1.2, but before I proceed, I have a few questions:

 

1. Is TLS 1.2 supported on Cisco ISE 2.1?

2. If yes, can I only have TLS 1.2 running?

3. To enable TLS 1.2, I only need to uncheck 'Allow TLS 1.0' and 'Allow TLS 1.1' on Administration > System > Settings > Security Settings?

 

Thank you for your help :)


7 Replies

marce1000
Hall of Fame

 

- From the 2.1 Release Notes it seems that TLS 1.2 is supported:

  https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/release_notes/ise21_rn.html#pgfId-627732

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

And is it possible to run TLS 1.2 with TLS 1.0 and TLS 1.1 disabled?

 

I can't find this information anywhere...

 

Yes,

M.




Mike.Cifelli
VIP Alumni
Adding additional info:
Not sure what types of hosts you manage in your environment, but this may potentially help you if you face issues once making changes:

Change TLS version on Windows host:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13

TLS version   DWORD value
TLS 1.0       0xC0
TLS 1.1       0x300
TLS 1.2       0xC00

https://support.microsoft.com/en-us/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment. HTH!

Thank you for the information!

 

We have Windows 10 devices in our tech park, so it is good to know :)

Another important thing to note before disabling TLS 1.0 and 1.1 support in ISE... as noted in the Security Settings section in ISE, disabling support for those legacy TLS ciphers affects the following functions:

  • Cisco ISE is configured as EAP server
  • Cisco ISE downloads CRL from HTTPS or secure LDAP server
  • Cisco ISE is configured as secure syslog client
  • Cisco ISE is configured as secure LDAP client

If you use any of these functions and the associated systems use legacy TLS ciphers, disabling the legacy TLS cipher support in ISE will break them.

I have seen this first-hand with a customer that decided to disable support for legacy ciphers (TLS 1.1, SHA-1, etc) before verifying that their external systems (like the CA that signed their client certificates) did not use them. Disabling the legacy ciphers in ISE resulted in mass outages due to their 802.1x client authentication failing.
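A pre-change check for the dependencies listed above, added here as an example and not code from the thread or from ISE: it runs one openssl s_client handshake per TLS version against a host, so the CRL HTTPS server, LDAPS server and TLS syslog collector can be confirmed to accept TLS 1.2 before the legacy versions are turned off, and ISE's own HTTPS listener confirmed to refuse 1.0/1.1 afterwards. Host names and ports are placeholders you supply; the classification assumes s_client prints "Cipher is (NONE)" and exits non-zero when a handshake fails.

```bash
#!/usr/bin/env bash
# Probe which TLS protocol versions a server accepts, one handshake per version.
# Targets are assumptions: CRL server (443), LDAPS server (636), TLS syslog
# collector, or ISE's own HTTPS listener after the Security Settings change.

# classify_handshake EXIT_STATUS OUTPUT -> prints "accepted" or "rejected".
# s_client exits non-zero and prints "Cipher is (NONE)" on a failed handshake;
# on success it prints the negotiated suite, e.g. "Cipher is ECDHE-RSA-...".
classify_handshake() {
  local status="$1" output="$2"
  if [ "$status" -eq 0 ] \
     && printf '%s\n' "$output" | grep -q 'Cipher is' \
     && ! printf '%s\n' "$output" | grep -q 'Cipher is (NONE)'; then
    echo accepted
  else
    echo rejected
  fi
}

# flag_supported FLAG -> true if the local openssl build offers that version.
# Without this, a build compiled without TLS 1.0 would report every host as
# "rejected" for -tls1, which says nothing about the server.
flag_supported() {
  openssl s_client -help 2>&1 | grep -q -- " $1 "
}

# probe_version HOST PORT FLAG   (FLAG is -tls1, -tls1_1 or -tls1_2)
probe_version() {
  local host="$1" port="$2" flag="$3" out status=0
  if ! flag_supported "$flag"; then
    echo "unsupported by local openssl"
    return
  fi
  out=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" </dev/null 2>&1) || status=$?
  classify_handshake "$status" "$out"
}

# report HOST PORT -> one line per TLS version.
report() {
  local host="$1" port="$2"
  printf 'TLS 1.0  %s\n' "$(probe_version "$host" "$port" -tls1)"
  printf 'TLS 1.1  %s\n' "$(probe_version "$host" "$port" -tls1_1)"
  printf 'TLS 1.2  %s\n' "$(probe_version "$host" "$port" -tls1_2)"
}

# Usage: ./tls_probe.sh crl.example.com 443   (placeholder host, not from the thread)
if [ "$#" -ge 1 ]; then
  report "$1" "${2:-443}"
fi
```

Run it against each external system before unchecking 'Allow TLS 1.0' and 'Allow TLS 1.1'; any dependency showing "rejected" for TLS 1.2 is one the change will break.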

 

@Greg Gibbs Is rolling back as simple as enabling the TLS 1.0 and 1.1 check boxes again?  I keep getting EAP(PEAP) issues on my Win10 machines since update 1909 where MS monkeyed with 802.1x again.  I'm using the reg key to force TLS 1.2 that Mike referenced to get some of them working but it's not consistent.  Would disabling TLS 1.0/1.1 force ISE to use 1.2 and in combination with that reg key solve my issue?  We use AD for LDAP and a publicly signed CA multi-use cert.