Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3913
Views
10
Helpful
5
Replies

Cisco ISE 2.6 security settings

Go to solution
jm.virtual01
Level 1
Level 1

‎08-08-2020 03:19 PM

I ma using Cisco ISE 2.6. I have enabled TLS 1.0 and TLS 1.1 in current deployment. Now i need to disable TLS 1.0

I wanted to know that in my network is there any end device that using TLS 1.0, how can find that?

Is there and recommendations for security setting for ISE 2.6?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎08-09-2020 04:52 PM

See a similar post here for potential impacts to disabling ciphers in ISE.

The TLS version used by EAP for a particular connected client can be found in the endpoint Attribute details in Context Visibility.

Example:

Screen Shot 2020-08-10 at 9.47.19 am.png

This information is not included in the CSV export from Context Visibility or the API, however, so you would need to pick a subset of endpoints that represents your fleet and check them individually.

If you still have Win7 PCs, you should also be aware of the registry settings required to enable TLS 1.2 as per the following document:

EAP-TLS 1.2 and Windows Clients

Best Practice would be to disable any insecure ciphers that are not in use but, as with anything, you need to find the right balance between Security and Usability.

View solution in original post

5 Replies 5

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎08-09-2020 04:52 PM

See a similar post here for potential impacts to disabling ciphers in ISE.

The TLS version used by EAP for a particular connected client can be found in the endpoint Attribute details in Context Visibility.

Example:

Screen Shot 2020-08-10 at 9.47.19 am.png

This information is not included in the CSV export from Context Visibility or the API, however, so you would need to pick a subset of endpoints that represents your fleet and check them individually.

If you still have Win7 PCs, you should also be aware of the registry settings required to enable TLS 1.2 as per the following document:

EAP-TLS 1.2 and Windows Clients

Best Practice would be to disable any insecure ciphers that are not in use but, as with anything, you need to find the right balance between Security and Usability.

Go to solution
russell.sage
Level 1
Level 1
In response to Greg Gibbs

‎06-18-2021 03:53 AM

Hi do you know if disabling security settings requires any sort of reboot or restart of the ISE services.

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to russell.sage

‎06-19-2021 10:54 PM

Hi @russell.sage ,

 no, only Save (please take a look at: Configure Security Settings)

 

Hope this helps !!!

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎06-20-2021 10:53 AM

It might not be applicable to you, but another thing to keep in mind is that the standard TrustSec provisioning process requires TLS 1.0, and if you disable TLS 1.0 on the deployment, that will stop working. 

IOS-XE 17.3 introduced a HTTPS API based TrustSec provisioning method that allows for you to disable TLS 1.0, but it would require all network devices to be running this new code, and all of them to be reconfigured to leverage this method. 

0 Helpful

Go to solution
russell.sage
Level 1
Level 1
In response to Damien Miller

‎06-21-2021 12:26 AM

Hi

Many thanks for that piece of information. We don't currently use TrustSec.
0 Helpful
Customers Also Viewed These Support Documents