1977 Views, 3 Helpful, 7 Replies

Cisco ISE and TLSv1.3

Anyone know when Cisco ISE will start supporting TLSv1.3?  I am running ISE 3.2 patch-3 and it seems like TLSv1.2 is the highest it can go:

nmap --script ssl-enum-ciphers -p 443 isenode1.cisco.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-13 13:10 EDT
Nmap scan report for isenode1 (192.168.1.1)
Host is up (0.00068s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds

Thoughts?
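Added example, not code from the thread or from Cisco: a small Python helper that parses nmap ssl-enum-ciphers output like the run above and reports the highest protocol version the server offered, whether TLSv1.3 is among them, and which TLSv1.2 suites lack forward secrecy (static RSA key exchange) or use CBC mode. It also includes a live probe that attempts a TLS 1.3-only handshake, so a defender can re-check a node after an upgrade without parsing nmap at all. The sample text is the nmap block from this post; the host name, port and the probe_tls13 function are assumptions for illustration.

```python
import re
import socket
import ssl
from dataclasses import dataclass, field

# Protocol versions in ascending strength order, as nmap labels them.
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# "|   TLSv1.2:" (nmap indentation) or "| TLSv1.2:" (flattened copy/paste).
VERSION_RE = re.compile(r"^\|\s+((?:SSL|TLS)v\d(?:\.\d)?):\s*$")
# "|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A"
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

# Sample input: the nmap run quoted in this post (port 443 block only).
SAMPLE_NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""


@dataclass
class TlsReport:
    # version label -> list of (cipher name, key-exchange info, nmap grade)
    versions: dict = field(default_factory=dict)

    def highest_version(self):
        offered = [v for v in self.versions if v in VERSION_ORDER]
        return max(offered, key=VERSION_ORDER.index) if offered else None

    def supports_tls13(self):
        return "TLSv1.3" in self.versions

    def legacy_versions(self):
        """Versions below TLSv1.2 that the server still offers."""
        return [v for v in self.versions if VERSION_ORDER.index(v) < VERSION_ORDER.index("TLSv1.2")]

    def _all_ciphers(self):
        return [c for suites in self.versions.values() for c, _, _ in suites]

    def no_forward_secrecy(self):
        """TLS_RSA_* suites use static RSA key exchange: a leaked server key decrypts past sessions."""
        return [c for c in self._all_ciphers() if c.startswith("TLS_RSA_")]

    def cbc_ciphers(self):
        """CBC-mode suites; AEAD (GCM/CHACHA20) suites are the preferred modern choice."""
        return [c for c in self._all_ciphers() if "_CBC_" in c]


def parse_ssl_enum_ciphers(text):
    """Parse the ssl-enum-ciphers section of an nmap report into a TlsReport."""
    report = TlsReport()
    current = None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            report.versions.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            report.versions[current].append((m.group(1), m.group(2), m.group(3)))
    return report


# Alert reasons OpenSSL reports when the peer will not speak the version we insisted on.
PROTOCOL_ALERTS = {"TLSV1_ALERT_PROTOCOL_VERSION", "UNSUPPORTED_PROTOCOL",
                   "NO_PROTOCOLS_AVAILABLE", "WRONG_VERSION_NUMBER"}


def probe_tls13(host, port=443, timeout=5.0, cafile=None):
    """Return True if the server completes a TLS 1.3-only handshake, False if it refuses
    the version; other errors (e.g. an untrusted certificate) propagate unchanged."""
    ctx = ssl.create_default_context(cafile=cafile)  # certificate verification stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1.3"
    except ssl.SSLError as exc:
        if exc.reason in PROTOCOL_ALERTS:
            return False
        raise


if __name__ == "__main__":
    r = parse_ssl_enum_ciphers(SAMPLE_NMAP_OUTPUT)
    print("highest version:", r.highest_version(), "| TLS 1.3:", r.supports_tls13())
    print("no forward secrecy:", r.no_forward_secrecy())
    print("CBC suites:", r.cbc_ciphers())
    # Live check against a node you administer (hypothetical host name):
    # print(probe_tls13("isenode1.example.com", cafile="/path/to/internal-ca.pem"))
```

Run it after a patch or upgrade and the parser will show TLSv1.3 as a separate version block in newer nmap output, while the live probe confirms the negotiated version directly; the forward-secrecy and CBC lists are worth trimming on the ISE side regardless of TLS 1.3 support.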


7 Replies

balaji.bandi (Hall of Fame)

I heard that ISE 3.3 supports TLS 1.3; worth checking the release notes and configuration guide.

BB

***** Rate All Helpful Responses *****


Allow TLS 1.3: Allows TLS 1.3 for administrator HTTPS access over port 443 for:

    Cisco ISE Admin GUI
    APIs enabled for port 443 (Open API, ERS, MnT)

Note: AAA communications and all types of internode communications do not support TLS 1.3.

Enable TLS 1.3 on Cisco ISE and the relevant clients and servers for admin access over TLS 1.3.

That's not what I want.  Can it support TLSv1.3 for things besides "administration"?


What is documented is all that is currently supported. This type of enhancement requires significant development effort and regression testing, and the feature roadmap is not discussed in this public forum.

Arne Bier (VIP)

@adamscottmaster2013 have you seen operating systems that are using 802.1X supplicants capable of TLS 1.3?

I have not tried this yet, but the latest WPA Supplicant has TLS 1.3 support - worth running that against ISE 3.3 to see how it handles the TLS establishment.


@Arne Bier: Yes, we implement 802.1X with our Xerox copiers, and Xerox devices are capable of TLSv1.3. We want to implement TLSv1.3 on ISE, but the option is not available. Other vendors, besides Cisco, already support TLSv1.3.

We're going to deploy ISE 3.2 patch-3 next month.  I think we will skip version 3.3 and probably switch vendor, not Cisco, the next time around.

JPavonM (VIP)

Here Microsoft states that Windows 11 uses TLS1.3 (WiFi Security)

florian.nolting (Level 1)

ISE 3.3 Patch 2 now supports TLSv1.3 for Cisco ISE Workflows (and not just for the Admin GUI).