10-13-2023 10:18 AM
Anyone know when Cisco ISE will start supporting TLSv1.3? I am running ISE 3.2 patch-3 and it seems like TLSv1.2 is the highest it can go:
nmap --script ssl-enum-ciphers -p 443 isenode1.cisco.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-13 13:10 EDT
Nmap scan report for isenode1 (192.168.1.1)
Host is up (0.00068s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
Thoughts?
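An added example, not from the original post and not Cisco's code: it reads an ssl-enum-ciphers scan like the one above and answers the two questions worth settling before chasing TLS 1.3. First, what is the highest protocol the server offers (here TLSv1.2, with no TLSv1.3 section). Second, which of those A-graded suites still use static RSA key exchange (the TLS_RSA_WITH_* entries), which give no forward secrecy and which TLS 1.3 dropped by design. The sample input is a trimmed copy of the scan output above; `probe_version` is a live follow-up check using only Python's standard `ssl` module, against a host and port you supply (no network access is needed for the offline part).

```python
"""Interpret an nmap ssl-enum-ciphers scan offline, then optionally confirm
a single protocol version against a live host with Python's ssl module."""
import re
import socket
import ssl
import sys

# Constructed sample: a trimmed copy of the scan output in the post above.
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# nmap prints one block per protocol ("|   TLSv1.2:") and one line per suite
# ("|       TLS_... (kex info) - grade"). Indentation may be collapsed when
# the output is pasted, so only "at least one space" is assumed.
VERSION_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_scan(text):
    """Return {protocol: [(suite, kex_info, grade), ...]} for the scan text."""
    result = {}
    current = None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), m.group(2), m.group(3)))
    return result


def highest_version(scan):
    """Highest protocol the server offered (unknown names sort lowest)."""
    return max(scan, key=lambda v: VERSION_ORDER.index(v) if v in VERSION_ORDER else -1)


def supports_tls13(scan):
    return "TLSv1.3" in scan


def no_forward_secrecy(scan):
    """Suites keyed by static RSA: a leaked server key decrypts recorded
    sessions. nmap grades them A on cipher strength alone; TLS 1.3 has none."""
    return sorted({suite for suites in scan.values()
                   for suite, _, _ in suites if suite.startswith("TLS_RSA_WITH_")})


def probe_version(host, port=443, version=ssl.TLSVersion.TLSv1_3, timeout=5.0):
    """Live check: negotiate exactly `version`; return the protocol name the
    server agreed to, or None if it refused. Verification is disabled because
    the question is protocol support, not trust; never reuse this context
    for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    print("highest offered:", highest_version(scan))
    print("TLS 1.3 offered:", "yes" if supports_tls13(scan) else "no")
    print("no forward secrecy:", no_forward_secrecy(scan))
    if len(sys.argv) > 1:  # e.g. python3 check.py isenode1.example.net
        print("live TLS 1.3 probe:", probe_version(sys.argv[1]))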
10-13-2023 10:38 AM
I heard that ISE 3.3 supports TLS 1.3; worth checking the release notes and configuration guide.
10-13-2023 12:45 PM
Allow TLS 1.3: Allows TLS 1.3 for administrator HTTPS access over port 443 for:
Cisco ISE Admin GUI
APIs enabled for port 443 (Open API, ERS, MnT)
Note: AAA communications and all types of internode communications do not support TLS 1.3.
Enable TLS 1.3 on Cisco ISE and the relevant clients and servers for admin access over TLS 1.3.
That's not what I want. Can it support TLSv1.3 for things besides "administration"?
10-13-2023 07:51 PM
What is documented is all that is currently supported. This type of enhancement requires significant development effort and regression testing, and the feature roadmap is not discussed in this public forum.
10-16-2023 01:06 PM
@adamscottmaster2013 have you seen operating systems that are using 802.1X supplicants capable of TLS 1.3?
I have not tried this yet, but the latest WPA Supplicant has TLS 1.3 support - worth running that against ISE 3.3 to see how it handles the TLS establishment.
10-17-2023 06:08 AM
@Arne Bier: Yes, we implement 802.1X with our Xerox copiers, and Xerox devices are capable of TLSv1.3. We want to implement TLSv1.3 on ISE, but the option is not available. Other vendors, besides Cisco, already support TLSv1.3.
We're going to deploy ISE 3.2 patch-3 next month. I think we will skip version 3.3 and probably switch vendor, not Cisco, the next time around.
10-24-2023 07:04 AM - edited 10-24-2023 07:05 AM
Here Microsoft states that Windows 11 uses TLS 1.3 (Wi-Fi Security).
04-30-2024 01:07 PM
ISE 3.3 Patch 2 now supports TLSv1.3 for Cisco ISE Workflows (and not just for the Admin GUI).