AndrejJ
Cisco Employee

Cisco ISE TLS

Hi,

We are deploying ISE 2.3 with patch 2 at a customer site. During a vulnerability test it was detected that the Sponsor portal (and also other ISE portals) is active on TLS 1.0, even if it is not in use. Is it possible to modify this setup (change TLS 1.0 for TLS 1.2) or turn off the ISE portals completely? The problem is that TLS 1.0 is specified as vulnerable within our customer's environment. A solution here might be to make the Sponsor portal active on TLS 1.2, for instance. If this modification is not available now, is it planned for the ISE 2.4 release?

The other question is also related to the ISE TLS setup. On ISE management, in the Security Settings section, there is the possibility to uncheck TLS 1.0 and TLS 1.1. Does it mean that ISE 2.3 runs with TLS 1.2 as default?

For more details, please let me know.

KR

AJ

Accepted Solution
There is no granular way to set this.

 

ISE 2.4 allows you to run TLS 1.2 only in a deployment if you set it that way.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/release_notes/b_ise_24_rn.html#id_82769

 

Please work through the ISE product management and sales channel if you would like to make a feature request. You might need to run separate deployments for ISE Guest and ISE internal if you need these strict controls.

 

Screen Shot 2018-09-13 at 11.49.35 AM.png

hslai
Cisco Employee

The security settings in ISE 2.3 do not affect ISE web portals, such as sponsor and guest. ISE 2.4 has not yet been released so please check it out at http://cs.co/ise-beta

It's not possible to turn off ISE portals completely so it's best to use an external firewall or access-list to block the access to these TCP ports.

AndrejJ
Cisco Employee

Thanks for your reply. Any clue for TLS related question?

It's confusing: in ISE management -> Security Settings we have check/uncheck boxes available for TLS 1.0 and TLS 1.1 only. The latest ISE release notes say "Cisco ISE 2.3 supports TLS versions 1.0, 1.1, and 1.2 Cipher Suites", however there doesn't seem to be an option to choose 1.2 as the primary one, or the only one, I want to use. Does it mean TLS 1.2 is native for EAP communication in ISE 2.3? When I uncheck all the other versions, do I use TLS 1.2 only?

The TLS version used is usually negotiated with the client. AFAIK the negotiation should be the ISE telling the client what TLS versions it supports and the client telling the ISE which version (should be the highest TLS version it can support first) it would like to use.

As I understand it, if ISE is configured to only use TLS 1.2, that is the only TLS version the client will be able to negotiate and use, if it supports it.
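A way to verify the finding described in the question, and to watch the negotiation described above from the client side, is to offer the server one protocol version at a time and see which handshakes complete. The script below is an added example for this thread, not code from the posts or from Cisco; the hostname ise.example.com and port 8443 are placeholders to replace with the portal under review. It runs the same check against any HTTPS listener, so it also serves to confirm the outcome after an ISE 2.4 "TLS 1.2 only" setting or an external firewall/ACL is in place.

```python
"""Probe which TLS protocol versions an HTTPS endpoint is willing to negotiate.

Added example (not from the thread or Cisco). Host and port are placeholders:
point them at the portal under review, e.g. an ISE Sponsor portal listener.
"""
import socket
import ssl

# Versions to offer one at a time. The scan in the thread flagged TLS 1.0;
# TLS 1.2 is the target state. Oldest first so reports read top-down.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1.0", "TLSv1.1")


def _client_context(version):
    """Build a client context pinned to exactly one protocol version.

    Certificate checks are off on purpose: this audits the negotiated
    version only; it does not validate the portal's identity.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Newer OpenSSL builds refuse legacy versions at the default security
    # level; lower it so the client side can at least offer them. If the
    # local build still cannot, probe_version reports None for that version.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_version(host, port, version, timeout=5.0):
    """Offer one version. True = server completed the handshake at that
    version, False = server refused or the connection failed, None = this
    client could not even offer it (local OpenSSL limitation)."""
    try:
        ctx = _client_context(VERSIONS[version])
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_all(host, port):
    """Run every version against the endpoint; returns {name: True/False/None}."""
    return {name: probe_version(host, port, name) for name in VERSIONS}


def assess(results):
    """Turn probe results into a finding.

    'legacy-enabled' : at least one TLS 1.0/1.1 handshake succeeded
    'modern-only'    : only TLS 1.2+ handshakes succeeded
    'no-tls'         : nothing negotiated (port closed, filtered, or no TLS)
    Returns (finding, list of versions the server accepted).
    """
    accepted = [name for name in VERSIONS if results.get(name)]
    if any(name in LEGACY for name in accepted):
        return "legacy-enabled", accepted
    if accepted:
        return "modern-only", accepted
    return "no-tls", accepted


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ise.example.com"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443          # assumed portal port
    results = probe_all(host, port)
    for name, ok in results.items():
        state = "accepted" if ok else ("could not offer" if ok is None else "refused")
        print(f"{name:8} {state}")
    print("finding:", *assess(results))
```

Run it as `python probe_tls.py <host> <port>`. A `None` for TLS 1.0 means the local OpenSSL build would not offer that version at all, which is a gap in the audit rather than evidence that the server refuses it; rerun from a host whose TLS library can still speak the legacy versions before signing off the finding. A `no-tls` result after an ACL or firewall rule is applied is the expected confirmation that the portal port is no longer reachable from that vantage point.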

The ability to have only TLS 1.2 enabled is coming in ISE 2.4.

Please wait for this release; I cannot comment on timelines in a public forum.

Hi everyone,

I would like to ask you a few questions related to Cisco ISE and TLS.

1. Is there any option to activate TLS version 1.2 only on Cisco ISE when it is in the role of EAP server?
2. Is it possible to modify the TLS version for the Sponsor and Guest portals only? I mean in another way than in the global settings. Guest uses TLS version 1.0 and that is not supported in the customer environment for security reasons.
3. I have trouble with Cisco ISE 2.3 patch 2 where the client is configured to support TLS 1.1 and TLS 1.2 only. It is a WIN10 client with AnyConnect 4.6. The authentication method is EAP-FAST (EAP-TLS, EAP-MSCHAPv2). When I turn off TLS 1.0 on Cisco ISE (Administration -> Settings -> RADIUS -> Security settings), machine authentication stops working. Can I ask you for some advice?

Thanks in advance.

I played around with TLS negotiation on ISE 2.4 a while back.

Attached are my notes.

 
