03-07-2018 08:02 AM
Hi,
We are deploying ISE 2.3 with patch 2 at a customer site. During a vulnerability test it was detected that the Sponsor portal (and also other ISE portals) is active on TLS 1.0, even if it is not in use. Is it possible to modify this setup (change TLS 1.0 for TLS 1.2) or turn off the ISE portals completely? The problem is that TLS 1.0 is classified as vulnerable within our customer's environment. A solution here might be to make the Sponsor portal active on TLS 1.2, for instance. If this modification is not available now, is it planned for the ISE 2.4 release?
The other question is also related to the ISE TLS setup. On ISE management, in the Security Settings section, there is the possibility to uncheck TLS 1.0 and TLS 1.1. Does it mean that ISE 2.3 runs with TLS 1.2 as default?
For more details, please let me know.
KR
AJ
09-13-2018 08:50 AM
There is no granular way to set this.
ISE 2.4 allows you to run TLS 1.2 only in a deployment if you set it that way.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/release_notes/b_ise_24_rn.html#id_82769
Please work through ISE product management and sales channel if you like a feature request. You might need to run separate deployments for ISE Guest and ISE internal if you need these strict controls.
03-07-2018 08:16 AM
The security settings in ISE 2.3 do not affect ISE web portals, such as sponsor and guest. ISE 2.4 has not yet been released so please check it out at http://cs.co/ise-beta
It's not possible to turn off ISE portals completely so it's best to use an external firewall or access-list to block the access to these TCP ports.
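Because the security settings do not govern the portals, the only way to know what a given portal really accepts is to check it. The following is an added example (not from this thread or from Cisco) that handshakes against a portal once per TLS version and reports which deprecated versions it still offers; it assumes the portal listens on 8443 (the ISE default) and the host name is a placeholder.

```python
import socket
import ssl

# Versions to probe, oldest first (ssl.TLSVersion needs Python 3.7+).
PROBE_VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2]
DEPRECATED = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}


def offers_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`,
    False if it refuses, None if the local OpenSSL cannot speak that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the negotiated version matters here
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # OpenSSL 3 rejects TLS 1.0/1.1 at its default security level; relax it
        # for the probe so a refusal really comes from the server.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_portal(host, port=8443):
    """Map each probed version name to True/False/None for one portal."""
    return {v.name: offers_version(host, port, v) for v in PROBE_VERSIONS}


def deprecated_versions_enabled(results):
    """Names of deprecated TLS versions the portal accepted, sorted."""
    return sorted(name for name, ok in results.items()
                  if ok and ssl.TLSVersion[name] in DEPRECATED)


if __name__ == "__main__":
    # Placeholder host name; replace with your own ISE PSN running the portal.
    found = probe_portal("ise-psn.example.internal")
    print(found)
    print("still enabled:", deprecated_versions_enabled(found))
```

Run it before and after a settings or firewall change to confirm the portal's behaviour actually changed.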
03-15-2018 02:27 AM
Thanks for your reply. Any clue for TLS related question?
It's confusing: in ISE management -> Security Settings we have check/uncheck boxes for TLS 1.0 and TLS 1.1 only. The latest ISE release notes say "Cisco ISE 2.3 supports TLS versions 1.0, 1.1, and 1.2 Cipher Suites", however there doesn't seem to be an option to choose 1.2 as the primary one, or the only one, I want to use. Does it mean TLS 1.2 is native for EAP communication in ISE 2.3? When I uncheck all the other versions, do I use TLS 1.2 only?
03-15-2018 03:38 AM
The TLS version used is usually negotiated with the client. AFAIK the negotiation should be the ISE telling the client what TLS versions it supports and the client telling the ISE which version (should be the highest TLS version it can support first) it would like to use.
As I understand it, if ISE is configured to only use TLS 1.2, that is the only TLS version the client will be able to negotiate and use, if it supports it.
03-15-2018 07:12 AM
The ability to have only TLS 1.2 enabled is coming in ISE 2.4.
Please wait for this release; I cannot comment on timelines in a public forum.
09-13-2018 05:34 AM
Hi everyone,
I would like to ask you a few questions related to Cisco ISE and TLS.
1. Is there any option to activate TLS version 1.2 only on Cisco ISE when it is in the role of EAP server?
2. Is it possible to modify the TLS version for the Sponsor and Guest portal only? I mean in another way than in the global settings. Guest uses TLS version 1.0 and that is not supported in the customer environment for security reasons.
3. I have troubles with Cisco ISE 2.3 patch 2 where the client is configured to support TLS 1.1 and TLS 1.2 only. It is a WIN10 client with AnyConnect 4.6. The authentication method is EAP-FAST (EAP-TLS, EAP-MSCHAPv2). When I turn off TLS 1.0 on Cisco ISE (Administration -> Setting -> RADIUS -> Security setting), machine authentication stops working. Can I ask you for some advice?
Thanks in advance.