Solved: Re: Cisco ISE TLS

AndrejJ · ‎03-07-2018

Hi,

We are deploying ISE 2.3 with patch 2 at customer site. During a vulnerability test was detected that Sponsor portal (also other ISE portals) are active on TLS 1.0, also if they are not in use. Is it possible to modify (change TLS 1.0 for TLS 1.2) this setup or turn off ISE portals completely? The problem is TLS 1.0 is within our customer's environment specified as vulnerable. A solution here might be make Sponsor portal active on TLS 1.2 for instance. If this modification is not available now, is it planned for ISE 2.4 release?

Other question is also related to ISE TLS setup. On ISE management, in section Security Settings, is possibility to uncheck TLS 1.0 and TLS 1.1. Does it mean that ISE 2.3 runs with TLS 1.2 as default?

For more details, pls let me know.

KR

AJ

Jason Kunst · ‎09-13-2018

There is no granular way to set this.

ISE 2.4 allows you to run TLS 1.2 only in a deployment if you set it that way.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/release_notes/b_ise_24_rn.html#id_82769

Please work through ISE product management and sales channel if you like a feature request. You might need to run separate deployments for ISE Guest and ISE internal if you need these strict controls.

View solution in original post

hslai · ‎03-07-2018

The security settings in ISE 2.3 do not affect ISE web portals, such as sponsor and guest. ISE 2.4 has not yet been released so please check it out at http://cs.co/ise-beta

It's not possible to turn off ISE portals completely so it's best to use an external firewall or access-list to block the access to these TCP ports.

AndrejJ · ‎03-15-2018

Thanks for your reply. Any clue for TLS related question?

It's confusing, in ISE management -> Security Settings we have available check/uncheck boxes for TSL 1.0 and TLS 1.1 only. Latest ISE Release notes says - Cisco ISE 2.3 supports TLS versions 1.0, 1.1, and 1.2 Cipher Suites, however there doesn't seem to be an option to choose 1.2 as primary one, or the only one, I want to use. Does it mean TLS 1.2 is native for EAP communication in ISE 2.3? When I uncheck all the other versions, do I use TLS 1.2 only?

Scott Gillies · ‎03-15-2018

The TLS version used is usually negotiated with the client. AFAIK the negotiation should be the ISE telling the client what TLS versions it supports and the client telling the ISE which version (should be the highest TLS version it can support first) it would like to use.

AS I understand, if ISE is configured to only use TLS 1.2, that is the only TLS version the client will be able to negotiate and use, if it supports it.

Jason Kunst · ‎03-15-2018

The ability to only have tls 1.2 enabled is coming in ise 2.4

Please wait for this release , cannot comment on timelines in public forum

Filous · ‎09-13-2018

Hi everyone,

I would like to ask you about few questions related to Cisco ISE and TLS.

1. Is there any option to active TLS version 1.2 only on Cisco ISE which is in role of EAP server?
2. Is it possible to modify TLS version for Sponsor and Guest portal only? I mean in another way than is in global settings. Guest uses TLS version 1.0 and that is not supported in customer environment from Security reasons.
3. I have a troubles with Cisco ISE 2.3 patch 2 where client is configured to support TLS 1.1 and TLS 1.2 only. It is a WIN10 client with AnyConnect 4.6. Authentication method is EAP-FAST (EAP-TLS, EAP-MSCHAPv2). When I turn off the TLS 1.0 on Cisco ISE (Administratin -> Setting -> RADIUS -> Security setting) so machine authentication stops working. Can I ask you about some advice?

Thanks in advanced.

Jason Kunst · ‎09-13-2018