Disable certain ciphers on Cisco ISE 3.2 patch-3

~ $ sudo nmap --script ssl-enum-ciphers -p 443 dlsisep001.humana.com

Starting Nmap 6.40 ( http://nmap.org ) at 2023-09-08 08:13 EDT
Nmap scan report for dlsisep001.humana.com (8.8.8.8)
Host is up (0.00061s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| compressors:
| NULL
|_ least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
~ $

How do I go about disabling these AES-128 ciphers on Cisco ISE?

| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
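As an added example (not from the thread and not Cisco's own tooling), a small Python checker that parses `ssl-enum-ciphers` output of the shape shown above and lists every offered suite that violates a policy, so the change can be verified after it is applied. The sample scan and the policy rules are constructed assumptions; the AES-128 rule is the one the question asks for, and the CBC and static-RSA rules are the extra findings a TLS audit usually raises.

```python
import re
# Constructed sample mirroring the shape of the scan in the question (not the real output).
SAMPLE_SCAN = """\
443/tcp open https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|_  least strength: strong
"""

# Policy assumed for this example: the AES-128 rule is what the question asks for;
# the CBC and static-RSA rules are the usual extra findings in a TLS audit.
FORBIDDEN = [
    (re.compile(r"_AES_128_"), "AES-128 suite"),
    (re.compile(r"_CBC_"), "CBC mode (no AEAD)"),
    (re.compile(r"^TLS_RSA_WITH_"), "static RSA key exchange (no forward secrecy)"),
]

VERSION_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):")
# Suite name, optional extras such as "(rsa 2048)" in newer nmap, then "- <strength or grade>".
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+).*-\s+(\w+)\s*$")
def parse_ciphers(scan_text):
    """Return {protocol: [(suite, strength), ...]} from ssl-enum-ciphers output."""
    offered, version = {}, None
    for line in scan_text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
            offered.setdefault(version, [])  # keeps "SSLv3: No supported ciphers" as []
            continue
        m = CIPHER_RE.match(line)
        if m and version:
            offered[version].append((m.group(1), m.group(2)))
    return offered

def audit(scan_text):
    """Return (protocol, suite, reason) for every offered suite the policy rejects."""
    findings = []
    for version, suites in parse_ciphers(scan_text).items():
        for suite, _strength in suites:
            for pattern, reason in FORBIDDEN:
                if pattern.search(suite):
                    findings.append((version, suite, reason))
                    break  # report the first matching rule only
    return findings
```

Feed it the saved output of the same `nmap --script ssl-enum-ciphers -p 443 <host>` run before and after the change; an empty result means none of the rejected suites are still offered.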

4 Replies

balaji.bandi
Hall of Fame

You can check in the GUI:

Administration > System > Settings > Protocols > Security Settings.

Admin guide for reference:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_segmentation.html#task_55FD724D084D4C4485B8E25B4560A79E

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@balaji.bandi: Have you ever done this yourself, or are you just guessing?

I've gone through the security settings prior to posting the question in the forum and couldn't find any.

Yes, I do it from the GUI (but I am using ISE 3.3; maybe I should have mentioned that in the last post).

But in older versions, as I remember, you can modify the ciphers needed at the command level. (ISE uses general Linux behind it, so you can also change the sshd_config.)

We do scan many Linux servers locally (we change that sshd_config), and restarting the SSH daemon should fix the issue.

BB


@balaji.bandi: I don't know if you read my post, but I was not asking about sshd; I was asking about SSL. They are not the same.