Disable TLS1.0 and TLS1.1 from ISE 3.2

ajaykumar-rath
Level 1

We have a distributed ISE deployment with PAN, MNT and PSN nodes. All the ISE nodes are running 3.2.0.542 patch 3. We already disabled TLS 1.0 and 1.1 in the security settings, but it is still listening with TLS 1.0/1.1 weak ciphers according to the vulnerability report. Please see the attachment.

The VM team performed a vulnerability scan of the ISE nodes to validate the TLS vulnerabilities. However, TLS 1.0 and TLS 1.1 weak ciphers are still showing. The vulnerability XML report is attached; the TLS 1.0 and 1.1 protocol matches are shown as True. The TAC team was not able to figure out this issue. Any suggestions?

4 Replies

thomas
Cisco Employee

You are on ISE 3.2 Patch 3, which is 1 year old. Patch 6 is the latest. First try that. I have a hard time believing TAC never mentioned this to you.

TLS is used in a lot of different services, and neither you nor your vulnerability scan provide any specifics about which ports or scenarios you or the scanner were trying to use TLS on.

Thanks Thomas!!

The ISE messaging service is enabled in ISE. Is it possible that these TLS 1.0 and 1.1 version vulnerabilities are related to the ISE messaging service?

Vulnerability reported: TLS/SSL Weak Message Authentication Code Cipher Suites

Transport Layer Security version 1.2 and earlier include support for cipher suites which use cryptographically weak Hash-based message authentication codes (HMACs), such as MD5 or SHA1.

TAC recommended upgrading to 3.3, in which there is an option to disable weak ciphers. But that is not available in version 3.2.

Nmap output from one ISE node is below:

PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (dh 2048) of lower strength than certificate key
| Key exchange (secp256r1) of lower strength than certificate key
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (dh 2048) of lower strength than certificate key
| Key exchange (secp256r1) of lower strength than certificate key
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (dh 2048) of lower strength than certificate key
| Key exchange (secp256r1) of lower strength than certificate key
|_ least strength: A
8443/tcp filtered https-alt
8444/tcp filtered pcsync-http
8905/tcp closed unknown
9094/tcp filtered unknown
9095/tcp filtered unknown
MAC Address: 02:50:41:00:00:02 (Unknown)
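
The finding text and the Nmap output above can be tied together mechanically. The following is an added example (not code from this thread, from Cisco, or from ISE): a small parser for `nmap --script ssl-enum-ciphers` output that reports, per open port, which deprecated protocol versions (SSLv3, TLSv1.0, TLSv1.1) were negotiated and which suites use an HMAC-SHA1 or HMAC-MD5 MAC (suite names ending in `_SHA` or `_MD5`), which is the class of suite the "Weak Message Authentication Code Cipher Suites" finding describes; `_SHA256`/`_SHA384` suites are not flagged. The two sample inputs are constructed, abridged versions of the two Nmap pastes in this thread, and the regexes accept both the indentation-stripped forum paste and nmap's real indented output.

```python
"""Classify nmap ssl-enum-ciphers output into the two findings discussed.

Added example; not part of the original thread, Cisco ISE, or nmap.
"""
import re
from collections import OrderedDict

DEPRECATED_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
# HMAC-SHA1 suites end in "_SHA", HMAC-MD5 suites in "_MD5".
# The anchor on end-of-string keeps _SHA256 / _SHA384 suites out.
WEAK_MAC_SUFFIX = re.compile(r"_(SHA|MD5)$")

PORT_RE = re.compile(r"^(\d+)/tcp\s+(\w+)\s+(\S+)")
VERSION_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(")

# Constructed sample, abridged from the ISE 3.2 patch 3 paste in the thread.
SAMPLE_PATCH3 = """\
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|_ least strength: A
8443/tcp filtered https-alt
"""

# Constructed sample, abridged from the ISE 3.2 patch 4 paste in the thread.
SAMPLE_PATCH4 = """\
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|_ least strength: A
"""


def parse_enum_ciphers(text):
    """Return {port: {version: [suite, ...]}} for every open port in the text."""
    ports = OrderedDict()
    port = version = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            port, state = int(m.group(1)), m.group(2)
            version = None
            if state == "open":
                ports[port] = OrderedDict()
            else:
                port = None  # filtered/closed ports carry no cipher data
            continue
        if port is None:
            continue
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
            ports[port].setdefault(version, [])
            continue
        m = CIPHER_RE.match(line)
        if m and version is not None:
            ports[port][version].append(m.group(1))
    return ports


def findings(ports):
    """Map parsed data onto the two scanner findings, per open port."""
    report = OrderedDict()
    for port, versions in ports.items():
        weak = {s for suites in versions.values() for s in suites
                if WEAK_MAC_SUFFIX.search(s)}
        report[port] = {
            "deprecated_protocols": sorted(v for v in versions if v in DEPRECATED_VERSIONS),
            "weak_mac_suites": sorted(weak),
        }
    return report


def is_clean(report):
    """True when no port has a deprecated protocol or a weak-MAC suite."""
    return all(not r["deprecated_protocols"] and not r["weak_mac_suites"]
               for r in report.values())


if __name__ == "__main__":
    for label, sample in (("patch 3 paste", SAMPLE_PATCH3), ("patch 4 paste", SAMPLE_PATCH4)):
        rep = findings(parse_enum_ciphers(sample))
        print(label, "clean" if is_clean(rep) else "findings:", dict(rep))
```

Run it against a fresh capture with `nmap --script ssl-enum-ciphers -p 443,8443,9094,9095 <node> | python3 check_tls.py` style piping (replace the sample strings with `sys.stdin.read()`). Note that the weak-MAC check is independent of protocol version: a port that only negotiates TLS 1.2 can still carry `_CBC_SHA` suites, so disabling TLS 1.0/1.1 alone need not clear that particular finding.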

I am running ISE 3.2 patch 4 with TLS 1.0/1.1 disabled, and when I use nmap to scan the system, it only returns TLS v1.2:

Host is up (0.0060s latency).

PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (dh 2048) of lower strength than certificate key
| Key exchange (secp256r1) of lower strength than certificate key
|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 1.61 seconds

I also have an ISE 3.0 patch 3 system with TLS 1.0/1.1 off, and the scan returned only TLS 1.2.