02-09-2021 03:34 AM
Hi Experts,
I am disabling TLS 1.x support on ISE and would like to know whether TLS 2.0 has been enabled on ISE.
How do I verify that TLS 2.0 has been enabled on ISE, and whether it is really supported, since the documentation I referred to does not specifically talk about this?
Any pointers?
02-09-2021 04:19 AM
As far as I know, TLS 2.x is on the way (not ready yet).
02-09-2021 05:18 AM - edited 02-09-2021 05:19 AM
What you actually disable is TLS 1.0 (and possibly TLS 1.1). When you do that, TLS 1.2 is the offered protocol.
You can verify the supported TLS versions before and after your change by using the open source nmap scanning tool and the "ssl-enum-ciphers" script.
https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
See my example from my lab ISE server before and after disabling TLS 1.0 and 1.1.
Before:
nmap -p 443 --script ssl-enum-ciphers ise-new.ccielab.mrneteng.com
...
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-09 21:05 Malay Peninsula Standard Time
Nmap scan report for ise-new.ccielab.mrneteng.com (172.31.1.12)
Host is up (0.00s latency).
rDNS record for 172.31.1.12: hotspot.ccielab.mrneteng.com
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 2048) of lower strength than certificate key
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) -
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 2048) of lower strength than certificate key
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 2048) of lower strength than certificate key
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|_  least strength: A
MAC Address: 00:0C:29:1D:7E:60 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.78 seconds
After:
Nmap scan report for ise-new.ccielab.mrneteng.com (172.31.1.12)
Host is up (0.00s latency).
rDNS record for 172.31.1.12: mydevices.ccielab.mrneteng.com
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 2048) of lower strength than certificate key
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|_  least strength: A
MAC Address: 00:0C:29:1D:7E:60 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.63 seconds
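The answer above relies on reading the ssl-enum-ciphers output by eye. The following is an added example (not part of the original thread and not Cisco or Nmap code) that parses that output and reports which protocol versions the server still offers, so the before/after check can be scripted across many ISE nodes instead of inspected manually. The sample inputs are constructed, abridged copies of the scan text in the post; the function names and the set of versions treated as legacy are my own assumptions.

```python
"""Parse `nmap --script ssl-enum-ciphers` output and flag legacy TLS versions.

Added example: feed it the text of a scan (e.g. saved with `nmap -oN`) and it
tells you which protocol versions the server negotiated and whether any
version you intended to disable (TLS 1.0/1.1, SSLv3) is still offered.
"""
import re
from typing import Dict, List

# Constructed sample, abridged from the "before" scan in the post above.
SAMPLE_BEFORE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|_  least strength: A
"""

# Constructed sample, abridged from the "after" scan in the post above.
SAMPLE_AFTER = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# Assumption: these are the versions an operator disabling "TLS 1.x" wants gone.
LEGACY_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
MODERN_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# "|   TLSv1.2:" style section headers emitted by the script.
VERSION_RE = re.compile(r"^\|\s+((?:SSL|TLS)v\d(?:\.\d)?):\s*$")
# "|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A" style cipher lines.
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")


def parse_ssl_enum_ciphers(text: str) -> Dict[str, List[dict]]:
    """Return {version: [cipher records]} for every version section found."""
    versions: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            versions[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            versions[current].append(
                {"name": m.group(1), "kex": m.group(2), "grade": m.group(3)}
            )
    return versions


def legacy_versions_offered(text: str) -> List[str]:
    """Sorted list of legacy versions the server still accepts (empty is good)."""
    return sorted(v for v in parse_ssl_enum_ciphers(text) if v in LEGACY_VERSIONS)


def modern_version_offered(text: str) -> bool:
    """True if at least one of TLS 1.2 / TLS 1.3 is negotiable."""
    return any(v in MODERN_VERSIONS for v in parse_ssl_enum_ciphers(text))


def hardening_verdict(text: str) -> str:
    """One-line summary suitable for a compliance report."""
    legacy = legacy_versions_offered(text)
    if legacy:
        return "FAIL: legacy versions still offered: " + ", ".join(legacy)
    if not modern_version_offered(text):
        return "FAIL: no TLS 1.2/1.3 section found (scan incomplete?)"
    return "PASS: only TLS 1.2/1.3 offered"


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"{label}: {hardening_verdict(sample)}")
```

Run the real scan with `nmap -p 443 --script ssl-enum-ciphers -oN scan.txt <host>` and pass the file contents to `hardening_verdict`. The verdict treats a scan with no TLS 1.2/1.3 section as a failure rather than a pass, so a port that was filtered or a script that did not run cannot be mistaken for a hardened server.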