ISE 3.3 - Disabling support for TLS 1.0

pmcternan
Level 1

I plan to disable support for TLS 1.0 under the security settings. I am using ISE 3.3 and was wondering if there is any way to see or detect if anything connecting to ISE is still using TLS 1.0. Whether it be pxGrid or Context Visibility, I'll need to verify this to satisfy CC standards. Also, if I do disable it, will this cause a reboot?

Thanks in advance.  

5 Replies

Mark Elsen
Hall of Fame

@pmcternan FYI:
https://testtls.com/
https://www.cdn77.com/tls-test

Changing TLS parameters (if it can be done) will not cause a reboot.

M.

-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)

Arne Bier
VIP

Well done for wanting to disable TLS 1.0 (as well as TLS 1.1 I assume).

When I have done this in the past, I found that there were still clients that negotiated this old protocol and I wasn't aware of it - then had to re-enable TLS 1.0/1.1

Changing this setting will restart application services on ALL nodes at the same time - yes ... ALL ISE nodes at the same time.

In my case, the clients that were preventing me from turning off TLS 1.0 were:

  • DNAC / Catalyst Center - if DNAC has provisioned your devices with RADIUS settings, then PAC (Protected Access Credential) will be configured on NAD - this involves TLS 1.0 and EAP-FAST - in ISE 3.4 and IOS-XE 17.15.1 there is PAC-Less Provisioning - however, there is no version of DNAC/CatC that supports this yet
  • Old Cisco desk phones - workaround would be to use MAB instead of 802.1X - but that makes security even worse

How to detect what systems are reliant on using TLS when speaking to ISE?  If you're talking about 802.1X clients, then you need to enable SYSLOG forwarding for successful RADIUS authentications to a SYSLOG server and check the events - they contain attributes similar to "days remaining=xxx" (I don't recall the exact string) and also TLS version and cipher details. It's very handy.

But you must configure your ISE Authorization Profiles to re-auth WIRED endpoints periodically (e.g. reauth every 65535 seconds) to get these SYSLOG events. If you don't reauth 802.1X wired clients, then you might have missed the auth that could have potentially happened a long time ago when the device was first connected to a switch.

Web-based clients should not be using TLS 1.0 (e.g. web browsers from guests) - that must be some ancient equipment I would not want on my network. The focus should be on 802.1X clients, and also DNAC (if you're using it).
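The approach above (forward successful RADIUS authentications to a syslog collector, then look at the TLS version and cipher attributes in each event) is easy to turn into a small inventory script. The example below is added here and is not code from the thread or from Cisco; the syslog lines it parses are constructed for the example in an ISE-like "Key=Value, Key=Value" layout, and the attribute names it looks for (TLSVersion, TLSCipher, EapAuthentication, Calling-Station-ID, NAS-IP-Address) are assumptions that should be checked against the exact strings in your own ISE syslog output. It groups authentications by endpoint, reports every endpoint that negotiated TLS 1.0 or 1.1, and separately counts events that carry no TLS attributes at all (MAB, PAP, etc.), since those tell you nothing either way. As noted above, wired endpoints that never re-authenticate never generate these events, so the inventory is only as complete as your reauth timer allows.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not real ISE output). The key=value
# attribute names used here are assumptions for the example.
SAMPLE_SYSLOG = """\
<182>Jul 02 10:15:01 ise-psn1 CISE_Passed_Authentications 0000012345 1 0 2025-07-02 10:15:01.123 +00:00 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=host/laptop01.example.local, Calling-Station-ID=00-11-22-33-44-55, NAS-IP-Address=10.0.1.10, NAS-Port-Id=GigabitEthernet1/0/5, EapAuthentication=EAP-TLS, TLSVersion=TLSv1.2, TLSCipher=ECDHE-RSA-AES256-GCM-SHA384
<182>Jul 02 10:15:07 ise-psn1 CISE_Passed_Authentications 0000012346 1 0 2025-07-02 10:15:07.456 +00:00 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=SEP001122AABBCC, Calling-Station-ID=00-11-22-AA-BB-CC, NAS-IP-Address=10.0.1.10, NAS-Port-Id=GigabitEthernet1/0/7, EapAuthentication=EAP-TLS, TLSVersion=TLSv1.0, TLSCipher=AES256-SHA
<182>Jul 02 10:15:12 ise-psn1 CISE_Passed_Authentications 0000012347 1 0 2025-07-02 10:15:12.789 +00:00 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=switch-core-01, Calling-Station-ID=10.0.2.1, NAS-IP-Address=10.0.2.1, EapAuthentication=EAP-FAST, TLSVersion=TLSv1.0, TLSCipher=AES128-SHA
<182>Jul 02 10:15:20 ise-psn1 CISE_Passed_Authentications 0000012348 1 0 2025-07-02 10:15:20.001 +00:00 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=printer-3f, Calling-Station-ID=00-11-22-DD-EE-FF, NAS-IP-Address=10.0.1.11, NAS-Port-Id=GigabitEthernet1/0/2
<182>Jul 02 10:16:02 ise-psn1 CISE_Passed_Authentications 0000012349 1 0 2025-07-02 10:16:02.222 +00:00 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=SEP001122AABBCC, Calling-Station-ID=00-11-22-AA-BB-CC, NAS-IP-Address=10.0.1.10, NAS-Port-Id=GigabitEthernet1/0/7, EapAuthentication=EAP-TLS, TLSVersion=TLSv1.0, TLSCipher=AES256-SHA
"""

# Versions that the planned change would break.
LEGACY_TLS = {"TLSv1.0", "TLSv1.1"}

# Matches "Key=Value" pairs separated by commas; keys may contain hyphens.
ATTR_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]*)")


def parse_attrs(line):
    """Return the key=value attributes of one syslog line as a dict."""
    return {k: v.strip() for k, v in ATTR_RE.findall(line)}


def summarize_versions(lines):
    """Count events per negotiated TLS version; 'unknown' = no TLS attribute."""
    counts = Counter()
    for line in lines:
        if "Passed-Authentication" not in line:
            continue
        attrs = parse_attrs(line)
        counts[attrs.get("TLSVersion", "unknown")] += 1
    return counts


def find_legacy_tls(lines):
    """Group legacy-TLS authentications by endpoint (Calling-Station-ID).

    Returns {endpoint: {"count", "versions", "ciphers", "eap", "nas", "users"}}
    so each entry tells you what to fix (device, EAP method, switch) rather
    than just that something somewhere still speaks TLS 1.0.
    """
    report = defaultdict(lambda: {"count": 0, "versions": set(), "ciphers": set(),
                                  "eap": None, "nas": set(), "users": set()})
    for line in lines:
        if "Passed-Authentication" not in line:
            continue
        attrs = parse_attrs(line)
        version = attrs.get("TLSVersion")
        if version not in LEGACY_TLS:
            continue
        endpoint = attrs.get("Calling-Station-ID", "<no Calling-Station-ID>")
        entry = report[endpoint]
        entry["count"] += 1
        entry["versions"].add(version)
        entry["ciphers"].add(attrs.get("TLSCipher", "?"))
        entry["eap"] = attrs.get("EapAuthentication", entry["eap"])
        entry["nas"].add(attrs.get("NAS-IP-Address", "?"))
        entry["users"].add(attrs.get("UserName", "?"))
    return dict(report)


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    print("Events per TLS version:", dict(summarize_versions(lines)))
    for endpoint, e in find_legacy_tls(lines).items():
        print(f"{endpoint}: {e['count']} auth(s) via {e['eap']} using "
              f"{sorted(e['versions'])} {sorted(e['ciphers'])} "
              f"on NAS {sorted(e['nas'])} as {sorted(e['users'])}")
```

Point the script at the exported syslog file instead of SAMPLE_SYSLOG and run it over at least one full reauth interval before you flip the setting; an empty legacy list only means something if every 802.1X endpoint has had a chance to re-authenticate during the capture window.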

 

Arne,

We do use DNAC, and this is exactly the type of information I was hoping for when I posted this. Thanks a ton.

Hi @pmcternan

Please take a look at: ISE - What we need to know about TLS.

About:

" ... if there is anyway to see or detect if anything is connecting to ISE is still using TLS 1.0 ... ", search the above link for Identify the TLS version.

" ... do disable it will this cause a reboot? ... ", search the above link for Particularities > Version and Particularities > Ciphers List.

Hope this helps!!!