07-11-2024 09:15 PM - last edited on 07-11-2024 09:45 PM by shaiksh
Dear Community,
ISE 3.x versions use TLS 1.2 by default, and I cannot find an option to enable TLS 1.3.
To avoid the use of weak ciphers in TLS 1.2, do you have any recommendation/advice to keep it secure, like the protocols
CBC, RC4, DES... or others?
In case we disable CBC, RC4 and the other DES ciphers, what occurs? Is there an impact on ISE and endpoint devices?
Thanks,
07-11-2024 10:21 PM
@Da ICS16 hi, check below guide. HTH
07-12-2024 07:08 AM
TLS 1.3 is available on ISE 3.3:
07-12-2024 03:11 PM
Don't get too excited yet about TLS 1.3 support in ISE. For most folks the only advantage of enabling this (it's disabled by default) is that the ISE Admin UI will now negotiate TLS 1.3 with your browser. Yay. But there is no TLS 1.3 for the Guest Portal - I don't remember if I checked the Sponsor Portal - I suspect it's also not running 1.3 yet.
I have not tested EAP-TLS yet with TLS 1.3 enabled.
Just be aware also that if you change these settings in ISE, it will restart ALL of your nodes at the SAME TIME. This means you must plan an outage window in which your entire ISE deployment is offline for 10-15 minutes (or however long it takes to restart services in your case) - if you decide to be brave (or stupid) and disable TLS 1.0/1.1 on your ISE deployment that operates 802.1X to clients, then you might be in for a bad day, because of older devices that still work with TLS 1.0 - I was bitten by this with a customer who had older Cisco deskphones that only did TLS 1.0 on EAP-TLS. The best course of action is to trawl your SIEM (or your entire SYSLOG database) looking for what TLS version was used - if you find 1.0 or 1.1 then find those devices and try to swap them out. Otherwise, don't disable those old protocols.
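As an added illustration of the "trawl your syslog for the TLS version" step above (example code, not from the poster or from Cisco): the script below scans authentication syslog lines for the TLS version each endpoint negotiated and lists the endpoints that would break if TLS 1.0/1.1 were disabled. The sample lines are constructed, and the `TLSVersion=`/`TLSCipher=` attribute names are assumptions; adjust the regexes to the field names your SIEM actually stores.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of ISE RADIUS authentication syslog.
# Attribute names (TLSVersion=, TLSCipher=) are assumptions for this example.
SAMPLE_SYSLOG = """\
<181>Jul 12 09:01:10 ise-psn1 CISE_Passed_Authentications Calling-Station-ID=AA-BB-CC-DD-EE-01, EapAuthentication=EAP-TLS, TLSVersion=TLSv1.2, TLSCipher=ECDHE-RSA-AES256-GCM-SHA384
<181>Jul 12 09:01:12 ise-psn1 CISE_Passed_Authentications Calling-Station-ID=00-11-22-33-44-55, EapAuthentication=EAP-TLS, TLSVersion=TLSv1.0, TLSCipher=AES128-SHA
<181>Jul 12 09:03:40 ise-psn2 CISE_Passed_Authentications Calling-Station-ID=00-11-22-33-44-55, EapAuthentication=EAP-TLS, TLSVersion=TLSv1.0, TLSCipher=AES128-SHA
<181>Jul 12 09:04:05 ise-psn2 CISE_Passed_Authentications Calling-Station-ID=66-77-88-99-AA-BB, EapAuthentication=PEAP, TLSVersion=TLSv1.1, TLSCipher=AES256-SHA
<181>Jul 12 09:05:30 ise-psn1 CISE_Passed_Authentications Calling-Station-ID=DE-AD-BE-EF-00-01, AuthenticationMethod=Lookup, Protocol=Radius
"""

# "TLSv1" with no minor version is reported by some stacks for TLS 1.0.
TLS_RE = re.compile(r"TLSVersion=(?P<ver>TLSv1(?:\.\d)?)")
MAC_RE = re.compile(r"Calling-Station-ID=(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})")
LEGACY_VERSIONS = {"TLSv1", "TLSv1.0", "TLSv1.1"}


def tls_versions_by_endpoint(lines):
    """Map each endpoint MAC to the set of TLS versions it negotiated.

    Lines without a TLSVersion attribute (e.g. MAB lookups) are skipped,
    since they tell us nothing about the endpoint's TLS support.
    """
    seen = defaultdict(set)
    for line in lines:
        ver = TLS_RE.search(line)
        mac = MAC_RE.search(line)
        if ver and mac:
            seen[mac.group("mac").upper()].add(ver.group("ver"))
    return dict(seen)


def legacy_tls_endpoints(lines):
    """Endpoints that used TLS 1.0/1.1 at least once: the ones that would
    fail 802.1X if those protocol versions were disabled on ISE."""
    by_mac = tls_versions_by_endpoint(lines)
    return sorted(mac for mac, vers in by_mac.items() if vers & LEGACY_VERSIONS)


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for mac, vers in sorted(tls_versions_by_endpoint(lines).items()):
        print(f"{mac}: {', '.join(sorted(vers))}")
    print("Swap out before disabling TLS 1.0/1.1:", legacy_tls_endpoints(lines))
```

On a real deployment, feed it the exported syslog or SIEM search results one line at a time instead of the embedded sample.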
07-12-2024 03:15 PM
Perfect Answer
MHM