ISE 3.x TLS version

Da ICS16
Level 1

Dear Community,

ISE 3.x versions use TLS 1.2 by default, and I cannot find an option to enable TLS 1.3.

To avoid the use of weak ciphers in TLS 1.2, do you have any recommendations/advice on how to keep it secure, e.g. regarding protocols/ciphers such as

CBC, RC4, DES... or others?

If we disable CBC, RC4 and the other DES ciphers, what happens? Is there an impact on ISE and endpoint devices?

Thanks,
4 Replies

@Da ICS16 hi, check the guide below. HTH

https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_segmentation.html

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

JPavonM
VIP

TLS 1.3 is available on ISE 3.3:

(screenshot attached)

Arne Bier
VIP

Don't get too excited yet about TLS 1.3 support in ISE. For most folks the only advantage of enabling this (it's disabled by default) is that the ISE Admin UI will now negotiate TLS 1.3 with your browser. Yay. But there is no TLS 1.3 for the Guest Portal - I don't remember if I checked the Sponsor Portal - I suspect it's also not running 1.3 yet. 

I have not tested EAP-TLS yet with TLS 1.3 enabled

Just be aware also that if you change these settings in ISE, it will restart ALL of your nodes at the SAME TIME. This means you must plan an outage window in which your entire ISE deployment is offline for 10-15 minutes (or however long it takes to restart services in your case). If you decide to be brave (or stupid) enough to disable TLS 1.0/1.1 on an ISE deployment that operates 802.1X to clients, then you might be in for a bad day, because of older devices that still work with TLS 1.0 - I was bitten by this with a customer who had older Cisco deskphones that only did TLS 1.0 on EAP-TLS. The best course of action is to trawl your SIEM (or your entire SYSLOG database) looking for what TLS version was used - if you find 1.0 or 1.1 then find those devices and try to swap them out. Otherwise, don't disable those old protocols.

Perfect Answer 

MHM
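Arne Bier's advice above (search the syslog/SIEM data for the TLS version each endpoint negotiated before disabling anything) and the original question about CBC/RC4/DES ciphers can both be answered from the same logs. The script below is an added example, not something posted in this thread or shipped with ISE: it parses constructed, ISE-style key=value syslog lines, picks out the `TLSVersion` and `TLSCipher` attributes per `Calling-Station-ID`, and reports which endpoints still rely on TLS 1.0/1.1 or on non-AEAD (CBC), RC4 or DES/3DES ciphers. The exact attribute names, the version strings and the sample lines are assumptions modelled on ISE authentication detail records; check them against your own exported logs before relying on the output.

```python
"""
Added example (not from the thread, not ISE code): find endpoints that still
negotiate legacy TLS versions or weak cipher suites, using ISE-style syslog
records. Attribute names (TLSVersion, TLSCipher, Calling-Station-ID), version
strings and the sample lines below are assumptions / constructed data.
"""
import re
from collections import defaultdict

# Constructed sample records, loosely shaped like ISE RADIUS authentication
# syslog output. They are not real captures.
SAMPLE_LOGS = """\
<181>Jul 12 10:01:02 ise-psn1 CISE_Passed_Authentications 0000000001 1 0 NAS-IP-Address=10.0.0.1, Calling-Station-ID=00-11-22-33-44-55, EapAuthentication=EAP-TLS, TLSVersion=TLSv1.2, TLSCipher=ECDHE-RSA-AES256-GCM-SHA384,
<181>Jul 12 10:01:07 ise-psn1 CISE_Passed_Authentications 0000000002 1 0 NAS-IP-Address=10.0.0.1, Calling-Station-ID=AA-BB-CC-DD-EE-01, EapAuthentication=EAP-TLS, TLSVersion=TLSv1, TLSCipher=AES128-SHA,
<181>Jul 12 10:01:09 ise-psn1 CISE_Passed_Authentications 0000000003 1 0 NAS-IP-Address=10.0.0.2, Calling-Station-ID=AA-BB-CC-DD-EE-02, EapAuthentication=EAP-TLS, TLSVersion=TLSv1.2, TLSCipher=DES-CBC3-SHA,
<181>Jul 12 10:01:15 ise-psn1 CISE_Passed_Authentications 0000000004 1 0 NAS-IP-Address=10.0.0.2, Calling-Station-ID=AA-BB-CC-DD-EE-03, EapAuthentication=EAP-TLS, TLSVersion=TLSv1.1, TLSCipher=RC4-SHA,
<181>Jul 12 10:01:20 ise-psn1 CISE_Passed_Authentications 0000000005 1 0 NAS-IP-Address=10.0.0.3, Calling-Station-ID=AA-BB-CC-DD-EE-04, AuthenticationMethod=Lookup,
"""

# key=value pairs separated by commas, as in ISE attribute lists.
KV_RE = re.compile(r"(?P<key>[A-Za-z][A-Za-z0-9_-]*)=(?P<val>[^,]*)")

# Assumed spellings of the pre-1.2 versions; adjust to what your logs show.
LEGACY_VERSIONS = {"TLSv1", "TLSv1.0", "TLSv1.1"}
# OpenSSL-style names mark AEAD modes explicitly; everything else built on a
# block cipher is CBC, even when "CBC" does not appear in the name (AES128-SHA).
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
BROKEN_ALGOS = ("RC4", "DES")  # "DES" also matches 3DES names such as DES-CBC3-SHA


def parse_kv(line):
    """Return the key=value attributes of one syslog line as a dict."""
    return {m.group("key"): m.group("val").strip() for m in KV_RE.finditer(line)}


def cipher_findings(cipher):
    """Return the reasons an OpenSSL-style cipher suite name counts as weak."""
    upper = cipher.upper()
    reasons = [algo for algo in BROKEN_ALGOS if algo in upper]
    # RC4 is a stream cipher, so it is neither CBC nor AEAD; for the rest,
    # a missing AEAD marker means a CBC-mode suite.
    if "RC4" not in upper and not any(marker in upper for marker in AEAD_MARKERS):
        reasons.append("CBC")
    return reasons


def classify(attrs):
    """Findings for one record: legacy protocol version and/or weak cipher."""
    findings = []
    version = attrs.get("TLSVersion")
    cipher = attrs.get("TLSCipher")
    if version in LEGACY_VERSIONS:
        findings.append(f"legacy protocol {version}")
    if cipher:
        for reason in cipher_findings(cipher):
            findings.append(f"{reason} cipher {cipher}")
    return findings


def scan(lines):
    """Map each endpoint (Calling-Station-ID) to its sorted, de-duplicated findings.

    Records without TLS attributes (e.g. MAB lookups) are skipped; endpoints
    with only clean TLS 1.2 AEAD sessions are omitted from the result.
    """
    per_endpoint = defaultdict(set)
    for line in lines:
        attrs = parse_kv(line)
        if "TLSVersion" not in attrs and "TLSCipher" not in attrs:
            continue
        endpoint = attrs.get("Calling-Station-ID", "<unknown>")
        per_endpoint[endpoint].update(classify(attrs))
    return {mac: sorted(f) for mac, f in per_endpoint.items() if f}


if __name__ == "__main__":
    for endpoint, findings in scan(SAMPLE_LOGS.splitlines()).items():
        print(f"{endpoint}: {'; '.join(findings)}")
```

Run it over a syslog export (one record per line) instead of `SAMPLE_LOGS` to get the list of endpoints that would break, or downgrade to a fallback, if TLS 1.0/1.1 or the CBC/RC4/DES suites were removed; an empty result for the legacy versions is the precondition Arne Bier describes for disabling them.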