ISE as a server with TLS 1.2

Nancy Saini
Cisco Employee

Hi,

Is server-based TLS 1.2 supported on ISE 2.4?

The release notes mention only client-based TLS 1.2: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/release_notes/b_ise_24_rn.html#id_82769

Regards,

Nancy

2 Accepted Solutions

Marvin Rhoads
Hall of Fame

An ISE 2.4 server will support both TLS 1.1 and TLS 1.2 connections.

I confirmed this using nmap with the enum ciphers script as shown in the output below.

Nmap scan report for 172.31.1.12
Host is up (0.00s latency).

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, RTSPRequest, SSLSessionReq, TLSSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Date: Tue, 16 Apr 2019 10:07:19 GMT
|     Connection: close
|     Server:
|   FourOhFourRequest: 
|     HTTP/1.1 302 Found
|     Strict-Transport-Security: max-age=86400
|     Location: https://localhost/admin/
|     Content-Length: 0
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|     Server:
|   GetRequest: 
|     HTTP/1.1 302 Found
|     Strict-Transport-Security: max-age=86400
|     Location: https://localhost/admin/
|     Content-Length: 0
|     Date: Tue, 16 Apr 2019 10:07:09 GMT
|     Connection: close
|     Server:
|   HTTPOptions: 
|     HTTP/1.1 405 Method Not Allowed
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|     Server:
|   tor-versions: 
|     HTTP/1.1 400 Bad Request
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|_    Server:
|_http-server-header: <empty>
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-enum-ciphers: 
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A
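To turn a scan like the one above into a repeatable check, here is an added Python example (not from the thread or from Cisco) that parses the ssl-enum-ciphers block and flags what a defender would act on before hardening the admin portal: TLS 1.2 present, TLS 1.1 still enabled, the 1024-bit DHE groups nmap itself warned about, and cipher order left to the client. The sample input is a trimmed copy of the output posted in the thread; the checks themselves are assumptions about what an ISE administrator would want to verify.

```python
import re

# Constructed sample: trimmed copy of the ssl-enum-ciphers block posted in the thread.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     cipher preference: client
|_  least strength: A
"""

PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\w+) \(([^)]*)\) - ([A-F])\s*$")
PREF_RE = re.compile(r"^\|\s+cipher preference: (\w+)")


def parse_enum_ciphers(text):
    """Map each offered protocol to its (name, key exchange, grade) ciphers and preference."""
    result, current = {}, None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            current = result.setdefault(m.group(1), {"ciphers": [], "preference": None})
        elif current is not None and (m := CIPHER_RE.match(line)):
            current["ciphers"].append((m.group(1), m.group(2), m.group(3)))
        elif current is not None and (m := PREF_RE.match(line)):
            current["preference"] = m.group(1)
    return result


def assess(parsed):
    """Findings a defender would act on; an empty list means nothing to flag."""
    findings = []
    if "TLSv1.2" not in parsed:
        findings.append("TLS 1.2 not offered")
    for old in ("SSLv3", "TLSv1.0", "TLSv1.1"):
        if old in parsed:
            findings.append(f"{old} still enabled")
    for proto, info in parsed.items():
        # nmap's own warning: 1024-bit DH groups are weaker than the RSA-2048 certificate key
        if any(kex == "dh 1024" for _, kex, _ in info["ciphers"]):
            findings.append(f"{proto}: 1024-bit DHE key exchange offered")
        if info["preference"] == "client":
            findings.append(f"{proto}: cipher order left to the client")
    return findings
```

Run `assess(parse_enum_ciphers(SAMPLE))` against the full scan output (or the output of a later `nmap --script ssl-enum-ciphers` run) to confirm that TLS 1.1 and the 1024-bit DHE groups are gone after hardening.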
