04-15-2019 06:01 PM
Hi,
Is server based TLS 1.2 supported on ISE 2.4?
The release notes mention only client-based TLS 1.2: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/release_notes/b_ise_24_rn.html#id_82769
Regards,
Nancy
04-16-2019 03:14 AM
An ISE 2.4 server will support both TLS 1.1 and TLS 1.2 connections.
I confirmed this using nmap with the enum ciphers script as shown in the output below.
Nmap scan report for 172.31.1.12
Host is up (0.00s latency).

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, RTSPRequest, SSLSessionReq, TLSSessionReq:
|     HTTP/1.1 400 Bad Request
|     Date: Tue, 16 Apr 2019 10:07:19 GMT
|     Connection: close
|     Server:
|   FourOhFourRequest:
|     HTTP/1.1 302 Found
|     Strict-Transport-Security: max-age=86400
|     Location: https://localhost/admin/
|     Content-Length: 0
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|     Server:
|   GetRequest:
|     HTTP/1.1 302 Found
|     Strict-Transport-Security: max-age=86400
|     Location: https://localhost/admin/
|     Content-Length: 0
|     Date: Tue, 16 Apr 2019 10:07:09 GMT
|     Connection: close
|     Server:
|   HTTPOptions:
|     HTTP/1.1 405 Method Not Allowed
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|     Server:
|   tor-versions:
|     HTTP/1.1 400 Bad Request
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|_    Server:
|_http-server-header: <empty>
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A
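An added example, not part of the thread or of Cisco's tooling: a small Python parser for nmap's ssl-enum-ciphers section that turns the per-protocol cipher list into data and then raises the review findings that sit behind nmap's uniform "A" grades (a deprecated protocol version still enabled, a 1024-bit DH group, static-RSA and CBC suites). The sample text is a constructed, trimmed copy of the scan output above.

```python
import re
# Constructed sample in nmap's ssl-enum-ciphers output format, trimmed
# from the scan in the thread above (ISE 2.4 admin interface, 443/tcp).
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|_  least strength: A
"""

PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.\d):$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\w+) \((\w+)(?: (\d+))?\) - ([A-F])$")

def parse_enum_ciphers(text):
    """Map each protocol version to its (cipher, kex, kex_bits, grade) tuples."""
    result, proto = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:                      # "|   TLSv1.2:" opens a new protocol section
            proto = m.group(1)
            result[proto] = []
            continue
        m = CIPHER_RE.match(line)  # "|       TLS_... (dh 1024) - A"
        if m and proto:
            cipher, kex, bits, grade = m.groups()
            result[proto].append((cipher, kex, int(bits) if bits else None, grade))
    return result

def audit(parsed):
    """Findings a hardening review raises even though nmap grades every suite 'A'."""
    findings = []
    for proto, suites in parsed.items():
        if proto in ("SSLv3", "TLSv1.0", "TLSv1.1"):
            findings.append(f"{proto}: deprecated protocol still enabled")
        for cipher, kex, bits, _grade in suites:
            if kex == "dh" and bits and bits < 2048:
                findings.append(f"{proto} {cipher}: {bits}-bit DH group")
            if kex == "rsa":
                findings.append(f"{proto} {cipher}: static RSA, no forward secrecy")
            if "_CBC_" in cipher:
                findings.append(f"{proto} {cipher}: CBC suite, prefer AEAD (GCM)")
    return findings
```

Run the full `nmap -sV --script ssl-enum-ciphers -p 443 <host>` output through parse_enum_ciphers and audit to get a change list instead of a letter grade; the 1024-bit DH finding is the same thing nmap's own "warnings" line points at.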
04-16-2019 10:41 PM