Nancy Saini
Cisco Employee

ISE as a server with TLS 1.2

Hi,

Is server-based TLS 1.2 supported on ISE 2.4?

The release notes mention only client-based TLS 1.2: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/release_notes/b_ise_24_rn.html#id_82769

Regards,

Nancy

Accepted Solutions
Marvin Rhoads
Hall of Fame Guru

An ISE 2.4 server will support both TLS 1.1 and TLS 1.2 connections.

I confirmed this using nmap with the enum ciphers script, as shown in the output below.

Nmap scan report for 172.31.1.12
Host is up (0.00s latency).

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, RTSPRequest, SSLSessionReq, TLSSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Date: Tue, 16 Apr 2019 10:07:19 GMT
|     Connection: close
|     Server:
|   FourOhFourRequest: 
|     HTTP/1.1 302 Found
|     Strict-Transport-Security: max-age=86400
|     Location: https://localhost/admin/
|     Content-Length: 0
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|     Server:
|   GetRequest: 
|     HTTP/1.1 302 Found
|     Strict-Transport-Security: max-age=86400
|     Location: https://localhost/admin/
|     Content-Length: 0
|     Date: Tue, 16 Apr 2019 10:07:09 GMT
|     Connection: close
|     Server:
|   HTTPOptions: 
|     HTTP/1.1 405 Method Not Allowed
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|     Server:
|   tor-versions: 
|     HTTP/1.1 400 Bad Request
|     Date: Tue, 16 Apr 2019 10:07:14 GMT
|     Connection: close
|_    Server:
|_http-server-header: <empty>
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-enum-ciphers: 
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A
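Added example, not code from the thread: a small Python parser for the ssl-enum-ciphers section of an nmap report, run over a constructed excerpt modelled on the scan above. It lists which protocol versions the server offers and flags the findings a reviewer would act on, the 1024-bit DH key exchange nmap warned about and any legacy version still enabled.

```python
import re

# Constructed excerpt modelled on the ISE 2.4 nmap output in the answer above.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|_  least strength: A
"""

VERSION_RE = re.compile(r"^\|\s{3}(SSLv3|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s{7}(TLS_\S+) \(([^)]+)\) - ([A-F])\s*$")

def parse_enum_ciphers(text):
    """Return {version: [(suite, kx_kind, kx_bits_or_None, grade), ...]}."""
    result, current = {}, None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
        elif current is not None and (m := CIPHER_RE.match(line)):
            suite, kx, grade = m.groups()
            parts = kx.split()  # "dh 1024" -> dh/1024; "secp256r1" -> no bit size
            bits = int(parts[1]) if len(parts) > 1 else None
            result[current].append((suite, parts[0], bits, grade))
    return result

def assess(parsed):
    """Findings a defender would act on: legacy versions, sub-2048-bit DH, no AEAD."""
    findings = []
    for version in ("SSLv3", "TLSv1.0", "TLSv1.1"):
        if version in parsed:
            findings.append(f"{version} still enabled")
    for version, suites in parsed.items():
        for suite, kx, bits, _ in suites:
            if kx == "dh" and bits is not None and bits < 2048:
                findings.append(f"{version}: {suite} uses {bits}-bit DH")
        if suites and not any("_GCM_" in s[0] for s in suites):
            findings.append(f"{version}: no AEAD (GCM) suites offered")
    return findings
```

Feed it the ssl-enum-ciphers block from a real `nmap --script ssl-enum-ciphers -p 443` run to get the same per-version listing and findings for your own node.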

Jason Kunst
Cisco Employee