ISE legacy cipher suites

rmueller@cisco.com
Cisco Employee

Hello team,

got the following question from my customer:

I'm a little bit confused regarding the legacy SSL cipher settings within Cisco ISE.

My question is regarding the settings in the ISE GUI under: Administration > System > Settings / Protocols > Security Settings:

Enable TLS 1.0 only for legacy clients

Enable SHA-1 only for legacy clients

In the ISE GUI, the tooltip states:

Enable [TLS 1.0 | SHA-1 cipher suites] only for legacy clients for EAP-TLS, PEAP, EAP-FAST and EAP-TTLS protocols and for legacy secure services

--> So the tooltip states that this setting actually affects EAP protocols which use SSL/TLS (e.g. EAP-TLS and PEAP)

Contrary to this, the ISE 2.2 admin guide documentation states:

The following workflow is not affected by the Security Settings:
Cisco ISE acts as an EAP-TLS, EAP-TTLS, PEAP, or EAP-FAST server that authenticates clients to
provide them access to the network

--> The admin guide states that these settings do not affect EAP protocols which use SSL/TLS (e.g. EAP-TLS and PEAP)

So, which statement is correct?

Thanks in advance.

Roland

Accepted Solutions

hslai
Cisco Employee

The ISE 2.2 admin guide is correct and we have also updated it in the ISE 2.2 admin web UI (see the video below). I believe all our ISE admin guides are showing the correct info.

Video Link : 16264

Hi Roland and "hslai",

thank you so much for bringing light into this.

There is also an open topic in the Supportforums:

https://supportforums.cisco.com/discussion/13291721/ise-legacy-cipher-suites

I'll share this finding there as well

I know this post is old, but do you have an updated link for the video? It's not found when I click on it.

thomas
Cisco Employee

Please provide direct links to any incorrect documents so we can forward to our Docs team.