ISE legacy cipher suites

Mad Max
Level 1

Hello Dear Community

I hope you can help me to clarify a simple question about clients authenticating using dot1x.

The environment:

Authenticator Server: ISE running 2.4

Authenticator: Catalyst 2960-X

Supplicant: A printer dealing only with TLSv1.0

My problem is: there are about 70 printers that can only deal with TLSv1.0 while authenticating. Replacing them all is not an option right now, and according to the vendor there is currently no firmware upgrade to improve this situation.

While authenticating, an error occurs saying that the client is trying to use a lower version than TLSv1.2.

My question is:

Will going to System -> Security Settings and allowing legacy versions of TLS also allow these insecure protocols for the HTTPS Portal of ISE?

I hope my question was clearly formulated.

Thanks in advance for your input

Regards,

 

Accepted Solutions

 

 - Below are a few threads which you may want to review concerning the issue; in the first one I notice a passage from Mr. haslai stating: "The security settings in ISE 2.3 do not affect ISE web portals, such as sponsor and guest. ISE 2.4 has not yet been released so please check it out at http://cs.co/ise-beta". I tend to think it will be the same in 2.4.

  https://community.cisco.com/t5/network-access-control/cisco-ise-tls/m-p/3549414

  https://community.cisco.com/t5/network-access-control/ise-legacy-cipher-suites/td-p/3056777

 M.



-- "Good body every evening": this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!


3 Replies

marce1000
VIP

 

 - Since you have a very specific printer model for which you want to resolve this, would it not be best to try it out?

  M.




Hello marce1000

Thanks for replying so quickly. Sure, this is an option.

Applying for such a change implies a bit of paperwork inside the company.

Therefore I first need to double-check with the security team before I can apply a change in the system. I also have not been provided with a test environment. And I couldn't find a clear statement regarding this option in the documentation.

I must be sure my changes won't affect the HTTPS Portal by allowing weak ciphers. I want only clients to be authenticated with the weak cipher.

Regards,
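
Added example, not part of the thread or of Cisco's tooling: a per-version TLS probe that can be run against the portal listener before and after the Security Settings change, to confirm whether it negotiates anything below TLSv1.2. The host and port are supplied by the operator, and the function names (`pinned_context`, `probe`, `audit`) are illustrative.

```python
import socket
import ssl
import sys

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # testing protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    # Modern OpenSSL builds refuse TLS 1.0/1.1 at the default security level,
    # so every legacy probe would look "rejected". Lower it for the probe only.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port, version, timeout=5.0):
    """Return 'accepted', 'rejected', 'unreachable' or 'client-unsupported'."""
    try:
        ctx = pinned_context(version)
    except (ValueError, ssl.SSLError):
        return "client-unsupported"  # local TLS library cannot offer this version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"         # no TCP listener: says nothing about TLS
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "accepted"        # handshake completed at the pinned version
    except OSError:                  # ssl.SSLError and timeouts are OSError subclasses
        return "rejected"
    finally:
        raw.close()                  # harmless if wrap_socket already took the fd

def audit(host, port):
    return {name: probe(host, port, v) for name, v in VERSIONS.items()}

if __name__ == "__main__":
    # Usage: python tls_probe.py <host> <port>   (values supplied by the operator)
    host, port = sys.argv[1], int(sys.argv[2])
    for name, result in audit(host, port).items():
        print(f"{host}:{port} {name}: {result}")
```

A `client-unsupported` result means the machine running the probe cannot offer that version at all, so the check has to be repeated from a host whose TLS library still can.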

 
