
Restrict TLS version in RADIUS Policy

Walker
Level 1

I am in the process of migrating from v2.4 to v3.1 and during this process, a new device type was introduced to our network that only supports TLSv1.0. On the new v3.1 ISE server, I have disabled TLSv1.0 and TLSv1.1 in the security settings. The devices are currently working on our v2.4 server because all TLS versions are enabled.

My question - If I enable TLSv1.0 on my v3.1 ISE server, is there a way to restrict authentication to all devices to TLSv1.2 except if it is this specific device? I am browsing the RADIUS attributes but unable to find anything relevant.

 

Any suggestions are appreciated.

1 Accepted Solution


Rodrigo Diaz
Cisco Employee

Hi @Walker, unfortunately, as per the current versions of ISE, such a feature is not possible. If you go to the menu displayed below (Administration > System > Settings > Security Settings) and enable/disable TLS versions, this is a global configuration that is implemented in all the nodes within your deployment, and there is no way to restrict what you suggest by rules. The ideal would be for you to update the device you mention, which uses TLS 1.0, to one of the newest versions.

 

RodrigoDiaz_0-1672865229393.png

Let me know if that helped you.

 


2 Replies


 

@Rodrigo Diaz Thanks for confirmation. We have already pressed the vendor to update to TLSv1.2 but I suspect that won't happen anytime soon.