I want to be able to enable or disable specific ciphers or TLS versions for a specific authentication protocol definition:
Policy -> Policy elements -> Authentication -> Allowed protocols
Currently all I can do is enable or disable weak ciphers (see attached picture), or enable or disable TLS1.0/TLS1.1 installation-wide (Admin -> System -> Settings -> Protocols -> Security settings).
Are there any plans for doing this in the future?
If not, then please add options to enable or disable these already-existing settings to the auth protocol definition settings.
For cipher suite selections, I don't need a fancy cipher suite selection UI - a simple string field for cipher suites (as input to OpenSSL) would be fine. But a simple "enable weak ciphers" is not good enough, if I for some reason need to disable a specific cipher set.
My name is Tal Surasky and I'm one of ISE's product managers.
Currently, changing protocol settings is something we can do in deployment-wide settings only, and not, as you requested, per policy.
Can you please elaborate on the use case and why you need this option?
The use cases for changing TLS cipher/protocol settings per policy, and not deployment-wide, are the following:
E.g. use EAP-PEAP-MD5 or similar as a replacement for MAB, for devices that support EAP – but will most certainly have devices that only support older protocol versions and weaker ciphers.