Cisco Firepower User Agent support for TLSv1.2

borman.bravo
Level 1

Can someone please confirm whether the Firepower User Agent 2.4 supports TLSv1.2? I disabled TLSv1.0 on my Windows Server 2016 domain controller and I'm not getting any mappings anymore. Thank you.

7 Replies

Marvin Rhoads
Hall of Fame

User Agent to FMC should support strong ciphers.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/24/config-guide/Firepower-User-Agent-Configuration-Guide-v2-4/ConfigAgent.html

Is your User Agent running on the DC itself?

Hi Marvin, yes, it is running on the domain controllers, thanks.

Thank you for your reply and Happy New Year!

The article you referred me to has no mention of TLSv1.2 support for the User Agent, which is the question I had. Would you know if this is supported in 6.4?

nspasov
Cisco Employee

I would recommend reaching out to Cisco TAC to have this verified, but the last time I checked, the User Agent only supported TLSv1.0.

Thank you for rating helpful posts!

I'm seeing a similar issue. According to this, no: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve30062/?rfs=iqvred

I'm flabbergasted by the suggested workaround. Is this a push to get people off the FREE User Agent and onto a licensed ISE product?

CSCve30062

Symptom:
User agent cannot communicate with the Firepower Management Center. The following error is displayed on the user agent:

[The client and server cannot communicate, because they do not possess a common algorithm]

Conditions:
The server hosting the user agent has TLS 1.0 disabled.

Workaround:
Enable TLS 1.0 on the machine where user agent is running. If security policy forbids enabling TLS 1.0 on that machine, install the user agent on a different machine. (For security reasons, you might not want the TLS 1.0 to run on your Active Directory server, for example.)
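A check for the conditions the bug describes, added here as an example and not part of the thread or of Cisco's documentation. It reads the SChannel client-side registry values that decide whether Windows applications on the agent host may offer TLS 1.0, 1.1 and 1.2; probes which protocol versions a given TLS server will actually negotiate, so you can tell a client-side restriction apart from a server-side one; and shows the registry change the documented workaround corresponds to. The host name fmc.example.internal and port 443 are placeholders; substitute the FMC address and the port the agent connects on. Run it in an elevated Windows PowerShell session; the registry write takes effect only after a reboot.

```powershell
# Added example, not from the thread or from Cisco. Audits the SChannel client TLS
# protocol settings on this host, probes a remote TLS server for accepted versions,
# and encapsulates the CSCve30062 workaround (re-enabling the TLS 1.0 client).

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelClientState {
    param([Parameter(Mandatory)][string]$Protocol)
    $key   = Join-Path $SchannelBase "$Protocol\Client"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # Enabled=0 or DisabledByDefault=1 prevents this version from being offered.
    # If the key or value is absent, SChannel uses the OS default for that version.
    [pscustomobject]@{
        Protocol          = $Protocol
        Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(default)' }
        DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(default)' }
    }
}

function Test-TlsVersion {
    # Attempts a handshake offering exactly one protocol version. A "refused" result
    # for TLS 1.0 alongside a "negotiated" result for TLS 1.2 means the server is fine
    # and the failing client is the one that cannot speak 1.2.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Version
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Certificate validation is bypassed on purpose: this probes protocol support, not trust.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, ({ $true }))
        $ssl.AuthenticateAsClient($ComputerName, $null, $Version, $false)
        $result = "negotiated $($ssl.SslProtocol)"
        $ssl.Dispose()
    } catch {
        # The SChannel text seen in the bug ("...do not possess a common algorithm") lands here.
        $result = "refused: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Dispose()
    }
    [pscustomobject]@{ Offered = $Version; Result = $result }
}

function Enable-Tls10Client {
    # The workaround from CSCve30062, expressed as the registry values it requires.
    # Only appropriate on a host where policy permits TLS 1.0; the bug text itself
    # suggests moving the agent off the domain controller instead. Reboot afterwards.
    $key = Join-Path $SchannelBase 'TLS 1.0\Client'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Enabled           -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -Type DWord
}

# 1. Client side: what this host is allowed to offer.
$Protocols | ForEach-Object { Get-SchannelClientState -Protocol $_ } | Format-Table -AutoSize

# 2. Server side: what the FMC accepts (host and port are placeholders).
'Tls', 'Tls11', 'Tls12' | ForEach-Object {
    Test-TlsVersion -ComputerName 'fmc.example.internal' -Port 443 -Version $_
} | Format-Table -AutoSize

# 3. Uncomment only if you have decided to accept the workaround on this host.
# Enable-Tls10Client
```

If step 1 shows TLS 1.0 with Enabled=0 while step 2 shows the server negotiating TLS 1.2, the failure is entirely on the client: the agent is not offering a version the server will accept, which matches the bug's symptom and leaves you with the two choices the workaround lists.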

It definitely is. The User Agent is going out of support, and our fixes are to either re-enable TLS 1.0 (can't happen) or utilize ISE-PIC. We don't currently utilize ISE in our environment, so in order to have this functionality we would have to bring it in.

Yes, that is my understanding as well now. I was informed by TAC that ISE-PIC was the recommended approach... either that or replace with Palos :)