Solved: Re: ISE 3.0 TLS v1.2 enable.

Ricardo Matias Aires · ‎07-21-2021

Hi,

To enable TLS 1.2, I only need to uncheck 'Allow TLS 1.0' and 'Allow TLS 1.1' on Administration > System > Settings > Security Settings?

How do I check if TLS 1.2 is active after disabling 1.0 and 1.1 ?

Thanks

Marvin Rhoads · ‎07-21-2021

You can scan the ISE server using nmap afterwards to confirm.

nmap -p 443 --script ssl-enum-ciphers i <your ISE server address of FQDN>

Here's mine before and after making the setting change.

Before:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-22 13:08 Malay Peninsula Standard Time

Nmap scan report for ise-new.ccielab.mrneteng.com (172.31.1.12)

Host is up (0.00s latency).

rDNS record for 172.31.1.12: mydevices.ccielab.mrneteng.com

PORT    STATE SERVICE

443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Key exchange (dh 2048) of lower strength than certificate key
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Key exchange (dh 2048) of lower strength than certificate key
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Key exchange (dh 2048) of lower strength than certificate key
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|_  least strength: A
MAC Address: 00:0C:29:8D:FD:F9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.39 seconds

After:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-22 13:17 Malay Peninsula Standard Time

Nmap scan report for ise-new.ccielab.mrneteng.com (172.31.1.12)

Host is up (0.00s latency).

rDNS record for 172.31.1.12: sponsor.ccielab.mrneteng.com



PORT    STATE SERVICE

443/tcp open  https

| ssl-enum-ciphers: 

|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Key exchange (dh 2048) of lower strength than certificate key
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|_  least strength: A
MAC Address: 00:0C:29:8D:FD:F9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.20 seconds

View solution in original post

Marvin Rhoads · ‎07-21-2021

You can scan the ISE server using nmap afterwards to confirm.

nmap -p 443 --script ssl-enum-ciphers i <your ISE server address of FQDN>

Here's mine before and after making the setting change.

Before:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-22 13:08 Malay Peninsula Standard Time

Nmap scan report for ise-new.ccielab.mrneteng.com (172.31.1.12)

Host is up (0.00s latency).

rDNS record for 172.31.1.12: mydevices.ccielab.mrneteng.com

PORT    STATE SERVICE

443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Key exchange (dh 2048) of lower strength than certificate key
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Key exchange (dh 2048) of lower strength than certificate key
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Key exchange (dh 2048) of lower strength than certificate key
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|_  least strength: A
MAC Address: 00:0C:29:8D:FD:F9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.39 seconds

After:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-22 13:17 Malay Peninsula Standard Time

Nmap scan report for ise-new.ccielab.mrneteng.com (172.31.1.12)

Host is up (0.00s latency).

rDNS record for 172.31.1.12: sponsor.ccielab.mrneteng.com



PORT    STATE SERVICE

443/tcp open  https

| ssl-enum-ciphers: 

|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Key exchange (dh 2048) of lower strength than certificate key
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|_  least strength: A
MAC Address: 00:0C:29:8D:FD:F9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.20 seconds

Ricardo Matias Aires · ‎07-22-2021

Hello, Marvin.

Thanks for the information, it was a great help.

I can replay this action, in other versions of ISE?

Marvin Rhoads · ‎07-22-2021

You're welcome.

I believe the support for TLS 1.2 (and thus ability to disable TLS 1.0 and 1.1) was introduced early in the 2.x versions. I know it's in 2.4 and later for sure.

Ricardo Matias Aires · ‎07-22-2021

Perfect!

Thanks again Marvin.