Solved: Cisco prime 2.1 / 2.2 support for Cisco ise 1.3 ?

alois.heilmaier · ‎11-20-2014

Hi, I just tried to connect cisco PI 2.1 to cisco ISE 1.3, but fails.
I read the release Notes, only ISE 1.2 ist supported.
But I was wondering that the ssl handshake fails (I have done a packet capture).
So PI 2.1 has not tried to connect to ise 1.3 via api, because of the connection fails at the ssl handshake stage.

Anyway, does anybody know if ISE 1.3 will be supported with PI 2.2 or a version of PI 2.1.x ?

Leo Laohoo · ‎11-20-2014

CPI 2.1.2 supports up to ISE 1.2. CPI 2.2 release date is scheduled for December 2014. Read below.

Table 4 Cisco Prime Infrastructure and Cisco Wireless Release Compatibility Matrix

View solution in original post

Leo Laohoo · ‎11-20-2014

CPI 2.1.2 supports up to ISE 1.2. CPI 2.2 release date is scheduled for December 2014. Read below.

Table 4 Cisco Prime Infrastructure and Cisco Wireless Release Compatibility Matrix

Mats Nilson · ‎12-02-2014

Why doesn't the REST API communication in Prime 2.1 (2.1.0.0.87) support TLS? The platform itself seem to be able to handle TLS-DHE-RSA with AES-128-CBC-SHA. Why is it trying to use SSLv2 ?

These protocol is incompatible and very much outdated: http://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0

Can this behavour be reconfigured in CLI or at least be allowed in ISE 1.3 to make a workaround until a working patch or upgrade is done? Could or should adding the Cisco Prime server as managed node in ISE circumvent the incompability?

alois.heilmaier · ‎12-02-2014

You are right I have not seen that in my trace. Cisco Prime 2.1 really tries sslv2.

Also using PI Version Identifier 2.1.0.0.87.

If there ist basic security implemented in the product I think older, supported ise Versions (1.1 or 1.2) should not work also.

So it seems to be a bug, not a unsupported product matrix.