Can TLS version be a condition in an authentication or authorization policy?

Nadav (Level 7)

Hi everyone,

I was wondering if I can create policy sets where the TLS version (and possibly even cipher suite) can be a stipulation for success. For example, if a certain group of endpoints support TLS 1.0, 1.1 and 1.2, I could demand that only if they negotiated on TLS 1.2 would authentication succeed.

Thanks!


4 Replies

Jason Kunst (Cisco Employee)
It seems like this is a duplicate of another question posted recently. Perhaps on another forum, or the same one from another team member?

Pretty sure the answer is no on this. I will double check.

It's a global setting, so if a client can do 1.2 then it does. If another client can't, it will negotiate lower if ISE is set to allow it.

Francesco Molino (VIP Alumni)
Hi,

You will need to enable the TLS version you authorize to communicate (authenticate) with ISE. By default (on version 2.x) it's TLS 1.2.

However, you won't be able to create policies based on TLS version. You can just play with the global settings by allowing TLS 1.0 and TLS 1.1 or not.

Thanks,
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question.
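The behaviour both replies describe, as an added example that is not from the thread and not Cisco ISE code: ISE exposes one global set of permitted TLS versions, each client negotiates the highest version both sides support, and no policy condition can key on the result. The endpoint groups and the versions they support are constructed, hypothetical sample data; the script shows what the only available lever (tightening the global set) does to such a fleet.

```python
# Added example: models the global TLS-version setting the replies describe.
# The endpoint groups below are hypothetical, constructed sample data.

TLS_VERSIONS = ("1.0", "1.1", "1.2")  # ordered lowest to highest


def negotiate(client_supported, ise_allowed):
    """Return the TLS version the client and ISE settle on, or None.

    Mirrors the reply: if the client can do 1.2 it gets 1.2; otherwise it
    negotiates the highest lower version ISE is globally set to allow.
    If nothing overlaps, authentication fails (None).
    """
    common = [v for v in TLS_VERSIONS
              if v in client_supported and v in ise_allowed]
    return common[-1] if common else None


def fleet_outcome(fleet, ise_allowed):
    """Map each endpoint group to its negotiated version (None = auth fails)."""
    return {group: negotiate(supported, ise_allowed)
            for group, supported in fleet.items()}


def groups_below(fleet, ise_allowed, floor):
    """Groups that still authenticate, but below the version the admin wanted.

    This is the gap the thread is about: the global setting cannot require
    1.2 for one group while still letting another group use 1.1 or 1.0.
    """
    out = fleet_outcome(fleet, ise_allowed)
    return sorted(g for g, v in out.items()
                  if v is not None
                  and TLS_VERSIONS.index(v) < TLS_VERSIONS.index(floor))


# Constructed sample fleet: group name -> TLS versions the endpoints support.
FLEET = {
    "modern-laptops": {"1.0", "1.1", "1.2"},
    "legacy-printers": {"1.0", "1.1"},
    "old-scanners": {"1.0"},
}

if __name__ == "__main__":
    permissive = {"1.0", "1.1", "1.2"}   # ISE global: 1.0 and 1.1 enabled
    strict = {"1.2"}                     # ISE global: 1.0 and 1.1 disabled
    print("permissive:", fleet_outcome(FLEET, permissive))
    print("  authenticate below 1.2:", groups_below(FLEET, permissive, "1.2"))
    print("strict:", fleet_outcome(FLEET, strict))
```

Run it with different global sets to see which groups keep authenticating below the desired floor (the downgrade exposure) and which stop authenticating when the floor is raised globally.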

Hey,

Globally enabling or disabling a TLS version isn't the most granular of approaches, but it's what the product supports.

I sent an enhancement request a few days ago to support authenticating by TLS version as part of an authentication policy, so that certain endpoints can authenticate only with TLS 1.2, others only with TLS 1.1 or TLS 1.0, etc.

This is in part to avoid renegotiation attacks and using susceptible encryption and hash functions.

I hope someone in Cisco will think it over :)

Confirmed. Please reach out to the ISE product management team for an enhancement.