Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6778
Views
10
Helpful
4
Replies

Cisco ISE-PIC: How to Disable TLS 1.0 (and possibly TLS 1.1)?

Brandon1
Level 1
Level 1

‎03-10-2021 11:31 AM

I have recently introduced Cisco ISE-PIC 2.7 into my infrastructure for the sole purpose of providing user identity management for Firepower access control. This is because the Firepower User Agent is no longer supported and ISE-PIC is now a requirement.

 

My vulnerability management solutions (Nessus/Tenable) is scanning the ISE-PIC host and reporting the use of TLS 1.0. I need to figure out how to disable this and ideally only allow TLS 1.2 for any possible connection.  I have been thoroughly through the web GUI and CLI and have found no means to resolve this. My "Google" skills have also failed me. The six open TCP ports that accept TLS 1.0 connections all appear to be Java related. 

 

Does anyone have any knowledge on how to accomplish this task?

 

I am providing the six open ports accepting TLS 1.0 and the process information for each as retrieved from the ISE-PIC CLI

 

Nessus reports TCP 9095

Process : java (1805)
tcp: :::9095, :::8095

iseadmi+ 1805 ? 1 Mon Jan 18 15:02:44 2021 /opt/CSCOcpm/jre/bin/java - 05:49:42


Nessus reports TCP 8443
Nessus reports TCP 8444
Nessus reports TCP 8445
Nessus reports TCP 8910

Process : jsvc.exec (26698)
tcp: 127.0.0.1:8888, :::9061, :::9063, :::8905, :::8009, :::5514, :::9002, :::1099, :::2030, :::8910, :::8911, :::80, :::2035, :::9080, 10.0.0.60:8443, :::443, 10.0.0.60:8444, 10.0.0.60:8445, :::9085, :::29249, :::9090, 127.0.0.1:2020, :::9060
udp: 0.0.0.2:56564, 10.0.0.60:15648, 169.254.2.1:25735, 169.254.0.228:17931, 0.0.0.0:28750, 169.254.2.1:28972, 0.0.0.0:53916, 10.0.0.60:62150, 169.254.0.228:54512, :::33453, :::10335, :::44664, :::29927

iseadmi+ 26698 ? 26697 Mon Jan 18 15:00:50 2021 jsvc.exec -java-home /opt/C 1-04:59:43

 

 

Nessus reports TCP 9094

Process : java (968)
tcp: :::9094, :::8092

iseadmi+ 968 ? 1 Mon Jan 18 15:02:39 2021 /opt/CSCOcpm/jre/bin/java - 05:32:15

0 Helpful
4 Replies 4

Marcelo Morais
VIP
VIP

‎03-10-2021 06:21 PM

Hi @Brandon1 ,

 please take a look at: CSCvv02086 Add ability to disable TLS 1.0 and 1.1 on ISE PIC node.

Last Modified: Feb 9,2021
Status: Open
Severity: 6 Enhancement
Known Affected Releases: 2.4(0.357), 2.6(0.156), 2.7(0.356)

 

Hope this helps !!!

0 Helpful

Brandon1
Level 1
Level 1
In response to Marcelo Morais

‎03-11-2021 06:43 AM

Marcelo,

 

Thank you very much for the reply! I did come across this at some point but didn't and still don't want to believe that such a premier organization as Cisco and a foundational platform that has a core function of supporting security, such as ISE (although it is the PIC branch, I believe it to run on the same platform because it notifies me that simply upgrading with a new license will unlock the full ISE features), lacks the means to disable a 20+ year old security protocol that has been depreciated. 

 

I'm sure the proper response from me would be to open a TAC case and let that process play out, but Cisco TAC is not what it once was. I just recently had a TAC case close that had been open roughly a year, with most of my cases being 3 - 6 months old prior to closing ( and sometimes not resolved). I understand it's partially related to the relatively young age of the Firepower platform and new bugs, I accepted that concept when adopting the platform.  But what does that say when someone wants to avoid using a support asset they pay a bill for... 

 

Anyways, I am hoping someone knows of an non-documented method of turning off TLS 1.0/1.1 for the processes I listed. 

 

Thanks,

 

Brandon

0 Helpful

thomas
Cisco Employee
Cisco Employee

‎03-13-2021 12:23 PM

Regular ISE offers the ability to disable TLS 1.0 if you decide that is your best path forward.

image.png

Brandon1
Level 1
Level 1
In response to thomas

‎04-13-2021 12:21 PM

Thomas,

 

Thank you for your response. However, I would prefer not to purchase the full ISE platform for the sole purpose of fixing a security weakness in an already purchased (required to use for user based access control after Firepower User Agent was discontinued) product that has a core function of assisting with security. 

 

Not sure how your response and the previous from Marcelo got selected as the solution to my question, but I went ahead and fixed that. For note, the only solution to my question would involve the ability to disable TLS 1.0 (and TLS 1.1) in ISE-PIC 2.7+. 

 

Have a great day!

 

Brandon

0 Helpful
Customers Also Viewed These Support Documents