
The Cisco ISE must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and the Cisco ISE for the purposes of client posture assessment.


Overview

Finding ID: V-242575
Version: CSCO-NC-000010
Rule ID: SV-242575r714035_rule
IA Controls: (none listed)
Severity: High
Description
The endpoint agent may pass information about the endpoint to the Cisco ISE, and that information may be sensitive. Allowing older, unauthorized TLS versions, or misconfiguring protocol negotiation, leaves the ISE exposed to known and unknown attacks that exploit weaknesses in those protocol versions.
STIG: Cisco ISE NAC Security Technical Implementation Guide
Date: 2021-04-14

Details

Check Text (C-45850r714033_chk)
Verify that only TLS 1.2 is enabled.

From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.

If TLS 1.0 or TLS 1.1 is enabled, this is a finding.
Fix Text (F-45807r714034_fix)
Configure ISE so that only TLS 1.2 is enabled:

From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.
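The checkboxes above control what the ISE offers; a practitioner will usually also want to confirm from the network side that the listener the posture agent talks to really refuses TLS 1.0 and 1.1. The script below is an added example, not part of the STIG or of Cisco's tooling. It forces one handshake per version with `openssl s_client` and maps the results to the rule's verdict. It assumes `openssl` is on PATH, and `ISE_HOST` and `ISE_PORT` are placeholders for your node and for the portal port your deployment uses (8443 here is only an assumption; substitute the port the agent actually connects to).

```shell
#!/bin/sh
# Added example, not part of the STIG: probe an ISE node's HTTPS listener
# from a client and report which TLS versions it actually negotiates.
# Assumptions: openssl(1) is on PATH; ISE_HOST and ISE_PORT are placeholders
# for your node and for the portal port the posture agent connects to.

ISE_HOST="${ISE_HOST:-ise.example.mil}"   # placeholder hostname
ISE_PORT="${ISE_PORT:-8443}"              # placeholder port; confirm for your deployment

# classify_handshake OUTPUT
# Reduce raw `openssl s_client` output to one of three states:
#   client-unsupported  the local openssl refuses the version itself, so the
#                       result says nothing about the server
#   accepted            a session was negotiated (SSL-Session "Protocol" line
#                       present and a real cipher chosen)
#   rejected            the server refused: alert, "Cipher is (NONE)", or no
#                       session at all (connection refused, timeout)
# "Cipher is (NONE)" is tested before the Protocol line because a failed
# handshake still prints an SSL-Session block with a Protocol value.
classify_handshake() {
  if printf '%s\n' "$1" | grep -qiE 'no protocols available|unknown option'; then
    echo client-unsupported
  elif printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
    echo rejected
  elif printf '%s\n' "$1" | grep -qE '^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*TLSv1'; then
    echo accepted
  else
    echo rejected
  fi
}

# probe_version HOST PORT FLAG
# One forced-version handshake; FLAG is -tls1, -tls1_1 or -tls1_2.
probe_version() {
  probe_out="$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1)"
  classify_handshake "$probe_out"
}

# stig_verdict TLS10 TLS11 TLS12
# Any accepted legacy version is a finding. If TLS 1.2 itself did not
# negotiate, or the client could not even attempt a legacy version, the
# probe is inconclusive rather than a pass.
stig_verdict() {
  if [ "$1" = accepted ] || [ "$2" = accepted ]; then
    echo "FINDING: legacy TLS accepted (TLS1.0=$1 TLS1.1=$2)"
    return 1
  fi
  if [ "$3" != accepted ]; then
    echo "INCONCLUSIVE: TLS 1.2 did not negotiate (TLS1.2=$3); check host, port and connectivity"
    return 2
  fi
  if [ "$1" = client-unsupported ] || [ "$2" = client-unsupported ]; then
    echo "INCONCLUSIVE: local openssl cannot attempt TLS 1.0/1.1; re-run from a client that can"
    return 2
  fi
  echo "NOT A FINDING: only TLS 1.2 negotiated"
  return 0
}

main() {
  r10="$(probe_version "$ISE_HOST" "$ISE_PORT" -tls1)"
  r11="$(probe_version "$ISE_HOST" "$ISE_PORT" -tls1_1)"
  r12="$(probe_version "$ISE_HOST" "$ISE_PORT" -tls1_2)"
  stig_verdict "$r10" "$r11" "$r12"
}

# Runs only when invoked as ise_tls_probe.sh, so the functions can be
# sourced (or tested) without touching the network.
case "${0##*/}" in
  ise_tls_probe.sh) main ;;
esac
```

Save it as `ise_tls_probe.sh` and run `ISE_HOST=<node> ISE_PORT=<port> sh ise_tls_probe.sh`, repeating for each portal port the agent uses. Two caveats: a hardened client whose own OpenSSL refuses TLS 1.0/1.1 cannot prove anything about the server, which is why that state is reported as inconclusive rather than as a pass; and the "Allow legacy unsafe TLS renegotiation for ISE as a client" setting governs outbound connections from the ISE and is not observable with this probe, so it still has to be verified in the Web Admin portal.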