The Cisco ISE must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and the Cisco ISE. This is This is required for compliance with C2C Step 1.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-242575 | CSCO-NC-000010 | SV-242575r812732_rule | CCI-000068 | high |
| Description | ||||
| The agent may pass information about the endpoint to the Cisco ISE, which may be sensitive. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. | ||||
| STIG | Date | |||
| Cisco ISE NAC Security Technical Implementation Guide | 2024-09-10 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-17(2)
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.13
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000068
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-242575r812732_chk)
If DoD is not at C2C Step 1 or higher, this is not a finding.
Verify that only TLS 1.2 is enabled.
From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.
If TLS 1.0 or 1.1 is enabled, this is a finding.
Fix Text (F-45807r714034_fix)
Configure ISE so that only TLS 1.2 is enabled:
From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.