STIGQter: STIG Summary: Cisco ISE NAC Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 13 Apr 2021

The Cisco ISE must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and the Cisco ISE for the purposes of client posture assessment.

DISA Rule

SV-242575r714035_rule

Vulnerability Number

V-242575

Group Title

SRG-NET-000062-NAC-000340

Rule Version

CSCO-NC-000010

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure ISE so that only TLS 1.2 is enabled:

From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.

Check Contents

Verify that only TLS 1.2 is enabled.

From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.

If TLS 1.0 or 1.1 is enabled, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

5383

Comments