STIGQter: STIG Summary: Cisco ISE NAC Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:

Before establishing a local, remote, and/or network connection with any endpoint device, the Cisco ISE must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the endpoint device.

DISA Rule

SV-242604r714122_rule

Vulnerability Number

V-242604

Group Title

SRG-NET-000151-NAC-000630

Rule Version

CSCO-NC-000300

Severity

CAT II

CCI(s)

• CCI-001967 - The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

Weight

10

Fix Recommendation

From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.

Check Contents

From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.

If TLS 1.0 or 1.1 is enabled, this is a finding.

Vulnerability Number

V-242604

Documentable

False

Rule Version

CSCO-NC-000300

Severity Override Guidance

From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.

If TLS 1.0 or 1.1 is enabled, this is a finding.

Check Content Reference

M

Target Key

5383

Comments