Field Notice: FN - 70590 - Cisco Identity Services Engine - Cisco Feed Service For Posture Updates and Client Provisioning via Transport Layer Security 1.0 Has Been Discontinued - Software Upgrade Recommended

Available Languages

Updated:August 13, 2020
Document ID:FN70590

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision Publish Date Comments
1.0
06-Aug-20
Initial Release
1.1
10-Aug-20
Updated the Products Affected Section

Products Affected

Affected OS Type Affected Software Product Affected Release Affected Release Number Comments
NON-IOS
Identity Services Engine System Software
1
1.0, 1.0 MR, 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2, 1.2.1, 1.3, 1.4
For ISE 1.X - all versions
NON-IOS
Identity Services Engine System Software
2
2.0, 2.0.1
For ISE 2.0 – all patch versions
NON-IOS
Identity Services Engine System Software
2
2.1.0
For ISE 2.1 – all patch versions
NON-IOS
Identity Services Engine System Software
2
2.2.0
For ISE 2.2 - up to and including Patch 10
NON-IOS
Identity Services Engine System Software
2
2.3.0
For ISE 2.3 – up to and including Patch 5

Defect Information

Defect ID Headline
CSCvk10081 ISE uses TLS 1.0 when proxy configured and TLS 1.2 if no proxy configured

Problem Description

For the affected Cisco Identity Services Engine (ISE) versions, the Cisco feed service for posture updates and client provisioning via Transport Layer Security (TLS) 1.0 is no longer considered secure and has been discontinued.

Background

When proxy connections are configured, ISE connections to external sites for posture updates and client provisioning that use TLS 1.0 are no longer considered secure. The Cisco feed service headend currently operates with TLS 1.2 for improved security.

Problem Symptom

For the affected ISE versions, proxy connections to external sites for posture updates and client provisioning will fail with an error when TLS 1.0 is used.

The posture updates error displayed on the ISE console is shown in this image.

The client provisioning error displayed on the ISE console is shown in this image.

Workaround/Solution

In order to utilize TLS 1.2 for proxy connections, upgrade the ISE system software to one of these versions:

  • ISE 2.2 Patch 12 or later
  • ISE 2.3 Patch 6 or later
  • ISE 2.4 or later

If an upgrade to the ISE system software is not immediately possible, perform the Cisco ISE Offline Updates process. To do so, see the respective Cisco Identity Services Engine Release Notes document for the ISE version used.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products