Field Notice: FN74081 - Identity Services Engine: TC-NAC Services on ISE Will Fail Due to AMP Cloud Deprecation of TLS 1.0 Support - Software Upgrade Recommended

Available Languages

Updated:December 21, 2023

Document ID:FN74081

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

Affected Software Product	Affected Release	Affected Release Number	Comments
Identity Services Engine System Software	2	2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.6.0, 2.7.0
Identity Services Engine System Software	3	3.0.0, 3.1.0, 3.2.0, 3.3.0

Defect Information

Defect ID	Headline
CSCwc53824	ISE limits connection to AMP AMQP service to TLSv1.0

Problem Description

For affected releases of Cisco Identity Services Engine (ISE), Threat Centric-Network Access Control (TC-NAC) services on Cisco ISE will fail due to the deprecation of Transport Layer Security (TLS) 1.0 support on Cisco Advanced Malware Protection (AMP) Cloud starting on March 31, 2024.

Background

TLS 1.0 support will be deprecated on Cisco AMP Cloud starting on March 31, 2024. Cisco AMP Cloud will continue to support later versions of TLS. Existing Cisco ISE releases support only TLS 1.0 with Cisco AMP Cloud and, as a result, Cisco ISE integration with Cisco AMP Cloud will be impacted after the deprecation date.

Problem Symptom

Cisco AMP adapter status shows a Disconnected state and will not allow further configuration.

Go to Administration > Threat Centric NAC > Third Party Vendors.

A log message similar to the following example will also be displayed in irf.log from the Admin console:

show logging application irf.log

INFO [admin-http-pool15][[]] cpm.irf.rest.engine.IRFCoreRestClient:info:122 -::::::- Returning result: {adapterUuid=f4a41add-f370-49d3-8a74-1941992f3150, instanceUuid=f08b5a03-f384-4a84-a69d-a325da3dab67, name=AMP1, state=Registered, adapterType=THREAT, adapterVersion=1.0, vendor=AMP, status=Configuration in progress, message=, hostname=https://api.amp.sourcefire.com, connectivity=Disconnected}

Workaround/Solution

Workaround

There is no workaround for this issue.

Solution

To address this issue, Cisco ISE has migrated from TLS 1.0 to TLS 1.2 support. Cisco recommends upgrading to one of the following Cisco ISE releases to obtain TLS 1.2 support:

3.1 Patch 8 or later (for 3.1 Patch 8, a special configuration may be required as noted below)
3.2 Patch 5 or later (estimated release date: second half of Feb 2024)
3.3 Patch 1 or later

There is no plan to backport TLS 1.2 support for Cisco ISE releases 3.0 and earlier.

Configuration for Cisco ISE Release 3.1 Patch 8

The steps below are only required for customers who currently have TC-NAC services enabled. For customers who do not currently have TC-NAC services enabled, the steps below are not required.

Go to Administration > System > Deployment.
Select the node that has TC-NAC services enabled.
Disable TC-NAC services by unchecking Enable Threat Centric NAC Service and clicking Save.
After disabling TC-NAC services, please wait five minutes before re-enabling.
Re-enable TC-NAC services by checking Enable Threat Centric NAC Service and clicking Save.

Revision History

Version	Description	Section	Date
1.0	Initial Release	—	2023-DEC-21

For More Information

For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:

Receive Email Notification About New Field Notices

To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

Identity Services Engine Software