Check: CSCO-NC-000300
Cisco ISE NAC STIG:
CSCO-NC-000300
(in versions v1 r2 through v1 r1)
Title
Before establishing a local, remote, and/or network connection with any endpoint device, the Cisco ISE must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the endpoint device. (Cat II impact)
Discussion
Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. Currently, DoD requires the use of AES for bidirectional authentication since it is the only FIPS-validated AES cipher block algorithm. Because of the challenges of applying this requirement on a large scale, organizations are encouraged to apply the requirement only to those limited number (and type) of devices that truly need to support this capability.
Check Content
From the Web Admin portal: 1. Navigate to Administration >> System >> Settings >> Security Settings. 2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked. If TLS 1.0 or 1.1 is enabled, this is a finding.
Fix Text
From the Web Admin portal: 1. Navigate to Administration >> System >> Settings >> Security Settings. 2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.
Additional Identifiers
Rule ID: SV-242604r714122_rule
Vulnerability ID: V-242604
Group Title: SRG-NET-000151-NAC-000630
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001967 |
The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |
Controls
Number | Title |
---|---|
IA-3 (1) |
Cryptographic Bidirectional Authentication |