ACS 5.3.40: is there a patch available to support TLS 1.1 and 1.2 for SSL termination?
We are trying to reduce our susceptibility to the SSL BEAST information disclosure vulnerability on our ACS 5.3.40 system.
It's been suggested that we consider some defensive measures such as cipher suite selection. Wherever possible, we should ensure that servers and clients that support TLS/SSL are configured to support TLS versions 1.1 and 1.2, not just SSLv3 and TLSv1.0, which is often the default configuration.
Can you advise how this is done within the ACS 5.3.40 application? Is it just a case of patching to another level?
(The default SSLv3 and TLSv1.0 settings are not deemed strong enough.)
Unfortunately, I still do not see any information regarding ACS.
@Cisco: There is still no EOL announcement out for ACS, so the responsible business unit should really put TLS 1.2 on the roadmap for ACS. Everyone who thinks about network security has been moving to TLS 1.2 for months, if not years. Please do something.
PCI DSS 3.1 bans the use of TLS 1.0 as of June 2016, and PCI Approved Scanning Vendors (ASVs) are already giving failing grades on scans that detect anything less than TLS 1.2. This is a problem for Cisco ACS, Cisco CSM and Cisco Firepower Defense Center.
The public view shows Status "Open", but I was told internally it was declined. Since ISE is near feature parity with ACS, ACS will be EOL soon (I would expect an EOL notice this year). There seem to be no plans to implement any new features in ACS.
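As an added check (not from this thread or from Cisco), the following script reports which TLS versions an HTTPS endpoint will actually negotiate, so the state of the ACS admin interface can be verified before and after any patch; it assumes Python 3.7+ and that the target host and port are reachable from where it runs.

```python
# Added example for this thread, not Cisco's code: probe which TLS versions a server accepts.
import socket
import ssl

# Versions discussed in the thread, oldest first. SSLv3 cannot be offered by
# current Python/OpenSSL builds, so it is not probed here.
PROBE_VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]

def context_for(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # audit only: the question is the version, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:  # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level;
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # lower it so we test the server, not the client
    except ssl.SSLError:  # cipher-string syntax not supported by this TLS library
        pass
    return ctx

def probe_tls_versions(host, port=443, timeout=5.0):
    """Return {label: bool} for each version, True if a handshake completed."""
    results = {}
    for label, version in PROBE_VERSIONS:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with context_for(version).wrap_socket(sock, server_hostname=host):
                    results[label] = True
        except (ssl.SSLError, OSError):
            results[label] = False
    return results

def assess(results):
    """Apply the thread's rule: the server must offer TLS 1.1 or 1.2, not only SSLv3/TLS 1.0."""
    modern = [v for v in ("TLSv1.1", "TLSv1.2") if results.get(v)]
    if modern:
        return "OK: negotiates " + ", ".join(modern)
    return "WEAK: only legacy protocol versions accepted"

if __name__ == "__main__":
    import sys
    found = probe_tls_versions(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    print(found, assess(found))
```

Run it as `python probe.py <acs-host> 443`; a result of only TLSv1.0 being True is the weak state the question describes.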