https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818961#M484324 <P>Thank you Arne!</P> <P>This was suggested by Nadav as well.&nbsp; It did fix my initial issue.</P> <P>&nbsp;</P> Wed, 13 Mar 2019 16:55:51 GMT rsharp001 2019-03-13T16:55:51Z https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818412#M484312 <P>I have a new setup of ISE and I am currently testing the ability to connect various devices.&nbsp; I have noticed my Windows 10 supplicants ar being rejected by ISE with the following error: "Client requested TLSv1.0 or TLSv1.1 that is not allowed"</P> <P>&nbsp;</P> <P>I cannot find anything on the supplicants to force a higher version.</P> <P>&nbsp;</P> <P>I did find in ISE where I can allow it to accept TLS1.0.&nbsp; When I enable this the authentications work as I expect.</P> <P>&nbsp;</P> <P>Am I missing a setting in ISE or on the supplicant?</P> <P>&nbsp;</P> <P>Thanks!</P> Tue, 12 Mar 2019 21:24:18 GMT https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818412#M484312 rsharp001 2019-03-12T21:24:18Z https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818418#M484313 <P>Same thing with some other supplicants like a Cisco 3700 series AP doing EAP-FAST - it expects to use TLS 1.0 and SHA1 - if you don't enable those in ISE (i.e. make ISE backwards compatible with protocols that should be outlawed) then your AP won't authenticate via EAP-FAST.&nbsp; Sad state of affairs.</P> <P>As for Windows 10 native supplicant I am surprised that this is the case.&nbsp; I have not tested in a while but I am pretty sure Windows uses TLS 1.2 - but I stand to be corrected.&nbsp; TLS 1.2 has been around for a long time now and is already starting to look dated.&nbsp; Maybe there is a registry setting in Windows that is not set right (or never got upgraded if the OS was upgraded from XP/Win7 etc.) - no idea.&nbsp; Keep us updated with your findings.</P> Tue, 12 Mar 2019 21:35:22 GMT https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818418#M484313 Arne Bier 2019-03-12T21:35:22Z https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818431#M484317 <P>Fresh Win10 machine, only thing I could guess may be tipping the scale is it was joined to our domain.&nbsp; Maybe we have a carryover in a GPO?&nbsp; I've been working with our server/systems guy but he isn't totally sure.</P> <P>&nbsp;</P> <P>I tried with the native supplicant and with the net manager piece of AnyConnect, all are giving the same issue.&nbsp; Looks like I may be biting the bullet and turning on the support for TLS1.0, seems odd that such newer devices are forcing that first.&nbsp; Would you suggest using something other than EAP-FAST?&nbsp; I have flipped my setting sin AnyConnect to use TTLS but did not gain any more traction there.</P> Tue, 12 Mar 2019 21:58:42 GMT https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818431#M484317 rsharp001 2019-03-12T21:58:42Z https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818619#M484320 <P>All Windows workstations as of Windows 7 support changing the SSL/TLS versions with which they authenticate.&nbsp;</P> <P>&nbsp;</P> <P>Take a look at:</P> <P><A href="https://support.microsoft.com/en-us/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment" target="_self">https://support.microsoft.com/en-us/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment</A></P> <P>&nbsp;</P> <P>If you are interested in only authenticating EAP-TLS with TLS 1.2, change the key to&nbsp;<SPAN>0xC00. If you'd like to support either 1.1 or 1.2, but nothing else, you can logical OR the key to 0xC00 | 0x300 == 0xF00. Same goes for any combination.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Once this is done, either reset the workstations or restart the net3svc and eaphost services.&nbsp;</SPAN></P> <P>&nbsp;</P> <P>This is for the Windows native EAP supplicant. If I recall, the AnyConnect negotiated cipher suites and TLS versions are a subset of the Windows native supplicant, though I'm not 100% about that. You should update the Windows supplicant and see if that helps.&nbsp;</P> Wed, 13 Mar 2019 08:30:56 GMT https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818619#M484320 Nadav 2019-03-13T08:30:56Z https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818625#M484321 Hi Arne,<BR />We faced same issue on our new win10 machines, the VPN certificate base authentication stopped working.<BR />After troubleshooting it appears than win10 machines comes with default TLS v1.1 as maximum and the ASA was configured TLS v1.2 minimum.<BR />I had to reduce the minimum version to TLS1.1 on the FW to make it work again.<BR />Weird why Microsoft does not enable TLS1.2 by default on their Win 10 machines. Wed, 13 Mar 2019 08:39:38 GMT https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818625#M484321 bern81 2019-03-13T08:39:38Z https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818636#M484322 <P>hhhm.&nbsp; Since November 2018 windows Windows 10 started using TLS 1.2 - I had no idea.</P> <P>&nbsp;</P> <P>There are registry hacks to change this to whatever version you need- see article below</P> <P><A href="https://support.microsoft.com/en-au/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment" target="_blank">https://support.microsoft.com/en-au/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment</A></P> Wed, 13 Mar 2019 08:57:40 GMT https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818636#M484322 Arne Bier 2019-03-13T08:57:40Z https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818958#M484323 <P>Thank you Nadav!</P> <P>&nbsp;</P> <P>This article got me over the hump.&nbsp; I'm going to test on some more machines before making any system wide changes but now I'm getting past that hurdle without enabling TLS1.0 on ISE</P> <P>&nbsp;</P> Wed, 13 Mar 2019 16:53:10 GMT https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818958#M484323 rsharp001 2019-03-13T16:53:10Z https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818961#M484324 <P>Thank you Arne!</P> <P>This was suggested by Nadav as well.&nbsp; It did fix my initial issue.</P> <P>&nbsp;</P> Wed, 13 Mar 2019 16:55:51 GMT https://community.cisco.com/t5/network-access-control/tls1-0-on-supplicant-authenticating-to-ise/m-p/3818961#M484324 rsharp001 2019-03-13T16:55:51Z