TLS1.0 on supplicant authenticating to ISE

rsharp001
Level 1

I have a new setup of ISE and I am currently testing the ability to connect various devices.  I have noticed my Windows 10 supplicants are being rejected by ISE with the following error: "Client requested TLSv1.0 or TLSv1.1 that is not allowed"

I cannot find anything on the supplicants to force a higher version.

I did find in ISE where I can allow it to accept TLS1.0.  When I enable this the authentications work as I expect.

Am I missing a setting in ISE or on the supplicant?

Thanks!

Accepted Solutions

All Windows workstations as of Windows 7 support changing the SSL/TLS versions with which they authenticate.

Take a look at:

https://support.microsoft.com/en-us/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment

If you are interested in only authenticating EAP-TLS with TLS 1.2, change the key to 0xC00. If you'd like to support either 1.1 or 1.2, but nothing else, you can logical OR the key to 0xC00 | 0x300 == 0xF00. Same goes for any combination.

Once this is done, either reset the workstations or restart the net3svc and eaphost services.

This is for the Windows native EAP supplicant. If I recall, the AnyConnect negotiated cipher suites and TLS versions are a subset of the Windows native supplicant, though I'm not 100% about that. You should update the Windows supplicant and see if that helps.

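The bitmask arithmetic in the accepted answer, as an added PowerShell example that is not part of the thread: it builds the TlsVersion mask from the versions you want to allow, writes it, and reads it back for verification. It assumes the registry location documented in the Microsoft article linked above (HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13, DWORD TlsVersion, with 0xC0 = TLS 1.0, 0x300 = TLS 1.1, 0xC00 = TLS 1.2) and the service names EapHost and dot3svc (Wired AutoConfig); the function names are this example's own.

```powershell
# Added example, not from the original thread. Run from an elevated prompt.
# Assumed registry location (from the linked Microsoft article):
$EapTlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
# Bit values for TlsVersion as documented in that article.
$TlsBits = [ordered]@{ 'TLS1.0' = 0xC0; 'TLS1.1' = 0x300; 'TLS1.2' = 0xC00 }

function Get-EapTlsMask {
    # Combine the requested versions with a logical OR, as in the accepted answer
    # (e.g. 'TLS1.1','TLS1.2' -> 0x300 | 0xC00 = 0xF00).
    param([Parameter(Mandatory)][string[]]$Versions)
    $mask = 0
    foreach ($v in $Versions) {
        if (-not $TlsBits.Contains($v)) { throw "Unknown TLS version '$v'" }
        $mask = $mask -bor $TlsBits[$v]
    }
    return $mask
}

function ConvertFrom-EapTlsMask {
    # Decode a stored TlsVersion value back to the versions it permits (for auditing).
    param([int]$Mask)
    $TlsBits.Keys | Where-Object { ($Mask -band $TlsBits[$_]) -eq $TlsBits[$_] }
}

function Set-EapTlsVersions {
    # Write TlsVersion for the given versions and verify the stored value.
    param([Parameter(Mandatory)][string[]]$Versions)
    $mask = Get-EapTlsMask -Versions $Versions
    if (-not (Test-Path $EapTlsKey)) { New-Item -Path $EapTlsKey -Force | Out-Null }
    Set-ItemProperty -Path $EapTlsKey -Name 'TlsVersion' -Value $mask -Type DWord
    $stored = (Get-ItemProperty -Path $EapTlsKey -Name 'TlsVersion').TlsVersion
    if ($stored -ne $mask) { throw ("TlsVersion readback mismatch: 0x{0:X}" -f $stored) }
    Write-Host ("TlsVersion = 0x{0:X} -> {1}" -f $stored, ((ConvertFrom-EapTlsMask $stored) -join ', '))
    return $stored
}

# TLS 1.2 only (0xC00): the setting the answer recommends when ISE refuses TLS 1.0/1.1.
Set-EapTlsVersions -Versions 'TLS1.2'

# The answer says the supplicant services must be restarted (or the workstation rebooted)
# before the new value takes effect; service names assumed here.
Restart-Service -Name EapHost, dot3svc
```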

7 Replies

Arne Bier
VIP

Same thing with some other supplicants like a Cisco 3700 series AP doing EAP-FAST - it expects to use TLS 1.0 and SHA1 - if you don't enable those in ISE (i.e. make ISE backwards compatible with protocols that should be outlawed) then your AP won't authenticate via EAP-FAST.  Sad state of affairs.

As for Windows 10 native supplicant I am surprised that this is the case.  I have not tested in a while but I am pretty sure Windows uses TLS 1.2 - but I stand to be corrected.  TLS 1.2 has been around for a long time now and is already starting to look dated.  Maybe there is a registry setting in Windows that is not set right (or never got upgraded if the OS was upgraded from XP/Win7 etc.) - no idea.  Keep us updated with your findings.

Fresh Win10 machine, only thing I could guess may be tipping the scale is it was joined to our domain.  Maybe we have a carryover in a GPO?  I've been working with our server/systems guy but he isn't totally sure.

I tried with the native supplicant and with the net manager piece of AnyConnect, all are giving the same issue.  Looks like I may be biting the bullet and turning on the support for TLS1.0, seems odd that such newer devices are forcing that first.  Would you suggest using something other than EAP-FAST?  I have flipped my settings in AnyConnect to use TTLS but did not gain any more traction there.


Thank you Nadav!

This article got me over the hump.  I'm going to test on some more machines before making any system wide changes, but now I'm getting past that hurdle without enabling TLS1.0 on ISE.

 

Hi Arne,
We faced the same issue on our new Win10 machines: the VPN certificate-based authentication stopped working.
After troubleshooting, it appears that Win10 machines come with TLS v1.1 as the default maximum, and the ASA was configured with TLS v1.2 as the minimum.
I had to reduce the minimum version to TLS1.1 on the FW to make it work again.
Weird why Microsoft does not enable TLS1.2 by default on their Win 10 machines.

hhhm.  Since November 2018 Windows 10 started using TLS 1.2 - I had no idea.

There are registry hacks to change this to whatever version you need - see article below

https://support.microsoft.com/en-au/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment

Thank you Arne!

This was suggested by Nadav as well.  It did fix my initial issue.