03-12-2019 02:24 PM
I have a new setup of ISE and I am currently testing the ability to connect various devices. I have noticed my Windows 10 supplicants are being rejected by ISE with the following error: "Client requested TLSv1.0 or TLSv1.1 that is not allowed"
I cannot find anything on the supplicants to force a higher version.
I did find in ISE where I can allow it to accept TLS1.0. When I enable this the authentications work as I expect.
Am I missing a setting in ISE or on the supplicant?
Thanks!
03-13-2019 01:30 AM
All Windows workstations as of Windows 7 support changing the SSL/TLS versions with which they authenticate.
Take a look at:
If you are interested in only authenticating EAP-TLS with TLS 1.2, change the key to 0xC00. If you'd like to support either 1.1 or 1.2, but nothing else, you can logically OR the key to 0xC00 | 0x300 == 0xF00. Same goes for any combination.
Once this is done, either reset the workstations or restart the net3svc and eaphost services.
This is for the Windows native EAP supplicant. If I recall, the AnyConnect negotiated cipher suites and TLS versions are a subset of the Windows native supplicant, though I'm not 100% sure about that. You should update the Windows supplicant and see if that helps.
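An added example of the registry change the answer describes, written for this thread and not taken from the answer or from Cisco/Microsoft tooling. It assumes the value in question is the REG_DWORD `TlsVersion` under `HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13` (the key Microsoft documents for the native EAP-TLS supplicant, with 0xC0 = TLS 1.0, 0x300 = TLS 1.1, 0xC00 = TLS 1.2) and that the services to restart are Wired AutoConfig (`dot3svc`, which the answer calls net3svc) and `EapHost`.

```powershell
#Requires -RunAsAdministrator
# Added example: report and optionally set the TLS versions the Windows native
# EAP supplicant offers, using the bitmask arithmetic from the answer above.
# Assumption: HKLM\...\RasMan\PPP\EAP\13\TlsVersion (REG_DWORD) is the value meant.
param(
    [ValidateSet('1.0', '1.1', '1.2')]
    [string[]]$Allow = @('1.2'),   # default: TLS 1.2 only (0xC00)
    [switch]$Apply                 # without -Apply the script only reports
)

$EapTlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
$Bits = [ordered]@{ '1.0' = 0xC0; '1.1' = 0x300; '1.2' = 0xC00 }

# OR together the bits for each requested version, e.g. 1.1 + 1.2 -> 0xF00.
$mask = 0
foreach ($v in $Allow) { $mask = $mask -bor $Bits[$v] }

# Show what the supplicant currently offers; an absent value means the OS default applies.
$current = (Get-ItemProperty -Path $EapTlsKey -Name TlsVersion -ErrorAction SilentlyContinue).TlsVersion
if ($null -eq $current) {
    Write-Host 'TlsVersion not set (OS default in effect)'
} else {
    $offered = $Bits.GetEnumerator() | Where-Object { $current -band $_.Value } | ForEach-Object { $_.Key }
    Write-Host ('TlsVersion = 0x{0:X} (offers TLS {1})' -f $current, ($offered -join ', '))
}
Write-Host ('Requested  = 0x{0:X} (TLS {1})' -f $mask, ($Allow -join ', '))

if (-not $Apply) {
    Write-Host 'Re-run with -Apply to write the value and restart the EAP services.'
    return
}

if (-not (Test-Path $EapTlsKey)) { New-Item -Path $EapTlsKey -Force | Out-Null }
Set-ItemProperty -Path $EapTlsKey -Name TlsVersion -Value $mask -Type DWord

# Wired AutoConfig and EapHost re-read the value only on restart (or reboot).
Restart-Service -Name dot3svc, EapHost -Force
Write-Host ('TlsVersion set to 0x{0:X}; services restarted.' -f $mask)
```

Run it once without `-Apply` on a test machine to see the current mask before pushing the value fleet-wide via GPO.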
03-12-2019 02:35 PM
Same thing with some other supplicants like a Cisco 3700 series AP doing EAP-FAST - it expects to use TLS 1.0 and SHA1 - if you don't enable those in ISE (i.e. make ISE backwards compatible with protocols that should be outlawed) then your AP won't authenticate via EAP-FAST. Sad state of affairs.
As for Windows 10 native supplicant I am surprised that this is the case. I have not tested in a while but I am pretty sure Windows uses TLS 1.2 - but I stand to be corrected. TLS 1.2 has been around for a long time now and is already starting to look dated. Maybe there is a registry setting in Windows that is not set right (or never got upgraded if the OS was upgraded from XP/Win7 etc.) - no idea. Keep us updated with your findings.
03-12-2019 02:58 PM
Fresh Win10 machine, only thing I could guess may be tipping the scale is it was joined to our domain. Maybe we have a carryover in a GPO? I've been working with our server/systems guy but he isn't totally sure.
I tried with the native supplicant and with the net manager piece of AnyConnect, all are giving the same issue. Looks like I may be biting the bullet and turning on the support for TLS1.0, seems odd that such newer devices are forcing that first. Would you suggest using something other than EAP-FAST? I have flipped my settings in AnyConnect to use TTLS but did not gain any more traction there.
03-13-2019 09:53 AM
Thank you Nadav!
This article got me over the hump. I'm going to test on some more machines before making any system wide changes but now I'm getting past that hurdle without enabling TLS1.0 on ISE
03-13-2019 01:57 AM
Hmm. Since November 2018 Windows 10 started using TLS 1.2 - I had no idea.
There are registry hacks to change this to whatever version you need - see article below
03-13-2019 09:55 AM
Thank you Arne!
This was suggested by Nadav as well. It did fix my initial issue.