TrustSec & ISE - NDAC & TLS Handshake

I am configuring TrustSec on an ISE node & Catalyst 6807 Switch. I configured NDAC & EAP-FAST on the Catalyst 6807 Switch and the ISE node so they can create a secure RADIUS channel between them for the TrustSec solution.  TLS 1.0 is disabled on the ISE node, and when the Catalyst 6807 Switch tries to perform the TLS handshake with the ISE node, TLS negotiation fails.  The RADIUS Live Logs on the ISE node show the following failure reason:

"Client requested TLSv1.0 or TLSv1.1 that is not allowed"

It seems the Catalyst 6807 Switch (RADIUS Client) is sending a TLS Client Hello message with support for only TLS version 1.0.  Is it possible to configure the Catalyst 6807 Switch to send a TLS Client Hello message with support for TLS version 1.1 during the TLS handshake with the ISE node?  I have a requirement in my Customer’s network environment where TLS version 1.0 isn't enabled.  I would greatly appreciate any feedback. 
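
The failure described above comes down to what the switch's ClientHello actually offers. As an added example (not code from this post, from Cisco, or from ISE), here is a small parser that recovers the offered TLS versions from a ClientHello record, either from the legacy_version field or from a supported_versions extension when one is present, and applies a minimum-version policy of the kind ISE enforced here. The ClientHello bytes are constructed by the example itself, not captured from a switch, and the rejection wording is the example's own, not ISE's log string.

```python
"""Parse a TLS ClientHello and apply a minimum-version policy (added example, not from the thread).

A server rejects a handshake the way ISE did above when the highest version the
client offers is below the server's minimum. This parser shows what the client
offered so the failure can be diagnosed from a packet capture, not only from the
server-side log line.
"""
import struct

VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLSv1.0",
    0x0302: "TLSv1.1",
    0x0303: "TLSv1.2",
    0x0304: "TLSv1.3",
}
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 supported_versions extension
TLS_1_2 = 0x0303


def parse_client_hello(record):
    """Return legacy_version and, if present, the supported_versions list of a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + record_len]
    if len(body) != record_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                                          # legacy_version + 32-byte random
    pos += 1 + hello[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hello[pos]                                  # compression_methods
    supported = None
    if pos < len(hello):                                   # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                supported = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return {"legacy_version": legacy_version, "supported_versions": supported}


def highest_offered(info):
    """A TLS 1.3-aware client lists its versions in supported_versions and that list wins;
    an older client only signals its maximum through legacy_version."""
    if info["supported_versions"]:
        return max(info["supported_versions"])
    return info["legacy_version"]


def check_policy(record, min_version=TLS_1_2):
    """Return (accepted, reason). The reason wording is this example's, not ISE's log text."""
    top = highest_offered(parse_client_hello(record))
    name = VERSION_NAMES.get(top, hex(top))
    if top < min_version:
        return False, "client offered at most %s, below minimum %s" % (name, VERSION_NAMES[min_version])
    return True, "client offered up to %s" % name


def build_client_hello(legacy_version, supported_versions=None):
    """Construct a minimal ClientHello (constructed sample bytes, not a real capture)."""
    body = struct.pack("!H", legacy_version)
    body += b"\x11" * 32                                # random (fixed, constructed)
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", 4) + b"\xc0\x2f\x00\x2f"  # two cipher suites
    body += b"\x01\x00"                                 # compression: null only
    if supported_versions:
        vlist = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 1 + len(vlist)) + bytes([len(vlist)]) + vlist
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    for label, hello in [
        ("TLS 1.0-only client", build_client_hello(0x0301)),
        ("TLS 1.2 client", build_client_hello(0x0303)),
        ("TLS 1.3 client", build_client_hello(0x0303, [0x0304, 0x0303])),
    ]:
        print(label, check_policy(hello))
```

Feed `parse_client_hello` the first handshake record of a capture taken on the RADIUS-over-TLS port to see what the device really offered. The supported_versions override matters: a TLS 1.3 client puts 0x0303 in legacy_version regardless, so a policy that reads only that field would misjudge both newer and deliberately restricted clients.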

Accepted Solution
Cisco Employee

Re: TrustSec & ISE - NDAC & TLS Handshake

This PAC provisioning uses TLS 1.0 since the network device uses TLS 1.0 for the PAC requests. We are working towards a solution to remove the requirement for PAC provisioning for SGACL/environmental data from the network device. The main reason is that today we are using a pre-shared key which would be derived from the PAC, and even with a very long pre-shared key of the PAC we are not adding any real security to the RADIUS request. Hence we are coming out with a PAC-less solution, which should be out some time this year. BTW, we always recommend DTLS for real security of the RADIUS transactions.