
Client requested TLSv1.0 that is not allowed

Hi!
I am trying to authenticate a Xerox WorkCentre 7120 printer on Cisco ISE 2.2, using PEAP-MSCHAPv2.

The printer cannot authenticate due to the following error:

12986 Client requested TLSv1.0 that is not allowed.

Digging more into the error message it says: 

Resolution: Configure supplicant to use a more advanced TLS version 1.1 or 1.2. If supplicant doesnt support TLS version 1.1 or higher, allow TLS 1.0 in security settings. 

As the printer does not seem to have any TLS settings to change, I have to do it on Cisco ISE.

So, I have entered: Administration -> System -> Settings -> Protocols -> EAP-FAST -> Security Settings -> Allow TLS 1.0 for Legacy Servers.  Actually, it was already enabled by default. 

Still, the same error message occurs.

Any ideas?
Thanks!


Simon Brooks
Level 1

To allow Cisco ISE to authenticate such legacy devices, after upgrade to Release 2.1, ensure that you update the Allowed Protocols configuration as follows:

1. From the Admin portal, choose Policy > Policy Elements > Authentication > Allowed Protocols.

2. Edit the Allowed Protocols service and check the Allow weak ciphers for EAP check box.

3. Click Submit.

(should be the same for ISE 2.2??)

Yep:

If you have legacy devices such as old IP phones that use these deprecated ciphers authenticating against Cisco ISE, the authentication fails because these devices use legacy ciphers. To allow Cisco ISE to authenticate such legacy devices, after upgrade to Release 2.2, ensure that you update the Allowed Protocols configuration as follows:

  1. From the Admin portal, choose Policy > Policy Elements > Authentication > Allowed Protocols.

  2. Edit the Allowed Protocols service and check the Allow weak ciphers for EAP check box.

  3. Click Submit.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/upgrade_guide/b_ise_upgrade_guide_22/b_ise_upgrade_guide_22_chapter_0100.html

Hi!
Thank you, but Allow weak ciphers is already enabled, but still nothing.

Thanks. What if you can't enable the legacy support feature? For instance, macOS is sending its requests via TLS 1.0. I haven't seen any documentation from Apple for changing this.
