I am trying to authenticate a Xerox WorkCentre 7120 printer on Cisco ISE 2.2, using PEAP-MSCHAPv2.
The printer cannot authenticate due to the following error:
12986 Client requested TLSv1.0 that is not allowed.
Digging more into the error message it says:
Resolution: Configure supplicant to use a more advanced TLS version 1.1 or 1.2. If supplicant doesnt support TLS version 1.1 or higher, allow TLS 1.0 in security settings.
As the printer does not seem to have any TLS settings to change, I have to do it on Cisco ISE.
So, I have entered: Administration -> System -> Settings -> Protocols -> EAP-FAST -> Security Settings -> Allow TLS 1.0 for Legacy Servers. Actually, it was already enabled by default.
Still, the same error message occurs.
To allow Cisco ISE to authenticate such legacy devices, after upgrade to Release 2.1, ensure that you update the Allowed Protocols configuration as follows:
(should be the same for ISE 2.2??)
If you have legacy devices such as old IP phones that use these deprecated ciphers authenticating against Cisco ISE, the authentication fails because these devices use legacy ciphers. To allow Cisco ISE to authenticate such legacy devices, after upgrade to Release 2.2, ensure that you update the Allowed Protocols configuration as follows:
From the Admin portal, choose Policy > Policy Elements > Authentication > Allowed Protocols.
Edit the Allowed Protocols service and check the Allow weak ciphers for EAP check box.
Thanks. What if you can't enable the legacy support feature? For instance, macOS is sending its requests via TLS 1.0. I haven't seen any documentation from Apple for changing this.