Client requested TLSv1.0 that is not allowed

Hi!
I am trying to authenticate a Xerox WorkCentre 7120 printer on Cisco ISE 2.2, using PEAP-MSCHAPv2.

The printer cannot authenticate due to the following error:

12986 Client requested TLSv1.0 that is not allowed.

Digging more into the error message it says: 

Resolution: Configure supplicant to use a more advanced TLS version 1.1 or 1.2. If supplicant doesnt support TLS version 1.1 or higher, allow TLS 1.0 in security settings. 

As the printer does not seem to have any TLS settings to change, I have to do it on Cisco ISE.

So, I have entered: Administration -> System -> Settings -> Protocols -> EAP-FAST -> Security Settings -> Allow TLS 1.0 for Legacy Servers.  Actually, it was already enabled by default. 

Still, the same error message occurs.

Any ideas?
Thanks!

4 REPLIES
Simon Brooks
Beginner

To allow Cisco ISE to authenticate such legacy devices, after upgrade to Release 2.1, ensure that you update the Allowed Protocols configuration as follows:

1. From the Admin portal, choose Policy > Policy Elements > Authentication > Allowed Protocols.

2. Edit the Allowed Protocols service and check the Allow weak ciphers for EAP check box.

3. Click Submit.

(should be the same for ISE 2.2??)

Yep:

If you have legacy devices such as old IP phones that use these deprecated ciphers authenticating against Cisco ISE, the authentication fails because these devices use legacy ciphers. To allow Cisco ISE to authenticate such legacy devices, after upgrade to Release 2.2, ensure that you update the Allowed Protocols configuration as follows:

  1. From the Admin portal, choose Policy > Policy Elements > Authentication > Allowed Protocols.

  2. Edit the Allowed Protocols service and check the Allow weak ciphers for EAP check box.

  3. Click Submit.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/upgrade_guide/b_ise_upgrade_guide_22/b_ise_upgrade_guide_22_chapter_0100.html

Hi!
Thank you, but Allow weak ciphers is already enabled, but still nothing.

Thanks. What if you can't enable the legacy support feature? For instance, macOS is sending its requests via TLS 1.0. I haven't seen any documentation from Apple for changing this.
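Error 12986 is raised on the TLS version the supplicant names in its ClientHello, so a capture of the first EAP response shows what a device actually offers. The following is an added example, not code from this thread or from Cisco: it assumes the raw EAP packet bytes have already been extracted from an EAPOL frame or a RADIUS EAP-Message attribute, and the names client_hello_version and sample_packet are hypothetical.

```python
import struct

# EAP methods that tunnel a TLS handshake, and the versions ClientHello can name.
TLS_EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def client_hello_version(eap: bytes):
    """Return (eap_method, offered_version) from an EAP-Response carrying a ClientHello.

    Reads ClientHello.client_version, the highest version the supplicant offers.
    (TLS 1.3 clients signal it in the supported_versions extension; not parsed here.)
    Returns None for anything that is not the first fragment of a ClientHello.
    """
    if len(eap) < 6:
        return None
    code, _ident, length, eap_type, flags = struct.unpack("!BBHBB", eap[:6])
    if code != 2 or eap_type not in TLS_EAP_TYPES or length > len(eap):
        return None
    body = eap[6:length]
    if flags & 0x80:  # L bit: a 4-byte TLS message length precedes the TLS data
        body = body[4:]
    # 5-byte record header, 4-byte handshake header, then 2-byte client_version
    if len(body) < 11 or body[0] != 22 or body[5] != 1:
        return None
    (version,) = struct.unpack("!H", body[9:11])
    return TLS_EAP_TYPES[eap_type], TLS_VERSIONS.get(version, f"unknown(0x{version:04x})")

def sample_packet(eap_type: int, version: int, with_length: bool = True) -> bytes:
    """Constructed input: minimal ClientHello wrapped in an EAP-Response."""
    hello = (struct.pack("!H", version) + bytes(32)  # client_version, random
             + b"\x00"                               # empty session_id
             + b"\x00\x02\x00\x2f"                   # one cipher suite
             + b"\x01\x00")                          # null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    record = b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake
    tls = (struct.pack("!I", len(record)) if with_length else b"") + record
    flags = 0x80 if with_length else 0x00
    return struct.pack("!BBHBB", 2, 1, 6 + len(tls), eap_type, flags) + tls

if __name__ == "__main__":
    print(client_hello_version(sample_packet(25, 0x0301)))
```

The version that matters is the one inside the handshake body, not the record-layer version in the 5-byte header, which many clients set to 0x0301 regardless of what they support.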
