03-08-2017 03:37 AM - edited 03-11-2019 12:31 AM
Hi!
I am trying to authenticate a Xerox WorkCentre 7120 printer on Cisco ISE 2.2, using PEAP-MSCHAPv2.
The printer cannot authenticate due to the following error:
12986 Client requested TLSv1.0 that is not allowed.
Digging more into the error message it says:
Resolution: Configure supplicant to use a more advanced TLS version 1.1 or 1.2. If supplicant doesnt support TLS version 1.1 or higher, allow TLS 1.0 in security settings.
As the printer does not seem to have any TLS settings to change, I have to do it on Cisco ISE.
So, I have entered: Administration -> System -> Settings -> Protocols -> EAP-FAST -> Security Settings -> Allow TLS 1.0 for Legacy Servers. Actually, it was already enabled by default.
Still, the same error message occurs.
Any ideas?
Thanks!
03-08-2017 05:39 AM
To allow Cisco ISE to authenticate such legacy devices, after upgrade to Release 2.1, ensure that you update the Allowed Protocols configuration as follows:
1. From the Admin portal, choose Policy > Policy Elements > Authentication > Allowed Protocols.
2. Edit the Allowed Protocols service and check the Allow weak ciphers for EAP check box.
(should be the same for ISE 2.2??)
03-08-2017 05:40 AM
Yep:
If you have legacy devices such as old IP phones that use these deprecated ciphers authenticating against Cisco ISE, the authentication fails because these devices use legacy ciphers. To allow Cisco ISE to authenticate such legacy devices, after upgrade to Release 2.2, ensure that you update the Allowed Protocols configuration as follows:
From the Admin portal, choose Policy > Policy Elements > Authentication > Allowed Protocols.
Edit the Allowed Protocols service and check the Allow weak ciphers for EAP check box.
Click Submit.
http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/upgrade_guide/b_ise_upgrade_guide_22/b_ise_upgrade_guide_22_chapter_0100.html
03-08-2017 05:42 AM
Hi!
Thank you, but Allow weak ciphers is already enabled, but still nothing.
09-08-2017 08:41 AM
Thanks. What if you can't enable the legacy support feature? For instance, macOS is sending its requests via TLS 1.0. I haven't seen any documentation from Apple for changing this.