Hello
I'm sure all of us would love to disable TLS 1.0/1.1 support in ISE to improve security, but there's always something in the network that seems to make this dream impossible. I discovered today that CTS uses EAP-FAST under the covers, and on the 3850 where I was capturing the traffic, it was using TLS 1.0 in the TLS Handshake Client Hello. I never wanted CTS and I have no need for it, but because all the devices are provisioned with the latest version of DNAC, we get CTS whether we like it or not.
- Is it possible to disable the CTS stuff when provisioning network devices?
- Is there a TLS 1.2 version of EAP-FAST for CTS? Some of our network switches are 3850 and 16.12 is the latest IOS-XE.
I read in some Community post that CTS can be done via REST API but you need IOS-XE 17.X. Even if I had a network with that version of code, does DNAC do all the hard work, and then no longer use EAP-FAST?
Thanks for any advice.
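The post's observation came from reading the Client Hello in a capture; the script below is an added example (not from the original post or from Cisco) that parses the TLS ClientHello carried inside EAP-FAST and reports the highest version the peer offers, so an audit can tell TLS 1.0-only supplicants from ones that also advertise 1.2/1.3 via the supported_versions extension. The ClientHello records it checks are constructed samples, not captured switch traffic.

```python
# Added example (not the original post's code): parse a TLS ClientHello, as carried
# inside EAP-FAST, and report the highest TLS version the client offers.
import struct

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def client_hello_versions(record: bytes):
    """Return (client_version, supported_versions list) offered in a ClientHello."""
    if len(record) < 11 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:                         # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                        # skip client random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    supported = []                  # TLS 1.0/1.1 clients send no supported_versions ext
    if pos + 2 <= len(body):                            # extensions are optional
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            if etype == 0x002B:                         # supported_versions (RFC 8446)
                supported = [struct.unpack("!H", data[i:i + 2])[0]
                             for i in range(1, 1 + data[0], 2)]
            pos += 4 + elen
    return client_version, supported

def highest_offered(record: bytes) -> str:
    """Name of the highest version offered, e.g. 'TLS 1.0' for a legacy EAP-FAST peer."""
    cv, sup = client_hello_versions(record)
    return VERSION_NAMES.get(max([cv] + sup), "unknown")

def build_client_hello(version: int, supported=()) -> bytes:
    """Constructed sample ClientHello (not captured traffic), for exercising the parser."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"            # random, empty sid
    body += struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"           # one suite, null compression
    ext = b""
    if supported:
        vs = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HH", 0x002B, len(vs) + 1) + bytes([len(vs)]) + vs
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feed `highest_offered` the reassembled TLS record from the EAP-FAST Start/Response exchange in a capture; a result of "TLS 1.0" with an empty supported_versions list is the case the post describes.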