How to disable TLS 1.0 in ISE when DNAC is used to provision devices?

Arne Bier
VIP

Hello

I'm sure all of us would love to disable TLS 1.0/1.1 support in ISE to improve security, but there's always something in the network that seems to make this dream impossible. I discovered today that CTS uses EAP-FAST under the covers, and on the 3850 where I was capturing the traffic, it was using TLS 1.0 in the TLS Handshake Client Hello. I never wanted CTS and I have no need for it, but because all the devices are provisioned with the latest version of DNAC, we get CTS whether we like it or not.

  • Is it possible to disable the CTS stuff when provisioning network devices?
  • Is there a TLS 1.2 version of EAP-FAST for CTS? Some of our network switches are 3850 and 16.12 is the latest IOS-XE.

I read in some Community post that CTS can be done via the REST API, but you need IOS-XE 17.X. Even if I had a network with that version of code, does DNAC do all the hard work and then no longer use EAP-FAST?

Thanks for any advice.


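Before turning TLS 1.0/1.1 off on the ISE side, the practical first step is to inventory which peers still offer those versions, so the capture described above is exactly the right starting point. The script below is an added example for this thread, not code from the poster or from Cisco. It parses a raw TLS ClientHello record and reports the versions the client offers, reading the supported_versions extension when present and falling back to client_version otherwise. For EAP-FAST the TLS record sits inside EAP over RADIUS; the example assumes that extraction from the pcap has already been done and the record bytes are in hand. The two sample ClientHellos are constructed for the example (a TLS 1.0-only peer and a peer offering 1.2/1.3); none of the bytes come from a real capture.

```python
"""Report which protocol versions a TLS ClientHello offers.

Added example for this thread (not Cisco's or the poster's code). Feed it the
raw TLS record bytes of a ClientHello taken from a capture; for EAP-FAST the
record is carried inside EAP over RADIUS, and extracting it from the pcap is
assumed to have been done already. The sample records below are constructed.
"""
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B   # supported_versions extension id (RFC 8446)
TLS_1_2 = 0x0303


def build_client_hello(client_version, supported_versions=None):
    """Assemble a minimal ClientHello record (constructed test data only)."""
    body = struct.pack("!H", client_version)
    body += b"\x11" * 32                          # 32-byte client random
    body += b"\x00"                               # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
    body += b"\x01\x00"                           # null compression only
    if supported_versions is not None:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_body = bytes([len(vers)]) + vers
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_body)) + ext_body
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # The record-layer version is 0x0301 on the wire regardless of what the
    # client actually supports; never read it as the offered version.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def offered_versions(record):
    """Return the sorted list of protocol versions the ClientHello offers."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                   # handshake type + 3-byte length
    client_version = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 32                             # client_version + random
    pos += 1 + hs[pos]                        # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                        # compression_methods
    versions = set()
    if pos + 2 <= len(hs):                    # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + elen]
            if etype == EXT_SUPPORTED_VERSIONS and data:
                n = data[0] // 2              # list length in bytes -> entries
                versions.update(struct.unpack("!%dH" % n, data[1:1 + 2 * n]))
            pos += 4 + elen
    if not versions:
        # Pre-1.3 clients signal only a ceiling: they accept anything at or
        # below client_version, so that is the best value we have.
        versions.add(client_version)
    return sorted(versions)


def max_version(record):
    """Highest version the client is able to negotiate."""
    return offered_versions(record)[-1]


def breaks_without_legacy_tls(record):
    """True if the client cannot reach TLS 1.2, i.e. it will fail once
    TLS 1.0/1.1 are disabled on the server."""
    return max_version(record) < TLS_1_2


if __name__ == "__main__":
    samples = {
        "legacy EAP-FAST peer (constructed)": build_client_hello(0x0301),
        "modern peer (constructed)": build_client_hello(0x0303, [0x0304, 0x0303]),
    }
    for name, rec in samples.items():
        offered = ", ".join(VERSION_NAMES.get(v, hex(v)) for v in offered_versions(rec))
        print(f"{name}: offers {offered}; breaks if 1.0/1.1 disabled: "
              f"{breaks_without_legacy_tls(rec)}")
```

A peer like the 3850 in the situation above shows up as client_version 0x0301 with no supported_versions extension, so `max_version` reports TLS 1.0 and `breaks_without_legacy_tls` is true; run the same check over every ClientHello in the capture and the resulting list is the set of devices that need a fix before TLS 1.0 can go.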
Accepted Solution

@Arne Bier, ISE 3.4 added an enhancement for PAC-less RADIUS communications for TrustSec.

I would expect the plan for Catalyst Center will be to implement this method to mitigate issues around the requirement for TLS 1.0 in the EAP-FAST PAC communication.
It is only supported on network devices with IOS-XE version 17.15.1 or higher, so I realise that doesn't help with your 3850s, but that platform reaches End of Support next year, so I don't think there are any options with those.
