ISE 2.6 failed TLS 1.1 handshake with Cisco Phone 802.1x

mhryckowian
Level 1

We are using Cisco 7962G and 7942G model IP Phones and attempting to authenticate them to our ISE 2.6 servers using 802.1x LSC certificates.


My test phone successfully installed the LSC cert, CUCM CAPF cert was imported into ISE, phone set for 802.1x, and ISE authentication / authorization rules were defined based on Cisco ISE Deployment for Wired Network Access guides.


It appears that these model phones only support TLS 1.0 / 1.1, so I checked "Allow TLS 1.1" on the ISE Security Settings page.

[Screenshot attachment: ISE-Security-Settings.PNG]

But the RADIUS Authentication details still indicate that TLS 1.1 is not allowed.

[Screenshot attachment: RADIUS-Auth-Details.png]

Any assistance is greatly appreciated.

3 Replies

Mike.Cifelli
VIP Alumni
My first assumption would be that it tried to use TLS1.0. The error message says it tried to use one or the other. My recommendation would be to enable TLS1.0, disable 1.1, then run the test again. This way you can identify if it throws same error or if the end node is truly using 1.0. Good luck & HTH!

Mike,

Thanks for the reply. I was figuring that would have to be my next step, but I was hoping there was something else I was missing. Changing this option requires the ISE servers to restart, so I will do this after hours tonight and see what happens.

Thanks again for your help.

By enabling TLS 1.0, the phone was able to perform a portion of the handshake, revealing another issue. It appears that the current firmware on these model phones is using older/weaker ciphers. Given the security implication of enabling ISE to accept weaker ciphers, we are going to have to use MAB authentication for our 7962/7965 model Cisco IP Phones.

Thanks,

Mitchell
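Added example, not from the thread and not Cisco or ISE code: a small Python model of the two-stage failure Mitchell describes, where the TLS version is rejected first and a cipher-suite mismatch only becomes visible once the legacy version is allowed. The server policy, the "Allow TLS 1.x" toggle and the phone's cipher list are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# TLS record-layer version numbers, so "<=" means "not newer than".
TLS_VERSIONS = {"TLS1.0": 0x0301, "TLS1.1": 0x0302, "TLS1.2": 0x0303}

@dataclass(frozen=True)
class ServerPolicy:
    allowed_versions: frozenset
    allowed_ciphers: tuple  # server preference order

@dataclass(frozen=True)
class ClientHello:
    max_version: str
    ciphers: tuple

def negotiate(policy: ServerPolicy, hello: ClientHello):
    """Return (ok, detail) in the order a real handshake decides things:
    protocol version first, cipher suite second. A version rejection ends
    the handshake before ciphers are compared, which is why the cipher
    problem in the thread only appeared once TLS 1.0 was enabled."""
    usable = [v for v in policy.allowed_versions
              if TLS_VERSIONS[v] <= TLS_VERSIONS[hello.max_version]]
    if not usable:
        return False, (f"version rejected: client offers up to {hello.max_version}, "
                       f"server allows {sorted(policy.allowed_versions)}")
    version = max(usable, key=TLS_VERSIONS.__getitem__)
    shared = [c for c in policy.allowed_ciphers if c in hello.ciphers]
    if not shared:
        return False, f"{version} agreed, but no cipher suite in common"
    return True, f"{version} with {shared[0]}"

def allow_versions(policy: ServerPolicy, *versions: str) -> ServerPolicy:
    """Models the 'Allow TLS 1.x' checkbox: widens the version set only;
    the accepted cipher list is left unchanged (assumption)."""
    return ServerPolicy(policy.allowed_versions | frozenset(versions),
                        policy.allowed_ciphers)

# Constructed values for illustration; the thread names no actual cipher suites.
MODERN_POLICY = ServerPolicy(frozenset({"TLS1.2"}),
                             ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",))
LEGACY_PHONE = ClientHello("TLS1.0", ("TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                                      "TLS_RSA_WITH_RC4_128_SHA"))

if __name__ == "__main__":
    for label, policy in [("TLS 1.2 only", MODERN_POLICY),
                          ("plus TLS 1.1", allow_versions(MODERN_POLICY, "TLS1.1")),
                          ("plus TLS 1.0/1.1", allow_versions(MODERN_POLICY, "TLS1.0", "TLS1.1"))]:
        print(f"{label:18} -> {negotiate(policy, LEGACY_PHONE)}")
```

Enabling only TLS 1.1 still fails at the version step for a TLS 1.0 client, matching the symptom in the original post; only after TLS 1.0 is allowed does the cipher mismatch surface, and the fix for that would be weakening the server's cipher list rather than a version toggle.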