I'm trying to authenticate a SIP-T31G (Yealink IP Phone) with ISE via 802.1X, but I'm facing some issues. The IP Phone doesn't authenticate and ISE shows error logs as failed TLS handshake.
Config in the IP Phone side:
AuthC via PEAP-MSCHAPv2;
User and Passwd inserted;
I have selected the option to accept untrusted certificate, just to discard the possibility of the Phone didn't trust the ISE presented cert;
Config in the ISE side:
Allowed Protocol allowing PEAP with MSCHAPv2;
Allowing EAPv0 (I have tested with and without this option);
Allowing Weak Ciphers (I have tested with and without this option);
I also have tested with the default Allowed Protocols, but the same result
Just configured to send the voice vlan to the switch;
Conditions: Wired_802.1X and AD Group;
Result: Voice Vlan AuthZ Profile
This same policy is working okay with a Grandstream IP Phone, but with the Yealink the errors about the handshake occur. Other dot1x policies for User or Machine authentication are also working okay.
The Yealink IP Phone is authenticating normally, with the same config described above, with the Windows NPS Server. I saw the NPS policies and they are the same I have configured in ISE.
In a packet capture, we can see that ISE tried to request an EAP-TLS response from the IP Phone, but the IP Phone answered with a "Legacy NAK". After that, a new request is sent with PEAP, the endpoint returns the response, but then the switch/ISE sends a failure message as reply.
PS.: The switch used in this environment is a Meraki MS210.
Can it be a compatibility problem between ISE and Yealink?
Please, see below the ISE log and a snippet of the packet capture.
I have analyzed the entire flow in the packet capture and can see that the endpoint was sending hello via TLSv1 and Cisco ISE was rejecting. So, as you suggested, I have enabled the TLSv1 in the ISE's Security Settings and the authentication works okay.
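As an added illustration (not from the original thread), here is a small Python decoder for the EAP exchange the post describes: it flags the Legacy NAK and reads the TLS version the PEAP supplicant offers in its ClientHello, which is what a capture reviewer needs to spot the TLSv1 mismatch. The packet bytes are constructed to mirror the described flow, not taken from the real capture.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Legacy NAK", 13: "EAP-TLS", 25: "PEAP"}
TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet (RFC 3748); for PEAP, also read the TLS ClientHello version."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (3, 4):                      # Success/Failure carry no Type field
        return info
    eap_type = pkt[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    data = pkt[5:length]
    if eap_type == 3:                       # Legacy NAK: peer lists the method(s) it accepts instead
        info["wants"] = [EAP_TYPES.get(t, t) for t in data]
    elif eap_type == 25:                    # PEAP: flags byte, optional 4-byte TLS length, TLS records
        tls = data[5:] if data[0] & 0x80 else data[1:]
        if len(tls) >= 11 and tls[0] == 0x16 and tls[5] == 0x01:   # handshake record, ClientHello
            hello_ver = struct.unpack("!H", tls[9:11])[0]
            info["client_hello_version"] = TLS_VERSIONS.get(hello_ver, hex(hello_ver))
    return info

def diagnose(flow: list) -> list:
    """Walk a dot1x EAP exchange and report the method negotiation and offered TLS version."""
    findings = []
    for pkt in flow:
        p = parse_eap(pkt)
        if p.get("type") == "Legacy NAK":
            findings.append(f"supplicant NAKed the offered method, wants {p['wants']}")
        ver = p.get("client_hello_version")
        if ver:
            findings.append(f"PEAP ClientHello offers {ver}")
            if ver in ("TLSv1.0", "TLSv1.1"):
                findings.append(f"{ver} must be allowed in the RADIUS server's TLS settings "
                                "(ISE: Security Settings) or the handshake is rejected")
        if p["code"] == "Failure":
            findings.append("EAP-Failure sent by authenticator")
    return findings

def _eap(code: int, ident: int, body: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed TLS 1.0 ClientHello: record header + handshake header + client_version + minimal fields
_HS_BODY = b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
_HS = b"\x01" + len(_HS_BODY).to_bytes(3, "big") + _HS_BODY
CLIENT_HELLO_TLS10 = b"\x16\x03\x01" + struct.pack("!H", len(_HS)) + _HS

SAMPLE_FLOW = [                                            # constructed, mirrors the post's capture
    _eap(1, 1, bytes([13, 0x20])),                         # Request: EAP-TLS start
    _eap(2, 1, bytes([3, 25])),                            # Response: Legacy NAK, wants PEAP
    _eap(1, 2, bytes([25, 0x20])),                         # Request: PEAP start
    _eap(2, 2, bytes([25, 0x00]) + CLIENT_HELLO_TLS10),    # Response: PEAP carrying TLSv1.0 ClientHello
    _eap(4, 2, b""),                                       # Failure from switch/ISE
]
```

Running `diagnose(SAMPLE_FLOW)` on a flow decoded from a real capture (for example exported from Wireshark as raw EAP payloads) points directly at the offered TLS version instead of the generic "failed TLS handshake" seen in the ISE log.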