03-17-2020 09:01 AM
Hello Dear Community
I hope you can help me to clarify a simple question about clients authenticating using dot1x.
The environment:
Authenticator Server: ISE running 2.4
Authenticator: Catalyst 2960-X
Supplicant: A printer dealing only with TLSv1.0
My problem is: there are about 70 printers that can only deal with TLSv1.0 while authenticating. Replacing them all is not an option right now and, based on the vendor, there is currently no firmware upgrade to improve this situation.
While authenticating, an error occurs stating that the client is trying to use a lower version than TLSv1.2.
My question is:
Will going to System -> Security Settings and allowing legacy versions of TLS also allow these insecure protocols for the HTTPS Portal of ISE?
I hope my question was clearly formulated.
Thanks in advance for your input
Regards,
03-17-2020 10:29 AM
- Below are a few threads which you may want to review concerning the issue; in the first one I notice a passage from Mr. haslai stating: "The security settings in ISE 2.3 do not affect ISE web portals, such as sponsor and guest. ISE 2.4 has not yet been released so please check it out at http://cs.co/ise-beta". I tend to think it will be the same in 2.4.
https://community.cisco.com/t5/network-access-control/cisco-ise-tls/m-p/3549414
https://community.cisco.com/t5/network-access-control/ise-legacy-cipher-suites/td-p/3056777
M.
03-17-2020 09:16 AM
- Since you have a very specific printer model for which you want to resolve this, would it not be best to try it out?
M.
03-17-2020 09:26 AM
Hello marce1000
Thanks for replying so quickly. Sure, this is an option.
Applying for such a change implies a bit of paperwork inside the company.
Therefore I first need to double-check with the security team before I can apply a change in the system. I also have not been provided with a test environment, and I couldn't find a clear statement regarding this option in the documentation.
I must be sure my changes won't affect the HTTPS Portal by allowing weak ciphers. I want only clients to be authenticated with the weak cipher.
Regards,