Supplicant device won't connect to new CISCO ISE 2.7 RADIUS server with TLS1.1

deadlys00
Level 1

We've had an issue when implementing a new CISCO ISE RADIUS server, in which our supplicant devices are struggling to authenticate a connection. They use an SSL3 protocol to authenticate the connection, which is rejected by the Cisco server which is TLS1.1. 

The error we got originally was this one:

  • ‘Client didn’t provide suitable ciphers’: ‘Check that the supplicant and ISE have intersection in configured cipher lists. If the supplicant is configured to use only cipher groups that are disabled in ISE security configuration (like SHA1 or 3DES ciphers) consider upgrading the supplicant to use more secure ciphers. As the last option consider allowing less secure ciphers in ISE while doing this can cause essential security weaknesses and is not recommended’

This was fixed by adding a special kernel to the supplicant device, which added the complete OpenSSL package (v1.0.0d).

This seemed to mean that the handshake was made, but we got a new connection error after this:

  • 11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed.  Resolution - Ensure that the supplicant is correctly configured. Verify that supplicant has at least one EAP method configured.
  • Root cause - In previous EAP message ISE started an EAP method selected by Authentication Policy. Supplicant declined this EAP method by sending EAP NAK message but did not propose another EAP method that it is ready to conduct. Owing to this, EAP-negotiation failed.

Do you know how I can solve this error?
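What the 11510 message describes on the wire, as an added Python example that is not part of this thread: it decodes an EAP-Response/Nak as laid out in RFC 3748 and flags the case where the supplicant declines the offered method without proposing another. The packets are constructed here, not captured from the poster's network; the method type numbers are the IANA-registered EAP types.

```python
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_NAK = 3
# IANA-assigned EAP method types (RFC 3748 and the individual method RFCs)
EAP_METHOD_NAMES = {
    4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS",
    25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST",
}


def parse_eap_nak(packet: bytes) -> dict:
    """Decode a legacy EAP-Response/Nak (RFC 3748 section 5.3.1).

    Returns the method types the supplicant proposes instead. A Nak whose
    Type-Data is only type 0 (or empty) means "no viable alternative", which
    is the situation ISE reports as failure 11510.
    """
    if len(packet) < 5:
        raise ValueError("EAP packet shorter than header plus Type octet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length field {length} != {len(packet)} bytes")
    if code != EAP_CODE_RESPONSE:
        raise ValueError(f"not an EAP-Response (code {code})")
    if packet[4] != EAP_TYPE_NAK:
        raise ValueError(f"not a Nak (type {packet[4]})")
    # Legacy Nak Type-Data is one octet per desired method; 0 = no alternative.
    proposed = [t for t in packet[5:] if t != 0]
    return {
        "identifier": ident,
        "proposed": proposed,
        "proposed_names": [EAP_METHOD_NAMES.get(t, f"type-{t}") for t in proposed],
        "negotiation_failed": not proposed,
    }


def build_eap_nak(ident: int, desired: list) -> bytes:
    """Construct an EAP-Response/Nak carrying the given desired method types."""
    body = bytes([EAP_TYPE_NAK] + desired)
    return struct.pack("!BBH", EAP_CODE_RESPONSE, ident, 4 + len(body)) + body


# Constructed sample packets (not captured from the poster's network).
NAK_WITH_ALTERNATIVES = build_eap_nak(ident=5, desired=[25, 13])  # proposes PEAP or EAP-TLS
NAK_NO_ALTERNATIVE = build_eap_nak(ident=6, desired=[0])          # the 11510 case

if __name__ == "__main__":
    for pkt in (NAK_WITH_ALTERNATIVES, NAK_NO_ALTERNATIVE):
        print(parse_eap_nak(pkt))
```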

3 Replies

Marvin Rhoads
Hall of Fame

Please check your ISE server under Administration > System > Settings > Security Settings. There you will see boxes to enable TLS 1.0 and TLS 1.1. (TLS 1.2 is the default and preferred transport and cannot be changed.)

Hover over the information icon for each to see the affected services that potentially used the less secure TLS versions.

Thank you 10/10 person.

hslai
Cisco Employee

OpenSSL 1.0.0d was released in 2011 (10 years ago) so it's too old and has lots of vulnerabilities. Please update to a recent release.