TLS 1.1 on ACS 4.1

Adir G
Level 1

Hi,

Do you know if I can use TLS 1.1 with Cisco ACS 4.1.1 for Windows?

Thx

3 Replies

Arne Bier
VIP

I assume you're talking about TLS in the context of securing the EAP tunnel? I don't know of a clever way of testing that, but in general, web servers are easy to test using the free OpenSSL tool suite.

You could try using the OpenSSL client (macOS, Linux or Windows) when testing HTTPS services (such as portals).

I have an ISE 2.3 system (just for testing purposes, you would of course point this to your ACS server and see if you get a connection) called ise01.vm.lab.

In my CentOS client I would use the syntax

 

[abier@centos]$ openssl  s_client  -connect  ise01.vm.lab:443  -tls1_1
CONNECTED(00000003)
depth=1 CN = MEGA-MEGASERVER-CA
verify error:num=19:self signed certificate in certificate chain
verify return:0

 

The eapol_test command from the FreeRADIUS Radtest suite (free) can be used to perform EAP-PEAP/TLS authentication to your ACS server using TLS 1.0 (I use it all the time in my labs).

I was able to confirm that if I disable TLS 1.0 in ISE, my eapol_test attempt fails. If there was a way to make eapol_test use TLS 1.1 then you'd have the perfect solution to your problem.
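
Added example (not part of the original thread or of any poster's reply): a way to read the result of the `openssl s_client -tls1_1` check shown above, since `CONNECTED(...)` alone only proves the TCP connection opened. The helper names `classify_handshake` and `probe_tls` are hypothetical, and both sample outputs are constructed in the style of s_client output.

```shell
#!/bin/sh
# Added example, not from the thread. classify_handshake and probe_tls are
# hypothetical helper names; the two sample outputs are constructed.

# Read `openssl s_client` output on stdin and print
# "accepted <protocol> <cipher>" or "rejected".
# CONNECTED(...) only shows the TCP connect, and a Protocol line can be
# printed even when the handshake failed, so the negotiated cipher decides.
classify_handshake() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            if (proto == "" || cipher == "" || cipher == "0000" || cipher == "(NONE)")
                print "rejected"
            else
                print "accepted", proto, cipher
        }'
}

# probe_tls HOST PORT FLAG, e.g.: probe_tls ise01.vm.lab 443 -tls1_1
probe_tls() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# Constructed sample: handshake completed with TLS 1.1.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA'

# Constructed sample: TCP connected, server refused the protocol version.
SAMPLE_FAIL='CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

printf '%s\n' "$SAMPLE_OK"   | classify_handshake   # accepted TLSv1.1 AES256-SHA
printf '%s\n' "$SAMPLE_FAIL" | classify_handshake   # rejected
```

A "rejected" result can also mean the local OpenSSL build or its security policy refuses TLS 1.1 on the client side, so read the error text in the raw output before attributing the failure to the server.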

 

 

 

 

Hi,

 

I didn't try it

 

I just need to know if Cisco ACS 4.1 server edition does support TLS 1.1

 

 

I doubt it since ACS 4.1 has been end of sales for something like 8+ years.

 

However, if you perform the simple check that Arne suggested against your ACS server, it will give you an answer in less than a minute.

 

You can also use nmap with the enum-ciphers option. 

 

https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html

 

If you are still using it in an environment that is being audited for compliance, its ability or inability to use TLS 1.1 is the least of your problems.