- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-29-2019 04:26 PM
I am configuring TrustSec on an ISE node & Catalyst 6807 Switch. I configured NDAC & EAP-FAST on the Catalyst 6807 Switch and the ISE node so they can create a secure RADIUS channel between them for the TrustSec solution. TLS 1.0 is disabled on the ISE node, and when the Catalyst 6807 Switch tries to perform the TLS handshake with the ISE node, TLS negotiation fails. The RADIUS Live Logs on the ISE node show the following failure reason:
"Client requested TLSv1.0 or TLSv1.1 that is not allowed"
It seems the Catalyst 6807 Switch (RADIUS Client) is sending a TLS Client Hello message with support for only TLS version 1.0. Is it possible to configure the Catalyst 6807 Switch to send a TLS Client Hello message with support for TLS version 1.1 during the TLS handshake with the ISE node? I have a requirement in my Customer’s network environment where TLS version 1.0 isn't enabled. I would greatly appreciate any feedback.
Solved! Go to Solution.
- Labels:
-
Identity Services Engine (ISE)
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-04-2019 08:55 AM
This PAC provisioning uses TLS 1.0 since the network device uses TLS 1.0 for the PAC requests. We are working towards a solution to remove the requirement for PAC provisioning for SGACL/Environmental data from the network device. The main reason is today we are using a pre-shared key which would be derived from the PAC and even with a very long pre-shared key of the PAC we are not adding any real security to the RADIUS request. Hence we are coming with a PAC-less solution which should be out some time this year. BTW we always recommend DTLS for real security of the RADIUS transactions.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-04-2019 08:55 AM
This PAC provisioning uses TLS 1.0 since the network device uses TLS 1.0 for the PAC requests. We are working towards a solution to remove the requirement for PAC provisioning for SGACL/Environmental data from the network device. The main reason is today we are using a pre-shared key which would be derived from the PAC and even with a very long pre-shared key of the PAC we are not adding any real security to the RADIUS request. Hence we are coming with a PAC-less solution which should be out some time this year. BTW we always recommend DTLS for real security of the RADIUS transactions.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-15-2021 01:14 PM
Hello, has a PAC-less solution been released for SGACL/Env data as noted in the response? I don't know of any and the response was posted over 2 years ago? All my network devices are also attempting to negotiate TLS 1.0, and thus failing when TLS 1.0 and TLS 1.1 are disabled.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-15-2021 02:18 PM
Yes, ISE 2.7 and 3.0 support REST API based pac/SGACL/Environment data provisioning dropping the need for TLS 1.0. This document outlines it and it is available on 17.1+ IOS-XE software.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-16-2021 08:49 AM
Thank you Damien! I appreciate your help very much.
So from this information, am I correct in my understanding that if my installation includes ISE v2.6 operating as a TrustSec server, with my switches operating as TrustSec clients having SGACL/Environment data provisioned via PAC, that I'll not be able to disable TLS1.0/1.1 without breaking my CTS domain?
Thanks again for your help.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-16-2021 09:31 AM
That's correct, you won't be able to disable TLS 1.0 until all of your TrustSec enabled NADs are running on IOS-XE 17.x and reconfigured to leverage the Rest API functionality. Disabling TLS 1.0 with the traditional TrustSec provisioning method will break the capability.