08-15-2019 12:46 PM - edited 08-15-2019 12:50 PM
Hello,
I'm trying to set up NEAT with Cisco ISE. This is my scenario:
ISE version 2.4 patch 5, TLS 1.0 and 1.1 disabled
Authenticator SW: 4500 running 03.09.00.E
Supplicant SW: 2960CX running 15.2(4)E2
How can I change the TLS version on my supplicant SW? When I'm trying to authenticate the SW, ISE rejects it because of the TLS version that the SW is trying to negotiate:
RADIUS Protocol
    Code: Access-Challenge (11)
    Packet identifier: 0x78 (120)
    Length: 151
    Authenticator: a193b5e781dd35c7107560654d5dfeb2
    [This is a response to a request in frame 4176]
    [Time from request: 0.004227000 seconds]
    Attribute Value Pairs
        AVP: t=State(24) l=85 val=333743504d53657373696f6e49443d304135303035423430…
        AVP: t=EAP-Message(79) l=28 Last Segment[1]
            Type: 79
            Length: 28
            EAP fragment: 0146001a2b210004001051457d84255d1e972518fd3c9dc6…
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 70
                Length: 26
                Type: Flexible Authentication via Secure Tunneling EAP (EAP-FAST) (43)
                EAP-TLS Flags: 0x21
                    0... .... = Length Included: False
                    .0.. .... = More Fragments: False
                    ..1. .... = Start: True
                    .... .001 = Version: 1
                Transport Layer Security
        AVP: t=Message-Authenticator(80) l=18 val=417bc0983cf917f333a3c70f495e1eb6
If there's a way that I can change the TLS version on the SW, then ISE will authenticate it.
Thanks
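As an added example, not part of the original post or of any Cisco tool: the Python below decodes the EAP-FAST Start packet whose header appears in the EAP fragment above (code 1, id 70, length 26, type 43, flags 0x21) and then reads the TLS version a supplicant offers in the ClientHello that follows such a Start. The point it makes is that the "Version: 1" in the dissector output is the EAP-FAST method version from the flags byte, not the TLS version; the TLS version ISE objects to is in the supplicant's ClientHello in the next Access-Request. The 16-byte Authority-ID (A-ID) value and the ClientHello bytes are constructed for the example, since the capture is truncated.

```python
"""Decode an EAP-FAST Start packet and the TLS version offered in a ClientHello.
Added example; sample inputs are constructed here, not taken from a real capture."""
import struct

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_FAST = 43          # EAP method type for EAP-FAST (RFC 4851)
TLV_AUTHORITY_ID = 4        # A-ID TLV sent in the EAP-FAST Start
EXT_SUPPORTED_VERSIONS = 43 # TLS extension used by TLS 1.3 clients
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Header bytes mirror the capture above; the A-ID is a constructed placeholder.
A_ID = bytes(range(0x10, 0x20))
EAP_FAST_START = (bytes.fromhex("0146001a2b21")
                  + struct.pack("!HH", TLV_AUTHORITY_ID, len(A_ID)) + A_ID)


def parse_eap_fast(pkt: bytes) -> dict:
    """Parse an EAP packet of type 43 (EAP-FAST), including its flags byte.
    The low three flag bits carry the EAP-FAST version, not the TLS version."""
    if len(pkt) < 6:
        raise ValueError("EAP packet too short")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
    if length != len(pkt):
        raise ValueError(f"EAP length {length} != {len(pkt)} bytes on the wire")
    if eap_type != EAP_TYPE_FAST:
        raise ValueError(f"not EAP-FAST: EAP type {eap_type}")
    info = {"code": EAP_CODE.get(code, code), "id": ident, "length": length,
            "length_included": bool(flags & 0x80),
            "more_fragments": bool(flags & 0x40),
            "start": bool(flags & 0x20),
            "eap_fast_version": flags & 0x07, "a_id": None}
    body = pkt[6:]
    if info["length_included"]:
        body = body[4:]  # skip the 4-byte total TLS message length
    if info["start"] and len(body) >= 4:
        tlv_type, tlv_len = struct.unpack("!HH", body[:4])
        if tlv_type == TLV_AUTHORITY_ID and len(body) >= 4 + tlv_len:
            info["a_id"] = body[4:4 + tlv_len].hex()
    return info


def tls_client_hello_version(rec: bytes) -> str:
    """Return the highest TLS version a ClientHello offers: legacy client_version,
    raised by any known version listed in a supported_versions extension."""
    if len(rec) < 5 or rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
    if len(hs) < 6 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    best = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 <= len(body):                       # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS:
                vers = body[pos + 1:pos + elen]    # 1-byte list length, then pairs
                for i in range(0, len(vers) - 1, 2):
                    v = struct.unpack("!H", vers[i:i + 2])[0]
                    if v in TLS_VERSIONS:          # ignore GREASE values
                        best = max(best, v)
            pos += elen
    return TLS_VERSIONS.get(best, hex(best))


def build_client_hello(client_version: int, supported=()) -> bytes:
    """Build a minimal ClientHello record as constructed test input."""
    body = struct.pack("!H", client_version) + bytes(32)   # version + random
    body += b"\x00"                                        # empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"             # one cipher suite
    body += b"\x01\x00"                                    # null compression
    exts = b""
    if supported:
        vers = b"".join(struct.pack("!H", v) for v in supported)
        ext_body = bytes([len(vers)]) + vers
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_body)) + ext_body
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(parse_eap_fast(EAP_FAST_START))
    print(tls_client_hello_version(build_client_hello(0x0301)))
```

Run against the capture, `parse_eap_fast` reports `start=True`, `eap_fast_version=1` and the A-ID TLV, which is exactly the dissector output above and says nothing about TLS. To see why ISE refuses the supplicant, pull the EAP-Message from the supplicant's following Access-Request and feed the TLS record inside it to `tls_client_hello_version`; a switch image that only offers TLS 1.0 or 1.1 in the ClientHello cannot complete the tunnel when ISE has those versions disabled, no matter how the EAP-FAST flags look.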
08-21-2019 07:34 PM
This is due to switch platform support, so I moved it to Switching.
CSCuv27265 in Caveats Resolved in Cisco IOS Release 15.2(4)E2 is for HTTP support only, so I do not think this platform supports TLS 1.2 on EAP yet.
08-22-2019 06:06 AM
Thanks for the reply. I opened a Cisco TAC case and, after troubleshooting, they filed a new BUG/ENH to enable TLS 1.2 to support NEAT (CSCvq92091 - ENH Support for NEAT/CISP supplicant to use TLS 1.2 for authentication).