NEAT and Cisco ISE

pabloayalas
Level 1

Hello,

 

I'm trying to set up NEAT with Cisco ISE, this is my scenario:

 

ISE version 2.4 patch 5, TLS 1.0 and 1.1 disabled

Authenticator SW: 4500 running 03.09.00.E

Supplicant SW: 2960CX running 15.2(4)E2

 

How can I change the TLS version on my supplicant SW? When I'm trying to authenticate the SW, ISE rejects the SW because of the TLS version that the SW is trying to negotiate:

 

RADIUS Protocol
    Code: Access-Challenge (11)
    Packet identifier: 0x78 (120)
    Length: 151
    Authenticator: a193b5e781dd35c7107560654d5dfeb2
    [This is a response to a request in frame 4176]
    [Time from request: 0.004227000 seconds]
    Attribute Value Pairs
        AVP: t=State(24) l=85 val=333743504d53657373696f6e49443d304135303035423430…
        AVP: t=EAP-Message(79) l=28 Last Segment[1]
            Type: 79
            Length: 28
            EAP fragment: 0146001a2b210004001051457d84255d1e972518fd3c9dc6…
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 70
                Length: 26
                Type: Flexible Authentication via Secure Tunneling EAP (EAP-FAST) (43)
                EAP-TLS Flags: 0x21
                    0... .... = Length Included: False
                    .0.. .... = More Fragments: False
                    ..1. .... = Start: True
                    .... .001 = Version: 1
                Transport Layer Security
        AVP: t=Message-Authenticator(80) l=18 val=417bc0983cf917f333a3c70f495e1eb6

If there's a way that I can change the TLS version on the SW then ISE will authenticate it.

 

Thanks
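One way to confirm from a capture which TLS version a supplicant offers inside EAP-FAST, as an added example that is not part of the original post or of any Cisco tooling: it reads the ClientHello `client_version` from the supplicant's EAP-FAST response and compares it with a TLS 1.2 minimum, matching an ISE node with TLS 1.0 and 1.1 disabled. The function names and the sample packets are constructed for illustration, and the parser assumes the ClientHello starts in the first EAP fragment.

```python
import struct

EAP_FAST = 43                      # EAP method type, as shown in the capture above
TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def offered_tls_version(eap: bytes):
    """Return the ClientHello client_version carried in an EAP-FAST response, or None."""
    if len(eap) < 6:
        return None
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != 2 or eap_type != EAP_FAST or length > len(eap):
        return None                          # only responses (supplicant side) carry it
    flags = eap[5]
    pos = 6 + (4 if flags & 0x80 else 0)     # L bit set: 4-byte TLS message length follows
    tls = eap[pos:length]
    # TLS record header (5 bytes) + handshake header (4 bytes) + client_version (2 bytes)
    if len(tls) < 11 or tls[0] != 0x16 or tls[5] != 0x01:
        return None                          # not a handshake record starting a ClientHello
    return struct.unpack("!H", tls[9:11])[0]

def acceptable(eap: bytes, minimum=0x0303):
    """True when the supplicant offers at least `minimum` (assumed policy: TLS 1.2)."""
    version = offered_tls_version(eap)
    return version is not None and version >= minimum

def build_sample(client_version: int, length_included=False) -> bytes:
    """Constructed EAP-FAST response with a minimal ClientHello (not taken from the capture)."""
    body = (struct.pack("!H", client_version) + bytes(32)   # version + zeroed random
            + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00")  # session id, one suite, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    record = b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
    flags = 0x01 | (0x80 if length_included else 0)         # EAP-FAST version 1, optional L bit
    prefix = struct.pack("!I", len(record)) if length_included else b""
    payload = bytes([flags]) + prefix + record
    return struct.pack("!BBHB", 2, 71, 5 + len(payload), EAP_FAST) + payload

if __name__ == "__main__":
    for v in (0x0301, 0x0303):
        pkt = build_sample(v)
        print(TLS_NAMES.get(offered_tls_version(pkt)), "accepted:", acceptable(pkt))
```

The `Version: 1` bits in the flags byte are the EAP-FAST version, not the TLS version; the TLS version offered by the supplicant only appears in the ClientHello of its response.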

2 Accepted Solutions

hslai
Cisco Employee

This is due to switch platform support so I moved it to Switching.

CSCuv27265 in Caveats Resolved in Cisco IOS Release 15.2(4)E2 is for HTTP support only so I do not think this platform supports TLS 1.2 on EAP yet.


Thanks for the reply. I opened a Cisco TAC case and after troubleshooting they filed a new BUG/ENH to enable TLS1.2 to support NEAT (CSCvq92091 - ENH Support for NEAT/CISP supplicant to use TLS 1.2 for authentication).
