08-15-2019 12:46 PM - edited 08-15-2019 12:50 PM
Hello,
I'm trying to set up NEAT with Cisco ISE. This is my scenario:
ISE version 2.4 patch 5, TLS 1.0 and 1.1 disabled
Authenticator SW: 4500 running 03.09.00.E
Supplicant SW: 2960CX running 15.2(4)E2
How can I change the TLS version on my supplicant SW? When I try to authenticate the SW, ISE rejects it because of the TLS version that the SW is trying to negotiate:
RADIUS Protocol
    Code: Access-Challenge (11)
    Packet identifier: 0x78 (120)
    Length: 151
    Authenticator: a193b5e781dd35c7107560654d5dfeb2
    [This is a response to a request in frame 4176]
    [Time from request: 0.004227000 seconds]
    Attribute Value Pairs
        AVP: t=State(24) l=85 val=333743504d53657373696f6e49443d304135303035423430…
        AVP: t=EAP-Message(79) l=28 Last Segment[1]
            Type: 79
            Length: 28
            EAP fragment: 0146001a2b210004001051457d84255d1e972518fd3c9dc6…
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 70
                Length: 26
                Type: Flexible Authentication via Secure Tunneling EAP (EAP-FAST) (43)
                EAP-TLS Flags: 0x21
                    0... .... = Length Included: False
                    .0.. .... = More Fragments: False
                    ..1. .... = Start: True
                    .... .001 = Version: 1
                Transport Layer Security
        AVP: t=Message-Authenticator(80) l=18 val=417bc0983cf917f333a3c70f495e1eb6
If there's a way that I can change the TLS version on the SW then ISE will authenticate it.
Thanks
08-21-2019 07:34 PM
This is due to switch platform support so I moved it to Switching.
CSCuv27265 in Caveats Resolved in Cisco IOS Release 15.2(4)E2 is for HTTP support only, so I do not think this platform supports TLS 1.2 on EAP yet.
08-22-2019 06:06 AM
Thanks for the reply. I opened a Cisco TAC case and after troubleshooting they filed a new BUG/ENH to enable TLS1.2 to support NEAT (CSCvq92091 - ENH Support for NEAT/CISP supplicant to use TLS 1.2 for authentication).
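The flags byte in the dump above (0x21) carries the EAP-FAST method version, not the TLS version; the TLS version a supplicant offers appears in the ClientHello of its following EAP Response. The decoder below is an added example, not part of the original thread or any Cisco tool: `parse_eap_tls` and `sample_response` are hypothetical names, the Response packet is constructed, and `START` is only the visible prefix of the EAP fragment quoted in the post.

```python
import struct

TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_eap_tls(eap: bytes) -> dict:
    """Decode the header of a TLS-based EAP method packet (EAP-TLS 13, PEAP 25,
    EAP-FAST 43) and, if it carries a ClientHello, the TLS version offered."""
    if len(eap) < 6:
        raise ValueError("need at least code, id, length, type and flags")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", eap[:6])
    info = {
        "code": code, "id": ident, "length": length, "type": eap_type,
        "length_included": bool(flags & 0x80),
        "more_fragments": bool(flags & 0x40),
        "start": bool(flags & 0x20),
        "method_version": flags & 0x07,      # EAP-FAST/PEAP version, not TLS
        "truncated": length > len(eap),      # capture shorter than EAP length
        "client_hello": None,
    }
    body = eap[6:length]
    if info["length_included"]:
        body = body[4:]                      # skip 4-byte TLS message length
    # TLS record: type(1) version(2) length(2); handshake: type(1) length(3),
    # then client_version(2), the highest version a pre-1.3 client offers.
    if len(body) >= 11 and body[0] == 0x16 and body[5] == 0x01:
        ver = struct.unpack("!H", body[9:11])[0]
        info["client_hello"] = TLS_NAMES.get(ver, hex(ver))
    return info

def sample_response(client_version: int, ident: int = 70) -> bytes:
    """Constructed EAP-FAST Response with a minimal ClientHello (not a capture)."""
    hello = struct.pack("!H", client_version) + bytes(32) + b"\x00" \
        + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    record = b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
    return struct.pack("!BBHBB", 2, ident, 6 + len(record), 43, 0x01) + record

# Visible prefix of the EAP fragment in the post (the dump elides the rest).
START = bytes.fromhex("0146001a2b210004001051457d84255d1e972518fd3c9dc6")

if __name__ == "__main__":
    print(parse_eap_tls(START))
    print(parse_eap_tls(sample_response(0x0301))["client_hello"])
```

Run against the EAP-Message bytes of the supplicant's Response frame, a `client_hello` value below TLS 1.2 matches the rejection described when ISE has TLS 1.0 and 1.1 disabled.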