Solved: Re: TLS 1.2 support on Cisco APs

andy!doesnt!like!uucp · ‎05-30-2022

Gents

quick & short Q pls as i was not able to find answer in web.

where can i find compatibility matrix or more/less relevant info for subject?

one of our customers decided to keep TLS 1.2 only enabled on ISE (2.7) & number of APs previously successfully AuthC'ed against ISE by EAP-FAST(MSCHAPv2) with TLSv1.0 now just fail to AuthC. From what i understand thought EAP-FAST must support TLS 1.2 giving a hope that enforcing APs to use it must resolve issue. Any clues pls?

br andy

Nicolas Darchis · ‎05-31-2022

As hinted by the above, all IOS-based APs (i.e. before 11ac wave 2) do not support TLS 1.1/TLS 1.2 on any aspect (dot1x auth, dtls capwap encryption, etc ...)

View solution in original post

marce1000 · ‎05-30-2022

- FYI : https://community.cisco.com/t5/wireless/wlc-authenticating-on-radius-server-with-tls-1-2-802-1x/td-p/4258590

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

andy!doesnt!like!uucp · ‎05-30-2022

tnx. i saw this tread already. but how exactly we can move WLC & its APs to use TLS 1.2?

UPD. if i enable 1.2 for secureweb as per Solved: Enabling TLS for management access in WLC - Cisco Community

will it as well enforce APs to use TLS 1.2 ?

Flavio Miranda · ‎05-30-2022

You can use the command:

config ap dtls-version {dtls1.0 | dtls1.2 | dtls_all}

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/ap_connectivity_to_cisco_wlc.html

Flavio Miranda · ‎05-30-2022

Hi

What authentication you are talking about?

Your post suggest authentication between the AP and ISE?

" From what i understand thought EAP-FAST must support TLS 1.2 giving a hope that enforcing APs to use it must resolve issue. Any clues pls?"

Not following you. Is it autonomous AP deployment?

andy!doesnt!like!uucp · ‎05-30-2022

Hi Flavio

all APs r lightw8. different models. & yes it's about dot1x authentication LAP<>ISE with EAP-FAST(MSCHAPv2).

atm i'm looking for mapping of disjointed LAP(s)<>WLC & affected LAP(s) part# to discover any differences between affected & unaffected LAPs (yes there r still LAPs conducting either EAP-TLS or EAP-FAST(MSCHAPv2) with TLS 1.2 negotiated.

UPD. what i can state atm is that C9120AXI r not affected & always negotiate on suggested TLS 1.2. Even if connected to AIR-OS WLC 8.10.171.0 . but on the WLC i dont see any SSL/TLS restrictions (config looks to be default on this matter)

Flavio Miranda · ‎05-30-2022

Take a look on this doc.

This is for 8.10 but also fits in others versions.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/ap_connectivity_to_cisco_wlc.html

Nicolas Darchis · ‎05-31-2022

As hinted by the above, all IOS-based APs (i.e. before 11ac wave 2) do not support TLS 1.1/TLS 1.2 on any aspect (dot1x auth, dtls capwap encryption, etc ...)

andy!doesnt!like!uucp · ‎05-31-2022

no relevant info on TLS version for dot1x in there.

https://www.cisco.com/c/en/us/td/docs/wireless/access_point/feature-matrix/ap-feature-matrix.html#_Toc87523893 (802.1x on AP (EAP-FAST)) is only i've found on topic for IOS-XE based WLCs. For AIR-OS it's still unclear.

atm it's also clear that WAVE 1 APs dont implement TLS 1.2 in its supplicant in default configuration.

customer opened SR in TAC & i expect something like above in the end.

cheers

Nicolas Darchis · ‎05-31-2022

that matrix is only for latest AP models.

The story is that APs only ever supported TLS 1.0. Until 16.12 on 9800 or 8.10.110 on Aireos where TLS 1.2 support was added for COS APs (this is documented but does not say clearly that IOS-based APs were left out).

I am updating https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-fixed/107946-LAP-802-1x.html to mention this black on white in the next hour or so.