TLS 1.2 support on Cisco APs

Gents

Quick & short question please, as I was not able to find an answer on the web.

Where can I find a compatibility matrix or more or less relevant info for the subject?

One of our customers decided to keep only TLS 1.2 enabled on ISE (2.7), and a number of APs that previously authenticated successfully against ISE by EAP-FAST (MSCHAPv2) with TLSv1.0 now just fail to authenticate. From what I understand though, EAP-FAST must support TLS 1.2, giving hope that enforcing APs to use it must resolve the issue. Any clues please?

BR, Andy


1 Accepted Solution

As hinted by the above, all IOS-based APs (i.e. before 11ac wave 2) do not support TLS 1.1/TLS 1.2 on any aspect (dot1x auth, DTLS CAPWAP encryption, etc.).


9 Replies

Thanks. I saw this thread already, but how exactly can we move the WLC & its APs to use TLS 1.2?

UPD. If I enable 1.2 for secureweb as per "Solved: Enabling TLS for management access in WLC - Cisco Community",

will it also enforce APs to use TLS 1.2?

You can use the command:

config ap dtls-version {dtls1.0 | dtls1.2 | dtls_all}


https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/ap_connectivity_to_cisco_wlc.html 

Flavio Miranda
Advisor

Hi

What authentication are you talking about?

Your post suggests authentication between the AP and ISE?

" From what i understand thought EAP-FAST must support TLS 1.2 giving a hope that enforcing APs to use it must resolve issue. Any clues pls?"

Not following you. Is it an autonomous AP deployment?

Hi Flavio

All APs are lightweight, different models, & yes, it's about dot1x authentication LAP<>ISE with EAP-FAST (MSCHAPv2).

ATM I'm looking for a mapping of disjointed LAP(s)<>WLC & affected LAP(s) part# to discover any differences between affected & unaffected LAPs (yes, there are still LAPs conducting either EAP-TLS or EAP-FAST (MSCHAPv2) with TLS 1.2 negotiated).

UPD. What I can state ATM is that C9120AXI are not affected & always negotiate the suggested TLS 1.2, even if connected to AIR-OS WLC 8.10.171.0. But on the WLC I don't see any SSL/TLS restrictions (config looks to be default on this matter).

Take a look at this doc.

This is for 8.10 but also fits other versions.


https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/ap_connectivity_to_cisco_wlc.html 

No relevant info on the TLS version for dot1x in there.

https://www.cisco.com/c/en/us/td/docs/wireless/access_point/feature-matrix/ap-feature-matrix.html#_Toc87523893 (802.1x on AP (EAP-FAST)) is the only thing I've found on the topic, and it is for IOS-XE based WLCs. For AIR-OS it's still unclear.

ATM it's also clear that WAVE 1 APs don't implement TLS 1.2 in their supplicant in the default configuration.

The customer opened an SR with TAC & I expect something like the above in the end.

Cheers

That matrix is only for the latest AP models.

The story is that APs only ever supported TLS 1.0, until 16.12 on 9800 or 8.10.110 on AireOS, where TLS 1.2 support was added for COS APs (this is documented but does not say clearly that IOS-based APs were left out).


I am updating https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-fixed/107946-LAP-802-1x.html to mention this black on white in the next hour or so.
