Quick & short Q pls, as I was not able to find an answer on the web.
Where can I find a compatibility matrix or more/less relevant info on the subject?
One of our customers decided to keep TLS 1.2 only enabled on ISE (2.7) & a number of APs previously successfully AuthC'ed against ISE by EAP-FAST (MSCHAPv2) with TLSv1.0 now just fail to AuthC. From what I understand though, EAP-FAST must support TLS 1.2, giving hope that enforcing APs to use it must resolve the issue. Any clues pls?
tnx. I saw this thread already. But how exactly can we move the WLC & its APs to use TLS 1.2?
UPD. If I enable 1.2 for secureweb as per Solved: Enabling TLS for management access in WLC - Cisco Community, will it also enforce APs to use TLS 1.2?
What authentication are you talking about?
Your post suggests authentication between the AP and ISE?
" From what i understand thought EAP-FAST must support TLS 1.2 giving a hope that enforcing APs to use it must resolve issue. Any clues pls?"
Not following you. Is it an autonomous AP deployment?
All APs r lightw8, different models. & yes, it's about dot1x authentication LAP<>ISE with EAP-FAST (MSCHAPv2).
atm I'm looking for a mapping of disjointed LAP(s)<>WLC & affected LAP(s) part# to discover any differences between affected & unaffected LAPs (yes, there r still LAPs conducting either EAP-TLS or EAP-FAST (MSCHAPv2) with TLS 1.2 negotiated).
UPD. What I can state atm is that C9120AXI r not affected & always negotiate the suggested TLS 1.2, even if connected to AIR-OS WLC 220.127.116.11. But on the WLC I don't see any SSL/TLS restrictions (config looks to be default on this matter).
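One way to tell which TLS version each AP's supplicant actually offers, without waiting for the part-number mapping, is to look at the ClientHello inside the first EAP-FAST Response in a capture. The script below is an added example for this thread, not code from the original posts or from Cisco; it assumes you already have the reassembled EAP packet (code/id/length/type 43, per RFC 4851) rather than the raw RADIUS EAP-Message attributes, and the two sample packets are constructed here to show a TLS 1.0-only supplicant next to a TLS 1.2 one.

```python
"""Report the TLS version(s) a supplicant offers in the ClientHello carried in an
EAP-FAST (EAP type 43) Response. Added example; sample packets are constructed."""
import struct

EAP_TYPE_FAST = 43            # RFC 4851
FLAG_LENGTH_INCLUDED = 0x80   # EAP-FAST/EAP-TLS "L" flag: 4-byte TLS message length follows
EXT_SUPPORTED_VERSIONS = 0x002B
TLS_VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                     0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def tls_name(version: int) -> str:
    return TLS_VERSION_NAMES.get(version, f"unknown(0x{version:04x})")


def client_hello_versions(eap_packet: bytes) -> dict:
    """Parse an EAP-FAST Response holding a TLS ClientHello.

    Returns the record-layer version, the ClientHello client_version and the
    supported_versions extension list (empty for pre-TLS 1.3 clients)."""
    _code, _ident, _length, eap_type = struct.unpack("!BBHB", eap_packet[:5])
    if eap_type != EAP_TYPE_FAST:
        raise ValueError(f"not EAP-FAST (EAP type {eap_type})")
    flags = eap_packet[5]
    pos = 6
    if flags & FLAG_LENGTH_INCLUDED:
        pos += 4                                   # skip total TLS message length
    rec_type, rec_version, rec_len = struct.unpack("!BHH", eap_packet[pos:pos + 5])
    if rec_type != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = eap_packet[pos + 5:pos + 5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                          # handshake type(1) + length(3)
    client_version = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 32                                    # client_version + random
    p += 1 + hs[p]                                 # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
    p += 1 + hs[p]                                 # compression_methods
    supported = []
    if p < len(hs):                                # extensions block is optional
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == EXT_SUPPORTED_VERSIONS:
                n = hs[p]                          # length in bytes of the version list
                supported = [struct.unpack("!H", hs[p + 1 + i:p + 3 + i])[0]
                             for i in range(0, n, 2)]
            p += elen
    return {"record": rec_version, "client_version": client_version,
            "supported_versions": supported}


def highest_offered(eap_packet: bytes) -> str:
    """Highest TLS version the supplicant is willing to negotiate."""
    info = client_hello_versions(eap_packet)
    return tls_name(max(info["supported_versions"] + [info["client_version"]]))


def build_eap_fast_client_hello(client_version: int, supported=None) -> bytes:
    """Construct a minimal EAP-FAST Response carrying a ClientHello (test input only)."""
    body = struct.pack("!H", client_version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2) + b"\x00\x2f"                           # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                                  # null compression
    if supported:
        vlist = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(vlist) + 1, len(vlist)) + vlist
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body               # ClientHello, 3-byte length
    record = b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs          # record layer version 1.0 is common
    eap_body = bytes([EAP_TYPE_FAST, FLAG_LENGTH_INCLUDED | 0x01])       # L flag + EAP-FAST version 1
    eap_body += struct.pack("!I", len(record)) + record
    return struct.pack("!BBH", 2, 1, 4 + len(eap_body)) + eap_body       # code 2 = Response


# Constructed samples: a legacy supplicant, a TLS 1.2 one, and one advertising 1.3 via the extension.
LEGACY_AP = build_eap_fast_client_hello(0x0301)
TLS12_AP = build_eap_fast_client_hello(0x0303)
TLS13_AP = build_eap_fast_client_hello(0x0303, supported=[0x0304, 0x0303])

if __name__ == "__main__":
    for label, pkt in (("legacy AP", LEGACY_AP), ("TLS 1.2 AP", TLS12_AP), ("TLS 1.3 AP", TLS13_AP)):
        print(f"{label}: offers up to {highest_offered(pkt)}")
```

Any AP whose ClientHello tops out at TLS 1.0 will be rejected by an ISE node restricted to TLS 1.2 regardless of what the WLC's secureweb setting says, so running this over the EAP packets of the failing LAPs tells you directly whether the supplicant, not the server policy, is the limit.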
no relevant info on TLS version for dot1x in there.
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/feature-matrix/ap-feature-matrix.html#_Toc87523893 (802.1x on AP (EAP-FAST)) is the only thing I've found on the topic, and it's for IOS-XE based WLCs. For AIR-OS it's still unclear.
atm it's also clear that Wave 1 APs don't implement TLS 1.2 in their supplicant in the default configuration.
The customer opened an SR with TAC & I expect something like the above in the end.
that matrix is only for latest AP models.
The story is that APs only ever supported TLS 1.0, until 16.12 on 9800 or 8.10.110 on AireOS, where TLS 1.2 support was added for COS APs (this is documented but does not say clearly that IOS-based APs were left out).
I am updating https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-fixed/107946-LAP-802-1x.html to mention this black on white in the next hour or so.