05-30-2022 01:27 AM
Gents
Quick & short Q pls, as I was not able to find an answer on the web.
Where can I find a compatibility matrix or more/less relevant info on the subject?
One of our customers decided to keep only TLS 1.2 enabled on ISE (2.7), and a number of APs that previously successfully AuthC'ed against ISE by EAP-FAST (MSCHAPv2) with TLSv1.0 now just fail to AuthC. From what I understand, though, EAP-FAST must support TLS 1.2, giving hope that enforcing APs to use it must resolve the issue. Any clues pls?
br andy
05-31-2022 01:08 AM
As hinted by the above, all IOS-based APs (i.e. before 11ac wave 2) do not support TLS 1.1/TLS 1.2 on any aspect (dot1x auth, dtls capwap encryption, etc ...)
05-30-2022 01:49 AM
M.
05-30-2022 01:56 AM - edited 05-30-2022 02:16 AM
Thanks. I saw this thread already, but how exactly can we move the WLC & its APs to use TLS 1.2?
UPD. If I enable 1.2 for secureweb as per Solved: Enabling TLS for management access in WLC - Cisco Community,
will it also enforce APs to use TLS 1.2?
05-30-2022 02:35 AM - edited 05-30-2022 02:36 AM
You can use the command:
config ap dtls-version {dtls1.0 | dtls1.2 | dtls_all}
05-30-2022 02:22 AM - edited 05-30-2022 02:22 AM
Hi
What authentication are you talking about?
Your post suggests authentication between the AP and ISE?
" From what i understand thought EAP-FAST must support TLS 1.2 giving a hope that enforcing APs to use it must resolve issue. Any clues pls?"
Not following you. Is it autonomous AP deployment?
05-30-2022 02:38 AM - edited 05-30-2022 02:45 AM
Hi Flavio
All APs are lightweight, different models. & yes, it's about dot1x authentication LAP<>ISE with EAP-FAST (MSCHAPv2).
ATM I'm looking for a mapping of disjointed LAP(s)<>WLC & affected LAP(s) part# to discover any differences between affected & unaffected LAPs (yes, there are still LAPs conducting either EAP-TLS or EAP-FAST (MSCHAPv2) with TLS 1.2 negotiated).
UPD. What I can state ATM is that C9120AXI are not affected & always negotiate the suggested TLS 1.2, even if connected to AIR-OS WLC 8.10.171.0. But on the WLC I don't see any SSL/TLS restrictions (config looks to be default on this matter).
05-30-2022 02:47 AM
Take a look at this doc.
This is for 8.10 but also fits other versions.
05-31-2022 01:13 AM
No relevant info on TLS version for dot1x in there.
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/feature-matrix/ap-feature-matrix.html#_Toc87523893 (802.1x on AP (EAP-FAST)) is the only thing I've found on the topic for IOS-XE based WLCs. For AIR-OS it's still unclear.
ATM it's also clear that WAVE 1 APs don't implement TLS 1.2 in their supplicant in the default configuration.
The customer opened an SR with TAC & I expect something like the above in the end.
cheers
05-31-2022 01:29 AM
That matrix is only for the latest AP models.
The story is that APs only ever supported TLS 1.0, until 16.12 on 9800 or 8.10.110 on AireOS, where TLS 1.2 support was added for COS APs (this is documented but does not say clearly that IOS-based APs were left out).
I am updating https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-fixed/107946-LAP-802-1x.html to mention this in black and white in the next hour or so.
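The thread's root cause is a supplicant that only offers TLS 1.0 when it sets up the EAP-FAST tunnel, talking to a RADIUS server that now insists on TLS 1.2. Before tightening the minimum TLS version on ISE (or any RADIUS server), the vendor-neutral way to confirm what each AP actually offers is to look at the ClientHello carried inside the EAP-FAST/EAP-TLS payload of a capture. The script below is an added example, not code from this thread or from Cisco: it parses a ClientHello record, extracts the legacy version field and the `supported_versions` extension (RFC 8446), and reports whether the client meets a given minimum. Both sample ClientHellos are constructed in the block itself (zeroed random, two cipher suites); the `build_client_hello` helper exists only to produce those samples.

```python
"""Report the highest TLS version a ClientHello offers.

Added example (not from the Cisco Community thread). Feed it the TLS record
extracted from the EAP-TLS/EAP-FAST data field of a supplicant's first
handshake message; it tells you whether that supplicant would survive a
server-side "TLS 1.2 only" policy. Sample records below are constructed.
"""
import struct

TLS_VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                     0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43  # extension type from RFC 8446


def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS record holding a ClientHello and return the offered versions."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + record_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                      # skip client_version and 32-byte random
    pos += 1 + hello[pos]              # session_id (length-prefixed)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", hello[i:i + 2])[0]
                     for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]              # compression_methods (length-prefixed)

    offered = {legacy_version}
    if pos < len(hello):               # extensions are absent in TLS 1.0-era hellos
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext_data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                # ClientHello form: 1 length byte, then 2-byte versions; this list
                # overrides legacy_version when present (RFC 8446 section 4.2.1).
                n = ext_data[0]
                offered = {struct.unpack("!H", ext_data[i:i + 2])[0]
                           for i in range(1, 1 + n, 2)}
    highest = max(offered)
    return {"legacy_version": legacy_version, "offered": sorted(offered),
            "highest": highest,
            "highest_name": TLS_VERSION_NAMES.get(highest, hex(highest)),
            "cipher_suite_count": len(cipher_suites)}


def meets_minimum(data: bytes, minimum: int = 0x0303) -> bool:
    """True if the supplicant offers at least `minimum` (default 0x0303 = TLS 1.2)."""
    return parse_client_hello(data)["highest"] >= minimum


def build_client_hello(legacy_version: int, supported_versions=None) -> bytes:
    """Construct a minimal ClientHello record. Sample-data helper only."""
    hello = struct.pack("!H", legacy_version) + bytes(32)   # version + zeroed random
    hello += b"\x00"                                        # empty session id
    suites = [0x002F, 0x0035]                               # AES128-SHA, AES256-SHA
    hello += struct.pack("!H", len(suites) * 2) + b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"                                    # one compression method: null
    if supported_versions:
        ext_data = bytes([len(supported_versions) * 2]) + b"".join(
            struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a TLS 1.0-only supplicant and one offering TLS 1.2/1.3.
LEGACY_AP_HELLO = build_client_hello(0x0301)
MODERN_AP_HELLO = build_client_hello(0x0303, supported_versions=[0x0304, 0x0303])

if __name__ == "__main__":
    for label, rec in (("legacy", LEGACY_AP_HELLO), ("modern", MODERN_AP_HELLO)):
        info = parse_client_hello(rec)
        print(f"{label}: offers up to {info['highest_name']}, "
              f"passes TLS 1.2-only policy: {meets_minimum(rec)}")
```

Run against records pulled from a capture, the output tells you which supplicants will break before the policy is flipped, which is the inventory step the thread ends up doing by hand across AP models.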