12-15-2020 01:00 AM - edited 07-05-2021 12:54 PM
Hi there!
We're operating a Cisco WLC 5508 for one of our customers. The WLC has to authenticate through a RADIUS server, which is working fine. Our customer now wants to disable TLS 1.0 on the RADIUS server, so only TLS 1.2 should be enabled. We're facing the problem that the clients can't connect to the wifi when only TLS 1.2 is enabled. Since we eliminated all other possibilities, it must be the WLC, which may not support TLS 1.2 right now. Is it possible to force the WLC to use TLS 1.2 whilst authenticating on the RADIUS server? We are running software version 8.5.151.0 on the WLC; do we need an update? We couldn't find any option to enable TLS 1.2 in the settings.
Any help would be appreciated.
12-16-2020 10:05 AM
Just to add.... 802.1x is just a simple setting on the WLC. The radius and the device are the two that share the certificate information. Just make sure that the device certificates, if using eap-tls, do indeed use TLSv1.2. If you disable TLSv1.0 and 1.1, then the radius will only accept certificates that use TLSv1.2. The only setting to allow TLSv1.2 on the controllers is for the secure web for https access.
12-16-2020 04:57 AM
This might also be a Windows and/or Radius Server issue:
12-16-2020 05:15 AM
Thank you for your answer. We already thought that the RADIUS server could be the problem and not the WLC. We are currently working with the provider of our RADIUS to find a solution. I will keep you updated if we find a way to fix this.
12-17-2020 01:42 AM
Thank you for this information! We found out that the authentication happens between the client and the RADIUS; the WLC is barely involved here. So the customer's server team had to change some registry keys on the RADIUS server to get TLS 1.2 working. So once again the issue was not in the network infrastructure - as always.
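The thread closes with "some registry keys on the RADIUS server" but never names them. As an added example (not posted by anyone in this thread, and not Cisco's or Microsoft's own tooling), the script below audits and optionally sets the Schannel protocol keys on a Windows RADIUS server; it assumes the RADIUS server is Windows NPS, whose EAP-TLS handshakes follow the system Schannel settings. Whether these are the exact keys the customer's server team changed is not stated on the page.

```powershell
# Added example, not from the thread. Assumption: the RADIUS server is Windows
# (e.g. NPS), so EAP-TLS follows the system-wide Schannel protocol settings.
# These are the documented Schannel registry locations; the thread itself does
# not name the keys that were changed.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

# Read-only audit: one row per protocol/side. A missing key means the OS
# default applies, which is why a plain "TLS 1.2 is enabled" assumption can
# be wrong on older builds.
function Get-SchannelProtocolState {
    foreach ($p in $protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $base "$p\$side"
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $props             = Get-ItemProperty -Path $key
                $enabled           = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = if ($null -eq $enabled) { '(OS default)' } else { $enabled }
                DisabledByDefault = if ($null -eq $disabledByDefault) { '(OS default)' } else { $disabledByDefault }
            }
        }
    }
}

# Explicitly enable or disable one protocol on one side. Enabled=1 plus
# DisabledByDefault=0 turns a protocol on; Enabled=0 plus DisabledByDefault=1
# turns it off. Schannel reads these at boot, so a reboot follows any change.
function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Side,
        [Parameter(Mandatory)][bool]$Enable
    )
    $key = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord `
        -Value ([int]$Enable) -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord `
        -Value ([int](-not $Enable)) -Force | Out-Null
}

# Usage: audit first, then make TLS 1.2 explicit on the server side before
# turning off TLS 1.0/1.1, so EAP-TLS supplicants are never left with no
# protocol in common with the RADIUS server (the failure mode in this thread).
Get-SchannelProtocolState | Format-Table -AutoSize
# Set-SchannelProtocol -Protocol 'TLS 1.2' -Side Server -Enable $true
# Set-SchannelProtocol -Protocol 'TLS 1.0' -Side Server -Enable $false
# Set-SchannelProtocol -Protocol 'TLS 1.1' -Side Server -Enable $false
```

Run the audit with an elevated PowerShell on the RADIUS server itself. The ordering in the usage comment matters: enabling TLS 1.2 explicitly and confirming wireless clients still authenticate before disabling the older protocols avoids the outage described at the top of the thread, where clients lost the only TLS version both sides had in common.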