Wireless Access

Contributor I
Posts: 74
Registered: ‎03-21-2012

EAP/TLS 1.2?

It seems the new OS X 10.11 is only supporting TLS 1.2, which we currently don't have enabled on our 802.1X network. We terminate on our controller and not a RADIUS server currently. Anyone know of a way to enable TLS 1.2 on 6.4 code? Looking into this, it seems this has been supported since 6.1; however, in newer documentation I can't find anything about this, and these commands aren't on 6.4 code.

 

==========================================================================
Support for TLS 1.2

The AAA FastConnect authentication mechanism has been enhanced to support TLS protocol version 1.2. This support allows you to use the Suite B cryptographic algorithms. By default the TLS 1.2 protocol is disabled. Use the aaa authentication dot1x new-eap-termination command to enable TLS 1.2 support.

Using CLI to Enable TLS 1.2:
aaa authentication dot1x default-eap-termination
enforce-suite-b-128
enforce-suite-b-192

Where, the enforce-suite-b-128 option enables 128-bit security level and the enforce-suite-b-192 enables the 192-bit security level.

Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: EAP/TLS 1.2?

Those release notes refer to Suite B encryption for users who have purchased and enabled the ACR or advanced encryption license. Those are typically government and highly secure installations. Most users do not have that license.

 

If you are not using termination, only your RADIUS server needs to support TLS 1.2.

 

If you are using Termination, TLS 1.2 support is enabled in:

 

6.4.3.3 - Released 7/24/2015

6.4.2.9 - Released 7/12/2015

6.3.1.x - Not released as of yet

 

The bug in the 6.4.3.3 release notes is below:

 

[Image: tls.png]

The versions above support TLS negotiation to 1.2, so they should support the latest iOS beta 9 and Mac OS X change.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 74
Registered: ‎03-21-2012

Re: EAP/TLS 1.2?

I tested on the latest 6.4.2.10; is that not supported as well? What commands do we need to run to enable TLS 1.2 if we don't have the ACR or advanced encryption license?

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: EAP/TLS 1.2?

The short term solution if you choose to support beta software is to terminate on your TLS 1.2 RADIUS server.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 74
Registered: ‎03-21-2012

Re: EAP/TLS 1.2?

Well, we understand it's beta and we don't support it either. However, if it's something Apple pushes out in the final release, only allowing TLS 1.2, we'd be screwed at the moment. Currently I don't have control over our RADIUS servers, as that's a different department, and will go that route if it's necessary, so right now I would like to find out how to support it while terminating on the controller as we do now.

Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: EAP/TLS 1.2?


flava,

 

No commands should be needed to enable TLS 1.2.  According to the bug, the controller should now be able to negotiate with EAP-TLS 1.2 whereas it could not before.

 

I suggest you open a TAC case to make sure everything is configured properly in your setup. If you have a lab, it would be advisable to stage things there to ensure you have no gaps in your strategy.



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 74
Registered: ‎03-21-2012

Re: EAP/TLS 1.2?

Will TAC even support this even though the current release of OS X 10.11 is in beta?

Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: EAP/TLS 1.2?

The fix was put in due to the change. They should be able to handle this based on the fix.


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 2
Registered: ‎01-06-2011

Re: EAP/TLS 1.2?

Android 6.0 (Marshmallow) has this issue too by the look of it.

 

https://code.google.com/p/android/issues/detail?id=188867


Cory C.

Ohio University.

Contributor II
Posts: 40
Registered: ‎05-27-2014

Re: EAP/TLS 1.2?

We have the same issue here with Marshmallow.

Any fix known?
