Local EAP Ciphersuite
A local EAP ciphersuite is a security protocol configuration that
- determines which encryption algorithms the controller supports during EAP transactions,
- allows customization of enabled or disabled ciphersuites for improved security and compatibility, and
- is manageable by administrators from Cisco IOS XE Cupertino 17.7.1 Release onwards.
Feature history
| Feature Name | Release | Description |
|---|---|---|
| Ciphersuite Selection for Local EAP Authentication | Cisco IOS XE 17.1.1s | This feature provides the controller with a knob to control the list of ciphersuites used in local EAP authentication. Prior to Cisco IOS XE Cupertino 17.7.1 Release, the controller acts as an SSL server supporting a hardcoded list of ciphersuites for each EAP application. |
Supported and configurable ciphersuites for Local EAP
The controller, acting as an SSL server, negotiates ciphersuites with the client during the SSL handshake. The client sends a prioritized list of supported ciphersuites, and the server selects one that is mutually acceptable.
The table lists the hardcoded ciphersuites and their descriptions:
| Ciphersuite | Description |
|---|---|
| aes128-sha | Encryption Type tls_rsa_with_aes_128_cbc_sha. |
| aes256-sha | Encryption Type tls_rsa_with_aes_256_cbc_sha. |
| dhe-rsa-aes-gcm-sha2 | Encryption Type tls_dhe_rsa_with_aes_128_gcm_sha256 and tls_dhe_rsa_with_aes_256_gcm_sha384 (TLS 1.2 and above). |
| dhe-rsa-aes-sha2 | Encryption Type tls_dhe_rsa_with_aes_128_cbc_sha256 and tls_dhe_rsa_with_aes_256_cbc_sha256 (TLS 1.2 and above). |
| dhe-rsa-aes128-sha | Encryption Type tls_dhe_rsa_with_aes_128_cbc_sha. |
| dhe-rsa-aes256-sha | Encryption Type tls_dhe_rsa_with_aes_256_cbc_sha. |
| ecdhe-ecdsa-aes-gcm-sha2 | Encryption Type tls_ecdhe_ecdsa_with_aes_128_gcm_sha256 and tls_ecdhe_ecdsa_with_aes_256_gcm_sha384 (TLS 1.2 and above). |
| ecdhe-ecdsa-aes-sha | Encryption Type tls_ecdhe_ecdsa_with_aes_128_cbc_sha and tls_ecdhe_ecdsa_with_aes_256_cbc_sha. |
| ecdhe-ecdsa-aes-sha2 | Encryption Type tls_ecdhe_ecdsa_with_aes_128_cbc_sha256 and tls_ecdhe_ecdsa_with_aes_256_cbc_sha384 (TLS 1.2 and above). |
| ecdhe-rsa-aes-gcm-sha2 | Encryption Type tls_ecdhe_rsa_with_aes_128_gcm_sha256 and tls_ecdhe_rsa_with_aes_256_gcm_sha384 (TLS 1.2 and above). |
| ecdhe-rsa-aes-sha | Encryption Type tls_ecdhe_rsa_with_aes_128_cbc_sha and tls_ecdhe_rsa_with_aes_256_cbc_sha. |
| ecdhe-rsa-aes-sha2 | Encryption Type tls_ecdhe_rsa_with_aes_128_cbc_sha256 and tls_ecdhe_rsa_with_aes_256_cbc_sha384 (TLS 1.2 and above). |
Note: By default, all the ciphersuites are supported. Using the Local EAP ciphersuite feature, you can enable or disable the ciphersuites based on your requirement.
Restrictions for Local EAP Ciphersuite
- SNMP is not supported.
- Ciphersuites are specific to 802.1X.
Configure Local EAP Ciphersuite (CLI)
Procedure
| Step | Action |
|---|---|
| Step 1 | Enable privileged EXEC mode. |
| Step 2 | Enter global configuration mode. |
| Step 3 | Create an EAP profile. |
| Step 4 | Select a ciphersuite. Each invocation of this command configures only one ciphersuite; to enable more than one, issue the command once for each ciphersuite. Issuing the no ciphersuite command restores the default, in which all ciphersuites are supported. |
| Step 5 | Return to privileged EXEC mode. Alternatively, press Ctrl-Z to exit global configuration mode. |
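As an added illustration (not part of the Cisco documentation or the controller's code), the following Python encodes the ciphersuite table above, classifies each keyword by what the underlying TLS suites offer (forward secrecy, AEAD record protection, SHA-1 HMAC), and emits one `ciphersuite` line per keyword that meets a chosen policy, since each command selects a single ciphersuite. The `eap profile <name>` / `ciphersuite <keyword>` line syntax and the profile name are assumptions taken from the step descriptions, and the policy thresholds are the example's own.

```python
# Added example: policy filter over the controller's local EAP ciphersuite keywords.
# Keyword -> TLS ciphersuites, transcribed from the table on this page.
LOCAL_EAP_CIPHERSUITES = {
    "aes128-sha": ["TLS_RSA_WITH_AES_128_CBC_SHA"],
    "aes256-sha": ["TLS_RSA_WITH_AES_256_CBC_SHA"],
    "dhe-rsa-aes-gcm-sha2": ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"],
    "dhe-rsa-aes-sha2": ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"],
    "dhe-rsa-aes128-sha": ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA"],
    "dhe-rsa-aes256-sha": ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA"],
    "ecdhe-ecdsa-aes-gcm-sha2": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"],
    "ecdhe-ecdsa-aes-sha": ["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"],
    "ecdhe-ecdsa-aes-sha2": ["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"],
    "ecdhe-rsa-aes-gcm-sha2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
    "ecdhe-rsa-aes-sha": ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"],
    "ecdhe-rsa-aes-sha2": ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"],
}

def suite_properties(suite: str) -> dict:
    """Read key exchange, record protection and MAC out of the IANA suite name."""
    key_exchange = suite.split("_WITH_")[0][len("TLS_"):]   # e.g. "ECDHE_RSA" or "RSA"
    return {
        "forward_secrecy": key_exchange.startswith(("DHE", "ECDHE")),  # static RSA has none
        "aead": "_GCM_" in suite,            # GCM suites are AEAD, CBC suites are not
        "sha1_mac": suite.endswith("_SHA"),  # trailing "_SHA" with no digits = SHA-1 HMAC
    }

def keyword_allowed(keyword: str, require_pfs=True, require_aead=False, allow_sha1=False) -> bool:
    """A keyword passes only if every suite behind it passes: the controller enables
    all suites behind one keyword together, so the weakest of them decides."""
    for suite in LOCAL_EAP_CIPHERSUITES[keyword]:
        props = suite_properties(suite)
        if require_pfs and not props["forward_secrecy"]:
            return False
        if require_aead and not props["aead"]:
            return False
        if not allow_sha1 and props["sha1_mac"]:
            return False
    return True

def eap_profile_config(profile: str, **policy) -> list:
    """One `ciphersuite` line per allowed keyword, because each command selects a
    single ciphersuite. Line syntax is assumed from the procedure, not taken from it."""
    lines = [f"eap profile {profile}"]
    lines += [f" ciphersuite {kw}" for kw in LOCAL_EAP_CIPHERSUITES
              if keyword_allowed(kw, **policy)]
    return lines
```

With the default policy (forward secrecy required, SHA-1 HMAC suites dropped) six of the twelve keywords survive; adding `require_aead=True` leaves only the three GCM keywords.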
