Information About Local EAP Ciphersuite
Prior to Cisco IOS XE Cupertino 17.7.1 Release, the controller acts as an SSL server supporting a hardcoded list of ciphersuites for each EAP application. From Cisco IOS XE Cupertino 17.7.1 Release onwards, the controller is equipped with a knob that controls the list of ciphersuites when using local authentication.
The following table lists the hardcoded ciphersuites:
| Ciphersuites | Description |
|---|---|
| aes128-sha | Encryption Type tls_rsa_with_aes_128_cbc_sha. |
| aes256-sha | Encryption Type tls_rsa_with_aes_256_cbc_sha. |
| dhe-rsa-aes-gcm-sha2 | Encryption Type tls_dhe_rsa_with_aes_128_gcm_sha256 and tls_dhe_rsa_with_aes_256_gcm_sha384 (TLS 1.2 and above). |
| dhe-rsa-aes-sha2 | Encryption Type tls_dhe_rsa_with_aes_128_cbc_sha256 and tls_dhe_rsa_with_aes_256_cbc_sha256 (TLS 1.2 and above). |
| dhe-rsa-aes128-sha | Encryption Type tls_dhe_rsa_with_aes_128_cbc_sha. |
| dhe-rsa-aes256-sha | Encryption Type tls_dhe_rsa_with_aes_256_cbc_sha. |
| ecdhe-ecdsa-aes-gcm-sha2 | Encryption Type tls_ecdhe_ecdsa_with_aes_128_gcm_sha256 and tls_ecdhe_ecdsa_with_aes_256_gcm_sha384 (TLS 1.2 and above). |
| ecdhe-ecdsa-aes-sha | Encryption Type tls_ecdhe_ecdsa_with_aes_128_cbc_sha and tls_ecdhe_ecdsa_with_aes_256_cbc_sha. |
| ecdhe-ecdsa-aes-sha2 | Encryption Type tls_ecdhe_ecdsa_with_aes_128_cbc_sha256 and tls_ecdhe_ecdsa_with_aes_256_cbc_sha384 (TLS 1.2 and above). |
| ecdhe-rsa-aes-gcm-sha2 | Encryption Type tls_ecdhe_rsa_with_aes_128_gcm_sha256 and tls_ecdhe_rsa_with_aes_256_gcm_sha384 (TLS 1.2 and above). |
| ecdhe-rsa-aes-sha | Encryption Type tls_ecdhe_rsa_with_aes_128_cbc_sha and tls_ecdhe_rsa_with_aes_256_cbc_sha. |
| ecdhe-rsa-aes-sha2 | Encryption Type tls_ecdhe_rsa_with_aes_128_cbc_sha256 and tls_ecdhe_rsa_with_aes_256_cbc_sha384 (TLS 1.2 and above). |
When the Client and Server Hello messages are exchanged, the client sends a prioritized list of ciphersuites it supports in Client Hello. The server then responds with the ciphersuite selected from the list in Server Hello. The server needs to select a ciphersuite that is acceptable to both the client and server. Using this approach, only one ciphersuite is selected and sent to the client.
The Local EAP ciphersuite feature controls the list of ciphersuites that the controller supports when it acts as the SSL server.
Note: By default, all the ciphersuites are supported. Using the Local EAP ciphersuite feature, you can enable or disable the ciphersuites based on your requirement.
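The selection described above can be modelled offline to check what a given client would negotiate once keywords are disabled. This is an added example, not Cisco code: the keyword map is copied from the table on this page, while the sample Client Hello list, the function names and the choice to follow the client's priority order are assumptions.

```python
# Keyword -> (TLS suites, marked "TLS 1.2 and above"), copied from the table.
KEYWORDS = {
    "aes128-sha": ("tls_rsa_with_aes_128_cbc_sha", False),
    "aes256-sha": ("tls_rsa_with_aes_256_cbc_sha", False),
    "dhe-rsa-aes-gcm-sha2": ("tls_dhe_rsa_with_aes_128_gcm_sha256 tls_dhe_rsa_with_aes_256_gcm_sha384", True),
    "dhe-rsa-aes-sha2": ("tls_dhe_rsa_with_aes_128_cbc_sha256 tls_dhe_rsa_with_aes_256_cbc_sha256", True),
    "dhe-rsa-aes128-sha": ("tls_dhe_rsa_with_aes_128_cbc_sha", False),
    "dhe-rsa-aes256-sha": ("tls_dhe_rsa_with_aes_256_cbc_sha", False),
    "ecdhe-ecdsa-aes-gcm-sha2": ("tls_ecdhe_ecdsa_with_aes_128_gcm_sha256 tls_ecdhe_ecdsa_with_aes_256_gcm_sha384", True),
    "ecdhe-ecdsa-aes-sha": ("tls_ecdhe_ecdsa_with_aes_128_cbc_sha tls_ecdhe_ecdsa_with_aes_256_cbc_sha", False),
    "ecdhe-ecdsa-aes-sha2": ("tls_ecdhe_ecdsa_with_aes_128_cbc_sha256 tls_ecdhe_ecdsa_with_aes_256_cbc_sha384", True),
    "ecdhe-rsa-aes-gcm-sha2": ("tls_ecdhe_rsa_with_aes_128_gcm_sha256 tls_ecdhe_rsa_with_aes_256_gcm_sha384", True),
    "ecdhe-rsa-aes-sha": ("tls_ecdhe_rsa_with_aes_128_cbc_sha tls_ecdhe_rsa_with_aes_256_cbc_sha", False),
    "ecdhe-rsa-aes-sha2": ("tls_ecdhe_rsa_with_aes_128_cbc_sha256 tls_ecdhe_rsa_with_aes_256_cbc_sha384", True),
}

# Constructed Client Hello list, highest priority first (not from the page).
SAMPLE_CLIENT_HELLO = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

def server_suites(enabled, tls12_or_later=True):
    """Expand enabled keywords into the suites the server will accept."""
    suites = set()
    for keyword in enabled:
        names, needs_tls12 = KEYWORDS[keyword]  # KeyError on an unknown keyword
        if tls12_or_later or not needs_tls12:
            suites.update(names.split())
    return suites

def select_suite(client_hello, enabled=None, tls12_or_later=True):
    """Return the single suite for Server Hello, or None if none is shared.

    enabled=None models the default, where every keyword is supported.
    Assumption: the first client-preferred suite the server allows wins.
    """
    allowed = server_suites(KEYWORDS if enabled is None else enabled, tls12_or_later)
    for suite in client_hello:
        if suite.lower() in allowed:
            return suite.lower()
    return None  # no common ciphersuite: the handshake cannot complete

if __name__ == "__main__":
    for enabled in (None, ["ecdhe-rsa-aes-sha", "aes128-sha"], ["dhe-rsa-aes-gcm-sha2"]):
        print(enabled or "all", "->", select_suite(SAMPLE_CLIENT_HELLO, enabled))
```

A `None` result is the case to look for before restricting the list: it identifies clients that would no longer be able to authenticate against the controller.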