Applies ToWindows 10

Symptoms

After you apply the Windows 10 November update to a device, you cannot connect to a WPA-2 Enterprise network that's using certificates for server-side or mutual authentication (EAP TLS, PEAP, TTLS).

Cause

In the Windows 10 November update, EAP was updated to support TLS 1.2. This implies that, if the server advertises support for TLS 1.2 during TLS negotiation, TLS 1.2 will be used. We have reports that some Radius server implementations experience a bug with TLS 1.2. In this bug scenario, EAP authentication succeeds but the MPPE Key calculation fails because an incorrect PRF (Pseudo Random Function) is used.

Radius servers known to be affected

Note This information is based on research and partner reports. We will add more details as we get more data.

Server

Additional information

Fix available

FreeRADIUS 2.x

2.2.6 for all TLS based methods, 2.2.6 - 2.2.8 for TTLS

Yes

FreeRADIUS 3.x

3.0.7 for all TLS based methods, 3.0.7-3.0.9 for TTLS

Yes

Radiator

4.14 when used with Net::SSLeay 1.52 or earlier

Yes

Aruba ClearPass Policy Manager

6.5.1

Yes

Pulse Policy Secure

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40089

Fix under test

Cisco Identify Services Engine 2.x

2.0.0.306 patch 1

Fix under test

Resolution

Recommended fix

Work with your IT administrator to update the Radius server to the appropriate version that includes a fix.

Temporary workaround for Windows-based computers that have applied the November update

Note Microsoft recommends the use of TLS 1.2 for EAP authentication wherever it's supported. Although all known issues in TLS 1.0 have patches available, we recognize that TLS 1.0 is an older standard that's been proven vulnerable. To configure the TLS version that EAP uses by default, you must add a DWORD value that's named TlsVersion to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13The value of this registry key can be 0xC0, 0x300, or 0xC00.Notes

  • This registry key is applicable only to EAP TLS and PEAP; it does not affect TTLS behavior.

  • If the EAP client and the EAP server are misconfigured so that there is no common configured TLS version, authentication will fail, and the user may lose the network connection. Therefore, we recommend that only IT administrators apply these settings and that the settings be tested before deployment. However, a user can manually configure the TLS version number if the server supports the corresponding TLS version.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 How to back up and restore the registry in Windows To add these registry values, follow these steps:

  1. Click Start, click Run, type regedit in the Open box, and then click OK.

  2. Locate and then click the following subkey in the registry:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13

  3. On the Edit menu, point to New, and then click DWORD Value.

  4. Type TlsVersion for the name of the DWORD value, and then press Enter.

  5. Right-click TlsVersion, and then click Modify.

  6. In the Value data box, use the following values for the various versions of TLS, and then click OK.

    TLS version

    DWORD value

    TLS 1.0

    0xC0

    TLS 1.1

    0x300

    TLS 1.2

    0xC00

  7. Exit Registry Editor, and then either restart the computer or restart the EapHost service.

More Information

Related documentation:Microsoft security advisory: Update for Microsoft EAP implementation that enables the use of TLS: October 14, 2014https://support.microsoft.com/en-us/kb/2977292

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.