Windows 10 devices can't connect to an 802.1X environment

Symptoms
After you apply the Windows 10 November update to a device, you cannot connect to a WPA-2 Enterprise network that's using certificates for server-side or mutual authentication (EAP TLS, PEAP, TTLS).
Cause
In the Windows 10 November update, EAP was updated to support TLS 1.2. This means that, if the server advertises support for TLS 1.2 during TLS negotiation, TLS 1.2 will be used.

We have reports that some RADIUS server implementations experience a bug with TLS 1.2. In this bug scenario, EAP authentication succeeds but the MPPE key calculation fails because an incorrect pseudorandom function (PRF) is used.
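
The following added example (not part of the original article or any vendor's code) shows why a wrong PRF breaks the session even though the handshake succeeds: both sides hold the same master secret, yet the MPPE keys derived per RFC 5216 differ. It assumes the incorrect PRF is the TLS 1.0/1.1 one, which the article does not state, and all session values are constructed.

```python
import hmac

LABEL = b"client EAP encryption"  # EAP-TLS key-derivation label (RFC 5216)

def p_hash(hash_name, secret, seed, length):
    """P_hash expansion defined in RFC 2246 / RFC 5246, section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(first half) XOR P_SHA1(second half)."""
    half = (len(secret) + 1) // 2
    md5 = p_hash("md5", secret[:half], label + seed, length)
    sha1 = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))

def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF with the default hash: P_SHA256 over the whole secret."""
    return p_hash("sha256", secret, label + seed, length)

def mppe_keys(prf, master_secret, client_random, server_random):
    """RFC 5216: MSK is the first 64 bytes of 128 bytes of key material;
    MS-MPPE-Recv-Key = MSK[0:32], MS-MPPE-Send-Key = MSK[32:64]."""
    material = prf(master_secret, LABEL, client_random + server_random, 128)
    return material[:32], material[32:64]

def keys_match(client_prf, server_prf, master_secret, client_random, server_random):
    """True when client and server derive identical MPPE keys."""
    args = (master_secret, client_random, server_random)
    return mppe_keys(client_prf, *args) == mppe_keys(server_prf, *args)

# Constructed session values (not taken from a real handshake).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = bytes([0xC1]) * 32
SERVER_RANDOM = bytes([0x5E]) * 32

if __name__ == "__main__":
    ok = keys_match(prf_tls12, prf_tls12, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    bad = keys_match(prf_tls12, prf_tls10, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    print("both sides use the TLS 1.2 PRF, keys match:", ok)
    print("server uses the TLS 1.0 PRF on a TLS 1.2 session, keys match:", bad)
```

Because the access point receives the server's keys while the client computes its own, a mismatch surfaces after EAP success as a failed connection, which matches the symptom described above.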

RADIUS servers known to be affected
Note This information is based on research and partner reports. We will add more details as we get more data.

Server | Additional information | Fix available
FreeRADIUS 2.x | 2.2.6 for all TLS based methods, 2.2.6 - 2.2.8 for TTLS | Yes
FreeRADIUS 3.x | 3.0.7 for all TLS based methods, 3.0.7-3.0.9 for TTLS | Yes
Radiator | 4.14 when used with Net::SSLeay 1.52 or earlier | Yes
Aruba ClearPass Policy Manager | 6.5.1 | Yes
Pulse Policy Secure | https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40089 | Fix under test
Cisco Identity Services Engine 2.x | 2.0.0.306 patch 1 | Fix under test

Resolution

Recommended fix

Work with your IT administrator to update the RADIUS server to the appropriate version that includes a fix.

Temporary workaround for Windows-based computers that have applied the November update

Note Microsoft recommends the use of TLS 1.2 for EAP authentication wherever it's supported. Although all known issues in TLS 1.0 have patches available, we recognize that TLS 1.0 is an older standard that's been proven vulnerable.

To configure the TLS version that EAP uses by default, you must add a DWORD value that's named TlsVersion to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13

The value of this registry key can be 0xC0, 0x300, or 0xC00.

Notes
  • This registry key is applicable only to EAP TLS and PEAP; it does not affect TTLS behavior.
  • If the EAP client and the EAP server are misconfigured so that there is no common configured TLS version, authentication will fail, and the user may lose the network connection. Therefore, we recommend that only IT administrators apply these settings and that the settings be tested before deployment. However, a user can manually configure the TLS version number if the server supports the corresponding TLS version.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows


To add these registry values, follow these steps:
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following subkey in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type TlsVersion for the name of the DWORD value, and then press Enter.
  5. Right-click TlsVersion, and then click Modify.
  6. In the Value data box, use the following values for the various versions of TLS, and then click OK.

    TLS version | DWORD value
    TLS 1.0 | 0xC0
    TLS 1.1 | 0x300
    TLS 1.2 | 0xC00
  7. Exit Registry Editor, and then either restart the computer or restart the EapHost service.
More information
Related documentation:

Microsoft security advisory: Update for Microsoft EAP implementation that enables the use of TLS: October 14, 2014
https://support.microsoft.com/en-us/kb/2977292
Properties

Article ID: 3121002 - Last Review: 12/07/2015 19:23:00 - Revision: 4.0

Windows 10
