Symptoms
After you apply the Windows 10 November update to a device, you cannot connect to a WPA-2 Enterprise network that's using certificates for server-side or mutual authentication (EAP TLS, PEAP, TTLS).
Cause
In the Windows 10 November update, EAP was updated to support TLS 1.2. This implies that, if the server advertises support for TLS 1.2 during TLS negotiation, TLS 1.2 will be used. We have reports that some Radius server implementations experience a bug with TLS 1.2. In this bug scenario, EAP authentication succeeds but the MPPE Key calculation fails because an incorrect PRF (Pseudo Random Function) is used.
Radius servers known to be affected
Note This information is based on research and partner reports. We will add more details as we get more data.
|
Server |
Additional information |
Fix available |
|
FreeRADIUS 2.x |
2.2.6 for all TLS based methods, 2.2.6 - 2.2.8 for TTLS |
Yes |
|
FreeRADIUS 3.x |
3.0.7 for all TLS based methods, 3.0.7-3.0.9 for TTLS |
Yes |
|
Radiator |
4.14 when used with Net::SSLeay 1.52 or earlier |
Yes |
|
Aruba ClearPass Policy Manager |
6.5.1 |
Yes |
|
Pulse Policy Secure |
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40089 |
Fix under test |
|
Cisco Identify Services Engine 2.x |
2.0.0.306 patch 1 |
Fix under test |
Resolution
Recommended fix
Work with your IT administrator to update the Radius server to the appropriate version that includes a fix.
Temporary workaround for Windows-based computers that have applied the November update
Note Microsoft recommends the use of TLS 1.2 for EAP authentication wherever it's supported. Although all known issues in TLS 1.0 have patches available, we recognize that TLS 1.0 is an older standard that's been proven vulnerable. To configure the TLS version that EAP uses by default, you must add a DWORD value that's named TlsVersion to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13The value of this registry key can be 0xC0, 0x300, or 0xC00.Notes
-
This registry key is applicable only to EAP TLS and PEAP; it does not affect TTLS behavior.
-
If the EAP client and the EAP server are misconfigured so that there is no common configured TLS version, authentication will fail, and the user may lose the network connection. Therefore, we recommend that only IT administrators apply these settings and that the settings be tested before deployment. However, a user can manually configure the TLS version number if the server supports the corresponding TLS version.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 How to back up and restore the registry in Windows To add these registry values, follow these steps:
-
Click Start, click Run, type regedit in the Open box, and then click OK.
-
Locate and then click the following subkey in the registry:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
-
On the Edit menu, point to New, and then click DWORD Value.
-
Type TlsVersion for the name of the DWORD value, and then press Enter.
-
Right-click TlsVersion, and then click Modify.
-
In the Value data box, use the following values for the various versions of TLS, and then click OK.
TLS version
DWORD value
TLS 1.0
0xC0
TLS 1.1
0x300
TLS 1.2
0xC00
-
Exit Registry Editor, and then either restart the computer or restart the EapHost service.
More Information
Related documentation:Microsoft security advisory: Update for Microsoft EAP implementation that enables the use of TLS: October 14, 2014https://support.microsoft.com/en-us/kb/2977292
