Reset Search
 

 

Article

Devices using Win10 with TLS v1.2 cannot connect to secure WiFi (802.1x).

« Go Back

Information

 
TitleDevices using Win10 with TLS v1.2 cannot connect to secure WiFi (802.1x).
Symptoms
Devices using Win10 with TLS v1.2 cannot connect to secure WiFi (802.1x).
Environment
All identiFi solutions.
Cause
After you apply the Windows 10 November update to a device, you cannot connect to a WPA-2 Enterprise network that's using certificates for server-side or mutual authentication (EAP TLS, PEAP, TTLS). In the Windows 10 November update, EAP was updated to support TLS 1.2. This implies that, if the server advertises support for TLS 1.2 during TLS negotiation, TLS 1.2 will be used.

We have reports that some Radius server implementations experience a bug with TLS 1.2. In this bug scenario, EAP authentication succeeds but the MPPE Key calculation fails because an incorrect PRF (Pseudo Random Function) is used.
Resolution
Work with your IT administrator to update the Radius server to the appropriate version that includes a fix.

Temporary workaround for Windows-based computers that have applied the November update

Note Microsoft recommends the use of TLS 1.2 for EAP authentication wherever it's supported. Although all known issues in TLS 1.0 have patches available, we recognize that TLS 1.0 is an older standard that's been proven vulnerable.

To configure the TLS version that EAP uses by default, you must add a DWORD value that's named TlsVersion to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13

The value of this registry key can be 0xC0, 0x300, or 0xC00.

Notes
This registry key is applicable only to EAP TLS and PEAP; it does not affect TTLS behavior.
If the EAP client and the EAP server are misconfigured so that there is no common configured TLS version, authentication will fail, and the user may lose the network connection. Therefore, we recommend that only IT administrators apply these settings and that the settings be tested before deployment. However, a user can manually configure the TLS version number if the server supports the corresponding TLS version.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows


To add these registry values, follow these steps:
Click Start, click Run, type regedit in the Open box, and then click OK.
Locate and then click the following subkey in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
On the Edit menu, point to New, and then click DWORD Value.
Type TlsVersion for the name of the DWORD value, and then press Enter.
Right-click TlsVersion, and then click Modify.
In the Value data box, use the following values for the various versions of TLS, and then click OK.

TLS version DWORD value
TLS 1.0 0xC0
TLS 1.1 0x300
TLS 1.2 0xC00
Exit Registry Editor, and then either restart the computer or restart the EapHost service.

See also, Windows 10 End Systems Show as Rejected Due To Authentication Became Stale
Additional notes

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255