After you apply the Windows 10 November update to a device, you cannot connect to a WPA-2 Enterprise network that's using certificates for server-side or mutual authentication (EAP TLS, PEAP, TTLS).

In the Windows 10 November update, EAP was updated to support TLS 1.2. This implies that, if the server advertises support for TLS 1.2 during TLS negotiation, TLS 1.2 will be used. We have reports that some RADIUS server implementations experience a bug with TLS 1.2. In this bug scenario, EAP authentication succeeds but the MPPE Key calculation fails because an incorrect PRF (Pseudo Random Function) is used.

Note: This information is based on research and partner reports. We will add more details as we get more data.

2.2.6 for all TLS based methods, 2.2.6 - 2.2.8 for TTLS
3.0.7 for all TLS based methods, 3.0.7 - 3.0.9 for TTLS
4.14 when used with Net::SSLeay 1.52 or earlier

Work with your IT administrator to update the RADIUS server to the appropriate version that includes a fix.

Temporary workaround for Windows-based computers that have applied the November update

Note: Microsoft recommends the use of TLS 1.2 for EAP authentication wherever it's supported. Although all known issues in TLS 1.0 have patches available, we recognize that TLS 1.0 is an older standard that's been proven vulnerable.

To configure the TLS version that EAP uses by default, you must add a DWORD value that's named TlsVersion to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13

The value of this registry key can be 0xC0, 0x300, or 0xC00.

This registry key is applicable only to EAP TLS and PEAP; it does not affect TTLS behavior. If the EAP client and the EAP server are misconfigured so that there is no common configured TLS version, authentication will fail, and the user may lose the network connection. Therefore, we recommend that only IT administrators apply these settings and that the settings be tested before deployment. However, a user can manually configure the TLS version number if the server supports the corresponding TLS version.
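The TlsVersion override described on this page can be audited and set from PowerShell, which also makes it easy to find machines where the temporary workaround was left in place after the RADIUS server was fixed. This is an added example, not code from Microsoft or from the original page; the function names are hypothetical, and the mapping of 0xC0, 0x300 and 0xC00 to TLS 1.0, 1.1 and 1.2 is taken from the Schannel SP_PROT_TLS1_x constants rather than from the page.

```powershell
# Added example. The name-to-value mapping is an assumption based on the
# Schannel SP_PROT_TLS1_x constants; the page lists only the raw values.
$EapKey   = 'HKLM:\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13'
$Versions = @{ 'TLS 1.0' = 0xC0; 'TLS 1.1' = 0x300; 'TLS 1.2' = 0xC00 }

# Report the current override; the value is absent unless someone added it.
function Get-EapTlsVersion {
    $prop = Get-ItemProperty -Path $EapKey -Name TlsVersion -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Raw = $null; Protocol = 'not set'; NeedsReview = $false }
    }
    $raw  = [int]$prop.TlsVersion
    $name = ($Versions.GetEnumerator() | Where-Object { $_.Value -eq $raw }).Key
    if (-not $name) { $name = 'unrecognized value' }
    [pscustomobject]@{
        Raw         = '0x{0:X}' -f $raw
        Protocol    = $name
        # Anything other than TLS 1.2 means a downgrade or a typo is in effect.
        NeedsReview = ($raw -ne $Versions['TLS 1.2'])
    }
}

# Write the override. Needs an elevated session (HKLM) and, per the page,
# affects EAP TLS and PEAP only, not TTLS.
function Set-EapTlsVersion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string]$Protocol
    )
    if (-not (Test-Path -Path $EapKey)) { throw "Registry key not found: $EapKey" }
    $value  = $Versions[$Protocol]
    $action = 'Set TlsVersion to 0x{0:X} ({1})' -f $value, $Protocol
    if ($PSCmdlet.ShouldProcess($EapKey, $action)) {
        New-ItemProperty -Path $EapKey -Name TlsVersion -PropertyType DWord `
            -Value $value -Force | Out-Null
    }
    Get-EapTlsVersion   # echo the resulting state so the change can be verified
}

# Usage:
#   Get-EapTlsVersion
#   Set-EapTlsVersion -Protocol 'TLS 1.2' -WhatIf   # preview without writing
```

Because a client/server mismatch makes authentication fail, run the `-WhatIf` preview and test on a single device before deploying the setting more widely.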