Wireless Access

Reply
Frequent Contributor I
Posts: 70
Registered: ‎04-03-2007

Windows 10 EAP-PEAP Termination Broken

I have a customer who recently upgrade a large number of their laptops to Windows 10 and now they are unable to authenticate on wireless. 

It appears that this is an issue with TLS and EAP with Windows 10. There are some registry hacks but I and the customer are not comfortable with this workaround. https://support.microsoft.com/en-us/kb/3121002

Is there an option to resolve this from the controller side?

The termination is EAP-PEAP on the controller and the inner termination is eap-mschapv2.

They are currently running ArubaOS 6.3.1.19. 

Windows 7 clients, iPads, tablets, phones all authenticate without issue. Windows 10 is a no go. 

Michael McNamee
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP

http://www.securedgenetworks.com/secure-edge-networks-blog/
Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: Windows 10 EAP-PEAP Termination Broken

The solution is to use a RADIUS server instead of termination.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 70
Registered: ‎04-03-2007

Re: Windows 10 EAP-PEAP Termination Broken

Unfortunately they removed their Windows servers and moved to Office365 with no domain. 

 

Any other ideas/options?

Michael McNamee
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP

http://www.securedgenetworks.com/secure-edge-networks-blog/
Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: Windows 10 EAP-PEAP Termination Broken

[ Edited ]

Even with Office 365, they should still have domain controllers (Azure AD).

 

The other alternative would be to roll out EAP-TLS.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎10-17-2014

Re: Windows 10 EAP-PEAP Termination Broken

Isn´t this fixed in 6.4.3.6 (Bug 128466)?

 

TAC told me so.

Frequent Contributor I
Posts: 70
Registered: ‎04-03-2007

Re: Windows 10 EAP-PEAP Termination Broken

I will look into that. I hope so.

Thanks

Sent from my Verizon Wireless 4G LTE DROID
Michael McNamee
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP

http://www.securedgenetworks.com/secure-edge-networks-blog/
eip
Occasional Contributor II
Posts: 22
Registered: ‎02-08-2008

Re: Windows 10 EAP-PEAP Termination Broken

Interesting. Release note 6.4.3.6  shows Bug ID: 128466 as a known issue not as a fixed issue.

 

We have encountered this issue as well and contacted TAC. Since the issue is fixed in ClearPass, I asked if the issue will be fixed on the controller. Still waiting on an official answer. You might want to contact TAC for more updated inromation.

 

Ed

New Contributor
Posts: 3
Registered: ‎09-18-2013

Re: Windows 10 EAP-PEAP Termination Broken

[ Edited ]

I am having the same issue. We are using Windows Server 2012 R2 for a radius server, but Windows 10 machines are not able to connect. They get denied at the controller. Contacted TAC and they are recommending i use ClearPass as the radius server as a work-around. 

 

We are runnning ArubaOS 6.4.3.6 on our controllers. 

 

I'll be setting up a time to work with them so they can help me set it up. I'm hoping this works. 

Frequent Contributor I
Posts: 70
Registered: ‎04-03-2007

Re: Windows 10 EAP-PEAP Termination Broken

I tried updating the controller to 6.4.3.6 but that did not resolve the issue.

Clear Pass would be a great solution but no everyone can afford it.

Has TAC identified what the root cause of this issue is? Is it the TLS or EAP implementation on Windows 10?
Michael McNamee
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP

http://www.securedgenetworks.com/secure-edge-networks-blog/
Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: Windows 10 EAP-PEAP Termination Broken

The recommendation isn't neceassarily ClearPass, it's to use a RADIUS server instead of termination on the controller. There are many free/FOSS RADIUS servers out there. RADIUS server has been best practice for a number of years.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Search Airheads
Showing results for 
Search instead for 
Did you mean: