Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS 1.2 and Windows Clients

  • 1.  EAP-TLS 1.2 and Windows Clients

    Posted Aug 08, 2017 03:29 PM

    I’ve seen little information about this issue on this site or elsewhere, so I thought I would post about this solution we found at a client site. If you’re having difficulty getting Windows clients to connect to an EAP-TLS network using TLS 1.2, read on…  

    (All the usual disclaimers apply: modifying the Windows registry can be hazardous to your health. Don’t proceed without the knowledge of what you’re doing and a good backup.)


    Wireless clients were connecting to an EAP-TLS network using TLS 1.0, even though ClearPass 6.6.7 was in use (TLS 1.2 support was added to ClearPass several versions prior). Packet captures confirmed that clients were connecting to the network using TLS 1.0. The security department was requiring a move to TLS 1.2.


    To disable TLS 1.0 and 1.1, modifications were made to the Windows registry according to this document:

    https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS10


    By adding the appropriate DWORD values to this key:

    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

    We can disable TLS 1.0 and 1.1, leaving only 1.2 available.

    [screenshot: tls1.2-1.png]

    After making this change, Windows 10 clients could connect using TLS 1.2. However, Windows 7 clients would no longer connect at all.


    Much searching unearthed this article, which says that Win 7 needs additional registry values set:

    https://support.microsoft.com/en-us/help/2977292/microsoft-security-advisory-update-for-microsoft-eap-implementation-th


    (This article references a Windows patch that came out in 2014. We assumed that it had long since been downloaded to the computer, but if this process doesn't work, you might want to make sure you’ve got the patch.)


    Per the article, we added the ‘TlsVersion’ DWORD with a value of 0xC00 to this branch:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13

    [screenshot: tls1.2-2.png]

    With these two registry changes and a reboot, Windows 7 computers connected happily using TLS 1.2, as shown by this packet capture:

    [screenshot: tls1.2-3.png]

    Also, if you don’t want to do packet captures, you can be fairly certain that EAP-TLS 1.2 is in use by disabling TLS 1.0, 1.1, AND 1.2 using the first article mentioned above. Verify that the computer will not connect. Then re-enable only TLS 1.2, and test again. At that point, you’re likely connecting with TLS 1.2.


    Note: reboots are usually required between these changes.


    Enjoy!
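    An added example, not part of the original post: an elevated PowerShell script that applies the two registry changes described above (the Schannel per-protocol keys from the first Microsoft article, with both Client and Server subkeys assumed, and the EAP-TLS TlsVersion value of 0xC00 from the second) and then reports what is actually set, so the state can be checked before and after the reboot. The function names are the example's own.

```powershell
# Added example (not from the original post). Run elevated on the client; reboot afterwards.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$EapTls   = 'HKLM:\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13'

function Set-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][bool]$Enable)
    # Schannel reads Enabled / DisabledByDefault from per-protocol Client and Server subkeys
    # (both sides are set here; adjust if only the client side should change).
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $Schannel "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

function Set-EapTlsVersion {
    # EAP type 13 is EAP-TLS; TlsVersion = 0xC00 pins the Windows 7 supplicant to TLS 1.2 (value from the KB above).
    param([int]$Value = 0xC00)
    if (-not (Test-Path $EapTls)) { New-Item -Path $EapTls -Force | Out-Null }
    New-ItemProperty -Path $EapTls -Name 'TlsVersion' -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-TlsPolicyState {
    # Audit view: shows what is set (or not set), for comparison against the packet capture.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $p = Get-ItemProperty -Path (Join-Path $Schannel "$proto\$side") -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Setting           = "$proto $side"
                Enabled           = if ($null -ne $p.Enabled) { $p.Enabled } else { '(not set)' }
                DisabledByDefault = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { '(not set)' }
            }
        }
    }
    $e = Get-ItemProperty -Path $EapTls -Name TlsVersion -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Setting           = 'EAP-TLS TlsVersion'
        Enabled           = if ($e) { '0x{0:X}' -f $e.TlsVersion } else { '(not set)' }
        DisabledByDefault = ''
    }
}

# Apply: leave only TLS 1.2 enabled for Schannel, and pin the EAP-TLS supplicant to 1.2.
Set-SchannelProtocol -Name 'TLS 1.0' -Enable $false
Set-SchannelProtocol -Name 'TLS 1.1' -Enable $false
Set-SchannelProtocol -Name 'TLS 1.2' -Enable $true
Set-EapTlsVersion
Get-TlsPolicyState | Format-Table -AutoSize
Write-Host 'Reboot required for these changes to take effect.'
```

    Running only Get-TlsPolicyState on a machine that has not been changed is a quick way to confirm whether the values from the two articles are present before blaming the supplicant.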



  • 2.  RE: EAP-TLS 1.2 and Windows Clients

    Posted Aug 24, 2017 05:17 PM


    This looks more like a bug of the operating system, I mean Windows, as you said you were using ClearPass 6.6.7, which supports 1.2, and even with that you had to manually disable it on the Windows clients...


    Cheers

    Carlos