Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
  • 1.  EAP/TLS 1.2?

    Posted Jul 27, 2015 01:27 PM

    It seems the new OS X 10.11 only supports TLS 1.2, which we currently don't have enabled on our 802.1X network. We terminate on our controller and not on a RADIUS server currently. Does anyone know of a way to enable TLS 1.2 on 6.4 code? Looking into this, it seems this has been supported since 6.1; however, in newer documentation I can't find anything about it, and these commands aren't on 6.4 code.

     

    ==========================================================================
    Support for TLS 1.2

    The AAA FastConnect authentication mechanism has been enhanced to support TLS protocol version 1.2. This support allows you to use the Suite B cryptographic algorithms. By default the TLS 1.2 protocol is disabled. Use the aaa authentication dot1x new-eap-termination command to enable TLS 1.2 support.

    Using CLI to Enable TLS 1.2:
    aaa authentication dot1x default-eap-termination
    enforce-suite-b-128
    enforce-suite-b-192

    Where the enforce-suite-b-128 option enables the 128-bit security level and enforce-suite-b-192 enables the 192-bit security level.



  • 2.  RE: EAP/TLS 1.2?
    Best Answer

    EMPLOYEE
    Posted Jul 27, 2015 01:39 PM

    Those release notes refer to Suite B encryption for users who have purchased and enabled the ACR (Advanced Cryptography) license.  Those are typically government and highly secure installations.  Most users do not have that license.

     

    If you are not using termination, only your RADIUS server needs to support TLS 1.2.

     

    If you are using Termination, TLS 1.2 support is enabled in:

     

    6.4.3.3 - Released 7/24/2015

    6.4.2.9 - Released 7/12/2015

    6.3.1.x - Not released as of yet

     

    The bug in the 6.4.3.3 release notes is below:

     

    [image: tls.png, screenshot of the bug entry from the 6.4.3.3 release notes]

    The versions above support TLS negotiation up to 1.2, so they should support the latest iOS 9 beta and the Mac OS X change.

     



  • 3.  RE: EAP/TLS 1.2?

    Posted Jul 27, 2015 01:43 PM

    I tested on the latest 6.4.2.10; is that not supported as well? What commands do we need to run to enable TLS 1.2 if we don't have the ACR or advanced encryption license?



  • 4.  RE: EAP/TLS 1.2?

    EMPLOYEE
    Posted Jul 27, 2015 01:51 PM
    The short-term solution, if you choose to support beta software, is to terminate on your TLS 1.2-capable RADIUS server.


    Thanks,
    Tim


  • 5.  RE: EAP/TLS 1.2?

    Posted Jul 27, 2015 01:53 PM

    Well, we understand it's beta and we don't support it either; however, if it's something Apple pushes out in the final release only allowing TLS 1.2, we'd be screwed at the moment. Currently I don't have control over our RADIUS servers, as that's a different department, and I will go that route if it's necessary, so right now I would like to find out how to support it while terminating on the controller as we do now.



  • 6.  RE: EAP/TLS 1.2?

    EMPLOYEE
    Posted Jul 27, 2015 02:07 PM

    flava,

     

    No commands should be needed to enable TLS 1.2.  According to the bug, the controller should now be able to negotiate TLS 1.2 for EAP, whereas it could not before.

     

    I suggest you open a TAC case to make sure everything is configured properly in your setup. If you have a lab, it would be advisable to stage things there to ensure you have no gaps in your strategy.



  • 7.  RE: EAP/TLS 1.2?

    Posted Jul 27, 2015 03:47 PM

    Will TAC even support this, even though the current release of OS X 10.11 is in beta?



  • 8.  RE: EAP/TLS 1.2?

    EMPLOYEE
    Posted Jul 27, 2015 03:51 PM
    The fix was put in due to the change. They should be able to handle this based on the fix.


  • 9.  RE: EAP/TLS 1.2?

    Posted Oct 09, 2015 04:34 PM

    Android 6.0 (Marshmallow) has this issue too, by the look of it.

     

    https://code.google.com/p/android/issues/detail?id=188867


    Cory C.

    Ohio University.



  • 10.  RE: EAP/TLS 1.2?

    Posted Oct 21, 2015 09:34 AM

    We have the same issue here with Marshmallow.

    Any fix known ?



  • 11.  RE: EAP/TLS 1.2?

    EMPLOYEE
    Posted Oct 21, 2015 09:36 AM

    Are you using EAP-TTLS?



  • 12.  RE: EAP/TLS 1.2?

    Posted Oct 21, 2015 09:38 AM

    No, EAP-MSCHAPv2.



  • 13.  RE: EAP/TLS 1.2?

    EMPLOYEE
    Posted Oct 21, 2015 09:39 AM
    What is your RADIUS server?


  • 14.  RE: EAP/TLS 1.2?

    EMPLOYEE
    Posted Oct 21, 2015 09:40 AM

    What version of ClearPass?

     

    On 6.5.2+, this issue is only present for EAP-TTLS.



  • 15.  RE: EAP/TLS 1.2?

    Posted Oct 21, 2015 09:42 AM

    Sorry, my mistake, we do not use ClearPass.

    I guess I will check with the people who put the RADIUS server online.

     



  • 16.  RE: EAP/TLS 1.2?

    EMPLOYEE
    Posted Oct 21, 2015 10:04 AM

    Gerry_uottawa,

     

    The RADIUS server is the key here.  If the controller is not doing termination, it is just passing everything through to the RADIUS server, which might not support TLS 1.2.



  • 17.  RE: EAP/TLS 1.2?

    Posted Nov 03, 2015 05:23 PM

    EAP-TTLS with ClearPass and TLS 1.2 seems to be fixed in ClearPass 6.5.4... https://twitter.com/arjan_k/status/661658617314213892



  • 18.  RE: EAP/TLS 1.2?

    Posted Nov 03, 2015 05:27 PM

    Hi all,

    We actually fixed the issue with TAC yesterday.

    We had to upgrade all controllers to 6.3.1.18.

    All good now.



  • 19.  RE: EAP/TLS 1.2?

    Posted Nov 25, 2015 09:13 AM

    It seems that in a new build for Windows 10 1511 (10586) they are changing a setting for EAP TLS 1.2.

    We have Aruba version 6.4.3.3, which we upgraded to resolve the above-mentioned issue.   We terminate on the controllers for our primary SSID, and users are unable to connect.  If they use "eduroam", which is terminated on the ClearPass servers, they have no issues.  The following link describes a workaround of disabling EAP TLS 1.2 in the Registry, which I believe allows them to connect, but I have not verified it myself yet:  <http://answers.microsoft.com/en-us/windows/forum/windows_10-networking/after-update-to-1511-i-cant-connect-via-wlan-to-my/696f12ed-6e08-4e14-ae30-c7a878ebbd17?auth=1>

    Also, I have read that Microsoft has pulled this build and is adding the change to be pushed out as part of the monthly patches.     I do have a case open for this and am working to get captures to the TAC.      Anyone else see this problem?          Not sure if this should have been a new post or not.

     

     

    Thanks

     

    Chris Hart

    Northwestern University.

     



  • 20.  RE: EAP/TLS 1.2?

    Posted Nov 25, 2015 10:51 AM

    Sounds like this just adds Win10 to the list of systems that default to TLS 1.2.  If your local users are authenticating successfully via ClearPass, I think you just need to:

    1) update the controllers

    -or-

    2) remove termination from SSIDs and enable it on ClearPass for those SSIDs.

     

    We went with option 2 though we use NPS instead of ClearPass.

     

    Cory C.

    Ohio University



  • 21.  RE: EAP/TLS 1.2?

    Posted Nov 26, 2015 06:12 AM

    We have the same issue at a customer.

    Terminating EAP on the controller (6.4.2.13).

    Win10 clients with all patches can't connect.

    The registry patch is a valid workaround.

     

    Will this be fixed in 6.4?

     

    Christian



  • 22.  RE: EAP/TLS 1.2?

    EMPLOYEE
    Posted Nov 26, 2015 07:45 AM
    You should consider terminating on your RADIUS server.



  • 23.  RE: EAP/TLS 1.2?

    Posted Nov 30, 2015 09:23 PM

    I found this, which gives more details of the issue from Microsoft:

     

    https://support.microsoft.com/en-us/kb/3121002

     

    Also note that I am on ArubaOS 6.4.3 and have the issue.

     

    Chris Hart

    Northwestern University

     



  • 24.  RE: EAP/TLS 1.2?

    Posted Dec 09, 2015 04:59 PM

    Model: Aruba650
    Version: 6.4.2.2

     

    I have an open ticket with Aruba. I'm using the controller with internal authentication, and I'm having issues with Windows 10 with the November patch and with Android 6.0.

     

    Temporary fix for Windows 10 (downgrade the TLS version):

    REM TlsVersion 192 = 0xC0 restricts EAP (the "13" key is the EAP-TLS method) to TLS 1.0; see KB3121002 for the other bit values
    REG add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13" /v TlsVersion /t REG_DWORD /d 192 /f

    REM restart the EAP host service so the new value is picked up
    net stop EapHost

    net start EapHost

    Android: no fix.

     

    Here is the support message :
    "The controller does not support TLS 1.1 and TLS 1.2 on the version the controller is running, thus we are facing this issue. There is no way to disable or enable it on the controller for now. However, I am tracking the engineering ticket. Will keep you posted on this."

     

    Waiting for them!

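    Added example (not code from the thread or from Aruba): the posts above keep coming back to one question, which side of the EAP exchange is the TLS endpoint and which TLS version it offers or refuses. When a TAC case asks for captures, the useful evidence is the ClientHello inside the EAP-Response (the supplicant's client_version and cipher suites) and any TLS Alert the authenticator sends back. The block below decodes the TLS record carried in an EAP-TLS/EAP-TTLS/PEAP packet per RFC 5216/RFC 5246 framing, and models the version outcome for a server capped at TLS 1.0. The packets it parses are constructed in the block itself; real captures would come from a RADIUS EAP-Message attribute or an EAPOL frame. The negotiation function is a simplified RFC 5246 model and is not a claim about how the controller's own stack behaves.

```python
import struct

# Constructed sample data and simplified decoder; not the controller's or Windows' code.
EAP_CODES = {1: "Request", 2: "Response"}
EAP_TLS_METHODS = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}  # RFC 5216, RFC 5281, PEAP
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
              48: "unknown_ca", 70: "protocol_version"}
FLAG_LENGTH_INCLUDED = 0x80  # EAP-TLS "L" flag: a 4-byte TLS message length follows the flags byte


def build_eap_tls_client_hello(identifier, client_version, cipher_suites):
    """Constructed EAP-Response/EAP-TLS carrying a minimal TLS ClientHello (no extensions)."""
    hello = struct.pack("!H", client_version)
    hello += b"\x11" * 32                          # client random, fixed for determinism
    hello += b"\x00"                               # session_id length 0
    hello += struct.pack("!H", 2 * len(cipher_suites))
    hello += b"".join(struct.pack("!H", suite) for suite in cipher_suites)
    hello += b"\x01\x00"                           # compression_methods: null only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello          # HandshakeType client_hello
    record = b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # record layer 1.0 for compat
    payload = bytes([13, FLAG_LENGTH_INCLUDED]) + struct.pack("!I", len(record)) + record
    return struct.pack("!BBH", 2, identifier, 4 + len(payload)) + payload


def build_eap_tls_alert(identifier, level, description):
    """Constructed EAP-Request/EAP-TLS carrying a TLS Alert, as an authenticator sends on refusal."""
    record = b"\x15" + struct.pack("!HH", 0x0301, 2) + bytes([level, description])
    payload = bytes([13, FLAG_LENGTH_INCLUDED]) + struct.pack("!I", len(record)) + record
    return struct.pack("!BBH", 1, identifier, 4 + len(payload)) + payload


def parse_eap_tls(packet):
    """Describe the TLS record inside one EAP packet. Raises ValueError for non-TLS EAP types."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    method, flags = packet[4], packet[5]
    if method not in EAP_TLS_METHODS:
        raise ValueError(f"EAP type {method} does not carry TLS")
    info = {"eap_code": EAP_CODES.get(code, code), "eap_id": identifier,
            "method": EAP_TLS_METHODS[method], "flags": flags}
    offset = 10 if flags & FLAG_LENGTH_INCLUDED else 6
    tls = packet[offset:]
    if not tls:                                    # EAP-TLS Start or a fragment ACK
        info["record"] = "empty"
        return info
    content_type, record_version, record_len = struct.unpack("!BHH", tls[:5])
    body = tls[5:5 + record_len]
    info["record_version"] = TLS_VERSIONS.get(record_version, hex(record_version))
    if content_type == 0x16 and body[0] == 0x01:   # Handshake, ClientHello
        hello = body[4:]                           # skip 1-byte type + 3-byte length
        client_version = struct.unpack("!H", hello[:2])[0]
        pos = 35 + hello[34]                       # skip version, random, session_id
        suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        suites = hello[pos + 2:pos + 2 + suites_len]
        info.update(record="ClientHello",
                    client_version=TLS_VERSIONS.get(client_version, hex(client_version)),
                    cipher_suites=[struct.unpack("!H", suites[i:i + 2])[0]
                                   for i in range(0, suites_len, 2)])
    elif content_type == 0x15:                     # Alert
        info.update(record="Alert", alert_level="fatal" if body[0] == 2 else "warning",
                    alert_name=TLS_ALERTS.get(body[1], str(body[1])))
    else:
        info["record"] = f"content_type {content_type}"
    return info


def negotiated_version(client_min, client_max, server_max):
    """RFC 5246 model: the server answers with min(client_max, server_max); the client accepts it
    only if it is not below its own floor. Returns the version, or None when the handshake fails."""
    chosen = min(client_max, server_max)
    return chosen if chosen >= client_min else None


if __name__ == "__main__":
    print(parse_eap_tls(build_eap_tls_client_hello(1, 0x0303, [0xC02F, 0x002F])))
    print(parse_eap_tls(build_eap_tls_alert(2, 2, 70)))
    # A TLS 1.0-only authenticator can serve a client that still allows 1.0, not one pinned to 1.2.
    print(negotiated_version(0x0301, 0x0303, 0x0301), negotiated_version(0x0303, 0x0303, 0x0301))
```

    Reading a capture this way tells you whether the supplicant is pinned to TLS 1.2 (its client_version is 0x0303 and it rejects a 1.0 ServerHello) or whether the authenticator is refusing outright (a fatal protocol_version or handshake_failure alert straight after the ClientHello). The registry value from the post above maps onto the same model: TlsVersion 192 (0xC0) lowers the Windows client's ceiling to TLS 1.0, which is why it works against an authenticator that cannot go higher; reverting it once the controller is upgraded restores the stronger default.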


  • 25.  RE: EAP/TLS 1.2?

    Posted Dec 10, 2015 08:37 AM

    We are at the same stage here.

    Even though the Microsoft fix works, it is not an option when you have 60,000+ users.

     

    Waiting for TAC to get back to me.



  • 26.  RE: EAP/TLS 1.2?

    Posted Dec 10, 2015 08:38 AM

    Same here.

    Also have a case open.

     

    Christian



  • 27.  RE: EAP/TLS 1.2?

    Posted Dec 10, 2015 08:50 AM

    @Gerry_uottawa wrote:

    .....it is not an option when you have 60 000+ users.

     

    Waiting for TAC to get back to me.


    Are you saying you are doing EAP termination of 60,000+ users on the controllers?    I would advise against that and use termination on your RADIUS servers.

     

    Please share how things go with TAC.



  • 28.  RE: EAP/TLS 1.2?

    Posted Dec 10, 2015 08:52 AM

    No, the termination is done on the RADIUS server, not on the controllers.



  • 29.  RE: EAP/TLS 1.2?

    EMPLOYEE
    Posted Dec 10, 2015 08:59 AM

    Does your RADIUS server support TLS 1.2? If you're not doing termination on the controller and your RADIUS server is up to date, Win 10 shouldn't have any issues connecting.



  • 30.  RE: EAP/TLS 1.2?

    Posted Dec 10, 2015 09:18 AM

    EDIT:

    what Tim said ;-)


    @Gerry_uottawa wrote:

    no, the termination is done on the Radius, not on the controllers.


    If termination is not done on your controllers, does your RADIUS server support TLS 1.2?    What RADIUS solution are you using?   If you are not terminating on the controller and the server supports TLS 1.2, you should not have these specific authentication issues.



  • 31.  RE: EAP/TLS 1.2?

    Posted Dec 10, 2015 09:20 AM

    I personally don't have access to the RADIUS server.

    I just know that it runs on Windows 2008 R2 and was patched about 10 days ago.

    I am waiting for the Sys Analyst to check why we are having that kind of issue.

    Thanks



  • 32.  RE: EAP/TLS 1.2?

    Posted Dec 12, 2015 01:19 PM

    Seems Android 6.0.1 has a workaround for broken RADIUS servers.

     

    https://android.googlesource.com/platform/frameworks/opt/net/wifi/+/eb5caea

     

    Christian