Windows 10 EAP-PEAP Termination Broken

  • 1.  Windows 10 EAP-PEAP Termination Broken

    Posted Jan 11, 2016 05:03 PM

    I have a customer who recently upgraded a large number of their laptops to Windows 10 and now they are unable to authenticate on wireless.

    It appears that this is an issue with TLS and EAP with Windows 10. There are some registry hacks but I and the customer are not comfortable with this workaround. https://support.microsoft.com/en-us/kb/3121002

    Is there an option to resolve this from the controller side?

    The termination is EAP-PEAP on the controller and the inner termination is eap-mschapv2.

    They are currently running ArubaOS 6.3.1.19. 

    Windows 7 clients, iPads, tablets, phones all authenticate without issue. Windows 10 is a no go. 



  • 2.  RE: Windows 10 EAP-PEAP Termination Broken

    EMPLOYEE
    Posted Jan 11, 2016 05:06 PM
    The solution is to use a RADIUS server instead of termination.


  • 3.  RE: Windows 10 EAP-PEAP Termination Broken

    Posted Jan 11, 2016 05:15 PM

    Unfortunately they removed their Windows servers and moved to Office365 with no domain. 

     

    Any other ideas/options?



  • 4.  RE: Windows 10 EAP-PEAP Termination Broken

    EMPLOYEE
    Posted Jan 11, 2016 05:17 PM

    Even with Office 365, they should still have domain controllers (Azure AD).

     

    The other alternative would be to roll out EAP-TLS.



  • 5.  RE: Windows 10 EAP-PEAP Termination Broken

    Posted Jan 11, 2016 08:33 PM

    Isn't this fixed in 6.4.3.6 (Bug 128466)?

     

    TAC told me so.



  • 6.  RE: Windows 10 EAP-PEAP Termination Broken

    Posted Jan 11, 2016 09:10 PM
    I will look into that. I hope so.

    Thanks



  • 7.  RE: Windows 10 EAP-PEAP Termination Broken

    Posted Jan 12, 2016 11:04 AM

    Interesting. Release note 6.4.3.6 shows Bug ID: 128466 as a known issue, not as a fixed issue.

     

    We have encountered this issue as well and contacted TAC. Since the issue is fixed in ClearPass, I asked if the issue will be fixed on the controller. Still waiting on an official answer. You might want to contact TAC for more updated information.

     

    Ed



  • 8.  RE: Windows 10 EAP-PEAP Termination Broken

    Posted Jan 12, 2016 01:18 PM

    I am having the same issue. We are using Windows Server 2012 R2 for a RADIUS server, but Windows 10 machines are not able to connect. They get denied at the controller. Contacted TAC and they are recommending I use ClearPass as the RADIUS server as a work-around.

     

    We are running ArubaOS 6.4.3.6 on our controllers.

     

    I'll be setting up a time to work with them so they can help me set it up. I'm hoping this works. 



  • 9.  RE: Windows 10 EAP-PEAP Termination Broken

    Posted Jan 12, 2016 01:21 PM
    I tried updating the controller to 6.4.3.6 but that did not resolve the issue.

    ClearPass would be a great solution but not everyone can afford it.

    Has TAC identified what the root cause of this issue is? Is it the TLS or EAP implementation on Windows 10?


  • 10.  RE: Windows 10 EAP-PEAP Termination Broken

    EMPLOYEE
    Posted Jan 12, 2016 01:24 PM

    The recommendation isn't necessarily ClearPass, it's to use a RADIUS server instead of termination on the controller. There are many free/FOSS RADIUS servers out there. RADIUS server has been best practice for a number of years.



  • 11.  RE: Windows 10 EAP-PEAP Termination Broken

    Posted Jan 12, 2016 02:28 PM

    @mmcnamee wrote:

    Has TAC identified what the root cause of this issue is? Is it the TLS or EAP implementation on Windows 10?

    Looking at the Microsoft article, it is the use of TLS 1.2 which is causing this, and RADIUS servers are fixing it, so it is up to that side to solve it. As pointed out, termination isn't best practice, so Aruba probably won't solve this extremely fast on the controller. At some point they probably will.

     

    For the one response that used Windows 2012, I assume you could use NPS there.



  • 12.  RE: Windows 10 EAP-PEAP Termination Broken

    Posted May 06, 2016 10:12 AM

    Hi,

     

    Is this still an issue?



  • 13.  RE: Windows 10 EAP-PEAP Termination Broken

    Posted Jul 20, 2016 08:15 AM

    We still have this issue. We use Server 2012 R2 NPS. Workaround is to add the following registry key in Windows 10:

     

    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xc0

    Unfortunately this doesn't help us with Windows Phone 10. Please help us to fix this problem:

     

    Our configuration:

     

    • Server 2012 R2 NPS with PEAP policy and RapidSSL CA
    • Aruba3200 Controller
    • Running  ArubaOS 6.4.3.6 
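
The registry value in the post above is a bit mask, so a fleet audit can read it back and see which endpoints have EAP pinned below TLS 1.2. This is an added example, not code from the thread: the function name `Get-EapTlsOverride` is hypothetical, `0xC0` comes from the post, and the `0x300` and `0xC00` masks are the values Microsoft documents for the same `TlsVersion` setting.

```powershell
# Added example (not from the thread): report the EAP TlsVersion override on this machine.
$EapKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'   # path from the post above

# Bit masks accepted by TlsVersion. 0xC0 is the value used in the post; the other
# two are the values Microsoft documents for TLS 1.1 and TLS 1.2.
$TlsMasks = [ordered]@{ 'TLS 1.0' = 0xC0; 'TLS 1.1' = 0x300; 'TLS 1.2' = 0xC00 }

function Get-EapTlsOverride {
    param([string]$KeyPath = $EapKey)

    $prop = Get-ItemProperty -Path $KeyPath -Name 'TlsVersion' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Key or value absent: the EAP client follows the operating system default.
        return [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            OverrideSet = $false
            RawValue    = $null
            Allowed     = @()
            Finding     = 'No TlsVersion override (OS default in effect)'
        }
    }

    $value   = [int]$prop.TlsVersion
    # A protocol counts as allowed only when both bits of its mask are set.
    $allowed = @($TlsMasks.Keys | Where-Object { ($value -band $TlsMasks[$_]) -eq $TlsMasks[$_] })

    $finding = if ($allowed.Count -eq 0) {
        'Override set but no known TLS version bits present'
    } elseif ($allowed -notcontains 'TLS 1.2') {
        'EAP restricted below TLS 1.2 (workaround applied)'
    } else {
        'TLS 1.2 allowed for EAP'
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        OverrideSet = $true
        RawValue    = '0x{0:X}' -f $value
        Allowed     = $allowed
        Finding     = $finding
    }
}

Get-EapTlsOverride | Format-List
```

On a machine where the `reg add` command from the post was run, `RawValue` is `0xC0` and `Allowed` contains only `TLS 1.0`, which marks it for cleanup once the RADIUS side negotiates TLS 1.2.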


  • 14.  RE: Windows 10 EAP-PEAP Termination Broken

    Posted Jul 20, 2016 09:27 AM
    Hello,

    We already owned AirWave so we reconfigured our setup to use AirWave as the RADIUS server rather than a Windows 2012 NPS. Unfortunately this means we don't have any failover though.

    Do you have to touch the registry in people's personal devices to get them to connect?


  • 15.  RE: Windows 10 EAP-PEAP Termination Broken

    EMPLOYEE
    Posted Jul 20, 2016 09:31 AM

    AirWave is not a RADIUS server. Can you elaborate on what you did?



  • 16.  RE: Windows 10 EAP-PEAP Termination Broken

    Posted Jul 20, 2016 10:38 AM
    Sorry, that was my mistake. I meant to say we are using ClearPass as our authentication server not Airwave.

    Thank you,

    Ricardo Rivera (Danny)
    Assistant Director of IT Client Services & Media Services
    Northern Essex Community College
    100 Elliott St.
    Haverhill, MA 01830
    978-556-3742