Question

Extreme Control Support for TLS1.2


Just hit this issue when using EAP-TLS when customer upgraded to Windows Version 10:

https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment

https://gtacknowledge.extremenetworks.com/articles/Solution/Devices-using-Win10-with-TLS-v1-2-cannot-connect-to-secure-WiFi-802-1x

Changing the registry on Windows machine to version TLS1.0 enabled the device to connect, but we need to use version TLS1.2 to comply with the customer's security policy.

Any idea when this will be supported in Extreme Control?

Many thanks in advance

5 replies

Hello Martin.

Thank you for reporting this issue. We have encountered this in the past and have advised the same workaround procedure. I cannot confirm that ExtremeControl has been patched at this time to address this.

What software release are / were you using?
Hi Robert, thanks for responding.

Apologies, I was meant to include that. It's 8.1.3.65.

Cheers.
Hello Martin.

It appears we implemented the required changes several major releases ago and that particular MPPE / cryptobinding keys issue should no longer be applicable / relevant.

If you had to use that workaround to avoid some issue in this area I would suggest you open a case with GTAC support and provide a TLS12 client trace and corresponding logging from NAC for the two cases - when TLS12 is enabled and when TLS12 has been disabled.
Hi Robert,

Thanks for getting back.

Will do a little more debugging. Initially changing TLS1.0 in the reg of the Win10 seemed to initially correct the issue. The solution uses Extreme Cloud Wireless and primary RADIUS source of NAC and Secondary is their own NPS server.

Changed the auth order to see if it would work with NPS, but made no difference. Changed back and couldn't replicate the fix, so at this time I have a little more work to do.

I have run a packet trace on NAC at the point of connecting to wireless using cert based auth, and I couldn't see any requests at all showing up!?

I need to validate those findings, as it seems odd, probably try it again when next onsite. Was going to try cert based auth on wired and see if I get same results and take some more packet captures. Need to nail where in the chain the problem lies.

Will report back any findings, and raise a GTAC case if I get stuck.

Thanks
Ok thank you. The best path forward for an issue this involved is to open a GTAC case. Have a great day.
