This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Extreme Control Support for TLS1.2

Extreme Control Support for TLS1.2

Anonymous
Not applicable

‎12-13-2018 10:57 AM

Just hit this issue when using EAP-TLS when customer upgraded to Windows Version 10:

https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment

https://extremeportal.force.com/ExtrArticleDetail?an=000061810

Changing the registry on Windows machine to version TLS1.0 enabled the device to connect, but we need to use version TLS1.2 to comply with the customers security policy.

Any idea when this will be supported in Extreme Control?

Many thanks in advance

0 Kudos
5 REPLIES 5

Robert_Haynes
Extreme Employee

‎12-14-2018 01:49 PM

Ok thank you. The best path forward for an issue this involved is to open a GTAC case. Have a great day.
0 Kudos

Anonymous
Not applicable

‎12-14-2018 01:31 PM

Hi Robert,

Thanks for getting back.

Will do a little more debugging. Initially changing TLS.1.0 in the reg of the Win10 seemed to initially correct the issue. The solution uses Extreme Cloud Wireless and primary RADIUS source of NAC and Secondary is their own NPS server.

Changed the auth order to see if would work with NPS, but made no difference. Changed back and couldn't replicate the fix, so at this time I have a little more work to do.

I have run a packet trace on NAC at the point of connecting to wireless using cert based auth, and I couldn't see any requests at all showing up!?

I need to validate those findings, as it seems odd, probably try it again when next onsite. Was going to try cert based auth on wired and see if I get same results and take some more packet captures. Need to nail where in the chain the problem lies.

Will report back any findings, and raise a GTAC case if i get stuck.

Thanks
0 Kudos

Robert_Haynes
Extreme Employee

‎12-13-2018 05:05 PM

Hello Martin.

It appears we implemented the required changes several major releases ago and that particular MPPE / cryptobinding keys issue should no longer be applicable / relevant.

If you had to use that workaround to avoid some issue in this area I would suggest you open a case with GTAC support and provide a TLS12 client trace and corresponding logging from NAC for the two cases - when TLS12 is enabled and when TLS12 has been disabled.
0 Kudos

Anonymous
Not applicable

‎12-13-2018 03:51 PM

Hi Robert, thanks for responding.

Apologies, I was meant to include that. Its 8.1.3.65.

Cheers.
0 Kudos
GTM-P2G8KFN