Extreme Control Support for TLS1.2

Anonymous
Not applicable

Just hit this issue when using EAP-TLS when customer upgraded to Windows Version 10:

https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment

https://extremeportal.force.com/ExtrArticleDetail?an=000061810

Changing the registry on the Windows machine to version TLS1.0 enabled the device to connect, but we need to use version TLS1.2 to comply with the customer's security policy.

Any idea when this will be supported in Extreme Control?

Many thanks in advance

5 REPLIES

Robert_Haynes
Extreme Employee
Ok thank you. The best path forward for an issue this involved is to open a GTAC case. Have a great day.

Anonymous
Not applicable
Hi Robert,

Thanks for getting back.

Will do a little more debugging. Initially, changing to TLS1.0 in the reg of the Win10 machine seemed to correct the issue. The solution uses Extreme Cloud Wireless with a primary RADIUS source of NAC, and the secondary is their own NPS server.

Changed the auth order to see if it would work with NPS, but it made no difference. Changed back and couldn't replicate the fix, so at this time I have a little more work to do.

I have run a packet trace on NAC at the point of connecting to wireless using cert based auth, and I couldn't see any requests at all showing up!?

I need to validate those findings, as it seems odd; will probably try it again when next onsite. Was going to try cert based auth on wired and see if I get the same results and take some more packet captures. Need to nail where in the chain the problem lies.

Will report back any findings, and raise a GTAC case if I get stuck.

Thanks

Robert_Haynes
Extreme Employee
Hello Martin.

It appears we implemented the required changes several major releases ago and that particular MPPE / cryptobinding keys issue should no longer be applicable / relevant.

If you had to use that workaround to avoid some issue in this area I would suggest you open a case with GTAC support and provide a TLS12 client trace and corresponding logging from NAC for the two cases - when TLS12 is enabled and when TLS12 has been disabled.

Anonymous
Not applicable
Hi Robert, thanks for responding.

Apologies, I was meant to include that. It's 8.1.3.65.

Cheers.