https://community.cisco.com/t5/network-access-control/windows-10-devices-can-t-connect-to-an-802-1x-environment/m-p/3599540#M511852 <HTML><HEAD></HEAD><BODY><P>The Microsoft support help pages might be either giving confusing or incorrect info.</P><P>ISE 2.0 FCS without patches is impacted. ISE 2.0 Patch 1 is the one providing the fix for this issue.</P><P></P><P>See <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html#pgfId-633243">Resolved Issues in Cisco ISE Version 2.0.0.306—Cumulative Patch 1</A></P><P></P><P>Table 12 Cisco ISE Patch Version 2.0.0.306—Patch 1 Resolved Caveats&nbsp; </P><TABLE border="1"><TBODY><TR><TH><P class="pCH1_CellHead1"> <A name="pgfId-618796"></A>Caveat</P></TH><TH><P class="pCH1_CellHead1"> <A name="pgfId-618798"></A>Description</P></TH></TR><TR><TD><P class="pB1_Body1"> <A name="pgfId-618800"></A>CSCuw88770</P></TD><TD><P class="pB1_Body1"> <A name="pgfId-618802"></A>ISE 2.0 PEAP TLS 1.2 wireless authentication fails with Android 6 and Win 10.</P><P class="pB1_Body1"> <A name="pgfId-618803"></A>This issue occurred because in TLS 1.2, the mechanism of MPPE keys generation has been changed for EAP-TLS, PEAP, and EAP-TTLS. EAP-FAST is not affected.</P><P class="pB1_Body1"> <A name="pgfId-618804"></A>Symptom: Authentication reports from logs show that the authentication is successful; however, the state on the WLC of the client session is dot1x required. Wireless packet captures reveal that 4-way handshakes following EAP-success are not completing, either M1 and M2 or M1 only.</P><P class="pB1_Body1"> <A name="pgfId-618805"></A>Conditions: This issue occurs when a combination of the following conditions are true:</P><UL><LI> <A name="pgfId-618806"></A>If you have Cisco ISE, Release 2.0 FCS version with no patch installed.</LI><LI> <A name="pgfId-618807"></A>Wireless LAN with L2 security configured for WPA2 Enterprise.</LI><LI> <A name="pgfId-618808"></A>A device with Android 6 or Windows 10 version 1511 tries to authenticate.</LI><LI> <A name="pgfId-618809"></A>Protocols used are PEAP or TTLS or EAP-TLS</LI></UL>&nbsp; <A name="pgfId-618810"></A>Workaround: <UL><LI> <A name="pgfId-618811"></A>For Android, none. You cannot configure TLS version from Android client or Cisco ISE</LI><LI> <A name="pgfId-618812"></A>For Windows 10 clients, you may disable TLS 1.2 and enable TLS 1.0:</LI></UL><P class="pBu2_Bullet2"> <A name="pgfId-618813"></A> – Create DWORD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13\TlsVersion and set the associate DWORD value to C0.</P><P class="pBu2_Bullet2"> <A name="pgfId-618814"></A> – Restart EapHost service.</P></TD></TR></TBODY></TABLE><H2 class="p_H_Head1"> <A name="pgfId-634275"></A><A name="97275"></A></H2></BODY></HTML> Mon, 05 Mar 2018 20:35:21 GMT hslai 2018-03-05T20:35:21Z https://community.cisco.com/t5/network-access-control/windows-10-devices-can-t-connect-to-an-802-1x-environment/m-p/3599539#M511851 <HTML><HEAD></HEAD><BODY><H1 class="x-hidden-focus ng-scope article-heading c-heading-3 ng-binding">Windows 10 devices can't connect to an 802.1X environment (November Update)</H1><P></P><P><A href="https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment" title="https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment">https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment</A></P><P><A href="https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment" title="https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment">https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment</A></P><P></P><P><SPAN style="font-size: 12.0pt; font-family: 'Arial','sans-serif';"><A href="https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment">https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment</A></SPAN></P><P></P><P></P><P>Please advise me the fix release on Cisco ISE to mitigate above issue.</P><P>I am intending to upgrade to version 2.0 from version 1.4, , according to Microsoft ISE version 2.0.0.306 patch 1 is effected,&nbsp; </P><P></P><P>thanks</P></BODY></HTML> Mon, 05 Mar 2018 13:22:46 GMT https://community.cisco.com/t5/network-access-control/windows-10-devices-can-t-connect-to-an-802-1x-environment/m-p/3599539#M511851 PNW Weer 2018-03-05T13:22:46Z https://community.cisco.com/t5/network-access-control/windows-10-devices-can-t-connect-to-an-802-1x-environment/m-p/3599540#M511852 <HTML><HEAD></HEAD><BODY><P>The Microsoft support help pages might be either giving confusing or incorrect info.</P><P>ISE 2.0 FCS without patches is impacted. ISE 2.0 Patch 1 is the one providing the fix for this issue.</P><P></P><P>See <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html#pgfId-633243">Resolved Issues in Cisco ISE Version 2.0.0.306—Cumulative Patch 1</A></P><P></P><P>Table 12 Cisco ISE Patch Version 2.0.0.306—Patch 1 Resolved Caveats&nbsp; </P><TABLE border="1"><TBODY><TR><TH><P class="pCH1_CellHead1"> <A name="pgfId-618796"></A>Caveat</P></TH><TH><P class="pCH1_CellHead1"> <A name="pgfId-618798"></A>Description</P></TH></TR><TR><TD><P class="pB1_Body1"> <A name="pgfId-618800"></A>CSCuw88770</P></TD><TD><P class="pB1_Body1"> <A name="pgfId-618802"></A>ISE 2.0 PEAP TLS 1.2 wireless authentication fails with Android 6 and Win 10.</P><P class="pB1_Body1"> <A name="pgfId-618803"></A>This issue occurred because in TLS 1.2, the mechanism of MPPE keys generation has been changed for EAP-TLS, PEAP, and EAP-TTLS. EAP-FAST is not affected.</P><P class="pB1_Body1"> <A name="pgfId-618804"></A>Symptom: Authentication reports from logs show that the authentication is successful; however, the state on the WLC of the client session is dot1x required. Wireless packet captures reveal that 4-way handshakes following EAP-success are not completing, either M1 and M2 or M1 only.</P><P class="pB1_Body1"> <A name="pgfId-618805"></A>Conditions: This issue occurs when a combination of the following conditions are true:</P><UL><LI> <A name="pgfId-618806"></A>If you have Cisco ISE, Release 2.0 FCS version with no patch installed.</LI><LI> <A name="pgfId-618807"></A>Wireless LAN with L2 security configured for WPA2 Enterprise.</LI><LI> <A name="pgfId-618808"></A>A device with Android 6 or Windows 10 version 1511 tries to authenticate.</LI><LI> <A name="pgfId-618809"></A>Protocols used are PEAP or TTLS or EAP-TLS</LI></UL>&nbsp; <A name="pgfId-618810"></A>Workaround: <UL><LI> <A name="pgfId-618811"></A>For Android, none. You cannot configure TLS version from Android client or Cisco ISE</LI><LI> <A name="pgfId-618812"></A>For Windows 10 clients, you may disable TLS 1.2 and enable TLS 1.0:</LI></UL><P class="pBu2_Bullet2"> <A name="pgfId-618813"></A> – Create DWORD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13\TlsVersion and set the associate DWORD value to C0.</P><P class="pBu2_Bullet2"> <A name="pgfId-618814"></A> – Restart EapHost service.</P></TD></TR></TBODY></TABLE><H2 class="p_H_Head1"> <A name="pgfId-634275"></A><A name="97275"></A></H2></BODY></HTML> Mon, 05 Mar 2018 20:35:21 GMT https://community.cisco.com/t5/network-access-control/windows-10-devices-can-t-connect-to-an-802-1x-environment/m-p/3599540#M511852 hslai 2018-03-05T20:35:21Z