Ciphers suites for EAP-TLS on windows 10/11

REJR77 — Tue, 07 Jan 2025 13:55:25 GMT

Hello,

I was reading this kb regarding ISE 3.3 and Ciphers https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-33/221570-configure-ciphers-in-ise-3-3-and-later.html

and I was wondering if some of you know where to restrict the ciphers and protocols used by the Windows 10/11 supplicant for EAP-TLS. I found some registry keys but not sure if this is exactly what I need and which one exactly:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

Any idea or feedback based on your experience?

Re: Ciphers suites for EAP-TLS on windows 10/11

ahollifield — Tue, 07 Jan 2025 14:16:10 GMT

Following.

Re: Ciphers suites for EAP-TLS on windows 10/11

Arne Bier — Tue, 07 Jan 2025 20:30:27 GMT

Great question. Have you asked Microsoft or their Community forums too?

Re: Ciphers suites for EAP-TLS on windows 10/11

REJR77 — Tue, 14 Jan 2025 08:56:59 GMT

Hi,

I was able to get the following from microsoft

On Windows 10/11, TLS settings and Cipher Suites configuration are important for network authentication such as EAP-TLS. Below are detailed instructions on how to modify these settings and answers to confirm that these registry entries work with EAP-TLS.

Confirming the role of registry entries

Here are the roles of the registry entries you mentioned and whether they affect EAP-TLS:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Purpose: Used to enable or disable specific TLS protocol versions (e.g. TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3).

Relevance to EAP-TLS: Yes, EAP-TLS relies on the SCHANNEL stack, so the settings in this registry entry affect the protocol version used by EAP-TLS.

How to configure.

The subsections Client and Server define the enabled state of the protocol.

Add the DWORD values Enabled and DisabledByDefault:

Enabled = 1 Enables the protocol.

DisabledByDefault = 1 to disable the protocol.

For example, to disable TLS 1.0:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

DWORD: DisabledByDefault = 1

DWORD: Enabled = 0

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites

Function: Defines the list of cipher suites supported by SCHANNEL.

Is relevant for EAP-TLS: Yes, this controls the cipher suites used by EAP-TLS.

How to configure:

Windows does not include this registry entry by default. If you need to restrict ciphersuites, you can add it via Group Policy or manually.

The format is the name of the cipher suite (e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384).

For example, to disable some cipher suites, you can manually add unneeded suites to this item and set the value to zero.

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

Function: Used to enable or disable specific encryption algorithms (e.g. AES, DES, RC4).

Relevance to EAP-TLS: Yes, this item affects the choice of encryption algorithms for EAP-TLS.

How to configure:

Add a child (e.g. AES 256/128) and set the DWORD value Enabled = 0 or 1.

For example, to disable RC4 encryption:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128

DWORD: Enabled = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

Purpose: Defines the cipher suite prioritization for TLS.

Relevance to EAP-TLS: Yes, this item is used to control cipher suite prioritization and affects EAP-TLS negotiation.

How to configure:

This is managed by Group Policy and may be overridden by manual editing.

The Functions value contains the cipher suite's priority order, separated by semicolons.

Example:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA25

Disclaimer: Modifying the registry or workgroups is usually geared towards advanced users, administrators, and IT professionals, and it can help fix some problems, however, improper registry modifications can cause serious problems. Therefore, please make sure to strictly follow the steps below. For further protection, make a backup of the registry before modifying it. For more information on how to backup and restore the registry ref:

How to back up and restore the registry in Windows - Microsoft Support

Re: Ciphers suites for EAP-TLS on windows 10/11

thomas — Tue, 14 Jan 2025 23:00:58 GMT

Thank you for posting the answer to this! I referenced this post in https://cs.co/ise-berg#windows

topic Re: Ciphers suites for EAP-TLS on windows 10/11 in Network Access Control

Ciphers suites for EAP-TLS on windows 10/11

Re: Ciphers suites for EAP-TLS on windows 10/11

Re: Ciphers suites for EAP-TLS on windows 10/11

Re: Ciphers suites for EAP-TLS on windows 10/11

Re: Ciphers suites for EAP-TLS on windows 10/11