
Windows 10 Dot1x

doyle2661
Level 1

So I've been reading that by default Windows 10's Microsoft Windows 10 802.1X Client is only compatible w/ ACS 5.8 Patch 4/ ISE 1.4.0.253/ ISE 2.0 (there may be other versions, but these are the big ones I've seen in compatibility notes). The reason they are not compatible is because ACS below 5.8 Patch 4 does not support TLS 1.2 and the new Win 10 boxes use TLS 1.2 by default; the ISE boxes do support TLS 1.2. Sometimes the TLS-compliant servers also do not work because the EAP authentication succeeds but the MPPE key calculation fails because an incorrect PRF (Pseudo Random Function) is used. I am writing this to see if anyone has been successful in altering the supplicant from the Windows 10 box in order for it to allow communication to ACS or ISE that do not have Windows 10 in their compatibility list. As far as I can tell the easiest fix for a lot of the ACS models seems to be setting the Win 10 box to TLS 1.0 in the registry as follows (I am writing this for ACS 5.7):

* Create DWORD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13\TlsVersion and set the associated DWORD value to C0.

* Restart the EapHost service.

The other fixes are to install AnyConnect 3.0 or 3.1 and use that as the dot1x supplicant from the box. As I am in an enterprise deployment and do not know immediately how licensing works w/ AnyConnect, this would be my second choice.

I personally am about to lab this up with ACS 5.7 for PEAP (does not have Win 10 listed as compatible) and just wanted to know if anyone else has had any luck bringing the TLS version down on the Win 10 box to work with dot1x, or getting the AnyConnect models to work w/ ACS.

Reference Links:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuu29920

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/release/notes/acs_58_rn.html#20584

https://support.microsoft.com/en-us/kb/3121002

*** WILL EDIT WHEN COMPLETE***


Noclss2000
Level 1

So what were the results of your lab?

We are about to upgrade from ACS 5.6.0 to 5.8 and are kind of worried about the TLS changes.