
Windows 10 November update version 1511 WPA2 Enterprise issues

Elon Turner
Level 1

I run a large WPA2 Enterprise secured wifi environment with a radius authentication back-end. After yesterday's Windows 10 November update, we're seeing increased reports of inability to connect to these SSIDs.

Is anyone else seeing this type of user report?

10 Replies

Freerk Terpstra
Level 7

I’m not familiar with problems due to Windows update for Windows 10, but I do have a few questions:

  • Which specific Windows update (KB) are you referring to?
  • Which kind of EAP implementation do you use?
  • What is your WLC software version?
  • What does a “client debug MAC” show on the WLC CLI?
  • Which messages are being shown in the radius logs?

Please rate useful posts... :-)

My company also uses Enterprise WPA2 with PEAP and a user/password login for a personal employee network, and my client PC can no longer connect after Windows 10 Update 1511. The PC has an AC wifi card in it. I can see the network and I am prompted to enter my user name and password like my PC has not connected to it before, but when attempting to connect it fails with a message saying that the PC cannot connect to the network.

When I reverted my Windows 10 build back to the previous RTM build, I was able to connect to the network fine like I could prior to the update. The update was rolled out on Friday, November 13, 2015 to all Windows 10 users.

We're working to get the exact build of OS to test in-house, so I don't have an answer to a couple of the questions yet. Right now, it only seems to be Windows 10, Version 1511, build 10586 that is an update just released for the Home edition for now. I believe the same update is being released for Pro and Enterprise at a later date.

We're using EAP-TLS authentication with WLC 8.0.120.0.

This may be true for Windows Enterprise, but the update has also been released to Windows 10 Pro, which is what I'm on. I can't confirm if there is a different build/version number I'm afraid, but it's the same update released to Home users on the same day.

Thanks for confirming Pro is also affected right now. 

I'm on Windows 10 Pro as well. The build number is the same.

I'm on Windows 10 Pro as well. Just added the cumulative update version 1511 today and it still doesn't work.

We reached a breakthrough with our Radius authentication vendor. 

Here is a description of the problem from the vendor:

At the end of a successful EAP-PEAP or EAP-TLS authentication, native 802.1x supplicants on both Android 6.0 and Windows 10 TH2 require MPPE keying material to be generated using the TLS 1.2 cryptography standard. Due to limitations with Pulse Policy Secure RADIUS method of generating MPPE keys, this effectively prohibits successful negotiation of dynamic session encryption keys between the wireless access point and the wireless supplicant, resulting in lack of connectivity.

MPPE (Microsoft Point-to-Point Encryption) keys are generated by a RADIUS server after a successful RADIUS authentication and are used by the wireless access point to create dynamic session encryption keys to protect data over Wi-Fi.

This has also caused compatibility problems with other RADIUS servers including FreeRADIUS: https://code.google.com/p/android/issues/detail?id=188867

 
Cause
Pulse Policy Secure RADIUS does not currently support the TLS 1.2 cryptography standard for generating MPPE keys.

This is due to the fact that, during the authentication process, under TLS 1.2, the hashing algorithm for generating the MPPE keys is dynamically negotiated as part of the cipher suite, whereas with TLS 1.0 and TLS 1.1, the hashing algorithm used to generate the MPPE keys is hardcoded as legacy MD5|SHA1.

Thus the keying material used in the WPA 4-way handshake between the supplicant and the access point will always fail, due to the mismatch in the generated keying material.

Temporary workaround that I can confirm does work. The only problem is that it disables TLS 1.2 from negotiating at all.

http://answers.microsoft.com/en-us/windows/forum/windows_10-networking/after-update-to-1511-i-cant-connect-via-wlan-to-my/696f12ed-6e08-4e14-ae30-c7a878ebbd17?auth=1
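The mismatch described in the vendor's explanation above can be reproduced offline. This is an added example, not code from the thread or from any vendor: it derives the EAP-TLS key material (RFC 5216 label) from the same TLS master secret with the TLS 1.0/1.1 PRF and with the TLS 1.2 PRF, assuming a SHA-256 cipher suite and constructed sample secrets.

```python
import hashlib
import hmac

LABEL = b"client EAP encryption"  # key-export label defined in RFC 5216

def p_hash(name, secret, seed, length):
    """P_hash expansion shared by RFC 2246 and RFC 5246 (section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, name).digest()
        out += hmac.new(secret, a + seed, name).digest()
    return out[:length]

def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: fixed P_MD5 XOR P_SHA1 over the two secret halves."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5 = p_hash("md5", s1, label + seed, length)
    sha1 = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))

def prf_tls12(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF: a single P_hash whose hash comes from the cipher suite."""
    return p_hash(hash_name, secret, label + seed, length)

def derive_msk(prf, master_secret, client_random, server_random):
    """The first 64 of the 128 exported bytes form the MSK (RFC 5216)."""
    return prf(master_secret, LABEL, client_random + server_random, 128)[:64]

def pmk(msk):
    """WPA2-Enterprise uses the first 32 bytes of the MSK as the PMK."""
    return msk[:32]

# Constructed sample values, not taken from any real handshake.
MASTER = bytes(range(48))
CRAND = b"\x11" * 32
SRAND = b"\x22" * 32

def demo():
    supplicant = derive_msk(prf_tls12, MASTER, CRAND, SRAND)     # TLS 1.2 client
    legacy_radius = derive_msk(prf_tls10, MASTER, CRAND, SRAND)  # hardcoded MD5|SHA1
    fixed_radius = derive_msk(prf_tls12, MASTER, CRAND, SRAND)   # negotiated hash
    return (pmk(supplicant) == pmk(legacy_radius),
            pmk(supplicant) == pmk(fixed_radius))

if __name__ == "__main__":
    print(demo())
```

When the first value is false, the access point receives a PMK the supplicant never computed, so the RADIUS log shows a successful authentication while the 4-way handshake fails.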

ritchie888
Level 1

Coming from a client point of view and not an administrator, I also cannot connect to my workplace WPA2-Enterprise following the November Windows 10 update. I can't find the KB for the update, but it was rolled out about a week ago and was a very large Windows 10 update which can be seen as a service pack of sorts. Any advice?
