New Member

Windows 10 November update version 1511 WPA2 Enterprise issues

I run a large WPA2 Enterprise secured wifi environment with a radius authentication back-end. After yesterday's Windows 10 November update, we're seeing increased reports of inability to connect to these SSIDs.

Is anyone else seeing this type of user report?

10 REPLIES

I’m not familiar with problems due to Windows update for Windows 10, but I do have a few questions:

  • Which specific Windows update (KB) are you referring to?
  • Which kind of EAP implementation do you use?
  • What is your WLC software version?
  • What does a “client debug MAC” show on the WLC CLI?
  • Which messages are being shown in the radius logs?

Please rate useful posts... :-)

New Member

My company also uses Enterprise WPA2 with PEAP and a user/password login for a personal employee network, and my client PC can no longer connect after Windows 10 Update 1511. The PC has an AC wifi card in it. I can see the network and I am prompted to enter my user name and password like my PC has not connected to it before, but when attempting to connect it fails with a message saying that the PC cannot connect to the network.

When I reverted my Windows 10 build back to the previous RTM build, I was able to connect to the network fine like I could prior to the update. The update was rolled out on Friday, November 13, 2015 to all Windows 10 users.

New Member

We're working to get the exact build of OS to test in-house, so I don't have an answer to a couple of the questions yet. Right now, it only seems to be Windows 10, Version 1511, build 10586 that is an update just released for the Home edition for now. I believe the same update is being released for Pro and Enterprise at a later date.

We're using EAP-TLS authentication with WLC 8.0.120.0.

New Member

This may be true for Windows Enterprise, but the update has also been released to Windows 10 Pro, which is what I'm on. I can't confirm if there is a different build/version number I'm afraid, but it's the same update released to Home users on the same day.

New Member

Thanks for confirming Pro is also affected right now. 

New Member

I'm on Windows 10 pro as well. The build number is the same.

New Member

I'm on Windows 10 pro as well. Just added the cumulative update version 1511 today and it still doesn't work.

New Member

We reached a breakthrough with our Radius authentication vendor. 

Here is a description of the problem from the vendor:

At the end of a successful EAP-PEAP or EAP-TLS authentication, native 802.1x supplicants on both Android 6.0 and Windows 10 TH2, require MPPE keying material to be generated using the TLS 1.2 cryptography standard.  Due to limitations with Pulse Policy Secure RADIUS method of generating MPPE keys, this effectively prohibits successful negotiation of dynamic session encryption keys between the wireless access point and the wireless supplicant, resulting in lack of connectivity.

MPPE (Microsoft Point-to-Point Encryption) keys are generated by a RADIUS server after a successful RADIUS authentication and are used by the wireless access point to create dynamic session encryption keys to protect data over Wi-Fi.

This has also caused compatibility problems with other RADIUS servers including FreeRADIUS: https://code.google.com/p/android/issues/detail?id=188867

 
Cause
Pulse Policy Secure RADIUS does not currently support the TLS 1.2 cryptography standard for generating MPPE keys.

This is due to the fact that, during the authentication process, under TLS 1.2, the hashing algorithm for generating the MPPE keys is dynamically negotiated as part of the cipher suite.  Whereas with TLS 1.0 and TLS 1.1, the hashing algorithm used to generate the MPPE keys is hardcoded as legacy MD5|SHA1.

Thus the keying material used in the WPA 4-way handshake between the supplicant and the access point will always fail, due to the mismatch in the generated keying material.
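
Added example, not part of the vendor text or any post in this thread: a Python sketch of the mismatch described above, deriving the 64-byte MSK (split into the two MPPE keys) with the RFC 5216 export label under the TLS 1.0/1.1 PRF and under the TLS 1.2 PRF. The master secret and randoms are constructed sample values, and the same master secret is assumed on both sides to isolate the key-export step.

```python
import hashlib
import hmac

LABEL = b"client EAP encryption"  # RFC 5216 key-export label


def p_hash(name, secret, seed, length):
    """P_hash expansion from RFC 2246 / RFC 5246, section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, name).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, name).digest()
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: fixed P_MD5 XOR P_SHA1 over the two secret halves."""
    half = (len(secret) + 1) // 2
    md5 = p_hash("md5", secret[:half], label + seed, length)
    sha1 = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))


def prf_tls12(secret, label, seed, length, suite_hash="sha256"):
    """TLS 1.2 PRF: a single P_hash using the cipher suite's hash."""
    return p_hash(suite_hash, secret, label + seed, length)


def mppe_keys(prf, master_secret, client_random, server_random):
    """MSK = first 64 bytes of exported key material, split into two 32-byte keys."""
    msk = prf(master_secret, LABEL, client_random + server_random, 64)
    return {"recv": msk[:32], "send": msk[32:64]}


def keys_match(a, b):
    return (hmac.compare_digest(a["recv"], b["recv"])
            and hmac.compare_digest(a["send"], b["send"]))


# Constructed sample values, not taken from a real handshake.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

supplicant = mppe_keys(prf_tls12, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
legacy_server = mppe_keys(prf_tls10, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
fixed_server = mppe_keys(prf_tls12, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)

if __name__ == "__main__":
    print("legacy-PRF server agrees with supplicant:", keys_match(supplicant, legacy_server))
    print("TLS 1.2-PRF server agrees with supplicant:", keys_match(supplicant, fixed_server))
```

The TLS handshake itself completes in both cases; only the exported keys differ, so the failure shows up later, at the WPA 4-way handshake.
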
New Member

Temporary workaround that I can confirm does work. The only problem is that it disables TLS 1.2 from negotiating at all.

http://answers.microsoft.com/en-us/windows/forum/windows_10-networking/after-update-to-1511-i-cant-connect-via-wlan-to-my/696f12ed-6e08-4e14-ae30-c7a878ebbd17?auth=1

New Member

Coming from a client point of view and not an administrator, I also cannot connect to my workplace WPA2-Enterprise following the November Windows 10 update. I can't find the KB for the update, but it was rolled out about a week ago and was a very large Windows 10 update which can be seen as a service pack of sorts. Any advice?
