Reset Search
 

 

Article

KB40089 - EAP-PEAP and EAP-TLS Wi-Fi authentication from Android 6.0 and Windows 10 TH2 native clients will fail against Pulse Policy Secure RADIUS

« Go Back

Information

 
Last Modified Date8/31/2016 6:30 PM
Synopsis
This article provides more information on failed authentications between native 802.1X supplicants on Android 6.0 and Windows 10 TH2 and Pulse Policy Secure RADIUS.

 
Problem or Goal
At the end of a successful EAP-PEAP or EAP-TLS authentication, native 802.1x supplicants on both Android 6.0 and Windows 10 TH2, require MPPE keying material to be generated using the TLS 1.2 cryptography standard.  Due to limitations with Pulse Policy Secure RADIUS method of generating MPPE keys, this effectively prohibits successful negotiation of dynamic session encryption keys between the wireless access point and the wireless supplicant, resulting in lack of connectivity.

MPPE (Microsoft Point-to-Point Encryption) keys are generated by a RADIUS server after a successful RADIUS authentication and are used by the wireless access point to create dynamic session encryption keys to protect data over Wi-Fi.

This has also caused compatibility problems with other RADIUS servers including FreeRADIUS: https://code.google.com/p/android/issues/detail?id=188867

 
Cause
Pulse Policy Secure RADIUS does not currently support the TLS 1.2 cryptography standard for generating MPPE keys.

This is due to the fact that, during the authentication process, under TLS 1.2, the hashing algorithm for generating the MPPE keys is dynamically negotiated as part of the cipher suite.  Whereas with TLS 1.0 and TLS 1.1, the hashing algorithm used to generate the MPPE keys is hardcoded as legacy MD5|SHA1.

Thus the keying material used in the WPA 4-way handshake between the supplicant and the access point will always fail, due to the mismatch in the generated keying material.

 
Solution
Pulse Secure has developed a permanent fix for this issue and it is included in Pulse Policy Secure 5.3R1.1 and Pulse Policy Secure 5.2R6.  


 
Related Links
Attachment 1 
Created ByMike Condon

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255