From: Vittorio Gambaletta <noc.geantml AT toniolowifi.net>
To: <cat-users AT lists.geant.org>
Subject: Re: [cat-users] Windows 11 update 22H2 breaks CAT eduroam?
Date: October 10, 2022 10:09:09 +0200
Hello everybody,
From what I could observe in my deployment (I manage an eduroam service provider in Italy), after a very detailed analysis of the problems reported by users in the last few days, I can say that the main problem with the latest Windows 11 22H2 update does NOT appear to be Credential Guard, but rather the newly enabled default use of TLS v1.3 for EAP-TTLS and PEAP.
Windows Defender Credential Guard should only cause problems when using a local account, AD account or perhaps Microsoft account credentials remotely, which should never be the case with eduroam. It shouldn't affect the use of specific credentials for a specific 802.1X network, at least not for username/password authentication. Unfortunately, I haven't had a chance to test certificate-based authentication (EAP-TLS) on Windows 11 22H2, so I don't know if or how Credential Guard might affect it.
I'd like to share my analysis of the problem with TLS v1.3 and the possible solutions I found.
The use of TLS v1.3 in EAP-TTLS and PEAP requires some specific implementation changes, both in the supplicant and in the identity provider's RADIUS server; without these changes, if TLS v1.3 is negotiated anyway, the software will not perform the key derivation calculations correctly, so authentication will always fail.
There is not yet a finalized standard (RFC) for this; it is currently an Internet-Draft, and only very recent versions of some RADIUS servers and supplicants implement it correctly. For example, only the latest FreeRADIUS v3.0.26 (released a few weeks ago) and v3.2.0+ correctly support TLS v1.3... See the latest specification draft at the time of writing, https://datatracker.ietf.org/doc/html/draft-ietf-emu-tls-eap-types-09#section-5, for more details.
Basically, the problem occurs when an updated supplicant tries to use TLS v1.3 for EAP and the RADIUS server enables it by default (e.g. after an upgrade to OpenSSL v1.1.1+) but does not implement it correctly.
As Windows 11 22H2 now has TLS v1.3 enabled by default for EAP-TTLS and PEAP, the issue surfaced and spread quickly once the Windows update was rolled out to users.
Of course, modern Windows doesn't help, as usual, because it doesn't show the user any useful error message. It just asks to enter credentials repeatedly; sometimes it stops connecting with just a cryptic message like "Unable to connect to this network", without saying anything useful about what's really going on under the hood. The Windows event log doesn't help either.
By the way, I've also encountered a similar issue on some versions of Linux over the past few months where OpenSSL had been updated but wpa_supplicant hadn't. TLS v1.3 was again automatically (and incorrectly) enabled for EAP, so it regularly failed when a RADIUS server was also willing to negotiate TLS v1.3 (this was also totally wrong back then, due to the same problematic pattern in OpenSSL and the correct implementation missing from both supplicant and RADIUS server)...
Therefore, the problem can be solved or worked around in three main ways:
- updating the RADIUS server used by the identity provider (not the service provider's, which just opaquely forwards the EAP request to the FLR servers!);
- disabling the use of TLS v1.3 on older RADIUS servers (again, the IdP's) that do not implement it correctly (if possible, as some older versions of RADIUS servers may use the TLS library defaults without letting the administrator choose which TLS versions to enable; also for OpenSSL, the program needs to know and process a new C "#define" to disable TLS v1.3... Not sure if somehow this could be circumvented by leaving only TLS v1.2 cipher suites enabled);
- disabling the use of TLS v1.3 on the supplicant.
Until each affected IdP applies the necessary updates or workarounds, the workaround can be applied on the supplicant side in Windows 11 simply by adding this registry value:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13]
"TLSVersion"=dword:00000fc0
This is a bitmask that tells the rastls.dll library to enable only TLS v1.0, v1.1 and v1.2 and disable all other versions (i.e. including TLS v1.3).
(This is set under key "13", which is actually EAP-TLS, but it also applies to EAP-TTLS and PEAP, where the workaround is needed.)
Once you set the new value it shouldn't require a reboot; at least here the connection worked immediately again after forgetting the network, adding the registry value, trying to connect again and re-entering the user credentials provided by an affected IdP.
Unfortunately, on Windows this setting is global to the entire computer, so admin rights are needed to apply it... I'm not sure if there's a way to apply it to just a specific connection profile, which might be a "good" and effective solution also for geteduroam or eduroam CAT.
I honestly don't understand why Microsoft released an update that implements a "groundbreaking" Internet-Draft like this without even implementing a mechanism to automatically fall back to older, working TLS versions when the new version fails with older servers. They are really failing completely in production today...
Hope all this can be useful for you too!
Best regards,
Vittorio Gambaletta
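As an added example (it is not part of any message in this thread), the following PowerShell script ties together the client-side checks discussed above: the Credential Guard query that Paul posts further down, and reading, decoding and optionally setting the TLSVersion bitmask under the RasMan EAP key from Vittorio's workaround. The registry path and the 0xFC0 value come from the thread; the per-version bit assignments (0xC0, 0x300, 0xC00, 0x3000) are taken from Microsoft's documentation of the EAP TLSVersion value and should be treated as an assumption to verify against current documentation, as should the choice of New-ItemProperty to apply the value machine-wide.

```powershell
# Added example, not from the thread: inspect and (optionally) apply the Windows 11
# supplicant-side workaround of disabling TLS 1.3 for EAP-TLS/EAP-TTLS/PEAP.
# Run from an elevated shell: the value is machine-wide, as the thread notes.

# Registry key named in the thread (EAP type 13; also governs EAP-TTLS and PEAP).
$EapTlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'

# ASSUMPTION: per-version bits as documented by Microsoft for TLSVersion.
# 0xC0 | 0x300 | 0xC00 = 0xFC0, the "TLS 1.0/1.1/1.2 only" value from the thread.
$TlsBits = [ordered]@{
    'TLS 1.0' = 0xC0
    'TLS 1.1' = 0x300
    'TLS 1.2' = 0xC00
    'TLS 1.3' = 0x3000
}

function Test-CredentialGuardRunning {
    # Same query Paul suggested; SecurityServicesRunning contains 1 when Credential Guard
    # is running and is empty/0 when no virtualization-based security service runs.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace Root\Microsoft\Windows\DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 1)
}

function Get-EapTlsVersionMask {
    # Returns the current TLSVersion DWORD, or $null when the value is not set
    # (rastls.dll then uses its built-in default, which in 22H2 includes TLS 1.3).
    $item = Get-ItemProperty -Path $EapTlsKey -Name TLSVersion -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.TLSVersion
}

function ConvertFrom-EapTlsVersionMask {
    # Decodes a TLSVersion bitmask into one row per TLS version.
    param([Parameter(Mandatory)][int]$Mask)
    foreach ($name in $TlsBits.Keys) {
        $bits = $TlsBits[$name]
        [pscustomobject]@{
            Version = $name
            Enabled = (($Mask -band $bits) -eq $bits)
        }
    }
}

function Set-EapTlsVersionMask {
    # Writes the mask; the default is the thread's workaround (TLS 1.0/1.1/1.2 only).
    param([int]$Mask = 0xFC0)
    if (-not (Test-Path $EapTlsKey)) { New-Item -Path $EapTlsKey -Force | Out-Null }
    New-ItemProperty -Path $EapTlsKey -Name TLSVersion -PropertyType DWord -Value $Mask -Force | Out-Null
}

# Usage: report the two things the thread asks people to check.
"Credential Guard running: $(Test-CredentialGuardRunning)"
$current = Get-EapTlsVersionMask
"Current TLSVersion: " + $(if ($null -eq $current) { '<not set>' } else { '0x{0:X}' -f $current })
"Decoded 0xFC0 (the workaround value):"
ConvertFrom-EapTlsVersionMask -Mask 0xFC0 | Format-Table -AutoSize
# Set-EapTlsVersionMask -Mask 0xFC0   # uncomment to apply the workaround, then forget and rejoin the network
```

The decode step is what makes the value auditable: a mask with the 0x3000 bits set means the client will still offer TLS 1.3 to an IdP that may not handle it, while 0xFC0 shows TLS 1.3 disabled and 1.0 through 1.2 enabled. Removing the value (or restoring the default) once the IdP has been updated is the cleaner long-term state, since the setting is global rather than per profile.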
On 10/10/2022 08:33:50 CEST Stefan Winter wrote:
Hello everybody,
I performed connectivity tests from cat-test.eduroam.org to the univ-paris1.fr realm and I see that the negotiated TLS version is 1.2.
Thanks for running such extensive diagnostics so far; you have certainly ruled out Credential Guard, TLS 1.3 on the server side, and TLS 1.2 on the client side as the problem.
What remains is to find out which TLS server side, in combination with the TLS 1.3 client side, is causing the issues in Windows 11 22H2. I think what we can say with some certainty is that the newer FreeRADIUS servers (3.0.26 and 3.2.0+) handle TLS 1.3 correctly. I also remember seeing TLS 1.3 server-side issues in earlier versions of FreeRADIUS, but I can't say exactly which versions and which settings are affected.
So, as more and more people are faced with this particular issue, it would be great if you could share which RADIUS server product and version you are running on your servers. Ideally, not just when you're having issues with Win 22H2 and TLS 1.3, but also when things work fine on that OS: being able to rule out products, versions, and settings also helps.
After all, this doesn't seem like a CAT- or geteduroam-specific problem.
Greetings,
Stefan Winter
Tomasz
On 7/10/2022 12:44 PM, Paul Dekkers wrote (via the cat-users mailing list):
Hello,
Glad you tried that; while this means that Credential Guard does not affect you (this may still be the case for others), since the Windows update your client is now trying to negotiate TLS 1.3, and your university's RADIUS servers are not handling this correctly, and therefore there is no fallback to TLS 1.2.
If you have IT contacts at your university, I think it makes sense to let them know - now you can say exactly what it is.
Now hopefully we can find someone else where Credential Guard is really the issue so we can get more clarity on this.
Regards,
Paul
On 7/10/2022 12:39 PM, Timothée Peraldi wrote:
Hi!
I did the tests you asked me to do:
- This command line in PowerShell gives me 0 as a response, so it looks like I'm not in Credential Guard.
- I reinstalled eduroam (with the CAT installer) with the login you sent me and it works! I think the problem is in my university's setup.
Should I forward this conversation to my university's IT department so they can fix the issue? I saw on Twitter that other people had the same problem after updating Windows at other French universities.
Thank you for your help,
Timothée
Paul Dekkers <paul.dekkers AT surf.nl> wrote:
Hello,
Thanks for taking these screenshots and testing. Let's get to the bottom of this;
There are differences between Windows 11 Professional and Enterprise; and I think only Enterprise has Credential Guard enabled by default. You can see this under "System Information" (or msinfo32.exe) at the bottom of the list under "Configured Virtualization-Based Security Services" and "Running Virtualization-Based Security Services". It should show "Credential Guard" if enabled.
You can also run this in PowerShell:
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace Root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
and if the result is 0, it is not in Credential Guard.
So what could be at play is that you are seeing the TLS 1.3 issue, as Microsoft changed 2 things at the same time for eduroam... I have sent you a separate email with a username/password and hope you will be so kind as to try this account on this particular client. I'm sure this account works with TLS 1.3.
The TLS 1.3 issue means that some identity providers do not support clients attempting TLS 1.3 authentication: authentication fails, and no attempt is made to fall back to TLS 1.2. This can be fixed by updating the IdP. When properly configured, clients fall back to TLS 1.2.
Regards,
Paul
On 6/10/2022 6:10 PM, Timothée Peraldi wrote:
Hello Tony and Paul,
Here are some screenshots of the issue:
System setup:
Note that I have the Professional edition of Windows 11 and not the Enterprise edition (but I think they have the same security policies).
When I try to connect to eduroam, it asks for my username and password ("some action required") and says "unable to connect to this network":
If I try again, I'm asked for the password again, and so on.
I've also tried the geteduroam app, but it says "unable to connect to eduroam" and returns the same "unable to connect to this network" error:
For reference, here is a screenshot of eduroam working normally on Android 12, with the same login and in the exact same location:
Please let me know if you need more information.
Have a nice day,
Timothée
Paul Dekkers <paul.dekkers AT surf.nl> wrote:
Hello,
If anyone has more experience with Credential Guard and/or this Windows Update, I'd love to hear about it. If that's true, we might have to write a recommendation, but that will affect a lot of people.
So far it looks like this will affect Windows Enterprise edition users (perhaps Timothée can confirm?), and it would be a rolling update: some are already getting it, some might not.
Some cumulative updates are rumored to fix some of the "saving credentials" issues for users, but I'm not sure this will resolve PEAP-MSCHAPv2 authentication for users who entered credentials manually and not via "AD-obtained user credentials".
If this really affects all PEAP-MSCHAPv2 authentication on Windows and most of our users have Enterprise editions for Windows, then we need to investigate which options still work.
Timothée, could you actually verify that geteduroam works for Windows? We have some reports of a strange bug; maybe this really is related. You can download it from https://www.geteduroam.app/
Regards,
Paul
On 5/10/2022 at 6:20 PM, Tony Skalski wrote (via the cat-users mailing list):
According to reports, CredentialGuard is enabled by default in the latest W11 update (I haven't confirmed this myself). This blocks the use of NTLM hashes and prevents EAP-PEAP from working.
On Wednesday, October 5, 2022 at 10:29 AM, Timothée Peraldi <cat-users AT lists.geant.org> wrote:
Hello,
I updated my computer to the Windows 11 22H2 update, which was released yesterday by Microsoft.
Since then I can no longer connect my computer to eduroam. My other devices (Android 12, ChromeOS) still work fine, and other WiFi networks still work on this computer.
I've tried uninstalling and reinstalling CAT, but it still won't connect.
I just checked Reddit and saw some other similar threads, all published in the last few days.
Is this a common problem?
Have a nice day,
Timothée
--
Tony Skalski (he/him/his)
System Administrator | IT
Office:507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
--
Tomasz Wolniewicz twoln AT umk.pl http://www.home.umk.pl/~twoln
Uniwersyteckie Centrum Informatyczne / Center for Information and Communication Technology
Nicolaus Copernicus University, pl. Rapacki 1, Torun, Poland
Tel: +48-56-611-2750; Mobile: +48-693-032-576
--
This email may contain information for limited distribution, please treat accordingly.
Fondation Restena, Stefan WINTER, Chief Technology Officer
2, avenue de l'Université, L-4365 Esch-sur-Alzette
Archive generated by MHonArc 2.6.19.