Dot11 Guru


Enforcing TLS 1.2 for Microsoft NPS Server 2008 & 2012

By default, Microsoft NPS server 2008 enables only TLS 1.0.

There are a few steps that need to be taken to enable and support TLS 1.1 and 1.2.

The first step is to install the EAP update from the Microsoft security advisory linked below (KB2977292). This update is what adds support for selecting the TLS version used by the EAP implementation; without it, the registry value described further down has no effect.

https://support.microsoft.com/en-us/help/2977292/microsoft-security-advisory-update-for-microsoft-eap-implementation-th

The next step depends on your RADIUS configuration. The setting lives under the key for each EAP method type. If you use EAP-TLS (EAP method 13), modify this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13

For PEAP (EAP method 25, which covers PEAP-MSCHAPv2 as well as PEAP-TLS), modify this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\25

Under the relevant key, create (or modify) a DWORD value named TlsVersion and set it to 0xFC0. The value is a bitmask: 0xC0 enables TLS 1.0, 0x300 enables TLS 1.1 and 0xC00 enables TLS 1.2, so 0xFC0 enables all three and lets the client and server negotiate the highest version both support. If you want to require TLS 1.2 only, set 0xC00 instead, but test your supplicants first: clients whose EAP implementation cannot negotiate TLS 1.2 will fail authentication. TLS 1.2 must also remain enabled in Schannel (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols); this EAP value only chooses among the protocol versions Schannel itself allows.

After a reboot, a packet capture of the EAP exchange shows TLS 1.2 being negotiated: the client offers TLS 1.2 in its Client Hello and the server selects TLS 1.2 in its Server Hello.
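The following PowerShell script is an added example and not part of the original post. It applies the procedure above: it checks that KB2977292 is present, reports which TLS versions each EAP method key currently allows, and writes the TlsVersion bitmask for both EAP-TLS (13) and PEAP (25). The function names Get-EapTlsVersion and Set-EapTlsVersion are my own; the bit values and key paths are the ones documented in KB2977292. Run it elevated on the NPS host.

```powershell
# Added example, not from the original post or from Microsoft.
# Assumes KB2977292 is installed and the script runs elevated on the NPS server.
#Requires -RunAsAdministrator

# Bit values for the TlsVersion DWORD as documented in KB2977292
$TlsBits = [ordered]@{
    'TLS 1.0' = 0x0C0
    'TLS 1.1' = 0x300
    'TLS 1.2' = 0xC00
}

# EAP method IDs under RasMan\PPP\EAP: 13 = EAP-TLS, 25 = PEAP
$EapKeys = [ordered]@{
    'EAP-TLS' = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
    'PEAP'    = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\25'
}

# Decode the current TlsVersion value of each EAP method key into protocol names
function Get-EapTlsVersion {
    foreach ($name in $EapKeys.Keys) {
        $path  = $EapKeys[$name]
        $value = (Get-ItemProperty -Path $path -Name TlsVersion -ErrorAction SilentlyContinue).TlsVersion
        if ($null -eq $value) {
            # No value: the EAP host uses its default, TLS 1.0 only on Server 2008 / 2008 R2
            $hex     = $null
            $enabled = 'not set (default: TLS 1.0 only)'
        } else {
            $hex     = '0x{0:X}' -f $value
            $enabled = ($TlsBits.GetEnumerator() |
                Where-Object { ($value -band $_.Value) -eq $_.Value } |
                ForEach-Object { $_.Key }) -join ', '
        }
        [pscustomobject]@{ Method = $name; Key = $path; TlsVersion = $hex; Enabled = $enabled }
    }
}

# Build the bitmask from the requested protocols and write it to both EAP method keys
function Set-EapTlsVersion {
    param(
        [ValidateSet('TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string[]] $Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2')
    )
    $mask = 0
    foreach ($p in $Protocols) { $mask = $mask -bor $TlsBits[$p] }
    foreach ($name in $EapKeys.Keys) {
        $path = $EapKeys[$name]
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name TlsVersion -PropertyType DWord -Value $mask -Force | Out-Null
        Write-Host ('{0}: TlsVersion set to 0x{1:X}' -f $name, $mask)
    }
}

# Pre-flight: the TlsVersion value only takes effect once the EAP update is installed
if (-not (Get-HotFix -Id KB2977292 -ErrorAction SilentlyContinue)) {
    Write-Warning 'KB2977292 not found on this host; install the EAP update before relying on TlsVersion.'
}

Get-EapTlsVersion | Format-Table -AutoSize
Set-EapTlsVersion                              # 0xFC0: TLS 1.0, 1.1 and 1.2, as in the post
# Set-EapTlsVersion -Protocols 'TLS 1.2'       # 0xC00: TLS 1.2 only; verify client support first
Get-EapTlsVersion | Format-Table -AutoSize
Write-Host 'Reboot the server so the EAP host picks up the new value.'
```

Run the script once before changing anything to record the existing state, since the first Get-EapTlsVersion call tells you whether the value was ever set. Moving from 0xFC0 to 0xC00 is the step that actually enforces TLS 1.2, so stage it on one NPS server and watch the authentication logs for failing supplicants before rolling it out further.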

[Capture: Client Hello, client suggests TLS 1.2]

[Capture: Server Hello, server agrees to TLS 1.2]
