6 Posts
0
750
802.1X authentication failed after ugrade to ThinOS 2303 or 2306
Hi,
Since upgrading to ThinOS 2303 (9.4.1141), users can’t connect to our Wifi network with 802.1x authentication.
The events log says :
WLAN : EAP PEAP selected
WLAN : Disconnected with bssid=xx:xx:xx:xx:xx:xx reason=7
WLAN : Trying to authenticate with xx:xx:xx:xx:xx:xx (SSID=”my_domain” freq=5180 MHz)
WLAN : Trying to authenticate with xx:xx:xx:xx:xx:xx (SSID=”my_domain” freq=2437 MHz)
WLAN : Trying to authenticate with xx:xx:xx:xx:xx:xx (SSID=”my_domain” freq=2412 MHz)
EAP : authentication failed
WLAN : Disconnected with bssid=xx:xx:xx:xx:xx:xx reason=1
(more often the reason is 7)
It keeps trying to connect, but fails, and at the end the user is prompted for a user/password/domain
That conf works perfectly with all my mobile Thin Client (Wyse 5470 and Latitude 3420) but stop working when they are upgraded to ThinOS 2303. I downgraded a 5470 to ThinOS 2211, and it’s working again !
Issue still there with ThinOS 2306, so my mobile devices will have to stay with ThinOS 2211…
Anyone with the same issue ? Any idea why this ?
I can't open a ticket at DELL as I don't have a PRO licence, just standard (on premise)
Thank you
zzomp
1 Rookie
1 Rookie
•
36 Posts
0
July 25th, 2023 00:00
Yes, TLS 1.2 needs to be enabled on Server 2012 via registry keys. Please note that Server 2012 R2 will be EOL from next October. I suggest you upgrade to a later version. You can do it via in-place upgrade and keep your configuration but of course make a backup first.
zzomp
1 Rookie
1 Rookie
•
36 Posts
0
July 18th, 2023 00:00
Hi.
We use 802.1x as well but we do not have any problems with 2303 or 2306. Can you post your WMS Wireless configuration (without credentials of course)?
Here our configuration.
Vinz62
6 Posts
0
July 18th, 2023 02:00
Hi. Thank you for your answer.
Here is my WMS Wireless configuration (in French, I hope you can understand) :
And sorry but I can't see your configuration, picture is blank
zzomp
1 Rookie
1 Rookie
•
36 Posts
0
July 18th, 2023 05:00
The only difference is that I have "Masquer le domaine" disabled and you enabled. Maybe try disabling that.
Otherwise your configuration is the same as ours and it should work with 2303+. If still doesn't work even with the hide domain option disabled then check whether your network environments
require TLS 1.0 or 1.1 as support for these have been removed in 2303.
Vinz62
6 Posts
0
July 24th, 2023 06:00
Hi.
It still doesn't work with the "hide domain" disabled.
The idea regarding TLS is a very good one, as I didn't notice TLS 1.0 and 1.1 were removed in 2303+
But exploring my WMS configuration, I can see TLS 1.2 is already required for every device :
zzomp
1 Rookie
1 Rookie
•
36 Posts
0
July 24th, 2023 07:00
Hi.
This is not something you need to check on WMS or the Wyse Clients but on your wireless network or authentication servers. What do you use for 802.1x authnetication? We use WIndows Server 2016 NPS and TLS 1.2 is enabled by default.
Vinz62
6 Posts
0
July 24th, 2023 08:00
We use Windows Server 2012R2 NPS. I read somewhere that TLS 1.2 may not be enabled in 2012R2 so I just add registry keys to enable it. It still doesn't work but I think it needs a reboot. I will reboot the NPS server tonight, so I will test after that.
Vinz62
6 Posts
0
July 25th, 2023 08:00
OK it seems to work !!!
Previously I added these registry keys to the NPS Server :
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
I found out that I must add this registry key :
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13]
"TlsVersion"=dword:00000c00
So after adding it, and restarting the EAP service on the NPS Server, the Wifi 802.1x authentication passed !!
I will do some more tests tomorrow (are all these registry keys necessary, or just the last one ?), but I'm so happy now !
Very huge THANK YOU to you zzomp about the TLS idea !!
zzomp
1 Rookie
1 Rookie
•
36 Posts
0
July 25th, 2023 09:00
I am happy that you got it working. Only the last key is needed to enable TLS 1.2 for NPS.