Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows RT for the Microsoft Extensible Authentication Protocol (EAP) implementation that enables the use of Transport Layer Security (TLS) 1.1 or 1.2 through the modification of the system registry. To enable TLS after you install this security update, you must add a DWORD value that is named TlsVersion to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
The value of this registry key can be 0xC0, 0x300, 0xC00, or any OR'ed combination of these values if you want to support multiple TLS versions. The configuration can be done on both the EAP client and the EAP server.
Note: If the EAP client and the EAP server are misconfigured so that there is no common configured TLS version, authentication will fail, and the user may lose the network connection. Therefore, we recommend that only IT Administrators apply these settings and that the settings are tested before deployment.
A user can manually configure the TLS version number if the server supports the corresponding TLS version.
To add these registry values, follow these steps:
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following subkey in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type TlsVersion for the name of the DWORD, and then press Enter.
5. Right-click TlsVersion, and then click Modify.
6. In the Value data box, use the following values for the various versions of TLS, and then click OK.
   - TLS 1.0: 0xC0
   - TLS 1.1: 0x300
   - TLS 1.2: 0xC00

   Any OR'ed combination of these values will enable the corresponding protocols.
   By default, TLS 1.0 is enabled. If any invalid value is configured, TLS 1.0 will be used.
7. Exit Registry Editor, and then either restart the computer or restart the EapHost service.
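
The same steps can be scripted. The following PowerShell is an added example, not part of the Microsoft advisory: it decodes the current TlsVersion value, then builds the OR'ed DWORD for a chosen set of versions and writes it. The function names Get-EapTlsVersion and Set-EapTlsVersion are hypothetical; the key path, value name, flag values and EapHost service name are the ones given above.

```powershell
# Added example. Key path, value name, flag values and service name come from the
# advisory; function names are hypothetical. Run from an elevated PowerShell session.
$EapTlsKey = 'HKLM:\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13'
$TlsNames  = 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$TlsFlags  = @{ 'TLS 1.0' = 0xC0; 'TLS 1.1' = 0x300; 'TLS 1.2' = 0xC00 }

function Get-EapTlsVersion {
    # Report which TLS versions the current TlsVersion value enables.
    $prop = Get-ItemProperty -Path $EapTlsKey -Name 'TlsVersion' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return @('TLS 1.0') }   # value absent: TLS 1.0 is the default
    $value   = [long]$prop.TlsVersion
    $enabled = @($TlsNames | Where-Object { ($value -band $TlsFlags[$_]) -eq $TlsFlags[$_] })
    $rebuilt = 0
    foreach ($name in $enabled) { $rebuilt = $rebuilt -bor $TlsFlags[$name] }
    # Assumption: anything other than an OR of the three documented flags is invalid.
    if ($enabled.Count -eq 0 -or $rebuilt -ne $value) {
        Write-Warning ('TlsVersion 0x{0:X} is not a valid combination; TLS 1.0 will be used.' -f $value)
        return @('TLS 1.0')
    }
    return $enabled
}

function Set-EapTlsVersion {
    # OR the flags for the requested versions, write the DWORD, restart EapHost.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string[]]$Version
    )
    $value = 0
    foreach ($v in $Version) { $value = $value -bor $TlsFlags[$v] }
    $text = '0x{0:X}' -f $value
    if ($PSCmdlet.ShouldProcess($EapTlsKey, "Set TlsVersion to $text and restart EapHost")) {
        New-ItemProperty -Path $EapTlsKey -Name 'TlsVersion' -PropertyType DWord -Value $value -Force | Out-Null
        Restart-Service -Name 'EapHost' -Force
    }
    return $value
}

Get-EapTlsVersion                                          # versions enabled right now
Set-EapTlsVersion -Version 'TLS 1.1', 'TLS 1.2' -WhatIf    # preview only; nothing is written
```

Run Get-EapTlsVersion on both the EAP client and the EAP server and confirm the two lists share at least one version before removing -WhatIf.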