On 20/10/14 14:24, Nick Lowe wrote:
Incidentally, we now have TLS 1.2 in Windows for the relevant EAP-types after the last round of Windows Updates, currently disabled by default:
https://support.microsoft.com/kb/2977292
I am not quite sure why they don't default to 0xFC0 though for TLS 1.0, 1.1 and 1.2 support.
Are there really EAP-terminating RADIUS servers out there that baulk on a TLS 1.1 or 1.2 Client Hello, not responding with TLS 1.0 where the newer protocol versions are not supported?
Almost certainly. There are some controller-based wireless systems which "helpfully" have the option of terminating the outer EAP, and only passing the inner EAP along to the RADIUS servers; I wouldn't ever do that, but I bet people who are would see all kinds of craziness. I'm sympathetic to Microsoft not wanting to open that can of worms..