Our network team recently disabled protocol TLS 1.0 on our secure Wi-Fi network in favor of TLS 1.2 for PCI compliance. Subsequently, our Zebra TC70 NScan scanners were unable to connect to the Wi-Fi network. We upgraded the Android OS on the scanners to lollipop 5.1.1 and installed NScan 6.0.9 but they are still unable to connect. Zebra Support had me enable logging on one of the devices and send them the logs. They responded and included a snapshot of a log screen:
“Authentication server is denying connection to TC70. When TC70 sends client hello packet during EAP exchange, the server sends EAP failure instead of Server hello packet. This could be because the server does not support some of the contents of the Client Hello packet. I suspect some of the cipher suites listed in client hello might not have been enabled on the authentication server. So, it is sending EAP failure. Below is the list of cipher suites listed in client hello. Please ask the customer to verify whether all these cipher suites are enabled on the server.”
However, our network administrator pointed out that the log snapshot also showed that the TC70 was still using TLS 1.0 to try to connect. So, of course, it will not connect with TLS 1.0 disabled on our network. Re-enabling TLS 1.0 on our network resolves the problem and the scanners do connect. But then we’re not PCI compliant. I pointed this out to Zebra Support but after a week I cannot get a response from them. The TC70 scanners are our only devices having this issue. Devices including other types of Android tablets, iPhones, and laptops can connect with TLS 1.0 disabled. Is there a way we can force the TC70 to use TLS 1.2 instead of TLS 1.0?