Hi, list!

Here, at the University of Minho, we are struggling with an issue related to 
re-authentication on the eduroam Wi-Fi network, a situation that only occurs on 
MacBooks running the most recent OS X versions. Every time the session expires, 
users are prompted to insert (again) the credentials, which, actually, is not 
necessary since if you click 'Cancel' or press the 'Esc' key, re-authentication 
occurs successfully. Our infrastructure is configured with a session timeout of 
1800 seconds so, as you may already guess, every 30 minutes the affected users face 
this 'problem'. It also happens when devices roam to another Access Point - 
when roaming, you don't have to wait 30 minutes, you experience the problem 
as soon as the device associates to another AP.

I've checked the RADIUS logs and realized that the first time re-authentication 
occurs, the inner authentication method is no longer the one used the first 
time the device connected (MSCHAPv2), using GTC instead. I managed to configure 
Radiator to support GTC, which, at first, seemed to have solved the problem, 
until I realized that the second time re-authentication occurs, the inner 
method has changed to MD5-Challenge - it looks like the MacBook is trying all 
authentication methods it supports in a round-robin way.

This behavior is very odd and I suppose (nearly 100% sure) that the problem is 
on the MacBook side, but maybe some of you have already dealt with it and have some 
kind of tip that can help us.

I may say that if we use a configuration profile (created with Apple 
Configurator 2), defined with a supported authentication method (PEAP, 
TTLS/PAP, TTLS/MSCHAPv2 and, most recently, TTLS/GTC), re-authentication and 
roaming are transparent, the device does not prompt you to insert the 
credentials, and everything works just fine. If the profile is defined with the 
option 'OS Default', then the problem persists.

We would prefer not to use the configuration profiles due to the burden it 
carries itself - we want our infrastructure to allow users to connect just by 
inserting their credentials, which we achieved a long time ago and want to keep 
going this way.

I've been googling around and found nothing that could help me. I'll post this 
message on Apple mailing lists also (which appears to be the most wise thing to 

Best regards,

Amândio Antunes Gomes da Silva
Serviços de Comunicações da Universidade do Minho
Campus de Gualtar, 4710-057 Braga - Portugal
Tel.: + 351 253 60 40 20, Fax: +351 253 60 40 21
email: aman...@scom.uminho.pt
This email is confidential. If you are not the intended recipient,
you must not disclose or use the information contained in it.
If you have received this mail in error, please tell us immediately
by return email and delete the document.
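
One way to confirm from the server side the inner-method change the message describes, as an added example that is not part of the original message and is not Radiator code: the script below walks authentication records per client and reports every change of inner EAP method, together with the time since the previous authentication. The log format, the sample lines, the function name and the timeout-versus-roam classification are assumptions made for illustration; the EAP type numbers are the IANA-assigned ones.

```python
import re
from datetime import datetime

# IANA EAP method type numbers for the inner methods named in the post.
EAP_TYPES = {4: "MD5-Challenge", 6: "GTC", 26: "MSCHAPv2"}
SESSION_TIMEOUT = 1800  # seconds, the value stated in the post

# Constructed log format (not Radiator's): timestamp, client MAC, inner EAP type.
LINE_RE = re.compile(r"^(\S+) mac=(\S+) inner=(\d+)$")

# Constructed sample records for two clients.
SAMPLE_LOG = """\
2016-03-01T10:00:00 mac=AA-BB-CC-00-00-01 inner=26
2016-03-01T10:00:05 mac=AA-BB-CC-00-00-02 inner=26
2016-03-01T10:30:00 mac=AA-BB-CC-00-00-01 inner=6
2016-03-01T10:30:05 mac=AA-BB-CC-00-00-02 inner=26
2016-03-01T10:41:10 mac=AA-BB-CC-00-00-01 inner=4
"""

def inner_method_changes(log_text):
    """Return {mac: [(old, new, gap_seconds, trigger), ...]} for clients
    whose inner EAP method differs between consecutive authentications."""
    last = {}      # mac -> (timestamp, method name) of the previous authentication
    changes = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the constructed format
        ts = datetime.fromisoformat(m.group(1))
        mac = m.group(2).upper()
        method = EAP_TYPES.get(int(m.group(3)), "type-" + m.group(3))
        if mac in last and last[mac][1] != method:
            gap = int((ts - last[mac][0]).total_seconds())
            # Assumption: a gap shorter than the timeout means a roam to another AP.
            trigger = "session-timeout" if gap >= SESSION_TIMEOUT else "roam"
            changes.setdefault(mac, []).append((last[mac][1], method, gap, trigger))
        last[mac] = (ts, method)
    return changes

if __name__ == "__main__":
    for mac, events in inner_method_changes(SAMPLE_LOG).items():
        for old, new, gap, trigger in events:
            print(f"{mac}: {old} -> {new} after {gap}s ({trigger})")
```

Clients that keep one inner method across re-authentications, such as a device with a pinned configuration profile, do not appear in the result.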