RE: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

2017-11-01 Thread Jason Cook
We did see this in beta testing and for us it was caused by a SHA1 RADIUS 
certificate. We had a 10-year cert so didn’t have to update and so got caught 
out with a SHA1 cert (relevant to the other discussion). We ended up updating to SHA2 
before iOS 11 was released.

We didn’t see issues for different radius servers, so the question about 
different certs on the different servers seems to make sense.

Apple’s explanation is that they don’t trust SHA1 anymore, and while they do 
allow it for radius and some other things in IOS 11 they don’t trust it in the 
IOS 11 upgrade process. So you can forget and reconfigure after upgrade and the 
same SHA1 cert will work. It will never work without user intervention after 
upgrade.

A Cloudpath installed profile with EAP-TLS didn’t have issues but user 
configured PEAP IOS 11 devices did.

The certificate replacement was easy enough in the end. We tested the 
experience on the main devices and communicated out about the change. 
Surprisingly, very few calls for support, but we told users what to do for each 
device and have onboarding so…



--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Becker, Jason
Sent: Wednesday, 1 November 2017 2:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication


We are seeing the same issue here on our Cisco deployment. I've been telling 
users to reboot or forget it and reconnect, unfortunately. After this they've 
been good, but I see your point with several certs.





Jason


From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
Cappalli, Tim (Aruba Security)
Sent: Tuesday, October 31, 2017 9:33:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

Just curious. Why aren't you using the same EAP server certificate across all 
of your RADIUS servers?


From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
Linchuan Yang
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Tuesday, October 31, 2017 at 10:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

Dear All

Good morning. All of our iOS users started having authentication problems after 
upgrading to iOS 11. The devices keep asking for the user name and password. 
The only way we can fix it for now is to “forget” the old profile and manually 
create a new one; after trusting the certificate, the iOS 11 devices can 
connect to the wireless network. However, we have more than three RADIUS 
servers, so if the clients go to other buildings, they have to do this again. In 
some cases, the clients have to repeat the procedure every morning when they 
come back to the office.

We noticed some related discussions on the Cisco and Apple Communities, but 
there is no solution for it yet. Do you have the same problem on your 
wireless network? Could you please give us some suggestions?

Thank you, and have a nice day.

Yours,
Linchuan Yang (Antony)
MEng, ACMP
Wireless Networking Analyst
Network Assessment and Integration,
IITS-Concordia University
Tel: (514)848-2424 ext. 7664

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
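The check behind Jason Cook's finding above (a SHA1-signed RADIUS server certificate breaking the iOS 11 upgrade path), as an added example that is not from the list or any of the posters: a small Python script that reads the outer signatureAlgorithm OID of an EAP server certificate with a minimal DER parser and flags SHA-1-based algorithms, so every RADIUS server's certificate can be inventoried before a client OS upgrade rather than after users start getting credential prompts. The sample input is a constructed DER stand-in with a dummy tbsCertificate, not a real certificate; `pem_to_der` handles real PEM files from the servers.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279/4055/5758); True marks a SHA-1 based algorithm
# that iOS 11 will not trust during profile migration, per the thread.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _read_tlv(buf, pos):
    """Decode one DER TLV starting at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OBJECT IDENTIFIER content octets -> dotted string (base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    """Strip the PEM armour of a real server certificate and return DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def signature_algorithm(der):
    """Dotted OID from the outer signatureAlgorithm field of a DER Certificate."""
    _, cert, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = _read_tlv(alg_id, 0)
    return _decode_oid(oid)

def classify(der):
    """-> (algorithm name, needs_replacement) for a RADIUS/EAP server cert."""
    return SIG_OIDS.get(signature_algorithm(der), ("unknown", None))

# --- constructed sample input: a minimal DER stand-in, NOT a real certificate ---
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content      # short-form length suffices here

def constructed_cert(oid_der):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))            # dummy tbsCertificate
    alg = _tlv(0x30, oid_der + b"\x05\x00")          # AlgorithmIdentifier + NULL params
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\xAA"))   # + dummy BIT STRING signature

SHA1_RSA = bytes.fromhex("06092a864886f70d010105")    # OID 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
```

Run `classify(pem_to_der(open("server.pem").read()))` against each RADIUS server's certificate; any `True` result is a cert to replace with a SHA-2 one before the upgrade window.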

RE: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

2017-11-01 Thread Joseph Roosen
All,

We have been battling this issue with EAP-MSCHAPv2/PEAP on our BYOD network 
since September, just after the iOS 11.0.0 release. We never had issues before 
with onboarding any iOS 10.x versions. We have a few Cisco TAC cases open on 
the issue and have gone down the path of it being Cisco ISE (running 
2.1 patch 5) related or even EAP-AUTH certificate trust related with our 
external CA, Comodo. As of this morning, we tried iOS 11.1.0 and it works as 
expected to onboard devices just like in iOS 10.x with our two-SSID BYOD 
process. The supplicant is configured correctly via ISE profile install and is 
able to attach to the BYOD network after registering. The popups for incorrect 
password, prompts for a password without a place to enter the password, or the 
failure to onboard via BYOD have been resolved. The issue seems to be entirely 
in the iOS 11.0.x series of code and the fix is in as of 11.1.0+. Here are some 
links concerning this issue for your records and history:

https://communities.cisco.com/thread/86199?start=0=0
https://forums.developer.apple.com/thread/87403
https://origin-discussions-us.apple.com/thread/8106481


Related bugs:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve97765
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg22344

I hope this info helps someone else,

Joe


RE: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

2017-11-01 Thread Linchuan Yang
Dear All

Thank you for your information. The problem can be fixed by the new release 
today, iOS 11.1.

Have a nice day.

Yours,
Linchuan Yang (Antony)
MEng, ACMP
Wireless Networking Analyst
Network Assessment and Integration,
IITS-Concordia University
Tel: (514)848-2424 ext. 7664






Re: [WIRELESS-LAN] Radius certificate length vs. onboarding opinions

2017-11-01 Thread Jethro R Binks
On Wed, 1 Nov 2017, James Andrewartha wrote:

> One distinction about using a private CA is that you can have an 
> extremely long root CA, and then have shorter lived certificates signed 
> by that CA that are rotated. However, without onboarding to install the 
> CA for the SSID vs just trusting the certificate (which I know is what 
> macOS and iOS do) then it's not much of a distinction in practice. This 
> also means I have the same certificate installed on all RADIUS servers.

This is what we do.  Very long CA, which the clients get in their 
onboarding (via CAT, and a local captive portal), and a less-long server 
cert with a fixed name applied to all the RADIUS servers.  As long as 
replacement server certs use the same name, and are signed by the same 
root, changeovers should be pretty seamless.  (Having gone through a 
previous root CA change, and a server name change along the way, when it 
came up again for renewal I wanted to try and make sure that we didn't 
have that pain any more in the future, at least so far as we can predict).

Long term, I agree that cert auth would be better.  But I have no real 
information on the management overhead or technologies to use for 
efficiently running a PKI for issuing thousands of client certs nor how 
good client support is.

Also agree with the comments about IoT.  It makes me deeply uncomfortable 
when I find out that some wireless device is using the wireless network 
with some researcher's personal credentials stored in it so it can 
connect.  We encourage the use of "role accounts" where this is necessary, 
but they usually would have to ask to find this out and they often just 
don't.  To be fair, I'm usually surprised if a device can do 802.1X - 
usually it means it is Linux-based and you've got good access to the innards.  
If you've got a device that can do 5G rather than 2.4G, and does WPA2-PSK, 
then you're doing well it seems ... I've learned to be pleasantly surprised 
if you get that much and not expect anything more.

It's clear we need a separate SSID for those purposes, but I guess to 
ensure it is only used by suitable devices of limited capabilities it 
needs to be MAC authenticated which isn't terrific, is a management 
overhead, and so on.  And many of those devices still need Internet access 
to talk to their cloudy home.  So that's NAT or proxying in an IPv4 world, 
unless you're gonna burn public IPs on them.  Interested in how people are 
handling this too.

Jethro.


> 
> On EAP-TLS, we briefly tried enabling Windows Credential Guard last week
> on a few IT laptops, and immediately had to turn it off as it breaks
> MSCHAPv2 authentication:
> https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-considerations
> 
> I had a meeting with Microsoft yesterday and they said that certificate
> auth is really the only secure answer. Since our devices are owned by
> the school, we'll probably look at setting up a private Windows CA first
> rather than going down the CloudPath or SecureW2 path.
> 
> On 31/10/17 12:46, Craig Simons wrote:
> > These are very helpful and thoughtful points to consider. I think of
> > this issue using the angel and devil on the shoulder analogy. On one
> > shoulder, as a security conscious engineer (and technophile) I see why
> > shorter certificates (I believe the maximum is 39 months now?) with all
> > allowances made for security are the necessary evil. On the other, we
> > want the campus WiFi experience to be easy, simple and as painless for
> > the user (and Service Desk people) as possible. In many ways, a good
> > onboarding tool lets you have your cake and eat it too... but our recent
> > experience has shown us that even this has its limits.
> > 
> > I suppose the “correct” answer is the one that is supportable. This
> > requires the Service Desk/Desktop Support people to be willing and able
> > to handle the hordes when they arrive in the interests of security
> > “tough love”.
> > 
> > However, I still believe there is a large role to play for EAP-TLS in
> > the future. In the IoT world, the willingness of users to put their
> > personal credentials on low-end devices is a security threat before even
> > getting to the certificate conversation.
> > 
> > Thanks to all that replied!
> > 
> > *Craig Simons*
> > Network Operations Manager
> > 
> > Simon Fraser University | Strand Hall
> >  University Dr., Burnaby, B.C. V5A 1S6
> > T: 778.782.8036 | M: 604.649.7977
> > 
> > 
> > 
> >> On Oct 30, 2017, at 1:19 PM, Mike Atkins wrote:
> >>
> >> We are option 3 with 3 year certs. We were in the same boat as Craig
> >> just over a year ago. We moved to a different onboarding utility and
> >> different CA. It is a long story so feel free to hit me up offline.
> >> That said, in the future we will likely end up using both options 3 &
> >> 4 to be