Re: [WIRELESS-LAN] iOS 4 config profiles

2010-08-16 Thread Keith Moores
Wow.  Thanks, that totally did it!

...interesting how the PC version of a piece of Apple software works better 
than the Mac version.   Of note I had tried the Mac 3.0 IPCU version, so the 
problem wasn't addressed in that upgrade.

I haven't confirmed it, but my guess is that it might be some sort of DER vs. PEM 
encoding issue.  

Thanks again,
-Keith



On Aug 16, 2010, at 3:27 PM, Wong, Jonathan wrote:

> Are you creating the .mobileconfig profile under the iPhone Configuration 
> Utility (iPCU) on a Mac computer?  I had the same issue with iOS 4 iPhones.  
> I noticed that using IPCU version 2.2 on a Mac and a Windows machine produced 
> different PEM encoded certificates in the profile (if you opened the 
> .mobileconfig file in a text editor).  If I export a .mobileconfig with 
> certificates with a Mac, I get the "Profile Failed to Install. The 
> certificate "x" appears to be invalid." error when importing on an 
> iPhone.  If I export the same config under IPCU on a Windows machine, I get a 
> valid profile with no errors.
> 
> Apple has IPCU version 3.0 out, but I have not had a chance to try it out 
> yet.  I have reported this issue to our Apple SE but no Bug ID has been 
> created, yet.
> 
> Hopefully experiencing the same issue.  Please let me know if this 
> workaround fixes your issue.
> 
> Regards,
> 
> Jonathan Wong
> Network Engineer,  ITS Networking
> University of Texas at Austin
> 
> 
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:wireless-...@listserv.educause.edu] On Behalf Of Keith Moores
> Sent: Monday, August 16, 2010 1:52 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] iOS 4 config profiles
> 
> Is anyone else having problems with iOS (iPhone OS...) 4 devices not 
> accepting certificates distributed by configuration profiles (.mobileconfig 
> files)?
> 
> "Profile Failed to Install
> The certificate "x" appears to be invalid."
> 
> Our 3.x devices have no problem installing our profile and individually 
> importing PEM files does continue to work with iOS 4.
> 
> Found this thread:
> http://discussions.info.apple.com/thread.jspa?messageID=12078530&tstart=0
> but the suggestions didn't help.  I'm wondering if anyone on the list is not 
> having this problem.
> 
> Without configuration profiles setting up these devices manually is pretty 
> complicated for our EAP-TLS wireless network.  
> 
> Thanks,
> -Keith
> 
> 
> 
> Keith Moores <mailto:km...@virginia.edu>
> Network Systems Senior Engineer/Supervisor Core Network Infrastructure
> ITC-Communications and Systems Division
> University of Virginia, ITC-2015 Ivy Rd    Phone (434) 924-0621
> 
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.
> 


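One way to test the DER vs. PEM guess in the message above is to compare how the certificate payloads are encoded in a Mac-exported and a Windows-exported profile. The Python below is an added example, not code from the thread or from Apple; it assumes an unsigned XML .mobileconfig and the certificate payload types listed in it, and it uses a constructed 5-byte DER value in place of a real certificate.

```python
import base64
import plistlib

# Certificate payload types used in configuration profiles (assumed to cover this case).
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}

def der_sequence_ok(blob):
    """True if blob is exactly one DER SEQUENCE whose length field matches its size."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                       # short-form length
        return len(blob) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        return False
    return len(blob) == 2 + n + int.from_bytes(blob[2:2 + n], "big")

def classify(blob):
    """Label a payload's bytes as raw DER, PEM text, or something else."""
    if der_sequence_ok(blob):
        return "DER"
    text = blob.strip()
    if text.startswith(b"-----BEGIN CERTIFICATE-----"):
        body = b"".join(l.strip() for l in text.splitlines() if not l.startswith(b"-----"))
        try:
            inner = base64.b64decode(body, validate=True)
        except ValueError:
            return "PEM (bad base64)"
        return "PEM" if der_sequence_ok(inner) else "PEM (body not DER)"
    return "unknown"

def certificate_encodings(profile_bytes):
    """Return (display name, payload type, encoding) for each certificate payload."""
    profile = plistlib.loads(profile_bytes)
    return [(p.get("PayloadDisplayName", "?"), p["PayloadType"], classify(p["PayloadContent"]))
            for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") in CERT_TYPES]

# Constructed sample: a 5-byte DER SEQUENCE stands in for a real certificate.
FAKE_DER = bytes.fromhex("3003020101")
FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER)
            + b"\n-----END CERTIFICATE-----\n")
SAMPLE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
    {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "ca-der", "PayloadContent": FAKE_DER},
    {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "ca-pem", "PayloadContent": FAKE_PEM},
    {"PayloadType": "com.apple.wifi.managed", "PayloadDisplayName": "wifi"}]})

if __name__ == "__main__":
    for row in certificate_encodings(SAMPLE):
        print(row)
```

Running certificate_encodings() on the bytes of each exported profile and comparing the third column shows whether the two exports really differ in encoding.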

iOS 4 config profiles

2010-08-16 Thread Keith Moores
Is anyone else having problems with iOS (iPhone OS...) 4 devices not accepting 
certificates distributed by configuration profiles (.mobileconfig files)?

"Profile Failed to Install
The certificate "x" appears to be invalid."

Our 3.x devices have no problem installing our profile and individually 
importing PEM files does continue to work with iOS 4.

Found this thread:
http://discussions.info.apple.com/thread.jspa?messageID=12078530&tstart=0
but the suggestions didn't help.  I'm wondering if anyone on the list is not 
having this problem.

Without configuration profiles setting up these devices manually is pretty 
complicated for our EAP-TLS wireless network.  

Thanks,
-Keith


--------
Keith Moores <mailto:km...@virginia.edu>
Network Systems Senior Engineer/Supervisor Core Network Infrastructure
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd    Phone (434) 924-0621



802.11n WPA2/AES requirement

2008-03-16 Thread Keith Moores
Just wondering what encryption type those of you that have started  
moving to (testing with) 802.11n APs are using?


I'm trying to confirm that N clients connecting to N APs must use WPA2/AES 
to connect with encryption.


If an N AP accepts both WPA/TKIP and WPA2/AES can an N client connect  
set to either albeit only at 802.11n HT rates when using WPA2/AES?



-Keith


Keith Moores <mailto:[EMAIL PROTECTED]>
Network Systems Senior Engineer
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd    Phone (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324 Fax   (434) 982-4715



Re: [WIRELESS-LAN] IPhones flooding wireless LAN at Duke University

2007-07-18 Thread Keith Moores
001b63 is what I've seen.  We have a Cisco AP infrastructure at UVa  
and haven't noticed any outages or other issues related to iPhones.


Our "Open" SSID requires prior MAC registration and is not broadcast,  
I'm not clear on how Duke has theirs set up.  Some "Open" network  
setups I've seen just let anything associate and then use captive  
portal networks (that require some sort of web auth) to gain real  
network access.  These systems can use ARP tricks in redirecting all  
web traffic to a web auth server.  I wonder if Duke could be using  
anything like that and stumbled on a bug in the system, perhaps  
exposed by some new and unique iPhone (re)association behavior.



--------
Keith Moores <mailto:[EMAIL PROTECTED]>
Network Systems
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd    Phone (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324 Fax   (434) 982-4715





On Jul 17, 2007, at 4:45 PM, Bob Richman wrote:

So far, have all the Iphone had the same OUI as the first six chars  
in the MAC? What are they?


Kevin Miller wrote:

1) Could you configure your routers w/ secondaries to "answer"
for the 1918 space the phones are looking for?  What happens if
the phone actually gets an answer?  A) Will it shut up, or B) can
you use this to get more diagnostic information?


We could; the addresses have all been different so far (10.0.1.1,  
192.168.1.1, 192.168.2.1) .. we haven't tried during an active  
problem so far but will.



2) I wonder if they hacked in some special sauce roaming ability?
It seems like what you are seeing may be aggravated by the device
roaming between ip subnets but staying on the same SSID?


Perhaps, yes. We know anecdotally that some people use the same  
SSID at home as on campus for ease of use. Though the iPhone  
yesterday apparently did not fall into this category.



So could they implement a way to deal with the case where a user
would roam from ap A to ap B staying on the same SSID.  So maybe
they chose to self arp to help populate upstream bridge tables,
but they accidentally reuse stale cached ip info?


Perhaps, though I'd hope the algorithm was setup to try, wait,  
timeout after some period of time.


-Kevin




--
Bob Richman
Network Engineer
210C Security Building
University of Notre Dame
Notre Dame, IN 46556

574-631-8562 office

[EMAIL PROTECTED]





Dynamic WEP transition to WPA

2006-10-27 Thread Keith Moores

All,

I'm interested to hear any experiences/thoughts on transitioning from  
Dynamic WEP to WPA encryption, especially from those of you with  
"Fat" Cisco AP deployments.


I see a few options, none of which I'm convinced is the way to go.

1) Announce a cutover date, after which Dynamic WEP will cease to  
work and everyone must use WPA.


Pros: relatively easy config change, clean compatibility cut off
Cons: potential for a LOT of help desk work that day/week...

2) Announce a cutover period, where both operate for a time (using  
Cisco's WEP 128 + TKIP migration mode), after which only using WPA.


Pros: Gives people a chance to reconfigure on their own schedule
Cons: Mac 10.3 seems unable to connect to APs in this migration mode,  
but IS fine with just WPA, other clients may also have this problem,  
not sure what to do with them during the migration period.


3) Deploy a new SSID/VLAN, announce a cutover period, after which  
shutdown the old one.


Pros: Gives people a chance to reconfigure on their own schedule
Cons: A LOT more back-end work, I'll miss our current ssid, go  
(cavalier)s!



Has anyone gone down one of these paths?  Come up with others?  Any  
WPA compatibility horror stories?


-Keith

p.s. Switching to a different wireless platform is not an option at  
this point, I realize this could be easier with here>'s amazing product.



--------
Keith Moores <mailto:[EMAIL PROTECTED]>
Network Systems
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd    Phone (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324 Fax   (434) 982-4715



Re: [WIRELESS-LAN] WIRELESS-LAN [Another RADIUS Question (802.1x)]

2006-03-23 Thread Keith Moores
We are running 12.3(4)JA...  but we also run 12.2(15)XR2 on our older  
350 APs, we haven't had a problem with Apple clients before.


The problem we are having only occurs with the MacBook Pro's "AirPort  
Extreme" card (it's probably an Intel wireless chipset), not the  
original AirPort Extreme card (Broadcom chipset) that the PowerPC  
Macs use.  The problem only appears for networks using 802.1X WEP  
encryption, no encryption or WPA (802.1X TKIP) work fine for the  
MacBook Pro.


Our APs' encrypted VLAN accepts the following Authentication methods:
-Open Authentication + EAP
-Network EAP

I do know that if you don't enable that first one some clients may  
not be able to connect, it's specifically mentioned in the IOS release  
notes.


-Keith


On Mar 23, 2006, at 10:49 AM, Earl Barfield wrote:


From:Keith Moores <[EMAIL PROTECTED]>
Subject: Re: Another RADIUS Question (802.1x)

802.1X WEP appears to be the problem with the MacBook Pro rather than
a specific flavor of EAP.  We just tested a yet to be released
(hopefully soon) software update from Apple that fixes the problem.

-Keith


What version of IOS are you running on your APs?  We had problems with
some variant of 12.3(4) that would not play nice with Apple's Airport
Extreme card.  There was a bug in Cisco's firmware with regards to
open vs shared authentications.  The PC clients seemed to overlook it,
but Apple's refused to associate.  If you turned off WEP, it worked,
which made it appear to be a WEP problem.

Anyway, IOS 12.3(7) fixed the problem.  We're happily running
12.3(7)JA2 now.

--
Earl Barfield  --  Academic & Research Technologies / Information Technology

Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: [EMAIL PROTECTED][EMAIL PROTECTED]





Re: [WIRELESS-LAN] Another RADIUS Question (802.1x)

2006-03-21 Thread Keith Moores
802.1X WEP appears to be the problem with the MacBook Pro rather than  
a specific flavor of EAP.  We just tested a yet to be released  
(hopefully soon) software update from Apple that fixes the problem.


-Keith


Keith Moores <mailto:[EMAIL PROTECTED]>
Network Systems
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd    Phone (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324 Fax   (434) 982-4715



On Mar 21, 2006, at 10:31 AM, Ruiz, Mike wrote:


Not to muddy this particular thread but our Mac experience with PEAP is
quite reasonable.  However it appears there is a huge issue with the new
MacBook Pro laptops connecting to an 802.1x PEAP environment.  The issue is
reproducible here and at lots of other schools it seems based on the Apple
discussion forums.

Mike






FreeRADIUS replacing Cisco ACS

2006-03-17 Thread Keith Moores
I'm looking to see if anyone has previous experiences with replacing  
Cisco's ACS with FreeRADIUS.  Specifically any perceived  
stability/performance/load-capacity pros or cons.


Right now we are using ACS (Windows 2k, v3.2) on 2 redundant Dual  
processor Xeons (2.8 P4s).  Peak authentications (mix of EAP-TLS and  
MAC Authentication) can reach 100 per minute handling requests from  
800 APs and our 1+ wireless users.  Performance seems to be  
adequate, however stability and flexibility have been problems for us.


We are looking at moving to FreeRADIUS running on Solaris (or  
possibly Linux), to address those problems but would like to hear from  
others about their opinion of its operational capabilities.


-Keith

--------
Keith Moores <mailto:[EMAIL PROTECTED]>
Network Systems
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd    Phone (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324 Fax   (434) 982-4715
