RE: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

2017-11-01 Thread Jason Cook
We did see this in beta testing, and for us it was caused by a SHA1 RADIUS
certificate. We had a 10-year cert so didn’t have to update, and so got caught
out with a SHA1 (relevant to other discussion). We ended up updating to SHA2
before iOS 11 was released.

We didn’t see issues for different RADIUS servers, so the question about
different certs on the different servers seems to make sense.

Apple’s explanation is that they don’t trust SHA1 anymore, and while they do
allow it for RADIUS and some other things in iOS 11, they don’t trust it in the
iOS 11 upgrade process. So you can forget and reconfigure after upgrade and the
same SHA1 cert will work. It will never work without user intervention after
upgrade.

A Cloudpath-installed profile with EAP-TLS didn’t have issues, but
user-configured PEAP iOS 11 devices did.

The certificate replacement was easy enough in the end. We tested the
experience on the main devices, and communicated out about the change.
Surprisingly very few calls for support, but we told users what to do for each
device and have onboarding so…



--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Becker, Jason
Sent: Wednesday, 1 November 2017 2:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication


We are seeing the same issue here on our Cisco deployment. I've been telling
users to reboot or forget it and reconnect unfortunately. After this they've
been good, but I see your point with several certs.

Jason


From: The EDUCAUSE Wireless Issues Constituent Group Listserv
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Cappalli, Tim (Aruba
Security) <t...@hpe.com>
Sent: Tuesday, October 31, 2017 9:33:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

Just curious. Why aren't you using the same EAP server certificate across all 
of your RADIUS servers?


From: The EDUCAUSE Wireless Issues Constituent Group Listserv
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Linchuan Yang
<linchuan.y...@concordia.ca>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, October 31, 2017 at 10:28 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

Dear All

Good morning. All of our iOS users started having authentication problems after
upgrading to iOS 11. The devices keep asking for the user name and password.
The only way we can fix it for now is to “forget” the old profile and manually
create a new one; after trusting the certificate, the iOS 11 devices can
connect to the wireless network. However, we have more than three RADIUS
servers; if the clients go to other buildings, they have to do this again. In
some cases, the clients have to repeat the procedure every morning when they
come back to the office.

We noticed some related discussions on the Cisco and Apple Communities, but
there is not any solution for it. Do you have the same problem on your
wireless network? Could you please give us some suggestions?

Thank you, and have a nice day.

Yours,
Linchuan Yang (Antony)
MEng, ACMP
Wireless Networking Analyst
Network Assessment and Integration,
IITS-Concordia University
Tel: (514)848-2424 ext. 7664

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



The materials in this message are private and may contain Protected Healthcare 
Information or other information of a sensitive nature. If you are not the 
intended recipient, be advised that any unauthorized use, disclosure, copying 
or the taking of any action in reliance on the contents of this information is 
strictly prohibited. If you have received this email in error, please 
immediately notify the sender via telephone or return mail.

***
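
The two checks this thread points to (a SHA-1-signed RADIUS certificate, and different EAP certificates on different RADIUS servers), as an added example that is not part of the original thread: a standard-library DER walk that reads each certificate's signature algorithm OID and compares fingerprints across servers. The server names and certificate skeletons are constructed sample data.

```python
import hashlib

SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}  # sha1WithRSA, ecdsa-with-SHA1

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):  # the first content byte packs the first two arcs
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    outer, start, _ = read_tlv(der, 0)
    _, _, tbs_end = read_tlv(der, start)       # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if outer != 0x30 or tag != 0x06:
        raise ValueError("not a DER X.509 certificate")
    return decode_oid(der[oid_start:oid_end])

def audit(certs):
    """certs maps RADIUS server name -> DER bytes; returns a list of findings."""
    findings, by_print = [], {}
    for name, der in sorted(certs.items()):
        if signature_oid(der) in SHA1_SIG_OIDS:
            findings.append(f"{name}: EAP certificate is SHA-1 signed")
        by_print.setdefault(hashlib.sha256(der).hexdigest(), []).append(name)
    if len(by_print) > 1:
        groups = sorted(",".join(g) for g in by_print.values())
        findings.append("different EAP certificates: " + " | ".join(groups))
    return findings

# Constructed sample: DER skeletons with only the fields signature_oid() walks.
def _skeleton(oid_hex, serial):
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    tbs = tlv(0x30, tlv(0x02, bytes([serial])))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xaa"))

SAMPLE = {  # hypothetical server names; radius3 still carries a SHA-1 certificate
    "radius1": _skeleton("2a864886f70d01010b", 1),
    "radius2": _skeleton("2a864886f70d01010b", 1),
    "radius3": _skeleton("2a864886f70d010105", 2)}
print(*audit(SAMPLE), sep="\n")
```

For real certificates exported as PEM, convert each with `ssl.PEM_cert_to_DER_cert()` before passing the bytes to `audit()`.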

RE: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

2017-11-01 Thread Joseph Roosen
All,

We have been battling this issue with EAP-MSCHAPv2/PEAP on our BYOD network
since September, just after the iOS 11.0.0 release. We never had issues before
with onboarding any iOS 10.x versions. We have a few Cisco TAC cases open on
the issue and have gone down the path of it being Cisco ISE (running
2.1 patch 5) related or even EAP-AUTH certificate trust related with our
external CA Comodo. As of this morning, we tried iOS 11.1.0 and it works as
expected to onboard devices just like in iOS 10.x with our two SSID BYOD
process. The supplicant is configured correctly via ISE profile install and is
able to attach to the BYOD network after registering. The popups for incorrect
password, prompts for a password without location to enter the password or the
failure to onboard via BYOD have been resolved. The issue seems to be totally
the iOS 11.0.x series of code and the fix is in as of 11.1.0+. Here are some
links concerning this issue for your records and history:

https://communities.cisco.com/thread/86199?start=0=0
https://forums.developer.apple.com/thread/87403
https://origin-discussions-us.apple.com/thread/8106481


Related bugs:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve97765
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg22344

I hope this info helps someone else,

Joe



RE: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

2017-11-01 Thread Linchuan Yang
Dear All

Thank you for your information. The problem can be fixed by the new release
today, iOS 11.1.

Have a nice day.

Yours,
Linchuan Yang (Antony)
MEng, ACMP
Wireless Networking Analyst
Network Assessment and Integration,
IITS-Concordia University
Tel: (514)848-2424 ext. 7664






Re: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

2017-10-31 Thread Becker, Jason
We are seeing the same issue here on our Cisco deployment. I've been telling
users to reboot or forget it and reconnect unfortunately. After this they've
been good, but I see your point with several certs.

Jason





Re: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

2017-10-31 Thread Cappalli, Tim (Aruba Security)
Just curious. Why aren't you using the same EAP server certificate across all 
of your RADIUS servers?

