Have you also disabled OKC (Opportunistic Key Caching)? This was causing a 
lot of issues on our campus with sticky laptop AP sessions and so on.

I might try extending our timers a bit. I had not heard of that before.

_________________
Angela K. Hollman
Information Technology Services
Network Manager
(308)865-8176



From: Lee H Badman <[email protected]>
To: [email protected]
Date: 01/23/2009 02:50 PM
Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]>



We were told to stretch 'em out even more:

config advanced eap identity-request-timeout 120 
config advanced eap identity-request-retries 20 
config advanced eap request-timeout 120 
config advanced eap request-retries 20

but still we see a plethora of Mac-specific issues.

Lee 

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[email protected]] On Behalf Of Rob Brenner
Sent: Friday, January 23, 2009 3:37 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues

The EAP settings need to be changed on the Cisco WLCs also. For some
reason the default is only 1 second. We set ours to 30 seconds. This
change improved the logon process for many platforms.

-Rob Brenner
-Texas A&M University

(WiSM-slot4-1) >show advanced eap


EAP-Identity-Request Timeout (seconds)........... 30  <--
EAP-Identity-Request Max Retries................. 20
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30  <--
EAP-Request Max Retries.......................... 20
EAPOL-Key Timeout (seconds)...................... 1
EAPOL-Key Max Retries............................ 2



-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[email protected]] On Behalf Of Emerson Parker
Sent: Friday, January 23, 2009 12:34 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues

Just a little note on Macs and 802.1x.  Last year, I noticed that some
Mac laptops needed a small delay between the EAP-success and the
beginning of the key exchange.

You can test this theory by implementing a small delay in the Aruba
controller.  I haven't seen recent issues however and this may be a
thing of the past.

aaa authentication dot1x <dot1x_profile> timer wpa-key-period 2000

-Emerson


-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[email protected]] On Behalf Of Urrea, Nick
Sent: Friday, January 23, 2009 11:36 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues

We at UC Hastings are using PEAP-MSCHAPv2 as our EAP type.
I noticed that by default the Mac client will set up an 802.1x profile
for our wireless network with PEAP, EAP-TLS, and TTLS.
With this setup the Mac client would authenticate every time but only
get an IP address half the time. Un-selecting EAP-TLS and TTLS and
only having PEAP selected in the 802.1x profile has fixed this problem.

 

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[email protected]] On Behalf Of Ben Thompson
Sent: Friday, January 23, 2009 1:42 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues

Hi

We have a mixed network with a mixture of Cisco fat APs and Aruba thin
APs and we have found that some Apple Macs are having problems
connecting to the Aruba setup. It seems that the authentication
periodically fails and I see error messages like these from RADIUS :-

Auth fail logs from FreeRADIUS :-

Thu Jan 22 16:59:44 2009 : Error: TLS Alert write:fatal:bad record mac
Thu Jan 22 16:59:44 2009 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Thu Jan 22 16:59:44 2009 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.


Auth fail reason from IAS :-

Reason-Code = 260
Reason = The message or signature supplied for verification has been
altered 


Has anyone else seen anything similar to this?

Thanks

-- 

Ben Thompson

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
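
Added example, not part of the original thread: a small Python check that parses the `show advanced eap` output quoted above and reports EAP timers below a site baseline. The baseline values (the 30-second timers mentioned in the thread) and the function names are assumptions chosen for illustration.

```python
import re

# Constructed sample: the `show advanced eap` output quoted in the thread,
# with the "<--" annotations left in as they appear there.
SAMPLE = """\
EAP-Identity-Request Timeout (seconds)........... 30  <--
EAP-Identity-Request Max Retries................. 20
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30  <--
EAP-Request Max Retries.......................... 20
EAPOL-Key Timeout (seconds)...................... 1
EAPOL-Key Max Retries............................ 2
"""

# Label, a run of dot leaders, then the value; trailing notes are ignored.
LINE = re.compile(r"^(?P<key>.+?)\.{2,}\s*(?P<value>\S+)")

def parse_show_eap(text):
    """Return {label: int or str} for each dotted line of the output."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompt line, blank line, or anything else
        value = m.group("value")
        settings[m.group("key").strip()] = int(value) if value.isdigit() else value
    return settings

def below_baseline(settings, baseline):
    """List (label, actual, wanted) for settings missing or under the baseline."""
    findings = []
    for key, wanted in baseline.items():
        actual = settings.get(key)
        if not isinstance(actual, int) or actual < wanted:
            findings.append((key, actual, wanted))
    return findings

# Hypothetical site baseline: the 30-second timers from the thread.
BASELINE = {
    "EAP-Identity-Request Timeout (seconds)": 30,
    "EAP-Request Timeout (seconds)": 30,
}

if __name__ == "__main__":
    parsed = parse_show_eap(SAMPLE)
    for key, actual, wanted in below_baseline(parsed, BASELINE):
        print(f"{key}: {actual} (baseline {wanted})")
```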
