Many of the commands listed have been for Cisco or Aruba. Anyone with Meru have comments? We are seeing various problems that have gotten much better with Apple updates in addition to a Patch for the Meru code. But still seem to have many general problems with the MACs. I am looking at finding some of these changes but if there is any experience all the better.
-- Walt Reynolds Principal Systems Security Development Engineer Information Technology Central Services University of Michigan (734) 615-9438 > -----Original Message----- > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:[email protected]] On Behalf Of Angela K > Hollman > Sent: Monday, January 26, 2009 10:52 AM > To: [email protected] > Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues > > > I'm running Aruba controllers so I don't know where it would be on > Cisco. On Aruba it's just a checkbox under the authentication profile. > I'm running 3.3.x and I was running 3.1.x. It was on both versions. > > CLI -> > aaa authentication dot1x <profile-name> <enter> opp-key-caching > > On the GUI, it's under the dot1x advanced settings. > > _________________ > Angela K. Hollman > Information Technology Services > Network Manager > (308)865-8176 > > > > From: Lee H Badman <[email protected]> To: > [email protected] Date: 01/26/2009 09:28 AM > Subject: > Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues Sent by: > The > EDUCAUSE Wireless Issues Constituent Group Listserv > <[email protected]> > > ________________________________ > > > > > Hi Angela- > > > > This is the first I’ve heard of OKC… I’m not seeing as either a > controller or WLAN-level setting. Where does one find this, and do you > know what code versions it goes back to? > > > > -Lee > > > > Lee H. Badman > > Wireless/Network Engineer > > Information Technology and Services > > Syracuse University > > 315 443-3003 > > ________________________________ > > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:[email protected] <mailto:WIRELESS- > [email protected]> ] On Behalf Of Angela K Hollman > Sent: Monday, January 26, 2009 10:01 AM > To: [email protected] > Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues > > > > > Have you also disabled OKC (Opportunistic Key Caching)? This was > causing a lot of issues on our campus with sticky laptop AP sessions and so > on. > > I might try extending our timers a bit. I had not heard of that before. > > _________________ > Angela K. Hollman > Information Technology Services > Network Manager > (308)865-8176 > > > From: Lee H Badman <[email protected]> To: > [email protected] Date: 01/23/2009 02:50 PM > Subject: > Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues Sent by: > The > EDUCAUSE Wireless Issues Constituent Group Listserv > <[email protected]> > > > > ________________________________ > > > > > We were told to stretch 'em out even more: > > config advanced eap identity-request-timeout 120 config advanced eap > identity-request-retries 20 config advanced eap request-timeout 120 > config advanced eap request-retries 20 > > but still we see a plethora of Mac-specific issues. > > Lee > > -----Original Message----- > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:[email protected] <mailto:WIRELESS- > [email protected]> ] On Behalf Of Rob Brenner > Sent: Friday, January 23, 2009 3:37 PM > To: [email protected] > Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues > > The eap settings need to be changed on the cisco wlc's also. For some > reason the default is only 1 second. We set ours to 30 seconds. This > change improved the logon process for many platforms. > > -Rob Brenner > -Texas A&M University > > (WiSM-slot4-1) >show advanced eap > > > EAP-Identity-Request Timeout (seconds)........... 30 > <-- > EAP-Identity-Request Max Retries................. 20 EAP Key-Index for > Dynamic WEP.................... 0 EAP Max-Login Ignore Identity > Response........... enable > EAP-Request Timeout (seconds).................... 30 > <-- > EAP-Request Max Retries.......................... 20 EAPOL-Key Timeout > (seconds)...................... 1 EAPOL-Key Max > Retries............................ 2 > > > > -----Original Message----- > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:[email protected] <mailto:WIRELESS- > [email protected]> ] On Behalf Of Emerson Parker > Sent: Friday, January 23, 2009 12:34 PM > To: [email protected] > Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues > > Just a little note on Macs and 802.1x. Last year, I noticed that some > MAC laptops needed a small delay between the EAP-success and the > beginning of the key exchange. > > You can test this theory by implementing a small delay in the Aruba > controller. > I haven't seen resent issues however and this may be a thing of the past. > > aaa authentication dot1x <dot1x_profile> timer wpa-key-period 2000 > > -Emerson > > > -----Original Message----- > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:[email protected] <mailto:WIRELESS- > [email protected]> ] On Behalf Of Urrea, Nick > Sent: Friday, January 23, 2009 11:36 AM > To: [email protected] > Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues > > We at UC Hastings are using PEAP-MSChapv2 as our EAP type. > I noticed that by default the Mac client will setup an 802.1x profile > for our wireless network with PEAP, EAP-TLS, and TTLS. > With this setup the Mac client would authenticate every time but only > get an IP address half the time. By un-selecting EAP-TLS and TTLS and > only having PEAP selected in the 802.1x profile has fixed this problem. > > > > -----Original Message----- > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:[email protected] <mailto:WIRELESS- > [email protected]> ] On Behalf Of Ben Thompson > Sent: Friday, January 23, 2009 1:42 AM > To: [email protected] > Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues > > Hi > > We have a mixed network with a mixture of Cisco fat AP's and Aruba > thin AP's and we have found that some Apple Macs are having problems > connecting to the Aruba setup. It seems that the authentication > periodically fails and I see error messages like these from RADIUS :- > > Auth fail logs from FreeRADIUS :- > > Thu Jan 22 16:59:44 2009 : Error: TLS Alert write:fatal:bad record mac > Thu Jan 22 16:59:44 2009 : Error: rlm_eap: SSL error error:1408F119:SSL > routines:SSL3_GET_RECORD:decryption failed or bad record mac Thu Jan 22 > 16:59:44 2009 : Error: SSL: SSL_read failed in a system call (-1), TLS > session fails. > > > Auth fail reason from IAS :- > > Reason-Code = 260 Reason = The message or signature supplied for > verification has been altered > > > Has anyone else seen anything similar to this? > > Thanks > > -- > > Ben Thompson > > ********** > Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/ <http://www.educause.edu/groups/> . > > ********** > Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/ <http://www.educause.edu/groups/> . > > ********** > Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/ <http://www.educause.edu/groups/> . > > ********** > Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/ <http://www.educause.edu/groups/> . > > ********** > Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/ <http://www.educause.edu/groups/> . > > > ********** Participation and subscription information for this > EDUCAUSE Constituent Group discussion list can be found at > http://www.educause.edu/groups/ <http://www.educause.edu/groups/> . > > ********** Participation and subscription information for this > EDUCAUSE Constituent Group discussion list can be found at > http://www.educause.edu/groups/ <http://www.educause.edu/groups/> .
