Ok, that is what I found and wanted some confirmation I guess. According to Meru there is no delay in the key exchange and is only delayed by code (so probably a few hundred milliseconds). It is a feature request right now.
--
Walt Reynolds
Principal Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438

> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:[email protected]] On Behalf Of Barber, Matt
> Sent: Tuesday, January 27, 2009 8:55 AM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues
>
> Hi Walter,
>
> This is in the configuration guide, but there doesn’t seem to be any
> configuration available. It looks like OKC might be on all the time.
> A quick search through the guide shows this as the only place it is mentioned.
>
> Opportunistic PMK Caching for WPA
>
> Opportunistic PMK caching allows the controller, acting as the 802.1X
> authenticator, to cache the results of a full 802.1X authentication so
> that if a client roams to any AP associated with that controller, the
> wireless client needs to perform only the 4-way handshake and
> determine new pair-wise transient keys. PMK caching is supported only
> for KDDI phones when using WPA with TKIP and 802.1X authentication.
> The system automatically detects the KDDI phone using the KDDI Vendor
> ID and applies PMK caching if available.
>
> Matt Barber
> Network Analyst
> Morrisville State College
> 315-684-6053
>
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:[email protected]] On Behalf Of Reynolds, Walter
> Sent: Tuesday, January 27, 2009 7:29 AM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues
>
> Many of the commands listed have been for Cisco or Aruba. Anyone with
> Meru have comments? We are seeing various problems that have gotten
> much better with Apple updates in addition to a Patch for the Meru
> code. But still seem to have many general problems with the MACs. I
> am looking at finding some of these changes but if there is any experience
> all the better.
>
> --
> Walt Reynolds
> Principal Systems Security Development Engineer
> Information Technology Central Services
> University of Michigan
> (734) 615-9438
>
>> -----Original Message-----
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:[email protected]] On Behalf Of Angela K Hollman
>> Sent: Monday, January 26, 2009 10:52 AM
>> To: [email protected]
>> Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues
>>
>> I'm running Aruba controllers so I don't know where it would be on
>> Cisco. On Aruba it's just a checkbox under the authentication profile.
>> I'm running 3.3.x and I was running 3.1.x. It was on both versions.
>>
>> CLI ->
>> aaa authentication dot1x <profile-name> <enter> opp-key-caching
>>
>> On the GUI, it's under the dot1x advanced settings.
>>
>> _________________
>> Angela K. Hollman
>> Information Technology Services
>> Network Manager
>> (308)865-8176
>>
>> From: Lee H Badman <[email protected]>
>> To: [email protected]
>> Date: 01/26/2009 09:28 AM
>> Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues
>> Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]>
>>
>> ________________________________
>>
>> Hi Angela-
>>
>> This is the first I’ve heard of OKC… I’m not seeing it as either a
>> controller or WLAN-level setting. Where does one find this, and do
>> you know what code versions it goes back to?
>>
>> -Lee
>>
>> Lee H. Badman
>> Wireless/Network Engineer
>> Information Technology and Services
>> Syracuse University
>> 315 443-3003
>>
>> ________________________________
>>
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:[email protected]] On Behalf Of Angela K Hollman
>> Sent: Monday, January 26, 2009 10:01 AM
>> To: [email protected]
>> Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues
>>
>> Have you also disabled OKC (Opportunistic Key Caching)? This was
>> causing a lot of issues on our campus with sticky laptop AP sessions
>> and so on.
>>
>> I might try extending our timers a bit. I had not heard of that before.
>>
>> _________________
>> Angela K. Hollman
>> Information Technology Services
>> Network Manager
>> (308)865-8176
>>
>> From: Lee H Badman <[email protected]>
>> To: [email protected]
>> Date: 01/23/2009 02:50 PM
>> Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues
>> Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]>
>>
>> ________________________________
>>
>> We were told to stretch 'em out even more:
>>
>> config advanced eap identity-request-timeout 120
>> config advanced eap identity-request-retries 20
>> config advanced eap request-timeout 120
>> config advanced eap request-retries 20
>>
>> but still we see a plethora of Mac-specific issues.
>>
>> Lee
>>
>> -----Original Message-----
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:[email protected]] On Behalf Of Rob Brenner
>> Sent: Friday, January 23, 2009 3:37 PM
>> To: [email protected]
>> Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues
>>
>> The eap settings need to be changed on the cisco wlc's also. For
>> some reason the default is only 1 second. We set ours to 30 seconds.
>> This change improved the logon process for many platforms.
>>
>> -Rob Brenner
>> -Texas A&M University
>>
>> (WiSM-slot4-1) >show advanced eap
>>
>> EAP-Identity-Request Timeout (seconds)........... 30  <--
>> EAP-Identity-Request Max Retries................. 20
>> EAP Key-Index for Dynamic WEP.................... 0
>> EAP Max-Login Ignore Identity Response........... enable
>> EAP-Request Timeout (seconds).................... 30  <--
>> EAP-Request Max Retries.......................... 20
>> EAPOL-Key Timeout (seconds)...................... 1
>> EAPOL-Key Max Retries............................ 2
>>
>> -----Original Message-----
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:[email protected]] On Behalf Of Emerson Parker
>> Sent: Friday, January 23, 2009 12:34 PM
>> To: [email protected]
>> Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues
>>
>> Just a little note on Macs and 802.1x. Last year, I noticed that
>> some MAC laptops needed a small delay between the EAP-success and
>> the beginning of the key exchange.
>>
>> You can test this theory by implementing a small delay in the Aruba
>> controller. I haven't seen recent issues however and this may be a
>> thing of the past.
>>
>> aaa authentication dot1x <dot1x_profile> timer wpa-key-period 2000
>>
>> -Emerson
>>
>> -----Original Message-----
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:[email protected]] On Behalf Of Urrea, Nick
>> Sent: Friday, January 23, 2009 11:36 AM
>> To: [email protected]
>> Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues
>>
>> We at UC Hastings are using PEAP-MSChapv2 as our EAP type.
>> I noticed that by default the Mac client will set up an 802.1x
>> profile for our wireless network with PEAP, EAP-TLS, and TTLS.
>> With this setup the Mac client would authenticate every time but
>> only get an IP address half the time.
>> By un-selecting EAP-TLS and
>> TTLS and only having PEAP selected in the 802.1x profile has fixed this
>> problem.
>>
>> -----Original Message-----
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:[email protected]] On Behalf Of Ben Thompson
>> Sent: Friday, January 23, 2009 1:42 AM
>> To: [email protected]
>> Subject: Re: [WIRELESS-LAN] Macintosh- Ongoing Connectivity Issues
>>
>> Hi
>>
>> We have a mixed network with a mixture of Cisco fat AP's and Aruba
>> thin AP's and we have found that some Apple Macs are having problems
>> connecting to the Aruba setup. It seems that the authentication
>> periodically fails and I see error messages like these from RADIUS :-
>>
>> Auth fail logs from FreeRADIUS :-
>>
>> Thu Jan 22 16:59:44 2009 : Error: TLS Alert write:fatal:bad record mac
>> Thu Jan 22 16:59:44 2009 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>> Thu Jan 22 16:59:44 2009 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
>>
>> Auth fail reason from IAS :-
>>
>> Reason-Code = 260
>> Reason = The message or signature supplied for verification has been altered
>>
>> Has anyone else seen anything similar to this?
>>
>> Thanks
>>
>> --
>>
>> Ben Thompson
>>
>> **********
>> Participation and subscription information for this EDUCAUSE
>> Constituent Group discussion list can be found at
>> http://www.educause.edu/groups/.
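
Added example, not part of the thread and not any vendor's code: a simplified model of the opportunistic PMK caching behaviour quoted from the configuration guide above, showing when a roaming client gets away with only the 4-way handshake and when it falls back to a full 802.1X exchange. The PMKID formula is the IEEE 802.11i one; the Controller class, the MAC addresses and the PMK are constructed for illustration.

```python
import hashlib
import hmac

def _mac(addr: str) -> bytes:
    return bytes.fromhex(addr.replace(":", ""))

def pmkid(pmk: bytes, bssid: str, sta: str) -> bytes:
    """802.11i PMKID: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + _mac(bssid) + _mac(sta), hashlib.sha1).digest()[:16]

class Controller:
    """Simplified authenticator model (assumption, not any vendor's implementation)."""

    def __init__(self, okc_enabled: bool):
        self.okc_enabled = okc_enabled
        self.cache = {}  # client MAC -> (PMK, BSSID where full 802.1X ran)

    def full_auth(self, sta: str, bssid: str, pmk: bytes) -> None:
        self.cache[sta] = (pmk, bssid)

    def reassociate(self, sta: str, bssid: str, offered) -> str:
        entry = self.cache.get(sta)
        if entry is None or offered is None:
            return "full-802.1X"
        pmk, first_bssid = entry
        # Without OKC the cached PMK is only honoured on the AP that created it.
        if bssid != first_bssid and not self.okc_enabled:
            return "full-802.1X"
        expected = pmkid(pmk, bssid, sta)  # PMKID is bound to the *target* BSSID
        return "4-way-only" if hmac.compare_digest(expected, offered) else "full-802.1X"

def roam_outcomes() -> dict:
    pmk = bytes(range(32))  # constructed 256-bit PMK
    sta, ap1, ap2 = "00:11:22:33:44:55", "02:00:00:00:00:01", "02:00:00:00:00:02"
    out = {}
    for okc in (True, False):
        ctrl = Controller(okc)
        ctrl.full_auth(sta, ap1, pmk)  # initial full 802.1X on AP1
        out[okc] = {
            "okc_client": ctrl.reassociate(sta, ap2, pmkid(pmk, ap2, sta)),
            "stale_pmkid": ctrl.reassociate(sta, ap2, pmkid(pmk, ap1, sta)),
            "no_pmkid": ctrl.reassociate(sta, ap2, None),
        }
    return out

if __name__ == "__main__":
    for okc, res in roam_outcomes().items():
        print("OKC enabled" if okc else "OKC disabled", res)
```

Only the client that recomputes the PMKID for the new BSSID skips 802.1X, and only while the controller has OKC enabled; every other case triggers a full EAP exchange, which is where the EAP timers discussed in the thread come into play.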
