Has an Apple bug ID, posted previously on this list:) ________________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] On Behalf Of Holland, Ryan [[email protected]] Sent: Thursday, September 01, 2011 10:06 PM To: [email protected] Subject: Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets
Is that posted somewhere? How is it known that it is known? =========== Ryan Holland (sent while mobile) On Sep 1, 2011, at 8:48 PM, "Lee H Badman" <[email protected]> wrote: > Known apple bug. > ________________________________________ > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [[email protected]] On Behalf Of Ryan Holland > [[email protected]] > Sent: Thursday, September 01, 2011 2:35 PM > To: [email protected] > Subject: Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets > > Matt (sorry for the delay), > > I'm making an assumption that when you say "we were able to change our > password correctly", you did that be changing it in Lion? > > The issue I was referring to is this: > - via your institution's account management service, create "password1" and > use it to connect to your SSID > - "password1" is stored in the keychain on the Lion machine > - via your institution's account management service, change password to > "password2" > - Turn on Wi-Fi on the Lion machine and it'll try and use "password1", which > is stored in the keychain. It'll fail and wait ~60seconds before trying again > with "password1". In my testing, I was never prompted to re-enter my > password. Thus, flushing keychain was the only option. > > ========== > Ryan Holland > Network Engineer, Wireless > Office of the Chief Information Officer > The Ohio State University > 614-292-9906 [email protected]<mailto:[email protected]> > > Submit a Kudos to an OCIO > employee!<http://www.surveygizmo.com/s/514095/giveociokudos> > > On Aug 15, 2011, at 5:27 PM, Matt Pendleton wrote: > > Hello all, > > We tested for this bug on our test OS X Lion device and we were able to > change our password correctly. Did we not do something right to get this bug > to appear? I want to make sure we tried everything as our students will be > returning starting this Wednesday. > > Thanks, > > Matt > > > > > Matt Pendleton | Systems & Network Administrator > University of Florida Department of Housing and Residence Education > PO Box 112100 | Gainesville, FL 32611-2100 > office 352.392.2171 x10107 | fax 352.392.6819 | > [email protected]<mailto:[email protected]> > Before printing this email think if it is necessary. > > -------- Original Message -------- > Subject: Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets > Date: Tue, 9 Aug 2011 14:26:40 -0400 > From: Holland, Ryan C. <[email protected]<mailto:[email protected]>> > Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv > <[email protected]<mailto:[email protected]>> > To: > [email protected]<mailto:[email protected]> > > > > All, > > Per advice from our Apple rep, I have submitted Apple BUG# 9922069. If you > would, please also submit bug entries for this so they understand the affect > of this issue. For your ease of submission, here's what I > submitted: > > 09-Aug-2011 02:23 PM Ryan Holland: > Summary: > After successfully authenticating via 802.1X to an enterprise Wi-Fi > network, credentials are stored in Keychain correctly. If the > username/password are changed on the enterprise side (i.e., user > changes their password), OS 10.7 continues to use the stored keychain > item and never prompts the user to reenter their username and > password. Authentication continuously fails. > > Steps to Reproduce: > 1.) Connect to an 802.1X authenticated WPA2-AES enterprise Wi-Fi > network (like most higher education institutions) and verify > credentials are stored in the keychain. > 2.) Change username and password via the authentication database > 3.) Disconnect from Wi-Fi on the 10.7 machine. > 4.) Reconnect/reauthenticate to Wi-Fi > At this point, reconnection is not possible. > > Expected Results: > OS 10.7 will use the keychain with the now-incorrect username and > password. Upon failed authentication, the UI should prompt the user to > reenter their username and password. User would enter their > now-correct username and password, successfully authenticate, and OS > 10.7 would update the keychain entry appropriately. > > Actual Results: > UI never prompts for now-correct username and password. Authentication > continuously fails. > > Regression: > User must manually remove any and all related keychain items that have > the stored username and password. Then, OS 10.7 UI will prompt user > for NEW username and password. > > Notes: > Regression is workable on a case-by-case basis. However, we have > 10,000+ mac users and a 90-day password policy that is enforced. With > this current bug, users will have to tinker with their keychain at > least every 90 days. > > Please email me at [email protected]<mailto:[email protected]> > <mailto:[email protected]> or > call at 614-292-9906 to discuss this matter further. > **THIS NEEDS TO BE PRIORITIZED, AS NUMEROUS UNIVERSITIES ARE AFFECTED > BY THIS BUG** > > ========== > Ryan Holland > Network Engineer, Wireless > Office of the Chief Information Officer > The Ohio State University > 614-292-9906 [email protected]<mailto:[email protected]> > <mailto:[email protected]> > > > On Aug 5, 2011, at 11:44 AM, Holland, Ryan C. wrote: > > All, > > I used the iPhone configuration utility to create a .mobileconfig > file, as recommended by apple. Upon double-clicking, it prompts to > install the profile, and you can optionally enter a username and > password at that time. Either once you enter those and finish profile > installation, or if you skip entering there and later enter username > and password connecting, either way an entry is added to the keychain. > THEN, if the user changes their password, that keychain entry is still > there and is used, continuously failing auth. Only workaround I've > found is to delete the keychain, which results in user prompted for > username and password, at which point a new keychain item is created. > > I think this is more of a keychain behavior problem.....or just a WiFi > problem on the Apple. Regardless, the Mac supplicant's behavior should > not try and be stubbornly using wrong credentials over and over. "That > password didn't work?! Hmm. Maybe I should try it again. Didn't work > again? Hmm. Maybe I should try it again. Dang! How about now? no!? > Hmm.... Now?......" > > At this point, Xpressconnect is not an option for us. Also, we can't > not do 802.1X. Right now, the only I do I have is bold face text on > the WebUI where users change their password stating that Mac users > *must* delete their keychain, etc. > > Additional ideas? > > =========== > Ryan Holland > > On Aug 5, 2011, at 11:06 AM, "Palmer IV, Daniel" > <[email protected]<mailto:[email protected]> > <mailto:[email protected]>> wrote: > > That was going to be my point. That profile can be for the user or > for the machine. We are using a user based profile that we modify > via script and "slurp" in to create our connection. (Cannot say > which id is being used to validate though, have not had time to test > that). > > dp > > *Daniel Palmer > *University Technology Services (UTS) Emory University Atlanta, GA > 30322 > 404.727.5297 (office) > 404.213.1643 (mobile) > > > > From: David Blahut <[email protected]<mailto:[email protected]> > <mailto:[email protected]>> > Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv > <[email protected]<mailto:[email protected]> > <mailto:[email protected]>> > Date: Fri, 5 Aug 2011 11:00:24 -0400 > To: > <[email protected]<mailto:[email protected]> > <mailto:[email protected]>> > Subject: Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets > > Great question, I was surprised to not see the + in the 802.1X > window. When I associated to the secure SSID a dialog box popped up > asking for username and password. I think the credentials are added > to the keychain at that point. > > You can also use Lion server to create a profile. I haven't tested > this but more information can be found here: > http://support.apple.com/kb/HT4772 > > -d > > *From:*The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:[email protected]] *On Behalf Of *Palmer IV, > Daniel > *Sent:* Friday, August 05, 2011 9:43 AM > *To:* > [email protected]<mailto:[email protected]> > <mailto:[email protected]> > *Subject:* Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets > > In your test machine... How did you create your 802.1x profile? > > dp > > *Daniel Palmer** > *University Technology Services (UTS) Emory University Atlanta, GA > 30322 > 404.727.5297 (office) > 404.213.1643 (mobile) > > *From: *David Blahut <[email protected]<mailto:[email protected]> > <mailto:[email protected]>> > *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv > <[email protected]<mailto:[email protected]> > <mailto:[email protected]>> > *Date: *Fri, 5 Aug 2011 09:13:43 -0400 > *To: > *<[email protected]<mailto:[email protected]> > <mailto:[email protected]>> > *Subject: *Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets > > I did some Lion testing yesterday on our 802.1X secured SSID and > discovered the following while watching the RADIUS logs: > > The laptop had two accounts set up on it, mine and another 'tester'. > If you simply switched users the machine would reauthenticate but > still use the other username/password (the account switching from). > > If the laptop was restarted or shut down and started back up the > correct username/password would be used to log into the wireless no > matter what user was logged in when the restart was initiated. > > I don't necessarily think this is a big problem in our environment > but I can see where it could be in others. > > -d > > *From:*The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:[email protected]] *On Behalf Of *Holland, > Ryan C. > *Sent:* Thursday, August 04, 2011 5:01 PM > *To:* > [email protected]<mailto:[email protected]> > <mailto:[email protected]> > *Subject:* [WIRELESS-LAN] MacOS Lion & Wireless Password Resets > > I have finally got my hands on MacOS 10.7 (lion) and have started > running it through wireless tests. One item I find very worrisome is > this: > > - Via WPA2-Enterprise (PEAP/MSCHAPv2), I connect to the SSID using > username & password1; these credentials are then stored in the > keychain > > - If I change my password to, say, "password2", then the next time I > connect, the Mac fails authentication > > It seems that the Mac, if failing authentication, never prompts for > the username & password to be reentered. > > Our university is soon to roll-out and enforce a 90-day password > policy, and I am concerned that users will be unable to authenticate > and forced to remove the password from their keychain. > > Have any of you run into this similar issue? If so, how do handle > this behavior? (I don't recall it being this way in MacOS 10.6 or > 10.5) > > ========== > Ryan Holland > Network Engineer, Wireless > Office of the Chief Information Officer The Ohio State University > 614-292-9906 [email protected]<mailto:[email protected]> > <mailto:[email protected]> > > /Submit a Kudos to an OCIO employee! > <http://www.surveygizmo.com/s/514095/giveociokudos>/ > > ********** Participation and subscription information for this > EDUCAUSE Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > ********** Participation and subscription information for this > EDUCAUSE Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > --------------------------------------------------------------------- > --- > > > This e-mail message (including any attachments) is for the sole use > of the intended recipient(s) and may contain confidential and > privileged information. If the reader of this message is not the > intended recipient, you are hereby notified that any dissemination, > distribution or copying of this message (including any attachments) > is strictly prohibited. > > If you have received this message in error, please contact the sender > by reply e-mail message and destroy all copies of the original > message (including attachments). > > ********** Participation and subscription information for this > EDUCAUSE Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > ********** Participation and subscription information for this > EDUCAUSE Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > --------------------------------------------------------------------- > --- > > Not spam > Forget previous vote > ********** Participation and subscription information for this > EDUCAUSE Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/groups/. > > > -- > > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/groups/. > > > -- > BEGIN-ANTISPAM-VOTING-LINKS > ------------------------------------------------------ > > Teach CanIt if this mail (ID 1250690977) is spam: > Spam: https://antispam.osu.edu/b.php?i=1250690977&m=3e5b7d3dd848&c=s > Not spam: https://antispam.osu.edu/b.php?i=1250690977&m=3e5b7d3dd848&c=n > Forget vote: https://antispam.osu.edu/b.php?i=1250690977&m=3e5b7d3dd848&c=f > ------------------------------------------------------ > END-ANTISPAM-VOTING-LINKS > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
