Lee, I was the one that submitted that bug id. I know their database knows about it, but I'm less confident that Apple engineers know about it. I guess we will see with the next 10.7 update that comes out. . .
=========== Ryan Holland (sent while mobile) On Sep 1, 2011, at 10:25 PM, "Lee H Badman" <[email protected]> wrote: > Has an Apple bug ID, posted previously on this list:) > ________________________________________ > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [[email protected]] On Behalf Of Holland, Ryan > [[email protected]] > Sent: Thursday, September 01, 2011 10:06 PM > To: [email protected] > Subject: Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets > > Is that posted somewhere? How is it known that it is known? > > =========== > Ryan Holland > (sent while mobile) > > On Sep 1, 2011, at 8:48 PM, "Lee H Badman" <[email protected]> wrote: > >> Known apple bug. >> ________________________________________ >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv >> [[email protected]] On Behalf Of Ryan Holland >> [[email protected]] >> Sent: Thursday, September 01, 2011 2:35 PM >> To: [email protected] >> Subject: Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets >> >> Matt (sorry for the delay), >> >> I'm making an assumption that when you say "we were able to change our >> password correctly", you did that be changing it in Lion? >> >> The issue I was referring to is this: >> - via your institution's account management service, create "password1" and >> use it to connect to your SSID >> - "password1" is stored in the keychain on the Lion machine >> - via your institution's account management service, change password to >> "password2" >> - Turn on Wi-Fi on the Lion machine and it'll try and use "password1", which >> is stored in the keychain. It'll fail and wait ~60seconds before trying >> again with "password1". In my testing, I was never prompted to re-enter my >> password. Thus, flushing keychain was the only option. >> >> ========== >> Ryan Holland >> Network Engineer, Wireless >> Office of the Chief Information Officer >> The Ohio State University >> 614-292-9906 [email protected]<mailto:[email protected]> >> >> Submit a Kudos to an OCIO >> employee!<http://www.surveygizmo.com/s/514095/giveociokudos> >> >> On Aug 15, 2011, at 5:27 PM, Matt Pendleton wrote: >> >> Hello all, >> >> We tested for this bug on our test OS X Lion device and we were able to >> change our password correctly. Did we not do something right to get this >> bug to appear? I want to make sure we tried everything as our students will >> be returning starting this Wednesday. >> >> Thanks, >> >> Matt >> >> >> >> >> Matt Pendleton | Systems & Network Administrator >> University of Florida Department of Housing and Residence Education >> PO Box 112100 | Gainesville, FL 32611-2100 >> office 352.392.2171 x10107 | fax 352.392.6819 | >> [email protected]<mailto:[email protected]> >> Before printing this email think if it is necessary. >> >> -------- Original Message -------- >> Subject: Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets >> Date: Tue, 9 Aug 2011 14:26:40 -0400 >> From: Holland, Ryan C. <[email protected]<mailto:[email protected]>> >> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv >> <[email protected]<mailto:[email protected]>> >> To: >> [email protected]<mailto:[email protected]> >> >> >> >> All, >> >> Per advice from our Apple rep, I have submitted Apple BUG# 9922069. If you >> would, please also submit bug entries for this so they understand the affect >> of this issue. For your ease of submission, here's what I >> submitted: >> >> 09-Aug-2011 02:23 PM Ryan Holland: >> Summary: >> After successfully authenticating via 802.1X to an enterprise Wi-Fi >> network, credentials are stored in Keychain correctly. If the >> username/password are changed on the enterprise side (i.e., user >> changes their password), OS 10.7 continues to use the stored keychain >> item and never prompts the user to reenter their username and >> password. Authentication continuously fails. >> >> Steps to Reproduce: >> 1.) Connect to an 802.1X authenticated WPA2-AES enterprise Wi-Fi >> network (like most higher education institutions) and verify >> credentials are stored in the keychain. >> 2.) Change username and password via the authentication database >> 3.) Disconnect from Wi-Fi on the 10.7 machine. >> 4.) Reconnect/reauthenticate to Wi-Fi >> At this point, reconnection is not possible. >> >> Expected Results: >> OS 10.7 will use the keychain with the now-incorrect username and >> password. Upon failed authentication, the UI should prompt the user to >> reenter their username and password. User would enter their >> now-correct username and password, successfully authenticate, and OS >> 10.7 would update the keychain entry appropriately. >> >> Actual Results: >> UI never prompts for now-correct username and password. Authentication >> continuously fails. >> >> Regression: >> User must manually remove any and all related keychain items that have >> the stored username and password. Then, OS 10.7 UI will prompt user >> for NEW username and password. >> >> Notes: >> Regression is workable on a case-by-case basis. However, we have >> 10,000+ mac users and a 90-day password policy that is enforced. With >> this current bug, users will have to tinker with their keychain at >> least every 90 days. >> >> Please email me at [email protected]<mailto:[email protected]> >> <mailto:[email protected]> or >> call at 614-292-9906 to discuss this matter further. >> **THIS NEEDS TO BE PRIORITIZED, AS NUMEROUS UNIVERSITIES ARE AFFECTED >> BY THIS BUG** >> >> ========== >> Ryan Holland >> Network Engineer, Wireless >> Office of the Chief Information Officer >> The Ohio State University >> 614-292-9906 [email protected]<mailto:[email protected]> >> <mailto:[email protected]> >> >> >> On Aug 5, 2011, at 11:44 AM, Holland, Ryan C. wrote: >> >> All, >> >> I used the iPhone configuration utility to create a .mobileconfig >> file, as recommended by apple. Upon double-clicking, it prompts to >> install the profile, and you can optionally enter a username and >> password at that time. Either once you enter those and finish profile >> installation, or if you skip entering there and later enter username >> and password connecting, either way an entry is added to the keychain. >> THEN, if the user changes their password, that keychain entry is still >> there and is used, continuously failing auth. Only workaround I've >> found is to delete the keychain, which results in user prompted for >> username and password, at which point a new keychain item is created. >> >> I think this is more of a keychain behavior problem.....or just a WiFi >> problem on the Apple. Regardless, the Mac supplicant's behavior should >> not try and be stubbornly using wrong credentials over and over. "That >> password didn't work?! Hmm. Maybe I should try it again. Didn't work >> again? Hmm. Maybe I should try it again. Dang! How about now? no!? >> Hmm.... Now?......" >> >> At this point, Xpressconnect is not an option for us. Also, we can't >> not do 802.1X. Right now, the only I do I have is bold face text on >> the WebUI where users change their password stating that Mac users >> *must* delete their keychain, etc. >> >> Additional ideas? >> >> =========== >> Ryan Holland >> >> On Aug 5, 2011, at 11:06 AM, "Palmer IV, Daniel" >> <[email protected]<mailto:[email protected]> >> <mailto:[email protected]>> wrote: >> >> That was going to be my point. That profile can be for the user or >> for the machine. We are using a user based profile that we modify >> via script and "slurp" in to create our connection. (Cannot say >> which id is being used to validate though, have not had time to test >> that). >> >> dp >> >> *Daniel Palmer >> *University Technology Services (UTS) Emory University Atlanta, GA >> 30322 >> 404.727.5297 (office) >> 404.213.1643 (mobile) >> >> >> >> From: David Blahut <[email protected]<mailto:[email protected]> >> <mailto:[email protected]>> >> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv >> <[email protected]<mailto:[email protected]> >> <mailto:[email protected]>> >> Date: Fri, 5 Aug 2011 11:00:24 -0400 >> To: >> <[email protected]<mailto:[email protected]> >> <mailto:[email protected]>> >> Subject: Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets >> >> Great question, I was surprised to not see the + in the 802.1X >> window. When I associated to the secure SSID a dialog box popped up >> asking for username and password. I think the credentials are added >> to the keychain at that point. >> >> You can also use Lion server to create a profile. I haven't tested >> this but more information can be found here: >> http://support.apple.com/kb/HT4772 >> >> -d >> >> *From:*The EDUCAUSE Wireless Issues Constituent Group Listserv >> [mailto:[email protected]] *On Behalf Of *Palmer IV, >> Daniel >> *Sent:* Friday, August 05, 2011 9:43 AM >> *To:* >> [email protected]<mailto:[email protected]> >> <mailto:[email protected]> >> *Subject:* Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets >> >> In your test machine... How did you create your 802.1x profile? >> >> dp >> >> *Daniel Palmer** >> *University Technology Services (UTS) Emory University Atlanta, GA >> 30322 >> 404.727.5297 (office) >> 404.213.1643 (mobile) >> >> *From: *David Blahut <[email protected]<mailto:[email protected]> >> <mailto:[email protected]>> >> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv >> <[email protected]<mailto:[email protected]> >> <mailto:[email protected]>> >> *Date: *Fri, 5 Aug 2011 09:13:43 -0400 >> *To: >> *<[email protected]<mailto:[email protected]> >> <mailto:[email protected]>> >> *Subject: *Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets >> >> I did some Lion testing yesterday on our 802.1X secured SSID and >> discovered the following while watching the RADIUS logs: >> >> The laptop had two accounts set up on it, mine and another 'tester'. >> If you simply switched users the machine would reauthenticate but >> still use the other username/password (the account switching from). >> >> If the laptop was restarted or shut down and started back up the >> correct username/password would be used to log into the wireless no >> matter what user was logged in when the restart was initiated. >> >> I don't necessarily think this is a big problem in our environment >> but I can see where it could be in others. >> >> -d >> >> *From:*The EDUCAUSE Wireless Issues Constituent Group Listserv >> [mailto:[email protected]] *On Behalf Of *Holland, >> Ryan C. >> *Sent:* Thursday, August 04, 2011 5:01 PM >> *To:* >> [email protected]<mailto:[email protected]> >> <mailto:[email protected]> >> *Subject:* [WIRELESS-LAN] MacOS Lion & Wireless Password Resets >> >> I have finally got my hands on MacOS 10.7 (lion) and have started >> running it through wireless tests. One item I find very worrisome is >> this: >> >> - Via WPA2-Enterprise (PEAP/MSCHAPv2), I connect to the SSID using >> username & password1; these credentials are then stored in the >> keychain >> >> - If I change my password to, say, "password2", then the next time I >> connect, the Mac fails authentication >> >> It seems that the Mac, if failing authentication, never prompts for >> the username & password to be reentered. >> >> Our university is soon to roll-out and enforce a 90-day password >> policy, and I am concerned that users will be unable to authenticate >> and forced to remove the password from their keychain. >> >> Have any of you run into this similar issue? If so, how do handle >> this behavior? (I don't recall it being this way in MacOS 10.6 or >> 10.5) >> >> ========== >> Ryan Holland >> Network Engineer, Wireless >> Office of the Chief Information Officer The Ohio State University >> 614-292-9906 [email protected]<mailto:[email protected]> >> <mailto:[email protected]> >> >> /Submit a Kudos to an OCIO employee! >> <http://www.surveygizmo.com/s/514095/giveociokudos>/ >> >> ********** Participation and subscription information for this >> EDUCAUSE Constituent Group discussion list can be found at >> http://www.educause.edu/groups/. >> >> ********** Participation and subscription information for this >> EDUCAUSE Constituent Group discussion list can be found at >> http://www.educause.edu/groups/. >> >> --------------------------------------------------------------------- >> --- >> >> >> This e-mail message (including any attachments) is for the sole use >> of the intended recipient(s) and may contain confidential and >> privileged information. If the reader of this message is not the >> intended recipient, you are hereby notified that any dissemination, >> distribution or copying of this message (including any attachments) >> is strictly prohibited. >> >> If you have received this message in error, please contact the sender >> by reply e-mail message and destroy all copies of the original >> message (including attachments). >> >> ********** Participation and subscription information for this >> EDUCAUSE Constituent Group discussion list can be found at >> http://www.educause.edu/groups/. >> >> ********** Participation and subscription information for this >> EDUCAUSE Constituent Group discussion list can be found at >> http://www.educause.edu/groups/. >> >> --------------------------------------------------------------------- >> --- >> >> Not spam >> Forget previous vote >> ********** Participation and subscription information for this >> EDUCAUSE Constituent Group discussion list can be found at >> http://www.educause.edu/groups/. >> >> >> ********** Participation and subscription information for this EDUCAUSE >> Constituent Group discussion list can be found at >> http://www.educause.edu/groups/. >> >> ********** >> Participation and subscription information for this EDUCAUSE Constituent >> Group discussion list can be found at http://www.educause.edu/groups/. >> >> >> -- >> >> >> ********** Participation and subscription information for this EDUCAUSE >> Constituent Group discussion list can be found at >> http://www.educause.edu/groups/. >> >> ********** >> Participation and subscription information for this EDUCAUSE Constituent >> Group discussion list can be found at http://www.educause.edu/groups/. >> >> >> -- >> > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/groups/. > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/groups/. > > > -- > BEGIN-ANTISPAM-VOTING-LINKS > ------------------------------------------------------ > > Teach CanIt if this mail (ID 1250720236) is spam: > Spam: https://antispam.osu.edu/b.php?i=1250720236&m=dab407c78f0f&c=s > Not spam: https://antispam.osu.edu/b.php?i=1250720236&m=dab407c78f0f&c=n > Forget vote: https://antispam.osu.edu/b.php?i=1250720236&m=dab407c78f0f&c=f > ------------------------------------------------------ > END-ANTISPAM-VOTING-LINKS > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
