I have found that this delay will go away if the cert used for WPA2 auth is updated to also always trust for SSL.
find the cert in Keychain Access - then under trust settings add Secure Socket Layer (ssl) - by default only EAP and X.509 is explicitly trusted Unfortunately this is something that needs to be changed on each client device - and one needs root/admin priv on the macbook to make the change. On Thu, Sep 26, 2013 at 8:28 AM, Jeffrey Sessler <[email protected]>wrote: > Based on the feedback I'm starting to think that the delay in auth is > triggering a login fail on the Cisco side, and after three attempts, it's > excluding the client for 15 mins. > > One of my students said: "The WPA WiFi just goes away and then I can't > connect to any of the SSIDs (WPA, portal, open) - after 15 mins it starts > working again." I'm also seeing a significant increase in the excluded > clients count. > > In one residential hall, I found a few AP's not on the same controller, > and moved them all to the same, and it does appear to help, especially for > those between AP's. > > Jeff > > >>> On Wednesday, September 25, 2013 at 11:33 PM, in message < > 9b14e007db035b49b466f094e5a6ed3638f25...@mailmb02.ad.adelaide.edu.au>, > Jason Cook <[email protected]> wrote: > > Thanks Mike, > A bit of playing has shown why we haven’t had too many complaints, but > when there is one we know why. The one user that had issues every couple of > minutes was in between 2 AP’s, but each AP had a different controller > backend so re-auth. Migrated so that both AP’s were on the same controller > and issue went way. Well it’s still there, however the trigger event for a > re-auth is much less so the impact is minimal. Typically we keep all AP’s > in a building on the same controller.**** > > Jeff, > We have Cisco so yes, but we don’t have a guest portal. If a client can’t > connect it normally falls back to the next available in the wlan list. ** > ** > > ** ** > > ** ** > > --**** > > Jason Cook**** > > Technology Services**** > > The University of Adelaide, AUSTRALIA 5005**** > > Ph : +61 8 8313 4800**** > > ** ** > > *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: > [email protected]] *On Behalf Of *Jeffrey Sessler > *Sent:* Wednesday, 25 September 2013 1:41 AM > *To:* [email protected] > *Subject:* Re: [WIRELESS-LAN] Problems with new Apple Laptops**** > > ** ** > > Are Cisco customers seeing this as well? I'm seeing a number of Macs > falling back to a guest portal from our WPA2, and I'm wondering if this > problem is related to it.**** > > **** > > Jeff > > >>> On Tuesday, September 24, 2013 at 6:24 AM, in message < > CAHh=-9XjmX=fbwata0glcjb4pna8hao628yarc3zc1t29lt...@mail.gmail.com>, > "Hanson, Mike" <[email protected]> wrote:**** > > Jason,**** > > ** ** > > Here is more information from an Aruba wireless forum. Seems to be an > issue with Macs and certs.**** > > ** ** > > > http://community.arubanetworks.com/t5/groups/groupmessagepage/board-id/edu/message-id/200#M200 > **** > > ** ** > > Mike**** > > ** ** > > ** ** > > Mike Hanson, CISSP > Network Security Manager > The College of St. Scholastica > Duluth, MN 55811**** > > ** ** > > ** ** > > ** ** > > ** ** > > On Mon, Sep 23, 2013 at 7:59 PM, Jason Cook <[email protected]> > wrote:**** > > Just wondering what the various workarounds people have tried with any > success at all to this issue? The first patch doesn’t appear to have done > the job, and who knows when the final fix will come. I seem to remember it > took Intel the best part of a year to resolve 802.11n issues in their 5000 > series cards. **** > > We had one user who was getting dropouts every couple of minutes with > sometimes an almost instant re-connect to minutes. This was after > installing the update patch. The device has no such issues however on a > WPA2/AES-PSK network. This has been good to provide a solution there, > however PSK’s are not overly scalable for a campus.**** > > Another user reports that disabling v6 & some sleep settings have helped > the situation somewhat. I’m hoping to get more information on that sometime > today. **** > > I see Travis mentioned below an idrequest time-out increase from 5-30 > seconds on Aruba.**** > > I’m doing a bit of research now and considering little session of testing > later in the week so was interested to see what people have tried and how > much it’s helped. Either client or network side.**** > > --**** > > Jason Cook**** > > Technology Services**** > > The University of Adelaide, AUSTRALIA 5005**** > > Ph : +61 8 8313 4800**** > > *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: > [email protected]] *On Behalf Of *Shandon Bates > *Sent:* Saturday, 20 July 2013 10:19 AM > *To:* [email protected] > *Subject:* Re: [WIRELESS-LAN] Problems with new Apple Laptops**** > > Should be patch issued... > > Sent from my iPhone**** > > > On Jul 19, 2013, at 5:10 PM, "Shandon Bates" <[email protected]> wrote:* > *** > > Patch issues for air issues.**** > > ** ** > > ** ** > > http://mashable.com/2013/07/19/macbook-air-wifi-fix/**** > > > Sent from my iPhone**** > > > On Jul 19, 2013, at 4:53 PM, "Travis Schick" <[email protected]> wrote: > **** > > I've been getting reports of issues with macbooks on our > wpa2-enterprise ssid - then I finally got one and was able to do some hands > on troubleshooting.**** > > It appeared the mac would decide to roam - but then would fail to auth - > and get stuck in authentication step - wifi menu icon just cycling like no > connection. Worked with our vendor (aruba) and decided to increase the > default idrequest timeout from 5 sec to 30sec. I think there's something > going on when reauthenticating to another AP on the same ssid. tunnel setup > takes a while on the macbook - I think it may be related to the cert - > using the incommon cert - so have server cert incommon intermediate and > addtrust root ca... this is a chunk of data that gets fragmented... not > sure if the mac doesn't like reassembling it - takes exception to it > comming from a new bssid or what. But it does look like increasing the > timeout helps... still a few second without connectivity - but sure as heck > beats the macbook getting stuck in its authentication step and staying > offline until user intervenes.**** > > so still looking into it, but perhaps that info might prove helpful to > others.**** > > macbook is running 10.8.4 - and I was running that prior to changing my > timer settings.**** > > Travis Schick**** > > UCDavis Network Operations Center**** > > . **** > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. **** > > ** ** > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. **** > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. **** > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
