Forgot to mention, for this tweak to work, we had to enable both OKC and PMKID.
Marcelo Lew
Wireless Network Architect & Engineer
University Technology Services
University of Denver
Desk: (303) 871-6523 Cell: (303) 669-4217 Fax: (303) 871-5900
Email: [email protected]

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Marcelo Lew [[email protected]]
Sent: Wednesday, October 23, 2013 10:21 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Mac OS X Best Current Practices

We have the same setup as yours; not sure who your cert issuer is, we use Thawte. I was able to fix the issue by adding the intermediate cert (Thawte SSL CA) as a root cert in the client keychain, and changing the trust level for SSL to Always Trust. We use XpressConnect for provisioning clients, so I was able to add the Thawte SSL CA as a root cert automatically, but XpressConnect still does not have a way of trusting the SSL part of the cert, only EAP. So for clients with issues, we do it manually for now. Not sure why the SSL tweak would work, since it should be the EAP setting that comes into play.

Marcelo Lew
Wireless Network Architect & Engineer
University Technology Services
University of Denver
Desk: (303) 871-6523 Cell: (303) 669-4217 Fax: (303) 871-5900
Email: [email protected]

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Wright, Don [[email protected]]
Sent: Wednesday, October 23, 2013 9:40 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Mac OS X Best Current Practices

Since these questions get to what people are doing to deal with Apple MacOS and iOS clients, I'm curious as to what issues, if any, others on the list are seeing. Here's mine.

* MacOS mid-2012 to recent MacBooks are randomly dropping off the WLAN
* The above MacBooks take 30 seconds or more to reconnect when roaming to APs

Apple has produced a patch specifically for mid-2013 MacBook Airs, but nothing for the other models.
If you are also seeing these issues on your campus, what EAP type, certificate size and wireless vendor are you using? We are using EAP-TTLS, 2048-bit certificates and Aruba wireless.

To Jason's question:

* Apple configs: none that I know of (except the cert settings below).
* Aruba configs: in the 802.1x profile, turn off OKC (Apple doesn't support it anyway) and turn on Validate PMKID.
* General Wifi configs: turn on band-steering (may or may not help depending on your coverage), client certificates should always trust EAP and SSL, and remove revocation settings.

Also see Travis Schick's in-depth post regarding the ID request timer.

- Don Wright
Brown University

On Wed, Oct 23, 2013 at 9:56 PM, Jason Healy <[email protected]> wrote:

Hello all,

Over the past weeks/months there have been a few threads about Mac OS X, and various tidbits about tweaks, configs, changes, and other items that help with the different problems. I'm hoping to roll these all together on this thread for easier reference.

We're an all-Apple campus with an Aruba setup and 802.1X (PEAP) for our primary SSID. We push the server cert out to all clients, and then they authenticate with their normal LDAP credentials. It works "most of the time", but there are always issues here and there. I just want to make sure we're doing what we should to help the user experience.

I'd appreciate any:

- Apple configs (settings on the client)
- Aruba configs (if there are specific settings there)
- General Wifi configs (e.g., raising auth timers, band steering, certificate sizes, etc.)

Please share any changes you make to a vanilla system to help the Macs along...

Thanks,

Jason

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
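The thread's workaround (promoting the issuing CA to a trusted root and setting SSL to Always Trust) extends that trust to every TLS connection on the Mac. A configuration profile can instead anchor the CA for EAP only and pin the RADIUS server name; the profile below is an added example, not from the thread or from XpressConnect, and its SSID, identifiers, UUIDs, server name and certificate data are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>edu.example.wifi.campus-profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadDisplayName</key><string>Campus 802.1X (example)</string>
  <key>PayloadContent</key>
  <array>
    <!-- Certificate payload: the CA that issued the RADIUS server cert.
         Delivered inside the profile, so it is NOT added as a system-wide
         "Always Trust" root; the Wi-Fi payload references it by UUID. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>edu.example.ca.radius-issuer</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-0000000000CA</string>
      <key>PayloadDisplayName</key><string>RADIUS issuing CA (placeholder)</string>
      <key>PayloadContent</key>
      <data>BASE64_DER_CERTIFICATE_PLACEHOLDER</data>
    </dict>
    <!-- Wi-Fi payload: PEAP (EAP type 25) as in Jason's setup. For Don's
         EAP-TTLS the type is 21 plus a TTLSInnerAuthentication key. -->
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>edu.example.wifi.campus-secure</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>SSID_STR</key><string>Campus-Secure</string>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>25</integer></array>
        <!-- Trust scoped to EAP: only this CA anchors the server chain ... -->
        <key>PayloadCertificateAnchorUUID</key>
        <array><string>00000000-0000-0000-0000-0000000000CA</string></array>
        <!-- ... and only this server name is accepted in the cert. -->
        <key>TLSTrustedServerNames</key>
        <array><string>radius.example.edu</string></array>
        <!-- Do not let users click through an untrusted server cert. -->
        <key>TLSAllowTrustExceptions</key><false/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

With the anchor and server name set in the profile, the client validates the RADIUS certificate against that CA alone, so the keychain-level SSL trust change the thread describes is not needed.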
