From our experience, this is normal.  Apple does some caching with its 
certificate.  If the certificate that is being offered from the server differs, 
they appear to complain.  From my experience, there is a dialogue box that will 
come up on screen telling the users to accept a new certificate.  I suspect 
this interferes with EAP authentication because the time it takes to accept a 
new certificate from the server will expire the EAP timer value, and after the 
cert is accepted, the machine will reauthenticate.

I think if I were in your shoes, I would pick a few client MAC addresses in the 
logs, and look at their sessions and make sure they are connected now.  I will 
bet you'll see them connected just fine.

In any event, when we do a certificate change on our authentication servers, we 
issue campus-wide change notices as a result of some of the aggravation.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Thursday, October 24, 2013 7:38 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless authentication issue after certificate 
renew

I assumed you configured your client to explicitly trust the ACS server 
certificate. In our setup, only the root & intermediate certificates are 
configured on the client. We can then update our server certificates without 
any issue as long as we continue to use the same certificate chain.

Unfortunately, we are preparing to move to a new certificate chain :(


Bruce Osborne
Network Engineer
IT Network Services
 (434) 592-4229
 
Liberty University  |  Training Champions for Christ since 1971

-----Original Message-----
From: Dennis Xu [mailto:d...@uoguelph.ca] 
Sent: Wednesday, October 23, 2013 3:40 PM
Subject: Re: Wireless authentication issue after certificate renew

Thanks Bruce. Our ACS server is configured to send all intermediate CAs to 
clients together (so the client can chain the certificate all the way to its 
trusted root authority) with the server certificate and we are renewing the 
certificate with the same CN name and same trust chain. I talked with our 
certificate provider Thawte and they said it is Apple's issue. Could you let me 
know how the CloudPath XpressConnect Wizard can avoid this issue? 

---
Dennis Xu
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS) University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs

----- Original Message -----
From: "Bruce W Osborne (Network Services)" <bosbo...@liberty.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Friday, October 11, 2013 7:48:23 AM
Subject: Re: [WIRELESS-LAN] Wireless authentication issue after certificate 
renew

We use CloudPath XpressConnect Wizard to provision our clients. It only pushed 
the upstream certificate chain for trust, not the actual server certificates. 
You can seamlessly renew your certificates if you keep the same trust chain.


Bruce Osborne
Network Engineer
IT Network Services
 (434) 592-4229
 
Liberty University  |  Training Champions for Christ since 1971

-----Original Message-----
From: Dennis Xu [mailto:d...@uoguelph.ca]
Sent: Thursday, October 10, 2013 1:51 PM
Subject: Wireless authentication issue after certificate renew

This morning we installed the certificate renewal on our ACS 5.3 servers. The 
certificate is used for wireless PEAP authentication. After the renewal, we 
noticed some 5411 EAP timeout errors in ACS logs and the error mainly happened 
for Apple devices. When we checked it on one iPhone, it could not automatically 
connect to the wireless network (it used to connect automatically). Then we had 
to manually connect to the network again and acknowledge the certificate on the 
iPhone before it could connect. Android and BlackBerry devices do not have this 
issue. I am wondering what we can do to make the certificate renewal process 
seamless. Has anyone experienced this issue as well and do you have any 
solutions? Thanks in advance. 

---
Dennis Xu
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS) University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
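
Added example (not part of the thread or of any poster's configuration): a bash/openssl sketch of the two client trust models discussed above, one pinned to the exact server certificate and one anchored on the issuing CA, run against a renewal that keeps the same CN and the same chain. The CA, the server name radius.example.edu and all file names are constructed for the demo; the leaf-pinned model is an assumption about how a client that remembers the server certificate behaves.

```bash
#!/usr/bin/env bash
# Constructed demo: every name, subject and file here is made up for illustration.
set -eu
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$demo_dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# Demo root CA: the only thing the CA-anchored client is provisioned with.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$demo_dir/demo.cnf" \
  -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.pem" 2>/dev/null

issue_leaf() {  # $1 = file prefix; same CN and same issuer on every call
  openssl req -new -newkey rsa:2048 -nodes -config "$demo_dir/demo.cnf" \
    -subj "/CN=radius.example.edu" \
    -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.csr" 2>/dev/null
  openssl x509 -req -in "$demo_dir/$1.csr" -days 365 -CA "$demo_dir/ca.pem" \
    -CAkey "$demo_dir/ca.key" -CAcreateserial -out "$demo_dir/$1.pem" 2>/dev/null
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Model A: client remembers the exact server certificate it accepted earlier.
leaf_pin_ok() { [ "$(fingerprint "$2")" = "$1" ]; }   # $1 = pinned fp, $2 = cert

# Model B: client trusts the CA and checks the expected server name.
chain_ok() {
  openssl verify -CAfile "$demo_dir/ca.pem" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -subject | grep -qF "radius.example.edu"
}

issue_leaf old        # certificate in service before the renewal
issue_leaf renewed    # renewal: new key and serial, same CN, same chain
old_fp=$(fingerprint "$demo_dir/old.pem")

for cert in old renewed; do
  leaf_pin_ok "$old_fp" "$demo_dir/$cert.pem" && pin=accept || pin="prompt or reject"
  chain_ok "$demo_dir/$cert.pem" && chain=accept || chain=reject
  echo "$cert: leaf-pinned client -> $pin; CA-anchored client -> $chain"
done
```

Only the leaf-pinned model notices the renewal; the CA-anchored model accepts both certificates because the issuer and server name are unchanged.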
