It doesn't happen for TLS... (where clients are authenticated using a cert your PKI infrastructure has provided) but appears specific for PEAP and TTLS - where the client uses a password to authenticate.
It also appears specific to certs based on 2048-bit keys. Also there is no cert validation delay upon initial connect... only when attempting to reauth... i.e. after a deauth or a roam event.

-Travis

On Thu, Jan 23, 2014 at 6:58 AM, Turner, Ryan H <[email protected]> wrote:

> I am going to plead some ignorance here, and see if people can connect the dots…
>
> We use 802.1X (TLS), and we use Godaddy Certs for our radius server. The clients are set to verify the server certificates. When I look at the installed certificates, I see information for CRLs. Yet, I connect almost instantaneously with our SSIDs. Why do some of you seem to be having such an issue with this, and I don’t seem to?
>
> Ryan H Turner
> Senior Network Engineer
> The University of North Carolina at Chapel Hill
> CB 1150 Chapel Hill, NC 27599
> +1 919 445 0113 Office
> +1 919 274 7926 Mobile
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] *On Behalf Of* Ian McDonald
> *Sent:* Thursday, January 23, 2014 9:52 AM
> *To:* [email protected]
> *Subject:* Re: [WIRELESS-LAN] OS X 802.1x auth issue
>
> I certainly do have concerns about this being the right way to 'fix' the issue. Sticking plaster on the client behaviour this is..
>
> Thanks
>
> --
> ian
>
> Sent from my phone, please excuse brevity and misspelling.
> ------------------------------
> *From:* Dan Brisson <[email protected]>
> *Sent:* 23/01/2014 14:41
> *To:* [email protected]
> *Subject:* Re: [WIRELESS-LAN] OS X 802.1x auth issue
>
> +1 to that.
>
> -dan
>
> On 1/23/2014 9:28 AM, Wright, Don wrote:
>
> Anyone have concerns about making the trust setting changes to the certificate chain? I'm thinking of the intermediate certs mostly. Setting "always trust" on a client machine just makes me a little uncomfortable.
>
> - Don
>
> On Tue, Jan 21, 2014 at 12:13 PM, Ian McDonald <[email protected]> wrote:
>
> I'd be more interested in a method for doing this in a .mobileconfig file, or for them to fix it in a manner that doesn't involve us having to mess about on the clients.
>
> --
> ian
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Michael Dickson
> Sent: 21 January 2014 17:06
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] OS X 802.1x auth issue
>
> Is anyone working on (or successfully implemented) a scalable, automated(?) solution to change the SSL to 'Always Trust' for target certs and distributed this to their client devices en masse? x-press-con-nect folks offered a glimmer of hope for adding this feature to their routine but I was wondering if we could do something quicker.
>
> Has anyone tweaked Apple's command - suggested in their KB article - into an Applescript for distribution? As the cert is already installed on the devices I would think some modification is needed.
>
> http://support.apple.com/kb/TS5258
>
> Michael Dickson
> Network Analyst
> Office of Information Technologies
> University of Massachusetts Amherst
> Voice 413.545.9639
>
> On Jan 21, 2014, at 7:41 AM, Tim Cappalli <[email protected]> wrote:
>
> > Absolutely! This is huge. They never, ever (ever ever ever) admit there is an issue. Maybe we're seeing some change at the fruit?
> >
> > (Unlikely, but it's nice to dream)
> >
> > Tim Cappalli | ACCP / ACMP / CCNA
> > Network Engineer | Brandeis University [email protected] | (617) 701-7149
> >
> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Joel Coehoorn
> > Sent: Friday, January 17, 2014 7:58 PM
> > To: [email protected]
> > Subject: Re: [WIRELESS-LAN] OS X 802.1x auth issue
> >
> > Even acknowledging the issue is a huge help for me: Mac people have a hard time believing Apple could possibly have done anything wrong with their device until you have something like this to point to. Until Apple's own recommendation is to change the setting on the device, their view is the problem *must* be in the network.
> >
> > Sent from my iPad
> >
> > On Jan 17, 2014, at 5:14 PM, Marcelo Lew <[email protected]> wrote:
> >
> > Looks like Apple finally sort of "admitted" to an issue with 802.1x authentication, several months later and most of us already knew this workaround, but better late than never :)
> >
> > http://support.apple.com/kb/TS5258
> >
> > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
