"It also appears specific to certs based on 2048 bit keys. Also there is no cert validation delay upon initial connect... only when attempting to reauth... ie after a death or a roam event."
Correct. FYI, Cloudpath (XPC) has a way to configure the SSL Trust settings now.

Marcelo Lew
Wireless Network Architect & Engineer
University Technology Services
University of Denver
Desk: (303) 871-6523
Cell: (303) 669-4217
Fax: (303) 871-5900
Email: [email protected]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Travis Schick
Sent: Thursday, January 23, 2014 10:10 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] OS X 802.1x auth issue

It doesn't happen for TLS....(where clients are authenticated using a cert your PKI infrastructure has provided) but appears specific for PEAP and TTLS - where the client uses a password to authenticate. It also appears specific to certs based on 2048 bit keys. Also there is no cert validation delay upon initial connect... only when attempting to reauth... ie after a death or a roam event.

-Travis

On Thu, Jan 23, 2014 at 6:58 AM, Turner, Ryan H <[email protected]> wrote:

I am going to plead some ignorance here, and see if people can connect the dots... We use 802.1X (TLS), and we use Godaddy Certs for our radius server. The clients are set to verify the server certificates. When I look at the installed certificates, I see information for CRLs. Yet, I connect almost instantaneously with our SSIDs. Why do some of you seem to be having such an issue with this, and I don't seem to?
Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Ian McDonald
Sent: Thursday, January 23, 2014 9:52 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] OS X 802.1x auth issue

I certainly do have concerns about this being the right way to 'fix' the issue. Sticking plaster on the client behaviour this is..

Thanks
--
ian
Sent from my phone, please excuse brevity and misspelling.

________________________________
From: Dan Brisson <[email protected]>
Sent: 23/01/2014 14:41
To: [email protected]
Subject: Re: [WIRELESS-LAN] OS X 802.1x auth issue

+1 to that.

-dan

On 1/23/2014 9:28 AM, Wright, Don wrote:

Anyone have concerns about making the trust setting changes to the certificate chain? I'm thinking of the intermediate certs mostly. Setting "always trust" on a client machine just makes me a little uncomfortable.

- Don

On Tue, Jan 21, 2014 at 12:13 PM, Ian McDonald <[email protected]> wrote:

I'd be more interested in a method for doing this in a .mobileconfig file, or for them to fix it in a manner that doesn't involve us having to mess about on the clients.

-- ian

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Michael Dickson
Sent: 21 January 2014 17:06
To: [email protected]
Subject: Re: [WIRELESS-LAN] OS X 802.1x auth issue

Is anyone working on (or successfully implemented) a scalable, automated(?) solution to change the SSL to 'Always Trust' for target certs and distributed this to their client devices en masse?
x-press-con-nect folks offered a glimmer of hope for adding this feature to their routine but I was wondering if we could do something quicker. Has anyone tweaked Apple's command - suggested in their KB article - into an Applescript for distribution? As the cert is already installed on the devices I would think some modification is needed.

http://support.apple.com/kb/TS5258

Michael Dickson
Network Analyst
Office of Information Technologies
University of Massachusetts Amherst
Voice 413.545.9639

On Jan 21, 2014, at 7:41 AM, Tim Cappalli <[email protected]> wrote:

> Absolutely! This is huge. They never, ever (ever ever ever) admit there is an
> issue. Maybe we're seeing some change at the fruit?
>
> (Unlikely, but it's nice to dream)
>
> Tim Cappalli | ACCP / ACMP / CCNA
> Network Engineer | Brandeis University
> [email protected] | (617) 701-7149
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:[email protected]]
> On Behalf Of Joel Coehoorn
> Sent: Friday, January 17, 2014 7:58 PM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] OS X 802.1x auth issue
>
> Even acknowledging the issue is a huge help for me: Mac people have a hard
> time believing Apple could possibly have done anything wrong with their
> device until you have something like this to point to. Until Apple's own
> recommendation is to change the setting on the device, their view is the
> problem *must* be in the network.
>
> Sent from my iPad
>
> On Jan 17, 2014, at 5:14 PM, Marcelo Lew <[email protected]> wrote:
>
> Looks like Apple finally sort of "admitted" to an issue with 802.1x
> authentication, several months later and most of us already knew this
> work around, but better late than never :)
>
> http://support.apple.com/kb/TS5258
>
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
