The problem we had was because we were running freeradius 2.2.6 and I do not remember version of openssl (1.something) which does support TLSv1.2. There would be a problem after authentication with the 4 way handshake. So you would see a user authenticate every 6 second or so and not receive an IP from the Mac paint of view.
Running freeradius 2.2.6 with an older version of openssl (.9 something) would not support TLSv1.2 so no problem. Freeradius 2.2.7 fixes some TLS issues which fixed the issue. I know aruba's clearpass is based on freeradius but not sure how close it is so as one person said they did need to upgrade that as well. On Jul 27, 2015 10:20 AM, "Turner, Ryan H" <[email protected]> wrote: > I have also just pinged our campus users. Already have a lot of users > running the platform with no issues. > > We are running a full EAP-TLS deployment with Aruba Controllers running > 6.4.2.8 running an older 2.1 freeradius. > > Ryan H Turner > Senior Network Engineer > The University of North Carolina at Chapel Hill > CB 1150 Chapel Hill, NC 27599 > +1 919 445 0113 Office > +1 919 274 7926 Mobile > > -----Original Message----- > From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: > [email protected]] On Behalf Of Lee H Badman > Sent: Monday, July 27, 2015 8:48 AM > To: [email protected] > Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta > > I'm polling our Apple adventurists on this. I did talk to one valued > colleague who said he ran 10.11 for a bit on one machine and had no issues > on our WPA2 Cisco campus networks. He's going to build another test machine > and try it again, and hopefully I'll hear from at least a couple of other > bleeding edgers on this end. > > Lee Badman | Network Architect > Information Technology Services > 206 Machinery Hall > 120 Smith Drive > Syracuse, New York 13244 > t 315.443.3003 f 315.443.4325 e [email protected] w its.syr.edu > SYRACUSE UNIVERSITY syr.edu > > -----Original Message----- > From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: > [email protected]] On Behalf Of Julian Y Koh > Sent: Monday, July 27, 2015 8:01 AM > To: [email protected] > Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta > > On Mon Jul 27 2015 01:27:57 CDT, Jason Cook <[email protected]> > wrote: > > > > Also seems worth noting that certs will need to be 1024bit. Our certs > > are 1024 so expecting that to be ok for us > > http://superuser.com/questions/935756/mac-os-el-capitan-10-11-not-able > > -to-connect-to-wifiwpa-2-enterprise > > > > Note that the certificate bit length is different from the Diffie-Hellman > group bit length; the latter is what is referred to in that document. > > Also worth noting is that there are other Apple documents that say that OS > X 10.10.4 and iOS 8.4 require a 2048-bit DH group, so there appears to be > some discrepancy at least in the docs. > > We had to upgrade both ClearPass (6.5.2 plus a patch) and our Aruba > controller code (6.4.2.9) to get both iOS 9 and OS X 10.11 to work with our > 802.1X network. > > > -- > Julian Y. Koh > Associate Director, Telecommunications and Network Services Northwestern > University Information Technology (NUIT) > > 2001 Sheridan Road #G-166 > Evanston, IL 60208 > 847-467-5780 > NUIT Web Site: <http://www.it.northwestern.edu/> PGP Public Key:< > http://bt.ittns.northwestern.edu/julian/pgppubkey.html> > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/groups/. > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/groups/. > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/groups/. > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
