Thanks everyone for the input, greatly appreciated. We are freeradius 2.2.6 and I’m not sure what openssl off the top of my head but it certainly seems a good chance that this is our problem.
Time to get fixing with all this info ☺ -- Jason Cook The University of Adelaide, AUSTRALIA 5005 Ph : +61 8 8313 4800 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Walter Reynolds Sent: Tuesday, 28 July 2015 2:49 AM To: [email protected] Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta The problem we had was because we were running freeradius 2.2.6 and I do not remember version of openssl (1.something) which does support TLSv1.2. There would be a problem after authentication with the 4 way handshake. So you would see a user authenticate every 6 second or so and not receive an IP from the Mac paint of view. Running freeradius 2.2.6 with an older version of openssl (.9 something) would not support TLSv1.2 so no problem. Freeradius 2.2.7 fixes some TLS issues which fixed the issue. I know aruba's clearpass is based on freeradius but not sure how close it is so as one person said they did need to upgrade that as well. On Jul 27, 2015 10:20 AM, "Turner, Ryan H" <[email protected]<mailto:[email protected]>> wrote: I have also just pinged our campus users. Already have a lot of users running the platform with no issues. We are running a full EAP-TLS deployment with Aruba Controllers running 6.4.2.8 running an older 2.1 freeradius. Ryan H Turner Senior Network Engineer The University of North Carolina at Chapel Hill CB 1150 Chapel Hill, NC 27599 +1 919 445 0113 Office +1 919 274 7926 Mobile -----Original Message----- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Lee H Badman Sent: Monday, July 27, 2015 8:48 AM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta I'm polling our Apple adventurists on this. I did talk to one valued colleague who said he ran 10.11 for a bit on one machine and had no issues on our WPA2 Cisco campus networks. He's going to build another test machine and try it again, and hopefully I'll hear from at least a couple of other bleeding edgers on this end. Lee Badman | Network Architect Information Technology Services 206 Machinery Hall 120 Smith Drive Syracuse, New York 13244 t 315.443.3003 f 315.443.4325 e [email protected]<mailto:[email protected]> w its.syr.edu<http://its.syr.edu> SYRACUSE UNIVERSITY syr.edu<http://syr.edu> -----Original Message----- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Julian Y Koh Sent: Monday, July 27, 2015 8:01 AM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta On Mon Jul 27 2015 01:27:57 CDT, Jason Cook <[email protected]<mailto:[email protected]>> wrote: > > Also seems worth noting that certs will need to be 1024bit. Our certs > are 1024 so expecting that to be ok for us > http://superuser.com/questions/935756/mac-os-el-capitan-10-11-not-able > -to-connect-to-wifiwpa-2-enterprise > Note that the certificate bit length is different from the Diffie-Hellman group bit length; the latter is what is referred to in that document. Also worth noting is that there are other Apple documents that say that OS X 10.10.4 and iOS 8.4 require a 2048-bit DH group, so there appears to be some discrepancy at least in the docs. We had to upgrade both ClearPass (6.5.2 plus a patch) and our Aruba controller code (6.4.2.9) to get both iOS 9 and OS X 10.11 to work with our 802.1X network. -- Julian Y. Koh Associate Director, Telecommunications and Network Services Northwestern University Information Technology (NUIT) 2001 Sheridan Road #G-166 Evanston, IL 60208 847-467-5780 NUIT Web Site: <http://www.it.northwestern.edu/> PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
