> On Jul 28, 2015, at 10:26, Jon Scot Prunckle <[email protected]> wrote:
>
> Debbie,
>
> Is your group also running freeradius?
We run OSC Radiator. Sorry, I should have included that.

-debbie

>
> Sincerely,
>
> J. Scot Prunckle
> Network Engineer
> UITS Network and Operations Services
> University of Wisconsin-Milwaukee
> Office Mobile: (414) 416-9709
> E-mail: [email protected]
>
>> On Jul 28, 2015, at 8:57 AM, Fligor, Debbie <[email protected]> wrote:
>>
>> This went out to our campus IT community last Friday, it has some nice
>> details about what the wireless/radius team was seeing:
>>
>> Greetings,
>>
>> Earlier this week we sent a communication about issues that the iOS 9 and El
>> Capitan betas had connecting to the campus network. We are happy to
>> announce that the issue has been resolved. While Technology Services does
>> not encourage customers to rely on betas for production or every-day work,
>> both of the current beta releases are able to connect to IllinoisNet. If you
>> have questions regarding this message please contact [email protected].
>>
>> *For those with a desire to better understand the technical changes and
>> their impacts, feel free to read the additional detail below.
>>
>> On 2015-07-23 a set of security updates was deployed to the RADIUS
>> servers which handle logins for IllinoisNet and eduroam wireless. One
>> of these changes was an upgrade to the latest version of Net::SSLeay
>> (which provides perl bindings for OpenSSL) to allow clients to negotiate
>> TLSv1.1 and TLSv1.2 (as well as TLSv1.0) for the EAP-TTLS tunnel used in
>> WPA2 Enterprise authentication. Many modern wireless clients still use
>> TLSv1.0 in practice, but Apple OS X El Capitan and iOS 9 do use TLSv1.2,
>> and as a result of this upgrade they are now able to successfully
>> connect to IllinoisNet and eduroam.
>>
>> What remains surprising is that, prior to deploying these updates, our
>> test iOS 9 client was able to successfully make it all the way through
>> the RADIUS authentication stage of 802.11i (producing a RADIUS
>> Access-Accept); it failed only during the subsequent four-way handshake
>> to construct the PTK (by which point the RADIUS server is no longer
>> involved, leading us to believe that the problem resided elsewhere).
>> Subsequent re-testing reveals that even with the older Net::SSLeay
>> installed, the RADIUS server would respond to the TLSv1.2 Client Hello
>> with a TLSv1.2 Server Hello, and side by side comparisons of the
>> unencrypted portions of traffic captures in a lab environment show no
>> obvious differences in the ensuing conversation depending on which
>> Net::SSLeay is installed. We can only speculate at this point that
>> perhaps the combination of a modern openssl library with an old
>> Net::SSLeay was somehow superficially _appearing_ to correctly support
>> TLSv1.2 while in fact producing some subtly different behavior which
>> eventually caused iOS 9 to give up on the connection process.
>>
>>> On Jul 27, 2015, at 18:55, Jason Cook <[email protected]> wrote:
>>>
>>> Thanks everyone for the input, greatly appreciated. We are freeradius 2.2.6
>>> and I’m not sure what opensslchance that this is our problem.
>>>
>>> Time to get fixing with all this info :)
>>>
>>> --
>>> Jason Cook
>>> The University of Adelaide, AUSTRALIA 5005
>>> Ph : +61 8 8313 4800
>>>
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>>> [mailto:[email protected]] On Behalf Of Walter Reynolds
>>> Sent: Tuesday, 28 July 2015 2:49 AM
>>> To: [email protected]
>>> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>>>
>>> The problem we had was because we were running freeradius 2.2.6 and I do
>>> not remember the version of openssl (1.something) which does support TLSv1.2.
>>> There would be a problem after authentication with the 4 way handshake. So
>>> you would see a user authenticate every 6 seconds or so and not receive an
>>> IP from the Mac point of view.
>>>
>>> Running freeradius 2.2.6 with an older version of openssl (.9 something)
>>> would not support TLSv1.2 so no problem.
>>>
>>> Freeradius 2.2.7 fixes some TLS issues which fixed the issue.
>>>
>>> I know aruba's clearpass is based on freeradius but not sure how close it
>>> is so as one person said they did need to upgrade that as well.
>>>
>>> On Jul 27, 2015 10:20 AM, "Turner, Ryan H" <[email protected]> wrote:
>>>
>>> I have also just pinged our campus users. Already have a lot of users
>>> running the platform with no issues.
>>>
>>> We are running a full EAP-TLS deployment with Aruba Controllers running
>>> 6.4.2.8 running an older 2.1 freeradius.
>>>
>>> Ryan H Turner
>>> Senior Network Engineer
>>> The University of North Carolina at Chapel Hill
>>> CB 1150 Chapel Hill, NC 27599
>>> +1 919 445 0113 Office
>>> +1 919 274 7926 Mobile
>>>
>>> -----Original Message-----
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>>> [mailto:[email protected]] On Behalf Of Lee H Badman
>>> Sent: Monday, July 27, 2015 8:48 AM
>>> To: [email protected]
>>> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>>>
>>> I'm polling our Apple adventurists on this. I did talk to one valued
>>> colleague who said he ran 10.11 for a bit on one machine and had no issues
>>> on our WPA2 Cisco campus networks. He's going to build another test machine
>>> and try it again, and hopefully I'll hear from at least a couple of other
>>> bleeding edgers on this end.
>>>
>>> Lee Badman | Network Architect
>>> Information Technology Services
>>> 206 Machinery Hall
>>> 120 Smith Drive
>>> Syracuse, New York 13244
>>> t 315.443.3003 f 315.443.4325 e [email protected] w its.syr.edu SYRACUSE
>>> UNIVERSITY syr.edu
>>>
>>> -----Original Message-----
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>>> [mailto:[email protected]] On Behalf Of Julian Y Koh
>>> Sent: Monday, July 27, 2015 8:01 AM
>>> To: [email protected]
>>> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>>>
>>> On Mon Jul 27 2015 01:27:57 CDT, Jason Cook <[email protected]>
>>> wrote:
>>>>
>>>> Also seems worth noting that certs will need to be 1024bit. Our certs
>>>> are 1024 so expecting that to be ok for us
>>>> http://superuser.com/questions/935756/mac-os-el-capitan-10-11-not-able-to-connect-to-wifiwpa-2-enterprise
>>>>
>>>
>>> Note that the certificate bit length is different from the Diffie-Hellman
>>> group bit length; the latter is what is referred to in that document.
>>>
>>> Also worth noting is that there are other Apple documents that say that OS
>>> X 10.10.4 and iOS 8.4 require a 2048-bit DH group, so there appears to be
>>> some discrepancy at least in the docs.
>>>
>>> We had to upgrade both ClearPass (6.5.2 plus a patch) and our Aruba
>>> controller code (6.4.2.9) to get both iOS 9 and OS X 10.11 to work with our
>>> 802.1X network.
>>>
>>> --
>>> Julian Y. Koh
>>> Associate Director, Telecommunications and Network Services Northwestern
>>> University Information Technology (NUIT)
>>>
>>> 2001 Sheridan Road #G-166
>>> Evanston, IL 60208
>>> 847-467-5780
>>> NUIT Web Site: <http://www.it.northwestern.edu/>
>>> PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
>>>
>>> **********
>>> Participation and subscription information for this EDUCAUSE Constituent
>>> Group discussion list can be found at http://www.educause.edu/groups/.
