Thanks Debbie. Wish we could include some technical detail in some of our comms like that.
--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph : +61 8 8313 4800

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Fligor, Debbie
Sent: Tuesday, 28 July 2015 11:28 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta

This went out to our campus IT community last Friday; it has some nice details about what the wireless/RADIUS team was seeing:

Greetings,

Earlier this week we sent a communication about issues that the iOS 9 and El Capitan betas had connecting to the campus network. We are happy to announce that the issue has been resolved. While Technology Services does not encourage customers to rely on betas for production or every-day work, both of the current beta releases are able to connect to IllinoisNet. If you have questions regarding this message please contact [email protected].

*For those with a desire to better understand the technical changes and their impacts, feel free to read the additional detail below.

On 2015-07-23 a set of security updates was deployed to the RADIUS servers which handle logins for IllinoisNet and eduroam wireless. One of these changes was an upgrade to the latest version of Net::SSLeay (which provides Perl bindings for OpenSSL) to allow clients to negotiate TLSv1.1 and TLSv1.2 (as well as TLSv1.0) for the EAP-TTLS tunnel used in WPA2 Enterprise authentication. Many modern wireless clients still use TLSv1.0 in practice, but Apple OS X El Capitan and iOS 9 do use TLSv1.2, and as a result of this upgrade they are now able to successfully connect to IllinoisNet and eduroam.

What remains surprising is that, prior to deploying these updates, our test iOS 9 client was able to successfully make it all the way through the RADIUS authentication stage of 802.11i (producing a RADIUS Access-Accept); it failed only during the subsequent four-way handshake to construct the PTK (by which point the RADIUS server is no longer involved, leading us to believe that the problem resided elsewhere). Subsequent re-testing reveals that even with the older Net::SSLeay installed, the RADIUS server would respond to the TLSv1.2 Client Hello with a TLSv1.2 Server Hello, and side-by-side comparisons of the unencrypted portions of traffic captures in a lab environment show no obvious differences in the ensuing conversation depending on which Net::SSLeay is installed. We can only speculate at this point that perhaps the combination of a modern OpenSSL library with an old Net::SSLeay was somehow superficially _appearing_ to correctly support TLSv1.2 while in fact producing some subtly different behavior which eventually caused iOS 9 to give up on the connection process.

> On Jul 27, 2015, at 18:55, Jason Cook <[email protected]> wrote:
>
> Thanks everyone for the input, greatly appreciated. We are freeradius 2.2.6 and I'm not sure what openssl; chance that this is our problem.
>
> Time to get fixing with all this info :)
>
> --
> Jason Cook
> The University of Adelaide, AUSTRALIA 5005
> Ph : +61 8 8313 4800
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Walter Reynolds
> Sent: Tuesday, 28 July 2015 2:49 AM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>
> The problem we had was because we were running freeradius 2.2.6 and I do not remember the version of openssl (1.something) which does support TLSv1.2. There would be a problem after authentication with the 4-way handshake. So you would see a user authenticate every 6 seconds or so and not receive an IP from the Mac point of view.
>
> Running freeradius 2.2.6 with an older version of openssl (.9 something) would not support TLSv1.2, so no problem.
>
> Freeradius 2.2.7 fixes some TLS issues which fixed the issue.
>
> I know Aruba's ClearPass is based on freeradius but not sure how close it is, so as one person said they did need to upgrade that as well.
>
> On Jul 27, 2015 10:20 AM, "Turner, Ryan H" <[email protected]> wrote:
>
> I have also just pinged our campus users. Already have a lot of users running the platform with no issues.
>
> We are running a full EAP-TLS deployment with Aruba Controllers running 6.4.2.8 running an older 2.1 freeradius.
>
> Ryan H Turner
> Senior Network Engineer
> The University of North Carolina at Chapel Hill
> CB 1150 Chapel Hill, NC 27599
> +1 919 445 0113 Office
> +1 919 274 7926 Mobile
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Lee H Badman
> Sent: Monday, July 27, 2015 8:48 AM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>
> I'm polling our Apple adventurists on this. I did talk to one valued colleague who said he ran 10.11 for a bit on one machine and had no issues on our WPA2 Cisco campus networks. He's going to build another test machine and try it again, and hopefully I'll hear from at least a couple of other bleeding edgers on this end.
>
> Lee Badman | Network Architect
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003 f 315.443.4325 e [email protected] w its.syr.edu
> SYRACUSE UNIVERSITY syr.edu
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Julian Y Koh
> Sent: Monday, July 27, 2015 8:01 AM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>
> On Mon Jul 27 2015 01:27:57 CDT, Jason Cook <[email protected]> wrote:
> >
> > Also seems worth noting that certs will need to be 1024-bit. Our certs are 1024 so expecting that to be ok for us
> > http://superuser.com/questions/935756/mac-os-el-capitan-10-11-not-able-to-connect-to-wifiwpa-2-enterprise
> >
>
> Note that the certificate bit length is different from the Diffie-Hellman group bit length; the latter is what is referred to in that document.
>
> Also worth noting is that there are other Apple documents that say that OS X 10.10.4 and iOS 8.4 require a 2048-bit DH group, so there appears to be some discrepancy at least in the docs.
>
> We had to upgrade both ClearPass (6.5.2 plus a patch) and our Aruba controller code (6.4.2.9) to get both iOS 9 and OS X 10.11 to work with our 802.1X network.
>
> --
> Julian Y. Koh
> Associate Director, Telecommunications and Network Services
> Northwestern University Information Technology (NUIT)
>
> 2001 Sheridan Road #G-166
> Evanston, IL 60208
> 847-467-5780
> NUIT Web Site: <http://www.it.northwestern.edu/>
> PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
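The side-by-side comparison of the cleartext part of the handshake that Debbie's team describes is the kind of check worth scripting rather than eyeballing in a packet decoder. The Python below is an added example written for this thread, not the Illinois team's tooling and not code from FreeRADIUS or Net::SSLeay: it parses the ClientHello/ServerHello records of a TLS handshake and diffs two of them field by field (record-layer version, handshake version, cipher suite, extension types), which is the only part of an EAP-TTLS exchange that is visible before the tunnel is encrypted. The ClientHello and the two ServerHello byte strings at the bottom are constructed fixtures, not captures from any server; in a real trace the TLS records first have to be reassembled from the EAP-Message attributes of the RADIUS packets (or from the EAPOL frames on the wireless side) before being handed to parse_hello.

```python
"""Parse the cleartext ClientHello / ServerHello of a TLS handshake and
diff two of them field by field.

Added example for the WIRELESS-LAN thread above; not the Illinois team's
tooling. All byte strings at the bottom are hand-built fixtures, not
captures. In an EAP-TTLS trace the TLS records must first be reassembled
from EAP-Message attributes (RADIUS side) or EAPOL frames (wireless side).
"""
import struct

HANDSHAKE = 22                     # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2  # handshake message types
VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def parse_hello(data: bytes) -> dict:
    """Return the negotiable fields of one TLS record carrying a *Hello.

    Raises ValueError if the record is truncated or not a Client/ServerHello.
    """
    if len(data) < 5 or data[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_ver, rec_len = struct.unpack("!HH", data[1:5])
    body = data[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    msg_type = body[0]
    msg_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + msg_len]
    if len(msg) != msg_len or msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello/ServerHello")
    hs_ver = struct.unpack("!H", msg[0:2])[0]
    pos = 2 + 32                        # skip client/server random
    sid_len = msg[pos]
    pos += 1 + sid_len                  # skip session id
    info = {
        "type": "ClientHello" if msg_type == CLIENT_HELLO else "ServerHello",
        "record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
        "handshake_version": VERSIONS.get(hs_ver, hex(hs_ver)),
    }
    if msg_type == CLIENT_HELLO:
        cs_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        info["cipher_suites"] = [struct.unpack("!H", msg[i:i + 2])[0]
                                 for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        comp_len = msg[pos]
        pos += 1
        info["compression"] = list(msg[pos:pos + comp_len])
        pos += comp_len
    else:
        info["cipher_suite"] = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        info["compression"] = msg[pos]
        pos += 1
    exts = []
    if pos < len(msg):                  # the extensions block is optional
        ext_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
            exts.append(etype)
            pos += 4 + elen             # extension bodies are not decoded
    info["extensions"] = exts
    return info


def diff_hellos(a: bytes, b: bytes) -> dict:
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    pa, pb = parse_hello(a), parse_hello(b)
    return {k: (pa.get(k), pb.get(k))
            for k in sorted(set(pa) | set(pb)) if pa.get(k) != pb.get(k)}


# --- constructed fixtures (hand-built, not captured from any server) --------

def build_hello(msg_type, hs_version, ciphers, ext_types=(), record_version=None):
    """Build a minimal ClientHello/ServerHello record with an empty session id."""
    body = struct.pack("!H", hs_version) + bytes(32) + b"\x00"
    if msg_type == CLIENT_HELLO:
        cs = b"".join(struct.pack("!H", c) for c in ciphers)
        body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"   # null compression
    else:
        body += struct.pack("!H", ciphers[0]) + b"\x00"
    if ext_types:
        exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
        body += struct.pack("!H", len(exts)) + exts
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    rec_ver = hs_version if record_version is None else record_version
    return bytes([HANDSHAKE]) + struct.pack("!HH", rec_ver, len(hs)) + hs


# A client offering TLSv1.2 commonly still sends record-layer version 3.1.
CLIENT = build_hello(CLIENT_HELLO, 0x0303, [0xC02F, 0xC014, 0x002F],
                     (0xFF01, 0x000B, 0x000D), record_version=0x0301)
# Two hypothetical server answers that both claim TLSv1.2 in the version field.
SERVER_A = build_hello(SERVER_HELLO, 0x0303, [0xC014], (0xFF01,))
SERVER_B = build_hello(SERVER_HELLO, 0x0303, [0xC02F], (0xFF01, 0x000B))

if __name__ == "__main__":
    print(parse_hello(CLIENT))
    print(diff_hellos(SERVER_A, SERVER_B))
```

The fixtures make the point the message hints at: both hypothetical ServerHellos carry TLSv1.2 in the version field, so a decoder that only shows the version would call them identical, while the diff surfaces the chosen cipher suite and the extension set, which is where a server build that only superficially supports TLSv1.2 would be expected to diverge. Note also that the ClientHello's record-layer version (TLSv1.0) differs from its handshake version (TLSv1.2); that is normal client behaviour and not a mismatch.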
