Same here.

Mike

Michael Dickson
Network Analyst
Information Technology
University of Massachusetts Amherst
[email protected]
413-545-9639

On Jul 28, 2015, at 8:26 PM, Jason Cook <[email protected]> wrote:

> Thanks Debbie. Wish we could include some technical detail in some of our
> comms like that.
>
> --
> Jason Cook
> The University of Adelaide, AUSTRALIA 5005
> Ph : +61 8 8313 4800
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:[email protected]] On Behalf Of Fligor, Debbie
> Sent: Tuesday, 28 July 2015 11:28 PM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>
> This went out to our campus IT community last Friday, it has some nice
> details about what the wireless/radius team was seeing:
>
> Greetings,
>
> Earlier this week we sent a communication about issues that the iOS 9 and El
> Capitan betas had connecting to the campus network. We are happy to announce
> that the issue has been resolved. While Technology Services does not
> encourage customers to rely on betas for production or every-day work, both
> of the current beta releases are able to connect to IllinoisNet. If you have
> questions regarding this message please contact [email protected].
>
> *For those with a desire to better understand the technical changes and their
> impacts, feel free to read the additional detail below.
>
> On 2015-07-23 a set of security updates was deployed to the RADIUS servers
> which handle logins for IllinoisNet and eduroam wireless. One of these
> changes was an upgrade to the latest version of Net::SSLeay (which provides
> perl bindings for OpenSSL) to allow clients to negotiate TLSv1.1 and TLSv1.2
> (as well as TLSv1.0) for the EAP-TTLS tunnel used in WPA2 Enterprise
> authentication.
> Many modern wireless clients still use TLSv1.0 in practice, but Apple OS X
> El Capitan and iOS 9 do use TLSv1.2, and as a result of this upgrade they
> are now able to successfully connect to IllinoisNet and eduroam.
>
> What remains surprising is that, prior to deploying these updates, our test
> iOS 9 client was able to successfully make it all the way through the RADIUS
> authentication stage of 802.11i (producing a RADIUS Access-Accept); it failed
> only during the subsequent four-way handshake to construct the PTK (by which
> point the RADIUS server is no longer involved, leading us to believe that the
> problem resided elsewhere).
> Subsequent re-testing reveals that even with the older Net::SSLeay installed,
> the RADIUS server would respond to the TLSv1.2 Client Hello with a TLSv1.2
> Server Hello, and side by side comparisons of the unencrypted portions of
> traffic captures in a lab environment show no obvious differences in the
> ensuing conversation depending on which Net::SSLeay is installed. We can only
> speculate at this point that perhaps the combination of a modern openssl
> library with an old Net::SSLeay was somehow superficially _appearing_ to
> correctly support TLSv1.2 while in fact producing some subtly different
> behavior which eventually caused iOS 9 to give up on the connection process.
>
>> On Jul 27, 2015, at 18:55, Jason Cook <[email protected]> wrote:
>>
>> Thanks everyone for the input, greatly appreciated. We are freeradius 2.2.6
>> and I’m not sure what opensslchance that this is our problem.
>>
>> Time to get fixing with all this info :)
>>
>> --
>> Jason Cook
>> The University of Adelaide, AUSTRALIA 5005
>> Ph : +61 8 8313 4800
>>
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:[email protected]] On Behalf Of Walter Reynolds
>> Sent: Tuesday, 28 July 2015 2:49 AM
>> To: [email protected]
>> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>>
>> The problem we had was because we were running freeradius 2.2.6 and I do not
>> remember version of openssl (1.something) which does support TLSv1.2. There
>> would be a problem after authentication with the 4 way handshake. So you
>> would see a user authenticate every 6 seconds or so and not receive an IP
>> from the Mac point of view.
>>
>> Running freeradius 2.2.6 with an older version of openssl (.9 something)
>> would not support TLSv1.2 so no problem.
>>
>> Freeradius 2.2.7 fixes some TLS issues which fixed the issue.
>>
>> I know aruba's clearpass is based on freeradius but not sure how close it is
>> so as one person said they did need to upgrade that as well.
>>
>> On Jul 27, 2015 10:20 AM, "Turner, Ryan H" <[email protected]> wrote:
>>
>> I have also just pinged our campus users. Already have a lot of users
>> running the platform with no issues.
>>
>> We are running a full EAP-TLS deployment with Aruba Controllers running
>> 6.4.2.8 running an older 2.1 freeradius.
>>
>> Ryan H Turner
>> Senior Network Engineer
>> The University of North Carolina at Chapel Hill
>> CB 1150
>> Chapel Hill, NC 27599
>> +1 919 445 0113 Office
>> +1 919 274 7926 Mobile
>>
>> -----Original Message-----
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:[email protected]] On Behalf Of Lee H Badman
>> Sent: Monday, July 27, 2015 8:48 AM
>> To: [email protected]
>> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>>
>> I'm polling our Apple adventurists on this.
>> I did talk to one valued colleague who said he ran 10.11 for a bit on one
>> machine and had no issues on our WPA2 Cisco campus networks. He's going to
>> build another test machine and try it again, and hopefully I'll hear from at
>> least a couple of other bleeding edgers on this end.
>>
>> Lee Badman | Network Architect
>> Information Technology Services
>> 206 Machinery Hall
>> 120 Smith Drive
>> Syracuse, New York 13244
>> t 315.443.3003 f 315.443.4325 e [email protected] w its.syr.edu
>> SYRACUSE UNIVERSITY
>> syr.edu
>>
>> -----Original Message-----
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:[email protected]] On Behalf Of Julian Y Koh
>> Sent: Monday, July 27, 2015 8:01 AM
>> To: [email protected]
>> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>>
>> On Mon Jul 27 2015 01:27:57 CDT, Jason Cook <[email protected]> wrote:
>>>
>>> Also seems worth noting that certs will need to be 1024bit. Our
>>> certs are 1024 so expecting that to be ok for us
>>> http://superuser.com/questions/935756/mac-os-el-capitan-10-11-not-able-to-connect-to-wifiwpa-2-enterprise
>>>
>>
>> Note that the certificate bit length is different from the Diffie-Hellman
>> group bit length; the latter is what is referred to in that document.
>>
>> Also worth noting is that there are other Apple documents that say that OS X
>> 10.10.4 and iOS 8.4 require a 2048-bit DH group, so there appears to be some
>> discrepancy at least in the docs.
>>
>> We had to upgrade both ClearPass (6.5.2 plus a patch) and our Aruba
>> controller code (6.4.2.9) to get both iOS 9 and OS X 10.11 to work with our
>> 802.1X network.
>>
>> --
>> Julian Y. Koh
>> Associate Director, Telecommunications and Network Services
>> Northwestern University Information Technology (NUIT)
>>
>> 2001 Sheridan Road #G-166
>> Evanston, IL 60208
>> 847-467-5780
>> NUIT Web Site: <http://www.it.northwestern.edu/>
>> PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
>>
>> **********
>> Participation and subscription information for this EDUCAUSE Constituent
>> Group discussion list can be found at http://www.educause.edu/groups/.
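
The capture comparison described in the quoted campus notice (a TLSv1.2 Client Hello answered by a TLSv1.2 Server Hello inside EAP-TTLS) can be repeated with a small parser. This is an added example, not part of the thread or any poster's code; `parse_hello` and `build_sample` are hypothetical names, the sample packets are constructed rather than captured, and it assumes the Hello arrives unfragmented in a single EAP-TTLS packet.

```python
import struct

TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# A few IANA suite IDs. With the DHE ones the server's Diffie-Hellman group
# size comes into play, which is separate from the certificate key size.
SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
          0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"}
EAP_TTLS, FLAG_LEN = 21, 0x80  # EAP type 21; L flag: 4-byte TLS length present

def parse_hello(eap: bytes) -> dict:
    """Report the versions visible in a Hello carried in one EAP-TTLS packet."""
    if len(eap) < 6:
        raise ValueError("too short for EAP-TTLS")
    _code, _id, length, eap_type, flags = struct.unpack("!BBHBB", eap[:6])
    if eap_type != EAP_TTLS or length != len(eap):
        raise ValueError("not a complete EAP-TTLS packet")
    tls = eap[10:] if flags & FLAG_LEN else eap[6:]
    if len(tls) < 9 or tls[0] != 22:          # 22 = TLS handshake record
        raise ValueError("no TLS handshake record")
    rec_ver, rec_len = struct.unpack("!HH", tls[1:5])
    hs = tls[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if hs[:1] not in (b"\x01", b"\x02") or len(body) < max(hs_len, 38):
        raise ValueError("not a complete Hello (fragmented or other message)")
    hello_ver = int.from_bytes(body[:2], "big")
    out = {"message": "ClientHello" if hs[0] == 1 else "ServerHello",
           "record_version": TLS_VERSIONS.get(rec_ver, hex(rec_ver)),
           "hello_version": TLS_VERSIONS.get(hello_ver, hex(hello_ver))}
    if hs[0] == 2:
        sid_len = body[34]        # follows 2-byte version and 32-byte random
        suite = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
        out["suite"] = SUITES.get(suite, hex(suite))
        out["uses_dhe"] = "_DHE_" in out["suite"] if suite in SUITES else None
    return out

def build_sample(hs_type, rec_ver, hello_ver, suite=0x0033):
    """Constructed packet, not a capture: zero random, empty session id."""
    body = struct.pack("!H", hello_ver) + bytes(32) + b"\x00"
    if hs_type == 2:
        body += struct.pack("!HB", suite, 0)                # suite, null compression
    else:
        body += struct.pack("!HH", 2, suite) + b"\x01\x00"  # one offered suite
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    tls = struct.pack("!BHH", 22, rec_ver, len(hs)) + hs
    data = bytes([EAP_TTLS, FLAG_LEN]) + struct.pack("!I", len(tls)) + tls
    code = 2 if hs_type == 1 else 1   # client sends EAP-Response, server EAP-Request
    return struct.pack("!BBH", code, 7, 4 + len(data)) + data
```

When comparing captures, read `hello_version` rather than `record_version`: a Client Hello commonly carries a lower version in the record header than the one it offers inside the Hello.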
