> On Aug 11, 2015, at 1:37 AM, Jason Cook <[email protected]> wrote:
>
> Thanks for all the responses on this. Upgrade worked a treat.
>
> Was a better response than vendor support but to be fair we hadn’t logged one
> with freeradius

And you wouldn't need to have, as we had stable versions with the MPPE
calculation issues fixed prior to the release of iOS9.

We've known about it for the past six months:
https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/doc/ChangeLog#L56

Prior to any of the attention it got due to iOS9/Google/Android/Marshmallow.

The later fix for EAP-TTLS was due to some (mostly) duplicate code missed in
the first round of patches. EAP-TLS and PEAP have worked fine since 2.2.7.

The reason why you see an Access-Accept and the same unencrypted portion is
because they are the same. What differs is the method used to derive the
session keys returned to the NAS in the MPPE Key attributes.

TLS 1.2 uses a different method to TLS < 1.2. As a result of that change the
server and the supplicant were deriving different values for the encryption
keys used for WPA/WPA2 and that was causing the session to fail.

In the case of Radiator, it was the crypto library that had not been updated to
use the new method of key derivation.

The reason why the final release of iOS9 worked was because Apple discovered
the compatibility issues and disabled TLS 1.2.

Google also discovered the compatibility issues, but decided that they hated
their users and did not disable TLS 1.2. Result here:
https://code.google.com/p/android/issues/detail?id=188867

-Arran
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.
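
The key-derivation mismatch described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code: it derives the EAP-TLS MPPE keys (RFC 5216) from one master secret with the TLS 1.0/1.1 PRF and with the TLS 1.2 PRF, and shows the two sides end up with different keys. The function names and the sample secret and randoms are constructed for illustration.

```python
import hashlib
import hmac

def p_hash(hash_name, secret, seed, length):
    """P_hash expansion from RFC 2246 / RFC 5246 section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(first half) XOR P_SHA1(second half)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5 = p_hash("md5", s1, label + seed, length)
    sha1 = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))

def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF with SHA-256, the default for TLS 1.2 cipher suites."""
    return p_hash("sha256", secret, label + seed, length)

def eap_tls_mppe_keys(prf, master_secret, client_random, server_random):
    """RFC 5216 key material: bytes 0-31 go in MS-MPPE-Recv-Key, 32-63 in MS-MPPE-Send-Key."""
    seed = client_random + server_random
    km = prf(master_secret, b"client EAP encryption", seed, 128)
    return km[:32], km[32:64]

# Constructed sample values, not taken from any real handshake.
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_CLIENT_RANDOM = b"\x11" * 32
SAMPLE_SERVER_RANDOM = b"\x22" * 32

def derived_keys_agree(server_prf, supplicant_prf):
    """True when both ends derive identical MPPE keys from the same handshake values."""
    args = (SAMPLE_MASTER_SECRET, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    server = b"".join(eap_tls_mppe_keys(server_prf, *args))
    supplicant = b"".join(eap_tls_mppe_keys(supplicant_prf, *args))
    return hmac.compare_digest(server, supplicant)

if __name__ == "__main__":
    # Server still on the old PRF, supplicant negotiating TLS 1.2: keys differ.
    print("old server vs TLS 1.2 supplicant agree:", derived_keys_agree(prf_tls10, prf_tls12))
    print("both on TLS 1.2 PRF agree:", derived_keys_agree(prf_tls12, prf_tls12))
```

The TLS handshake itself completes in both cases, which is why the Access-Accept looks the same; only the keys handed to the NAS differ from what the supplicant computes.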
