Stephen, We are on the latest ClearPass. Apparently Aruba recommends turning off TLS 1.2 on the servers for some reason.
Administration -> Server Manager -> Server Configuration -> [server] -> Service Parameters -> Radius server -> Disable TLS 1.2 -> TRUE Bruce Osborne Wireless Engineer IT Infrastructure & Media Solutions (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Stephen Oglesby [mailto:[email protected]] Sent: Tuesday, December 8, 2015 10:34 AM Subject: Re: Issue with Android Marshmallow? We are an Aruba shop and had similar issues with TLS1.2 after the November update. Turns out our controller software didn't support TLS 1.2 while our Clearpass radius server did. Since we terminated authentication to the controller, the radius server never even received an Auth attempt. Termination at the Clearpass server resolved the issue in a couple clicks. Stephen Oglesby Network and Telecommunications Architect Aims Community College 5401 W. 20th Street Greeley, CO 80634 970.339.6350 (Office) [email protected]<mailto:[email protected]> On Dec 7, 2015 2:41 PM, "Turner, Ryan H" <[email protected]<mailto:[email protected]>> wrote: Well, a lot of us rushed to get the TLS 1.2 fix about a month or so ago. We recently found out that one of our servers, while patched, was still not working for TLS 1.2 when the latest Windows 10 patch turned on TLS 1.2. Even though the 2.2.8.1 (I think that was the freeRadius rev) was installed, apparently some left over packages from the previous install was causing problems. That caused us some heart ache last week. To verify that it is ‘likely’ a TLS 1.2 issue, you should see a successful radius authentication for the connection attempt in your logs, then you would not see a corresponding DHCP request. Ryan From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Hart, Michael Sent: Monday, December 07, 2015 4:25 PM To: [email protected]<mailto:[email protected]> Subject: [WIRELESS-LAN] Issue with Android Marshmallow? My networking team is receiving multiple reports of users who have moved to Marshmallow being unable to authenticate and gain access to our wireless. I was wondering if anyone else in the community has dealt with this issue. As a new member of the listserv, I apologize if this is a repeat of an issue someone else has raised. Pertinent information is listed below: One of our more motivated users reports: So I was able to get connected into the WiFi. I did some searching online for articles related to this, the biggest one I found was that older Radius versions running TLS 1.0. Android Marshmallow run/forces TLS 1.2, which is unsupported by old RADIUS versions. The full forum reading I've found is here<https://code.google.com/p/android/issues/detail?id=188867#c29>. I'm not sure if this has anything to do with our network but it's worth looking into. As for the fix, on my Nexus 6P I went into Developer options and was able to enable "Legacy DHCP clients" under the networking section. This forces the device to run DHCP from Andriod Lollipop instead of Marshmallow. I then forgot the network settings for MetroState, restarted the device, and re-configured the connection in WiFi Settings. I am able to connect to the WiFi and am getting a stable connection. I will watch the connectivity over the next few days to see if this is a work around. I have attached SS from my phone to show where the options are, in order to get into Developer option you must tap the "Build number" menu in the Settings>About Phone menu, until the phone says, "You are now a developer!". The developer options will then show above the "About Phone" menu option in settings. Our Windows Radius server has TLS 1.2 enabled, and has been fully patched. We’re set for 802.1x, PEAP, MSCHAPv2. Mike Hart | CISO, Director of ITS Security, Infrastructure, and Networking Metropolitan State University of Denver Information Technology Services Campus Box 96, P.O. Box 173362, Denver, CO 80217-3362 Admin Building - 1201 5th Street 480E Denver, CO 80204 303-556-5074<tel:303-556-5074> (Office) 303-352-7548<tel:303-352-7548> (Help Desk) [email protected]<mailto:[email protected]> | www.msudenver.edu/technology<http://www.msudenver.edu/technology> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
