We did see this in beta testing and for us it was caused by a SHA1 RADIUS 
certificate. We had a 10-year cert so didn’t have to update and so got caught 
out with a SHA1 (relevant to other discussion). We ended up updating to SHA2 
before iOS 11 was released.

We didn’t see issues for different RADIUS servers, so the question about 
different certs on the different servers seems to make sense.

Apple’s explanation is that they don’t trust SHA1 anymore, and while they do 
allow it for RADIUS and some other things in iOS 11 they don’t trust it in the 
iOS 11 upgrade process. So you can forget and reconfigure after upgrade and the 
same SHA1 cert will work. It will never work without user intervention after 
upgrade.

A Cloudpath-installed profile with EAP-TLS didn’t have issues but user-configured 
PEAP iOS 11 devices did.

The certificate replacement was easy enough in the end. We tested the 
experience on the main devices, and communicated out about the change. 
Surprisingly very few calls for support, but we told users what to do for each 
device and have onboarding so…..



--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph    : +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Becker, Jason
Sent: Wednesday, 1 November 2017 2:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication


We are seeing the same issue here on our Cisco deployment.  I've been telling 
users to reboot or forget it and reconnect, unfortunately.  After this they've 
been good, but I see your point with several certs.





Jason

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Cappalli, Tim (Aruba Security) <t...@hpe.com>
Sent: Tuesday, October 31, 2017 9:33:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

Just curious. Why aren't you using the same EAP server certificate across all 
of your RADIUS servers?


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Linchuan Yang <linchuan.y...@concordia.ca>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, October 31, 2017 at 10:28 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

Dear All

Good morning. All of our iOS users started having authentication problems after 
upgrading to iOS 11. The devices keep asking for the user name and password. 
The only way we can fix it for now is to “forget” the old profile and manually 
create a new one; after trusting the certificate, the iOS 11 devices can 
connect to the wireless network. However, we have more than three RADIUS 
servers; if the clients go to other buildings, they have to do this again. In 
some cases, the clients have to repeat the procedure every morning when they 
come back to the office.

We noticed some related discussions on the Cisco and Apple Communities, but 
there is not any solution for it. Do you have the same problem on your 
wireless network? Could you please give us some suggestions?

Thank you, and have a nice day.

Yours,
Linchuan Yang (Antony)
MEng, ACMP
Wireless Networking Analyst
Network Assessment and Integration,
IITS-Concordia University
Tel: (514)848-2424 ext. 7664

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
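
Added example, not part of any message in this thread: a check for the two conditions discussed above, a SHA-1-signed EAP server certificate and RADIUS servers that present different certificates. The function names are hypothetical and the sample certificates are constructed, certificate-shaped DER with placeholder contents, not real certificates.

```python
import hashlib

SIG_OIDS = {  # dotted OID -> name of common certificate signature algorithms
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Outer signatureAlgorithm of a DER X.509 certificate, by name or dotted OID."""
    _, start, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # step over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    _, oid_start, oid_end = read_tlv(der, alg_start)
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def audit(certs):
    """certs maps RADIUS server name -> DER bytes of its EAP server certificate."""
    algs = {n: signature_algorithm(d) for n, d in certs.items()}
    prints = {hashlib.sha256(d).hexdigest() for d in certs.values()}
    return {"sha1_signed": sorted(n for n, a in algs.items() if "sha1" in a.lower()),
            "same_cert_everywhere": len(prints) == 1}

def _tlv(tag, value):  # short-form lengths only; enough for the samples below
    return bytes([tag, len(value)]) + value
def constructed_cert(oid_hex, marker):  # constructed sample, not a real certificate
    tbs = _tlv(0x30, _tlv(0x04, marker))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return _tlv(0x30, tbs + alg + _tlv(0x03, bytes(9)))

SAMPLE = {"radius1": constructed_cert("2a864886f70d010105", b"radius1"),
          "radius2": constructed_cert("2a864886f70d01010b", b"radius2")}
```

For real servers, pass the DER bytes of each server's certificate, for example `ssl.PEM_cert_to_DER_cert(pem_text)` from the standard library applied to the exported PEM file.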