New Contributor
Posts: 3
Registered: ‎07-10-2015

OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x


Hi,

 

I have a problem with the iOS and OSX updates.

After I did these updates I can't connect to any WPA2 Enterprise 802.1X network anymore.

Controller Model / AP Model: Aruba7210 / AP115
ArubaOS Version 6.4.2.5

The network authentication in my case is terminating on the controller (EAP-PEAP / mschapv2) and uses a server group which has internal db and radius in it.

On another network which uses captive portal L3 authentication, the radius/internal db works.

 

According to this article : https://developer.apple.com/library/prerelease/mac/releasenotes/General/rn-osx-10.11/ 

  • When negotiating a TLS/SSL connection with Diffie-Hellman key exchange, OS X El Capitan requires a 1024-bit group or larger. OS X El Capitan will not connect to a server that allows negotiation with a 512-bit or smaller group. These connections include:

    • Secure Web (HTTPS)

    • Enterprise Wi-Fi (802.1X)

    • Secure e-mail (IMAP, POP, SMTP)

    • Printing servers (IPPS)

Is there already any existing known issue with this?

 

For info, I tested this from a factory-reset iPhone and MacBook Pro.

 

Thank you in advance for your help

 

Adrien.
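The release note quoted in the post above sets a minimum Diffie-Hellman group size. As an added example that is not part of the original post, this Python sketch reads the group size out of a TLS ServerKeyExchange handshake message (for instance one exported from a capture of the EAP-PEAP exchange) and compares it with that minimum. It assumes a DHE cipher suite was negotiated; the function names and the sample builder are hypothetical.

```python
MIN_DH_BITS = 1024  # minimum group size stated in the quoted release note

def dh_group_bits(handshake: bytes) -> int:
    """Bit length of dh_p in a TLS ServerKeyExchange (DHE suites only)."""
    if len(handshake) < 4:
        raise ValueError("truncated handshake header")
    if handshake[0] != 0x0C:  # HandshakeType server_key_exchange
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    # ServerDHParams: dh_p, dh_g, dh_Ys, each a 2-byte length plus a big-endian integer
    values, off = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"missing {name}")
        n = int.from_bytes(body[off:off + 2], "big")
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError(f"bad length for {name}")
        values.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return values[0].bit_length()

def meets_minimum(handshake: bytes) -> bool:
    """True if the offered group satisfies the quoted 1024-bit minimum."""
    return dh_group_bits(handshake) >= MIN_DH_BITS

def build_sample(p_bits: int) -> bytes:
    """Constructed test message: p has the right size but is NOT a real DH prime."""
    def vec(i: int) -> bytes:
        raw = i.to_bytes((i.bit_length() + 7) // 8, "big")
        return len(raw).to_bytes(2, "big") + raw
    p = (1 << (p_bits - 1)) | 1
    # four trailing zero bytes stand in for the server's signature
    body = vec(p) + vec(2) + vec(p - 2) + b"\x00" * 4
    return b"\x0c" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for bits in (512, 768, 1024, 2048):
        msg = build_sample(bits)
        print(bits, "accepted" if meets_minimum(msg) else "rejected")
```

The size checked here is the key-exchange group, which is separate from the key size of the server certificate.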

 

 

 

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

You should open a TAC case since these operating systems are beta.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 102
Registered: ‎06-17-2009

Re: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

Don't know that TAC would/should support a BETA OS.

 

For what it's worth, I'm experiencing the same. Device won't connect to any 802.1X networks.

 


EDDIE FORERO | @HeyEddie
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

The factory securelogin and instant.arubanetworks.com certificates are only 1024. Those should never be used in production. You should acquire your own certificate, 2048 or higher.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 3
Registered: ‎07-10-2015

Re: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

In fact, that's what I'm using for the certificates.
But if it is 1024 (and I think it is) it should be supported.
I also reported the problem to Apple.
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

You're right. Sorry misread. Thought it said larger than 1028.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 32
Registered: ‎10-05-2010

Re: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

I am seeing the factory provided certs as 2048... We actually use 2048 bit Thawte certs for our radius.

Is it safe to assume that Aruba will not field inquiries until IOS9 and OSX10.11 become official releases?

 


Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

AFAIK, the issue is that the controllers don't support TLS 1.2 for EAP. This issue only comes into play when you're using termination.



Are you able to terminate on your RADIUS server?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 3
Registered: ‎07-10-2015

Re: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

No, I can't terminate in the server. Is it supposed to be unsupported?
Contributor I
Posts: 32
Registered: ‎10-05-2010

Re: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

No, we terminate directly to the radius servers. We are seeing similar issues with the clients not able to stay connected to the AP / network. Not sure I want to put much effort into this at this time; I was just probing on the possible cert challenge as we just renewed the server certs.

 

Thx.
