Security

We've noticed a trend with our iPads in the CPPM environment: some iPads will sometimes get a message when trying to connect to our 802.1x / PEAP WLAN-

(box pops up)

Please provide the password for WLANSSID

Problem is this is a PEAP network so there is no password.  Since it wants a password for the SSID (not a username), it seems it wants a PSK.  Most of the time, the only solution is to forget the network and add it back.  (note, the machine has been on the network before so it has the credentials installed for access)

We had 1 windows 8 computer gets this one time.  Since we are only testing Windows 8, I don't have a machine for testing.

It seems to me the devices (iPad or WIN8) doesn't understand what kind of network it is connecting to.  The same exact SSID is used in production with IAS radius so it is not a configuration of the AOS. Also, no windows 7 devices have seen this issue in production or in CPPm environment.

Any ideas?

What security is used on your network?   PEAP-MSCHAPv2 or EAP-TLS?   If it is PEAP then the password box is just asking for the password for the previously entered username (not a password in the preshared key sense)....the username is cached and not being asked for.    I've seen on iPads this happen on various occasions, sometimes the iPad just wants it again and sometimes the user's password had changed on the backend and needs to be inputted again.

When this happens, what does CPPM show for an event in Access Tracker?

PEAP-MSCHAPv2

Sometimes putting your password in will work, sometimes hitting cancel works and sometimes you have to forget the network then add it back again before it works.

My iPad started having issues (worked perfect with 6.x) today.  It doesn't connect to the AP according to the iPad.  CPPM indicates I autheticated (and assigned the correct role for AOS).

I'm starting to catch tons of flack regarding the IOS stuff from users/management.  I wish Steve Jobs & Apple had never invented them...

Further testing:

My iPad only seems to only do it the first time I use it in the CPPM environment.  I tested someone elses iPad which has it much more often.  The odd thing is hitting ignore (or cancel) then waiting a bit will often work to get connected.

I opened a ticket with TAC and I'm engaging our local Aruba engineer.  The one question none of them can answer at this time:

Why does this only happen in the CPPM environment and not in the production IAS environment?

I have checked and re-checked all the AOS settings.  To the best of my ability, they are exactly the same as a production site except for the radius servers being used.  One theory was a timeout was happening but I can't find any timeout periods which are less than a few seconds.

No one else sees this situation?

P.S. We are doing a bit of WIN8 testing for possible deployment.  Those devices exhibit the same behavior in the CPPM environment (at times).  I'm hoping to get results from testing the WIN8 stuff in the production to see how it behaves.

Might be a longshot, but I've seen this during the implementation of a EAP-TLS Onboarding solution. While your solution is plain EAP-PEAP you still might have the same issues which - if I remember correctly - was related to the validation of the Server certificate, OCSP in combination with EAP-Termination on the Controller..

Does any of these things trigger a line of thought or your own issues? How is your setup in terms of EAP-Termination and Server certificate?

We are looking into server validation for several reasons.  Once that is taken care of, we will see what happens.

We don't terminate on the controllers currently.  All termination is on the CPPM.

I accidently put a radius accounting server into the radius server group.  When it hits the accounting server, the client saw the request for their password.  Once corrected, the problem has not returned.

Thanks to all who posted!!