Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Apple 802.1x slow association

  • 1.  Apple 802.1x slow association

    Posted Mar 14, 2013 04:50 AM

    Hey,

     

    Strange problem that only affects MacBooks. When coming out of sleep/standby or roaming between APs, the MacBook devices get stuck during the 802.1x authentication process and will either get the self-assigned 169 address or continuously try to authenticate.

     

    This can occasionally be solved by turning the Wi-Fi interface off and on or manually stopping and starting the 802.1x process on the Mac.

     

    (S3-MASTER) #show log user-debug 30 | include 70:56:81:ae:ec:99
    Mar 13 12:50:12 :522049:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=10.250.49.16 User role updated, existing Role=eduroam-authenticated/eduroam-authenticated, new Role=eduroam-authenticated/eduroam-authenticated, reason=User already authenticated, so retaining his role
    Mar 13 12:50:12 :522050:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=10.250.49.16 User data downloaded to datapath, new Role=eduroam-authenticated/95, bw Contract=0/0,reason=New user IP processing
    Mar 13 12:50:12 :522038:  <INFO> |authmgr|  username=21209508@student.abc.ac.uk MAC=70:56:81:ae:ec:99 IP=10.250.49.16 Authentication result=Authentication Successful method=radius-accounting server=radius01.abc.ac.uk
    Mar 13 12:51:59 :501095:  <NOTI> |stm|  Assoc request @ 12:51:59.327063: 70:56:81:ae:ec:99 (SN 1480): AP 10.250.30.144-d8:c7:c8:16:91:f6-SMR-C242
    Mar 13 12:51:59 :501100:  <NOTI> |stm|  Assoc success @ 12:51:59.327746: 70:56:81:ae:ec:99: AP 10.250.30.144-d8:c7:c8:16:91:f6-SMR-C242
    Mar 13 12:51:59 :501065:  <DBUG> |stm|  Sending STA 70:56:81:ae:ec:99 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0xd50, wmm:1, rsn_cap:0
    Mar 13 12:51:59 :500511:  <DBUG> |mobileip|  Station 70:56:81:ae:ec:99, 0.0.0.0: Received association on ESSID: eduroam Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name SMR-C242 Group AP-GROUP-SMR BSSID d8:c7:c8:16:91:f6, phy g, VLAN 3408
    Mar 13 12:51:59 :522035:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station UP: BSSID=d8:c7:c8:16:91:f6 ESSID=eduroam VLAN=3408 AP-name=SMR-C242
    Mar 13 12:51:59 :522044:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station authenticate(start): method=802.1x, role=eduroam-authenticated/eduroam-authenticated/, VLAN=3408/3408/0/0/0, Derivation=1/0, Value Pair=0 
    Mar 13 12:51:59 :522049:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=N/A User role updated, existing Role=eduroam-authenticated/eduroam-authenticated, new Role=eduroam-authenticated/eduroam-authenticated, reason=Station Authenticated with auth type: 4
    Mar 13 12:51:59 :522050:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=N/A User data downloaded to datapath, new Role=eduroam-authenticated/95, bw Contract=0/0,reason=Download driven by user role setting
    Mar 13 12:51:59 :522029:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station authenticate: method=802.1x, role=eduroam-authenticated/eduroam-authenticated/, VLAN=3408/3408/0/0/0, Derivation=1/0, Value Pair=0 
    Mar 13 12:52:17 :501095:  <NOTI> |stm|  Assoc request @ 12:52:17.521068: 70:56:81:ae:ec:99 (SN 1633): AP 10.250.30.144-d8:c7:c8:16:91:f6-SMR-C242
    Mar 13 12:52:17 :501100:  <NOTI> |stm|  Assoc success @ 12:52:17.521762: 70:56:81:ae:ec:99: AP 10.250.30.144-d8:c7:c8:16:91:f6-SMR-C242
    Mar 13 12:52:17 :501065:  <DBUG> |stm|  Sending STA 70:56:81:ae:ec:99 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0xd50, wmm:1, rsn_cap:0
    Mar 13 12:52:17 :500511:  <DBUG> |mobileip|  Station 70:56:81:ae:ec:99, 0.0.0.0: Received association on ESSID: eduroam Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name SMR-C242 Group AP-GROUP-SMR BSSID d8:c7:c8:16:91:f6, phy g, VLAN 3408
    Mar 13 12:52:17 :522035:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station UP: BSSID=d8:c7:c8:16:91:f6 ESSID=eduroam VLAN=3408 AP-name=SMR-C242
    Mar 13 12:52:17 :522044:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station authenticate(start): method=802.1x, role=eduroam-authenticated/eduroam-authenticated/, VLAN=3408/3408/0/0/0, Derivation=1/0, Value Pair=0 
    Mar 13 12:52:17 :522049:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=N/A User role updated, existing Role=eduroam-authenticated/eduroam-authenticated, new Role=eduroam-authenticated/eduroam-authenticated, reason=Station Authenticated with auth type: 4
    Mar 13 12:52:17 :522050:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=N/A User data downloaded to datapath, new Role=eduroam-authenticated/95, bw Contract=0/0,reason=Download driven by user role setting
    Mar 13 12:52:17 :522029:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station authenticate: method=802.1x, role=eduroam-authenticated/eduroam-authenticated/, VLAN=3408/3408/0/0/0, Derivation=1/0, Value Pair=0 
    Mar 13 12:53:15 :501095:  <NOTI> |stm|  Assoc request @ 12:53:15.613631: 70:56:81:ae:ec:99 (SN 1961): AP 10.250.30.144-d8:c7:c8:16:91:f6-SMR-C242
    Mar 13 12:53:15 :501100:  <NOTI> |stm|  Assoc success @ 12:53:15.614291: 70:56:81:ae:ec:99: AP 10.250.30.144-d8:c7:c8:16:91:f6-SMR-C242
    Mar 13 12:53:15 :501065:  <DBUG> |stm|  Sending STA 70:56:81:ae:ec:99 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0xd50, wmm:1, rsn_cap:0
    Mar 13 12:53:15 :500511:  <DBUG> |mobileip|  Station 70:56:81:ae:ec:99, 0.0.0.0: Received association on ESSID: eduroam Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name SMR-C242 Group AP-GROUP-SMR BSSID d8:c7:c8:16:91:f6, phy g, VLAN 3408
    Mar 13 12:53:15 :522035:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station UP: BSSID=d8:c7:c8:16:91:f6 ESSID=eduroam VLAN=3408 AP-name=SMR-C242
    Mar 13 12:53:15 :522044:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station authenticate(start): method=802.1x, role=eduroam-authenticated/eduroam-authenticated/, VLAN=3408/3408/0/0/0, Derivation=1/0, Value Pair=0 
    Mar 13 12:53:15 :522049:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=N/A User role updated, existing Role=eduroam-authenticated/eduroam-authenticated, new Role=eduroam-authenticated/eduroam-authenticated, reason=Station Authenticated with auth type: 4
    Mar 13 12:53:15 :522050:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=N/A User data downloaded to datapath, new Role=eduroam-authenticated/95, bw Contract=0/0,reason=Download driven by user role setting
    Mar 13 12:53:15 :522029:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station authenticate: method=802.1x, role=eduroam-authenticated/eduroam-authenticated/, VLAN=3408/3408/0/0/0, Derivation=1/0, Value Pair=0 
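
One way to flag the loop visible in the log above (repeated "Assoc success" for the same client while every following line still shows IP=N/A), as an added example that is not part of the original post or of any Aruba tooling. The message ID 501100 and the IP= field are taken from the log; the thresholds, the `year` argument and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, shortened but in the same format as the thread's log.
SAMPLE = """\
Mar 13 12:50:12 :522050:  <INFO> |authmgr|  MAC=02:00:00:00:00:01,IP=10.0.0.16 User data downloaded to datapath
Mar 13 12:51:59 :501100:  <NOTI> |stm|  Assoc success @ 12:51:59.327746: 02:00:00:00:00:01: AP 10.0.0.144-02:00:00:00:aa:01-AP-1
Mar 13 12:51:59 :522049:  <INFO> |authmgr|  MAC=02:00:00:00:00:01,IP=N/A User role updated
Mar 13 12:52:05 :501100:  <NOTI> |stm|  Assoc success @ 12:52:05.100000: 02:00:00:00:00:02: AP 10.0.0.144-02:00:00:00:aa:01-AP-1
Mar 13 12:52:07 :522050:  <INFO> |authmgr|  MAC=02:00:00:00:00:02,IP=10.0.0.20 User data downloaded to datapath
Mar 13 12:52:17 :501100:  <NOTI> |stm|  Assoc success @ 12:52:17.521762: 02:00:00:00:00:01: AP 10.0.0.144-02:00:00:00:aa:01-AP-1
Mar 13 12:52:17 :522049:  <INFO> |authmgr|  MAC=02:00:00:00:00:01,IP=N/A User role updated
Mar 13 12:53:15 :501100:  <NOTI> |stm|  Assoc success @ 12:53:15.614291: 02:00:00:00:00:01: AP 10.0.0.144-02:00:00:00:aa:01-AP-1
Mar 13 12:53:15 :522049:  <INFO> |authmgr|  MAC=02:00:00:00:00:01,IP=N/A User role updated
"""

LINE = re.compile(r"^\s*(\w{3}\s+\d+\s[\d:]{8}) :(\d+):")         # timestamp, message ID
MAC = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)     # first MAC = client
IP = re.compile(r"IP=\d{1,3}(?:\.\d{1,3}){3}")                    # "IP=N/A" does not match

def stalled_clients(log_text, min_cycles=3, window_s=180, year=2013):
    """Return {mac: [assoc times]} for clients that associated at least
    min_cycles times within window_s seconds without an IP being logged
    for them after any of those associations (heuristic, assumed thresholds)."""
    cycles = defaultdict(list)              # mac -> [[assoc_time, saw_ip], ...]
    for line in log_text.splitlines():
        head, mac = LINE.match(line), MAC.search(line)
        if not head or not mac:
            continue
        # Syslog lines carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {head.group(1)}", "%Y %b %d %H:%M:%S")
        client = mac.group(0).lower()
        if head.group(2) == "501100":       # "Assoc success": a new cycle starts
            cycles[client].append([ts, False])
        elif cycles[client] and IP.search(line):
            cycles[client][-1][1] = True    # this cycle got as far as an IP
    flagged = {}
    for client, seq in cycles.items():
        run = []
        for ts, saw_ip in seq:
            run = [] if saw_ip else run + [ts]
            run = [t for t in run if (ts - t).total_seconds() <= window_s]
            if len(run) >= min_cycles:
                flagged[client] = run
    return flagged

if __name__ == "__main__":
    for client, times in stalled_clients(SAMPLE).items():
        print(client, [t.strftime("%H:%M:%S") for t in times])
```

Run over a saved `show log user-debug` capture, this narrows a fleet-wide log down to the clients showing the behaviour reported here, which can then be compared by OS version.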

     



  • 2.  RE: Apple 802.1x slow association

    Posted Mar 14, 2013 07:38 AM

    You can try to enable the "Validate PMKID" option in the 802.1x Authentication Profile. In our environment it helped with MacBook issues.



  • 3.  RE: Apple 802.1x slow association

    MVP EXPERT
    Posted Mar 14, 2013 03:41 PM

    Do you see anything when running show auth-tracebuf? It might also hold some clues as to what is going on...



  • 4.  RE: Apple 802.1x slow association

    Posted Mar 15, 2013 02:59 AM

    I have been trying to get to the bottom of this and pulling my hair out whilst trying to make sense of sys logs.

     

    I have three macs on my test bench.

     

    1. Mac Air 2012 - Mountain Lion 10.8.2 latest updates efi etc
    2. Mac Pro 2012 - Lion 10.7.5 latest updates efi etc
    3. iMac 2011 - 10.7.4 Lion

     

    Machine 3 is the only one which consistently connects without complaint every time. I would have been happier if the hardware was identical, but it's all I could lay my hands on, as most if not all our Apple devices have been updated.

     

    I am surprised other institutions haven't experienced this issue and especially so as the shift towards Apple devices is starting to tip the balance.