Wireless Access

Reply
New Contributor

Apple 802.1x slow association

Hey,

 

Strange problem that only affects MacBooks. When coming out of sleep/standby or roaming between APs, the Mac Book devices get stuck during the 802.1x authentication process and will either get the self assigned 169 address or continuously try to authenticate.

 

This can occasionally be solved by turning the wifi interface off and on or manually stopping and starting the 802.1x process on the Mac

 

(S3-MASTER) #show log user-debug 30 | include 70:56:81:ae:ec:99
Mar 13 12:50:12 :522049:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=10.250.49.16 User role updated, existing Role=eduroam-authenticated/eduroam-authenticated, new Role=eduroam-authenticated/eduroam-authenticated, reason=User already authenticated, so retaining his role
Mar 13 12:50:12 :522050:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=10.250.49.16 User data downloaded to datapath, new Role=eduroam-authenticated/95, bw Contract=0/0,reason=New user IP processing
Mar 13 12:50:12 :522038:  <INFO> |authmgr|  username=21209508@student.abc.ac.uk MAC=70:56:81:ae:ec:99 IP=10.250.49.16 Authentication result=Authentication Successful method=radius-accounting server=radius01.abc.ac.uk
Mar 13 12:51:59 :501095:  <NOTI> |stm|  Assoc request @ 12:51:59.327063: 70:56:81:ae:ec:99 (SN 1480): AP 10.250.30.144-d8:c7:c8:16:91:f6-SMR-C242
Mar 13 12:51:59 :501100:  <NOTI> |stm|  Assoc success @ 12:51:59.327746: 70:56:81:ae:ec:99: AP 10.250.30.144-d8:c7:c8:16:91:f6-SMR-C242
Mar 13 12:51:59 :501065:  <DBUG> |stm|  Sending STA 70:56:81:ae:ec:99 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0xd50, wmm:1, rsn_cap:0
Mar 13 12:51:59 :500511:  <DBUG> |mobileip|  Station 70:56:81:ae:ec:99, 0.0.0.0: Received association on ESSID: eduroam Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name SMR-C242 Group AP-GROUP-SMR BSSID d8:c7:c8:16:91:f6, phy g, VLAN 3408
Mar 13 12:51:59 :522035:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station UP: BSSID=d8:c7:c8:16:91:f6 ESSID=eduroam VLAN=3408 AP-name=SMR-C242
Mar 13 12:51:59 :522044:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station authenticate(start): method=802.1x, role=eduroam-authenticated/eduroam-authenticated/, VLAN=3408/3408/0/0/0, Derivation=1/0, Value Pair=0 
Mar 13 12:51:59 :522049:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=N/A User role updated, existing Role=eduroam-authenticated/eduroam-authenticated, new Role=eduroam-authenticated/eduroam-authenticated, reason=Station Authenticated with auth type: 4
Mar 13 12:51:59 :522050:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=N/A User data downloaded to datapath, new Role=eduroam-authenticated/95, bw Contract=0/0,reason=Download driven by user role setting
Mar 13 12:51:59 :522029:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station authenticate: method=802.1x, role=eduroam-authenticated/eduroam-authenticated/, VLAN=3408/3408/0/0/0, Derivation=1/0, Value Pair=0 
Mar 13 12:52:17 :501095:  <NOTI> |stm|  Assoc request @ 12:52:17.521068: 70:56:81:ae:ec:99 (SN 1633): AP 10.250.30.144-d8:c7:c8:16:91:f6-SMR-C242
Mar 13 12:52:17 :501100:  <NOTI> |stm|  Assoc success @ 12:52:17.521762: 70:56:81:ae:ec:99: AP 10.250.30.144-d8:c7:c8:16:91:f6-SMR-C242
Mar 13 12:52:17 :501065:  <DBUG> |stm|  Sending STA 70:56:81:ae:ec:99 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0xd50, wmm:1, rsn_cap:0
Mar 13 12:52:17 :500511:  <DBUG> |mobileip|  Station 70:56:81:ae:ec:99, 0.0.0.0: Received association on ESSID: eduroam Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name SMR-C242 Group AP-GROUP-SMR BSSID d8:c7:c8:16:91:f6, phy g, VLAN 3408
Mar 13 12:52:17 :522035:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station UP: BSSID=d8:c7:c8:16:91:f6 ESSID=eduroam VLAN=3408 AP-name=SMR-C242
Mar 13 12:52:17 :522044:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station authenticate(start): method=802.1x, role=eduroam-authenticated/eduroam-authenticated/, VLAN=3408/3408/0/0/0, Derivation=1/0, Value Pair=0 
Mar 13 12:52:17 :522049:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=N/A User role updated, existing Role=eduroam-authenticated/eduroam-authenticated, new Role=eduroam-authenticated/eduroam-authenticated, reason=Station Authenticated with auth type: 4
Mar 13 12:52:17 :522050:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=N/A User data downloaded to datapath, new Role=eduroam-authenticated/95, bw Contract=0/0,reason=Download driven by user role setting
Mar 13 12:52:17 :522029:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station authenticate: method=802.1x, role=eduroam-authenticated/eduroam-authenticated/, VLAN=3408/3408/0/0/0, Derivation=1/0, Value Pair=0 
Mar 13 12:53:15 :501095:  <NOTI> |stm|  Assoc request @ 12:53:15.613631: 70:56:81:ae:ec:99 (SN 1961): AP 10.250.30.144-d8:c7:c8:16:91:f6-SMR-C242
Mar 13 12:53:15 :501100:  <NOTI> |stm|  Assoc success @ 12:53:15.614291: 70:56:81:ae:ec:99: AP 10.250.30.144-d8:c7:c8:16:91:f6-SMR-C242
Mar 13 12:53:15 :501065:  <DBUG> |stm|  Sending STA 70:56:81:ae:ec:99 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0xd50, wmm:1, rsn_cap:0
Mar 13 12:53:15 :500511:  <DBUG> |mobileip|  Station 70:56:81:ae:ec:99, 0.0.0.0: Received association on ESSID: eduroam Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name SMR-C242 Group AP-GROUP-SMR BSSID d8:c7:c8:16:91:f6, phy g, VLAN 3408
Mar 13 12:53:15 :522035:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station UP: BSSID=d8:c7:c8:16:91:f6 ESSID=eduroam VLAN=3408 AP-name=SMR-C242
Mar 13 12:53:15 :522044:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station authenticate(start): method=802.1x, role=eduroam-authenticated/eduroam-authenticated/, VLAN=3408/3408/0/0/0, Derivation=1/0, Value Pair=0 
Mar 13 12:53:15 :522049:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=N/A User role updated, existing Role=eduroam-authenticated/eduroam-authenticated, new Role=eduroam-authenticated/eduroam-authenticated, reason=Station Authenticated with auth type: 4
Mar 13 12:53:15 :522050:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99,IP=N/A User data downloaded to datapath, new Role=eduroam-authenticated/95, bw Contract=0/0,reason=Download driven by user role setting
Mar 13 12:53:15 :522029:  <INFO> |authmgr|  MAC=70:56:81:ae:ec:99 Station authenticate: method=802.1x, role=eduroam-authenticated/eduroam-authenticated/, VLAN=3408/3408/0/0/0, Derivation=1/0, Value Pair=0 

 

Occasional Contributor I

Re: Apple 802.1x slow association

You can try to enable "Validate PMKID" option from 802.1x Authentication Profile. In our environment it helped for Macbook issues. 

Re: Apple 802.1x slow association

Do you see anything when running show auth-tracebuf might also hold some clues as to what is going on...

ACMA, ACMP
If my post addresses your query, give kudos:)
New Contributor

Re: Apple 802.1x slow association

I have been trying to get to the bottom of this and pulling my hair out whilst trying to make sense of sys logs.

 

I have three macs on my test bench.

 

1. Mac Air 2012 - Mountain Lion 10.8.2 latest updates efi etc 2. Mac Pro 2012 - Lion 10.7.5 latest updates efi etc 3. iMac 2011 - 10.7.4 Lion

 

Machine 3 is the only one which consistently connects without complaint every time. I would of have been happier if the hardware was identical but it's all I could lay my hands on as most if not all our Apple devices have been updated.

 

I am surprised other institutions haven't experienced this issue and especially so as the shift towards Apple devices is starting to tip the balance.

 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: