Apple devices unable to authenticate with RSA token after the caching period is over
09-12-2012 05:30 PM
Apple devices like iOS, iPhone, Mac laptops are not able to authenticate to 802.1x with RSA token once the caching period is over. These devices are not prompted for a password after the cache period. Instead the devices automatically use the cached credentials and try to log in. However, this login will fail, since the token has already expired.
Re: Apple devices unable to authenticate with RSA token after the caching period is over
09-12-2012 05:50 PM
Are you using EAP-GTC to an RSA server?
How long is your token caching period?
What supplicant are you using on your clients?
What encryption?
Did you enable user debug to see what is happening?
What version of ArubaOS?
Colin Joseph
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
Re: Apple devices unable to authenticate with RSA token after the caching period is over
09-12-2012 06:12 PM
Thank you for your response.
Yes, the customer has enabled EAP-GTC on the controller and enabled token caching for 12 hrs.
The 802.1x authentication with RSA token works perfectly on the Windows machine with the GTC plugin. The current issue is only related to Apple devices like Mac laptops and iPhones, where the users, after authenticating with the initial token, remain active for 12 hrs. After that, they are not prompted for a password. Instead they use the cached token as the password and authentication fails since that token has already expired.
No debugging has been done as of now.
As per one of the documents, I have suggested that the customer enable the "user per connection" parameter on the iPhones that are used for RSA token, enabling the customer to enter the password after the cache period is over. But the customer has informed me that it still did not work.
Kindly assist.
Re: Apple devices unable to authenticate with RSA token after the caching period is over
09-12-2012 08:32 PM
So,
This is how it works:
Once you put in the username and password for the Mac or iPhone, it uses it forever.
When you use token caching on the controller, it will only send the first authentication to the RSA server and not send any further authentication traffic for the token caching period (12 hours in this case). The iPhone/Mac can roam, as long as it keeps submitting the username and password that was put in the first time.
When the token caching period expires, the controller will then pass through the username and password to the RSA server. Your Mac and iPhone, by default, will continue sending the old username and password and fail.
Needless to say, it is not good for this to occur during the day, so you might want to extend the token caching period as an initial workaround to see if things improve.
The real problem is that the iPhone and Mac supplicants, after the token caching period expiry, do not gracefully ask for a different username and password when they fail authentication.
The per-user connection config *might* work, but once again, it might ask every time the device goes to sleep, which might not be practical...
Colin Joseph
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
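The sequence described in the reply above can be reproduced with a small model, added here as an illustration; it is not Aruba's or RSA's code. The `Controller` class, the `tokencode` stand-in (not the SecurID algorithm), the 60-second code lifetime, the user name and the `prompts_on_failure` flag are all assumptions made for the example.

```python
import hashlib
import hmac

SEED = b"constructed-demo-seed"   # constructed value, not a real token seed
STEP = 60                          # assumed tokencode lifetime in seconds

def tokencode(now):
    """Stand-in one-time code for the time step containing `now`."""
    mac = hmac.new(SEED, str(now // STEP).encode(), hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)

def rsa_server_accepts(code, now):
    """Stub token server: only the code for the current time step is valid."""
    return hmac.compare_digest(code, tokencode(now))

class Controller:
    """Hypothetical model of controller-side token caching."""
    def __init__(self, cache_seconds):
        self.cache_seconds = cache_seconds
        self.cache = {}                      # user -> (sha256 of passcode, expiry)

    def authenticate(self, user, code, now):
        digest = hashlib.sha256(code.encode()).digest()
        entry = self.cache.get(user)
        if entry and now < entry[1] and hmac.compare_digest(entry[0], digest):
            return "cache-hit"               # token server is not contacted
        if rsa_server_accepts(code, now):    # no valid cache entry: pass through
            self.cache[user] = (digest, now + self.cache_seconds)
            return "rsa-accept"
        return "rsa-reject"

def replay_timeline(cache_hours, reauth_hours, prompts_on_failure=False):
    """Supplicant saves the first passcode and replays it at each reauth time."""
    ctrl = Controller(cache_hours * 3600)
    saved = tokencode(0)                     # user types the code once at t=0
    results = []
    for h in reauth_hours:
        now = round(h * 3600)
        outcome = ctrl.authenticate("alice", saved, now)
        if outcome == "rsa-reject" and prompts_on_failure:
            saved = tokencode(now)           # user is prompted, enters a fresh code
            outcome = ctrl.authenticate("alice", saved, now)
        results.append((h, outcome))
    return results

if __name__ == "__main__":
    for row in replay_timeline(12, [0, 4, 11.9, 12.1, 13]):
        print(row)
```

With a 12-hour cache the replayed passcode is accepted from cache until the entry expires and is rejected by the token server afterwards; a longer cache period only moves that point, while a supplicant that prompts again on failure recovers immediately.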