Aruba Employee
Posts: 2
Registered: ‎09-12-2012

Apple devices unable to authenticate with RSA token after the caching period is over

Apple devices like iOS, iPhone, and Mac laptops are not able to authenticate to 802.1X with an RSA token once the caching period is over. These devices are not prompted for a password after the cache period. Instead, the devices automatically use the cached credentials and try to log in. However, this login will fail, since the token has already expired.

Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: Apple devices unable to authenticate with RSA token after the caching period is over

Are you using EAP-GTC to an RSA server?

How long is your token caching period?  

What supplicant are you using on your clients?

What encryption? 

Did you enable user debug to see what is happening?  

What version of ArubaOS?

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba Employee
Posts: 2
Registered: ‎09-12-2012

Re: Apple devices unable to authenticate with RSA token after the caching period is over

Thank you for your response.

 

Yes, the customer has enabled EAP-GTC on the controller and enabled token caching for 12 hrs.

 

The 802.1X authentication with RSA token works perfectly on the Windows machine with the GTC plugin. The current issue is only related to Apple devices like Mac laptops and iPhones, where the users enter or authenticate with the initial token and remain active for 12 hrs. After that, they are not prompted for a password. Instead, they use the cached token as the password, and authentication fails since that token has already expired.

 

No debugging is done as of now.

 

As per one of the documents, I have suggested that the customer enable the "user per connection" parameter on the iPhones used for the RSA token, enabling the customer to enter a password after the cache period is over. But the customer has informed me that it still did not work.

 

Kindly assist.

Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: Apple devices unable to authenticate with RSA token after the caching period is over

So,

 

This is how it works:

 

Once you put in the username and password for the Mac or iPhone, it uses it forever.

 

When you use token caching on the controller, it will only send the first authentication to the RSA server and not send any further authentication traffic for the token caching period (12 hours in this case). The iPhone/Mac can roam, as long as it keeps submitting the username and password that was put in the first time.

 

When the token caching period expires, the controller will then pass through the username and password to the RSA server. Your Mac and iPhone, by default, will continue sending the old username and password and fail.

 

Needless to say, it is not good for this to occur during the day, so you might want to extend the token caching period as an initial workaround to see if things improve.

 

The real problem is that the iPhone and Mac supplicant, after the token caching period expiry, does not gracefully ask for a different username and password when it fails authentication.

 

The per-user connection config *might* work, but once again, it might ask every time the device goes to sleep, which might not be practical...

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
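The sequence described in the reply above, modelled as an added example (not part of the thread, and not ArubaOS or RSA code). `ToyTokenServer` and `CachingController` are hypothetical names; the one-use passcodes, the hashed cache entry, and the sample user and codes are assumptions made for the model.

```python
import hashlib
import hmac

CACHE_TTL = 12 * 3600  # token caching period from the thread: 12 hours

class ToyTokenServer:
    """Stand-in for the RSA server (assumption): each passcode works once."""
    def __init__(self, valid_codes):
        self.valid = {user: set(codes) for user, codes in valid_codes.items()}

    def verify(self, user, passcode):
        codes = self.valid.get(user, set())
        if passcode in codes:
            codes.discard(passcode)  # a used passcode can never be replayed
            return True
        return False

class CachingController:
    """Model of controller-side token caching, not the real implementation."""
    def __init__(self, server, ttl=CACHE_TTL):
        self.server, self.ttl = server, ttl
        self.cache = {}  # user -> (digest of accepted credentials, expiry)

    @staticmethod
    def _digest(user, passcode):
        return hashlib.sha256(f"{user}:{passcode}".encode()).hexdigest()

    def authenticate(self, user, passcode, now):
        entry = self.cache.get(user)
        if entry and now < entry[1]:
            # Inside the caching period: answered locally, server not contacted.
            ok = hmac.compare_digest(entry[0], self._digest(user, passcode))
            return ("cache", ok)
        self.cache.pop(user, None)  # expired or absent: pass through to server
        ok = self.server.verify(user, passcode)
        if ok:
            self.cache[user] = (self._digest(user, passcode), now + self.ttl)
        return ("server", ok)

def replay_timeline():
    server = ToyTokenServer({"alice": ["111111", "222222"]})  # constructed data
    ctrl = CachingController(server)
    stored = "111111"  # passcode the supplicant saved at first login
    return [
        ctrl.authenticate("alice", stored, 0),           # first login
        ctrl.authenticate("alice", stored, 6 * 3600),    # roam inside period
        ctrl.authenticate("alice", stored, 13 * 3600),   # stale replay
        ctrl.authenticate("alice", "222222", 13 * 3600 + 60),  # fresh passcode
    ]
```

The third entry is the failure from the thread: the supplicant replays its saved passcode after the cache has expired, the request reaches the token server, and the already-used code is rejected until the user supplies a new one.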
