We've been getting reports from Surface 2 RT and Pro users on campus reporting that our SSID with EAP-PEAP authentication hasn't been working for them. They successfully complete EAP authentication, get assigned to the correct VLAN, and the Surface 2 seems to stop sending packets. This often results in the device self assigning itself an autogenerated IP. The users report the captive portal network on the same AP hardware works perfectly fine.
I bought a Surface 2 RT tablet and spent the day confirming the following:
Pre-N AP (61 and 65) if SSID is captive portal/open system and WMM is ENABLED: Surface 2 is fine
Pre-N AP (61 and 65) if SSID is WPA2/EAP and WMM is disabled: Surface 2 is fine
Pre-N AP (61 and 65) if SSID is WPA2/EAP and WMM is ENABLED: Surface 2 is BORKED
N AP (105) if SSID is WPA2/EAP and WMM is ENABLED: Surface 2 is fine
The Surface 2 line falls flat on it's face if ALL of the following is true:
- Client is connected to an AP 61 or 65 (either a or b/g)
- SSID is WPA2 authenicated
- WMM is enabled
Disabling WMM for the WPA2 SSID restores connectivity to the Surface 2 tablet. No other toggle I've found in the SSID profile has made a difference so far. The Surface 1 Pro I have on hand doesn't exhibit this issue and the complaints seem to all be Surface 2 Pro and RT devices.
We're running 6.3.1.2 on our controllers and the Surface 2 RT device I'm testing with exhibits the behavior out of the box and also after every possible update offered in PC Settings is installed.
From my understanding disabling WMM causes problems for Apple devices which far far outnumber Surface devices so that's a non-option even as a temporary workaround.
Has anyone else seen this?