Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

  • 1.  OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    Posted Jul 10, 2015 04:14 AM

    Hi,

     

    I have a problem with the iOS and OSX updates.

    After I did these updates, I can't connect to any WPA2 enterprise 802.1x network anymore.

    Controller Model / AP Model: Aruba7210 / AP115
    ArubaOS Version: 6.4.2.5

    The network authentication in my case is terminating on the controller (EAP-PEAP / mschapv2) and uses a server group which has internal db and radius in it.

    On another network which uses captive portal L3 authentication, the radius/internal db works.

     

    According to this article : https://developer.apple.com/library/prerelease/mac/releasenotes/General/rn-osx-10.11/ 

    • When negotiating a TLS/SSL connection with Diffie-Hellman key exchange, OS X El Capitan requires a 1024-bit group or larger. OS X El Capitan will not connect to a server that allows negotiation with a 512-bit or smaller group. These connections include:

      • Secure Web (HTTPS)

      • Enterprise Wi-Fi (802.1X)

      • Secure e-mail (IMAP, POP, SMTP)

      • Printing servers (IPPS)

    Is there already any existing known issue with this?

     

    For info, I tested this from a factory reset iPhone and MacBook Pro.

     

    Thank you in advance for your help

     

    Adrien.

     

     

     



  • 2.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    EMPLOYEE
    Posted Jul 10, 2015 08:05 AM
    You should open a TAC case since these operating systems are beta.


    Thanks,
    Tim


  • 3.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    Posted Jul 10, 2015 04:39 PM

    Don't know that TAC would/should support a BETA OS.

     

    For what it's worth I'm experiencing the same. Device won't connect to any 802.1X networks.

     

    Capturing_from_Wi-Fi__en0.jpg



  • 4.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    EMPLOYEE
    Posted Jul 10, 2015 04:47 PM

    The factory securelogin and instant.arubanetworks.com certificates are only 1024. Those should never be used in production. You should acquire your own certificate, 2048 or higher.



  • 5.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    Posted Jul 20, 2015 01:04 PM

    I am seeing the factory provided certs as 2048...We actually use 2048 bit Thawte certs for our radius.

    Is it safe to assume that Aruba will not field inquiries until IOS9 and OSX10.11 become official releases?

     

    securelogin.png



  • 6.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x
    Best Answer

    EMPLOYEE
    Posted Jul 20, 2015 01:07 PM
    AFAIK, the issue is that the controllers don't support TLS 1.2 for EAP. This
    issue only comes into play when you're using termination.



    Are you able to terminate on your RADIUS server?


  • 7.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    Posted Jul 20, 2015 01:15 PM
    No, I can't terminate in the server. Is it supposed to be unsupported?


  • 8.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    Posted Jul 20, 2015 01:21 PM

    No we terminate directly to the radius servers.  We are seeing similar issues with the clients not able to stay connected to the AP / network.  Not sure I want to put much effort into this at this time, I was just probing on the possible cert challenge as we just renewed the server certs

     

    Thx.



  • 9.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    Posted Jul 23, 2015 12:33 PM

    Is there a timeline for TLS 1.2 Support on the Controllers? Surely this won't be a reactive deployment. 



  • 10.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    Posted Jul 10, 2015 05:02 PM
    In fact, that's what I'm using for the certificates.
    But if it is 1024 (and I think it is) it should be supported.
    I also reported the problem to Apple.


  • 11.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    EMPLOYEE
    Posted Jul 10, 2015 05:06 PM

    You're right. Sorry misread. Thought it said larger than 1028.



  • 12.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    Posted Jul 23, 2015 10:00 AM

    iOS 9 public beta 2 is out now.  I am still unable to connect to 802.1x networks.  We are terminating on separate radius servers with a 4096-bit cert.  Never been a problem before, which makes me wonder if it's just a beta bug in iOS 9.



  • 13.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    EMPLOYEE
    Posted Jul 23, 2015 10:02 AM
    Do your radius servers support TLS 1.2?


    Thanks,
    Tim


  • 14.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x
    Best Answer

    Posted Jul 23, 2015 04:37 PM

    I think this took me like 3 hours of fooling around with it.  Mostly because the newest eapol_test from the wpa supplicant has a bug in it apparently that says the authentication failed even though it really succeeded.

     

    But long story short, updating our radius servers and some required perl modules added TLSv1.2 support and our 802.1x network now works with my phone on iOS9.

     

    Thanks for the pointer in the right direction.
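
An added example, not part of the original posts: since the thread attributes the failures to the EAP server not offering TLS 1.2, this sketch reads the TLS version the server selected from the ServerHello inside a captured PEAP/EAP-TLS Request. The function names and the sample packet are constructed for illustration; the packet layout follows RFC 3748 (EAP header) and RFC 5216 (flags byte and optional 4-byte TLS message length).

```python
import struct

EAP_REQUEST = 1
EAP_METHODS = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def server_hello_version(eap: bytes):
    """Return (eap_method, tls_version) if this EAP Request carries a
    ServerHello, otherwise None."""
    if len(eap) < 6:
        raise ValueError("truncated EAP packet")
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if length < 6 or length > len(eap):
        raise ValueError("bad EAP length field")
    if code != EAP_REQUEST or eap_type not in EAP_METHODS:
        return None
    body = eap[5:length]
    # Flags byte: 0x80 means a 4-byte TLS message length follows.
    offset = 5 if body[0] & 0x80 else 1
    tls = body[offset:]
    # Walk TLS records looking for a handshake record starting a ServerHello.
    while len(tls) >= 5:
        rec_type, _rec_ver, rec_len = struct.unpack("!BHH", tls[:5])
        record = tls[5:5 + rec_len]
        if rec_type == 22 and len(record) >= 6 and record[0] == 2:
            # Handshake: type(1) + length(3) + server_version(2)
            (version,) = struct.unpack("!H", record[4:6])
            return EAP_METHODS[eap_type], TLS_VERSIONS.get(version, hex(version))
        tls = tls[5 + rec_len:]
    return None


def build_sample(version: int) -> bytes:
    """Constructed PEAP Request with a minimal ServerHello (sample data)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    record = struct.pack("!BHH", 22, version, len(handshake)) + handshake
    data = b"\x80" + struct.pack("!I", len(record)) + record
    return struct.pack("!BBHB", EAP_REQUEST, 7, 5 + len(data), 25) + data


if __name__ == "__main__":
    for v in (0x0301, 0x0303):
        print(server_hello_version(build_sample(v)))
```

A server that answers a TLS 1.2 ClientHello with a TLS 1.0 ServerHello here is the situation the replies above describe.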



  • 15.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    Posted Aug 11, 2015 04:49 PM

    +1 for me.

     

    Granted I'm working a few weeks into the future so may be dealing with a different build of 10.11.  That said, I was fighting a MacBook Air over this same issue, uninstalling VPNs, antivirus, etc.; poring over logs... and then I rebooted.

     

    802.1X now works without issue.  Successive reboots, network interface disable/enables, all continue to auth successfully to our X network.



  • 16.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    Posted Nov 23, 2015 08:17 AM

    Can somebody share a step-by-step procedure to solve this issue?

     

    We already have some TAC case open #1788130

     

    Regards

     

    Nimesh



  • 17.  RE: OS X v10.11 - iOS 9 Public Beta Released - Problem 802.1x

    EMPLOYEE
    Posted Nov 23, 2015 08:19 AM

    What RADIUS server are you using?

    Are you using EAP termination?