Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Apple devices unable to authenticate with RSA token after the caching period is over

  • 1.  Apple devices unable to authenticate with RSA token after the caching period is over

    Posted Sep 12, 2012 08:31 PM

    Apple devices like iOS iPhones and Mac laptops are not able to authenticate to 802.1X with an RSA token once the caching period is over. These devices are not prompted for a password after the cache period. Instead, the devices automatically use the cached credentials and try to log in. However, this login fails, since the token has already expired.



  • 2.  RE: Apple devices unable to authenticate with RSA token after the caching period is over

    EMPLOYEE
    Posted Sep 12, 2012 08:51 PM

    Are you using EAP-GTC to an RSA server?

    How long is your token caching period?

    What supplicant are you using on your clients?

    What encryption?

    Did you enable user debug to see what is happening?

    What version of ArubaOS?



  • 3.  RE: Apple devices unable to authenticate with RSA token after the caching period is over

    Posted Sep 12, 2012 09:13 PM

    Thank you for your response.

    Yes, the customer has enabled EAP-GTC on the controller and enabled token caching for 12 hrs.

    The 802.1X authentication with RSA token works perfectly on Windows machines with the GTC plugin. The current issue is only related to Apple devices like Mac laptops and iPhones, where the users, after authenticating with the initial token, remain active for 12 hrs. After that, they are not prompted for a password. Instead they use the cached token as the password and authentication fails since that token has already expired.

    No debugging has been done as of now.

    As per one of the documents, I have suggested that the customer enable the "user per connection" parameter on the iPhones that are used for RSA token, enabling the customer to enter a password after the cache period is over. But the customer has informed me that it still did not work.

    Kindly assist.



  • 4.  RE: Apple devices unable to authenticate with RSA token after the caching period is over

    EMPLOYEE
    Posted Sep 12, 2012 11:32 PM

    So,

    This is how it works:

    Once you put in the username and password for the Mac or iPhone, it uses it forever.

    When you use token caching on the controller, it will only send the first authentication to the RSA server and not send any further authentication traffic for the token caching period (12 hours in this case). The iPhone/Mac can roam, as long as it keeps submitting the username and password that was put in the first time.

    When the token caching period expires, the controller will then pass through the username and password to the RSA server. Your Mac and iPhone, by default, will continue sending the old username and password and fail.

    Needless to say, it is not good for this to occur during the day, so you might want to extend the token caching period as an initial workaround to see if things improve.

    The real problem is that the iPhone and Mac supplicants, after the token caching period expiry, do not gracefully ask for a different username and password when they fail authentication.

    The per-user connection config *might* work, but once again, it might ask every time the device goes to sleep, which might not be practical...
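The timeline described in this reply, replayed as an added Python simulation. This is illustration code written for this thread, not ArubaOS or RSA code: the controller-side cache, the 12-hour period, and a supplicant that keeps resending whatever it was first given are modelled as the reply describes them, while the token server is a stub that accepts only the value current at the time of the request, using a hypothetical HMAC-based time token with a constructed seed in place of a real SecurID algorithm. The server's request counter shows where traffic actually goes, and the final step shows what a supplicant that re-prompts for a fresh token would see at the same instant.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

TOKEN_STEP = 60            # seconds per token value (assumed, for the stand-in token)
CACHE_PERIOD = 12 * 3600   # token caching period from the thread: 12 hours
USER_SEED = b"constructed-demo-seed"  # constructed per-user token seed, not a real secret


def token_at(seed: bytes, now: int) -> str:
    """Stand-in for a time-based hardware token: 8 digits from HMAC(seed, time step).
    This is an assumption for the demo, not RSA SecurID's algorithm."""
    step = (now // TOKEN_STEP).to_bytes(8, "big")
    digest = hmac.new(seed, step, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 100_000_000:08d}"


class TokenServerStub:
    """Stand-in for the RSA server: accepts only the token value current at 'now'."""

    def __init__(self, seeds: dict):
        self.seeds = seeds
        self.requests = 0  # how many times the controller contacted the server

    def verify(self, user: str, otp: str, now: int) -> bool:
        self.requests += 1
        seed = self.seeds.get(user)
        return seed is not None and hmac.compare_digest(otp, token_at(seed, now))


@dataclass
class CacheEntry:
    digest: bytes   # salted hash of the accepted credential, never the credential itself
    expires: int    # absolute time after which the cached entry is no longer honoured


class CachingController:
    """Models controller-side token caching as the reply above describes it."""

    def __init__(self, server: TokenServerStub, period: int = CACHE_PERIOD):
        self.server = server
        self.period = period
        self.cache: dict[str, CacheEntry] = {}
        self.salt = os.urandom(16)

    def _digest(self, credential: str) -> bytes:
        return hashlib.sha256(self.salt + credential.encode()).digest()

    def authenticate(self, user: str, credential: str, now: int) -> bool:
        entry = self.cache.get(user)
        if entry is not None and now < entry.expires:
            # Inside the caching period: no traffic to the token server; the
            # resubmitted credential is simply compared with the cached one.
            return hmac.compare_digest(self._digest(credential), entry.digest)
        # Cache miss or expired: pass the credential through to the token server.
        self.cache.pop(user, None)
        if self.server.verify(user, credential, now):
            self.cache[user] = CacheEntry(self._digest(credential), now + self.period)
            return True
        return False


def run_scenario() -> dict:
    """Replays the thread's timeline with a supplicant that resends its first credential."""
    server = TokenServerStub({"alice": USER_SEED})
    controller = CachingController(server)
    # The supplicant stores whatever was typed at t=0 and resubmits it unchanged.
    remembered = token_at(USER_SEED, 0)
    results = {}
    results["initial_login"] = controller.authenticate("alice", remembered, now=0)
    results["roam_after_1h"] = controller.authenticate("alice", remembered, now=3600)
    results["server_requests_so_far"] = server.requests  # still 1: the roam was served from cache
    # Just past 12 hours the cache entry is gone, the stale value reaches the server and is rejected.
    late = CACHE_PERIOD + 1
    results["stale_after_expiry"] = controller.authenticate("alice", remembered, now=late)
    # A supplicant that prompts for a fresh token at that point succeeds and is cached again.
    results["fresh_after_expiry"] = controller.authenticate("alice", token_at(USER_SEED, late), now=late)
    results["server_requests_total"] = server.requests
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Running it shows one server request for the initial login, none for the roam an hour later, a rejection when the remembered value is passed through after the 12-hour period, and a success at the same instant with a fresh token. The cache stores only a salted hash of the accepted credential, which is the check a defender would want on any such cache: extending the caching period, as suggested above, lengthens the window in which that one value keeps working, so the cache must never hold the credential in the clear.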