All,
We've all seen our share of "weird" behaviors with client devices, some more annoying than others, and there never seems to be one place to go to find out if this is a known issue with the client, driver, supplicant, OS, or even AP. Wanted to start a couple of threads around this to start documenting what we in the "field" see with these clients so we can all stop banging our heads against the wall trying to diagnose why some clients have issues while others don't. This one will be for Mac, I will start another for Windows, and another for Linux......should be fun. Please add your input and I will update this as often as possible when new updates are released.

Having trouble with slow connection times or no ability to connect on an 802.1x enabled SSID? Check this out:

MAC WLAN "Apple Menu Extra" (AME): That little WLAN icon in your menubar currently causes some issues with 802.1x authentication, specifically during a key exchange. To build its list of "available networks", a Macbook will go and off-channel scan in the middle of its own dot1x exchange, missing some key exchange packets. In some cases this will result in a long time to finish the key negotiation and thus get an IP address; in many other cases, it will fail to complete the key negotiation at all and never connect. This happens in versions up to 10.5.6. To verify this is your issue, try the following command on the Aruba "show auth-tracebuf mac <MACADDR>", with the macaddr of the client.....notice any key message retrying and never completing? Should see 4 unicast and 2 group if using WPA(2).
To workaround this, try the following:
1. Disable the AME by holding "command", "left-mouse button", and grab the icon and drag onto desktop or by disabling in Network Preferences.
2. Increase "key message retry" count in 802.1x-profile on Aruba (try 3)
3. Increase "delay between Unicast and Group key" in 802.1x-profile on Aruba (100ms works)
Having trouble roaming with a Macbook on an 802.1x enabled SSID?

MacOS up to 10.5.6 does not support Opportunistic Key Caching (OKC), but this is enabled by default in the Aruba 802.1x-profile since it does work on Windows devices. Since Mac does not support this, on a roam, this could cause a significant delay or fail to connect.
To workaround this, try the following:
1. Disable OKC on the Aruba controller in the 802.1x-profile
2. Leave OKC enabled, but select "Validate-PMKID" in the 802.1x-profile....this will instruct the Aruba controller to allow the client to propose a PMKID on association to use for OKC, instead of the Aruba proposing a list of PMKIDs....this should allow a non-OKC enabled client to roam better.
Macs and Mixed Mode SSIDs

I find sometimes with 802.11n deployments that while it requires WPA2-AES (if using encryption), we need to support some legacy encryption like WPA-TKIP, until all APs and Clients are upgraded. Have seen issues with these "mixed-mode" SSIDs. To minimize interoperability issues with clients and especially Macs, try this:
1. Enable the SSID to do all of the following: WPA-TKIP, WPA-AES, WPA2-TKIP, WPA2-AES
2. Enable "allow-weak-encryption"

Connection or Roaming problems when 802.11bgn AND 802.11an are available?

It has been observed in some Macbooks that roaming from 802.11bgn to 802.11an causes some disconnects. The latest Airport update from Mac seems to resolve this. Also, Macbooks usually tend to connect to 802.11bgn instead of 802.11an when the SSID is available on both bands, try "band-steering" out, it works wonders to move that client to the cleaner, higher performing band.

A note on Machine Authentication, or lack thereof

Mac's 802.1x implementation does not have a concept of machine authentication. This is problematic for environments that either need to enforce machine authentication on a WLAN or more commonly, need to have the laptop gain network connectivity even if the user is logged off, i.e., a laptop in a school used by multiple users.
To workaround this if you are "enforcing machine authentication", try this:
1. Statically add the machine's macaddr to the master controller's internal DB, with a role of the "machine" role from your 802.1x-profile.
To workaround this for laptops that are used for multiple users where you need network connectivity when user is logged off, try this:
1. Try setting up a WLAN profile under the "System" account
2. Try EAP-TLS with certificates
A Note on Power Management for the WLAN NIC:

With the exception of the Macbook Air, all Macbooks will NOT use power management function on the WLAN NIC when the power adapter is plugged in, they will use power management when powered via battery. For the Macbook Air, they will ALWAYS use power management function regardless of whether powered via adapter or battery. Desktop Macs with WLAN will NEVER use power management functions. This is important to note for throughput testing purposes.

Wondering what WLAN chipset is in use in your Macbook?

Check out the table at this link:
http://en.gentoo-wiki.com/wiki/Apple_Macbook

Anything else that you've seen out there? Let's make this thread a goto source for these "nuances"!
Thanks,
Austin
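
Added example, not part of the original post: a small Python check for the symptom described in the first item, where key messages retry and the expected 4 unicast and 2 group messages never all appear. The post does not show the output of "show auth-tracebuf", so the line layout and the message labels (`wpa-key1` to `wpa-key4`, `mcast-key1`, `mcast-key2`) used here are assumptions, and the sample traces are constructed.

```python
import re
from collections import Counter

# Expected messages per the post: 4 unicast and 2 group key messages.
# Label names are assumptions made for this example.
EXPECTED = ["wpa-key1", "wpa-key2", "wpa-key3", "wpa-key4",
            "mcast-key1", "mcast-key2"]

# Assumed simplified layout: "<time> <label> <direction> <client-mac>".
# Adapt this pattern to the columns your controller actually prints.
LINE_RE = re.compile(
    r"^\S+\s+(?P<label>\S+)\s+(?:<-|->)\s+(?P<mac>[0-9a-f:]{17})$", re.I)

# Constructed sample: message 3 is retried and message 4 never arrives.
SAMPLE_STALLED = """\
10:12:01 wpa-key1 <- 00:11:22:33:44:55
10:12:01 wpa-key2 -> 00:11:22:33:44:55
10:12:01 wpa-key3 <- 00:11:22:33:44:55
10:12:02 wpa-key3 <- 00:11:22:33:44:55
10:12:03 wpa-key3 <- 00:11:22:33:44:55
"""

# Constructed sample: all six messages seen once.
SAMPLE_OK = """\
10:15:40 wpa-key1 <- 00:11:22:33:44:55
10:15:40 wpa-key2 -> 00:11:22:33:44:55
10:15:40 wpa-key3 <- 00:11:22:33:44:55
10:15:40 wpa-key4 -> 00:11:22:33:44:55
10:15:40 mcast-key1 <- 00:11:22:33:44:55
10:15:40 mcast-key2 -> 00:11:22:33:44:55
"""

def analyze(trace, mac):
    """Summarize one connection attempt for one client MAC."""
    seen = Counter()
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["mac"].lower() == mac.lower() and m["label"] in EXPECTED:
            seen[m["label"]] += 1
    missing = [label for label in EXPECTED if seen[label] == 0]
    # A label seen n times in a single attempt was retried n - 1 times.
    retried = {label: n - 1 for label, n in seen.items() if n > 1}
    return {"complete": not missing, "missing": missing, "retried": retried}

if __name__ == "__main__":
    for name, trace in (("stalled", SAMPLE_STALLED), ("ok", SAMPLE_OK)):
        print(name, analyze(trace, "00:11:22:33:44:55"))
```

Feed it the trace for a single connection attempt; several attempts pasted together would be counted as retries.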