RE: [WIRELESS-LAN] Curious to see if other schools/businesses will warn about iOS 9 WiFi Assist

2015-10-01 Thread Jeffrey D. Sessler
I believe that this is a slippery slope where the community will assume we're 
aware of any/all shortcomings in the IoT universe. If I send out a report about 
the WiFi Assist feature in the iPhone, but don't send a warning about , it will be my fault.

There are enough news outlets covering these issues that I don't think it 
warrants getting involved in.

Heck, just had a student complain that she used up her family's data plan 
because she arrived on campus but didn't connect to our WiFi.

Jeff


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bob Brown
Sent: Wednesday, September 30, 2015 1:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Curious to see if other schools/businesses will warn 
about iOS 9 WiFi Assist

McGill University (I believe its IT dept) has issued a warning to its community 
about the new iOS 9 Wifi Assist feature, which means well (by switching you to 
cellular use from wifi use when wifi signals are bad) but can possibly jack up 
your data usage

http://www.mcgill.ca/channels/news/ios-9-mobile-users-consider-disabling-wi-fi-assist-feature-255683

(Though some say people are just piling on Wifi Assist, and that it's actually 
a swell feature: 
http://www.theguardian.com/technology/2015/sep/30/ignore-the-haters-wi-fi-assist-is-ios-9
 )


Bob Brown

Online Executive Editor, News

T: 508.766.5418



NETWORK WORLD

492 Old Connecticut Path | PO Box 9002 | Framingham, MA 01701-9002


An IDG Enterprise Brand


** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.




Re: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

2015-10-01 Thread Kevin McCormick

This was the exact problem.

We unrevoked the Radius certificate, but Windows 8/8.1/10 devices we 
were testing with still were failing.


We then replaced the Radius certificate and Windows 8/8.1/10 devices we 
were testing with began to work.


I suspect those devices were caching that the cert was revoked and not 
rechecking, although I thought I cleared all those caches out.


Thanks for the help, Tobias.

Kevin McCormick
uTech Network Services
Western Illinois University

On 9/24/2015 12:18 PM, Heaton, Tobias wrote:

Kevin,

We recently encountered a similar situation where Windows 8/8.1/10 devices were 
onboarding fine and some days later failing to authenticate and unable to 
re-onboard.

Turns out the Radius certificate (also self-signed root & intermediate) was 
revoked and there was no clear indication of this in the Radius configuration and 
Windows devices were silently failing. I eventually found and unrevoked the Radius 
certificate and the devices associated with no issue.

Apparently Windows 8+ devices are much more particular about revocation status 
versus other operating systems that simply ensure valid certificate dates. 
Cloudpath did add a feature request to add revocation status to the Radius 
configuration pane in the Enrollment System.

Tobias Heaton
Network Operations
University of New Hampshire


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kevin McCormick
Sent: Thursday, September 24, 2015 1:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

Clients on Windows 8 and 10 fail onboarding. Macs, Windows 7, iOS, and
Androids do not seem to have any issues.

The radius server is issuing the certificates and the Windows 8 and 10
appear to be saying that the radius server is reporting the certificates
revoked.

We can export the certs from the Windows 8 or 10 machine, and then check
the certs on Windows 7 using the command 'certutil -f -urlfetch -verify
cert_name.cer' and the radius server is reporting the certs are fine.

We use our own Root CA and Intermediate CA.

Kevin McCormick
uTech Network Services
Western Illinois University

On 9/24/2015 11:55 AM, Turner, Ryan H wrote:

Let me see if I can clear things up...

Your clients were successfully onboarded, and when the clients connect, they 
are reporting that the radius server certificates being sent are revoked?  Or 
are you saying that your clients are reporting that the radius servers are 
saying the client certificates are revoked?

If I read the error, it would indicate to me that your clients are having 
issues with the radius server certificates.  Who issued the certs?

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kevin McCormick
Sent: Thursday, September 24, 2015 12:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

I know many of you are using EAP-TLS and CloudPath onboarding.

We have run into an issue where some Windows 8 and 10 machines will say the 
server said the certificates are revoked, but they are not revoked.
We have checked the things like time being correct. We did discover the command 
'certutil -f -urlfetch -verify cert_name.cer' will work just fine on Windows 7, 
but crashes on Windows 8 and Windows 10. The event viewer is showing these 
errors.

"The certificate received from the remote server has been revoked. This means that 
the certificate authority that issued the certificate has invalidated it. The SSL 
connection request has failed. The attached data contains the server certificate."  
-- Attached is the root CA.

"A fatal alert was generated and sent to the remote endpoint. This may result in 
termination of the connection. The TLS protocol defined fatal error code is 44. The 
Windows SChannel error state is 552."

I have tried googling the problem and have come up empty.

CloudPath has told our security admin that our university seems to be the only 
one having this issue.

Makes me wonder if our certs are being generated with incorrect settings for 
Windows 8 and Windows 10.

What algorithm and key length are you using?

Any suggestions?

Kevin McCormick
uTech Network Services
Western Illinois University
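
The failure mode discussed in this thread, reproduced as an added example that is not part of any poster's message: a server certificate that is revoked still passes a verifier that only checks the chain and dates, fails one that consults the CRL, and a reissued certificate with a new serial passes again. It uses OpenSSL as a stand-in verifier (it does not model Windows SChannel caching), and the CA, subject names and file names are all constructed for the demo.

```sh
#!/bin/sh
# Constructed lab PKI: "Lab Root CA" and "radius.lab.example" are made-up names.
set -eu

revocation_demo() (
  cd "$(mktemp -d)"
  : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = lab
[lab]
database = index.txt
new_certs_dir = .
serial = serial
default_md = sha256
default_days = 30
default_crl_days = 7
unique_subject = no
policy = any
[any]
commonName = supplied
EOF
  ca() { openssl ca -batch -config ca.cnf -cert root.pem -keyfile root.key "$@" >/dev/null 2>&1; }
  # Report ok / revoked / error for one verification run.
  verdict() {
    if out=$(openssl verify "$@" 2>&1); then echo ok; else
      case "$out" in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
    fi
  }
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=Lab Root CA" \
    -days 30 -keyout root.key -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=radius.lab.example" \
    -keyout radius.key -out radius.csr 2>/dev/null
  ca -in radius.csr -out old.pem -notext   # original server certificate
  ca -revoke old.pem                       # revoked at the CA, nothing changes on the server
  ca -in radius.csr -out new.pem -notext   # replacement certificate, new serial
  ca -gencrl -out root.crl
  echo "dates-only:$(verdict -CAfile root.pem old.pem)" \
       "crl-check:$(verdict -crl_check -CAfile root.pem -CRLfile root.crl old.pem)" \
       "reissued:$(verdict -crl_check -CAfile root.pem -CRLfile root.crl new.pem)"
)

revocation_demo
```
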
