Re: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-07-27 Thread Julian Y Koh
On Mon Jul 27 2015 01:27:57 CDT, Jason Cook  wrote:
> 
> Also seems worth noting that certs will need to be 1024bit. Our certs are 
> 1024 so expecting that to be ok for us
> http://superuser.com/questions/935756/mac-os-el-capitan-10-11-not-able-to-connect-to-wifiwpa-2-enterprise
>  

Note that the certificate bit length is different from the Diffie-Hellman group 
bit length; the latter is what is referred to in that document.  

Also worth noting is that there are other Apple documents that say that OS X 
10.10.4 and iOS 8.4 require a 2048-bit DH group, so there appears to be some 
discrepancy at least in the docs.  

We had to upgrade both ClearPass (6.5.2 plus a patch) and our Aruba controller 
code (6.4.2.9) to get both iOS 9 and OS X 10.11 to work with our 802.1X 
network.  


-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)

2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: 
PGP Public Key:

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-07-27 Thread Lee H Badman
I'm polling our Apple adventurists on this. I did talk to one valued colleague 
who said he ran 10.11 for a bit on one machine and had no issues on our WPA2 
Cisco campus networks. He's going to build another test machine and try it 
again, and hopefully I'll hear from at least a couple of other bleeding edgers 
on this end.

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Julian Y Koh
Sent: Monday, July 27, 2015 8:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta

On Mon Jul 27 2015 01:27:57 CDT, Jason Cook  wrote:
> 
> Also seems worth noting that certs will need to be 1024bit. Our certs are 
> 1024 so expecting that to be ok for us
> http://superuser.com/questions/935756/mac-os-el-capitan-10-11-not-able-to-connect-to-wifiwpa-2-enterprise
>  

Note that the certificate bit length is different from the Diffie-Hellman group 
bit length; the latter is what is referred to in that document.  

Also worth noting is that there are other Apple documents that say that OS X 
10.10.4 and iOS 8.4 require a 2048-bit DH group, so there appears to be some 
discrepancy at least in the docs.  

We had to upgrade both ClearPass (6.5.2 plus a patch) and our Aruba controller 
code (6.4.2.9) to get both iOS 9 and OS X 10.11 to work with our 802.1X 
network.  


-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)

2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-07-27 Thread Andrew Moskowitz
One more piece of information: we also run Aruba ClearPass, and our Apple
Engineer contact told us that the issue is support for TLS v1.2 - it's now
"included" in iOS 9 & OSX 10.11

On Mon, Jul 27, 2015 at 8:48 AM, Lee H Badman  wrote:

> I'm polling our Apple adventurists on this. I did talk to one valued
> colleague who said he ran 10.11 for a bit on one machine and had no issues
> on our WPA2 Cisco campus networks. He's going to build another test machine
> and try it again, and hopefully I'll hear from at least a couple of other
> bleeding edgers on this end.
>
> Lee Badman | Network Architect
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Julian Y Koh
> Sent: Monday, July 27, 2015 8:01 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>
> On Mon Jul 27 2015 01:27:57 CDT, Jason Cook 
> wrote:
> >
> > Also seems worth noting that certs will need to be 1024bit. Our certs
> are 1024 so expecting that to be ok for us
> >
> http://superuser.com/questions/935756/mac-os-el-capitan-10-11-not-able-to-connect-to-wifiwpa-2-enterprise
> >
>
> Note that the certificate bit length is different from the Diffie-Hellman
> group bit length; the latter is what is referred to in that document.
>
> Also worth noting is that there are other Apple documents that say that OS
> X 10.10.4 and iOS 8.4 require a 2048-bit DH group, so there appears to be
> some discrepancy at least in the docs.
>
> We had to upgrade both ClearPass (6.5.2 plus a patch) and our Aruba
> controller code (6.4.2.9) to get both iOS 9 and OS X 10.11 to work with our
> 802.1X network.
>
>
> --
> Julian Y. Koh
> Associate Director, Telecommunications and Network Services
> Northwestern University Information Technology (NUIT)
>
> 2001 Sheridan Road #G-166
> Evanston, IL 60208
> 847-467-5780
> NUIT Web Site: <http://www.it.northwestern.edu/>
> PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
>



Re: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-07-27 Thread Howard, Christopher
I have the iOS 9 beta on my phone and I was unable to connect to any 802.1x 
networks.  I have OS 10.11 on my laptop, but I haven't brought it to campus yet.

I can confirm that the issue was TLS v1.2 support in our RADIUS servers.  
Upgrading the RADIUS software and dependencies, along with adding a new line to 
the configuration fixed the issue.  We were already using a 4096-bit cert.  We 
don't terminate any 802.1x on our Aruba controllers, but I heard it does not 
support TLS v1.2 either.  I don't know if or when that will be fixed if it 
hasn't been already.

Christopher Howard
Associate Director, Network Engineering
University of Tennessee at Chattanooga
christopher-how...@utc.edu



From: Andrew Moskowitz <a...@gwu.edu>
Reply-To: "a...@gwu.edu" <a...@gwu.edu>
Date: Monday, July 27, 2015 at 9:00 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta

One more piece of information: we also run Aruba ClearPass, and our Apple 
Engineer contact told us that the issue is support for TLS v1.2 - it's now 
"included" in iOS 9 & OSX 10.11

On Mon, Jul 27, 2015 at 8:48 AM, Lee H Badman <lhbad...@syr.edu> wrote:
I'm polling our Apple adventurists on this. I did talk to one valued colleague 
who said he ran 10.11 for a bit on one machine and had no issues on our WPA2 
Cisco campus networks. He's going to build another test machine and try it 
again, and hopefully I'll hear from at least a couple of other bleeding edgers 
on this end.

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Julian Y Koh
Sent: Monday, July 27, 2015 8:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta

On Mon Jul 27 2015 01:27:57 CDT, Jason Cook <jason.c...@adelaide.edu.au> wrote:
>
> Also seems worth noting that certs will need to be 1024bit. Our certs are 
> 1024 so expecting that to be ok for us
> http://superuser.com/questions/935756/mac-os-el-capitan-10-11-not-able-to-connect-to-wifiwpa-2-enterprise
>

Note that the certificate bit length is different from the Diffie-Hellman group 
bit length; the latter is what is referred to in that document.

Also worth noting is that there are other Apple documents that say that OS X 
10.10.4 and iOS 8.4 require a 2048-bit DH group, so there appears to be some 
discrepancy at least in the docs.

We had to upgrade both ClearPass (6.5.2 plus a patch) and our Aruba controller 
code (6.4.2.9) to get both iOS 9 and OS X 10.11 to work with our 802.1X network.


--
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)

2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>




RE: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-07-27 Thread Turner, Ryan H
I have also just pinged our campus users.  Already have a lot of users running 
the platform with no issues.

We are running a full EAP-TLS deployment with Aruba Controllers running 6.4.2.8 
running an older 2.1 freeradius.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, July 27, 2015 8:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta

I'm polling our Apple adventurists on this. I did talk to one valued colleague 
who said he ran 10.11 for a bit on one machine and had no issues on our WPA2 
Cisco campus networks. He's going to build another test machine and try it 
again, and hopefully I'll hear from at least a couple of other bleeding edgers 
on this end.

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu SYRACUSE 
UNIVERSITY syr.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Julian Y Koh
Sent: Monday, July 27, 2015 8:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta

On Mon Jul 27 2015 01:27:57 CDT, Jason Cook  wrote:
> 
> Also seems worth noting that certs will need to be 1024bit. Our certs 
> are 1024 so expecting that to be ok for us 
> http://superuser.com/questions/935756/mac-os-el-capitan-10-11-not-able-to-connect-to-wifiwpa-2-enterprise
>  

Note that the certificate bit length is different from the Diffie-Hellman group 
bit length; the latter is what is referred to in that document.  

Also worth noting is that there are other Apple documents that say that OS X 
10.10.4 and iOS 8.4 require a 2048-bit DH group, so there appears to be some 
discrepancy at least in the docs.  

We had to upgrade both ClearPass (6.5.2 plus a patch) and our Aruba controller 
code (6.4.2.9) to get both iOS 9 and OS X 10.11 to work with our 802.1X 
network.  


--
Julian Y. Koh
Associate Director, Telecommunications and Network Services Northwestern 
University Information Technology (NUIT)

2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/> PGP Public 
Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-07-27 Thread Walter Reynolds
The problem we had was because we were running freeradius 2.2.6 and I do
not remember version of openssl (1.something) which does support TLSv1.2.
There would be a problem after authentication with the 4 way handshake. So
you would see a user authenticate every 6 seconds or so and not receive an
IP from the Mac point of view.

Running freeradius 2.2.6 with an older version of openssl (.9 something)
would not support TLSv1.2 so no problem.

Freeradius 2.2.7 fixes some TLS issues which fixed the issue.

I know aruba's clearpass is based on freeradius but not sure how close it
is so as one person said they did need to upgrade that as well.

On Jul 27, 2015 10:20 AM, "Turner, Ryan H"  wrote:

> I have also just pinged our campus users.  Already have a lot of users
> running the platform with no issues.
>
> We are running a full EAP-TLS deployment with Aruba Controllers running
> 6.4.2.8 running an older 2.1 freeradius.
>
> Ryan H Turner
> Senior Network Engineer
> The University of North Carolina at Chapel Hill
> CB 1150 Chapel Hill, NC 27599
> +1 919 445 0113 Office
> +1 919 274 7926 Mobile
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
> Sent: Monday, July 27, 2015 8:48 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>
> I'm polling our Apple adventurists on this. I did talk to one valued
> colleague who said he ran 10.11 for a bit on one machine and had no issues
> on our WPA2 Cisco campus networks. He's going to build another test machine
> and try it again, and hopefully I'll hear from at least a couple of other
> bleeding edgers on this end.
>
> Lee Badman | Network Architect
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
> SYRACUSE UNIVERSITY syr.edu
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Julian Y Koh
> Sent: Monday, July 27, 2015 8:01 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>
> On Mon Jul 27 2015 01:27:57 CDT, Jason Cook 
> wrote:
> >
> > Also seems worth noting that certs will need to be 1024bit. Our certs
> > are 1024 so expecting that to be ok for us
> > http://superuser.com/questions/935756/mac-os-el-capitan-10-11-not-able-to-connect-to-wifiwpa-2-enterprise
> >
>
> Note that the certificate bit length is different from the Diffie-Hellman
> group bit length; the latter is what is referred to in that document.
>
> Also worth noting is that there are other Apple documents that say that OS
> X 10.10.4 and iOS 8.4 require a 2048-bit DH group, so there appears to be
> some discrepancy at least in the docs.
>
> We had to upgrade both ClearPass (6.5.2 plus a patch) and our Aruba
> controller code (6.4.2.9) to get both iOS 9 and OS X 10.11 to work with our
> 802.1X network.
>
>
> --
> Julian Y. Koh
> Associate Director, Telecommunications and Network Services Northwestern
> University Information Technology (NUIT)
>
> 2001 Sheridan Road #G-166
> Evanston, IL 60208
> 847-467-5780
> NUIT Web Site: <http://www.it.northwestern.edu/> PGP Public Key:
> <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
>



RE: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-07-27 Thread Jason Cook
Thanks everyone for the input, greatly appreciated. We are freeradius 2.2.6 and 
I’m not sure what openssl off the top of my head but it certainly seems a good 
chance that this is our problem.

Time to get fixing with all this info ☺

--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Walter Reynolds
Sent: Tuesday, 28 July 2015 2:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta


The problem we had was because we were running freeradius 2.2.6 and I do not 
remember version of openssl (1.something) which does support TLSv1.2. There 
would be a problem after authentication with the 4 way handshake. So you would 
see a user authenticate every 6 seconds or so and not receive an IP from the Mac 
point of view.

Running freeradius 2.2.6 with an older version of openssl (.9 something) would 
not support TLSv1.2 so no problem.

Freeradius 2.2.7 fixes some TLS issues which fixed the issue.

I know aruba's clearpass is based on freeradius but not sure how close it is so 
as one person said they did need to upgrade that as well.

On Jul 27, 2015 10:20 AM, "Turner, Ryan H" <rhtur...@email.unc.edu> wrote:
I have also just pinged our campus users.  Already have a lot of users running 
the platform with no issues.

We are running a full EAP-TLS deployment with Aruba Controllers running 6.4.2.8 
running an older 2.1 freeradius.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, July 27, 2015 8:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta

I'm polling our Apple adventurists on this. I did talk to one valued colleague 
who said he ran 10.11 for a bit on one machine and had no issues on our WPA2 
Cisco campus networks. He's going to build another test machine and try it 
again, and hopefully I'll hear from at least a couple of other bleeding edgers 
on this end.

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY syr.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Julian Y Koh
Sent: Monday, July 27, 2015 8:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta

On Mon Jul 27 2015 01:27:57 CDT, Jason Cook <jason.c...@adelaide.edu.au> wrote:
>
> Also seems worth noting that certs will need to be 1024bit. Our certs
> are 1024 so expecting that to be ok for us
> http://superuser.com/questions/935756/mac-os-el-capitan-10-11-not-able-to-connect-to-wifiwpa-2-enterprise
>

Note that the certificate bit length is different from the Diffie-Hellman group 
bit length; the latter is what is referred to in that document.

Also worth noting is that there are other Apple documents that say that OS X 
10.10.4 and iOS 8.4 require a 2048-bit DH group, so there appears to be some 
discrepancy at least in the docs.

We had to upgrade both ClearPass (6.5.2 plus a patch) and our Aruba controller 
code (6.4.2.9) to get both iOS 9 and OS X 10.11 to work with our 802.1X network.


--
Julian Y. Koh
Associate Director, Telecommunications and Network Services Northwestern 
University Information Technology (NUIT)

2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/> PGP Public 
Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>




Re: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-07-28 Thread Fligor, Debbie
This went out to our campus IT community last Friday, it has some nice details 
about what the wireless/radius team was seeing:

Greetings,

Earlier this week we sent a communication about issues that the iOS 9 and El 
Capitan betas had connecting to the campus network.  We are happy to announce 
that the issue has been resolved. While Technology Services does not encourage 
customers to rely on betas for production or every-day work, both of the 
current beta releases are able to connect to IllinoisNet. If you have questions 
regarding this message please contact wirel...@illinois.edu.

*For those with a desire to better understand the technical changes and their 
impacts, feel free to read the additional detail below.

On 2015-07-23 a set of security updates was deployed to the RADIUS 
servers which handle logins for IllinoisNet and eduroam wireless.  One 
of these changes was an upgrade to the latest version of Net::SSLeay 
(which provides perl bindings for OpenSSL) to allow clients to negotiate 
TLSv1.1 and TLSv1.2 (as well as TLSv1.0) for the EAP-TTLS tunnel used in 
WPA2 Enterprise authentication.  Many modern wireless clients still use 
TLSv1.0 in practice, but Apple OS X El Capitan and iOS 9 do use TLSv1.2, 
and as a result of this upgrade they are now able to successfully 
connect to IllinoisNet and eduroam.

What remains surprising is that, prior to deploying these updates, our 
test iOS 9 client was able to successfully make it all the way through 
the RADIUS authentication stage of 802.11i (producing a RADIUS 
Access-Accept); it failed only during the subsequent four-way handshake 
to construct the PTK (by which point the RADIUS server is no longer 
involved, leading us to believe that the problem resided elsewhere). 
Subsequent re-testing reveals that even with the older Net::SSLeay 
installed, the RADIUS server would respond to the TLSv1.2 Client Hello 
with a TLSv1.2 Server Hello, and side by side comparisons of the 
unencrypted portions of traffic captures in a lab environment show no 
obvious differences in the ensuing conversation depending on which 
Net::SSLeay is installed.  We can only speculate at this point that 
perhaps the combination of a modern openssl library with an old 
Net::SSLeay was somehow superficially _appearing_ to correctly support 
TLSv1.2 while in fact producing some subtly different behavior which 
eventually caused iOS 9 to give up on the connection process.




> On Jul 27, 2015, at 18:55, Jason Cook  wrote:
> 
> Thanks everyone for the input, greatly appreciated. We are freeradius 2.2.6 
> and I’m not sure what openssl off the top of my head but it certainly seems a 
> good chance that this is our problem.
> 
>  
> 
> Time to get fixing with all this info ☺
> 
>  
> 
> --
> 
> Jason Cook
> 
> The University of Adelaide, AUSTRALIA 5005
> 
> Ph: +61 8 8313 4800
> 
>  
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Walter Reynolds
> Sent: Tuesday, 28 July 2015 2:49 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
> 
>  
> 
> The problem we had was because we were running freeradius 2.2.6 and I do not 
> remember version of openssl (1.something) which does support TLSv1.2. There 
> would be a problem after authentication with the 4 way handshake. So you 
> would see a user authenticate every 6 seconds or so and not receive an IP from 
> the Mac point of view.
> 
> Running freeradius 2.2.6 with an older version of openssl (.9 something) 
> would not support TLSv1.2 so no problem. 
> 
> Freeradius 2.2.7 fixes some TLS issues which fixed the issue.
> 
> I know aruba's clearpass is based on freeradius but not sure how close it is 
> so as one person said they did need to upgrade that as well.
> 
> On Jul 27, 2015 10:20 AM, "Turner, Ryan H"  wrote:
> 
> I have also just pinged our campus users.  Already have a lot of users 
> running the platform with no issues.
> 
> We are running a full EAP-TLS deployment with Aruba Controllers running 
> 6.4.2.8 running an older 2.1 freeradius.
> 
> Ryan H Turner
> Senior Network Engineer
> The University of North Carolina at Chapel Hill
> CB 1150 Chapel Hill, NC 27599
> +1 919 445 0113 Office
> +1 919 274 7926 Mobile
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
> Sent: Monday, July 27, 2015 8:48 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
> 
> I'm polling our Apple adventurists on this. I did talk to one valued 
> colleague who said he ran 10.11 for a bit on one machine and had no issues on 
> our WPA2 Cisco campus networks. He's going to build another test machine and 
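
The two things this thread asks about a server, the TLS version it actually negotiates and the Diffie-Hellman group size (as distinct from the certificate key size), can both be read from the unencrypted part of a captured handshake. The following is an added example, not code from any poster or vendor: it assumes the TLS records have already been reassembled from the EAP fragments, the function names are hypothetical, and the sample bytes are constructed.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20          # TLS record content types
CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 1, 2, 12
VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
# Finite-field DHE_RSA suites: only these put (p, g, Ys) in ServerKeyExchange.
DHE_RSA_SUITES = {0x0033, 0x0039, 0x0067, 0x006B, 0x009E, 0x009F}


def handshake_messages(stream):
    """Yield (msg_type, body) from the cleartext handshake records in stream."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", stream, pos)
        frag = stream[pos + 5:pos + 5 + length]
        if len(frag) < length:
            raise ValueError("truncated TLS record")
        if ctype == CHANGE_CIPHER_SPEC:
            break                                # everything after this is encrypted
        if ctype == HANDSHAKE:
            buf += frag                          # a message may span several records
        pos += 5 + length
    pos = 0
    while pos + 4 <= len(buf):
        mlen = int.from_bytes(buf[pos + 1:pos + 4], "big")
        if pos + 4 + mlen > len(buf):
            raise ValueError("truncated handshake message")
        yield buf[pos], buf[pos + 4:pos + 4 + mlen]
        pos += 4 + mlen


def parse_server_hello(body):
    """Return ((major, minor), cipher_suite) as chosen by the server."""
    if len(body) < 35 or len(body) < 37 + body[34]:
        raise ValueError("short ServerHello")
    sid_len = body[34]                           # follows version(2) + random(32)
    suite = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
    return (body[0], body[1]), suite


def dh_prime_bits(ske_body):
    """Bit length of the DH prime p at the start of a DHE ServerKeyExchange."""
    p_len = int.from_bytes(ske_body[:2], "big")
    p = ske_body[2:2 + p_len]
    if p_len == 0 or len(p) < p_len:
        raise ValueError("short ServerKeyExchange")
    return int.from_bytes(p, "big").bit_length()  # ignores leading zero bytes


def inspect_handshake(stream, min_dh_bits):
    """Summarise offered/negotiated TLS version and DH group size, with findings."""
    report = {"offered": None, "negotiated": None, "dh_bits": None, "findings": []}
    suite = None
    for mtype, body in handshake_messages(stream):
        if mtype == CLIENT_HELLO and len(body) >= 2:
            report["offered"] = VERSIONS.get((body[0], body[1]), "unknown")
        elif mtype == SERVER_HELLO:
            version, suite = parse_server_hello(body)
            report["negotiated"] = VERSIONS.get(version, "unknown")
        elif mtype == SERVER_KEY_EXCHANGE and suite in DHE_RSA_SUITES:
            report["dh_bits"] = dh_prime_bits(body)
    if report["offered"] and report["negotiated"] != report["offered"]:
        report["findings"].append("server negotiated %s, client offered up to %s"
                                  % (report["negotiated"], report["offered"]))
    if report["dh_bits"] is not None and report["dh_bits"] < min_dh_bits:
        report["findings"].append("DH group is %d bits, below required %d"
                                  % (report["dh_bits"], min_dh_bits))
    return report


def record(payload, version=(3, 1)):
    """Wrap handshake bytes in one TLS record (constructed test data)."""
    return struct.pack("!BBBH", HANDSHAKE, *version, len(payload)) + payload


def message(mtype, body):
    """Prefix a handshake body with its type and 3-byte length."""
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def build_sample(server_version, dh_bits):
    """Constructed ClientHello + ServerHello + ServerKeyExchange (signature omitted)."""
    rnd = bytes(32)
    client = bytes([3, 3]) + rnd + b"\x00" + b"\x00\x04\x00\x9e\x00\x33" + b"\x01\x00"
    server = bytes(server_version) + rnd + b"\x00" + b"\x00\x33" + b"\x00"
    p = ((1 << (dh_bits - 1)) | 1).to_bytes(dh_bits // 8, "big")  # not a real prime
    ske = len(p).to_bytes(2, "big") + p + b"\x00\x01\x02" + b"\x00\x01\x04"
    return (record(message(CLIENT_HELLO, client)) +
            record(message(SERVER_HELLO, server) +
                   message(SERVER_KEY_EXCHANGE, ske), server_version))


if __name__ == "__main__":
    print(inspect_handshake(build_sample((3, 3), 1024), min_dh_bits=2048))
```

The `min_dh_bits` threshold is a parameter because the thread itself notes that the vendor documents disagree on 1024 versus 2048 bits.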

Re: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-07-28 Thread Jon Scot Prunckle
Debbie,

Is your group also running freeradius?

Sincerely,


J. Scot Prunckle
Network Engineer
UITS Network and Operations Services
University of Wisconsin-Milwaukee
Office Mobile: (414) 416-9709
E-mail: prunc...@uwm.edu

> On Jul 28, 2015, at 8:57 AM, Fligor, Debbie  wrote:
> 
> This went out to our campus IT community last Friday, it has some nice 
> details about what the wireless/radius team was seeing:
> 
> Greetings,
> 
> Earlier this week we sent a communication about issues that the iOS 9 and El 
> Capitan betas had connecting to the campus network.  We are happy to announce 
> that the issue has been resolved. While Technology Services does not 
> encourage customers to rely on betas for production or every-day work, both 
> of the current beta releases are able to connect to IllinoisNet. If you have 
> questions regarding this message please contact wirel...@illinois.edu.
> 
> *For those with a desire to better understand the technical changes and their 
> impacts, feel free to read the additional detail below.
> 
> On 2015-07-23 a set of security updates was deployed to the RADIUS 
> servers which handle logins for IllinoisNet and eduroam wireless.  One 
> of these changes was an upgrade to the latest version of Net::SSLeay 
> (which provides perl bindings for OpenSSL) to allow clients to negotiate 
> TLSv1.1 and TLSv1.2 (as well as TLSv1.0) for the EAP-TTLS tunnel used in 
> WPA2 Enterprise authentication.  Many modern wireless clients still use 
> TLSv1.0 in practice, but Apple OS X El Capitan and iOS 9 do use TLSv1.2, 
> and as a result of this upgrade they are now able to successfully 
> connect to IllinoisNet and eduroam.
> 
> What remains surprising is that, prior to deploying these updates, our 
> test iOS 9 client was able to successfully make it all the way through 
> the RADIUS authentication stage of 802.11i (producing a RADIUS 
> Access-Accept); it failed only during the subsequent four-way handshake 
> to construct the PTK (by which point the RADIUS server is no longer 
> involved, leading us to believe that the problem resided elsewhere). 
> Subsequent re-testing reveals that even with the older Net::SSLeay 
> installed, the RADIUS server would respond to the TLSv1.2 Client Hello 
> with a TLSv1.2 Server Hello, and side by side comparisons of the 
> unencrypted portions of traffic captures in a lab environment show no 
> obvious differences in the ensuing conversation depending on which 
> Net::SSLeay is installed.  We can only speculate at this point that 
> perhaps the combination of a modern openssl library with an old 
> Net::SSLeay was somehow superficially _appearing_ to correctly support 
> TLSv1.2 while in fact producing some subtly different behavior which 
> eventually caused iOS 9 to give up on the connection process.
> 
> 
> 
> 
>> On Jul 27, 2015, at 18:55, Jason Cook  wrote:
>> 
>> Thanks everyone for the input, greatly appreciated. We are freeradius 2.2.6 
>> and I’m not sure what openssl off the top of my head but it certainly seems a 
>> good chance that this is our problem.
>> 
>> 
>> 
>> Time to get fixing with all this info ☺
>> 
>> 
>> 
>> --
>> 
>> Jason Cook
>> 
>> The University of Adelaide, AUSTRALIA 5005
>> 
>> Ph: +61 8 8313 4800
>> 
>> 
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Walter Reynolds
>> Sent: Tuesday, 28 July 2015 2:49 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>> 
>> 
>> 
>> The problem we had was because we were running freeradius 2.2.6 and I do not 
>> remember version of openssl (1.something) which does support TLSv1.2. There 
>> would be a problem after authentication with the 4 way handshake. So you 
>> would see a user authenticate every 6 seconds or so and not receive an IP 
>> from the Mac point of view.
>> 
>> Running freeradius 2.2.6 with an older version of openssl (.9 something) 
>> would not support TLSv1.2 so no problem. 
>> 
>> Freeradius 2.2.7 fixes some TLS issues which fixed the issue.
>> 
>> I know aruba's clearpass is based on freeradius but not sure how close it is 
>> so as one person said they did need to upgrade that as well.
>> 
>> On Jul 27, 2015 10:20 AM, "Turner, Ryan H"  wrote:
>> 
>> I have also just pinged our campus users.  Already have a lot of users 
>> running the platform with no issues.
>> 
>> We are running a full EAP-TLS deployment with Aruba Controllers running 
>> 6.4.2.8 running an older 2.1 freeradius.
>> 
>> Ryan H Turner
>> Senior Network Engin

Re: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-07-28 Thread Fligor, Debbie

> On Jul 28, 2015, at 10:26, Jon Scot Prunckle  wrote:
> 
> Debbie,
> 
> Is your group also running freeradius?

We run OSC Radiator.  Sorry, I should have included that.

-debbie

> 
> Sincerely,
> 
> 
> J. Scot Prunckle
> Network Engineer
> UITS Network and Operations Services
> University of Wisconsin-Milwaukee
> Office Mobile: (414) 416-9709
> E-mail: prunc...@uwm.edu
> 
>> On Jul 28, 2015, at 8:57 AM, Fligor, Debbie  wrote:
>> 
>> This went out to our campus IT community last Friday, it has some nice 
>> details about what the wireless/radius team was seeing:
>> 
>> Greetings,
>> 
>> Earlier this week we sent a communication about issues that the iOS 9 and El 
>> Capitan betas had connecting to the campus network.  We are happy to 
>> announce that the issue has been resolved. While Technology Services does 
>> not encourage customers to rely on betas for production or every-day work, 
>> both of the current beta releases are able to connect to IllinoisNet. If you 
>> have questions regarding this message please contact wirel...@illinois.edu.
>> 
>> *For those with a desire to better understand the technical changes and 
>> their impacts, feel free to read the additional detail below.
>> 
>> On 2015-07-23 a set of security updates was deployed to the RADIUS 
>> servers which handle logins for IllinoisNet and eduroam wireless.  One 
>> of these changes was an upgrade to the latest version of Net::SSLeay 
>> (which provides perl bindings for OpenSSL) to allow clients to negotiate 
>> TLSv1.1 and TLSv1.2 (as well as TLSv1.0) for the EAP-TTLS tunnel used in 
>> WPA2 Enterprise authentication.  Many modern wireless clients still use 
>> TLSv1.0 in practice, but Apple OS X El Capitan and iOS 9 do use TLSv1.2, 
>> and as a result of this upgrade they are now able to successfully 
>> connect to IllinoisNet and eduroam.
>> 
>> What remains surprising is that, prior to deploying these updates, our 
>> test iOS 9 client was able to successfully make it all the way through 
>> the RADIUS authentication stage of 802.11i (producing a RADIUS 
>> Access-Accept); it failed only during the subsequent four-way handshake 
>> to construct the PTK (by which point the RADIUS server is no longer 
>> involved, leading us to believe that the problem resided elsewhere). 
>> Subsequent re-testing reveals that even with the older Net::SSLeay 
>> installed, the RADIUS server would respond to the TLSv1.2 Client Hello 
>> with a TLSv1.2 Server Hello, and side by side comparisons of the 
>> unencrypted portions of traffic captures in a lab environment show no 
>> obvious differences in the ensuing conversation depending on which 
>> Net::SSLeay is installed.  We can only speculate at this point that 
>> perhaps the combination of a modern openssl library with an old 
>> Net::SSLeay was somehow superficially _appearing_ to correctly support 
>> TLSv1.2 while in fact producing some subtly different behavior which 
>> eventually caused iOS 9 to give up on the connection process.
>> 
>> 
>> 
>> 
>>> On Jul 27, 2015, at 18:55, Jason Cook  wrote:
>>> 
>>> Thanks everyone for the input, greatly appreciated. We are freeradius 2.2.6 
>>> and I’m not sure what openssl off the top of my head but it certainly seems 
>>> a good chance that this is our problem.
>>> 
>>> 
>>> 
>>> Time to get fixing with all this info ☺
>>> 
>>> 
>>> 
>>> --
>>> 
>>> Jason Cook
>>> 
>>> The University of Adelaide, AUSTRALIA 5005
>>> 
>>> Ph: +61 8 8313 4800
>>> 
>>> 
>>> 
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Walter Reynolds
>>> Sent: Tuesday, 28 July 2015 2:49 AM
>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>>> 
>>> 
>>> 
>>> The problem we had was because we were running freeradius 2.2.6 and I do 
>>> not remember the version of openssl (1.something) which does support TLSv1.2. 
>>> There would be a problem after authentication with the 4 way handshake. So 
>>> you would see a user authenticate every 6 seconds or so and not receive an 
>>> IP from the Mac point of view.
>>> 
>>> Running freeradius 2.2.6 with an older version of openssl (.9 something) 
>>> would not support TLSv1.2 so no problem. 
>>> 
>>> Freeradius 2.2.7 fixes some TLS issues which fixed the issue.
>>> 
>>> I know aruba'

RE: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-07-28 Thread Jason Cook
Thanks Debbie. Wish we could include some technical detail in some of our comms 
like that.



--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph    : +61 8 8313 4800

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Fligor, Debbie
Sent: Tuesday, 28 July 2015 11:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta

This went out to our campus IT community last Friday, it has some nice details 
about what the wireless/radius team was seeing:

Greetings,

Earlier this week we sent a communication about issues that the iOS 9 and El 
Capitan betas had connecting to the campus network.  We are happy to announce 
that the issue has been resolved. While Technology Services does not encourage 
customers to rely on betas for production or every-day work, both of the 
current beta releases are able to connect to IllinoisNet. If you have questions 
regarding this message please contact wirel...@illinois.edu.

*For those with a desire to better understand the technical changes and their 
impacts, feel free to read the additional detail below.

On 2015-07-23 a set of security updates was deployed to the RADIUS servers 
which handle logins for IllinoisNet and eduroam wireless.  One of these changes 
was an upgrade to the latest version of Net::SSLeay (which provides perl 
bindings for OpenSSL) to allow clients to negotiate
TLSv1.1 and TLSv1.2 (as well as TLSv1.0) for the EAP-TTLS tunnel used in
WPA2 Enterprise authentication.  Many modern wireless clients still use
TLSv1.0 in practice, but Apple OS X El Capitan and iOS 9 do use TLSv1.2, and as 
a result of this upgrade they are now able to successfully connect to 
IllinoisNet and eduroam.

What remains surprising is that, prior to deploying these updates, our test iOS 
9 client was able to successfully make it all the way through the RADIUS 
authentication stage of 802.11i (producing a RADIUS Access-Accept); it failed 
only during the subsequent four-way handshake to construct the PTK (by which 
point the RADIUS server is no longer involved, leading us to believe that the 
problem resided elsewhere). 
Subsequent re-testing reveals that even with the older Net::SSLeay installed, 
the RADIUS server would respond to the TLSv1.2 Client Hello with a TLSv1.2 
Server Hello, and side by side comparisons of the unencrypted portions of 
traffic captures in a lab environment show no obvious differences in the 
ensuing conversation depending on which Net::SSLeay is installed.  We can only 
speculate at this point that perhaps the combination of a modern openssl 
library with an old Net::SSLeay was somehow superficially _appearing_ to 
correctly support
TLSv1.2 while in fact producing some subtly different behavior which eventually 
caused iOS 9 to give up on the connection process.




> On Jul 27, 2015, at 18:55, Jason Cook  wrote:
> 
> Thanks everyone for the input, greatly appreciated. We are freeradius 2.2.6 
> and I’m not sure what openssl off the top of my head but it certainly seems 
> a good chance that this is our problem.
> 
> 
> 
> Time to get fixing with all this info ☺
> 
>  
> 
> --
> 
> Jason Cook
> 
> The University of Adelaide, AUSTRALIA 5005
> 
> Ph: +61 8 8313 4800
> 
>  
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Walter 
> Reynolds
> Sent: Tuesday, 28 July 2015 2:49 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
> 
>  
> 
> The problem we had was because we were running freeradius 2.2.6 and I do not 
> remember the version of openssl (1.something) which does support TLSv1.2. There 
> would be a problem after authentication with the 4 way handshake. So you 
> would see a user authenticate every 6 seconds or so and not receive an IP from 
> the Mac point of view.
> 
> Running freeradius 2.2.6 with an older version of openssl (.9 something) 
> would not support TLSv1.2 so no problem. 
> 
> Freeradius 2.2.7 fixes some TLS issues which fixed the issue.
> 
> I know aruba's clearpass is based on freeradius but not sure how close it is 
> so as one person said they did need to upgrade that as well.
> 
> On Jul 27, 2015 10:20 AM, "Turner, Ryan H"  wrote:
> 
> I have also just pinged our campus users.  Already have a lot of users 
> running the platform with no issues.
> 
> We are running a full EAP-TLS deployment with Aruba Controllers running 
> 6.4.2.8 running an older 2.1 freeradius.
> 
> Ryan H Turner
> Senior Network Engineer
> The University of North Carolina at Chapel Hill
> CB 1150 Chapel Hill, NC 27599
> +1 919 445 0113 Office
> +1 919 274 7926 Mobile
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>

Re: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-07-29 Thread Michael Dickson
Same here.

Mike

Michael Dickson
Network Analyst
Information Technology
University of Massachusetts Amherst
michael.dick...@umass.edu
413-545-9639 

On Jul 28, 2015, at 8:26 PM, Jason Cook  wrote:

> Thanks Debbie. Wish we could include some technical detail in some of our 
> comms like that.
> 
> 
> 
> --
> Jason Cook
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Fligor, Debbie
> Sent: Tuesday, 28 July 2015 11:28 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
> 
> This went out to our campus IT community last Friday, it has some nice 
> details about what the wireless/radius team was seeing:
> 
> Greetings,
> 
> Earlier this week we sent a communication about issues that the iOS 9 and El 
> Capitan betas had connecting to the campus network.  We are happy to announce 
> that the issue has been resolved. While Technology Services does not 
> encourage customers to rely on betas for production or every-day work, both 
> of the current beta releases are able to connect to IllinoisNet. If you have 
> questions regarding this message please contact wirel...@illinois.edu.
> 
> *For those with a desire to better understand the technical changes and their 
> impacts, feel free to read the additional detail below.
> 
> On 2015-07-23 a set of security updates was deployed to the RADIUS servers 
> which handle logins for IllinoisNet and eduroam wireless.  One of these 
> changes was an upgrade to the latest version of Net::SSLeay (which provides 
> perl bindings for OpenSSL) to allow clients to negotiate
> TLSv1.1 and TLSv1.2 (as well as TLSv1.0) for the EAP-TTLS tunnel used in
> WPA2 Enterprise authentication.  Many modern wireless clients still use
> TLSv1.0 in practice, but Apple OS X El Capitan and iOS 9 do use TLSv1.2, and 
> as a result of this upgrade they are now able to successfully connect to 
> IllinoisNet and eduroam.
> 
> What remains surprising is that, prior to deploying these updates, our test 
> iOS 9 client was able to successfully make it all the way through the RADIUS 
> authentication stage of 802.11i (producing a RADIUS Access-Accept); it failed 
> only during the subsequent four-way handshake to construct the PTK (by which 
> point the RADIUS server is no longer involved, leading us to believe that the 
> problem resided elsewhere). 
> Subsequent re-testing reveals that even with the older Net::SSLeay installed, 
> the RADIUS server would respond to the TLSv1.2 Client Hello with a TLSv1.2 
> Server Hello, and side by side comparisons of the unencrypted portions of 
> traffic captures in a lab environment show no obvious differences in the 
> ensuing conversation depending on which Net::SSLeay is installed.  We can only 
> speculate at this point that perhaps the combination of a modern openssl 
> library with an old Net::SSLeay was somehow superficially _appearing_ to 
> correctly support
> TLSv1.2 while in fact producing some subtly different behavior which 
> eventually caused iOS 9 to give up on the connection process.
> 
> 
> 
> 
>> On Jul 27, 2015, at 18:55, Jason Cook  wrote:
>> 
>> Thanks everyone for the input, greatly appreciated. We are freeradius 2.2.6 
>> and I’m not sure what openssl off the top of my head but it certainly seems 
>> a good chance that this is our problem.
>> 
>> 
>> 
>> Time to get fixing with all this info ☺
>> 
>> 
>> 
>> --
>> 
>> Jason Cook
>> 
>> The University of Adelaide, AUSTRALIA 5005
>> 
>> Ph    : +61 8 8313 4800
>> 
>> 
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Walter 
>> Reynolds
>> Sent: Tuesday, 28 July 2015 2:49 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta
>> 
>> 
>> 
>> The problem we had was because we were running freeradius 2.2.6 and I do not 
>> remember the version of openssl (1.something) which does support TLSv1.2. There 
>> would be a problem after authentication with the 4 way handshake. So you 
>> would see a user authenticate every 6 seconds or so and not receive an IP 
>> from the Mac point of view.
>> 
>> Running freeradius 2.2.6 with an older version of openssl (.9 something) 
>> would not support TLSv1.2 so no problem. 
>> 
>> Freeradius 2.2.7 fixes some TLS issues which fixed the issue.
>> 
>> I know aruba's clearpass is based on freeradius but not sure how close it is 
>> so as one person sa

RE: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-08-10 Thread Jason Cook
Thanks for all the responses on this. Upgrade worked a treat.

Was a better response than vendor support but to be fair we hadn’t logged one 
with freeradius

--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
Sent: Tuesday, 28 July 2015 9:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta

Thanks everyone for the input, greatly appreciated. We are freeradius 2.2.6 and 
I’m not sure what openssl off the top of my head but it certainly seems a good 
chance that this is our problem.

Time to get fixing with all this info ☺

--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Walter Reynolds
Sent: Tuesday, 28 July 2015 2:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta


The problem we had was because we were running freeradius 2.2.6 and I do not 
remember the version of openssl (1.something) which does support TLSv1.2. There 
would be a problem after authentication with the 4 way handshake. So you would 
see a user authenticate every 6 seconds or so and not receive an IP from the Mac 
point of view.

Running freeradius 2.2.6 with an older version of openssl (.9 something) would 
not support TLSv1.2 so no problem.

Freeradius 2.2.7 fixes some TLS issues which fixed the issue.

I know aruba's clearpass is based on freeradius but not sure how close it is so 
as one person said they did need to upgrade that as well.
On Jul 27, 2015 10:20 AM, "Turner, Ryan H" <rhtur...@email.unc.edu> wrote:
I have also just pinged our campus users.  Already have a lot of users running 
the platform with no issues.

We are running a full EAP-TLS deployment with Aruba Controllers running 6.4.2.8 
running an older 2.1 freeradius.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, July 27, 2015 8:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta

I'm polling our Apple adventurists on this. I did talk to one valued colleague 
who said he ran 10.11 for a bit on one machine and had no issues on our WPA2 
Cisco campus networks. He's going to build another test machine and try it 
again, and hopefully I'll hear from at least a couple of other bleeding edgers 
on this end.

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Julian Y Koh
Sent: Monday, July 27, 2015 8:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple OSX 10.11 beta

On Mon Jul 27 2015 01:27:57 CDT, Jason Cook <jason.c...@adelaide.edu.au> wrote:
>
> Also seems worth noting that certs will need to be 1024bit. Our certs
> are 1024 so expecting that to be ok for us
> http://superuser.com/questions/935756/mac-os-el-capitan-10-11-not-able-to-connect-to-wifiwpa-2-enterprise
>

Note that the certificate bit length is different from the Diffie-Hellman group 
bit length; the latter is what is referred to in that document.

Also worth noting is that there are other Apple documents that say that OS X 
10.10.4 and iOS 8.4 require a 2048-bit DH group, so there appears to be some 
discrepancy at least in the docs.

We had to upgrade both ClearPass (6.5.2 plus a patch) and our Aruba controller 
code (6.4.2.9) to get both iOS 9 and OS X 10.11 to work with our 802.1X network.


--
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)

2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.

Re: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-10-23 Thread Arran Cudbard-Bell

> On Aug 11, 2015, at 1:37 AM, Jason Cook  wrote:
> 
> Thanks for all the responses on this. Upgrade worked a treat.
> 
> Was a better response than vendor support but to be fair we hadn’t logged one 
> with freeradius

And you wouldn't need to have, as we had stable versions with the MPPE 
calculation issues fixed prior to the release of iOS9.

We've known about it for the past six months:


https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/doc/ChangeLog#L56

Prior to any of the attention it got due to iOS9/Google/Android/Marshmallow.

The later fix for EAP-TTLS was due to some (mostly) duplicate code missed in 
the first round of patches. EAP-TLS and PEAP have worked fine since 2.2.7.

The reason why you see an Access-Accept and the same unencrypted portion is 
because they are the same.  What differs is the method used to derive the 
session keys returned to the NAS in the MPPE Key attributes.

TLS 1.2 uses a different method to TLS < 1.2.  As a result of that change the 
server and the supplicant were deriving different values for the encryption 
keys used for WPA/WPA2 and that was causing the session to fail.

In the case of Radiator, it was the crypto library that had not been updated to 
use the new method of key derivation.

The reason why the final release of iOS9 worked, was because Apple discovered 
the compatibility issues and disabled TLS 1.2

Google also discovered the compatibility issues, but decided that they hated 
their users and did not disable TLS 1.2.  Result here:

https://code.google.com/p/android/issues/detail?id=188867

-Arran
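
The key-derivation mismatch described in the message above, as an added example that is not part of any post in this thread and is not FreeRADIUS or Radiator code. It derives the EAP MSK (RFC 5216) with the TLS 1.0 PRF and with the TLS 1.2 PRF from the same TLS session, then checks the message 2 MIC of the four-way handshake; all secrets, nonces, MAC addresses and the frame bytes are constructed values, and `simulate` is a hypothetical helper name.

```python
import hashlib
import hmac

def p_hash(digest, secret, seed, length):
    """P_hash expansion shared by the TLS PRFs (RFC 2246 / RFC 5246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]

def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2
    md5 = p_hash(hashlib.md5, secret[:half], label + seed, length)
    sha1 = p_hash(hashlib.sha1, secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))

def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256 over the whole secret (SHA-384 cipher suites use P_SHA384)."""
    return p_hash(hashlib.sha256, secret, label + seed, length)

def eap_msk(prf, master_secret, client_random, server_random,
            label=b"client EAP encryption"):
    """RFC 5216 MSK: first 64 octets of PRF(master_secret, label, randoms).
    EAP-TTLS uses the label b"ttls keying material" instead (RFC 5281)."""
    return prf(master_secret, label, client_random + server_random, 128)[:64]

def kck_from_pmk(pmk, aa, spa, anonce, snonce):
    """IEEE 802.11i PRF (HMAC-SHA1); the first 16 octets of the PTK are the KCK."""
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    block = hmac.new(pmk, b"Pairwise key expansion\x00" + b + b"\x00", hashlib.sha1)
    return block.digest()[:16]

def eapol_mic(kck, frame):
    """WPA2 (key descriptor version 2) MIC: HMAC-SHA1 truncated to 16 octets."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def simulate(server_prf):
    """True if the AP accepts the supplicant's message 2 MIC."""
    # Constructed values; a real exchange takes these from the TLS session
    # and from the EAPOL-Key frames.
    master_secret = bytes(range(48))
    client_random, server_random = b"\x11" * 32, b"\x22" * 32
    aa, spa = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
    anonce, snonce = b"\xa5" * 32, b"\x5a" * 32
    frame = b"constructed EAPOL-Key message 2 with the MIC field zeroed"

    # The supplicant negotiated TLS 1.2, so its PMK (MSK[0:32]) comes from the 1.2 PRF.
    pmk_client = eap_msk(prf_tls12, master_secret, client_random, server_random)[:32]
    # The RADIUS server returns MSK[0:32] to the NAS as MS-MPPE-Recv-Key: the AP's PMK.
    pmk_ap = eap_msk(server_prf, master_secret, client_random, server_random)[:32]

    mic_sent = eapol_mic(kck_from_pmk(pmk_client, aa, spa, anonce, snonce), frame)
    mic_expected = eapol_mic(kck_from_pmk(pmk_ap, aa, spa, anonce, snonce), frame)
    return hmac.compare_digest(mic_sent, mic_expected)

if __name__ == "__main__":
    print("server derives MSK with TLS 1.0 PRF -> message 2 MIC ok:", simulate(prf_tls10))
    print("server derives MSK with TLS 1.2 PRF -> message 2 MIC ok:", simulate(prf_tls12))
```

In both runs the TLS records and the Access-Accept would look the same on the wire; only the key bytes inside the MPPE attributes differ, which is why the failure surfaces at the four-way handshake.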
