All,

We have been battling this issue with EAP-MSCHAPv2/PEAP on our BYOD network since September, just after the iOS 11.0.0 release. We never had issues before with onboarding any iOS 10.x versions. We have a few Cisco TAC cases open on the issue and have gone down the path of it being Cisco ISE (running 2.1 patch 5) related or even EAP-AUTH certificate trust related with our external CA Comodo.

As of this morning, we tried iOS 11.1.0 and it works as expected to onboard devices just like in iOS 10.x with our two SSID BYOD process. The supplicant is configured correctly via ISE profile install and is able to attach to the BYOD network after registering. The popups for incorrect password, prompts for a password without location to enter the password or the failure to onboard via BYOD have been resolved. The issue seems to be totally the iOS 11.0.x series of code and the fix is in as of 11.1.0+.

Here are some links concerning this issue for your records and history:
https://communities.cisco.com/thread/86199?start=0&tstart=0
https://forums.developer.apple.com/thread/87403
https://origin-discussions-us.apple.com/thread/8106481

Related bugs:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve97765
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg22344

I hope this info helps someone else,
Joe

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Becker, Jason
Sent: Tuesday, October 31, 2017 11:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

We are seeing the same issue here on our Cisco deployment. I've been telling users to reboot or forget it and reconnect unfortunately. After this they've been good, but I see your point with several certs.

Jason

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Cappalli, Tim (Aruba Security) <t...@hpe.com>
Sent: Tuesday, October 31, 2017 9:33:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

Just curious. Why aren't you using the same EAP server certificate across all of your RADIUS servers?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Linchuan Yang <linchuan.y...@concordia.ca>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, October 31, 2017 at 10:28 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

Dear All,

Good morning.

All of our iOS users started having authentication problems after upgrading to iOS 11. The devices keep asking for the user name and password. The only way we can fix it for now is to “forget” the old profile and manually create a new one; after trusting the certificate, the iOS 11 devices can connect to the wireless network.

However, we have more than three RADIUS servers; if the clients go to other buildings, they have to do this again. In some cases, the clients have to repeat the procedure every morning when they come back to the office.

We noticed some related discussions on the Cisco and Apple communities, but there is not any solution for it.

Do you have the same problem on your wireless network? Could you please give us some suggestions?

Thank you, and have a nice day.

Yours,

Linchuan Yang (Antony) MEng, ACMP
Wireless Networking Analyst
Network Assessment and Integration, IITS-Concordia University
Tel: (514)848-2424 ext. 7664

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.