Apple devices choosing wrong encryption

martinbuffleo — Sun, 04 Jul 2021 06:55:04 GMT

I have two Cisco 1200AP.

I have it configured with two SSIDs, one corporate (802.1x) one using WPA2 Personal.

I have no issues on the corporate, but I have found that Apple devices appear to detect it as a WPA2 Enterprise, and request a username and password.

If I enter the network manualy as WPA2Personal the devices joins the network ok.

Then ocasionaly the device looses its link to the network and fails to pass traffic.

Building configuration...

Current configuration : 5134 bytes

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

hostname BCB-WIFI-ENG

enable secret 5 <removed>

username Cisco password 7 <removed>

username spectra privilege 15 secret 5 <removed>

username CiscoCA privilege 15 secret 5 <removed>

ip subnet-zero

ip domain name spectra.local

ip name-server 10.0.1.2

ip name-server 10.0.2.2

aaa new-model

aaa group server radius rad_eap

server 10.0.1.5 auth-port 1645 acct-port 1646

aaa group server radius rad_mac

aaa group server radius rad_acct

aaa group server radius rad_admin

aaa group server tacacs+ tac_admin

aaa group server radius rad_pmip

aaa group server radius dummy

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authorization exec default local

aaa authorization ipmobile default group rad_pmip

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

dot11 network-map

bridge irb

interface Dot11Radio0

no ip address

no ip route-cache

encryption mode ciphers tkip

encryption vlan 5 mode ciphers tkip

encryption vlan 1001 mode ciphers tkip

ssid S-Guest-Wifi

vlan 5

authentication open

authentication key-management wpa

guest-mode

wpa-psk ascii 7 062702245E470A180B361E180D10232A2A7A67657041574751

ssid s

vlan 1001

authentication open eap eap_methods

authentication key-management wpa

speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0

rts threshold 2312

station-role root

no dot11 extension aironet

no cdp enable

interface Dot11Radio0.5

encapsulation dot1Q 5

no ip route-cache

no cdp enable

bridge-group 5

bridge-group 5 subscriber-loop-control

bridge-group 5 block-unknown-source

no bridge-group 5 source-learning

no bridge-group 5 unicast-flooding

bridge-group 5 spanning-disabled

interface Dot11Radio0.1001

encapsulation dot1Q 1001 native

no ip route-cache

no cdp enable

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

interface Dot11Radio1

no ip address

no ip route-cache

encryption mode ciphers tkip

encryption vlan 5 mode ciphers tkip

encryption vlan 1001 mode ciphers tkip

ssid S-Guest-Wifi

vlan 5

authentication open

authentication key-management wpa

wpa-psk ascii 7 047A06031D284F4F07380904131F0505247970786167724255

ssid s

vlan 1001

authentication open eap eap_methods

authentication key-management wpa

speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0

rts threshold 2312

station-role root

no dot11 extension aironet

no cdp enable

interface Dot11Radio1.5

encapsulation dot1Q 5

no ip route-cache

no cdp enable

bridge-group 5

bridge-group 5 subscriber-loop-control

bridge-group 5 block-unknown-source

no bridge-group 5 source-learning

no bridge-group 5 unicast-flooding

bridge-group 5 spanning-disabled

interface Dot11Radio1.1001

encapsulation dot1Q 1001 native

no ip route-cache

no cdp enable

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

ntp broadcast client

interface FastEthernet0.5

encapsulation dot1Q 5

no ip route-cache

bridge-group 5

no bridge-group 5 source-learning

bridge-group 5 spanning-disabled

interface FastEthernet0.1001

encapsulation dot1Q 1001 native

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

interface BVI1

ip address 10.0.1.203 255.255.255.0

no ip route-cache

ip http server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100

ip http authentication local

ip radius source-interface BVI1

logging trap notifications

access-list 22 remark SNMP Access List

access-list 22 permit 10.0.1.3 log

access-list 22 deny any log

snmp-server community <removed> RO 22

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps tty

snmp-server enable traps entity

snmp-server enable traps disassociate

snmp-server enable traps deauthenticate

snmp-server enable traps authenticate-fail

snmp-server enable traps dot11-qos

snmp-server enable traps wlan-wep

snmp-server enable traps config

snmp-server enable traps syslog

snmp-server enable traps aaa_server

snmp-server enable traps switch-over

snmp-server enable traps rogue-ap

snmp-server host 10.0.1.3 <removed>

radius-server host 10.0.1.5 auth-port 1645 acct-port 1646 key 7 <removed>

radius-server attribute 32 include-in-access-req format %h

radius-server authorization permit missing Service-Type

radius-server vsa send accounting

bridge 1 route ip

line con 0

line vty 5 15

ntp server 91.208.177.20

end

Apple devices choosing wrong encryption

Scott Fella — Mon, 15 Apr 2013 14:10:37 GMT

What are you actually seeing... if they are trying to connect using 802.1x, the apple devices will ask for a username and password. If the Apple devices detect the SSID as a preshared key, then it will just ask for a password.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Apple devices choosing wrong encryption

martinbuffleo — Mon, 15 Apr 2013 14:19:00 GMT

When discovering "S-Guest-Wifi" and then connecting, the device prompts for username and password. There is no username and password that is authorised.

If I enter the network manual I set it to personal and enter the correct password. It connect ok.

I just want to simplifiy the join process for the user.

I don't even mind if I have to get users to have a username and password for guest access. That would stop me having to rotate my Guest PSK.

Apple devices choosing wrong encryption

Scott Fella — Mon, 15 Apr 2013 16:19:49 GMT

Can you try to change the Guest SSID to: Guest-Wifi

See if this helps... might be the S causing issues, but want to make sure.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Apple devices choosing wrong encryption

wjenkins — Tue, 16 Apr 2013 01:47:10 GMT

I would first hghly recommend upgrading the IOS image on the 1200 Access Points. The current image installed 12.2 is no longer even available for download from Cisco. The latest 12.3 image available for the 1200 is c1200-k9w7-tar.123-8.JEE.tar with a release date of 10-DEC-2010. The first non-deferred release available is c1200-k9w7-tar.123-4.JA2.tar with a release date of 06-APR-2006. The 12.3 IOS image will allow you to define each SSID globally instead of on each radio interface which will allow you to define guest-mode on both radios.

topic Apple devices choosing wrong encryption in Wireless

Apple devices choosing wrong encryption

Apple devices choosing wrong encryption

Apple devices choosing wrong encryption

Apple devices choosing wrong encryption

Apple devices choosing wrong encryption