Apple devices choosing wrong encryption

martinbuffleo
Level 1

I have two Cisco 1200AP.

I have it configured with two SSIDs, one corporate (802.1x) one using WPA2 Personal.

I have no issues on the corporate, but I have found that Apple devices appear to detect it as a WPA2 Enterprise, and request a username and password.

If I enter the network manually as WPA2 Personal the device joins the network ok.

Then occasionally the device loses its link to the network and fails to pass traffic.

Building configuration...

Current configuration : 5134 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BCB-WIFI-ENG
!
enable secret 5 <removed>
!
username Cisco password 7 <removed>
username spectra privilege 15 secret 5 <removed>
username CiscoCA privilege 15 secret 5 <removed>
ip subnet-zero
ip domain name spectra.local
ip name-server 10.0.1.2
ip name-server 10.0.2.2
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.0.1.5 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 network-map
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 encryption vlan 5 mode ciphers tkip
 !
 encryption vlan 1001 mode ciphers tkip
 !
 ssid S-Guest-Wifi
    vlan 5
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 062702245E470A180B361E180D10232A2A7A67657041574751
 !
 ssid s
    vlan 1001
    authentication open eap eap_methods
    authentication key-management wpa
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 station-role root
 no dot11 extension aironet
 no cdp enable
!
interface Dot11Radio0.5
 encapsulation dot1Q 5
 no ip route-cache
 no cdp enable
 bridge-group 5
 bridge-group 5 subscriber-loop-control
 bridge-group 5 block-unknown-source
 no bridge-group 5 source-learning
 no bridge-group 5 unicast-flooding
 bridge-group 5 spanning-disabled
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 encryption vlan 5 mode ciphers tkip
 !
 encryption vlan 1001 mode ciphers tkip
 !
 ssid S-Guest-Wifi
    vlan 5
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 047A06031D284F4F07380904131F0505247970786167724255
 !
 ssid s
    vlan 1001
    authentication open eap eap_methods
    authentication key-management wpa
 !
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 station-role root
 no dot11 extension aironet
 no cdp enable
!
interface Dot11Radio1.5
 encapsulation dot1Q 5
 no ip route-cache
 no cdp enable
 bridge-group 5
 bridge-group 5 subscriber-loop-control
 bridge-group 5 block-unknown-source
 no bridge-group 5 source-learning
 no bridge-group 5 unicast-flooding
 bridge-group 5 spanning-disabled
!
interface Dot11Radio1.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 ntp broadcast client
!
interface FastEthernet0.5
 encapsulation dot1Q 5
 no ip route-cache
 bridge-group 5
 no bridge-group 5 source-learning
 bridge-group 5 spanning-disabled
!
interface FastEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.0.1.203 255.255.255.0
 no ip route-cache
!
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip http authentication local
ip radius source-interface BVI1
logging trap notifications
access-list 22 remark SNMP Access List
access-list 22 permit 10.0.1.3 log
access-list 22 deny any log
snmp-server community <removed> RO 22
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps wlan-wep
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps aaa_server
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server host 10.0.1.3 <removed>
radius-server host 10.0.1.5 auth-port 1645 acct-port 1646 key 7 <removed>
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
!
line con 0
line vty 5 15
!
ntp server 91.208.177.20
end

4 Replies

Scott Fella
Hall of Fame

What are you actually seeing... if they are trying to connect using 802.1x, the Apple devices will ask for a username and password. If the Apple devices detect the SSID as a preshared key, then it will just ask for a password.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

When discovering "S-Guest-Wifi" and then connecting, the device prompts for username and password. There is no username and password that is authorised.

If I enter the network manually I set it to personal and enter the correct password. It connects ok.

I just want to simplify the join process for the user.

I don't even mind if I have to get users to have a username and password for guest access. That would stop me having to rotate my Guest PSK.

Can you try to change the Guest SSID to: Guest-Wifi

See if this helps... might be the S causing issues, but want to make sure.

Thanks,

Scott


I would first highly recommend upgrading the IOS image on the 1200 Access Points. The current image installed, 12.2, is no longer even available for download from Cisco. The latest 12.3 image available for the 1200 is c1200-k9w7-tar.123-8.JEE.tar with a release date of 10-DEC-2010. The first non-deferred release available is c1200-k9w7-tar.123-4.JA2.tar with a release date of 06-APR-2006. The 12.3 IOS image will allow you to define each SSID globally instead of on each radio interface, which will allow you to define guest-mode on both radios.
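Because this image defines each SSID separately under each radio interface, the two copies can drift apart; in the posted config guest-mode is set only under Dot11Radio0. The following is an added example, not part of any post in this thread: a small Python check that parses the Dot11Radio stanzas of a running-config and reports SSIDs whose authentication type, cipher or guest-mode setting differs between radios. The function names and the SAMPLE text are constructed for illustration, and the PSK values are placeholders.

```python
import re

# Constructed sample modelled on the posted config; PSK values are placeholders.
SAMPLE = """\
interface Dot11Radio0
 encryption vlan 5 mode ciphers tkip
 ssid S-Guest-Wifi
    vlan 5
    guest-mode
    wpa-psk ascii 7 <placeholder>
 ssid s
    authentication open eap eap_methods
interface Dot11Radio1
 encryption vlan 5 mode ciphers tkip
 ssid S-Guest-Wifi
    vlan 5
    wpa-psk ascii 7 <placeholder>
 ssid s
    authentication open eap eap_methods
"""

def parse_radios(config):
    """Per-radio ciphers and SSID settings; subinterfaces are skipped."""
    radios, radio, ssid = {}, None, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name, ssid = line.split()[1], None
            radio = radios.setdefault(name, {"ciphers": {}, "ssids": {}}) if re.fullmatch(r"Dot11Radio\d+", name) else None
        elif radio is None:
            continue
        elif m := re.fullmatch(r"encryption vlan (\d+) mode ciphers (.+)", line):
            radio["ciphers"][m.group(1)] = m.group(2)
        elif line.startswith("ssid "):
            ssid = radio["ssids"].setdefault(line[5:], {"vlan": None, "auth": "open", "guest": False})
        elif ssid is not None and line.startswith("vlan "):
            ssid["vlan"] = line.split()[1]
        elif ssid is not None and line.startswith(("authentication open eap", "wpa-psk ")):
            ssid["auth"] = "802.1X" if line.startswith("auth") else "PSK"
        elif ssid is not None and line == "guest-mode":
            ssid["guest"] = True
    return radios

def mismatched_ssids(radios):
    """SSIDs whose (auth, cipher, guest-mode) view differs between radios."""
    names = {n for r in radios.values() for n in r["ssids"]}
    views = {n: {k: (s := r["ssids"].get(n)) and (s["auth"], r["ciphers"].get(s["vlan"]), s["guest"])
                 for k, r in radios.items()} for n in names}
    return {n: v for n, v in views.items() if len(set(v.values())) > 1}
```

Running `mismatched_ssids(parse_radios(text))` on a saved running-config lists each SSID that is not identical on every radio, together with the per-radio view that differs.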
