Mobile devices other than laptops unable to connect to wireless network

anord
Level 1

Mobile devices including iPhones, iPad, Android (various devices) and a few other platforms are no longer able to connect to our wireless network.  This previously worked without issue.  Laptops are able to connect without any sort of issue.

Our WLAN is configured as:

WPA + WPA2

802.1X Auth Key

Use Microsoft IAS for Authentication (PEAP)

2006 Controller

6 1000 Series APs

802.11b/g

When testing with an iPhone I am able to connect very randomly - about 1/20 I would guess; but as soon as the device goes to sleep and wakes up it loses the connection and will no longer connect.  I get prompted to accept a certificate on the phone - I click accept and a popup comes up and states "Unable to Connect to Network."  I have a hunch this issue is with the IAS server and with certificates, but I have created a new certificate and went over every single setting and verified that it is setup the same as before when it was working.

Any help or suggestions would be greatly appreciated.

5 Replies

Federico Ziliotto
Cisco Employee

Hello Alan,

From your initial sentence, it looks like this was working before. If so, which change started triggering this issue?

It looks as if the authentication fails after accepting the IAS server certificate on the iPhone.

What error messages is IAS showing in the event viewer?

Some useful debugs on the WLC to troubleshoot this would be the following:

debug client

debug aaa event enable

debug aaa detail enable

Also, in case we'd need to further analyze what's inside the EAP packets exchanged between the iPhone and IAS, we could also enable

debug client

debug aaa event enable

debug dot1x packet enable

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Federico,

Thank you for the reply.

We had to update the certificate on the domain controller which is also the IAS server in order to get secure LDAP to work for another service.  Seems like we have had these issues ever since then.  I created a new certificate specifically just for wireless but the issue remains.  I don't fully understand why we even need a certificate on the IAS server since we don't use it.  My only thought is it must be used for encryption between the WLC and IAS.

The error message on IAS is as follows:

Source IAS

Event ID: 3

Reason Code = 96

Reason The authentication request was not processed because the session timed out.

I have also attached the debug logs when trying to connect the iPhone.  Hopefully this will provide some insight as to what the issue is.  I stopped the debug as soon as the iPhone said "unable to connect to network."  Then of course right after that it was able to connect to the network.  As you can see it's quite random as to when it will or won't work.

Thanks!

Thank you Alan,

From the debugs on the WLC, it looks like the Radius server at a certain stage stops replying:

Thu Jan  6 21:27:43 2011: 5c:59:48:2c:6e:6e Max retransmission of Access-Request (id 99) to 172.16.73.150 reached for mobile 5c:59:48:2c:6e:6e
Thu Jan  6 21:27:43 2011: 5c:59:48:2c:6e:6e [Error] Client requested no retries for mobile 5C:59:48:2C:6E:6E
Thu Jan  6 21:27:43 2011: 5c:59:48:2c:6e:6e Returning AAA Error 'Timeout' (-5) for mobile 5c:59:48:2c:6e:6e
Thu Jan  6 21:27:43 2011: AuthorizationResponse: 0xbabff8c4
Thu Jan  6 21:27:43 2011: structureSize................................28
Thu Jan  6 21:27:43 2011: resultCode...................................-5
Thu Jan  6 21:27:43 2011: protocolUsed.................................0xffffffff
Thu Jan  6 21:27:43 2011: proxyState...................................5C:59:48:2C:6E:6E-02:09
Thu Jan  6 21:27:43 2011: Packet contains 0 AVPs:
Thu Jan  6 21:27:43 2011: 5c:59:48:2c:6e:6e Processing AAA Error 'Timeout' (-5) for mobile 5c:59:48:2c:6e:6e
Thu Jan  6 21:27:43 2011: 5c:59:48:2c:6e:6e Sent Deauthenticate to mobile on BSSID 00:0b:85:6e:e0:50 slot 1(caller 1x_auth_pae.c:1033)

This occurrence repeats many times throughout the debugs.
From what we got so far, we may suspect the following:

1. The IAS Radius server presents the client (iPhone) with its certificate.
2. You need to validate the server certificate on the iPhone.
3. By the time you validate the server certificate on the iPhone, the server declares a timeout and it does not reply anymore.
4. The WLC does not receive a response from the server and it times out the iPhone.

When doing PEAP authentication, a server certificate is required: that's as per RFC.
This is used so that the client can decide to verify the identity of the server against well known Certification Authorities. So the certificate is used as a sort of further verification between the client and the Radius server, not between the WLC and the Radius server.

In standard PCs, under the PEAP settings, we have for example the option not to validate the server certificate.
This means that the client will not care about the certification authority that issued the server certificate, so this check will be skipped.
Are you using such an option on your laptops?
If so, you may want to find the equivalent settings on the iPhone. I understand this sounds more like a workaround, but it may get things working in the meantime.

So far, I'd tend to suspect that the root cause is to be searched in the IAS Radius server.

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
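As an added illustration (not code from this thread or from Cisco), the check Fede applies by eye to the WLC debugs can be automated: the parser below reads "debug client"/"debug aaa" output, counts per client how often the controller exhausted its Access-Request retransmissions, returned AAA 'Timeout' and then deauthenticated the client, and tallies which RADIUS server stopped answering. The sample text reuses the excerpt posted above; the final 'Success' line for a second MAC is constructed to show a client that is not flagged.

```python
import re
from collections import defaultdict

# Timestamp prefix, client MAC, then the message body (dump lines such as
# "AuthorizationResponse: 0x..." carry no MAC and are skipped).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<msg>.*)$"
)
RETRANS_RE = re.compile(r"Max retransmission of Access-Request \(id (?P<id>\d+)\) to (?P<server>\S+)")
TIMEOUT_RE = re.compile(r"Returning AAA Error 'Timeout' \(-5\)")
DEAUTH_RE = re.compile(r"Sent Deauthenticate to mobile on BSSID (?P<bssid>\S+)")

# First six lines are from the debug excerpt in this thread; the last line is constructed.
SAMPLE_DEBUG = """\
Thu Jan  6 21:27:43 2011: 5c:59:48:2c:6e:6e Max retransmission of Access-Request (id 99) to 172.16.73.150 reached for mobile 5c:59:48:2c:6e:6e
Thu Jan  6 21:27:43 2011: 5c:59:48:2c:6e:6e [Error] Client requested no retries for mobile 5C:59:48:2C:6E:6E
Thu Jan  6 21:27:43 2011: 5c:59:48:2c:6e:6e Returning AAA Error 'Timeout' (-5) for mobile 5c:59:48:2c:6e:6e
Thu Jan  6 21:27:43 2011: AuthorizationResponse: 0xbabff8c4
Thu Jan  6 21:27:43 2011: 5c:59:48:2c:6e:6e Processing AAA Error 'Timeout' (-5) for mobile 5c:59:48:2c:6e:6e
Thu Jan  6 21:27:43 2011: 5c:59:48:2c:6e:6e Sent Deauthenticate to mobile on BSSID 00:0b:85:6e:e0:50 slot 1(caller 1x_auth_pae.c:1033)
Thu Jan  6 21:28:10 2011: 00:11:22:33:44:55 Returning AAA Error 'Success' (0) for mobile 00:11:22:33:44:55
"""


def summarize_aaa_timeouts(debug_text):
    """Per-client counts of retransmission exhaustion, AAA timeouts and the
    resulting deauthentications, plus per-RADIUS-server exhaustion counts."""
    clients = defaultdict(lambda: {"retrans": 0, "timeouts": 0, "deauths": 0})
    servers = defaultdict(int)
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mac, msg = m.group("mac").lower(), m.group("msg")
        r = RETRANS_RE.search(msg)
        if r:
            clients[mac]["retrans"] += 1
            servers[r.group("server")] += 1
        elif TIMEOUT_RE.search(msg):   # "Processing ..." lines are not double-counted
            clients[mac]["timeouts"] += 1
        elif DEAUTH_RE.search(msg):
            clients[mac]["deauths"] += 1
    return dict(clients), dict(servers)


def clients_deauthed_by_timeout(debug_text):
    """MACs that were deauthenticated after a RADIUS timeout (the iPhone
    symptom in this thread), rather than rejected by the server."""
    clients, _ = summarize_aaa_timeouts(debug_text)
    return sorted(m for m, c in clients.items() if c["timeouts"] and c["deauths"])
```

A server that accumulates exhaustion counts across many clients points at the RADIUS side (IAS here), whereas a single client with timeouts and no server-wide pattern points at that client's EAP exchange.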

Thanks for all of the information.  I have been poking around with IAS all afternoon but to no avail.  I have also been doing a bit of reading and it looks like iOS (Apple) is supposed to ignore these types of certificates, but I don't know how accurate that is as it was just a 3rd party source.  On our laptops we have the option to validate the certificate disabled, which is probably why they work and the mobile devices don't.  From what I can tell this option is not available on the iPhone.  Might be time to ditch IAS and try a different solution to see if the issue still exists.

By chance, do you think having a valid (not self-signed) certificate would resolve this issue altogether?

Thanks!

Thank you Alan,

Involving the IAS administrator/support would definitely be a good idea at this stage.
In case you'd like to give it a shot with a different Radius server, as a test, you could also install an evaluation version of either ACS 4.2 for Windows or ACS 5.

A self-signed certificate on the Radius server is as valid as a CA signed one from the functionality perspective, as long as the client either trusts the certificate or chooses not to validate it.
In case you'd like a client to trust a self-signed certificate, you should simply import the very same self-signed certificate to the client and use it as the root CA certificate.
Self-signed certificates are in fact both a server certificate (from the server's perspective) and a root CA certificate (from the client's perspective).

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
