
802.1x authentication on Macbooks running Lion..

jonmo2578
Level 1

Hi Guys,

I was wondering if anyone has experienced problems with 802.1x authentication on their Cisco Wifi network using Macbook Pro/Airs running Lion.

We have..

2x Controllers with WiSMs running 7.0.116.0

A mixture of 1131 and 1142 APs..  ( APs mainly in HREAP mode with some APs located on the same local network as the Controller in Local Mode )

Macbook Airs/ Pro running Lion

The symptoms we are experiencing are very similar to those described in this thread.. https://supportforums.cisco.com/message/3485552

In summary, we are finding that when our MacBooks are coming out of sleep/standby or roaming between APs, the devices get stuck during the 802.1x authentication process and will either get the self assigned 169 address or continuously try to authenticate.

This can occasionally be solved by turning the wifi interface off and on or manually stopping and starting the 802.1x process on the Mac

From reading various online forums, we have tried the following to resolve this..

- Disabled WPA across our wifi network as we don't use it anymore.. We now just use WPA2 with AES and Dot1x authentication.

- Disabled Client Load Balancing on the SSID configuration… this does not seem to have made things any better or worse although we are seeing more Load Profile threshold notification alerts for some of our APs which are used heavily.

- The 802.1x time out is currently set at 20secs.

- Some APs which are in Local mode ( due to them being on the same local network as our wifi controllers ) have been changed to HREAP mode and assigned a static IP address.. We found that this was required at our spoke sites where we were originally experiencing issues with our old Windows based devices.. Incidentally, we have not experienced any of these delayed authentication issues with our Windows laptops, all our problems seem to be with our MacBooks running Lion..

As I mentioned earlier, there seem to be many discussions online regarding problems with the Lion OS and 802.1x authentication..

Has anyone experienced these problems in the past on their Cisco APs and successfully managed to resolve it.. ?

Any ideas would be appreciated..

Many thanks.

Jon.

5 Replies

BRYN JONES
Level 1

Is this link helpful? We post this on our page for users of Apple devices who complain of something similar to what you describe:

https://discussions.apple.com/thread/1352518?threadID=1352518&start=885&tstart=1

Hi Bryn,

Sorry for the late reply and thanks for the link..

That Apple link is in fact one of the many threads I have already read through regarding this problem.. Unfortunately I had tried the solutions listed on there ( most of them are listed on my original post above ! ) and had no luck..

Since my post, we have created a new SSID using just a PSK as an experiment to see if the above issues disappeared..

We found that the connectivity issues vanished straight away and as soon as 802.1x was enabled on this new SSID, our macbooks ( running Lion ) started getting stuck authenticating again when brought out of standby or roaming.

Current plan is to build a new radius server dedicated for this process to see if that has any effect..

You can try increasing the EAPOL key timeout and EAPOL key retries and see if that makes any difference ..

show advanced eap

config advanced eap

http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/command/reference/cli70MR1commands.html#wp9681830

But I think it's just Apple devices that are impatient in general and do not like to wait too long for the authentication and/or DHCP process.

Can you send the output of the commands:

> debug client

> debug aaa events enable

> debug dhcp packets enable

Jon,

Were you able to find any resolution to this issue? We are experiencing similar issues with Macs dropping intermittently.

wayne.jeffers
Level 1

Ran across this old post while researching this same issue. For us, the problem appears to be with the Macs trying to request an IPv6 address if set to Automatically or Link-local only for Configure IPv6 under the TCP/IP tab. When we changed this to Manually and set a manual link local address, the problem went away and could reconnect after roaming between APs or coming out of sleep/standby.

Enjoy,
Wayne 

 

UPDATE 1: This 'fix' did not solve the issue. After a day, we're still seeing the problem. 

 

UPDATE 2: Found the solution to my problem. It was the cert chain of trust and CRL lookup. The link below describes the problem, but basically the Macs were unable to check the certs, causing a timeout. No network = no CRL lookup = no network......

http://support.apple.com/kb/TS5258?viewlocale=en_US&locale=en_US
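
The "no network = no CRL lookup" loop described in UPDATE 2 can be checked from the certificate side. The script below is an added example, not part of the thread: it lists the CRL and OCSP URLs embedded in every certificate of a PEM bundle (for instance the RADIUS server certificate plus its issuing CAs), which are the endpoints a supplicant cannot reach before authentication completes. The function names, the `example.invalid` URLs and the test certificates are constructed for illustration; `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example: list revocation-check URLs (CRL / OCSP) for every certificate
# in a PEM bundle. Function names and sample certificates are hypothetical.

# revocation_urls <bundle.pem>: prints "CRL <url>" or "OCSP <url>", one per line.
revocation_urls() {
    # crl2pkcs7 | pkcs7 -print_certs walks all certificates in the file;
    # "openssl x509" on its own would only read the first one.
    openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -text -noout |
    awk '
        /X509v3 CRL Distribution Points/ { sect = "CRL"; next }
        /Authority Information Access/   { sect = "AIA"; next }
        # any other extension header or the signature block ends the section
        /X509v3 [A-Za-z ]+:/ || /Signature Algorithm/ { sect = "" }
        sect == "CRL" && /URI:/        { sub(/.*URI:/, ""); print "CRL",  $1 }
        sect == "AIA" && /OCSP - URI:/ { sub(/.*URI:/, ""); print "OCSP", $1 }
    '
}

# make_sample_cert <out.pem> <name>: constructed self-signed test certificate
# carrying one CRL distribution point and one OCSP responder URL.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2.example.invalid" -keyout /dev/null -out "$1" \
        -addext "crlDistributionPoints=URI:http://crl.example.invalid/$2.crl" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid/$2" \
        2>/dev/null
}

# Demo on a constructed two-certificate bundle (server cert + issuing CA).
demo() {
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/server.pem" radius
    make_sample_cert "$tmp/ca.pem" issuing-ca
    cat "$tmp/server.pem" "$tmp/ca.pem" > "$tmp/bundle.pem"
    revocation_urls "$tmp/bundle.pem"
    rm -rf "$tmp"
}
demo
```

Run `revocation_urls` against the real bundle exported from the RADIUS server; every URL it prints is one the client may try to fetch while it still has no IP connectivity.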

 

 
