cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7871
Views
25
Helpful
16
Replies

Apple iOS 8 and LEAP Issue

jeff6strings
Level 1
Level 1

We have an older SSID using LEAP (we are scheduled to migrate away from this BTW, but not soon enough) and existing Apple client devices who upgraded to iOS 8 are having authentication issues.

Just wondering if anyone else is experiencing this same issue.

Thanks.

Jeff

1 Accepted Solution

Accepted Solutions

OK, I have been having this same problem so, I called Apple Enterprise support. The fix is as follows:

- Use Apple Configurator to create a WiFi profile with LEAP enabled

       - Go to Make Profile

       - Click on WiFi Payload for IOS8 or Later except Apple TV

       - and click LEAP as the Authentication type

       - Go to the Prepare screen and find the profile you created and click the Share button. That          exports the profile that can be pushed to the IOS devices or (as in my case) imported into my third party MDM software and pushed out that way. You can also email that profile to the users device.

I hope this helps some of you. 

Cheers

***************************(UPDATE) I have tested this and it works.************************************

View solution in original post

16 Replies 16

ericgarnel
Level 7
Level 7

Per the KB,  it sounds like you need to re-enable it after upgrading to iOS8

 

http://support.apple.com/kb/HT6441

 

Depending on how you configured authentication, it may require pushing out a new profile

 

Eric

Eric,

Thanks for the reply and we are testing this with a device and I will post our results.

Jeff

Thanks for the link Eirc +5

May I know how to enable that in my iOS8 devices? I don't have Mac, so Apple Configurator is not a solution to me. I reset my network in my iOS8 devices, it is not working.

Any thing I need to do?

jeff6strings
Level 1
Level 1

According to the Apple Knowledge base "LEAP is disabled by default". So far we haven't been able to find where to enable it and when adding an SSID LEAP is not an option.

Does anyone know where to enable it?

Thanks.

Jeff

Hi Jeff,

This link may not give answer to your question. But it is a worth document to understand iOS8.0 Security policies.

http://images.apple.com/privacy/docs/iOS_Security_Guide_Sept_2014.pdf

HTH

Rasika

**** Pls rate all useful responses ****

Rasika,

Thanks for the document as it says iOS supports LEAP but we are not able to find where to enable it in ver 8. The Apple KB says LEAP is disabled by default so by this wording it can be enabled. If its removed in iOS 8 then they should have worded it that way.

We are still searching and waiting but its not looking good.

Thanks again.

Jeff

OK, I have been having this same problem so, I called Apple Enterprise support. The fix is as follows:

- Use Apple Configurator to create a WiFi profile with LEAP enabled

       - Go to Make Profile

       - Click on WiFi Payload for IOS8 or Later except Apple TV

       - and click LEAP as the Authentication type

       - Go to the Prepare screen and find the profile you created and click the Share button. That          exports the profile that can be pushed to the IOS devices or (as in my case) imported into my third party MDM software and pushed out that way. You can also email that profile to the users device.

I hope this helps some of you. 

Cheers

***************************(UPDATE) I have tested this and it works.************************************

Thanks for this update...

You're very welcome. We were able to push this to all 94 of our corporate iPads and it works fine. Cheers

I was also stuck with this.  Luckily, I upgraded early so I was able to roll back to 7.1.2 on iPhone because Apple was still signing the previous version.  But I know that I cannot play trial and error because I may not be able to roll back if I upgrade again. Also, the current config utility for iPhone requires OS-X 10.9 which I don't have.

 

My config (12.4(15)T on an old 871W) is many years old, and I had to do a lot of trial and error setting it up since 99% of examples on the internet are "this doesn't work, what is wrong with it" :-(

dot11 ssid VaxinationWiFi
   vlan 10
   authentication open eap eap_list_name
   authentication network-eap eap_list_name
   authentication key-management wpa optional
   guest-mode

(there is a local radio server on the router).

I have no idea whether the above is kosher, but it works fine for my laptop and my iPhones whuch never had problems before until IOS 8.

Unless Apple explicitely states that it has re-enabled LEAP (is LEAP the same as EAP ?), I would rather change my router to another flavour of WPA2 Enterprise. 

within config mode, these are the options given by my router for the authentication command:

 

router1(config-ssid)#authentication ?
  client          LEAP client information
  key-management  key management
  network-eap     leap method
  open            open method
  shared          shared method

 

Note that I do not use "client" in my config.

 

So what would be recommended in terms of ssid config to maintain similar authentication secrity AND please Apple ?

 

 This router caused me no end in headaches because I got the cripped "advanced security" instead of "advanced IP" without knowing there were options.  I realise it is time to replace but not sure by what model yet.

Spent a bit more time on the issue.

Some said that the issue isn't with EAP itself but the encryption used.

Here is what my router can handle: (871W, 12.4(15)T9 IIRC.

router1(config)#int Dot11Radio0router1(config-if)#encryption vlan 10 mode ciphers ?

  aes-ccm  WPA AES CCMP
  tkip     WPA Temporal Key encryption
  wep128   128 bit key
  wep40    40 bit key


Has anyone gotten confirmation from Apple on which of the above is acceptable to "out of the box" IOS8 ? My router is setup with aes-ccm, and that one does not work with IOS-8.

Or are all of the above unacceptable to Apple which means I need to buy a new router if I want to upgrade to IOS8 and not use the configurayion utility (requires 10,9) ?

Thanks for the reply.

We don't use the Apple Configurator as the Apple devices are personally owned. Can we create, export and distribute these profiles for just the SSID without affecting other settings on the device? We don't want to be liable settings caused by a profile we provided and the user imported.

Appreciate the help.

Jeff

That is an excellent question for Apple support. I would like to say yes but, PLEASE verify before attempting. Have a great day.

Review Cisco Networking for a $25 gift card