iPhone users having to forget WiFi network after changing NAC engine on WLC

Fespino1
Level 1

Hello,

I'm just wondering if anyone has come across this issue before and maybe can provide a solution. We are in the process of replacing our WiFi gear and we have two new engines that provide NAC, and as part of our initial testing we moved one of our WLCs to this new NAC/RADIUS server and we moved a few APs to this controller as well. After doing so, only iPhone users had to forget the network to connect successfully. This applies to whatever network/SSID they usually connect to. All other phones associate and authenticate successfully; iPhones only associate but don't authenticate unless they forget whichever network they usually connect to (open or with their username and password). Now, I know there was an issue with some of the recent iOS updates in which the user had to forget the network to be able to connect, but this is random and not everyone has been affected. I don't know if this is how iPhones should work or if there is anything we could do to prevent this. Although an easy fix, I know we are going to get a lot of calls once we move all of our WLCs and APs to the new engines hehe

1 Accepted Solution

Accepted Solutions

jamesjack
Level 1

Cisco has warned that an iOS 14 privacy feature can break some network setups used by corporations, schools, colleges, and retail chains. The potential problems result from the fact that iPhones and iPads on the latest OS default to using a random MAC address when connecting to Wi-Fi networks … Apple introduced the feature as a privacy protection, primarily against retailers who use MAC addresses to track customers who connect to their Wi-Fi networks. Using a random MAC address breaks that – which most of us would consider to be a good thing – but it can also break device-management systems used in companies and educational establishments. Cisco explained the problem, which also applies to the same feature in Android 10. The company says it can break Cisco Identity Services Engine (ISE) services as it uses MAC address lookup. This can impact two key systems used by many organizations.

jamesjack
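The MAC-lookup failure described in this reply is easy to confirm from RADIUS logs: a randomized address has the locally-administered (U/L) bit set in its first octet, so a NAC rule keyed on a burned-in MAC will never match it. The following audit script is an added example, not code from the original thread or from Cisco/Extreme; the log lines and user names are constructed, and the Calling-Station-Id formats it accepts are the common colon, dash, Cisco dotted and bare-hex forms.

```python
import re
from collections import Counter

# Constructed sample RADIUS log lines (not from the original thread). The
# Calling-Station-Id attribute carries the client MAC in whatever format the
# NAS emits, so the parser accepts colon, dash, Cisco dotted and bare hex.
SAMPLE_LOG = """\
Calling-Station-Id = "3c:22:fb:aa:bb:cc"  User-Name = "alice"
Calling-Station-Id = "DA-1B-2C-3D-4E-5F"  User-Name = "bob-iphone"
Calling-Station-Id = "001b.2c3d.4e5f"     User-Name = "carol"
Calling-Station-Id = "e61b2c3d4e5f"       User-Name = "dave-iphone"
Calling-Station-Id = "not-a-mac"          User-Name = "mallory"
"""

_STATION_ID = re.compile(r'Calling-Station-Id\s*=\s*"([^"]*)"')
_USER_NAME = re.compile(r'User-Name\s*=\s*"([^"]*)"')


def normalize_mac(value: str):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    digits = re.sub(r"[:\-.]", "", value.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def classify_mac(value: str) -> str:
    """'global' for a burned-in (OUI) address; 'local' when the U/L bit is set,
    which is how iOS 14 / Android 10 randomized addresses are formed."""
    mac = normalize_mac(value)
    if mac is None:
        return "invalid"
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:  # I/G bit set: group address, never a station
        return "invalid"
    return "local" if first_octet & 0x02 else "global"


def audit_station_ids(log_text: str):
    """Count each class and list users whose endpoint MAC is locally
    administered, i.e. sessions a MAC-lookup NAC rule cannot match."""
    counts = Counter()
    local_users = []
    for line in log_text.splitlines():
        m = _STATION_ID.search(line)
        if not m:
            continue
        kind = classify_mac(m.group(1))
        counts[kind] += 1
        if kind == "local":
            user = _USER_NAME.search(line)
            local_users.append(user.group(1) if user else "?")
    return dict(counts), local_users
```

Run it over an accounting export before the cut-over to see what share of endpoints would fall out of MAC-based profiling; those users are the ones who will need to forget the network or turn off randomization.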


7 Replies


Thank you, that was very helpful. So I've been looking some more and it appears that there is really not a solution that doesn't involve the user having to manually reset the network or turn off random MAC address. Thank you for taking the time to respond.

 

Arshad Safrulla
VIP Alumni

What's the controller model, code, and AP models? Also, what's the EAP mechanism you're using?

WLC 5508 and AIR-CAP3502I-A-K9 APs. We are using Avaya IDE and we will be using Extreme NAC soon for all our WLCs. We will be using Extreme WLCs, but right now we are just testing the rules, so we have Cisco WLCs and Cisco APs using Extreme NAC for RADIUS and security policies for both hardwired and wireless.

We moved one of our WLCs to point to this new NAC engine to start testing. We have two WLANs that are the most used: one is open using web-passthrough and the other one is internal with 802.1X, but we have a rule that when the user connects to this SSID it puts them on an outside VLAN for basic internet access, not internal. iPhone users are not able to connect unless the network is forgotten. One idea in our group is to export the certificate that is in our Avaya IDE engine to our new Extreme NAC, since iPhone users do not have a setting like Android phones do when trying to connect to our SSID, which is to not validate the certificate, but I don't know if this will help at all since this is also affecting the open SSID. I've been searching, but like I was telling jamesjack, no other solution is mentioned other than to either forget the network or turn off randomized MAC addresses on their iPhones.

Arshad Safrulla
VIP Alumni

I do not think randomized MAC addresses are causing the issue; it is more to do with the RADIUS server configuration. What EAP mechanism are you using? Depending on the EAP mechanism, you will have to deploy the correct certs to your RADIUS server.

 

Please share a debug client output from one of the clients, so we can see why it is failing. When the iPhone tries to connect, do you get any logs at the RADIUS server?

 

We are using EAP-TLS, and with Android, since we have the option to select "do not validate cert", I think that's why we are not seeing the issue? I'll try to get that Monday and see if I can share it. Just a quick question: I understand how the cert would affect the connection to our secure network, but why would it also prevent the connection to the open network? Thanks in advance

You need to speak to the team deploying your NAC. Are you sure that they are using EAP-TLS? If that's the case, you need the certificate to be installed in the clients. Without a certificate installed in the RADIUS server and also on the client side, EAP-TLS will be broken. If it is EAP-PEAP, you don't need the certificate installed in the client; for the server side you can also deploy without the certificate, but it is not recommended in production networks as your secure network will be vulnerable to certain attacks.

 

For the open SSID, is the captive portal provided by the WLC itself (LWA) or by the NAC solution? Did you deploy a publicly signed certificate for the web portal? Did you check whether the client is added to the client exclusion list? Can you post a debug client output from the WLC if possible, or speak to TAC.
