iPhones auto associate to L3 protected wlan, can't receive iMessages

ledzepp817 · ‎08-31-2012

Hello everyone,

We have a Cisco 2504 deployed here with 5 1131 APs. We have a WLAN setup with Layer3 web auth that hits an LDAP server. All that is working fine. The issue we have is iPhones that auto-associate to this WLAN. They are not authenticated thru the controller but the iPhones think they are connected to the Internet. So iMessages don't come thru. This would be bad if someone didn't know if they unable to get texts and someone was desperately trying to reach them.

Does anyone else have this problem? If so, how did you fix?

I've looked into the following solutions:

- auto dis-associating clients that don't authenticate within a certain time frame - doesn't look like this is an option

- create an acl to allow imessage traffic from iphones - port 80,443 and 5223. Would never get authenticated then!

If anyone has any advice, it would be greatly appreciated. Thanks!

George Stefanick · ‎08-31-2012

I think I am a little unclear with yout question. If I understand you correctly the iPhone is conencting to your network and you dont want it to connect, correct ?

A few quick ideas:

Dont broadcast your SSID is one option

Delete the WiFi network from the iphone

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

ledzepp817 · ‎08-31-2012

Hi George,

The iPhones should be allowed to connect to the wireless network when they want to. However, iPhones "remember" wireless networks and associate to them automatically if they "see" them. So if an iPhone sees the network, it associates and joins the network but it has not authenticated thru the L3 web auth page, so no data is allowed to pass to it. Hence, imessages are not allowed to be received. The iphone is not smart enough to say I can't get data off this Wlan so I am going to use 3G for now.

Yes I could manually go to each iphone and "forget this network" every day, but that is a nightmare scenario.

George Stefanick · ‎08-31-2012

Gotcha .. You are correct and your statement is accurate. There is no magical way that I know to fix this without manual interaction or punching holes in your design. This is where Apples moto "it just works", sometime doesnt work so well. This is also a problem with ISE when CoA kicks in and moves VLANS. The apple devices arent smart enough to realize they lost IP connectivity and they should re-IP.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

fbarboza · ‎08-31-2012

Hi,

When working with a WLAN with no layer 2 encryption any wireless device that sees the SSID will by default try to connect and get an IP address from the DHCP server which is expected when working with layer 3 web authentication but as you are seeing the wireless client will not be able to pass traffic until it gets authenticated via the web authentication option.

Here you could set the SSID not to broadcast but every time you have a wireless client trying to connect to the WIFI you will need to add the SSID and then once they go remove it becasue they will still have it in memorry.

Or if someone gives it to them they will be able to re add it.

The only option would be that you enable layer 2 authentication with layer 3 web authentication at the same time.

Leo Laohoo · ‎08-31-2012

So iMessages don't come thru.  This would be bad if someone didn't know if they unable to get texts and someone was desperately trying to reach them.

This is NOT a wireless issue.

If iMessages don't come thru then the messages come in as ordinary SMS/Text message. There is no option in iPhone that you ONLY send iMessage. The option available is either standard SMS/Text message and if iMessage is unavailable, fallback is SMS/Text message.

The only iDevice that will accept ONLY iMessage is the iPad with Wi-Fi ony.