Message from jhealy@logn.net

Hello all,

Over the past weeks/months there have been a few threads about Mac OS X, and various tidbits about tweaks, configs, changes, and other items that help with the different problems. I'm hoping to roll these all together on this thread for easier reference.

We're an all-Apple campus with an Aruba setup and 802.1X (PEAP) for our primary SSID. We push the server cert out to all clients, and then they authenticate with their normal LDAP credentials. It works "most of the time", but there are always issues here and there. I just want to make sure we're doing what we should to help the user experience.

I'd appreciate any:

- Apple configs (settings on the client)
- Aruba configs (if there are specific settings there)
- General Wifi configs (e.g., raising auth timers, band steering, certificate sizes, etc.)

Please share any changes you make to a vanilla system to help the Macs along...

Thanks,
Jason

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Since these questions get to what people are doing to deal with Apple MacOS and iOS clients, I'm curious as to what, if any, issues others on the list are seeing. Here are mine.

  • MacOS mid-2012 to recent MacBooks are randomly dropping off the WLAN
  • The above MacBooks take 30 seconds or more to reconnect with roamed-to APs

Apple has produced a patch specifically for mid-2013 MacBook Airs, but nothing for the other models.

If you are also seeing these issues on your campus, what EAP type, certificate size and wireless vendor are you using?

We are using EAP-TTLS, 2048-bit certificates and Aruba wireless.

To Jason's question:

Apple configs: none that I know of (except cert settings below).

Aruba configs: in the 802.1x profile, turn off OKC (Apple doesn't support it anyway), turn on Validate PMKID.

General Wifi configs: turn on band-steering (may or may not help depending on your coverage), client certificates should always trust EAP and SSL, and remove revocation settings. Also see Travis Schick's in-depth post regarding the ID request timer.

- Don Wright
Brown University


We have the same setup as yours; not sure who your cert issuer is, we use Thawte. I was able to fix the issue by adding the intermediate cert (Thawte SSL CA) as a root cert in the client keychain, and changing the trust level for SSL to Always Trust. We use XpressConnect for provisioning clients, so I was able to add the Thawte SSL CA as a root cert automatically, but XpressConnect still does not have a way of trusting the SSL part of the cert, only EAP. So for clients with issues, we do it manually for now. Not sure why the SSL tweak would work, since the EAP setting should be the one coming into play.

Marcelo Lew
Wireless Network Architect & Engineer
University Technology Services
University of Denver
Desk: (303) 871-6523
Cell: (303) 669-4217
Fax:  (303) 871-5900
Email: mlew@du.edu
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Wright, Don [donald_wright@BROWN.EDU]
Sent: Wednesday, October 23, 2013 9:40 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Mac OS X Best Current Practices



Forgot to mention, for this tweak to work, we had to enable both OKC and PMKID.

Marcelo Lew
Wireless Network Architect & Engineer
University Technology Services
University of Denver
Desk: (303) 871-6523
Cell: (303) 669-4217
Fax:  (303) 871-5900
Email: mlew@du.edu
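
The certificate trust settings discussed in this thread can also be delivered as a configuration profile whose Wi-Fi payload names the CA and RADIUS server it trusts for EAP. The following is an added example, not code from any poster or vendor: it builds such a profile for a PEAP SSID and audits a profile for missing trust settings. The SSID, server name, UUIDs, payload identifiers and certificate bytes are constructed placeholders; the payload keys are Apple's documented Wi-Fi payload keys.

```python
import plistlib

CA_UUID = "00000000-0000-4000-8000-0000000000CA"    # constructed placeholder UUIDs
WIFI_UUID = "00000000-0000-4000-8000-0000000000F1"
TOP_UUID = "00000000-0000-4000-8000-000000000001"
FAKE_CA_DER = b"constructed placeholder, not a real certificate"
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

def _payload(ptype, uuid, **extra):
    # Keys every payload dictionary carries; the identifier prefix is an assumption.
    return dict(PayloadType=ptype, PayloadVersion=1, PayloadUUID=uuid,
                PayloadIdentifier="edu.example.wifi." + uuid, **extra)

def build_profile(ssid, ca_der, server_names, anchor=True):
    """Return .mobileconfig bytes: a CA certificate payload plus a PEAP Wi-Fi payload."""
    eap = {"AcceptEAPTypes": [25],                        # 25 = PEAP
           "TLSTrustedServerNames": list(server_names)}  # RADIUS cert names accepted
    if anchor:
        # Trust the bundled CA for this SSID's EAP exchange only.
        eap["PayloadCertificateAnchorUUID"] = [CA_UUID]
    content = [
        _payload("com.apple.security.root", CA_UUID, PayloadContent=ca_der),
        _payload("com.apple.wifi.managed", WIFI_UUID, SSID_STR=ssid,
                 EncryptionType="WPA2", AutoJoin=True, EAPClientConfiguration=eap),
    ]
    return plistlib.dumps(_payload("Configuration", TOP_UUID,
                                   PayloadDisplayName=ssid, PayloadContent=content))

def audit_profile(data):
    """Return (ssid, finding) pairs for 802.1X Wi-Fi payloads lacking trust settings."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if p.get("PayloadType") != "com.apple.wifi.managed" or eap is None:
            continue
        ssid = p.get("SSID_STR")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append((ssid, "no-anchor"))
        if any(a not in cert_uuids for a in anchors):
            findings.append((ssid, "dangling-anchor"))
        if not eap.get("TLSTrustedServerNames"):
            findings.append((ssid, "no-server-name"))
    return findings
```

To produce an installable profile, pass the DER bytes of the CA that issued the RADIUS server certificate in place of `FAKE_CA_DER` and generate fresh UUIDs.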
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Marcelo Lew [Marcelo.Lew@DU.EDU]
Sent: Wednesday, October 23, 2013 10:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Mac OS X Best Current Practices


