[RADIATOR] Mac OS High Sierra: Reauth issues and/or roaming
Amândio Antunes Gomes Silva
amandio at scom.uminho.pt
Mon Feb 26 12:20:29 UTC 2018
Hi, list!
Here, at the University of Minho, we are struggling with an issue related to re-authentication on the eduroam wi-fi network, a situation that only occurs on MacBooks running the most recent OS X versions. Every time the session expires, users are prompted to insert (again) their credentials, which, actually, is not necessary, since if you click 'Cancel' or press the 'Esc' key, re-authentication occurs successfully. Our infrastructure is configured with a session timeout of 1800 seconds, so, as you can already guess, every 30 minutes the affected users face this 'problem'. It also happens when devices roam to another Access Point - when roaming, you don't have to wait 30 minutes; you experience the problem as soon as the device associates to another AP.
I've checked the RADIUS logs and realized that the first time re-authentication occurs, the inner authentication method is no longer the one used the first time the device connected (MSCHAPv2); it uses GTC instead. I managed to configure Radiator to support GTC, which, at first, seemed to have solved the problem, until I realized that the second time re-authentication occurs, the inner method has changed to MD5-Challenge - it looks like the MacBook is trying all the authentication methods it supports in a round-robin way.
This behavior is very odd and I suppose (nearly 100% sure) that the problem is on the MacBook side, but maybe some of you have already dealt with it and have some kind of tip that can help us.
I may say that if we use a configuration profile (created with Apple Configurator 2), defined with a supported authentication method (PEAP, TTLS/PAP, TTLS/MSCHAPv2 and, most recently, TTLS/GTC), re-authentication and roaming are transparent, the device does not prompt you to insert the credentials, and everything works just fine. If the profile is defined with the option 'OS Default', then the problem persists.
We would prefer not to use configuration profiles due to the burden they carry - we want our infrastructure to allow users to connect just by inserting their credentials, which we achieved a long time ago and want to keep going this way.
I've been googling around and found nothing that could help me. I'll post this message on the Apple mailing lists also (which appears to be the wisest thing to do...)
Best regards,
Amândio Antunes Gomes da Silva
-----------------------------------------------------------------------------------------------------------------------------------
Serviços de Comunicações da Universidade do Minho
Campus de Gualtar, 4710-057 Braga - Portugal
Tel.: + 351 253 60 40 20, Fax: +351 253 60 40 21
email: amandio at scom.uminho.pt | http://www.scom.uminho.pt
-----------------------------------------------------------------------------------------------------------------------------------
This email is confidential. If you are not the intended recipient,
you must not disclose or use the information contained in it.
If you have received this mail in error, please tell us immediately
by return email and delete the document.
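The symptom described in the message above (the same client presenting a different inner EAP method on each re-authentication, both on the 1800-second session timeout and on a roam to another AP) is easy to miss when reading accept records one at a time. The following script, added here as an illustration and not part of the original post or of Radiator, groups RADIUS accept records per user and client MAC, flags every re-authentication whose inner method differs from the previous one, and classifies the likely trigger as a roam (NAS changed) or a session timeout (gap at or above the configured timeout). The log lines and their `key=value` layout are constructed for this example; Radiator's real log format differs, so `LINE_RE` must be adapted before running it against production logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in an assumed key=value layout (not Radiator's
# actual log format). Timestamps are spaced to show a 1801 s timeout
# re-authentication on the same AP, then a roam to a second AP.
SAMPLE_LOG = """\
2018-02-26 10:00:05 INFO Access-Accept user=alice@uminho.pt mac=A4-83-E7-11-22-33 nas=ap-gualtar-01 inner=MSCHAP-V2
2018-02-26 10:30:06 INFO Access-Accept user=alice@uminho.pt mac=A4-83-E7-11-22-33 nas=ap-gualtar-01 inner=GTC
2018-02-26 10:35:07 INFO Access-Accept user=alice@uminho.pt mac=A4-83-E7-11-22-33 nas=ap-gualtar-02 inner=MD5-Challenge
2018-02-26 10:00:09 INFO Access-Accept user=bob@uminho.pt mac=3C-22-FB-44-55-66 nas=ap-gualtar-01 inner=MSCHAP-V2
2018-02-26 10:30:10 INFO Access-Accept user=bob@uminho.pt mac=3C-22-FB-44-55-66 nas=ap-gualtar-03 inner=MSCHAP-V2
"""

# Assumed line layout; adapt this pattern to the real log format in use.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ Access-Accept "
    r"user=(?P<user>\S+) mac=(?P<mac>\S+) nas=(?P<nas>\S+) inner=(?P<inner>\S+)$"
)


def parse_log(text):
    """Return one dict per Access-Accept line, in file order; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def find_inner_method_changes(records, session_timeout=1800):
    """Flag each re-authentication whose inner EAP method differs from the previous
    accept for the same (user, mac), and guess what triggered the re-authentication.

    session_timeout is the Session-Timeout value handed to the NAS, in seconds
    (1800 in the infrastructure described in the message).
    """
    by_device = defaultdict(list)
    for rec in records:
        by_device[(rec["user"], rec["mac"])].append(rec)

    findings = []
    for (user, mac), recs in by_device.items():
        recs.sort(key=lambda r: r["ts"])
        for prev, cur in zip(recs, recs[1:]):
            if cur["inner"] == prev["inner"]:
                continue  # stable inner method: nothing to report
            gap = int((cur["ts"] - prev["ts"]).total_seconds())
            if cur["nas"] != prev["nas"]:
                cause = "roam"            # client moved to another AP
            elif gap >= session_timeout:
                cause = "session-timeout"  # re-auth forced by Session-Timeout
            else:
                cause = "other"
            findings.append({
                "user": user,
                "mac": mac,
                "previous": prev["inner"],
                "current": cur["inner"],
                "gap_seconds": gap,
                "cause": cause,
            })
    return findings


def format_findings(findings):
    """Render findings as one human-readable line each."""
    return [
        f"{f['user']} {f['mac']}: inner {f['previous']} -> {f['current']} "
        f"after {f['gap_seconds']}s ({f['cause']})"
        for f in findings
    ]


if __name__ == "__main__":
    for line in format_findings(find_inner_method_changes(parse_log(SAMPLE_LOG))):
        print(line)
```

Run against a day of accept records, the output lists exactly the clients that rotate inner methods between re-authentications, so the population affected (and whether it is limited to one client OS, as the message suspects) can be established from the RADIUS side before any client-side change is considered.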