[162133] in North American Network Operators' Group
Re: MikroTik + EAP-TLS + Non-Channel 1 / Apple iOS issues
daemon@ATHENA.MIT.EDU (Duncan Turnbull)
Wed Apr 3 16:21:00 2013
From: Duncan Turnbull <duncan@e-simple.co.nz>
In-Reply-To: <007101ce3072$e9410300$bbc30900$@fuhell.com>
Date: Thu, 4 Apr 2013 09:20:47 +1300
To: "Thomas York" <straterra@fuhell.com>
Cc: nanog@nanog.org
We had some issues with Apple devices recently on a new MT using WPA2 and preshared key - might not be the same but...
The preamble mode was important, plus the auth types needed to drop any older auth options types, as Apple seems to only accept the latest versions.
We had iPhones, MacBook Airs and some Macs not connect.
These were the settings that made everything spring to life, as best I recall:
ht-basic-mcs=mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-guard-interval=any ht-rxchains=0,1 ht-txchains=0,1
preamble-mode=long proprietary-extensions=post-2.9.25
eap-methods=passthrough group-ciphers=aes-ccm
unicast-ciphers=aes-ccm
Cheers Duncan
On 4/04/2013, at 2:55 AM, "Thomas York" <straterra@fuhell.com> wrote:
> I know a few of you guys are using MikroTik offerings in the enterprise, so
> I hope to pick your brain(s). I have many, many RB433UAH's deployed
> worldwide as simple WAPs. I've been looking to move to 802.1x EAP-TLS via an
> external FreeRadius server. I have our HP Procurves using the FreeRadius
> server without issue. In fact, the only devices that seem to have issues are
> the MikroTik devices.
>
> For one, only channel 1 seems to work with 802.1x. If I change the channel
> to ANYTHING else, clients refuse to auth. Secondly, newer iOS devices (iOS 5
> and newer, I believe) refuse to auth entirely. I have an older iPod touch
> that is on iOS4 that can authenticate on channel 1.
>
> Have any of you guys seen issues like this? Thanks.
>
> -- Thomas York