WPA2 / Cisco 1231s / Apple iPhone issues

Unanswered Question
Mar 31st, 2009

We have an issue with iPhones and 1G iPods on our WiFi network. (Other devices seem to work fine including: BSD, Linux, XP, Vista, OS-X, and 2G iPods.)

We needed multiple VLANs on the backend and have configured our 1200's with several VLANS and broadcast a single SSID as documented using PEAP / WPA/WPA2, and enabled a hidden open SSID with the legacy captive portal. The iPhone and 1G iPod will not connect to the broadcast SSID so we created a hidden WPA SSID and they associate. (However they won't reconnect to it.) We would really like them to connect to the broadcast SSID, or auto reconnect to either the open or WPA hiddens, but nothings seems to work correctly.

I posted to the APPLE forums as well.


We have a WPA/WPA2 Enterprise (PEAP) network and are having trouble with our users iPhones. (They work fine on the open network SSID, but would like to migrate to the somewhat more secure WPA or WPA2 model.)

Apple iPhones 2.2.1 5H111

Apple iPods 2.2.1 5H11a

Cisco APs 12.3(8)JA2 or 12.3(3)JEC2 (same results) (WPA TKIP and AES support enabled)

OUR STANDARD AP CONFIG: and our results

OPEN SSID (hidden) = iPhones works fine

WPA2 SSID (broadcast) = iPhones fail to connect (occasionally after certificate)

(BUT iPods work just fine!, as does Ubuntu, XP, etc.)

TESTED config 1: (but this setup is incompatible with our network design)

OPEN SSID (broadcast) = iPhone works

WPA2 SSID (broadcast) = iPhone works

TESTED config2: (not desired configuration)

OPEN SSID (broadcast) = iPhone Works

WPA2 SSID (hidden) = iPhone Works

The Standard config needs to be implemented and supported for a variety of reasons. (We use .1X to move clients to various VLANs behind that SSID so can't enable multi-broadcast on our equipment.) We need to broadcast our WPA network SSID instead of the OPEN SSID, but are having issues.

As this problem ONLY seems to impact our iPhone users, and not iPods, (with the same version of software) suspect there may be a simple setting on the phones or APs that we are missing. Anyone else ran into this and have any pointers?

We have also noted the very same problem with 1G iPod Touch. (Several users pointed this out after deployment.)

We have implemented a work-around by having a WPA2#2 SSID as a hidden so these iPhones and iPods can attach to the network. This now allows them to associate without a problem.

However on the hidden ID they seem to connect/disconnect from the network, and may require a user to go to the networks area to get connected after the device is left alone for some time.


On of our users summed the problem up best:

There are two problems (either one will leave us with a workable solution):

1) An iPhone 3G connecting to a hidden SSID on a Cisco 1200AP will be able to connect, but as soon as the phone goes to sleep it will drop the connection. Once that the phone is woken back up it will not reestablish the connection to the hidden SSID unless you go to Settings->Wi-Fi and wait for it to show up on the list of available network. If you fire up safari before doing this you will be presented with only SSIDs that are broadcast, canceling from that list will cause the iPhone to not look for a wi-fi network and use the Edge network instead. It's worth noting that in the Settings->Wi-Fi available networks list that the hidden SSID (once learned) will show up every couple of seconds and then disappear only to show back up a few seconds later (this is not the standard iPhone behavior for hidden SSIDs)

2) An iPhone 3G does not seem to be able to connect to a broadcasted beacon on a Cisco 1200AP if the Cisco is set for single beacon broadcast mode. The phone can connect to hidden SSIDs (see #1 for problems with this) and can also connect to broadcasted beacons if there are more than one. The iTouch does not show this problem in newer hardware (older iTouchs do show this problem)

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Leo Laohoo Tue, 03/31/2009 - 15:42

I have a Voice WLAN and this is what I've configured the authentication features: [WPA][Auth(802.1X + CCKM)]

I have a number of colleagues who use the iPhone to use Wireless VoIP successfully.

Hope this helps.

According to our experience, multiple SSIDs per AP seem to be doing this to all the iPhone generations and firmware versions that we have here in our IT department. It seems the phone gets "confused" with two or more SSIDS per one MAC address. We actually have three different wireless networks on each access point, one being the free public wireless network with no encryption, second being the old WEP and the third being the enterprise PEAP, and the latter two SSIDs are not being broadcast. We usually connect our iPhones to WEP (can't get it to work with PEAP), and we get the same behavior as you described. Also, once the phone connects, in its settings it sometimes displays the name of the public wireless network even though it is only connected to the other secure one (we can tell by the IP address), so the smartphone is not that smart in this case.

We just discovered a workaround "trick" - since we have multiple access points per floor, we first removed all other networks from one access point and all the iPhones connected happily to it. Once we re-enabled the other SSIDs, the old behavior started again.

Then we disabled broadcasting of the public unencripted SSID on one of them and again all the iPhones close to that access point started working and "remembering" the network connection when coming back from sleep.

Having in mind the known case with iPhones and Cisco/Apple/Duke University network (Google it for more information), I don't want to explicitly blame either Cisco or Apple, although my first guess would be that iPhone has a problem with distinguishing multiple SSIDs on same Access Point/MAC address.

jowillet Thu, 10/29/2009 - 09:17

Thanks Aaron, changing to MBSSID fixed the problem.. I was really banging my head on the wall with this one..

Matt Smeltzer Thu, 09/29/2011 - 07:18

Hi There,

I am having the same issue, are you able to point me in right direction where to setup the MBSSID in the GUI?




This Discussion



Trending Topics - Security & Network