Community Member

OS X clients being denied on Cisco WiFi

We had to set up our wifi controller again and we had no problems before until it was set up this 2nd time.  iPhones, Androids, Windows computers all work fine, but OS X will not connect.  Turning on debugging on the Cisco controller and then trying to connect doesn't even log anything.  Tried OS 10.8.5 and 10.9.2 and same issue.  You can see the airport flashing the bars trying to connect and then nothing.

On the 10.8.5 client it's asking for Enterprise Credentials and we don't even have 802.1x on anywhere.  Tried 3 different Macs, two iMacs and a MacBook.

APs: AIR-CAP3602E-A-K9

Cisco IOS Version: 7.4.121.0

show wlan 2

WLAN Identifier.................................. 2

Profile Name..................................... wifiit

Network Name (SSID).............................. wifiit

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Disabled

AAA Policy Override.............................. Disabled

Network Admission Control

  Client Profiling Status ....................... Disabled

   DHCP ......................................... Disabled

   HTTP ......................................... Disabled

  Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

Number of Active Clients......................... 3

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. 86400 seconds

User Idle Timeout................................ 14400 seconds

User Idle Threshold.............................. 0 Bytes

NAS-identifier................................... vWLC

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ vlan2

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

mDNS Status...................................... Disabled

mDNS Profile Name................................ unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

Quality of Service............................... Silver

Per-SSID Rate Limits............................. Upstream    Downstream

Average Data Rate................................   0          0

Average Realtime Data Rate.......................   0          0

Burst Data Rate..................................   0          0

Burst Realtime Data Rate.........................   0          0

Per-Client Rate Limits........................... Upstream    Downstream

Average Data Rate................................   0          0

Average Realtime Data Rate.......................   0          0

Burst Data Rate..................................   0          0

Burst Realtime Data Rate.........................   0          0

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Disabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

   Authentication................................ Disabled

   Accounting.................................... Disabled

   Dynamic Interface............................. Disabled

   Dynamic Interface Priority.................... wlan

Local EAP Authentication......................... Disabled

802.11 Authentication:........................ Open System

   FT Support.................................... Enabled

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Enabled

      WPA (SSN IE)............................... Disabled

      WPA2 (RSN IE).............................. Enabled

         TKIP Cipher............................. Disabled

         AES Cipher.............................. Enabled

      Auth Key Management

         802.1x.................................. Disabled

         PSK..................................... Enabled

         CCKM.................................... Disabled

         FT-1X(802.11r).......................... Disabled

         FT-PSK(802.11r)......................... Enabled

         PMF-1X(802.11w)......................... Disabled

         PMF-PSK(802.11w)........................ Disabled

      FT Reassociation Timeout................... 20

      FT Over-The-DS mode........................ Enabled

      GTK Randomization.......................... Disabled

      SKC Cache Support.......................... Disabled

      CCKM TSF Tolerance......................... 1000

WAPI.......................................... Disabled

   Wi-Fi Direct policy configured................ Disabled

   EAP-Passthrough............................... Disabled

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Disabled

   FlexConnect Local Switching................... Enabled

   flexconnect Central Dhcp Flag................. Disabled

   flexconnect nat-pat Flag...................... Disabled

   flexconnect Dns Override Flag................. Disabled

   FlexConnect Vlan based Central Switching ..... Disabled

   FlexConnect Local Authentication.............. Disabled

   FlexConnect Learn IP Address.................. Enabled

   Client MFP.................................... Optional

   PMF........................................... Disabled

   PMF Association Comeback Time................. 1

   PMF SA Query RetryTimeout..................... 200

   Tkip MIC Countermeasure Hold-down Timer....... 60

AVC Visibilty.................................... Disabled

AVC Profile Name................................. None

Flow Monitor Name................................ None

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Assisted Roaming Prediction Optimization......... Enabled

802.11k Neighbor List............................ Enabled

802.11k Neighbor List Dual Band.................. Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

Multicast Buffer................................. Disabled

 Mobility Anchor List

 WLAN ID     IP Address            Status

 -------     ---------------       ------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

 

We are using WPA+WPA2 with WPA2 Policy checked and AES checked along with "PSK" and "FT PSK" checked with our PSK set as ASCII.  Everything looks correct.  Anyone know what setting would keep OS X from even trying to connect to our WiFi network?  Is it OK to have "PSK" and "FT PSK" enabled on the same WLAN?

 

Thank you in advance!!


7 REPLIES
VIP Purple

Hi,

Did you test without FT PSK? Give it a try & see.

 

HTH

Rasika

*** Pls rate all useful responses ****

Community Member

No because I'm not allowed to change anything, have to make a case first. Fun Fun!  Is it a known problem to have FT PSK with OS X that you know of?

VIP Purple

No, I am not sure, I thought you would be able to test & see.

When you tick that check box you are enabling 802.11r, & if the client does not support that, then the client won't be able to join. Below is from the 7.4 config guide under the guidelines & limitations section.

Legacy clients cannot associate with a WLAN that has 802.11r enabled if the driver of the supplicant that is responsible for parsing the Robust Security Network Information Exchange (RSN IE) is old and not aware of the additional AKM suites in the IE. Due to this limitation, clients cannot send association requests to WLANs. These clients, however, can still associate with non-802.11r WLANs. Clients that are 802.11r capable can associate as 802.11i clients on WLANs that have both 802.11i and 802.11r Authentication Key Management Suites enabled.

1. The workaround is to enable or upgrade the driver of the legacy clients to work with the new 802.11r AKMs, after which the legacy clients can successfully associate with 802.11r enabled WLANs.

2. Another workaround is to have two SSIDs with the same name but with different security settings (FT and non-FT).

HTH

Rasika

**** Pls rate all useful responses ****
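
To check what a WLAN actually advertises, here is an added example (not from the thread or from Cisco's documentation): a small parser for the RSN IE that lists the AKM suites and flags the FT AKMs that the config guide excerpt above says older supplicants fail to parse. The two sample IEs are constructed to match a WPA2/AES WLAN with PSK + FT-PSK (the configuration in the original post) and with PSK only; the function names are illustrative.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
# AKM suite types under OUI 00-0F-AC (IEEE 802.11)
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256"}
FT_AKMS = {"FT-802.1X", "FT-PSK"}

# Constructed sample IEs: WPA2, CCMP (AES) group and pairwise cipher.
MIXED_IE = bytes.fromhex(      # AKMs: PSK + FT-PSK, as on the WLAN in the post
    "3018" "0100" "000fac04" "0100" "000fac04"
    "0200" "000fac02" "000fac04" "0000")
PSK_ONLY_IE = bytes.fromhex(   # AKMs: PSK only (FT-PSK unticked)
    "3014" "0100" "000fac04" "0100" "000fac04"
    "0100" "000fac02" "0000")

def read_suites(buf, off):
    """Read a little-endian 16-bit count, then that many 4-byte selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    end = off + 4 * count
    if end > len(buf):
        raise ValueError("truncated suite list")
    return [(buf[i:i + 3], buf[i + 3]) for i in range(off, end, 4)], end

def parse_rsn_akms(ie):
    """Return the AKM suite names advertised in one RSN IE (element ID 48)."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:]
    if len(body) < 6 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    _pairwise, off = read_suites(body, 6)  # skip version (2) + group cipher (4)
    akms, _ = read_suites(body, off)
    return [AKM_NAMES.get(t, f"unknown({t})") if oui == IEEE_OUI
            else f"vendor({oui.hex()}:{t})" for oui, t in akms]

def legacy_client_risk(ie):
    """Flag FT AKMs, which the quoted guide says old supplicants cannot parse."""
    akms = parse_rsn_akms(ie)
    ft = sorted(set(akms) & FT_AKMS)
    return {"akms": akms, "ft_akms": ft, "legacy_risk": bool(ft)}

if __name__ == "__main__":
    for name, ie in (("PSK + FT-PSK", MIXED_IE), ("PSK only", PSK_ONLY_IE)):
        print(name, legacy_client_risk(ie))
```

The IE bytes can be copied from the tagged parameters of a beacon or probe response in a packet capture of the SSID.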

Community Member

Well you sorta answered my next question, step 2 is what I want to do!  Thanks!

Community Member

Ok turning off FT-PSK did make things work!

Having FT-PSK on and OS X not working is that more of a hardware radio issue not supporting it or is it the Software/Drivers in OS X not supporting FT-PSK??

 

Doing another WLAN with the same SSID - Is that a supported method to do?  How does a client that works with FT-PSK know which one to pick, will it always pick the WLAN that has FT-PSK on?

 

 

VIP Purple

Hi 

Glad to see you got it working by disabling 802.11r.

"Having FT-PSK on and OS X not working is that more of a hardware radio issue not supporting it or is it the Software/Drivers in OS X not supporting FT-PSK??"

This is because Mac OS does not support 802.11r. When Apple releases an update to support this, it will work like any other iOS devices. Here is a link to 802.11r supported iOS devices.

http://support.apple.com/kb/HT5535

"Doing another WLAN with the same SSID - Is that a supported method to do?  How does a client that works with FT-PSK know which one to pick, will it always pick the WLAN that has FT-PSK on?"

Yes, this is a workaround if you want to enable 802.11r where you have mixed mode clients, where some support 802.11r & some don't.

I am not sure, if you have two SSIDs (with FT & without FT support) & the client supports 802.11r, which one the client prefers to connect to. Here is a good article about 802.11r with some useful packet captures as well:

http://wireless-richard.blogspot.com.au/2012/09/sniffer-of-80211r-roaming.html

 

HTH

Rasika

*** Pls rate all useful responses ***

Community Member

Thanks for the help and quick responses!  Greatly appreciated!

 

TAC has been open with Cisco and Bug report to Apple.  Hopefully Apple fixes this soon.  Easy workaround, but Apple should be supporting Industry standards, especially ones from 2008 that are viable today and when Windows and other OS's and devices do.
