Does anyone know how well Macs work with Cisco APs? Second, the issue I am having is that the EAP authentication method, regardless of using LEAP, EAP-FAST, or MD5, continuously flaps on the auth for this user. Our APs hand off the authentication to a Cisco ACS server. Does anyone know of any issues between Cisco and Apple?
There are no such issues that we're aware of. We work together with Apple, just like any other large vendor, to make sure there are no interoperability issues. There were some reports that 10.5.1 and 10.4.10 had some "wireless issues" but with the release of 10.4.11 and 10.5.2, we've heard of numerous success stories (internally and externally - note, Cisco has a few thousand Apple users!)
No issues here, in fact quite the opposite. OSX 10.4 and 10.5.x have all worked perfectly. I've had significant issues on XP clients without a supplicant, but Vista works well (as pertaining to being a wireless client).
Hardware-wise we are running mostly 1130s and a 4402 on the latest. Security side, it's pretty much a PEAP (WPA2/cert/radius) setup with IAS doing the actual authentication. No flapping, no AP transfer issues at all.
It's funny, I had the OSX clients on the network instantly, no config needed.
Cisco wireless network and Apple play very nice together when they work. Our network services about 18,000 unique MAC addresses a week. A fair number of those are Apples and I would say that they have keyring issues that cause them to break. In a given week it would only be about 3-4 Apples so it's very few issues. Our Windows and Linux issues are 99.9% misconfiguration vs the Apple issues are almost always keyring related. 10.4.11? and 10.5.2 seem to work pretty solid but we have had Apple down to take some captures of MacBooks and MacBook Pros that were having issues and could never connect but thus far no specific build or NIC has been identified as the offender.
Thank you all for the postings. What kind of symptoms are you seeing with the keyring issue? What I am seeing is a continuous flap on the authentication process. I am using WPA TKIP with EAP authentication methods (LEAP specifically) to an ACS server. What the ACS server logs is EAP authentication flaps. I have Windows and Linux nodes running error free but I am having an issue with this 1 Mac node that is exhibiting the above mentioned symptoms.
The issues we see vary. Some users will experience the continuous flap whereas others will have a fully configured and working system which then decides it no longer wants to authenticate. We are using WPA(TKIP)/WPA2-ENT(AES) with PEAP/MS-ChapV2 with an ACS server and an LDAP DB. First off, I am not a Mac-experienced person, but this is what I have found troubleshooting them: turning the Airport card off and then removing the preferred connection. Then remove the key ring and certificates and 802.1x setup. Then turning the card back on and then let the Mac auto determine its connection parameters. After cycling through that process it seems to work. We did have one user that seemed to get prompted for his password constantly, approx every 5 mins, with no connection drop, so why he needed to reauthenticate is beyond me. The only other major issue we have seen with Apples is the power settings for the network card. With the new Intel cards that are being used, CAM and PSM are not configurable options in Apples. There are third party drivers that let you configure things but I have no experience with them. Essentially the problem is that the Apples were trying to save power and then losing connection because they powered down too far.
Justin, thanks for the information. That at least gives me some additional things to try. When I get this figured out I will do a posting. Thanks again.
Hey there boss,
I am not sure if my information will help resolve your issues, but I'll share some observations that I've made:
My environment consists of about 120 Cisco APs (1131 & 1231s), controlled by 4 WiSMs across 3 buildings. It uses EAP-FAST authentication, and we do have quite a few Mac users, including myself. Macs definitely do work in my case rather well, but I did have a couple of issues:
When I went from 10.4 to 10.5, there were two distinct issues that I had (verified with other users as well) that may be somewhat relevant to your questions. The first is that the 802.1X configuration is somewhat counter-intuitive (imho). In the Leopard 802.1X panel, you have to select "user" from the drop down panel on the left hand side for non-domain credentials (at least for EAP-FAST, I think you would have to do the same), then set your credentials accordingly. After this is done, a profile is placed within the wireless associations. This default entry was invalid for me, as the encryption scheme wasn't set properly. Once I deleted this entry, then re-configured it with the proper authentication and encryption scheme, it would work correctly.
The second (and most likely relevant to your post) is that I (and other users) would have to cycle the radio on and off in order to authenticate and associate properly. Once I upgraded to 10.5.2, this behavior went away. I would check the version of OSX on your Mac user's system, and consider upgrading if it is a lower version.
I'm not quite sure if this is going to help you or not, I don't quite think that your issues are the same as mine. Since they are similar though, thought I would share them with you.
We're having a different problem at our facility. We have two networks, one secured with WPA2 and no broadcast, and one using web-auth, and broadcasting an SSID.
With MacBook Pros, we cannot see the guest network at all. Period. If I drop webauth and turn on plain old PSK, it works fine, but if I turn web-auth on, it vanishes from the network list.
All Windows machines work fine with this, all other Apple Macintosh portables seem to work fine (MacBook, iPhone, iBook, etc.). It's just these newer MacBook Pros.
One of them is mine, so I have a vested interest in getting this going.
I don't even see the MBP's MAC addresses show up in WCS (5.0). However, if I examine the syslogs for the WLC, I see this:
VALIDATE_DOT11i_CIPHERS_FAILED: Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:
so obviously the AP is seeing my machine, or the others.
Any ideas? I know there are some flaws with this model MacBook Pro and wireless, but this works fine from my laptop and another one in other places that use web-auth for wireless (may or may not use Cisco)
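For readers chasing the VALIDATE_DOT11i_CIPHERS_FAILED message quoted in the last post, the following added example (not part of the thread and not Cisco's code) parses the RSN information element from a captured association request and reports the multicast (group) cipher suite the client requested, which is the field that message complains about. The function names, the allowed-cipher set and the sample IE bytes are constructed for illustration, and the controller's actual validation logic is assumed, not shown in the thread.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")  # IEEE 802.11i cipher suite OUI
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}

def parse_rsn_ie(ie: bytes) -> dict:
    """Split an RSN information element (element ID 48) into its cipher fields."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN IE")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 6:
        raise ValueError("RSN IE truncated before the group cipher suite")
    (version,) = struct.unpack_from("<H", body, 0)
    group, pairwise = body[2:6], []
    if len(body) >= 8:  # the pairwise suite list is optional
        (count,) = struct.unpack_from("<H", body, 6)
        end = 8 + 4 * count
        if end > len(body):
            raise ValueError("pairwise suite list overruns the IE")
        pairwise = [body[i:i + 4] for i in range(8, end, 4)]
    return {"version": version, "group": group, "pairwise": pairwise}

def describe(suite: bytes) -> str:
    """Name a 4-byte suite selector; anything outside 00-0F-AC is reported raw."""
    if suite[:3] != RSN_OUI:
        return "foreign OUI " + suite.hex("-")
    return CIPHER_NAMES.get(suite[3], f"unknown type {suite[3]}")

def check_group_cipher(ie: bytes, allowed: set) -> tuple:
    """Return (ok, name) for the multicast cipher the client asked for."""
    name = describe(parse_rsn_ie(ie)["group"])
    return (name in allowed, name)

# Constructed sample IEs (not captures from the thread)
GOOD_IE = bytes.fromhex("30140100000fac040100000fac040100000fac010000")
ODD_IE = bytes.fromhex("301401000050f2020100000fac040100000fac010000")

if __name__ == "__main__":
    for ie in (GOOD_IE, ODD_IE):
        print(check_group_cipher(ie, {"CCMP", "TKIP"}))
```

Feeding it the RSN IE bytes exported from a packet capture of the failing client, with `allowed` set to the ciphers configured on that WLAN, shows whether the client's group cipher selector is one the WLAN would accept.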