Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Apple iOS 8 and LEAP Issue

We have an older SSID using LEAP (we are scheduled to migrate away from this BTW, but not soon enough) and existing Apple client devices who upgraded to iOS 8 are having authentication issues.

Just wondering if anyone else is experiencing this same issue.

Thanks.

Jeff

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

OK, I have been having this

OK, I have been having this same problem so, I called Apple Enterprise support. The fix is as follows:

- Use Apple Configurator to create a WiFi profile with LEAP enabled

       - Go to Make Profile

       - Click on WiFi Payload for IOS8 or Later except Apple TV

       - and click LEAP as the Authentication type

       - Go to the Prepare screen and find the profile you created and click the Share button. That          exports the profile that can be pushed to the IOS devices or (as in my case) imported into my third party MDM software and pushed out that way. You can also email that profile to the users device.

I hope this helps some of you. 

Cheers

***************************(UPDATE) I have tested this and it works.************************************

16 REPLIES

Per the KB,  it sounds like

Per the KB,  it sounds like you need to re-enable it after upgrading to iOS8

 

http://support.apple.com/kb/HT6441

 

Depending on how you configured authentication, it may require pushing out a new profile

 

Eric

New Member

Eric,Thanks for the reply and

Eric,

Thanks for the reply and we are testing this with a device and I will post our results.

Jeff

VIP Purple

Thanks for the link Eirc +5

Thanks for the link Eirc +5

New Member

May I know how to enable that

May I know how to enable that in my iOS8 devices? I don't have Mac, so Apple Configurator is not a solution to me. I reset my network in my iOS8 devices, it is not working.

Any thing I need to do?

New Member

According to the Apple

According to the Apple Knowledge base "LEAP is disabled by default". So far we haven't been able to find where to enable it and when adding an SSID LEAP is not an option.

Does anyone know where to enable it?

Thanks.

Jeff

VIP Purple

Hi Jeff,This link may not

Hi Jeff,

This link may not give answer to your question. But it is a worth document to understand iOS8.0 Security policies.

http://images.apple.com/privacy/docs/iOS_Security_Guide_Sept_2014.pdf

HTH

Rasika

**** Pls rate all useful responses ****

New Member

Rasika,Thanks for the

Rasika,

Thanks for the document as it says iOS supports LEAP but we are not able to find where to enable it in ver 8. The Apple KB says LEAP is disabled by default so by this wording it can be enabled. If its removed in iOS 8 then they should have worded it that way.

We are still searching and waiting but its not looking good.

Thanks again.

Jeff

New Member

OK, I have been having this

OK, I have been having this same problem so, I called Apple Enterprise support. The fix is as follows:

- Use Apple Configurator to create a WiFi profile with LEAP enabled

       - Go to Make Profile

       - Click on WiFi Payload for IOS8 or Later except Apple TV

       - and click LEAP as the Authentication type

       - Go to the Prepare screen and find the profile you created and click the Share button. That          exports the profile that can be pushed to the IOS devices or (as in my case) imported into my third party MDM software and pushed out that way. You can also email that profile to the users device.

I hope this helps some of you. 

Cheers

***************************(UPDATE) I have tested this and it works.************************************

VIP Purple

Thanks for this update...

Thanks for this update...

New Member

You're very welcome. We were

You're very welcome. We were able to push this to all 94 of our corporate iPads and it works fine. Cheers

New Member

I was also stuck with this. 

I was also stuck with this.  Luckily, I upgraded early so I was able to roll back to 7.1.2 on iPhone because Apple was still signing the previous version.  But I know that I cannot play trial and error because I may not be able to roll back if I upgrade again. Also, the current config utility for iPhone requires OS-X 10.9 which I don't have.

 

My config (12.4(15)T on an old 871W) is many years old, and I had to do a lot of trial and error setting it up since 99% of examples on the internet are "this doesn't work, what is wrong with it" :-(

dot11 ssid VaxinationWiFi
   vlan 10
   authentication open eap eap_list_name
   authentication network-eap eap_list_name
   authentication key-management wpa optional
   guest-mode

(there is a local radio server on the router).

I have no idea whether the above is kosher, but it works fine for my laptop and my iPhones whuch never had problems before until IOS 8.

Unless Apple explicitely states that it has re-enabled LEAP (is LEAP the same as EAP ?), I would rather change my router to another flavour of WPA2 Enterprise. 

within config mode, these are the options given by my router for the authentication command:

 

router1(config-ssid)#authentication ?
  client          LEAP client information
  key-management  key management
  network-eap     leap method
  open            open method
  shared          shared method

 

Note that I do not use "client" in my config.

 

So what would be recommended in terms of ssid config to maintain similar authentication secrity AND please Apple ?

 

 This router caused me no end in headaches because I got the cripped "advanced security" instead of "advanced IP" without knowing there were options.  I realise it is time to replace but not sure by what model yet.

New Member

Spent a bit more time on the

Spent a bit more time on the issue.

Some said that the issue isn't with EAP itself but the encryption used.

Here is what my router can handle: (871W, 12.4(15)T9 IIRC.

router1(config)#int Dot11Radio0router1(config-if)#encryption vlan 10 mode ciphers ?

  aes-ccm  WPA AES CCMP
  tkip     WPA Temporal Key encryption
  wep128   128 bit key
  wep40    40 bit key


Has anyone gotten confirmation from Apple on which of the above is acceptable to "out of the box" IOS8 ? My router is setup with aes-ccm, and that one does not work with IOS-8.

Or are all of the above unacceptable to Apple which means I need to buy a new router if I want to upgrade to IOS8 and not use the configurayion utility (requires 10,9) ?

New Member

Thanks for the reply.We don't

Thanks for the reply.

We don't use the Apple Configurator as the Apple devices are personally owned. Can we create, export and distribute these profiles for just the SSID without affecting other settings on the device? We don't want to be liable settings caused by a profile we provided and the user imported.

Appreciate the help.

Jeff

New Member

That is an excellent question

That is an excellent question for Apple support. I would like to say yes but, PLEASE verify before attempting. Have a great day.

New Member

Apple Configurator worked for

Apple Configurator worked for us. We created the profile then emailed it to affected users. The documentation is a little thin so it took some experimenting with settings but finally got it working.

Thanks for all the replies.

jeff

Thank you Ivan for sharing

Thank you Ivan for sharing this useful information 5+ :-).

This discussion has been converted into document.

Regards,

Vinay Sharma

Community Manager,

CCIE#44972

Thanks & Regards
4769
Views
25
Helpful
16
Replies
CreatePlease to create content