of Mac and Men

Arran Cudbard-Bell a.cudbard-bell at sussex.ac.uk
Tue Apr 7 15:40:30 CEST 2009


Alan,
> thanks for the list
>
>
> I can confirm all of these issues.  Also, if you have WPA/AES
> turned on, then the Mac won't touch the lovely WPA2/AES
I haven't seen this. We have WPA/WPA2 TKIP/AES, and the Mac appears to
always pick WPA2. Unfortunately I don't know what cipher it's using,
as the controller won't tell me, and they got rid of the airport
utility in Leopard (grrr).

If you can get some Beacon frames with your Cisco APs, I can send you
some from our HP kit, see if there's anything obvious about the way
it's advertising supported ciphers/security standards.
> - i.e. it won't do 802.11n properly. If you reratify the wifi so you
> only do WPA/TKIP and WPA2/AES then the Mac is a _little_ happier
>
> I can also confirm the DHCP issue - if you set the client ID then
> the Mac gets a DHCP address faster. Not the speed expected...but
> faster. (We use ISC DHCPD and I've been looking for ANYTHING that
> will speed the Mac client up!)
Packet traces.... You should be able to take these on the Mac with
tcpdump or Wireshark. DHCP is a relatively easy protocol to debug; if
there are issues, report them to Apple.

It might be something stupid like the event generated by the
supplicant that prods the DHCP client into trying to get a lease, is
generated when the supplicant gets an EAP-Success *not* when the 4-Way
handshake completes. From my experience Macs usually try and renew
their previous lease before requesting a new one, so this may add some
additional latency.
> We've put in another Cisco TAC case regarding Apple kit. I blame
> Cisco as much as Apple (the Apple stuff works in different ways on
> Trapeze and Netgear APs)
Yes, I've found them to work more reliably on Trapeze. Mine was
connecting fine using WPA2-Enterprise at NW to an Aruba 802.11n AP...
hmm actually it did take a few 'Turn offs' 'Turn ons' to get an IP
with those.... But then the Cambridge infrastructure seemed to be
pretty sucky anyway.

With the ProCurve 530s we used to have, the Macs would sometimes go
blind to all networks other than the one they were currently connected
to. I.e. when you click the little wireless icon, you'd only see the
network you were connected to.
>
> Back onto topic: I've noticed RADIUS stuff on the Mac is quite
> sucky...it seems to go through PEAP or TTLS at least once too many
> times. Almost like it's ignoring a reply or 'having another go' - is
> this something engineered into the OS so they work better with
> Airports? :-(
>
Have you actually traced the wireless traffic (passively), are you
sure it's the Macs at fault with this one?

We saw the 'having another go' issue, but it was due to a timer
problem on our WESM (Wireless Edge Service Module). The WESM would
send ST Nonce to the Mac, then restart authentication by sending an
EAP-Identity-Request, it'd do this ~13 times before letting the Mac
respond with ST Nonce.
This may not be a RADIUS issue at all.

Arran
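
Added example, not part of the original message or of any vendor's code: one way to compare how two APs advertise security standards and ciphers in their Beacon frames is to decode the RSN (WPA2) element and the vendor-specific WPA element from the frame's tagged parameters. The sample bytes are constructed for illustration, and the function names are hypothetical.

```python
import struct

# Suite type numbers; WPA (OUI 00-50-F2) and RSN/WPA2 (OUI 00-0F-AC) share them.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # Microsoft OUI + type 1 = WPA element

def _suites(buf, off, names):
    """Read a little-endian count, then that many 4-byte suite selectors."""
    if off + 2 > len(buf):
        raise ValueError("element ends before suite count")
    (count,) = struct.unpack_from("<H", buf, off)
    end = off + 2 + 4 * count
    if end > len(buf):
        raise ValueError("suite list runs past end of element")
    types = [buf[i + 3] for i in range(off + 2, end, 4)]
    return [names.get(t, f"unknown({t})") for t in types], end

def _parse_body(body):
    """body begins at the 2-byte version field of a WPA or RSN element."""
    if len(body) < 6:
        raise ValueError("element too short for version and group cipher")
    pairwise, off = _suites(body, 6, CIPHERS)
    akm, _ = _suites(body, off, AKMS)
    return {"group": CIPHERS.get(body[5], f"unknown({body[5]})"),
            "pairwise": pairwise, "akm": akm}

def advertised_security(tagged):
    """Walk a beacon's tagged parameters; return what WPA and WPA2 advertise."""
    found, off = {}, 0
    while off + 2 <= len(tagged):
        eid, length = tagged[off], tagged[off + 1]
        body = tagged[off + 2: off + 2 + length]
        if len(body) < length:
            raise ValueError("truncated information element")
        if eid == 48:                                   # RSN element (WPA2)
            found["WPA2"] = _parse_body(body)
        elif eid == 221 and body[:4] == WPA_OUI_TYPE:   # vendor-specific WPA
            found["WPA"] = _parse_body(body[4:])
        off += 2 + length
    return found

# Constructed sample (not from a real AP): SSID "demo", then WPA and RSN elements.
SAMPLE = bytes.fromhex(
    "000464656d6f"
    "dd1a0050f2010100" "0050f202" "0200" "0050f2020050f204" "0100" "0050f201"
    "3018" "0100" "000fac02" "0200" "000fac04000fac02" "0100" "000fac01" "0000")

if __name__ == "__main__":
    for proto, info in advertised_security(SAMPLE).items():
        print(proto, info)
```

Feeding it the tagged-parameter bytes of a Beacon from each vendor's AP gives two dictionaries that can be diffed directly, including the order in which pairwise ciphers are listed.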




More information about the Freeradius-Users mailing list