of Mac and Men

Alexander Clouter alex at digriz.org.uk
Tue Apr 7 15:30:25 CEST 2009


A.L.M.Buxey at lboro.ac.uk wrote:
> 
> thanks for the list
>
Not a problem.
 
> I can confirm all of these issues.  Also, if you have WPA/AES turned 
> on, then the Mac won't touch the lovely WPA2/AES - i.e. it won't do 
> 802.11n properly.  If you reratify the wifi so you only do WPA/TKIP 
> and WPA2/AES then the Mac is a _little_ happier
>
Cheers for this, I just turned off AES for WPA Enterprise this morning 
trying to further minimise my 'exposure' :)

> I can also confirm the DHCP issue - if you set the client ID then the Mac 
> gets a DHCP address faster. not the speed expected...but faster.
> (we use ISC DHCPD and I've been looking for ANYTHING that will
> speed the Mac client up!)
>
Strange, ours connects *really* quickly with no problems with ISC 
DHCPD.  The issue I found was more with the Cisco WLC 
controller and *any* DHCP client.  You have to disable that ghastly DHCP 
Proxying rubbish and then be *very* careful, depending on your local 
'topology', about how to specify your DHCP relay servers and enforcement 
policies related to those.  This sort of stuff is not FreeRADIUS related 
and I'm happy to take this offlist; it's bug workarounds for the WLC.
 
Anyway, I just took a DHCP capture from both the Mac end and the two 
DHCP servers we run and it all looks okay:

http://stuff.digriz.org.uk/mac-dhcp/

You might want to compare it to your captures and see if there is 
anything interesting.

> we've put in another Cisco TAC case regarding Apple kit. I blame
> cisco as much as apple (the apple stuff works in different ways on
> Trapeze and netgear APs)
> 
> back onto topic: I've noticed RADIUS stuff on the Mac is quite
> sucky...it seems to go through PEAP or TTLS at least once too
> many times. almost like it's ignoring a reply or 'having another go'
>
Got any packet captures of that or -X output spiel, I'll be interested 
to have a nosey (off list if need be[1])?  This does sound like it's 
trying to automatically test the inner authentication type.  For 
example, first tries CHAP and then PAP....I know the moment I enabled 
CHAP here at SOAS that all the Mac users were able to automagically 
connect to the wireless network here without any priming (other than 
saying 'yeah, this cert is good').

> - is this something engineered into the OS so they work better with
> Airports ? :-(
> 
I think it's more down to the 'eco-system' that Apple have setup; and to 
be frank that's why they are so popular with the users.  The 
combinations of 'stuff' is low and so manageable and all really Apple 
have to do is test their kit with their own stuff and the users are 
generally happy with "sorry, it does not have an Apple badge on it".  
Cisco *obviously* do the same with their kit and only test their stuff 
really with Intel cards...it's what probably makes up 60% of the NICs 
out there at an organisation (particularly if you have Dell desktops 
without the ghastly Broadcom or Realtek cack).

All (hardware|software) sucks...some just sucks less.  Maybe it's time 
to crack out the Plan9 ISO again.

Cheers

[1] should this not be a JRS Support query ;)

-- 
Alexander Clouter
.sigmonster says: Causes moderate eye irritation.



