Some Apple BYOD having problems connecting to 802.1x EAP WPA2 AES

We have a ZD3000 w/ R600 and R700 APs. Lately, with all the issues presented by Win 10, we've been struggling to keep a handle on our BYOD. One thing I changed that helped a lot with the Win 10 devices was setting our NPS to identify with its machine cert rather than our corporate wildcard cert. I'm finding, now, that some of the Apple devices (iPhone 6, 7, MacBook Pro) do not like this at all and fail to receive an address from DHCP. Others do not. I can't seem to find a rhyme or reason to the inconsistency of this problem. I'm considering purchasing a standalone certificate for the RADIUS/NPS box, but thought I would seek some advice before trying that. Any suggestions would be greatly appreciated.

Garrett Collier


Posted 3 weeks ago


Victor Cenac

We had the exact same thing!
Leave your RADIUS server alone :)
The issue is caused by the ZD not recognizing the latest Windows 1803 as... Windows, but "Other".
You most likely have a filter in place that only allows certain OS types on that SSID. Allow all, or other, and your Win 10 machines will get on fine.
You'll find this setting under Roles for each role you configured for use with your 802.1x WLAN.
...or upgrade your ZD to the latest version, as this issue is fixed in it and Windows 10 is recognized properly.


Garrett Collier

Victor, thanks for the tip! I have a few outliers, but this has gotten more devices on!

Francis Aromin

Have you resolved your issues with the Apple devices?

We have a similar issue.
On one of our WLANs with 802.1x EAP (using NPS), a few iOS devices will connect and receive an IP, but after about a minute or two, they will just disconnect. On the device, while it still appears connected, it can't access anything anymore. ZD will report "User[xxx] leave WLAN[xxx] at AP[xxx] with Session Time..."

So far, it seems to be limited to iOS - some on iOS 11, some on 12. We've only seen this in about 15 out of about 2,000 iPads though. No issues with Windows or Android. We don't filter by device OS either.

It's pretty hard to diagnose as they're all BYOD devices of our students. Not much info in the logs either.
As a workaround, we just made another WLAN with web authentication. Not ideal, as we can't put them in their correct VLANs.

We have a ZD3000 on 9.12.3.0 build 61.



Victor Cenac

We have constantly had issues with Apple devices, iOS and macOS. The only thing that kept bringing fixes was upgrading the Ruckus software. You are on a pretty old version. I would strongly recommend upgrading, although version 10 attempts to modernize the web GUI and makes everything very big, so the interface is harder to navigate because it does not fit on the screen.

macOS dropping off of the Wi-Fi was fixed by trying different combinations of settings having to do with radios and channels.

From what I can see in the NPS log, the Mac and iOS devices re-login very often, while Windows seems to take advantage of the caching feature. It is possible that during network congestion or high NPS utilisation a few authentications get dropped. But if it happens consistently to the same clients, I would suspect it isn't this.

Last, your NPS server would update its certificate automatically from your AD CA. I would assume that's not a trusted CA, so the users would have to agree to trust the cert on their own devices. I observed this behaviour on my own phone, after the NPS auto-renewed the cert.

But, I would upgrade the ZD, if you can do it and if your APs are still supported.

Francis Aromin

Thanks for the tip! Apple has always been notorious for breaking compatibility with their updates. It's just strange that we can't pinpoint an iOS version that's causing it this time.
We managed to upgrade to the latest 9.12 build. We still have about 40 ZF7363s on our network, but hopefully we can replace those soon so we can upgrade to 9.13 or even 10.