andreafrompesaro

Q: IOS 5 wifi wpa2 enterprise problem (bug?)

Hello,

I just upgraded some of our devices to IOS 5 and wifi stopped working. We are using WPA2 Enterprise with EAP-TLS and all the devices with IOS 4 still work fine.

Is anyone experiencing this kind of problem?

Thanks

Andrea

PS: This is the server log:


Fri Oct 14 10:07:13 2011 : Error: TLS Alert read:warning:close notify

Fri Oct 14 10:07:13 2011 : Error: TLS_accept: failed in SSLv3 read client certificate A

Fri Oct 14 10:07:13 2011 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

Fri Oct 14 10:07:13 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.

iOS 5

Posted on Oct 14, 2011 3:14 AM
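
The four server log lines in the question describe one failed EAP-TLS handshake. The Python below is an added example, not part of the original post or of the RADIUS server's own tooling; it groups the lines by timestamp and unpacks the OpenSSL error code 140940E5 using the lib/func/reason bit layout of OpenSSL releases before 3.0 (function names are this example's own).

```python
import re
from collections import defaultdict

# Log lines copied from the server log in the question above.
SAMPLE_LOG = """\
Fri Oct 14 10:07:13 2011 : Error: TLS Alert read:warning:close notify
Fri Oct 14 10:07:13 2011 : Error: TLS_accept: failed in SSLv3 read client certificate A
Fri Oct 14 10:07:13 2011 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Fri Oct 14 10:07:13 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
ALERT_RE = re.compile(r"TLS Alert (?P<dir>read|write):(?P<sev>\w+):(?P<desc>.+)")
STATE_RE = re.compile(r"TLS_accept: failed in (?P<state>.+)")
ERR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)")

def unpack_error(code_hex):
    """Split a packed pre-3.0 OpenSSL error code into (lib, func, reason) numbers."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def summarize(log_text):
    """Group lines by timestamp; pull out the alert, the failed state and the error."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a timestamped server log line
        s, msg = sessions[m["ts"]], m["msg"]
        if a := ALERT_RE.search(msg):
            s["alert"] = (a["dir"], a["sev"], a["desc"])
        elif st := STATE_RE.search(msg):
            s["failed_state"] = st["state"]
        elif er := ERR_RE.search(msg):
            s["error"] = unpack_error(er["code"]) + (er["func"], er["reason"])
    return dict(sessions)

if __name__ == "__main__":
    for ts, info in summarize(SAMPLE_LOG).items():
        print(ts, info)
```

On the sample, the summary shows the server in state "SSLv3 read client certificate A", that is, waiting to read the client's certificate, when it read a close notify alert from the client.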


first Previous Page 3 of 3
  • by MaikelLachapel, Apr 22, 2012 5:55 AM in response to andreafrompesaro

    Hello John/Sk1pper,

    While I agree with you that it may not be an iOS issue, it is still very weird that it only happens with iOS devices. At the company I work for I've tried with several devices and the only ones having this problem are our iOS devices (iPhones/iPads/new iPads, all running iOS 4.2.1 up to 5.1). Also, while it happens about 95% of the time, I've seen it connect faster, maybe within 2-3 mins, but for the most part it is taking about 5-10 mins or just doesn't connect and the flower keeps spinning "forever". I've been collecting logs for Apple while replicating the issue so their engineers can confirm if it may be a problem with iOS, which I would assume it is, as regardless of the APs' configuration, if all other non-iOS devices connect then iOS devices shouldn't have a problem connecting either. I'm still waiting for Apple engineers to analyze the logs; once they get back to me I'll give you guys an update.

  • by TenOf11, Jun 12, 2012 9:23 AM in response to andreafrompesaro

    We too have this issue in our environment; iOS devices only have issues connecting to wireless. While not an answer to the actual issue, here is some more detail on what we saw and how we provided a workaround.

    The wireless is WPA2 Enterprise with EAP-TLS. It uses APs that point to a RADIUS server for authentication. There are 4 sites with many APs within each site. At one of the sites, there are no issues connecting at all. Moving to a secondary site, devices could not connect.

    Using the iPhone Configuration Utility to make testing consistent, we created two Configuration Profiles.

    • CERT ONLY - This contains the certificate for ONLY the user (User certificate)
    • CERTS ONLY - This contains the certificates for each object within the certificate chain for the user certificate (Root CA, Policy CA, Issuing CA and User certificate)
    • SSID with CERTS - This contains the certificates for each object within the certificate chain for the user certificate (Root CA, Policy CA, Issuing CA and User certificate). Adding the WiFi connection information to include Service Set Identifier (SSID), Security Type (Any Enterprise), Protocol (TLS; this is EAP-TLS as selected within iOS) and Identification Certificate (selecting the User certificate).

    Testing (each time deleting all Profiles, deleting the WiFi connection, and disabling and re-enabling WiFi to clear settings):

    Apply CERT ONLY Configuration Profile to an iPhone. The device was not able to connect in the secondary site.

    Apply SSID with CERTS Configuration Profile to an iPhone. The device was able to connect in the secondary site.

    Apply CERTS ONLY Configuration Profile to an iPhone. The device was prompted to accept the certificate for the RADIUS server it was authenticating to. Accepting the certificate, the device was able to connect in the secondary site.

    For us, the issue appears to be iOS and certificate related.

  • by MaikelLachapel, Jun 12, 2012 10:04 AM in response to TenOf11

    Hello,

    Just wanted to inform you that unfortunately I have not received any updates or answer to the ticket I raised with Apple back in March regarding this issue, even though at the beginning they were working hard at it. Not sure if they are resolving it in their new iOS 6, but I think it wouldn't hurt for anyone experiencing the same issue to raise a bug report ticket with Apple :) maybe if they get enough tickets they'll see how many ppl are being affected :). Their site for reporting issues is bugreport.apple.com

    Please update us here if anyone is able to get a solution, thanks.

  • by IT pro, Jul 18, 2012 7:56 AM in response to andreafrompesaro

    Hello all,

    I have a solution for iPhone with WPA2 AES.

    Checked with iPhone 4 iOS 5.1.1 and AP HP MSM-430.

    You just need to change 802.1x ttl to 10

    802.1X configuration

    Global 802.1X settings
    Supplicant time-out: seconds

    It's tested and works.

  • by -------dc----------?, Sep 19, 2012 5:26 PM in response to IT pro

    Where is the Supplicant time-out setting on my phone? I don't see where to change it to 10 seconds....

  • by MaikelLachapel, Sep 19, 2012 7:35 PM in response to -------dc----------?

    It is not on the phone; it has to be changed on the router that you are connecting to.

  • by RSteveKadish, Jan 31, 2013 12:46 PM in response to MaikelLachapel

    Hello,

    I know that this is an old thread, but I stumbled across it while looking for something else. I just wanted to say that Apple dropping support for MD5-signed certificates is not a bug; it's sensible. MD5 is a hashing algorithm that was broken years ago. Using MD5 for security is equivalent to using no security at all. SHA-1 is a much more secure algorithm that has not been broken.

    Similarly, you should never "downgrade" from WPA2 to WPA or WEP, as both of those older security schemes have been broken as well. Stick with WPA2 and you will be much safer.


    - Steve
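
The reply above concerns MD5-signed certificates. As an added example (not from the thread or from Apple), the Python below reads the signature algorithm of every certificate in a PEM bundle, such as the Root CA, Policy CA, Issuing CA and user certificate chain mentioned earlier, and flags the MD5-signed ones; the function names are this example's own and the sample input is constructed DER skeletons, not real certificates.

```python
import base64
import re

SIG_OIDS = {  # key: hex of the DER OID content bytes for 1.2.840.113549.1.1.N
    "2a864886f70d010104": "md5WithRSAEncryption",     # N = 4
    "2a864886f70d010105": "sha1WithRSAEncryption",    # N = 5
    "2a864886f70d01010b": "sha256WithRSAEncryption",  # N = 11
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at offset off."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    length = first
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def signature_alg(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, body, _ = read_tlv(der, 0)
    _, _, tbs_end = read_tlv(der, body)        # skip over tbsCertificate
    _, alg_body, _ = read_tlv(der, tbs_end)    # signatureAlgorithm SEQUENCE
    tag, start, end = read_tlv(der, alg_body)  # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid_hex = der[start:end].hex()
    return SIG_OIDS.get(oid_hex, "unknown OID " + oid_hex)

def audit_bundle(pem_text):
    """Return (algorithm, is_md5_signed) for each certificate in a PEM bundle."""
    algs = [signature_alg(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    return [(a, a.startswith("md5")) for a in algs]

# Constructed skeletons (empty tbsCertificate and signature), not real certificates.
SKELETONS = [bytes.fromhex("30143000300d06092a864886f70d0101" + n + "0500030100")
             for n in ("04", "0b")]
SAMPLE_PEM = "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                     % base64.b64encode(s).decode() for s in SKELETONS)

if __name__ == "__main__":
    print(audit_bundle(SAMPLE_PEM))
```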
