Question: Mac OS High Sierra: wi-fi eduroam Reauth issues and/or roaming
Here, at the University of Minho, we are struggling with an issue related to re-authentication on the wi-fi network eduroam, a situation that only occurs on MacBooks running the most recent OS X versions. Every time the session expires, users are prompted to insert their credentials (again), which is actually not necessary, since if you click ‘Cancel’ or press the ‘Esc’ key, re-authentication occurs successfully. Our infrastructure is configured with a session timeout of 1800 seconds, so, as you have already guessed, every 30 minutes the affected users face this ‘problem’. It also happens when devices roam to another Access Point – when roaming, you don’t have to wait 30 minutes; you experience the problem as soon as the device associates to another AP.
I’ve checked the RADIUS logs and realized that the first time re-authentication occurs, the inner authentication method is no longer the one used the first time the device connected (MSCHAPv2); GTC is used instead. I managed to configure Radiator to support GTC, which at first seemed to have solved the problem, until I realized that the second time re-authentication occurs, the inner method has changed to MD5-Challenge – it looks like the MacBook is trying all the authentication methods it supports in a round-robin way.
This behaviour is very odd and I suppose (nearly 100% sure) that the problem is on the MacBook side, but maybe some of you have already dealt with it and have some kind of tip that can help us.
I may say that if we use a configuration profile (created with Apple Configurator 2) defined with a supported authentication method (PEAP, TTLS/PAP, TTLS/MSCHAPv2 and, most recently, TTLS/GTC), re-authentication and roaming are transparent: the device does not prompt you to insert the credentials, and everything works just fine. If the profile is defined with the option ‘OS Default’, then the problem persists.
We would prefer not to use configuration profiles due to the burden they carry – we want our infrastructure to allow users to connect just by inserting their credentials, which we achieved a long time ago and want to keep doing this way.
I’ve been googling around and have found nothing that could help me.
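As an added example, not part of the original post and not Apple's or Radiator's code: the configuration-profile workaround described above, written as a Python script that generates a Wi-Fi payload pinning EAP-TTLS to one inner method (MSCHAPv2) instead of leaving it at ‘OS Default’, and a reader function that checks whether an existing .mobileconfig pins the inner method at all. The SSID eduroam is from the post; the RADIUS server name, anonymous outer identity and payload identifiers are placeholders. The payload keys (com.apple.wifi.managed, EAPClientConfiguration, AcceptEAPTypes, TTLSInnerAuthentication, TLSTrustedServerNames, OuterIdentity) are Apple's documented profile keys; the inner-method values accepted here are the ones Apple documents for TTLSInnerAuthentication, so the TTLS/GTC option mentioned in the post is not covered.

```python
import plistlib
import uuid

# IANA EAP method numbers as used in AcceptEAPTypes (Apple profile key).
EAP_TTLS = 21
EAP_PEAP = 25

# Values Apple documents for TTLSInnerAuthentication.
TTLS_INNER_METHODS = {"PAP", "CHAP", "MSCHAP", "MSCHAPv2", "EAP"}


def build_eduroam_profile(ssid="eduroam",
                          inner_auth="MSCHAPv2",
                          trusted_server_names=("radius.example.org",),  # placeholder
                          outer_identity="anonymous@example.org",       # placeholder
                          org_id="org.example.eduroam"):                # placeholder
    """Return a configuration-profile dict that pins EAP-TTLS to one inner method.

    Leaving the inner method unpinned ('OS Default' in Apple Configurator) is the
    setting the post reports as problematic; here it is always set explicitly.
    """
    if inner_auth not in TTLS_INNER_METHODS:
        raise ValueError(f"unsupported TTLS inner method: {inner_auth}")
    if not trusted_server_names:
        # Without server-name pinning the client accepts any certificate that
        # chains to a trusted CA, which is how eduroam credentials get phished.
        raise ValueError("TLSTrustedServerNames must not be empty")

    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TTLS],           # TTLS only; PEAP would be 25
            "TTLSInnerAuthentication": inner_auth,  # pinned, not 'OS Default'
            "OuterIdentity": outer_identity,        # anonymous outer identity
            "TLSTrustedServerNames": list(trusted_server_names),
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ssid} (TTLS/{inner_auth})",
        "PayloadContent": [wifi_payload],
    }


def to_mobileconfig(profile):
    """Serialise the dict as the XML plist that Apple Configurator / profiles(1) consume."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def pinned_inner_method(mobileconfig_bytes, ssid="eduroam"):
    """Read back a .mobileconfig and return the TTLS inner method pinned for `ssid`,
    or None if there is no TTLS Wi-Fi payload for that SSID or it leaves the inner
    method at the OS default."""
    profile = plistlib.loads(mobileconfig_bytes)
    for payload in profile.get("PayloadContent", []):
        if (payload.get("PayloadType") == "com.apple.wifi.managed"
                and payload.get("SSID_STR") == ssid):
            eap = payload.get("EAPClientConfiguration", {})
            if EAP_TTLS in eap.get("AcceptEAPTypes", []):
                return eap.get("TTLSInnerAuthentication")
    return None


if __name__ == "__main__":
    data = to_mobileconfig(build_eduroam_profile())
    print(data.decode())
    print("pinned inner method:", pinned_inner_method(data))
```

Install the generated file with `profiles install -path eduroam.mobileconfig` or by double-clicking it; `pinned_inner_method` returning None on a profile is the same situation the post describes for ‘OS Default’, where the supplicant is free to choose (and rotate) the inner method on each re-authentication.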