Most compatible iOS SSID configuration

Autumn
Getting noticed


Hey guys,

 

I know iOS is a pain; there are plenty of articles asking why they keep deauthenticating on the wireless. As you can see, out of the 5 device types and 26 client devices with issues, only 3 are non-iOS:

 

[Screenshot: iOS.PNG]

 

I've done a little testing on one of my sites to see if I could find the most compatible iOS configuration for dashboard. At this point the guest wifi is in a simple NAT mode.

 

My plan, if the wireless health doesn't get any better, is to isolate a bridge mode SSID for guest wifi and enable 802.11r adaptive to see if it gets any better. Any thoughts on that? I don't see many incompatible devices on-site and, if it solves the iOS issues, it would be worth it.

 

I'd like to crowd source some answers. How have you handled iOS devices deauthenticating on the wireless and, if you're not experiencing any issues, what's your setup?

 

Thanks!


Autumn

Adam2104
Building a reputation

Are you using WPA2 Enterprise or PSK? If PSK then 802.11r, in any mode, is not recommended because it is a security issue. Dashboard will warn you if you deploy this type of config.

I was under the impression this was only an issue if the PSK was something that needed to be secure. It's going to be for guest wifi, where guests can just ask what the password is to get in.

 

From: https://meraki.cisco.com/blog/2018/08/protecting-your-networks-from-the-latest-wpa1-wpa2-psk-vulnera...

 

"allowing attackers to obtain the PSK being used for the particular SSID."

 

What would be the security risk in an isolated bridge mode SSID where the PSK is given out?

Sorry if it's a newbie question!

 

Autumn

PhilipDAth
Kind of a big deal

If there is more than one access point then bridge mode gives the best roaming experience.

 

NAT mode causes the user's TCP sessions to be torn down every time a roam is done.

The problem I’m having in particular is not the roaming but the initial association. Do you think there would be any improvement if I did try the bridge mode or is there something you’re using besides NAT mode that you would recommend?

PhilipDAth
Kind of a big deal

Whether you use bridge or NAT mode will have no impact on initial authentication.  It may have an impact on re-association due to roaming.

 

I don't see association issues like this normally (except when using 802.1x, the user has changed their password, but not updated it on their device yet).

 

What method of authentication (if any) are you using at the moment?

WPA2 with PSK, no splash page, RADIUS server or anything like that.

PhilipDAth
Kind of a big deal

You shouldn't be having any authentication issues.

 

Any chance this is simply user error, and people typing in the PSK wrong the first couple of times?

Sorry, I meant association, not authentication.

vassallon
Kind of a big deal

One thing to remember is that iOS versions are very important when it comes to WiFi connectivity. Apple has released multiple versions of iOS with WiFi issues and fixes recently, so if a device is on one of these iOS versions it's not a surprise there are WiFi issues.


Finally made the switch from NAT mode to Bridge 802.11r adaptive for the guest wifi, all association problems stopped as soon as I made the switch. Went from ~25% failing to associate to around ~1% failing.

 

Wooooooooooooooooooooooooooo

 

Now my only worry is that I misread that warning stating not to enable 802.11r on bridge mode for security risks.

 

Since this is for the guest wifi and anyone can get the password that walks up to the front desk, it's not an issue, right?

 

Any input would be appreciated!

PhilipDAth
Kind of a big deal

I would stick with 802.11r. It's not an issue since you have nothing confidential to protect.

Thanks for the reassurance 🙂