Reply
Emerging Member
Posts: 65
Registered: ‎08-11-2014
Kudos: 6

Random disconnects Apple devices on 802.1x

Hi! 

 

I have been researching a strange phenomenon for a while now. We have a couple of UniFi AC Pro at our Office for internal use. We currently have two SSID's defined; one with wpa-eap connected with radius to our Windows NPS, the other one with wpa-psk for our guests.

 

Connecting and using both networks works fine. When connecting to wpa-eap it correctly prompts for credentials and in the NPS logs i can see the devices getting access. Here is where it gets weird; the android devices (Samsung and Xiaomi phones) connect and work fine. The Apple devices seem to connect and reconnect fine, but sometimes lose the credentials for EAP. Sometimes after a day, sometimes after a week. Here is what i have been able to rule out:

 

- Happens only to iOS based devices

- Happens only on WPA-EAP based networks.

- Happens to various iOS versions

- Happens to various iOS hardware (iPhone SE, iPhone 6s and iPhone X)

- No weird or excessive characters in the SSID

 

We have done implementations like this before (UniFi AP + EAP + NPS) that work without any issues. I replaced the UAP and recently recreated the SSID's and NPS policies from scratch. I read a ton of threads that usually don't quite cover the issue non the less. I have been shifting through the NPS logs, other then multiple log lines onconnecting mentioning the Network policy or Connection request policy, i don't see any weird activity. 

 

A while back i thought i tackled the problem, by replacing the certificate used by the network policy. But alas, the issue had returned.

 

Anybody else been experiencing this strange issue?

 

Kind regards, 

 

John.

Senior Member
Posts: 23,839
Registered: ‎08-04-2017
Kudos: 4507
Solutions: 1171

Re: Random disconnects Apple devices on 802.1x

Hello @GoAdvised,

 

Could you include your system config?

Settings > Maintenance > Support Info > Show System Config

 

 

Regards,

Glenn R.

Cloud Hosted Controllers | Glenn R. | UniFi Installation/Easy Update Scripts | UniFi-Video Installation Scripts | UniFi-VoIP Installation Scripts
USG-XG-8 • USG-4-PRO • USG
US-XG-16 • US-48-500W • US-24-POE-250W 2x • US-16-POE-150W 3x • US-24 • US-8-150W • US-8
UAP XG • UAP-SHD • UAP-HD • UAP-NanoHD 2x • UAP-AC-PRO 2x • UAP-AC-LITE • UAP-AC-IW • UAP-AC-M • UAP-AC-M-PRO 2x
UAS-XG • UCK-G2-PLUS • UCK-G2 • UCK
Emerging Member
Posts: 65
Registered: ‎08-11-2014
Kudos: 6

Re: Random disconnects Apple devices on 802.1x

Well, i would if the bloody download button would work.

 

So here is a screenshot of it, does that provide you with the info you want?

 

 

unifi_systemconfig.PNG
Established Member
Posts: 819
Registered: ‎01-21-2016
Kudos: 119
Solutions: 25

Re: Random disconnects Apple devices on 802.1x

Never put AUTO, give the following radio settings a try.

 

2.4 GHz
Channel width: HT20
Chanel: 1/6/11 (Any of these, do a RF scan to get the most clear one)
Transmit Power: Low/Medium

5GHz
Channel width: VHT40
Chanel: 36/40/44/48 (Any of these, do a RF scan to get the most clear one (Avoid DFS))
Transmit Power: High


You could also modify your DTIM Periods if you have more modern devices on the network.
Settings > Wireless Network > SSID > 802.11 Rate And Beacon Controls

DITM 2G Period: 3
DITM 5G Period: 3

 

 

Regards,

Glenn R.
Controller (5.10.23): CK 1.0.1
Unifi (4.0.42.10433 ): UAP-AC-IW-Pro, UAP-AC-LR, UAP-AC-M & USW8-60W (4.0.42.10433)

Better WiFi coverage is not achieved by increasing transmission power, but by increasing the number of accesspoints.
Senior Member
Posts: 23,839
Registered: ‎08-04-2017
Kudos: 4507
Solutions: 1171

Re: Random disconnects Apple devices on 802.1x

Hallo @GoAdvised,

 

Seems like @elinden  posted my recommendations Man Tongue

Also please upgrade both of your UAPs to 3.9.45

 

 

Regards,

Glenn R.

Cloud Hosted Controllers | Glenn R. | UniFi Installation/Easy Update Scripts | UniFi-Video Installation Scripts | UniFi-VoIP Installation Scripts
USG-XG-8 • USG-4-PRO • USG
US-XG-16 • US-48-500W • US-24-POE-250W 2x • US-16-POE-150W 3x • US-24 • US-8-150W • US-8
UAP XG • UAP-SHD • UAP-HD • UAP-NanoHD 2x • UAP-AC-PRO 2x • UAP-AC-LITE • UAP-AC-IW • UAP-AC-M • UAP-AC-M-PRO 2x
UAS-XG • UCK-G2-PLUS • UCK-G2 • UCK
Emerging Member
Posts: 65
Registered: ‎08-11-2014
Kudos: 6

Re: Random disconnects Apple devices on 802.1x

Hi elinden,

 

Thank you for your reply! I'll gove those settings a try and monitor the outcome!

Member
Posts: 164
Registered: ‎05-21-2018
Kudos: 5

Re: Random disconnects Apple devices on 802.1x

I thought I was alone with this problem and even thought the the pfsense RADIUS server that I have is the one causing the issue but it turns out that the commonality between us are the Ubiquiti AP's and the Apple devices! Here's my post in the pfsense forum:

 

https://forum.netgate.com/topic/133502/802-1x-wifi-random-disconnection-from-apple-devices

 

So basically, all our apple devices in our home are affected and yes, it only happens when they connect with 802.1x authentication. So the question here is if it's an iOS issue or a Ubiquiti issue. Although, I have an ASUS router in another house using the same pfsense RADIUS server and Apple devices don't experience the same issue in that house. So it's gotta be the Ubiquiti AP's causing the issue.

 

@UBNT-DavidSWhat logs do you need from me to troubleshoot this?

Emerging Member
Posts: 65
Registered: ‎08-11-2014
Kudos: 6

Re: Random disconnects Apple devices on 802.1x

Hi Kevin,

 

Yes, i knew i couldn't be the only one! To figure out what is causing this i am trying solutions one step at a time. First thing i have done now is changing the DTIM to 3 as @elinden suggested. I changed this last thursday and haven't had any disconnects since. Perhaps you could try this too?

Member
Posts: 164
Registered: ‎05-21-2018
Kudos: 5

Re: Random disconnects Apple devices on 802.1x


@GoAdvised wrote:

Hi Kevin,

 

Yes, i knew i couldn't be the only one! To figure out what is causing this i am trying solutions one step at a time. First thing i have done now is changing the DTIM to 3 as @elinden suggested. I changed this last thursday and haven't had any disconnects since. Perhaps you could try this too?


I surely can, but what does it exactly do?

Senior Member
Posts: 2,742
Registered: ‎04-21-2015
Kudos: 406
Solutions: 108

Re: Random disconnects Apple devices on 802.1x

[ Edited ]

Check this out, though don't see a relation of this setting to the 802.1x auh
https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-the-wireless-DTIM-And-how-do-w...

Thanks,
Myky
CWNA
--------------------------------------------------------------------------------------------------------------------------------------------------
Don`t blame the device as it`s always doing what you have asked it to do, this is not always the same as what you want.
Senior Member
Posts: 2,742
Registered: ‎04-21-2015
Kudos: 406
Solutions: 108

Re: Random disconnects Apple devices on 802.1x

Maybe it is UniFi issue, but l am trying to figure out on how AP can instruct the client to forget the EAP profile credentials.
Thanks,
Myky
CWNA
--------------------------------------------------------------------------------------------------------------------------------------------------
Don`t blame the device as it`s always doing what you have asked it to do, this is not always the same as what you want.
Member
Posts: 164
Registered: ‎05-21-2018
Kudos: 5

Re: Random disconnects Apple devices on 802.1x

@UBNT-DavidS

 

Can you please reply to this issue?

Member
Posts: 164
Registered: ‎05-21-2018
Kudos: 5

Re: Random disconnects Apple devices on 802.1x

@UBNT-DavidS

 

I'm sure you're being notified when I mention you in this thread but it seems that you're ignoring it. Again, can you please say something about this?

 

@UBNT-jeff

 

Can you also please help here?

 

 

Ubiquiti Employee
Posts: 536
Registered: ‎04-03-2017
Kudos: 206
Solutions: 9

Re: Random disconnects Apple devices on 802.1x

Hi @kevindd992002

 

Thanks for the page here. 

 

I am discussing this internally with our teammates. Once I have some information, I will give an update here. 

 

Thanks,

David S


UBNT_Alternate_Logo.png

Ubiquiti Networks Enterprise Team

Check out our ever-evolving Help Center for answers to many common questions!

FREE UBWA Student Guide-Great RF Primer!

FREE UBRSS Student Guide-Great Intro to Routing & Switching!

Having connectivity issues? See: UniFi Debugging Intermittent Connectivity Issues on your UAP

Learn How to Establish a Connection Using SSH Here

Emerging Member
Posts: 65
Registered: ‎08-11-2014
Kudos: 6

Re: Random disconnects Apple devices on 802.1x

Hi! 

 

Although i thought that the DTIM tweak resolved my issue; begin this week the iPhones where thrown off the network again. It does seem that it is less frequent though. Good to know that this issue is taken up by you guys, thanks!

 

Kind regards.

New Member
Posts: 11
Registered: ‎04-06-2015
Kudos: 1

Re: Random disconnects Apple devices on 802.1x

Did anyone get this to a stable state? I've been having the issue for over a year now, purchased new APs, rebuilt my configurations, manually set the Channels/Advanced options/etc.

 

It sounds like the issue is unique to Unifi devices - I've asked other network admins using off-the-shelf hardware and others with Cisco and they haven't had the kinds of problems I'm having specifically with iOS devices and WPA2 EAP.

 

Android/Windows devices on the network have no issues.

Member
Posts: 164
Registered: ‎05-21-2018
Kudos: 5

Re: Random disconnects Apple devices on 802.1x

Nobody from Ubiquiti is willing to help us in this stupid issue. @UBNT-DavidS used to be very helpful but know he just ignores these support questions!

Senior Member
Posts: 2,742
Registered: ‎04-21-2015
Kudos: 406
Solutions: 108

Re: Random disconnects Apple devices on 802.1x

[ Edited ]

Sounds odd. AP will always start with EAP Request Identity message. Device should supply this info with EAP Response Identity packet (silently if the profile already exists for the particular SSID). Full traffic flow below:

 

rep.JPG

 

Monitor mode PCAP that shows EAP Request Identity and EAP Response Identity packets:

 

rep1.JPG

 

Username was: TEST. 

Anyway, it is difficult to attack this issue. Would be nice to see if AP receives the EAP Response Identity packet with username and password when this happens.

Thanks,
Myky
CWNA
--------------------------------------------------------------------------------------------------------------------------------------------------
Don`t blame the device as it`s always doing what you have asked it to do, this is not always the same as what you want.
Emerging Member
Posts: 65
Registered: ‎08-11-2014
Kudos: 6

Re: Random disconnects Apple devices on 802.1x

I am too still experiencing this issue. It seems to have its good weeks and bad. Last week i was kicked off twice, this week four times already. I just can’t seem to isolate the cause... 

 

what at kind of certificate do you guys use in your nps or radius? Self-signed or bought?

 

 

New Member
Posts: 11
Registered: ‎04-06-2015
Kudos: 1

Re: Random disconnects Apple devices on 802.1x

I use self-signed cert with NPS (have a PKI in place) and I was going to try purchased next. I manually trust the certificates on devices and the behavior I see is random dropoffs or consant "Incorrect Password" prompts. What's weird is that eventually, sometimes, especially by moving physically to another AP, they can authenticate again and it holds for a bit (days?) but I don't want my users to monitor their WiFi and move physically to authenticate before going back to their desks. Why would moving APs make any sort of difference? Toggling WiFi on/off, forgetting the network, restarting the phone makes no difference if they stay in one spot.

 

One thing to note is I do push the wireless profiles via MDM. It just preloads the server CA root certificate and SSID/auth type where the user then enters their username/password. I don't know if that's relevant but I can't imagine its an unusual use-case.

 

I do remember having this setup some time ago with no issues, it wasn't until about 1-2 years ago that this really became a problem. 

Reply