Apple TV and Enterprise WPA2 WiFi Network with Time requirement

perrycj
Contributor III

Hey guys...searched some discussions on here but didn't come across anything I could use. Has anyone had any luck with putting and keeping an Apple TV on an Enterprise WPA2 WiFi network with a time requirement?

We can get all the certificates, trusts, etc on the Apple TV through Apple Configurator but it cannot join our wireless because the Apple TV (at first) doesn't know the correct time. It cannot connect to the network wirelessly to grab the time either.

Anyone come across a way to get this to work without resorting to a hard wire ethernet connection? Any feedback would be appreciated.

1 ACCEPTED SOLUTION

bentoms
Release Candidate Programs Tester

We had the same.

Need to plug into Ethernet to get the time & then we disconnect the Ethernet & the wireless works as the Certs have valid dates.

I think this is an AppleTV OS 7 issue. (Or rather, wasn't an issue before the last major update).

gburgess
New Contributor III

Do you do a full wipe of the Apple TV to skip the setup steps and the naming of the device? I had a problem before where our firewall was blocking the port for the Network Time Server.

The firewall still does this, but after I did everything in configurator, I didn't have an issue connecting to the wireless setup that we have.

bentoms
Release Candidate Programs Tester

@gburgess, does it still connect after 30-60 seconds of being powered off?

gburgess
New Contributor III

Yes, I just plugged in my test Apple TV on my desk. It's been off for over a week now and it connected without any issue. Are you running the most up to date software on the Apple TV? Is there anything else that you can say about your set up that can help us?

bentoms
Release Candidate Programs Tester

Don't mean to hijack... But ours is certificate based RADIUS authentication.

The AppleTV's clock seems to reset to 1970, meaning that the Certs are not trusted & so can't authenticate.

We saw this as the wireless profile would have an install date of 1970.

Is that similar to your setup @gburgess?

Also, maybe it's an AppleTv model thing, or software as you've mentioned.
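The clock failure described in the post above can be reproduced offline, as an added example that is not from any poster in this thread: `openssl verify -attime` substitutes a chosen time for the current time in the certificate validity check. It assumes the `openssl` command-line tool is installed; the CA is a constructed throwaway and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The CA below is a constructed throwaway, not a certificate
# from the thread. Requires the openssl command-line tool.

# Create a self-signed CA valid from "now" for 30 days; prints the PEM path.
make_demo_ca() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Demo RADIUS CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    printf '%s\n' "$dir/ca.pem"
}

# Classify how a verifier whose clock reads $2 (epoch seconds) sees cert $1.
# -attime replaces the current time in the validity-period check.
clock_verdict() {
    out=$(openssl verify -attime "$2" -CAfile "$1" "$1" 2>&1) || true
    case $out in
        *"not yet valid"*) echo NOT_YET_VALID ;;
        *"has expired"*)   echo EXPIRED ;;
        *": OK"*)          echo OK ;;
        *)                 echo OTHER ;;
    esac
}

# Run the same certificate past three different "device clocks".
demo() {
    ca=$(make_demo_ca) || { echo "openssl not available" >&2; return 1; }
    now=$(date +%s)
    echo "clock at 1970-01-02: $(clock_verdict "$ca" 86400)"
    echo "clock correct:       $(clock_verdict "$ca" "$now")"
    echo "clock +10 years:     $(clock_verdict "$ca" $((now + 315360000)))"
    rm -rf "$(dirname "$ca")"
}
demo
```

A `NOT_YET_VALID` verdict with an otherwise good chain points at the device clock rather than at the certificates or the RADIUS configuration.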

perrycj
Contributor III

I work for a very large corporation and basically, we have a RADIUS server which has a time requirement of +/- 5 mins to be able to join the network, in addition to AD credentials.

So with brand new ATVs, after pushing the certificates through Configurator, it cannot join the network. The certs don't expire until 2036, so it isn't that. I'm pretty certain it is the time requirement and as we all know, the ATV has no way to store the time or obtain the time when it's brand new (or freshly imaged) without a network connection. It seems for now the alternative is to connect via wired connection at setup and then unplug when ready for production. Not ideal but it does seem to work.

perrycj
Contributor III

By the way... @bentoms thanks, as always, for your suggestion. I'm going to make it as an answer for now.

gburgess
New Contributor III

We don't have a RADIUS setup here that would require certificates. We just have them connect to an SSID with WPA2.

I do know the issue that you are talking about though with the 1969ish date. I've had that hit me with not being able to use certain profiles in the Apple TV. I find it odd though that the Apple TV's that I'm setting up with my machine are sending out the correct date to the Apple TV. I just checked our firewall, and it is still blocking the 123 port for the Apple Time server. The payloads are showing the correct date on which they were received from the config machine.

Currently, I do a two stage loading of the profiles on to my Apple TV's. One for the config of wireless and name of the Apple TV. And then I do a quick add of the MDM profile to add it to the JSS.

I wonder if you could set up a hidden SSID for setting up the Apple TV's and then remove that and add the RADIUS items after the first config run-through.

bentoms
Release Candidate Programs Tester

@perrycj no worries!

@gburgess, we're looking at using a non-RADIUS authenticated SSID for the AppleTV's & then using Bonjour Gateways to advertise them across SSIDs for AirPlay.

calum_carey
Contributor

Interested to hear which Bonjour gateway you use and how it works for you. We used the Aerohive APs and found that once you had approx 10-12 ATVs it would start intermittently broadcasting some and not others.
We had 3 VLANs we were broadcasting over. Approx 400 client devices (iPads).
Went to an Ubuntu box with avahi and the reflector option, which worked but caused other issues such as the naming of the Apple TVs always changing and then different names showing up on different devices, and so some devices were unable to connect to the Apple TV using AirPlay. For example: AppleTV Library would randomly change to AppleTV Library (23) or some other number. We assumed this to be a stale mDNS record on a device somewhere causing mDNS to create a new DNS record for that Apple TV.

gburgess
New Contributor III

@calum_carey We currently are using Ruckus with our network and have the bonjour gateway set up. Limited testing right now. We have over 50 Apple TV's over 3 SSID's that are also broadcasting to a 4th SSID. So far in my testing, I've only seen 1 issue in one area of the building that is having a delay of about 20 seconds. Not crossing over the gateway seems fine though...so as I said, testing the waters with it currently.

For you to not get those numerical names, you'll want to reserve an IP address for each of your Apple TV's. That's what we did to stop this issue. That and set the devices to never sleep.

SFUHSTECH
New Contributor

@gburgess We also use Ruckus, I would be interested in how you set up your bonjour gateway. We have a multi-vlan environment here.

Not applicable

I keep seeing error 4001 when trying to install a .mobileconfig to my 3rd-gen aTV and get it to connect to my 802.1x PEAP wireless. Tried profiles that both included and excluded the cert, no dice; was able to install the cert separately.

My network guys claim that they whitelisted that aTV's wireless MAC so that it doesn't need to authenticate, but it seems that neither Configurator nor iPCU can get the aTV to accept a profile with blank username & password fields for PEAP authentication. Now, if they'd just create a service account...

bentoms
Release Candidate Programs Tester

@pete_c, you need the whole certificate trust chain on the AppleTV as per: https://jamfnation.jamfsoftware.com/discussion.html?id=6495

This quotes a KB that has been updated without the quoted text, but afaik still holds true.

dpenny
New Contributor III

@calum_carey, if this isn't on a separate thread, maybe we should move it there. We are using Aerohive APs and their Bonjour Gateway and are seeing the exact same behavior you described. I've been troubleshooting this on and off since September and we cannot seem to find any rhyme or reason as to which Apple TVs disappear. Most of the time, simply turning AirPlay off and then back on, on the Apple TV, seems to make it reappear in the AirPlay list on the iPads. We have about 80 Apple TVs being shared across 9 different VLANs.

dpenny
New Contributor III

@calum_carey, be sure to check out the discussion I just posted about a new feature in iOS 7.1 related to AirPlay.

iOS 7.1 and AirPlay

andyparkernz
New Contributor III

@dpenny We saw similar issues with Aerohive bonjour gateway, the solution we've been given by AH is to run a separate BG on a different VM from our regular HiveManager. 46 Apple TVs across 4 VLANS - seems to have fixed the issue.

dpenny
New Contributor III

@andyparkernz Did that end up solving the issues? Are all of your Apple TVs consistently showing up in the AirPlay list now?

We just finished upgrading all of our Apple TVs and have turned off the Bonjour Gateway. The new bluetooth initiated connection method seems to be much more reliable so far, but time will tell.

andyparkernz
New Contributor III

@dpenny - yes, they show consistently, and the other issue we had that they would rename (by adding an increasing number after the Apple TV name) was also solved.

Haven't tried the new bluetooth method yet, but it seems preferable to an increasingly long list of Apple TVs to choose from.

dpenny
New Contributor III

@andyparkernz - wish I had tried that 6 months ago! We had good results today with the bluetooth method... hopefully it holds up! Thanks for the info on the separate Bonjour Gateway.