we have an issue with our wi-fi. A lot devices disconnect from our wi-fi when they are in standby for 5-10 minutes. They also don't auto-join although the payload is set up with auto-join. That's a big problem because we want to region based behavior. We also have a good amount of access points (every 15-20 meters).
Any ideas to fix our connection issues?
I had to switch to WEP security for the time being. We have almost 4k iPads and we don't have the manpower to deal with them all at once.
In my findings and testing its related to IOS 15 for sure. Even the latest update doesn't fix the issue. I've had several tickets into JAMF support and basically didn't get much help. We're stuck to WEP still...
I'll gladly collab with any of you to come up with a solution. Just reach out to me.....
First things first: Please excuse my bad English.
It seems to be an issue with certain firewalls. If you connect your device with a wifi that hasn't full access to the internet the device will (somehow) remember that and won't auto join in the future. In this case completely wipe your wifisettings in the settings menu. (or simply create a new ssid and activate the firewall when every device joined)
We run Sonicwall firewalls here in the school district where I am at. And I don't think the firewall has much to do with our situation here. Like I said above. This didn't happen till IOS15.
And a full wipe doesn't do much for us. However....on the topic of the firewall. That potentially is something we can test here. I might have a VLAN thats free that I can point a new SSID at and then give it full access.
Interesting, I wonder if it could be access to https://www.apple.com/library/test/success.html is failing or not allowing access fast enough. I'm not sure that URL is still current, but I believe iOS / iPadOS use that to check if the WiFi is working and will drop it if not. So, that could make sense that some firewalls / filters are blocking that or delaying access for new devices like an SSO check from the firewall. Maybe iOS15 has a new process for checking that connectivity exists or is just more sensitive to any kind of inspection or filtering delays.
Sway, I have a few more questions.
1) Do you use Radius for your WiFi security or is this a plain text WPA2 configuration?
2) Do you disable the "MAC Address Randomization" in the WiFi configuration profile payload?
3) Is there any kind of dynamic VLAN assignment in your WiFi system in use?
1. Yes we use RADIUS
2. We have it turned off. And kinda thought this had something to do with it when we started.
3. Not exactly sure what you mean by this.
On a side note. My WIFI system is Ubiquiti.
We also use Ubiquiti, but don't currently use Radius. We use a plain text WiFi WPA2 SSID directly mapped to a VLAN dedicated for student iPads. We do not have the problem so far with over 200 student iPads on v15. Does the problem happen if you setup a test SSID without Radius?
Side note: I've been thinking about implementing Radius to use dynamic VLAN assignment to we could reduce our number of SSIDs. Dynamic VLAN assignment allows your Radius server to pick which VLAN the device ends up on.
The dynamic VLAN assignment sounds good. But that would kind of defeat the purpose of the autojoin and this issue all together. I think in the long run for us. We're going to MAC filter. Since we are a school district k-12 we have to filter the internet and keep personal devices off the network. Ubiquiti only allows 4 SSID's and oddly enough we are using all of them. We could design our network better probably but we have multiple buildings all kinda segregated now so it works for us.
As for the radius questions. We didn't do the SSID without it I don't think. its all a blur at this point.
The dynamic VLAN assignment uses MAC addresses so it could be used to accomplish the same thing as a MAC filter. You could put any non-matching devices on an isolated network with no Internet access.
We use more than 4 SSIDs with our Ubiquiti setup. If you disable the Uplink Connectivity Monitor (site settings) you can do that. Be careful if you try it, I think it will cause a re-provision and knock everyone off of WiFi for a little bit. However, I would still try to limit SSID that use 2.4ghz to 2-3 max. With our student iPads we use a SSID that broadcast on 5ghz only. It works well for us, but we do have an AP in every classroom.
We started looking at doing it by MAC address only but the limit was only 499 per SSID if I remember correctly. Our Middle and High School have more devices than that. So we couldn't do it. If I understand it correctly of course.
Sway, If you don't mind sharing, what Firewall, WiFi Access points, and filtering are you using? Sure does sound like it could be related to your specific firewall / filtering setup. Do you know if your firewall uses any kind of SSO for user detection? If so, I recommend you try to exclude the iPads from that check.