09-15-2014 07:19 AM
I know this is going to be a braindump, but here goes:
I have been experiencing many problems this semester with some odd behavior on Mac OS X clients ranging from 10.7.5 to 10.9.
My current environment is as follows:
Mixture of AP-105/205 mostly, tunneled
1 x 802.1x PEAP SSID running against MSFT NPS (soon to be clearpass I hope)
1 x Guest Open SSID running against AOS captive portal (soon to be clearpass I hope)
1 x WPA2-PSK legacy SSID that requires mac address registration
Lately I have been having several students bring Mac OS X devices in that worked previously that one day just decide to stop authenticating against the 802.1x network. They simply say "invalid password." When these clients get in this state, in the last year or so we have attempted to clear the keychain because for some reason they were becoming corrupted on our networks, but that doesn't seem to fix the problem anymore.
Oddly enough, the clients also seem to be unable to get the captive portal to load after they get an IP address on that network, but the WPA2-PSK network works fine.
Honestly, I know onboarding is better, but there is a lot of infrastructure around that I can't afford at the moment. There have been days I have wanted to drop the 802.1x network and just go to an open network, especially since mobility is only 1/6th my job :(
Any ideas on where to go to troubleshoot MAC OSX? (I don't even have one of these devices to test.)
09-15-2014 12:32 PM
You probably need to:
- Start user debug on the Aruba Controller.
config t
logging level debug user-debug <mac address of client>
To see the debug logs for that client:
show log user-debug all | include <mac address of that client>
- Look at the radius server messages that correspond to that client
- Start wifi debugging on the MAC OSX device to see what is wrong while this is occurring.
sudo /usr/libexec/airportd debug +alluserland +alldriver +allvendor
The output should be on the MAC OSX console.
You would want to look at all of the logs in 3 places for that device to have a starting point to understand what is going on. You could also, of course, open a TAC case.
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
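When the controller and RADIUS logs for one client are pulled side by side as the answer above suggests, the two sides may write the MAC address in different notations, so a plain text match on one form can miss lines in the other. The following is an added example, not part of the original posts and not Aruba or Microsoft code: it matches a MAC address in any common notation and reports which log has nothing for the client. The source names, the MAC addresses and the sample log lines are constructed and do not reproduce real product output.

```python
import re

SEP = r"[:.\-]?"  # colon, dot or hyphen between octets, or no separator at all

def mac_pattern(mac):
    """Regex matching one MAC in aa:bb:.., AA-BB-.., aabb.ccdd.eeff or bare-hex form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    # Lookarounds stop a match inside a longer hex string (e.g. a session id).
    return re.compile(
        r"(?<![0-9A-Fa-f])" + SEP.join(octets) + r"(?![0-9A-Fa-f])", re.I)

def lines_for_client(sources, mac):
    """Return {source name: [lines mentioning mac]}; empty sources are kept."""
    pat = mac_pattern(mac)
    return {name: [ln for ln in lines if pat.search(ln)]
            for name, lines in sources.items()}

def silent_sources(hits):
    """Sources with no line for the client, i.e. where the exchange is not seen."""
    return [name for name, lines in hits.items() if not lines]

# Constructed sample lines (hypothetical format, made-up MAC addresses).
SAMPLE = {
    "controller": [
        "12:01:02 station up mac=02:00:5e:10:20:30 ssid=campus-1x",
        "12:01:03 station up mac=02:00:5e:aa:bb:cc ssid=campus-1x",
        "12:01:05 eap request sent to 02:00:5e:10:20:30",
    ],
    "radius": [
        "12:01:05 Access-Request Calling-Station-Id=02-00-5E-10-20-30",
        "12:01:06 Access-Reject Calling-Station-Id=02005E102030",
        "12:01:07 session=9902005e1020301f accounting",  # hex run, not the MAC
    ],
}

if __name__ == "__main__":
    for mac in ("02:00:5e:10:20:30", "0200.5eaa.bbcc"):
        hits = lines_for_client(SAMPLE, mac)
        for name, lines in hits.items():
            print(f"{mac} {name}: {len(lines)} line(s)")
        print(f"{mac} no entries in: {silent_sources(hits) or 'none'}")
```

A client that appears in the controller log but in no RADIUS line points the investigation at the path between the controller and the RADIUS server rather than at the client's credentials.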