Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

MAC OS X and 802.1x Issues

  • 1.  MAC OS X and 802.1x Issues

    Posted Sep 15, 2014 10:19 AM

    I know this is going to be a braindump, but here goes:

     

    I have been experiencing many problems this semester with some odd behavior on Mac OS X clients ranging from 10.7.5 to 10.9.

     

    My current environment is as follows:

     

    7210 Controllers

    AOS 7.4.1.0

    Mixture of AP-105/205 mostly, tunneled

    1 x 802.1x PEAP SSID running against MSFT NPS (soon to be clearpass I hope)

    1 x Guest Open SSID running against AOS captive portal (soon to be clearpass I hope)

    1 x WPA2-PSK legacy SSID that requires mac address registration

     

    Lately I have been having several students bring Mac OS X devices in that worked previously that one day just decide to stop authenticating against the 802.1x network. They simply say "invalid password." When these clients get in this state, in the last year or so we have attempted to clear the keychain because for some reason they were becoming corrupted on our networks, but that doesn't seem to fix the problem anymore.

     

    Oddly enough, the clients also seem to be unable to get the captive portal to load after they get an IP address on that network, but the WPA2-PSK network works fine.

     

    Honestly, I know onboarding is better, but there is a lot of infrastructure around that I can't afford at the moment. There have been days I have wanted to drop the 802.1x network and just go to an open network, especially since mobility is only 1/6th my job :(

     

    Any ideas on where to go to troubleshoot MAC OSX? (I don't even have one of these devices to test.)


    #7210


  • 2.  RE: MAC OS X and 802.1x Issues
    Best Answer

    EMPLOYEE
    Posted Sep 15, 2014 03:32 PM

    alamey,

     

    You probably need to:

     

    - Start user debug on the Aruba Controller.

    config t
    logging level debug user-debug <mac address of client>

    To see the debug logs for that client:

    show log user-debug all | include <mac address of that client>

     

    - Look at the radius server messages that correspond to that client

    - Start wifi debugging on the MAC OSX device to see what is wrong while this is occurring.

    sudo /usr/libexec/airportd debug +alluserland +alldriver +allvendor

    The output should be on the MAC OSX console.

     

    You would want to look at all of the logs in 3 places for that device to have a starting point to understand what is going on. You could also, of course, open a TAC case.

     

     

     



  • 3.  RE: MAC OS X and 802.1x Issues

    Posted Feb 25, 2019 03:38 PM

    @cjoseph I'm also seeing this issue.  It appears at least to me to be entirely related to the way that MacOS handles storing the wireless SSID, username, and password.

     

    The problem can be replicated by having a MacOS user change their username/password.  Suddenly our ClearPass platform gives an error code of 216 indicating an AD authentication failure.  Only by forgetting the network and re-entering the username/password does the issue go away.

     

    Numerous other forum posts indicate that sometimes even deleting mentions of the SSID in the user keychain is required.  This is extremely cumbersome and time-consuming as our tier 1 has to stop what they are doing to help with this problem.

     

    Does anyone else have any ideas on how to resolve this, or is this solely on Apple MacOS? Since nothing has changed on our ClearPass service policy, I'm inclined to think it is not an Aruba 802.1x problem.