Wireless Access

Contributor I

MAC OS X and 802.1x Issues

I know this is going to be a braindump,but here goes:


I have been experiencing many problems this semester with some odd behavior on Mac OS X clients ranging from 10.7.5 to 10.9.


My current environment is as follows:


7210 Controllers


Mixture of AP-105/205 mostly, tunneled

1 x 802.1x PEAP SSID running against MSFT NPS (soon to be clearpass I hope)

1 x Guest Open SSID running against AOS captive portal (soon to be clearpass I hope)

1 x WPA2-PSK legacy SSID that requires mac address registration


Lately I have been having several students bring Mac OS X devices in that worked previously that one day just deciede to stop authenticating against the 802.1x network. They simply say "invalid password." When these clients get in this state, in last year or so we have attempted to clear the keychain because for some reason they were becoming corrupted on our networks, but that doesn't seem to fix the problem anymore.


Oddly enough, the clients also seem to be unable to get the captive portal to load after they get an IP address on that network, but the WPA2-PSK network works fine.


Honestly, I know onboarding is better, but there is a lot of infrastructure around that I can't afford at the moment. There have been days I have wanted to drop the 802.1x network and just go to an open network, especially since mobility is only 1/6th my job :(


Any ideas on where to go to troubleshoot MAC OSX (I don't even have on of these devices to test)

Guru Elite

Re: MAC OS X and 802.1x Issues



You probably need to:


- Start user debug on the Aruba Controller.

config t
logging level debug user-debug <mac address of client>

 To see the debug logs for that client:

show log user-debug all | include <mac address of that client>


- Look at the radius server messages that correspond to that client

- Start wifi debugging on the MAC OSX device to see what is wrong while this is occurring.

sudo /usr/libexec/airportd debug +alluserland +alldriver +allvendor

 The output should be on the MAC OSX console.


You would want to look at all of the logs in 3 places for that device to have a starting point to understand what is going on.  You could also of course, open a TAC case.




*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Frequent Contributor II

Re: MAC OS X and 802.1x Issues

@cjoseph I'm also seeing this issue.  It appears at least to me to be entirely related to the way that MacOS handles storing the wireless SSID, username, and password.


The problem can be replicated by having a MacOS user change their username/password.  Suddenly our ClearPass platform gives an error code of 216 indicating an AD authentication failure.  Only by forgetting the network and re-entering the username/password does the issue go away.


Numerous other forum posts indicate that sometimes even deleting mentions of the SSID in the user keychain is required.  This is extremely cumbersome and time consuming as our tier 1 has to stop what they are doing to help with this problem.


Does anyone else have any ideas on how to resolve this, or is this solely on Apple MacOS? Since nothing has changed on our ClearPass service policy, I'm inclined to think it is not an Aruba 802.1x problem.

rwin = 0
Search Airheads
Showing results for 
Search instead for 
Did you mean: