Good evening Tim thank you for the reply,

It may be a misunderstanding from my part but currently with devices running iOS10 if a user changes their password they don't need to re-enter a new password  on the iPad which I though was because of a certificate when using EAP-MSCHAPv2 ?

Although i'm unable to determine it look like iOS11 has an issue with EAP-MSCHAPv2 and tries to use EAP-TLS as when a user changes their password the authentication fails and the iPads look for a device identity certificate.

If we were to change the authentication method would you recommend EAP-TLS ? 

Good evening George,

The only options under mode are Automatic and EAP-TLS which is what lead me to believe it may be an issue with iOS11 as we don't need to re-enter AD password once it changed in iOS10.

Not sure if the issue is iOS 11 can no longer determine the payload sent within the Wi-Fi profile or if iOS11 can no longer support EAP-MSCHAPv2.

Afternoon Hslai,

Just as a bit of an update on my description above  iOS10 does request the user to enter new password when it changed however it look like this issue may be an apple problem as on ipads running iOS10 when a user changes their password they get the following screen which is current:

in iOS 11.0.3 they get this screen asking for identity:

and now since iOS11.1 bata 3 some progress has been made and the following screen is displayed:

Issue back with apple and im waiting on a reply from support

Will keep the post updated when I hear back from Apple

Any reply yet?

I have the same issue I think...

IOS 11 came out and now devices can't connect to my 802.1X SSID when they were working prior.  It appears they're trying to do EAP-TLS when they should be doing EAP-MSCHAPv2.  It just says "can't connect" when I try.  Uname/Pword are pushed down from an MDM policy.

Afternoon Adam,

Sound like the same issue to me, although the ticket with Cisco TAC still open they believe it an Apple problem. The last update I got from the Apple Enterprise Support Team on the 27th October was that their engineers have had this behavior reported to them and it being worked on however they cannot confirm a patch date. 

I have asked them for a bug number in the hope to track it better however i'm hoping by the reply I got Apple have taken ownership of the fault.

Currently the only work around I have is for the users on iOS11 to upgrade to iOS11.1 and remove any WiFi profiles that may be on the devices. for us our ISE pushed out the WiFi profile with a CA certificate.

The issue still remains however that the iPads try to connect a number of times each time the password authentication fails as seen in the the radius logs but it seems to me that the ipads are unable to recognize an incorrect password. eventually after pressing to connect to the wifi a few times the incorrect password notification appears and allows you to enter username and password. 

It would be worth you raising the fault with the Apple Enterprise Support Team and reference my call to put some more pressure on Apple our case id is 20000002095460

Unfortunately some supplicants don’t be have that well

Have you considered using certificate authentication instead?

If ISE 2.0 Patch 5 also fixes Windows 10, then it seems you are hitting CSCuw88770. And, that might not be the same discussed here.

Agreed, I was working on Win10 issues related to CSCuw88770, but in our case, it also happened to fix IOS devices running IOS 11..

Apple iOS 11 negotiates to use TLSv1.2 when connecting to an ISE running 2.0+ so CSCuw88770 applies.