10-18-2023 12:22 PM
Good Day, All,
We are currently encountering a problem where a small number of MacBooks are failing to process Identity Request packets for wired authentication before the connected ports are falling back to MAB. This seems to occur when the devices are awakened from sleep or upon reboot and are connected to the wired network through Dell WD19TBS or DA300 docks. It seems very clear to me, after taking a number of packet captures, that the devices are not able to process such packets for somewhere between 40 and 70 seconds after link-up. Our retransmissions are currently set to occur at most twice with intervening 10-second timeouts, such that the switch will not retransmit again beyond 20 seconds after link-up. This configuration seems to be in line with best practice.
I know I could extend the number of retransmissions and/or the timer to encompass the 70-second delay that our MacBooks may encounter, but we are heavily reliant on MAB for non-dot1X-capable devices, some of which I expect may stop doing DHCP after 60 seconds. We are also operating in closed mode, such that if I stretch the timers and retransmissions as far as possible within a 60-second window, then I may be essentially allowing our MAB devices only one chance to perform DHCP upon initialization.
So, I guess my question is, has anyone else run into this problem with Macs, successfully tackled it, and if so, how? Our endpoint support team will be opening a ticket with Apple to request troubleshooting of the initialization delay.
Thank you,
Nathan
10-15-2024 04:19 AM
So, this turned out to be a problem with FileVault. Prior to disk decryption, Macs do not have access to locally configured profile information, so they cannot participate in EAP-TLS for wired 802.1X. As such, it really comes down to timing. If a user connects to Ethernet and logs in immediately, and you have default authentication timers configured on your switchports, FileVault decryption may occur quickly enough to allow the Mac to respond before the final switch retry. Most of the time, though, this does not appear to be the case.
I messed around with a couple of timing settings, but nothing could really accomplish what I wanted because it was always dependent on when the user elected to log in after connecting to Ethernet. You know, they may connect to the dock and then walk off to grab a cup of coffee.
What I finally landed on was a MAB policy that matched on an "Apple-Device" endpoint profile condition to pass in a 60-second reauthentication timer authorization result to cause the attached switchport to attempt to reauthenticate the attached device every 60 seconds. This has worked well so far. I guess now we'll just have to see if there are any scaling problems as we expand our wired .1X footprint.
Thank you,
Nathan
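To see why the timer values in the question cannot be stretched far enough, and why the periodic MAB reauthentication in the accepted answer works, here is an added timeline model (not code from the original post or from Cisco). It treats the port as sending one EAP Identity Request per tx-period, retransmitting max-reauth-req times, then falling back to MAB; a Mac that is still locked by FileVault cannot answer until a constructed `ready_at` delay has passed; and, once a MAB session exists, an optional server-pushed reauthentication timer restarts 802.1X. The 10-second tx-period and two retransmissions are the question's values, the 60-second reauthentication timer is the answer's, and the readiness delay and the 60-second DHCP give-up time are constructed assumptions.

```python
"""Timeline model of the 802.1X / MAB timer interaction discussed in this thread.

Added example, not code from the original post. All numbers are constructed:
the 10-second tx-period and two retransmissions come from the question, the
60-second reauthentication timer from the answer, and the Mac's readiness
delay stands in for the FileVault unlock time. EAP round-trip times and the
supplicant's own timers are ignored.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PortTimers:
    tx_period: float = 10.0        # seconds between EAP Identity Requests
    max_reauth_req: int = 2        # retransmissions after the first request
    # Session-Timeout the server returns for MAB sessions; None = no periodic reauth
    reauth_period: Optional[float] = None


def identity_request_times(timers: PortTimers, start: float) -> List[float]:
    """Seconds after link-up at which one 802.1X attempt starting at `start` sends Identity Requests."""
    return [start + i * timers.tx_period for i in range(timers.max_reauth_req + 1)]


def mab_fallback_time(timers: PortTimers, start: float = 0.0) -> float:
    """When an attempt starting at `start` gives up on 802.1X and the port falls back to MAB."""
    return start + (timers.max_reauth_req + 1) * timers.tx_period


def dot1x_attempt(timers: PortTimers, start: float, ready_at: float) -> Tuple[Optional[float], Optional[float]]:
    """One 802.1X attempt.

    Returns (success_time, None) if some Identity Request arrives once the
    supplicant can answer (at or after `ready_at`), else (None, fallback_time).
    """
    for t in identity_request_times(timers, start):
        if t >= ready_at:
            return t, None
    return None, mab_fallback_time(timers, start)


def simulate(timers: PortTimers, ready_at: float, horizon: float = 600.0) -> List[Tuple[float, str]]:
    """Event timeline from link-up until 802.1X succeeds, reauth is off, or `horizon` is reached.

    After a MAB fallback, a server-pushed reauth timer makes the port restart
    authentication (802.1X first) `reauth_period` seconds after the MAB
    session was authorized, which is the behaviour the accepted answer relies on.
    """
    events: List[Tuple[float, str]] = []
    start = 0.0
    while start <= horizon:
        success, fallback = dot1x_attempt(timers, start, ready_at)
        if success is not None:
            events.append((success, "dot1x-success"))
            return events
        events.append((fallback, "mab-fallback"))
        if timers.reauth_period is None:
            return events
        start = fallback + timers.reauth_period
        events.append((start, "reauth-start"))
    return events


def first_dot1x_success(timers: PortTimers, ready_at: float) -> Optional[float]:
    """Seconds after link-up at which the Mac finally authenticates via 802.1X, or None if it never does."""
    for t, name in simulate(timers, ready_at):
        if name == "dot1x-success":
            return t
    return None


def mab_device_dhcp_ok(timers: PortTimers, dhcp_gives_up_after: float = 60.0) -> bool:
    """In closed mode a non-802.1X device passes no traffic until MAB authorizes it.

    True if the port reaches MAB before the device's DHCP client stops retrying
    (the 60-second concern raised in the question; the value is constructed).
    """
    return mab_fallback_time(timers) < dhcp_gives_up_after


if __name__ == "__main__":
    current = PortTimers(tx_period=10.0, max_reauth_req=2)
    with_reauth = PortTimers(tx_period=10.0, max_reauth_req=2, reauth_period=60.0)
    stretched = PortTimers(tx_period=30.0, max_reauth_req=2)
    for label, timers in [("current", current), ("mab-reauth-60s", with_reauth), ("stretched", stretched)]:
        print(label, "| Mac ready at 45 s -> 802.1X at", first_dot1x_success(timers, 45.0),
              "| MAB device DHCP ok:", mab_device_dhcp_ok(timers))
```

With the question's timers a Mac that needs 45 seconds never gets a request it can answer and stays on its MAB session; stretching the tx-period to 30 seconds lets it authenticate at 60 seconds but pushes MAB fallback to 90 seconds, past the DHCP window for the non-802.1X devices; the 60-second reauthentication timer leaves the fallback at 30 seconds and still brings the Mac onto 802.1X at its first reauthentication.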
10-18-2023 03:37 PM
This sounds like an issue with those docks. Are they compatible with macOS? Are there driver updates available?