
Apple MacOS Dynamic assignment doesn't work on WPA3 only

Hello,

We are experiencing some strange behaviour on our MacOS laptops. Basically, we have DNAC + ISE + 9800 WLC integrated and we have posture policies for our devices. For Mac we are choosing PEAP (as Mac doesn't have a machine certificate as on Windows) for Network-Access-EaPTunnel.

When a MacOS laptop connects using WPA2, we can see the laptop going to a compliant state during the ISE posture check. It initially takes a Quarantine IP and, when compliant, switches to our Campus IP subnet. No issues with it.

When a MacOS laptop connects using WPA3, we can see the laptop going through the ISE posture check, getting its IP from Quarantine and getting compliant status, but it doesn't switch IP to the Campus IP subnet. This happens only on WPA3; we have WPA2 + WPA3 transition mode enabled.

When I check logs on WPA3, I see:

VLAN Override after Webauth: No
Policy Manager State: Webauth Pending
Last Policy Manager State: IP Learn Complete

 

Has anyone faced such an issue? Is it a bug, or are we missing something in the configuration?

           


marce1000
VIP

 

> ... is it a bug or we missing something in configuration?

Check out the 9800 WLC configuration using the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer.

You can also use full client debugging according to: https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity. Client debugs (so-called RadioActive Traces) can be further analyzed with Wireless Debug Analyzer.

For a summarized view of potential client issues, have a look at: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5

- Check the 9800 WLC controller software version; advising to go for 17.9.5 and check again.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Our WLC is 17.9.4a and it's managed via DNA. This is a pretty strange issue, as the only difference is WPA2 and WPA3. WPA2 works fine for both Windows and MacOS hosts, but enabling WPA3 only brings up this stuck issue on MacOS and sometimes on Windows laptops.

 

 

 

- Executing the tasks from my first reply is still pending...

 M.




JPavonM
VIP

You can use the same certificates on your MacOS devices by using MDM solutions (like Jamf, Intune or even the Apple one).

With regard to the issue, this is really weird, but have you tried to connect to a WLAN not provisioned from DNA-C? Maybe it added a feature that MacOS does not like, such as WPA3 NSA grade. Can you paste the WLAN profile config here?

Check with Apple support if this could be a defect on the WPA3 implementation.
