macOS authentications failing

eglinsky2012
Level 4

It’s our favorite time of year again – renewal of the expiring EAP authentication certificate. Since switching to the new cert last Wednesday, we have an issue where some (three that I know of so far) MacBooks are unable to authenticate to our vanity SSID. Nothing else has changed in the WLC or RADIUS (ISE) configuration since then. The error on the client is “Authentication failed on network [SSID]” and is displayed immediately upon clicking Connect after entering the user’s credentials.

The two I’ve looked at can successfully get on eduroam, which uses the same SSID security settings as the vanity SSID and the same certificate, as well as our open guest network. We’ve tried forgetting both SSIDs and removing our certificate from Keychain, restarting, installing updates (from 13.4.1 to 13.5), moving to different APs on different controllers (AireOS 8.10.183.0 and IOS 17.9.3) and ISE nodes…. No go. One is an M1(?) processor, the other is Intel.

Client logs on the controller show the Mac attempting to authenticate with the username in the format of: [domain]\[Mac’sSerialNumber]$ sometimes, and sometimes just the NetID (which is expected).

ISE logs show the following:

Event: 5400 Authentication failed

Failure Reason: 12322 PEAP failed SSL/TLS handshake after a client alert

Resolution: Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page (Administration > System > Certificates > Local Certificates). Also ensure that the certificate authority that signed this server certificate is properly installed in the client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.

Also, the ISE live logs show just "PEAP" for the authentication protocol for the failed authentications on the vanity SSID, but on eduroam, they show PEAP (EAP-MSCHAPv2).

I’ve brought this issue to TAC since I have a case open for an ISE-specific issue with the cert change and am waiting to hear back. I was wondering if anyone here has seen this issue or might know what else to look at.


5 Replies

marce1000
VIP

- You can do client debugging with:
  https://www.cisco.com/c/en/us/support/docs/wireless/aironet-1200-series/100260-wlc-debug-client.html (AireOS)
  https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity (IOS-XE)

  Client debugs can be processed with: https://cway.cisco.com/tools/WirelessDebugAnalyzer/

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

eglinsky2012
Level 4

I did that. As I mentioned, the WLC's view is authentication failure. But again, different SSIDs but same settings and certificate in use on ISE and one works one doesn't.

Time                     Task            Translated

2023/08/01 08:22:19.469  client-orch-sm  Client made a new Association to an AP/BSSID: BSSID 70df.2f5d.382b, WLAN xxx, Slot 1 AP xxx, xxx
2023/08/01 08:22:19.470  dot11           Association success for client, assigned AID is: 7
2023/08/01 08:22:19.683  errmsg          Client failed EAP authentication with following reason: Cred Fail
2023/08/01 08:22:19.684  client-orch-sm  Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_CLIENT_CREDENTIAL_FAILURE. Explanation: Wrong username or password. Actions: Check client side user configuration

- Check the RADIUS server(s) logs for more info.

M.


eglinsky2012
Level 4

I included the RADIUS error for the client in my original post, or was there something more specific you were looking for?

eglinsky2012
Level 4

Issue resolved, apparently these particular Macs had the old certificate deployed with JAMF. I had asked the JAMF team if they used JAMF to configure WiFi connections on Macs and they said no, only on iPads. Turns out that's not the case! Thank you for the pointers, Marce.
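The resolved cause above, a managed Wi-Fi profile still carrying the old EAP server certificate, is something that can be audited before (and after) a certificate rollover rather than discovered one MacBook at a time. The script below is an added example and is not code from this thread, from Cisco, Apple or JAMF. It parses a .mobileconfig with Apple's documented Wi-Fi payload keys (com.apple.wifi.managed, EAPClientConfiguration, AcceptEAPTypes, TLSTrustedServerNames, PayloadCertificateAnchorUUID) and flags every pinned anchor certificate that does not match any certificate in the chain the RADIUS server presents now. The SSID names, payload UUIDs and DER byte strings are constructed placeholders; in practice you would export the profile from JAMF and the server certificate chain from ISE.

```python
"""Audit a macOS Wi-Fi configuration profile for stale pinned EAP server certs.

Added example (not from the thread). Assumptions:
- The MDM pushes a .mobileconfig whose com.apple.wifi.managed payload pins one
  or more certificate payloads via PayloadCertificateAnchorUUID (Apple's
  documented profile keys).
- The chain the RADIUS server currently presents is available as DER bytes
  (e.g. exported from ISE). Here every DER blob is a constructed placeholder.
"""
import hashlib
import plistlib

WIFI_PAYLOAD = "com.apple.wifi.managed"
CERT_PAYLOADS = ("com.apple.security.root", "com.apple.security.pkcs1")
EAP_TYPE_PEAP = 25  # IANA EAP method number that AcceptEAPTypes uses for PEAP


def fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def audit_profile(profile: bytes, presented_chain: list) -> list:
    """For each managed Wi-Fi payload in the profile, report which pinned anchors
    no longer match any certificate in the chain the server presents.

    A dangling anchor UUID (no matching certificate payload) is reported as stale
    too, since the supplicant cannot validate the server against it either.
    """
    plist = plistlib.loads(profile)
    payloads = plist.get("PayloadContent", [])
    # Certificate payloads carry the DER bytes in PayloadContent (<data> in XML).
    certs_by_uuid = {
        p["PayloadUUID"]: bytes(p["PayloadContent"])
        for p in payloads if p.get("PayloadType") in CERT_PAYLOADS
    }
    presented = {fingerprint(der) for der in presented_chain}
    report = []
    for p in payloads:
        if p.get("PayloadType") != WIFI_PAYLOAD:
            continue
        eap = p.get("EAPClientConfiguration", {})
        anchors = {
            uuid: (fingerprint(certs_by_uuid[uuid]) if uuid in certs_by_uuid else None)
            for uuid in eap.get("PayloadCertificateAnchorUUID", [])
        }
        stale = sorted(u for u, fp in anchors.items() if fp is None or fp not in presented)
        report.append({
            "ssid": p.get("SSID_STR"),
            "eap_types": list(eap.get("AcceptEAPTypes", [])),
            "trusted_server_names": list(eap.get("TLSTrustedServerNames", [])),
            "anchors": anchors,
            "stale_anchors": stale,
        })
    return report


# Constructed placeholders standing in for real DER certificates.
OLD_SERVER_DER = b"constructed placeholder: DER of the expired EAP server cert"
NEW_SERVER_DER = b"constructed placeholder: DER of the renewed EAP server cert"
ISSUING_CA_DER = b"constructed placeholder: DER of the CA that signed both"


def sample_profile() -> bytes:
    """A constructed .mobileconfig in the shape an MDM would push. The vanity SSID
    pins the old server leaf; eduroam pins the issuing CA. UUIDs are invented."""
    def cert(uuid, ptype, der):
        return {"PayloadType": ptype, "PayloadUUID": uuid, "PayloadVersion": 1,
                "PayloadIdentifier": "example." + uuid, "PayloadContent": der}

    def wifi(uuid, ssid, anchor_uuid):
        return {"PayloadType": WIFI_PAYLOAD, "PayloadUUID": uuid, "PayloadVersion": 1,
                "PayloadIdentifier": "example." + uuid, "SSID_STR": ssid,
                "EncryptionType": "WPA2",
                "EAPClientConfiguration": {
                    "AcceptEAPTypes": [EAP_TYPE_PEAP],
                    "TLSTrustedServerNames": ["ise.example.edu"],
                    "PayloadCertificateAnchorUUID": [anchor_uuid]}}

    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.wifi",
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",
        "PayloadContent": [
            cert("CERT-OLD", "com.apple.security.pkcs1", OLD_SERVER_DER),
            cert("CERT-CA", "com.apple.security.root", ISSUING_CA_DER),
            wifi("WIFI-VANITY", "vanity-ssid", "CERT-OLD"),
            wifi("WIFI-EDUROAM", "eduroam", "CERT-CA"),
        ],
    })


if __name__ == "__main__":
    for entry in audit_profile(sample_profile(), [NEW_SERVER_DER, ISSUING_CA_DER]):
        state = "STALE " + ", ".join(entry["stale_anchors"]) if entry["stale_anchors"] else "ok"
        print(f'{entry["ssid"]}: {state}')
```

Run against the constructed profile with the renewed chain, the vanity SSID is flagged and eduroam is not, which is the split the thread describes: a payload that pins the server leaf has to be re-pushed at every renewal, while a payload that pins the issuing CA and restricts the name via TLSTrustedServerNames keeps working across renewals as long as the CA does not change. The symptom also lines up with the logs in the thread: the supplicant rejects the server certificate inside the PEAP outer TLS handshake, so the Mac shows the failure immediately, ISE records 12322 (client alert, no inner EAP-MSCHAPv2 phase, hence bare "PEAP" in the live log), and the WLC only sees a generic credential failure.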
