WiFi EAP-TLS errors

Wanted to see if anyone else is having issues connecting to their enterprise wifi. A setup that is working just fine in Mavericks and Yosemite no longer works in El Capitan; instead we get the following errors:


Jun 9 15:30:25 mac eapolclient[2803]: [eaptls_plugin.c:397] eaptls_handshake(): SSLHandshake failed, <unknown> (-9850)

Jun 9 15:30:25 mac eapolclient[2803]: en0 EAP-TLS: authentication failed with status 1001

Jun 9 15:30:25 mac eapolclient[2803]: State=Held Status=SecurityError (1001): <unknown> (-9850):


This loops until I turn off the adaptor.


Tried the following and have not been able to get it working so far:

Yosemite machine - fully enrolled and able to use the wifi network - upgraded to El Capitan

Yosemite machine - unenrolled - upgraded to El Capitan and enrollment attempted (failed)


Need to try a fresh 10.11 install and will update after.

Replies

I haven't gotten a chance to try it in OS X, but iOS 9 on my 5S fails to work with enterprise wi-fi.

Our mobile team is having issues as well. The logs show the same errors for iOS 9 as in 10.11 for this.

Similar issues here https://forums.developer.apple.com/thread/3758

Having this problem on all the latest Apple betas: iOS 9 & 8.4 and OS X 10.10 and 10.11 betas. I found this in our ClearPass server for onboarding; I wonder if the new updates are actually implementing this added trust requirement -


The server certificate is used by ClearPass to secure web (HTTPS) and authentication (RADIUS) traffic. It can be configured in Policy Manager under Administration » Certificates » Server Certificate.


The optimal configuration for Onboard is a server certificate issued by a trusted commercial certificate authority. A list of certificate authorities trusted by iOS devices can be found at http://support.apple.com/kb/HT5012


Alternatively if you only wish to use a single Onboard Certificate Authority then you can use that Certificate Authority to sign the server certificate. Users will then have to install the certificate as part of the provisioning process. Refer to the Deployment Guide for more information.


For testing purposes you can disable the requirement for HTTPS on the Authentication configuration page. However this is an insecure configuration that should not be used in a production environment.

The problem can be solved by renewing the SSL certificate handed out by the RADIUS server. We had the same issue at our company (the cert was expired), and renewing it solved the problem.


Somehow, OS X 10.10.4 14E33b and El Capitan now check that the SSL certificate is valid on WPA2 EAP-TLS / 802.1x authentication. This wasn't the case before.
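
A triage sketch for the failure discussed in this thread, added here as an example and not code from any poster: it counts the eapolclient failures in the quoted log lines to confirm the retry loop, then checks a RADIUS server certificate's notAfter date against the time of the failure. The repeated log lines, the year 2015, and the certificate date are constructed sample values; the function names are hypothetical.

```python
import calendar
import re
import ssl
from collections import Counter

# The first three lines are the ones quoted in the thread; the last two are
# constructed repeats standing in for the loop the original poster describes.
SAMPLE_LOG = """\
Jun 9 15:30:25 mac eapolclient[2803]: [eaptls_plugin.c:397] eaptls_handshake(): SSLHandshake failed, <unknown> (-9850)
Jun 9 15:30:25 mac eapolclient[2803]: en0 EAP-TLS: authentication failed with status 1001
Jun 9 15:30:25 mac eapolclient[2803]: State=Held Status=SecurityError (1001): <unknown> (-9850):
Jun 9 15:30:56 mac eapolclient[2803]: [eaptls_plugin.c:397] eaptls_handshake(): SSLHandshake failed, <unknown> (-9850)
Jun 9 15:30:56 mac eapolclient[2803]: en0 EAP-TLS: authentication failed with status 1001
"""

HANDSHAKE = re.compile(r"eaptls_handshake\(\): SSLHandshake failed, .*\((-?\d+)\)")
AUTH_FAIL = re.compile(r"(\w+) EAP-TLS: authentication failed with status (\d+)")

def summarize(log_text):
    """Count TLS handshake failures per status code and EAP failures per (interface, status)."""
    tls_codes, eap_failures = Counter(), Counter()
    for line in log_text.splitlines():
        m = HANDSHAKE.search(line)
        if m:
            tls_codes[int(m.group(1))] += 1
            continue
        m = AUTH_FAIL.search(line)
        if m:
            eap_failures[(m.group(1), int(m.group(2)))] += 1
    return tls_codes, eap_failures

def looping_interfaces(eap_failures, threshold=2):
    """Interfaces whose EAP-TLS authentication failed at least `threshold` times."""
    return sorted({iface for (iface, _), n in eap_failures.items() if n >= threshold})

def server_cert_expired(not_after, at_epoch):
    """`not_after` is the date printed by `openssl x509 -noout -enddate`, without 'notAfter='."""
    return ssl.cert_time_to_seconds(not_after) < at_epoch

if __name__ == "__main__":
    tls_codes, eap_failures = summarize(SAMPLE_LOG)
    print("TLS handshake status codes:", dict(tls_codes))
    print("Interfaces stuck in a failure loop:", looping_interfaces(eap_failures))
    # Constructed values: failure time with an assumed year, and a sample notAfter date.
    failure_time = calendar.timegm((2015, 6, 9, 15, 30, 25))
    print("Server cert expired at failure time:",
          server_cert_expired("Jun  1 12:00:00 2015 GMT", failure_time))
```
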