Enterprise WiFi failing in 14E33b - WPA2 EAP-TLS

Posted similar in the 10.11 forums, but we're seeing it in 10.10.4 (and iOS 8.4 / iOS 9):


https://forums.developer.apple.com/thread/3758

https://forums.developer.apple.com/thread/4022


10.10.4 and iOS 8.4 are WAY more worrisome since 10.10.4 is coming much sooner, and will be much more readily updated by people.

Replies

Can confirm this is in the public beta for iOS 8.4 (12H4125a) too. Both my iPhone 5S and iPad Mini 2 will no longer connect to my university's WiFi as it uses WPA2 Enterprise.

Another wifi connectivity issue confirmed for build 14E33b on WPA2 Enterprise. It will not authenticate. Same issue happens with iOS 9 as stated above. This is a pretty big issue.

It's definitely TLS related, across all 4 of the most recent betas - iOS & OS X.

Maybe associated with the switch from discoveryd to mDNSResponder?

The problem can be solved by renewing the SSL certificate handed out by the RADIUS server. We had the same issue at our company (the cert was expired), and renewing it solved the problem.


Somehow, OS X 10.10.4 14E33b and El Capitan now check that the SSL certificate is valid on WPA2 EAP-TLS / 802.1x authentication. This wasn't the case before.

We are using a fully trusted certificate for our RADIUS server. When we get prompted to accept the certificate, it gives a big green tick saying it's fully verified, but we are still unable to connect.


Are you able to confirm you fixed the issue by using a different certificate?


If so can you please provide a little more detail about how you did it?


Thanks!

Working with Apple got us pointed to this article here: https://support.apple.com/en-us/HT204932


The DH setting was less than required (requirement for the first few 10.10.4 betas was 768 bits, and our ClearPass/client negotiation was using 512). We're told the jump to this requirement will not actually take place in the public 10.10.4, but they also won't be releasing another 10.10.4 before that comes out so they cannot - and I cannot - confirm that bit of news. I know for sure iOS 9 and 10.11 releases will all continue to have that updated requirement for the Diffie-Hellman key exchange.


We upgraded our ClearPass environment (to 6.5.0) so this particular issue is taken care of for us on both ends (ClearPass, and OS X 10.10.4). Since we upgraded ClearPass, our OS X 10.11 and iOS 9 tests are working as well for this particular exchange.


Perhaps, @ManuCH, your renewing the cert jiggled that key exchange handle on its own, or maybe it wasn't the same issue?
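
Added example (not part of the thread, and not Apple's or Aruba's code): a sketch of the check described in the last post, reading the Diffie-Hellman prime size from a TLS ServerKeyExchange message and comparing it with the 768-bit minimum quoted above. It assumes a DHE cipher suite and a handshake message already reassembled from the EAP-TLS fragments; the function names and the sample messages are constructed for illustration (the sample "primes" are only numbers of the right size).

```python
import struct

MIN_DH_BITS = 768  # minimum reported in the thread for the early 10.10.4 betas


def build_ske(p: int, g: int, ys: int) -> bytes:
    """Build a constructed ServerKeyExchange (DH params only, no signature)."""
    body = b""
    for n in (p, g, ys):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        body += struct.pack("!H", len(raw)) + raw  # 2-byte length prefix
    return b"\x0c" + len(body).to_bytes(3, "big") + body


def dh_prime_bits(handshake: bytes) -> int:
    """Return the bit length of dh_p in a DHE ServerKeyExchange message."""
    if len(handshake) < 4 or handshake[0] != 0x0C:  # 12 = server_key_exchange
        raise ValueError("not a ServerKeyExchange message")
    length = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + length]
    if len(body) != length or length < 2:
        raise ValueError("truncated handshake body")
    (p_len,) = struct.unpack("!H", body[:2])
    p_raw = body[2:2 + p_len]
    if len(p_raw) != p_len:
        raise ValueError("truncated dh_p")
    # bit_length() ignores leading zero bytes, so padding does not inflate it
    return int.from_bytes(p_raw, "big").bit_length()


def meets_minimum(handshake: bytes, minimum: int = MIN_DH_BITS) -> bool:
    """True if the server's DH group is at least `minimum` bits."""
    return dh_prime_bits(handshake) >= minimum


# Constructed samples: a 512-bit group (as the pre-upgrade server negotiated)
# and a 1024-bit group. Values have the right size but are not real primes.
WEAK_SKE = build_ske((1 << 511) | 1, 2, 5)
STRONG_SKE = build_ske((1 << 1023) | 1, 2, 5)

if __name__ == "__main__":
    for name, msg in (("512-bit", WEAK_SKE), ("1024-bit", STRONG_SKE)):
        verdict = "ok" if meets_minimum(msg) else "below minimum"
        print(name, dh_prime_bits(msg), verdict)
```
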