
Apple devices not bringing up certificate when connecting via WIFI using Extreme AP 305C


Asifi
New Contributor II

Hello Community,

I have an issue with Apple devices connecting to Extreme 305C APs. The Apple devices, when connecting to an Extreme 305C AP, should bring up a certificate which is then trusted. This is not happening.

I have 2x AP controllers in use. The other controller brings up the certificate for the same connecting device, albeit connecting to a non-Extreme AP.

I have checked all the RADIUS and NPS settings and these are similar for the old and new APs.

I am using Extreme Cloud IQ for management of the Extreme 305C APs.

I will summarise below:

What is working:

  • Apple and Android device connecting to the old controller and a different brand AP.
  • This brings back the certificate which is then trusted.
  • I can see the user details in the Radius logs.
  • Access is available.

What is not working:

  • Apple devices connecting to Extreme 305C APs.
  • Android devices work OK with a certificate prompt.
  • No certificate prompt.
  • No details in Radius logs.
  • Says Cannot connect to this network.

Any thoughts on this please?

Thanks,

Asif

 

1 ACCEPTED SOLUTION

AntonScholz
New Contributor II

Hi Asif,

The Packet-Capture is under:
Manage -> Client Monitor & Diagnose -> Packet Capture

With this, you can capture all traffic at different interfaces from all managed Wifi-APs you want.
I recommend capturing at the wireless interface.

Thanks for your update.
This message appears normally when any security setting in your SSID denies the Client.
Please check the following in your used SSID.

Configure -> Network Policy -> YOUR-POLICY -> STAGE 2 WIRELESS -> YOUR-SSID -> Additional Settings (at the bottom):

Advanced Access Security Controls -> 802.11w (Protected Management Frame) enabled? -> Try with disabled -> Older clients don't support this option

Optional Settings -> Following enabled? -> Try with disabled

  • Enable 802.11k
  • Enable 802.11v
  • Enable 802.11r

Optional Settings -> DOS Prevention -> MAC Filtering enabled? -> Disable it or change the sequence (SSID before MAC)

Lastly, let's talk about the NPS.
Do you have a separate policy for the Apple client?
Are there differences between the Android and the Apple policy (EAP settings, certificate, returned attributes)?

Best Regards

Anton Scholz


11 REPLIES

AntonScholz
New Contributor II

Hi Asif,

If you do a packet capture, can you see any EAP packets? Or only discovery and association?

Because Android devices work, this sounds to me like compatibility problems between your Apple devices and your wireless settings.
Please deactivate all non-essential features like 802.11 w,r,k,mc and try it again.

The certificate shouldn't be part of the 802.1x authentication. I know, with BYOD and self-signed certificates it's difficult to implement.
Try to pre-install and trust the Radius-Cert or the signing CA-Cert.

Best Regards
Anton Scholz
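
Added example, not part of the original thread: a standard-library Python script that answers the question in the reply above, whether a wireless-interface capture contains EAP/EAPOL frames or only discovery and association. It assumes the capture has been exported as a little-endian classic pcap with 802.11 or radiotap link type; the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter
MGMT = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
        8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
EAP_CODE = {1: "eap-request", 2: "eap-response", 3: "eap-success", 4: "eap-failure"}
LLC_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP header + EtherType 0x888E

def classify(frame):                     # one 802.11 frame, radiotap already stripped
    if len(frame) < 2:
        return "short"
    ftype, subtype, flags = (frame[0] >> 2) & 3, frame[0] >> 4, frame[1]
    if ftype != 2:                       # 0 = management, 1 = control, 2 = data
        return MGMT.get(subtype, "mgmt-other") if ftype == 0 else "control"
    if flags & 0x40:
        return "data-protected"          # encrypted payload, cannot be inspected
    body = frame[24 + 6 * ((flags & 3) == 3) + 2 * (subtype >> 3):]  # +6 four-address, +2 QoS
    if len(body) < 12 or not body.startswith(LLC_EAPOL):
        return "data-other"
    if body[9] != 0 or len(body) < 13:   # EAPOL type 0 carries an EAP packet
        return {1: "eapol-start", 3: "eapol-key"}.get(body[9], "eapol-other")
    return EAP_CODE.get(body[12], "eap-other")

def summarize(pcap):                     # bytes of a pcap file -> Counter of frame kinds
    magic, linktype = struct.unpack("<I16xI", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype not in (105, 127):   # 105 = 802.11, 127 = radiotap
        raise ValueError("expected a little-endian classic pcap of 802.11 frames")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        pkt, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if linktype == 127 and len(pkt) >= 4:
            pkt = pkt[struct.unpack("<H", pkt[2:4])[0]:]    # skip the radiotap header
        counts[classify(pkt)] += 1
    return counts

def verdict(counts):
    if any(kind.startswith("eap") for kind in counts):
        return "EAP/EAPOL frames present"
    assoc = counts["assoc-req"] or counts["assoc-resp"]
    return "association only, no EAP" if assoc else "discovery only"

# Constructed sample frames (not a real capture): probe, auth, association, then EAP.
def to_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
RT = bytes.fromhex("0000080000000000")   # minimal 8-byte radiotap header
MGMT_ONLY = [RT + bytes([fc, 0]) + bytes(22) for fc in (0x40, 0xB0, 0x00, 0x10)]
EAP_ID = LLC_EAPOL + bytes.fromhex("020000050101000501")    # EAPOL + EAP Request/Identity
WITH_EAP = MGMT_ONLY + [RT + b"\x08\x00" + bytes(22) + EAP_ID]
```

On an exported capture, read the file in binary mode and pass its bytes to `summarize`, then `verdict`. Data frames carrying an HT Control field are not handled and will be counted as `data-other`.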

Asifi
New Contributor II

Hello @AntonScholz (Anton)

 

Do you mean a wcap capture? Sorry, I'm new with these APs so will need to work out what's where etc.

Thanks,

Asif

 

Asifi
New Contributor II

Hi Anton,

I am also seeing some security policy issues; please see below. However, I have searched and cannot see where this security is or what this relates to. However, it is on the SSID I am having issues with.

Asifi_0-1727100110561.png

Thanks,

Asif

 
