Apple devices not bringing up certificate when connecting via WIFI using Extreme AP 305C

Asifi
New Contributor II

Hello Community,

I have an issue with Apple devices connecting to Extreme 305C APs. When connecting to an Extreme 305C AP, the Apple devices should bring up a certificate, which is then trusted. This is not happening.

I have 2x AP controllers in use. The other controller brings up the certificate for the same connecting device, albeit when connecting to a non-Extreme AP.

I have checked all the RADIUS and NPS settings and these are similar for the old and new APs.

I am using Extreme Cloud IQ for management of the Extreme 305C AP's.

I will summarise below:

What is working:

  • Apple and Android device connecting to the old controller and a different brand AP.
  • This brings back the certificate which is then trusted.
  • I can see the user details in the Radius logs.
  • Access is available.

What is not working:

  • Apple devices connecting to Extreme 305C APs.
  • Android devices work OK with a certificate prompt.
  • No certificate prompt.
  • No details in Radius logs.
  • Says Cannot connect to this network.

Any thoughts on this please?

Thanks,

Asif


1 ACCEPTED SOLUTION

AntonScholz
New Contributor II

Hi Asif,

The Packet-Capture is under:
Manage -> Client Monitor & Diagnose -> Packet Capture

With this, you can capture all traffic at different interfaces from any of the managed Wi-Fi APs you want.
I recommend capturing at the wireless interface.

Thanks for your update.
This message normally appears when a security setting in your SSID denies the client.
Please check the following in the SSID you are using.

Configure -> Network Policy -> YOUR-POLICY -> STAGE 2 WIRELESS -> YOUR-SSID -> Additional Settings (at the bottom):

Advanced Access Security Controls -> 802.11w (Protected Management Frame) enabled? -> Try with it disabled -> Older clients don't support this option

Optional Settings -> Following enabled ? -> Try with disabled

  • Enable 802.11k
  • Enable 802.11v
  • Enable 802.11r

Optional Settings -> DOS Prevention -> MAC Filtering enabled? -> Disable it or change the sequence (SSID before MAC)

Lastly, about the NPS.
Do you have a separate policy for the Apple clients?
Are there differences between the Android and the Apple policy (EAP settings, certificate, returned attributes)?

Best Regards

Anton Scholz
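The checklist above starts with a wireless-side packet capture and the 802.11w setting. The first thing to read out of such a capture is the RSN information element in the AP's beacon or probe response, because its RSN Capabilities field says whether Protected Management Frames are disabled, optional or required, and a client that cannot do 802.11w will be refused at association when they are required. The decoder below is an added example, not code from the thread or from ExtremeCloud IQ; the two information elements it parses are constructed by hand (a WPA2-Enterprise SSID with PMF off and a WPA3-Enterprise SSID with PMF required), not taken from the poster's capture.

```python
"""Decode the RSN information element (802.11 element ID 48) from a captured
beacon or probe response and report the advertised 802.11w (PMF) mode.

Added example; not code from the thread or from ExtremeCloud IQ. The two
information elements at the bottom are constructed by hand, not captured."""
import struct
from dataclasses import dataclass

RSN_ELEMENT_ID = 48
SUITE_OUI = b"\x00\x0f\xac"          # IEEE 802.11 suite selector OUI
MFPR_BIT = 1 << 6                    # RSN Capabilities: Management Frame Protection Required
MFPC_BIT = 1 << 7                    # RSN Capabilities: Management Frame Protection Capable

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256", 11: "BIP-GMAC-128",
           12: "BIP-GMAC-256", 13: "BIP-CMAC-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 11: "802.1X-SuiteB",
        12: "802.1X-SuiteB-192", 13: "FT-802.1X-SHA384", 18: "OWE"}


@dataclass
class RsnInfo:
    group_cipher: str
    pairwise_ciphers: list
    akms: list
    mfp_capable: bool
    mfp_required: bool


def _suite_name(raw: bytes, table: dict) -> str:
    oui, kind = raw[:3], raw[3]
    if oui != SUITE_OUI:
        return f"vendor:{oui.hex()}:{kind}"
    return table.get(kind, f"unknown:{kind}")


def parse_rsn_ie(ie: bytes) -> RsnInfo:
    """Parse a raw RSN IE (element ID, length, body) up to the RSN Capabilities field.
    The PMKID list and group management cipher that may follow are not needed here."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("truncated RSN information element")
    off = 0

    def u16() -> int:
        nonlocal off
        if off + 2 > len(body):
            raise ValueError("RSN IE ends inside a required field")
        (value,) = struct.unpack_from("<H", body, off)
        off += 2
        return value

    def suite() -> bytes:
        nonlocal off
        if off + 4 > len(body):
            raise ValueError("RSN IE ends inside a suite selector")
        raw = body[off:off + 4]
        off += 4
        return raw

    if u16() != 1:
        raise ValueError("unsupported RSN version")
    group = _suite_name(suite(), CIPHERS)
    pairwise = [_suite_name(suite(), CIPHERS) for _ in range(u16())]
    akms = [_suite_name(suite(), AKMS) for _ in range(u16())]
    # RSN Capabilities is optional; when absent the AP advertises no MFP support.
    caps = u16() if off + 2 <= len(body) else 0
    return RsnInfo(group, pairwise, akms, bool(caps & MFPC_BIT), bool(caps & MFPR_BIT))


def pmf_mode(info: RsnInfo) -> str:
    """'required' refuses any client without 802.11w support; 'optional' admits both."""
    if info.mfp_required:
        return "required"
    if info.mfp_capable:
        return "optional"
    return "disabled"


# Constructed sample IEs (not from the thread's capture).
# WPA2-Enterprise: CCMP group and pairwise cipher, AKM 802.1X, capabilities 0x0000.
WPA2_ENTERPRISE_IE = bytes.fromhex(
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
# WPA3-Enterprise: same ciphers, AKMs 802.1X and 802.1X-SHA256, MFPC|MFPR set (0x00C0).
WPA3_ENTERPRISE_IE = bytes.fromhex(
    "3018" "0100" "000fac04" "0100" "000fac04" "0200" "000fac01" "000fac05" "c000")

if __name__ == "__main__":
    for label, ie in (("WPA2-Enterprise", WPA2_ENTERPRISE_IE),
                      ("WPA3-Enterprise", WPA3_ENTERPRISE_IE)):
        info = parse_rsn_ie(ie)
        print(f"{label}: AKMs={info.akms} pairwise={info.pairwise_ciphers} PMF={pmf_mode(info)}")
```

To use it on a real capture, copy the raw bytes of the "RSN Information" tagged parameter from a beacon in Wireshark and pass them to `parse_rsn_ie`. A result of `required` on the SSID the Apple devices fail on, together with no RADIUS log entry, is consistent with the client being rejected at 802.11 association, before EAP ever starts.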


Asifi
New Contributor II

Hello @AntonScholz 

Many thanks for your email reply. I have captured the packets and have downloaded the captures. I noticed the protocol 802.11w was enabled. However, I cannot toggle the switch to turn this off; please see the screenshot below. Any ideas how I can do this please?

(screenshot attached)

All the other protocols are not enabled.

I do not have a separate Apple policy within NPS. My original policy that supports the Fortinet APs works with both Apple and Android clients with no issues and uses a wildcard certificate.

AntonScholz
New Contributor II

Hello Asif,

If you use a WPA3-Enterprise network, 802.11w is mandatory and cannot be disabled.
Please try it with a WPA2-Enterprise authenticated network.
You wrote that you use Microsoft NPS as the RADIUS server. A wildcard certificate will always result in a certificate issue, because the hostname must match the common name in the certificate exactly. Wildcards are not valid here.

I'm looking forward to hearing from you.

Regards

Anton Scholz
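The post above states that with NPS the hostname must match the certificate's common name exactly and that a wildcard is not accepted. The helper below is an added example, not code from the thread, from NPS or from any supplicant: it tests a certificate's CN and SAN dNSName entries against the RADIUS server name a client profile is configured to trust under two policies, the strict exact-match rule described above and the RFC 6125 wildcard rule, so you can see which policy a given wildcard certificate would fail. Which policy a particular supplicant applies is not something the thread establishes, so check it against the vendor's documentation for your client platform. The certificate names and host names are constructed, not taken from the poster's environment; real values would be read with `openssl x509 -in cert.pem -noout -subject -ext subjectAltName`.

```python
"""Check which names in an EAP (PEAP/EAP-TLS) server certificate would satisfy
the server name a supplicant is configured to trust.

Policies:
  'exact'   - a certificate name must equal the host name; wildcards never match
  'rfc6125' - a leftmost-label wildcard matches exactly one non-empty label

Added example; not code from the thread, from NPS or from any supplicant.
All names below are constructed."""
from typing import Iterable, Optional


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is the same name.
    return name.strip().rstrip(".").lower()


def _wildcard_matches(pattern: str, host: str) -> bool:
    """RFC 6125 section 6.4.3 style matching: '*' only as the whole leftmost
    label, matching exactly one non-empty label, never across a dot."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False          # refuse patterns such as *.com that would cover a whole TLD
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def name_matches(cert_name: str, expected_host: str, policy: str = "exact") -> bool:
    pattern, host = _normalize(cert_name), _normalize(expected_host)
    if "*" not in pattern:
        return pattern == host
    if policy == "exact":
        return False          # strict supplicant: a wildcard is never an exact name match
    if policy == "rfc6125":
        return _wildcard_matches(pattern, host)
    raise ValueError(f"unknown policy {policy!r}")


def first_matching_name(cert_names: Iterable[str], expected_host: str,
                        policy: str = "exact") -> Optional[str]:
    """Return the first certificate name (CN or SAN dNSName) accepted for expected_host,
    or None when the certificate would not be trusted for that server under the policy."""
    for name in cert_names:
        if name_matches(name, expected_host, policy):
            return name
    return None


# Constructed sample data: a wildcard certificate versus one issued to the NPS host name.
WILDCARD_CERT_NAMES = ["*.corp.example"]
HOST_CERT_NAMES = ["nps01.corp.example", "radius.corp.example"]
NPS_SERVER_NAME = "nps01.corp.example"

if __name__ == "__main__":
    for policy in ("exact", "rfc6125"):
        print(policy, "wildcard cert ->",
              first_matching_name(WILDCARD_CERT_NAMES, NPS_SERVER_NAME, policy))
        print(policy, "host cert     ->",
              first_matching_name(HOST_CERT_NAMES, NPS_SERVER_NAME, policy))
```

Under the `exact` policy the wildcard certificate yields `None` for `nps01.corp.example`, which is the outcome the post above describes; under `rfc6125` it matches, but a name such as `a.b.corp.example` still does not, because the wildcard covers only one label. Either way, a certificate issued to the NPS host's own FQDN passes both policies, so that is the low-risk choice when different client platforms are in play.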

Asifi
New Contributor II

Hello @AntonScholz 

Disabling 802.11w looks to be working for me. I will also have a look at the certificate name in due course. I'll test over the next couple of days to be certain.

Many thanks for your help and suggestions on this issue.

Kind Regards,

Important question: do you see authentication requests in the Event Log for the NPS service? "Client Denied by Security" looks like a problem with STA associations.

Asifi
New Contributor II

Hello @Bartek 

I can see in the NPS server logs that the NPS granted access to a user, with Audit Success.

(screenshot attached)

(screenshot attached)

However, as previously stated, for Apple devices using the Extreme APs, the certificate option does not appear and I see the "Unable to join this network" message. However, using our other Fortinet APs, the same Apple device connects and the certificate appears and is trusted with no issues.

Thanks,
