09-23-2024 03:02 AM - edited 09-23-2024 03:06 AM
Hello Community,
I have an issue with Apple devices connecting to Extreme 305C APs. The Apple devices, when connecting to an Extreme 305C AP, should bring up a certificate which is then trusted. This is not happening.
I have 2x AP controllers in use. The other controller brings up the certificate for the same connecting device, albeit connecting to a non-Extreme AP.
I have checked all the RADIUS and NPS settings and these are similar for the old and new APs.
I am using Extreme Cloud IQ for management of the Extreme 305C APs.
I will summarise below:
What is working:
What is not working:
Any thoughts on this please?
Thanks,
Asif
09-24-2024 05:31 AM
Hi Asif,
The Packet-Capture is under:
Manage -> Client Monitor & Diagnose -> Packet Capture
With this, you can capture all traffic at different interfaces from all managed Wifi-APs you want.
I recommend capturing at the wireless interface.
Thanks for your update.
This message normally appears when any security setting in your SSID denies the client.
Please check the following in the SSID you are using.
Configure -> Network Policy -> YOUR-POLICY -> STAGE 2 WIRELESS -> YOUR-SSID -> Additional Settings (at the bottom):
Advanced Access Security Controls -> 802.11w (Protected Management Frame) enabled? -> Try with disabled -> Older clients don't support this option
Optional Settings -> Following enabled? -> Try with disabled
Optional Settings -> DOS Prevention -> MAC Filtering enabled? -> Disable it or change the sequence (SSID before MAC)
Lastly, let's talk about the NPS.
Do you have a separate policy for the Apple client?
Are there differences between the Android and the Apple policy (EAP settings, certificate, returned attributes)?
Best Regards
Anton Scholz
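To confirm from a capture taken at the wireless interface what the SSID really advertises for 802.11w, the RSN element in the beacon can be decoded. This is an added example, not part of the original posts: the function names are hypothetical and the sample element bodies are constructed, not taken from this network.

```python
import struct

IEEE_OUI = b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}

def _suite_list(body, off):
    """Read a 2-byte little-endian count followed by that many 4-byte suite selectors."""
    if off >= len(body):          # trailing fields of the element are optional
        return [], off
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    return [body[i:i + 4] for i in range(off + 2, end, 4)], end

def parse_rsn_pmf(body: bytes) -> dict:
    """Decode an RSN element body (element ID 48, without the ID and length bytes)."""
    if len(body) < 6 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("not a version 1 RSN element")
    off = 6                        # skip version (2 bytes) and group cipher suite (4 bytes)
    _pairwise, off = _suite_list(body, off)
    akms, off = _suite_list(body, off)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    mfpr, mfpc = bool(caps & 0x0040), bool(caps & 0x0080)   # capability bits 6 and 7
    if mfpr and mfpc:
        pmf = "required"           # clients without 802.11w cannot associate
    elif mfpc:
        pmf = "optional"           # legacy clients may still associate
    elif mfpr:
        pmf = "invalid"            # MFPR without MFPC is not a valid combination
    else:
        pmf = "disabled"
    names = [AKM_NAMES.get(a[3], f"type {a[3]}") if a[:3] == IEEE_OUI else a.hex() for a in akms]
    return {"akm": names, "pmf": pmf}

# Constructed sample bodies: CCMP group and pairwise ciphers, 802.1X AKM, varying capabilities.
_BASE = "0100" "000fac04" "0100" "000fac04" "0100" "000fac01"
SAMPLES = {"required": _BASE + "c000", "optional": _BASE + "8000", "disabled": _BASE + "0000"}

if __name__ == "__main__":
    for label, hexbody in SAMPLES.items():
        print(label, parse_rsn_pmf(bytes.fromhex(hexbody)))
```

If the beacon shows "required" after the setting was changed to disabled, the policy update has not reached the AP yet.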
09-26-2024 01:46 AM
Apple devices have some issues with WPA3 and I've heard about it from Extreme SE. From my in-field tests on customer site with AP305C (mostly Macs), WPA2 with 802.11w is fine (tested with MacBook Air 2017 and new M1/M2), but be cautious with older devices (a Mac mini from 2012 doesn't seem to support it, nor do some Windows machines). Preauthentication and proactive PMK-ID response settings seem to work fine.
09-26-2024 05:15 AM
Hello @Bartek
Yes I dropped down to WPA2 Enterprise and had to turn off 802.11w for the older iPads we have to connect (ver 12). Didn't work at all with 802.11w enabled I'm afraid.
Thanks,