2 weeks ago - last edited 2 weeks ago
Hello Community,
I have an issue with Apple devices connecting to Extreme 305C APs. The Apple devices, when connecting to an Extreme 305C AP, should bring up a certificate which is then trusted. This is not happening.
I have 2x AP controllers in use. The other controller brings up the certificate for the same connecting device, albeit connecting to a non-Extreme AP.
I have checked all the RADIUS and NPS settings and these are similar for the old and new APs.
I am using Extreme Cloud IQ for management of the Extreme 305C APs.
I will summarise below:
What is working:
What is not working:
Any thoughts on this please?
Thanks,
Asif
2 weeks ago
Hi Asif,
If you do a packet capture, can you see any EAP packets? Or only discovery and association?
Because Android devices work, this sounds to me like compatibility problems between your Apple devices and your wireless settings.
Please deactivate all non-essential features like 802.11 w,r,k,mc and try it again.
The certificate shouldn't be part of the 802.1x authentication. I know, with BYOD and self-signed certificates it's difficult to implement.
Try to pre-install and trust the RADIUS cert or the signing CA cert.
Best Regards
Anton Scholz
2 weeks ago
Hello @AntonScholz (Anton)
Do you mean a wcap capture? Sorry, I'm new with these APs so will need to work out what's where, etc.
Thanks,
Asif
2 weeks ago
Hi Anton,
I am also seeing some security policy issues; please see below. However, I have searched and cannot see where this security is or what this relates to. However, it is on the SSID I am having issues with.
Thanks,
Asif
2 weeks ago
Hi Asif,
The Packet-Capture is under:
Manage -> Client Monitor & Diagnose -> Packet Capture
With this, you can capture all traffic at different interfaces from all managed Wi-Fi APs you want.
I recommend capturing at the wireless interface.
Thanks for your update.
This message normally appears when any security setting in your SSID denies the client.
Please check the following in the SSID you are using.
Configure -> Network Policy -> YOUR-POLICY -> STAGE 2 WIRELESS -> YOUR-SSID -> Additional Settings (at the bottom):
Advanced Access Security Controls -> 802.11w (Protected Management Frame) enabled? -> Try with disabled -> Older clients don't support this option
Optional Settings -> Following enabled? -> Try with disabled
Optional Settings -> DOS Prevention -> MAC Filtering enabled? -> Disable it or change the sequence (SSID before MAC)
Last, let's talk about the NPS.
Do you have a separate policy for the Apple client?
Are there differences between the Android and the Apple policy (EAP settings, certificate, returned attributes)?
Best Regards
Anton Scholz