EAP-TLS WiFi errors

bbot
Contributor

This may be a long shot as our environment may be different, but I figure it would be worth posting.

Last week our network team performed some maintenance and Casper began re-deploying our configuration profile for wifi.

For about 80% of machines, there was no impact, but the remainder had issues connecting to wifi. We've removed and re-added all the certificates required to reconnect to wifi, but it would not work. For some machines, waiting half an hour and reconnecting will work. For others, removing the certificates and re-importing the same configuration profile (with the same certs) works.

On the Cisco side, it's saying the connection failed the SSL/TLS handshake because of an expired certificate in the client's certificate keychain. But strangely, without touching the certs, it works 20-30 minutes later. Is it possible that something on the client is still caching the old cert that doesn't get released for 20-30 minutes?

Has anyone had experience working with Macs and EAP-TLS and can possibly explain what is going on?


djwojo
Contributor

That sounds like the RADIUS server could be keeping the connection information cached, or, like you said, something is caching locally. Maybe a timeout setting?

Is there any commonality among the failing machines?

bbot
Contributor

Would there be a setting on the Mac clients that we can change or a command we can run to clear that cache on a Mac?

Also found this is affecting some Windows machines. While capturing network traffic using Wireshark, we find that some Mac and PC clients are not attempting any authentication.

The two issues I've found among both Mac and PC clients are:
1) The Macs and PCs, when attempting to connect, are not trying to authenticate at all (using Wireshark, no packets are being captured). After re-adding certs or waiting some time, they begin to try to authenticate.
2) The clients authenticate to the network, but the Cisco authentication says there is an invalid or expired cert in the cert chain.
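The RADIUS side is reporting an expired certificate somewhere in the client's chain, so the first thing worth checking on an affected Mac is exactly which certificates the keychains hold and which of them are already past (or close to) their notAfter date, including stale copies of CA or identity certs left behind by earlier profile installs. The script below is an added example for this thread, not something posted by bbot or djwojo and not a Jamf or Cisco tool. It dumps every certificate in the login and System keychains with `security find-certificate -a -p` (the keychain paths are the standard macOS ones, assumed here) and then checks each one with `openssl x509 -checkend`. The check function itself only needs `openssl`, so it runs on any Unix against any PEM bundle; the second argument is a horizon in seconds, so `0` reports certs that are expired right now and `604800` also flags ones that expire within a week.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the certificates a Mac
# holds in its keychains for EAP-TLS and flag the expired / soon-to-expire ones.
# Requires openssl on PATH; the keychain dump step requires macOS `security`.

# check_pem_bundle FILE [HORIZON_SECONDS]
#   Prints one line per certificate in FILE:  STATUS|notAfter|subject
#   STATUS is OK, or EXPIRING when the cert expires within HORIZON_SECONDS
#   (horizon 0 means "already expired"). Returns the number of EXPIRING certs
#   as its exit status, so callers can test it directly.
check_pem_bundle() {
    bundle="$1"
    horizon="${2:-0}"
    flagged=0
    tmp=$(mktemp)
    # Walk the bundle line by line; each END CERTIFICATE line closes one cert.
    while IFS= read -r line; do
        printf '%s\n' "$line" >> "$tmp"
        case "$line" in
            *"-----END CERTIFICATE-----"*)
                subject=$(openssl x509 -in "$tmp" -noout -subject 2>/dev/null | sed 's/^subject= *//')
                notafter=$(openssl x509 -in "$tmp" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
                # -checkend N exits 0 if the cert is still valid N seconds from now
                if openssl x509 -in "$tmp" -noout -checkend "$horizon" >/dev/null 2>&1; then
                    status=OK
                else
                    status=EXPIRING
                    flagged=$((flagged + 1))
                fi
                printf '%s|%s|%s\n' "$status" "$notafter" "$subject"
                : > "$tmp"   # reset buffer for the next certificate
                ;;
        esac
    done < "$bundle"
    rm -f "$tmp"
    return "$flagged"
}

# audit_mac_keychains [HORIZON_SECONDS]
#   macOS only: dump every certificate from the login and System keychains
#   (assumed standard paths) into a PEM bundle and run check_pem_bundle on it.
audit_mac_keychains() {
    horizon="${1:-0}"
    bundle=$(mktemp)
    for kc in "$HOME/Library/Keychains/login.keychain-db" \
              /Library/Keychains/System.keychain; do
        [ -r "$kc" ] || continue
        echo "## $kc"
        security find-certificate -a -p "$kc" > "$bundle" 2>/dev/null
        check_pem_bundle "$bundle" "$horizon" || true
    done
    rm -f "$bundle"
}

# Stand-alone use: `sh audit.sh [horizon]` on a Mac.
if [ "${AUDIT_RUN:-0}" = "1" ]; then
    audit_mac_keychains "${1:-0}"
fi
```

Run it with `AUDIT_RUN=1 sh audit.sh 604800` on one of the failing Macs and compare the output against a machine that joins cleanly; an EXPIRING line for an old issuing CA or a previous identity cert that the profile re-push did not remove is the kind of thing the Cisco log message points at. Note that an identity's private key is not checked here, only the certificates, and that `security find-certificate -a -p` with no keychain argument searches the default search list instead of a specific file.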