Posted on 05-01-2017 10:14 AM
I'm installing a config profile that pulls down AD machine certs and connects to our wifi.
On some machines, the Cisco ISE server returns "Endpoint abandoned EAP session and started new" and will fail out. On the client machine, if I delete the SSID from the preferred network list, manually connect and use the same certificate that the config profile pushes out, it'll connect successfully.
Any idea why some clients will connect and others won't?
Posted on 05-01-2017 10:55 AM
What type of template are you using for your AD Cert?
Posted on 05-01-2017 11:02 AM
We're using computer certificates.
On an affected machine, I tried deleting the SSID that the config profile puts in there, then manually connecting and manually selecting the certificate that was requested and it connects to wifi. It leads me to believe it's not liking something about the .mobileconfig.
The strange thing is that our old configuration profile has the same exact settings but with a different SSID and those never received the same error.
Posted on 05-01-2017 11:11 AM
I would check the EAP Timers on the Wireless LAN Controller, may have to adjust the timeout setting. I think it maxes like 120 or something.
Posted on 05-01-2017 11:16 AM
I'm having our network team open a case with Cisco. I also mentioned your suggestion. Thanks.
Posted on 05-01-2017 03:05 PM
Is there a way of checking to see which certificate is being used when connecting to an SSID? The configuration profile is set to use the "AD Certificate" to authenticate, but I wanted to validate it.
If I remove the SSID from the preferred network and pick the cert that was generated from the .mobileconfig, I'm able to connect.
Posted on 05-01-2017 05:12 PM
Since I know the new cert works if I manually do it -- does anyone know how I can script assigning that cert to use for the SSID?
I'm assuming I'd have to be looking into the "security" command.
Never mind, I figured it out using.