WiFi 802.1x reconnect issue after waking from sleep

jlong
New Contributor II

We recently acquired one of the new MacBooks in our environment, and due to the USB-C port opted to manually configure it rather than image, as our imaging method only works via ethernet at the moment. For some reason the laptop would not reconnect via WiFi after waking the computer from sleep. Specifically the 802.1x component failed to reconnect (we use PEAP in our environment).

The user of the computer is technical and was trying to use AppleScript to automatically reconnect, but could not find a way to specify the "Connect" button in Network Preferences. Modifying a script I found here, this worked for him. He suggested I pass it along as we came across others in the wild with a similar problem, and the link listed above was a little tricky to find. Hope someone finds it helpful.

-- Make sure the Wi-Fi interface (en0) is powered on
do shell script "/usr/sbin/networksetup -setairportpower en0 on"
delay 2
-- Open the Wi-Fi section of the Network preference pane
tell application "System Preferences"
    activate
    reveal pane id "com.apple.preference.network"
    reveal anchor "Wi-Fi" of pane id "com.apple.preference.network"
end tell
-- Drive the 802.1X button through UI scripting
tell application "System Events"
    tell window 1 of process "System Preferences"
        click button 2 of group 1
        -- If the button now reads "Connect", click it to reauthenticate
        if title of button 2 of group 1 begins with "Connect" then
            click button 2 of group 1
        end if
    end tell
end tell


Look
Valued Contributor III

It's probably pretty widespread actually.
I am trying to work out a way around this issue as well; as far as I can tell it's a bug in Yosemite, as 10.9 does not seem to do it.

alexjdale
Valued Contributor III

Interesting, turning Airport off and on again won't make it autojoin the wifi network?

Look
Valued Contributor III

We are using PEAP with AD authentication from the login screen and when it tries to rejoin after waking for some reason it doesn't seem to try and reauthenticate and gets stuck in a kind of halfway non-working state. Turning the Wi-Fi off and on, it just comes back to the same state with no improvement. You can generally get around it by fast user switching to the login screen (i.e. reauthenticating) or clicking Connect from the Network preferences pane (at which point, if there are no saved credentials, it will ask for them).

plawrence
Contributor II

@jlong @Look

We are seeing the same issue on 10.10.x machines in our environment when using Configuration Profiles with a Wi-Fi payload with 'Use as a LoginWindow configuration' ticked.

I strongly suggest you all contact your local Apple Engineer and/or file a bug at https://bugreport.apple.com/ regarding this issue and list the number of machines affected. The more people reporting this issue, the more attention it should get.

Unfortunately, the latest 10.10.4 beta exhibits the same issue, even with the apparent removal of 'discoveryd'.

Look
Valued Contributor III

@plawrence

Yeah tested 10.10.4 the other day still no go, quick google shows it to be pretty widespread really.
Appears to be a failure to provide credentials (or perhaps supplying expired credentials) when reconnecting to a PEAP/AD enabled network after waking from sleep.

nessts
Valued Contributor II

Have you tried adding your Root certificates to the system keychain as per this Apple Support Document?

jlong
New Contributor II

@nessts, the computer exhibiting this was enrolled in JAMF, which is how we're pushing out the root CA, and I double-checked just to make sure the computer has it.

What's weird is this is the only computer in our environment with this issue, and the only known difference is that it wasn't imaged with Casper Imaging. I'm glad this issue is only affecting one machine based on the above, but it is worrisome to hear this problem is so widespread.

Thanks for the feedback everyone.

Look
Valued Contributor III

@jlong What OS are the imaged ones running? Yosemite of some flavour?
We too are pushing the certs with Casper.

jlong
New Contributor II

@Look We're imaging with 10.10.3 currently, but we have JAMF imaged OSes going back to 10.9.5 (and many imaged with 10.10, 10.10.1, and 10.10.2). We also have machines imaged with our previous system going back to 10.7. So it doesn't appear to be OS-specific. The only one that's experiencing this issue is the MacBook that we had to set up manually.

russeller
Contributor III

This might help. You can enable advanced logging for 802.1x auth that might shed some light on the issue. Not sure if it works in Yosemite. Take a look inside that folder location for a similar plist if that one doesn't exist.

Enabling eapolclient Logging (Authentication)
--Open Terminal
--Type:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int -1

--Exit
--Close Terminal.
--Restart the Computer.
--The eapolclient is the 802.1X supplicant on Mac OS X. This setting will have it dump copious logs to /var/log/eapolclient.<interface>.log, where the interface is something like en1, or whatever the particular network adaptor, wired or wireless, you're trying to use. You can also find them in Console.log.
Note: To disable the logging you just set the integer back to 0.

Source: http://prowiki.isc.upenn.edu/wiki/Enabling_Advanced_Logging_for_Wireless_in_Mac_OS_X

pnbahry
New Contributor III

We have had this problem since 10.8 and have found no workaround at all. As soon as the profile is installed (JSS or OSX Server) on the machine we saw similar problems to what you are seeing. The problems were intermittent and we were not happy with it at all.

Some of the things we tried:
Tried different hardware, built new Radius servers, tried different versions of Mac OS, tried the 802.1x profile with different Casper versions, tried OSX Servers running different OSes; we even changed APs across the whole school and the problem was still there. - We had to change APs anyway, not because of this issue :)

Even after all of the changes, anytime we had an 802.1x login profile installed we had problems with the machine authenticating to our Radius server. We received help from Casper, Apple and our AP Vendor also.

At the moment we are not seeing these issues at all anymore. This is what we have done to work around the issues we were seeing:

When we roll out machines to students we set up an Enrol SSID WPA2; this is a restricted SSID which only allows the user to login using their AD Credentials. Once the user has logged in we get them to manually join our network (802.1x) and authenticate and remove the Enrol SSID.

After the rollout I also pull the Enrol SSID profile off the users' machines in case any of them did not remove it manually.

CGundersen
Contributor III

We have a case open with Apple. It's been indicated a fix is a priority ... whatever that means these days. No workarounds have been offered and I don't see 10.10.4 being the solution. We do not have the issue with 10.9.5 clients.

TheSeans
New Contributor

We're in the process of moving over to 802.1x and are running into the same problems.

cvangorp
New Contributor III

We have tested with the latest build of 10.10.4 and have the same issue. We have also downloaded 10.11 and tested, the issue is not fixed. We have entered a bug for the 10.11 so it may get fixed. I encourage others to do the same, more voices maybe they will fix it.

TheSeans
New Contributor

Our Apple SE responded telling me to try 10.11, claiming it was fixed. Guess not. Thanks for the heads up @cvangorp

plawrence
Contributor II

There was a new 10.11 beta released (15A204h) and in my initial testing the issue appears to be fixed; my mobile account reconnects to 802.1x wifi after waking from sleep. Can someone else please test and let me know your findings?

cvangorp
New Contributor III

I also updated yesterday and found it not to work, but tried it again today and it is working. Interesting. Will test some more.

mm2270
Legendary Contributor III

I just updated my test 10.11 system to the new build that showed up yesterday but did not get a chance to test out anything related to Wi-Fi yet. I'll be sure to test this as it's encouraging to hear there are better results people are experiencing.
The whole Wi-Fi experience in Yosemite was and continues to be such a giant mess, I almost can't wait for 10.11 if it's going to finally resolve all or most of the issues.

CGundersen
Contributor III

So, reconnect to WiFi after sleep seems solid. That is good news.

I did have some reliability issues with a manually installed (JSS generated) 802.1x/PEAP/LoginWindow config profile we use successfully with 10.9.5 ... basically iterating (logging on/off) through accounts not very consistent with drops into mobile/cached account instead of picking up WiFi/kerb ticket.

If I use a Profile Manager (4.1) config profile the aforementioned process seems reliable.

Not applicable

Same here - 15A204h on a 13" MBP reconnects fine after waking from sleep to my 802.1X via EAP-PEAP (MSCHAPv2), although unfortunately that profile is now being installed locally rather than as a configuration profile etc.

bentoms
Release Candidate Programs Tester

@CGundersen User level auth?

I'm going to double check, but our JSS delivered EAP-PEAP seems to be working fine. But it's a computer level profile.

CGundersen
Contributor III

Hey @bentoms

We are using JSS generated/delivered computer level config profiles with 10.9.x successfully/reliably. Applying that same config profile to 10.10.x does NOT work for us.

The config profile is pretty simple: Computer-Level, Wi-Fi, SSID provided, Auto Join, WPA/WPA2 Enterprise, "Use as Login Window configuration" checked, EAP Type is PEAP only, NOT using Directory/computer auth, necessary certificates are also part of config profile payload and trusted.
-I would like to add Directory/computer auth to the mix, but network group has slowed that plan down a bit.

I need to test the recent Profile Manager (4.1) generated config profile against 10.10.x (and 10.9.x), but it works reliably against 10.11 beta 2 (15A2014h).

As an aside, in testing the latest build of 10.11 (15A2014h), the reconnect to WiFi after sleep is good to go. That's been a separate issue for us with 10.10.x, and I'm hoping Apple doesn't just point to 10.11 for resolution. Even when I can get a manually rolled (or Profile Manager generated) config profile to work with 10.10.x, the inability to reconnect after sleep has been a deal breaker.

Not a Configuration Profile guru, so riddle me this ... the Profile Manager generated config profile was created against a Device Group, so computer level (?). The difference that I can see right away is that the Profile Manager config profile has a single Enterprise Mode entry which is "Login Window" while the JSS profile has 2 entries for Enterprise Mode ... both "Login Window" and "System"
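The comparison described in the post above can be done mechanically. This is an added example, not part of the thread and not Jamf or Apple code: it reads unsigned .mobileconfig plists and reports, per Wi-Fi payload, the setup modes, accepted EAP types and whether RADIUS server trust is pinned. The key names (`SetupModes`, `AcceptEAPTypes`, `TLSTrustedServerNames`, `PayloadCertificateAnchorUUID`) come from Apple's Wi-Fi payload format rather than from the thread; the SSID, server name and both sample profiles are constructed.

```python
import plistlib

# EAP method numbers as used in AcceptEAPTypes (IANA EAP method registry).
EAP_NAMES = {13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}

def wifi_payload(ssid, modes):
    """Constructed Wi-Fi payload resembling the profile described in the post."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "SSID_STR": ssid,                      # constructed SSID
        "AutoJoin": True,
        "EncryptionType": "WPA",
        "SetupModes": modes,
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],            # PEAP only
            "TLSTrustedServerNames": ["radius.example.org"],  # constructed name
        },
    }

def build_profile(payloads):
    """Serialize an unsigned profile (a signed one must be unwrapped first)."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": payloads})

def summarize(profile_bytes):
    """Return one summary dict per Wi-Fi payload in an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    out = []
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        out.append({
            "ssid": p.get("SSID_STR"),
            "setup_modes": sorted(p.get("SetupModes", [])),
            "eap_types": [EAP_NAMES.get(t, str(t)) for t in eap.get("AcceptEAPTypes", [])],
            "server_trust_pinned": bool(eap.get("TLSTrustedServerNames")
                                        or eap.get("PayloadCertificateAnchorUUID")),
        })
    return out

def diff_profiles(a, b):
    """Fields that differ between the first Wi-Fi payload of each profile."""
    sa, sb = summarize(a)[0], summarize(b)[0]
    return {k: (sa[k], sb[k]) for k in sa if sa[k] != sb[k]}

# Constructed stand-ins for the two profiles being compared in the post.
JSS_STYLE = build_profile([wifi_payload("CorpWiFi", ["Loginwindow", "System"])])
PM_STYLE = build_profile([wifi_payload("CorpWiFi", ["Loginwindow"])])

if __name__ == "__main__":
    print(diff_profiles(JSS_STYLE, PM_STYLE))
```

To use it on real profiles, pass the bytes of each exported .mobileconfig file to `diff_profiles` in place of the constructed samples.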

bentoms
Release Candidate Programs Tester

@CGundersen Hmm.. I wonder if it's ticking "Use as Login Window configuration" that's the issue.

We don't have that ticked, & seems to work well.

(We do have use directory credentials with the variable $COMPUTERNAME set).

bentoms
Release Candidate Programs Tester

@CGundersen Actually, I'd speak to your TAM.. there might be a known defect for this..

CGundersen
Contributor III

@bentoms Yeah, I've made our TAM aware of some of the issues we've seen. I guess I'll need to put in a request to get in on 9.73 beta. I've also been working for (or with) Apple Enterprise support (for a significant amount of time) on a few items.

I did test my Profile Manager generated config profile successfully on 10.9.5 and 10.10.3 (in addition to 10.11), so I guess I can upload that signed profile to the JSS and migrate folks to that ... I'll just lose some agility. However, with 10.10 still being in the dumpster due to the WiFi reconnect bug I'm still SOL.

plawrence
Contributor II

10.10.4 has been released, but the 802.1x wifi behaviour is still faulty. If a profile is installed with a wifi payload with "Use as Login Window configuration" ticked, the wifi will connect on login, but it does not reconnect after waking from sleep.

Looks like we will have to wait for 10.11 to be released if we want reliable 802.1x connectivity.

CGundersen
Contributor III

Yep, 10.11 it is. Sorry folks the park's closed ... impact data not sufficient to warrant a fix in Yosemite OS.

Use computer auth as workaround ...

tomt
Valued Contributor

I'm still having the reconnect after sleep issue on the latest 10.11 beta. Initial connection works perfectly but after a wake the client machine just shows continuous attempts to authenticate but the AP and ACS logs show no attempts are actually getting through.

Cisco network running 802.1x PEAP and using a Login Window profile.

CGundersen
Contributor III

@tomt

I'm just getting around to testing what I believe to be the latest (15A216G). I'm using a JSS generated config profile (what we have working reliably with 10.9.5) and successfully reconnecting to WiFi after sleep. Are you sure you are using the latest 10.11 beta build? I was having some poor luck yesterday, but wasn't on the latest (and I think Apple regressed for a bit). We are also Cisco/PEAP and the aforementioned config profile is using Login Window (alone, no Computer/Dir Auth added).

Edit:
I do experience some "misses" when iterating through accounts where it drops user in to cached account. However, when successfully grabbing wireless on login, reconnecting to WiFi after sleep has been reliable with build 15A216G. I still seem to have better login reliability with Profile Manager profile than JSS generated using 10.11 (reconnect to WiFi after sleep aside).

tomt
Valued Contributor

@CGundersen I'm running 15A178W that I built two days ago. I'll see if there is a newer one available for my test system (13" Retina MBP). If so I'll try that and post the results.

Thanks

CGundersen
Contributor III

@tomt

I believe that build (15A178W) was troublesome for me as well. Look forward to hearing your results.

tomt
Valued Contributor

Updated to 15A216G and it immediately connected with the PEAP network. Put it to sleep for 10 minutes and it reconnected on wake. Put it to sleep again for roughly half an hour (or a bit longer) and it reconnected happily.

Now we just need someone to reverse engineer the fix so I can get Yosemite to actually work. :-)

plawrence
Contributor II

I've updated to 15A216G too and tested our wifi profile (configured with use as a loginwindow configuration). Wifi connects on login and also after waking from sleep, so it's still looking good! Pretty sure there is no hope for Yosemite though.

plawrence
Contributor II

It was quite a surprise to see a beta for 10.10.5 drop today. Unfortunately there is no change in the "wifi reconnecting after waking from sleep" behaviour.

cvangorp
New Contributor III

I see in the 9.73 release notes this defect that is fixed. D-008688 - Did Jamf fix Apple's problem? Interested in testing soon. http://resources.jamfsoftware.com/documents/products/documentation/Casper-Suite-9.73-Release-Notes.pdf

boberito
Valued Contributor

I just installed 9.73 and we had the problem here at the school I work at. I repushed the Configuration Profile. I'll report back if we seem to continue running into the problem.

plawrence
Contributor II

I upgraded the JSS to 9.73, edited and saved our wireless profile, removed and re-added the profile on a laptop running 10.10.5 but it still doesn't connect to the wireless after waking from sleep.

boberito
Valued Contributor

After a full day and some change I almost feel like the problem is worse now post 9.73 :(

Why's Apple gotta break wifi every other major revision of the system? 10.7 was great, 10.8 not so great, 10.9 great, 10.10 been not so great.

Araneta
New Contributor III

Anyone found a solution for this yet? :(