We recently acquired one of the new MacBook's in our environment, and due to the USB-C port opted to manually configure it rather than image, as our imaging method only works via ethernet at the moment. For some reason the laptop would not reconnect via WiFi after waking the computer from sleep. Specially the 802.1x component failed to reconnect (we use PEAP in our environment).
The user of the computer is technical and was trying to use AppleScript to automatically reconnect, but could not find a way to specify the "Connect" button in Network Preferences. Modifying a script I found here, this worked for him. He suggested I pass it along as we came across others in the wild with a similar problem, and the link listed above was a little tricky to find. Hope someone finds it helpful.
do shell script "/usr/sbin/networksetup -setairportpower en0 on"
tell application "System Preferences" activate reveal pane id "com.apple.preference.network" reveal anchor "Wi-Fi" of pane id "com.apple.preference.network"
tell application "System Events" tell window 1 of process "System Preferences" click button 2 of group 1
if title of button 2 of group 1 begins with "Connect" then
click button 2 of group 1
We are using PEAP with AD authentication from the login screen and when it tries to rejoin after waking for some reason it doesn't seem to try and reauthenticate and gets stuck in a kind of halfway none working state, turning the Wi-Fi on and off it just comes back to the same state with no improvement. You can generally get arount it by fast user switching to the login screen (ie: reauthenticating) or clicking connect from the network preferences pane (at which point if there are no saved credentials it will ask for them).
We are seeing the same issue on 10.10.x machines in our environment when using Configuration Profiles with a Wi-Fi payload with 'Use as a LoginWindow configuration' ticked.
I strongly suggest you all contact your local Apple Engineer and/or file a bug at https://bugreport.apple.com/ regarding this issue and list the amount of machines affected. The more people reporting this issue, the more attention it should get.
Unfortunately, the latest 10.10.4 beta exhibits the same issue, even with the apparent removal of 'discoveryd'
@nessts, the computer exhibiting this was enrolled in JAMF, which is how we're pushing out the root CA, and I double-checked just to make sure the computer has it.
What's weird is this is the only computer in our environment with this issue, and the only known difference is that it wasn't imaged with Casper Imaging. I'm glad this issue is only affecting one machine based on the above, but it is worrisome to hear this problem is so widespread.
Thanks for the feedback everyone.
@Look We're imaging with 10.10.3 currently, but we have JAMF imaged OS' going back to 10.9.5 (and many imaged with 10.10, 10.10.1, and 10.10.2.) We also have machines imaged with our previous system going back to 10.7. So it doesn't appear to be OS-specific. The only one that's experiencing this issue is the MacBook that we had to setup manually.
This might help. You can enable advanced logging for 802.1x auth that might shed some light on the issue. Not sure if it works in Yosemite. Take a look inside that folder location for a similar plist if that one doesn't exist.
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int -1
--Restart the Computer.
--The eapolclient is the 802.1X supplicant on Mac OS X. This setting will have it dump copious logs to /var/log/eapolclient.<interface>.log. Where the interface is something like en1, or whatever the particular network adaptor, wired or wireless, you're trying to use. You can also find them in Console.log
Note: To disable the logging you just set the integer back to 0
We have had this problem since 10.8 and have found no work around at all. As soon as the profile is installed (JSS or OSX Server) on the machine we see saw similar problems to what you are seeing. The problems were intermittent and we were not happy with it at all.
Some of the things we tried:
Tried different hardware, built new Radius servers, tried different versions of Mac OS, tried the 802.1x profile with different Casper versions, tried OSX Servers running different OS's we even changed AP's across the whole school and the problem was still there. - We had to change AP's anyway not because of this issue :)
Even after all of the changes anytime we had a 802.1x login profile installed we had problems with the machine authenticating to our Radius server, we received help from Casper, Apple and our AP Vendor also.
At the moment we are not seeing these issues at all anymore, this is what we have done to work around this issues we were seeing:
When we roll out machines to students we setup an Enrol SSID WPA2, this is a restricted SSID which only allows the user to login using their AD Credentials. Once the user has logged in we get them to manually join our network (802.1x) and authenticate and removed the Enrol SSID.
After the rollout I also pull the Enrol SSID profile off the users machines incase any of them did not remove it manually.
We have a case open with Apple. It's been indicated a fix is a priority ... whatever that means these days. No workarounds have been offered and I don't see 10.10.4 being the solution. We do not have the issue with 10.9.5 clients.
We have tested with the latest build of 10.10.4 and have the same issue. We have also downloaded 10.11 and tested, the issue is not fixed. We have entered a bug for the 10.11 so it may get fixed. I encourage others to do the same, more voices maybe they will fix it.
There was a new 10.11 beta released (15A204h) and in my initial testing the issue appears to be fixed, my mobile account reconnects to 802.1x wifi after waking from sleep. Can someone else please test and let me know and let me know your findings?
I just updated my test 10.11 system to the new build that showed up yesterday but did not get a chance to test out anything related to Wi-Fi yet. I'll be sure to test this as its encouraging to hear there are better results people are experiencing.
The whole Wi-Fi experience in Yosemite was and continues to be such a giant mess, I almost can't wait for 10.11 if its going to finally resolve all or most of the issues.
So, reconnect to WiFi after sleep seems solid. That is good news.
I did have some reliability issues with a manually installed (JSS generated) 802.1x/PEAP/LoginWindow config profile we use successfully with 10.9.5 ... basically iterating (logging on/off) through accounts not very consistent with drops into mobile/cached account instead of picking up WiFi/kerb ticket.
If I use a Profile Manager (4.1) config profile the aforementioned process seems reliable.
Same here - 15A204h on a 13" MBP reconnects fine after waking from sleep to my 802.1X via EAP-PEAP (MSCHAPv2), although unfortunately that profile is now being installed locally rather than as a configuration profile etc.
We are using JSS generated/delivered computer level config profiles with 10.9.x successfully/reliably. Applying that same config profile to 10.10.x does NOT work for us.
The config profile is pretty simple: Computer-Level, Wi-Fi, SSID provided, Auto Join, WPA/WPA2 Enterprise, "Use as Login Window configuration" checked, EAP Type is PEAP only, NOT using Directory/computer auth, necessary certificates are also part of config profile payload and trusted.
-I would like to add Directory/computer auth to the mix, but network group has slowed that plan down a bit.
I need to test the recent Profile Manager (4.1) generated config profile against 10.10.x (and 10.9.x), but it works reliably against 10.11 beta 2 (15A2014h).
As an aside, in testing the latest build of 10.11 (15A2014h), the reconnect to WiFi after sleep is good to go. That's been a separate issue for us with 10.10.x, and I'm hoping Apple doesn't just point to 10.11 for resolution. Even when I can get a manually rolled (or Profile Manager generated) config profile to work with 10.10.x, the inability to reconnect after sleep has been a deal breaker.
Not a Configuration Profile guru, so riddle me this ... the Profile Manager generated config profile was created against a Device Group, so computer level (?). The difference that I can see right away is that the Profile Manager config profile has a single Enterprise Mode entry which is "Login Window" while the JSS profile has 2 entries for Enterprise Mode ... both "Login Window" and "System"
@bentoms Yeah, I've made our TAM aware of some of the issues we've seen. I guess I'll need to put in a request to get in on 9.73 beta. I've also been working for (or with) Apple Enterprise support (for a significant amount of time) on a few items.
I did test my Profile Manager generated config profile successfully on 10.9.5 and 10.10.3 (in addition to 10.11), so I guess I can upload that signed profile to the JSS and migrate folks to that ... I'll just lose some agility. However, with 10.10 still being in the dumpster due to the WiFi reconnect bug I'm still SOL.
10.10.4 has been released, but the 802.1x wifi behaviour is still faulty. If a profile is installed with a wifi payload with "Use as Login Window configuration" ticked, the wifi will connect on login, but it does not reconnect after waking from sleep.
Looks like we will have to wait for 10.11 to be released if we want reliable 802.1x connectivity.
I'm still having the reconnect after sleep issue on the latest 10.11 beta. Initial connection works perfectly but after a wake the client machine just shows continuous attempts to authenticate but the AP and ACS logs show no attempts are actually getting through.
Cisco network running 802.1x PEAP and using a Login Window profile.
I'm just getting around to testing what I believe to be the latest (15A216G). I'm using a JSS generated config profile (what we have working reliably with 10.9.5) and successfully reconnecting to WiFi after sleep. Are you sure you are using the latest 10.11 beta build? I was having some poor luck yesterday, but wasn't on the latest (and I think Apple regressed for a bit). We are also Cisco/PEAP and the aforementioned config profile is using Login Window (alone, no Computer/Dir Auth added).
I do experience some "misses" when iterating through accounts where it drops user in to cached account. However, when successfully grabbing wireless on login, reconnecting to WiFi after sleep has been reliable with build 15A216G. I still seem to have better login reliability with Profile Manager profile than JSS generated using 10.11 (reconnect to WiFi after sleep aside).
Updated to 15A216G and it immediately connected with the PEAP network. Put it to sleep for 10 minutes and it reconnected on wake. Put it to sleep again for roughly half an hour (or a bit longer) and it reconnected happily.
Now we just need someone to reverse engineer the fix so I can get Yosemite to actually work. :-)
I've updated to 15A216G too and tested our wifi profile (configured with use as a loginwindow configuration). Wifi connects on login and also after waking from sleep, so its still looking good! Pretty sure there is no hope for Yosemite though.
I see in the 9.73 release notes this defect that is fixed. D-008688 - Did Jamf fix Apple's problem? Interested in testing soon. http://resources.jamfsoftware.com/documents/products/documentation/Casper-Suite-9.73-Release-Notes.pdf
I upgraded the JSS to 9.73, edited and saved our wireless profile, removed and re-added the profile on a laptop running 10.10.5 but it still doesn't connect to the wireless after waking from sleep.
After a full day and some change I almost feel like the problem is worse now post 9.73 :(
Why's Apple gotta break wifi every other major revision of the system 10.7 was great, 10.8 not so great, 10.9 great, 10.10 been not so great.