Wireless 802.1x fails after credentials updated

New Contributor II

We recently implemented 802.1x in our environment and have just noticed an issue. When a user updates their directory password, instead of the Mac prompting the user for a new password, authentication fails with an obscure message, see attached.
We have Meraki AP's and we are using Foxpass radius server which delegates authentication to OKTA. I'm not sure if this set up is a factor.

If I manually delete the Keychain entry, the authentication prompt comes back as expected and I am able to enter my updated password and connect as usual.


Valued Contributor

Look in the user's keychain and clear any entries related to your SSID. You can't script this removal, as the user's keychain is secured and not accessible even as root. You can, however, delete the user's keychain.

New Contributor II

Hey @ryan.ball Thanks! however, you will see in my original post that manually deleting the keychain resolved the issue. However, instructing users to delete the SSID from the keychain every time they update their password is not a long term solution.
There must be a solution?

New Contributor

I've been dealing with this issue for years. I've just made sure to plaster all password change notices (before and after) with instructions on how to fix keychain. I'd love a more automated solution.

Valued Contributor

It is scriptable, just not (easily) in the context of the root user. Since Jamf Pro runs scripts as root, you can use sudo -s $3 -c "command goes here" to execute something in the context of the user account passed into Jamf Pro (via Self Service, etc.). We used to do that fairly often to clear out Keychain entries for our non-Kerberized web proxy.