802.1x wifi and High Sierra Upgrade

boberito
Valued Contributor

I'm seeing an 802.1x connectivity problem when upgrading to High Sierra in my testing... when I do the upgrade.

I have a configuration profile pushed to the machine to connect to our wireless. The MacBook Air will connect perfectly before the upgrade. But then once it upgrades, it will no longer connect to our 802.1x network. Looking deep into the logs I see "en0 EAP-PEAP: authentication failed with status 1". Looking at our wireless logs it seems like it's not able to authenticate with AD properly.

If I delete the network out of the Preferred Network, then manually re-connect, it'll work. But I'm really trying to avoid that.

These are freshly imaged machines on 10.12 that I'm then trying to upgrade to 10.13. So it isn't a machine that's been mucked up over multiple upgrades or anything. I've had very similar issues previously with Sierra and El Capitan, but usually connecting to another network would solve it (no idea why that would); not so lucky with High Sierra.

7 REPLIES

miregan
Contributor II

Make sure that your cert is using SHA-2. SHA1 is not supported on High Sierra.

boberito
Valued Contributor

It is. 256 in fact.

boberito
Valued Contributor

Turns out it works if "Use as a Login Window configuration" is checked... which is uncheckable in 9.101, so I had to spin up a VM and get 9.100 installed. Then download the profile and re-upload it to 9.101.

I feel like in the past I've had this box checked and it's caused weird issues before with people not being able to authenticate to the wifi, maybe from sleep?

MrRoboto
Contributor III

Did you find a solution to this? I'm in the same boat right now.

boberito
Valued Contributor

Nope :(

Since we're all laptops, if people upgrade while off campus, it works. No idea why. None of it makes sense.

MrRoboto
Contributor III

If I temporarily connect one of these laptops to ethernet or another internal SSID, then the 802.1x works again. Seems like they need to talk to AD to update the computer password or get an updated token.

PhillyPhoto
Valued Contributor

@boberito

Turns out it works if "Use as a Login Window configuration" is checked...which is uncheckable in 9.101, so I had to spin up a VM and get 9.100 installed. Then download the profile and re-upload it to 9.101. I feel like in the past I've had this box checked and it's caused weird issues before with people not being able to authenticate to the wifi maybe from sleep?

We were having wired 802.1x issues with JSS-created profiles, so I've moved to creating the network profile in Profile Manager, downloading it and signing it, then installing it in a package. Sometimes the network profile would get removed from the machine entirely with no management command in the inventory. Installing it that way means the MDM can't remove it.