First Wi-Fi connection to EAP-TTLS with PAP takes too long and prompts for password on 3rd attempt
Originator: michalm.mac
Number: rdar://FB9948356
Date Originated: 2022-03-07
Status: Open
Resolved:
Product: macOS
Product Version: 12.3
Classification: Incorrect/Unexpected Behavior
Reproducible: Always
# Intro

We are currently working on a Wi-Fi transition from SSID: OLDWIFI (WPA2 Personal) to SSID: NEWWIFI (WPA2 Enterprise EAP-TTLS with PAP). We want to use EAP-TTLS with the PAP inner authentication method so our users can use Okta credentials to authenticate when connecting to Wi-Fi. macOS won't connect to EAP-TTLS with PAP by default unless explicitly configured in a configuration profile. We provide the configuration profile via MDM (VMware Workspace ONE UEM).

# Problem

When a user wants to connect to NEWWIFI (EAP-TTLS with PAP) for the first time, the prompt for the password appears after a long 6 seconds. This happens because macOS connects to NEWWIFI 3 times but asks for the credentials only during the 3rd attempt. See ttls_longwait.mov. Not an ideal user experience. The same behavior occurs with both SYSTEM and USER scoped configuration profiles.

# Steps to reproduce

1. Send the SYSTEM scope configuration profile wifi_system_scope.mobileconfig (or the USER scope configuration profile wifi_user_scope.mobileconfig) to managed Macs via MDM (profiles can be installed manually for the purpose of this bug report).
2. The profile is delivered and the configuration applied.
3. If the profile is SYSTEM scope, macOS will automatically try to connect to NEWWIFI, fail and reconnect back to OLDWIFI. FB9947906
4. The user opens the Wi-Fi menu and clicks on the NEWWIFI SSID.

# Expected result

macOS prompts the user for credentials within a reasonable time frame (3 seconds?).

# Actual result

It takes about 6 seconds before the credentials prompt appears. Here is why:

1. macOS tries to connect to NEWWIFI for the first time. Does not prompt for credentials:

    2022-03-04 16:43:19.038582+0100 0x7be2 Default 0x0 3765 0 eapolclient: [com.apple.eapol:Client] en0: 802.1X User Mode
    2022-03-04 16:43:19.892771+0100 0x7be2 Default 0x0 3765 0 eapolclient: [com.apple.eapol:Client] Authenticating: can't prompt for missing properties ( UserPassword )
    2022-03-04 16:43:19.893871+0100 0x7be2 Info 0x0 3765 0 eapolclient: [com.apple.eapol:Client] State=Held Status=UserInputNotPossible (15):

2. macOS tries to connect to NEWWIFI for the second time. Does not prompt for credentials:

    2022-03-04 16:43:21.003193+0100 0x7c21 Default 0x0 3767 0 eapolclient: [com.apple.eapol:Client] en0: 802.1X System Mode
    2022-03-04 16:43:21.380395+0100 0x7c21 Default 0x0 3767 0 eapolclient: [com.apple.eapol:Client] Acquired: cannot prompt for missing user name
    2022-03-04 16:43:21.413920+0100 0x7c21 Info 0x0 3767 0 eapolclient: [com.apple.eapol:Client] State=Held Status=UserInputNotPossible (15):

3. macOS tries to connect to NEWWIFI for the third time. Finally prompts for credentials:

    2022-03-04 16:43:22.549605+0100 0x7c39 Default 0x0 3769 0 eapolclient: [com.apple.eapol:Client] en0: 802.1X User Mode
    2022-03-04 16:43:23.373531+0100 0x7c39 Info 0x0 3769 0 eapolclient: [com.apple.eapol:Client] Authenticating: user input required for properties ( UserPassword )
    2022-03-04 16:43:23.373737+0100 0x7c39 Info 0x0 3769 0 eapolclient: [com.apple.eapol:Client] State=Authenticating Status=UserInputRequired (3):

I think this is way too many connection attempts, especially since the username is provided by the configuration profile (the "cannot prompt for missing user name" message is particularly weird).

# Affected systems

Both M1 and Intel MacBook Pro running macOS 12 Monterey. Tested with:

- MacBookPro14,1 running 12.2.1 (21D62)
  Test occurred at 2022-03-04 15:46:34 CET
- MacBookPro17,1 running 12.3 Beta 5 (21E5227a)
  Test occurred (System scope profile) at 2022-03-04 14:03:44 CET
  Test occurred (User scope profile) at 2022-03-04 16:43:19 CET

To provide more detailed logs we turned on extended logging via sudo wdutil log +wifi +eapol.
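An added example, not part of the original report: a Python script that groups the eapolclient lines quoted in the report by process ID, records each attempt's 802.1X mode and final status, and reports which attempt reached UserInputRequired. The function names are this example's own, and the delay is measured from the first eapolclient line, not from the user's click.

```python
import re
from datetime import datetime

# Log lines copied from the report (eapolclient, USER scope profile test).
LOG = """\
2022-03-04 16:43:19.038582+0100 0x7be2 Default 0x0 3765 0 eapolclient: [com.apple.eapol:Client] en0: 802.1X User Mode
2022-03-04 16:43:19.892771+0100 0x7be2 Default 0x0 3765 0 eapolclient: [com.apple.eapol:Client] Authenticating: can't prompt for missing properties ( UserPassword )
2022-03-04 16:43:19.893871+0100 0x7be2 Info 0x0 3765 0 eapolclient: [com.apple.eapol:Client] State=Held Status=UserInputNotPossible (15):
2022-03-04 16:43:21.003193+0100 0x7c21 Default 0x0 3767 0 eapolclient: [com.apple.eapol:Client] en0: 802.1X System Mode
2022-03-04 16:43:21.380395+0100 0x7c21 Default 0x0 3767 0 eapolclient: [com.apple.eapol:Client] Acquired: cannot prompt for missing user name
2022-03-04 16:43:21.413920+0100 0x7c21 Info 0x0 3767 0 eapolclient: [com.apple.eapol:Client] State=Held Status=UserInputNotPossible (15):
2022-03-04 16:43:22.549605+0100 0x7c39 Default 0x0 3769 0 eapolclient: [com.apple.eapol:Client] en0: 802.1X User Mode
2022-03-04 16:43:23.373531+0100 0x7c39 Info 0x0 3769 0 eapolclient: [com.apple.eapol:Client] Authenticating: user input required for properties ( UserPassword )
2022-03-04 16:43:23.373737+0100 0x7c39 Info 0x0 3769 0 eapolclient: [com.apple.eapol:Client] State=Authenticating Status=UserInputRequired (3):
"""

# timestamp, thread, type, activity, PID, TTL, process, [subsystem:category], message
LINE = re.compile(r"^(\S+ \S+) \S+ \S+ \S+ (\d+) \d+ eapolclient: \[[^\]]+\] (.*)$")
MODE = re.compile(r"802\.1X (\w+) Mode")
STATUS = re.compile(r"State=(\w+) Status=(\w+) \((\d+)\)")

def parse_attempts(text):
    """Return one record per eapolclient process (one process per attempt)."""
    attempts = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an eapolclient line in the expected layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f%z")
        rec = attempts.setdefault(int(m.group(2)), {
            "start": ts, "mode": None, "state": None, "status": None, "at": None})
        if (mode := MODE.search(m.group(3))):
            rec["mode"] = mode.group(1)
        if (st := STATUS.search(m.group(3))):
            rec["state"], rec["status"], rec["at"] = st.group(1), st.group(2), ts
    return [dict(pid=pid, **rec) for pid, rec in attempts.items()]

def time_to_prompt(attempts):
    """(attempt number, seconds since first log line) of the first credential prompt."""
    ordered = sorted(attempts, key=lambda a: a["start"])
    for n, a in enumerate(ordered, 1):
        if a["status"] == "UserInputRequired":
            return n, (a["at"] - ordered[0]["start"]).total_seconds()
    return None, None  # no attempt ever asked the user for input

if __name__ == "__main__":
    for a in parse_attempts(LOG):
        print(a["pid"], a["mode"], a["state"], a["status"])
    print(time_to_prompt(parse_attempts(LOG)))
```
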
Comments
Were you ever able to get this working? I’m trying the same thing and it keeps failing.