First Wi-Fi connection to EAP-TTLS with PAP takes too long and prompts for password on 3rd attempt

Originator: michalm.mac
Number: rdar://FB9948356 Date Originated: 2022-03-07
Status: Open Resolved:
Product: macOS Product Version: 12.3
Classification: Incorrect/Unexpected Behavior Reproducible: Always
 
# Intro

We are currently working on a Wi-Fi transition from SSID OLDWIFI (WPA2 Personal) to SSID NEWWIFI (WPA2 Enterprise, EAP-TTLS with PAP).
We want to use EAP-TTLS with PAP as the inner authentication method so that our users can authenticate to Wi-Fi with their Okta credentials.
macOS will not connect to EAP-TTLS with PAP by default unless it is explicitly configured in a configuration profile. We deliver that configuration profile via MDM (VMware Workspace ONE UEM).

# Problem

When a user wants to connect to NEWWIFI (EAP-TTLS with PAP) for the first time, the password prompt appears only after a long 6 seconds. This happens because macOS connects to NEWWIFI 3 times but asks for the credentials only during the 3rd attempt. See ttls_longwait.mov. This is not an ideal user experience.

The same behavior occurs with both SYSTEM and USER scoped configuration profiles.

# Steps to reproduce

1. Send the SYSTEM scope configuration profile wifi_system_scope.mobileconfig (or the USER scope configuration profile wifi_user_scope.mobileconfig) to managed Macs via MDM. (The profiles can be installed manually for the purpose of this bug report.)
2. The profile is delivered and the configuration applied.
3. If the profile is SYSTEM scope, macOS will automatically try to connect to NEWWIFI, fail, and reconnect back to OLDWIFI (FB9947906).
4. The user opens the Wi-Fi menu and clicks on the NEWWIFI SSID.

# Expected result

macOS prompts the user for credentials within a reasonable time frame (3 seconds?).

# Actual result

It takes about 6 seconds before the credentials prompt appears.

Here is why:

1. macOS tries to connect to NEWWIFI for the first time. Does not prompt for credentials:

2022-03-04 16:43:19.038582+0100 0x7be2     Default     0x0                  3765   0    eapolclient: [com.apple.eapol:Client] en0: 802.1X User Mode
2022-03-04 16:43:19.892771+0100 0x7be2     Default     0x0                  3765   0    eapolclient: [com.apple.eapol:Client] Authenticating: can't prompt for missing properties (
    UserPassword
)
2022-03-04 16:43:19.893871+0100 0x7be2     Info        0x0                  3765   0    eapolclient: [com.apple.eapol:Client] State=Held Status=UserInputNotPossible (15):

2. macOS tries to connect to NEWWIFI for the second time. Does not prompt for credentials:

2022-03-04 16:43:21.003193+0100 0x7c21     Default     0x0                  3767   0    eapolclient: [com.apple.eapol:Client] en0: 802.1X System Mode
2022-03-04 16:43:21.380395+0100 0x7c21     Default     0x0                  3767   0    eapolclient: [com.apple.eapol:Client] Acquired: cannot prompt for missing user name
2022-03-04 16:43:21.413920+0100 0x7c21     Info        0x0                  3767   0    eapolclient: [com.apple.eapol:Client] State=Held Status=UserInputNotPossible (15):

3. macOS tries to connect to NEWWIFI for the third time. Finally prompts for credentials:

2022-03-04 16:43:22.549605+0100 0x7c39     Default     0x0                  3769   0    eapolclient: [com.apple.eapol:Client] en0: 802.1X User Mode
2022-03-04 16:43:23.373531+0100 0x7c39     Info        0x0                  3769   0    eapolclient: [com.apple.eapol:Client] Authenticating: user input required for properties (
    UserPassword
)
2022-03-04 16:43:23.373737+0100 0x7c39     Info        0x0                  3769   0    eapolclient: [com.apple.eapol:Client] State=Authenticating Status=UserInputRequired (3):

I think this is far too many connection attempts, especially since the username is provided by the configuration profile (the "cannot prompt for missing user name" message is particularly weird).

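To count the 802.1X attempts that precede the prompt and measure how long they take, here is an added helper (not part of this report) that parses eapolclient lines from the unified log and records each attempt's mode, final Status and the "cannot prompt" reason. The sample input is the report's own log lines with the multi-line property lists folded onto one line; the elapsed time it measures is eapolclient time only, before the UI draws the prompt.

```python
import re
from datetime import datetime

# Constructed sample input: the eapolclient lines quoted in the report above,
# with the multi-line property lists folded onto one line.
SAMPLE_LOG = """\
2022-03-04 16:43:19.038582+0100 0x7be2 Default 0x0 3765 0 eapolclient: [com.apple.eapol:Client] en0: 802.1X User Mode
2022-03-04 16:43:19.892771+0100 0x7be2 Default 0x0 3765 0 eapolclient: [com.apple.eapol:Client] Authenticating: can't prompt for missing properties ( UserPassword )
2022-03-04 16:43:19.893871+0100 0x7be2 Info 0x0 3765 0 eapolclient: [com.apple.eapol:Client] State=Held Status=UserInputNotPossible (15):
2022-03-04 16:43:21.003193+0100 0x7c21 Default 0x0 3767 0 eapolclient: [com.apple.eapol:Client] en0: 802.1X System Mode
2022-03-04 16:43:21.380395+0100 0x7c21 Default 0x0 3767 0 eapolclient: [com.apple.eapol:Client] Acquired: cannot prompt for missing user name
2022-03-04 16:43:21.413920+0100 0x7c21 Info 0x0 3767 0 eapolclient: [com.apple.eapol:Client] State=Held Status=UserInputNotPossible (15):
2022-03-04 16:43:22.549605+0100 0x7c39 Default 0x0 3769 0 eapolclient: [com.apple.eapol:Client] en0: 802.1X User Mode
2022-03-04 16:43:23.373531+0100 0x7c39 Info 0x0 3769 0 eapolclient: [com.apple.eapol:Client] Authenticating: user input required for properties ( UserPassword )
2022-03-04 16:43:23.373737+0100 0x7c39 Info 0x0 3769 0 eapolclient: [com.apple.eapol:Client] State=Authenticating Status=UserInputRequired (3):
"""

# Unified-log layout: timestamp, thread, type, activity, PID, TTL, process, subsystem, message.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+\S+\s+\S+\s+\S+\s+(?P<pid>\d+)\s+\d+\s+"
                     r"eapolclient: \[com\.apple\.eapol:Client\] (?P<msg>.*)$")
MODE_RE = re.compile(r"^en\d+: 802\.1X (User|System) Mode$")   # start of one attempt
STATE_RE = re.compile(r"^State=(\w+) Status=(\w+) \(\d+\):")   # outcome of that attempt
TS_FMT = "%Y-%m-%d %H:%M:%S.%f%z"

def parse_attempts(log_text):
    """Group lines into 802.1X attempts (one per eapolclient PID), in start order."""
    attempts, order = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a com.apple.eapol:Client line
        ts, pid, msg = datetime.strptime(m["ts"], TS_FMT), m["pid"], m["msg"]
        if mode := MODE_RE.match(msg):
            attempts[pid] = {"mode": mode[1], "start": ts, "reason": None,
                             "state": None, "status": None, "end": ts}
            order.append(pid)
        elif pid in attempts:  # ignore lines from a PID whose mode line we never saw
            if state := STATE_RE.match(msg):
                attempts[pid].update(state=state[1], status=state[2], end=ts)
            elif "prompt" in msg or "user input" in msg:
                attempts[pid]["reason"] = msg  # why credentials were / were not requested
    return [attempts[p] for p in order]

def seconds_until_prompt(attempts):
    """Seconds from the first attempt's start until an attempt reaches
    Status=UserInputRequired; None if the user was never prompted."""
    for att in attempts:
        if att["status"] == "UserInputRequired":
            return (att["end"] - attempts[0]["start"]).total_seconds()
    return None
```

Feed it the output of `log show --predicate 'subsystem == "com.apple.eapol"' --info` (or the wdutil log mentioned below) to get the same per-attempt breakdown from a real capture.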
# Affected systems
Both M1 and Intel MacBook Pro models running macOS 12 Monterey. Tested with:
- MacBookPro14,1 running 12.2.1 (21D62)
  Test occurred at 2022-03-04 15:46:34 CET
- MacBookPro17,1 running 12.3 Beta 5 (21E5227a)
  Test occurred (System scope profile) at 2022-03-04 14:03:44 CET
  Test occurred (User scope profile) at 2022-03-04 16:43:19 CET

To provide more detailed logs we turned on extended logging via sudo wdutil log +wifi +eapol.

Comments

Were you ever able to get this working? I’m trying the same thing and it keeps failing.
