We have a small office with ~20 people, each using a MacBook, and optionally connecting with a mobile phone too. Previously we used usual Wi-Fi with a shared key, but recently I reconfigured it to WPA Enterprise, where all users received their own credentials: a login/password pair. Authentication goes through a freeradius service running on an AWS EC2 box.
The RADIUS server is not configured to use any certificates; every user has an entry in the /etc/freeradius/users file that looks like this:
john.doe Cleartext-Password := "my_password"
The RADIUS client has been configured in a minimalistic way. Here is our /etc/freeradius/clients.conf:
client RADIUSClient {
    ipaddr = <our office external IP>
    secret = <secret key shared with the Access Point>
    require_message_authenticator = no
}
This setup seems to work fine with all mobile phones and most of the MacBooks. MacBooks first complain about an untrusted self-signed certificate (which is understandable), yet after setting this certificate as trusted, everything works smoothly.
Yet some MacBooks, after getting successfully connected, start displaying authentication errors at random intervals (1-30 minutes):
Authentication failed on network “Network SSID”.
The authentication server is unresponsive. Contact your network administrator to check the network infrastructure.
There is a single "Disconnect" button in this dialog. Yet until the user presses this button, the MacBook stays perfectly connected. The window can be moved away from the screen, but it springs up to the center again and again, irritating the users. Clicking "Disconnect" disconnects the laptop from Wi-Fi, and then in a couple of seconds the Mac reconnects to the same network, leaving a successful login record in RADIUS server logs.
While trying to investigate, I saw that when connected to a WPA Enterprise network, the MacBook displays an additional entry in the network settings named 802.1X. When normally connected, it says "Authenticated via EAP-PEAP (MSCHAPv2)" all the time since connected (see screenshot). Hitting the "Disconnect" button immediately disconnects the laptop from Wi-Fi.
On those laptops that have this problem with the authentication issue window popping up, after some random period the "Authenticated via..." message disappears, and a new authentication attempt starts (see screenshot). After a while the message changes to "Authentication server is not responding". I looked at the RADIUS server logs: every time a user connects to Wi-Fi, there is a successful authentication record, yet nothing gets logged during these authentication attempts displayed under the "802.1X" section.
After several cycles between the "Authenticating..." and "Authentication server is not responding" messages, the dialog pops up.
Since this only happens on a couple of laptops, I don't think this is a server issue, but I have no idea how to fix the problem for those who have it. I didn't have it initially, but when I started experimenting with switching networks, deleting and re-creating networks, I managed to reproduce the issue, and now can't get rid of it :)
Can anyone please suggest the right direction of investigation?
UPDATE (03.03.2017). It was eventually decided to switch to an enterprise-class access point. We bought and installed UniFi APAC PRO, and the issue was gone.
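The comparison described in the question (what the Mac shows under 802.1X against what the RADIUS server logged) can be scripted. This is an added example, not part of the original post: the log lines and client timestamps are constructed, the function names are hypothetical, and it assumes auth logging is enabled in FreeRADIUS and that the client and server clocks agree.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of FreeRADIUS radius.log auth lines (not from the post).
SERVER_LOG = """\
Fri Mar  3 09:00:05 2017 : Auth: Login OK: [john.doe] (from client RADIUSClient port 0 cli AA-BB-CC-00-00-01)
Fri Mar  3 09:02:11 2017 : Auth: Login OK: [jane.roe] (from client RADIUSClient port 0 cli AA-BB-CC-00-00-02)
Fri Mar  3 09:40:30 2017 : Auth: Login OK: [john.doe] (from client RADIUSClient port 0 cli AA-BB-CC-00-00-01)
"""

# Constructed times at which a Mac showed "Authenticating..." under 802.1X.
CLIENT_ATTEMPTS = [
    ("john.doe", "2017-03-03 09:00:03"),  # initial connect
    ("john.doe", "2017-03-03 09:21:47"),  # re-authentication, popup followed
    ("john.doe", "2017-03-03 09:40:28"),  # reconnect after pressing "Disconnect"
]

# Matches "Login OK" and "Login incorrect" lines, with or without a request
# number such as "(12)", and strips a "/<via Auth-Type = ...>" user suffix.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: (?:\(\d+\) +)?"
    r"(?P<result>Login OK|Login incorrect)[^\[]*\[(?P<user>[^\]/]+)")

def parse_server_log(text):
    """Return [(datetime, user, result)] for every Auth line in the log text."""
    records = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            records.append((ts, m["user"], m["result"]))
    return records

def unmatched_attempts(attempts, records, window=timedelta(seconds=30)):
    """Client attempts with no server Auth record for that user within window."""
    missing = []
    for user, when in attempts:
        t = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        if not any(u == user and abs(ts - t) <= window for ts, u, _ in records):
            missing.append((user, when))
    return missing

if __name__ == "__main__":
    records = parse_server_log(SERVER_LOG)
    for user, when in unmatched_attempts(CLIENT_ATTEMPTS, records):
        print(f"{when} {user}: no auth record on the RADIUS server")
```

An attempt with no matching record means the EAP exchange never completed on the server; whether the Access-Request arrived at all has to be confirmed separately, for example with a packet capture on the RADIUS host.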
This is a well-known bug on the Mac, but they fixed that a few months ago. If you have the latest update, check the router instead or buy a cheap router. Select extender mode when setting it up, then once set up, change the name of the extender so it's some sort of bridge to the current network. That way, when you connect to it, the router keeps redirecting your connection to the enterprise network.
Have you run through WiFi diagnostics on one of your affected Macs? It might reveal something outside your network, like a nearby access point that doesn't have its country code properly configured. This happened to us when FiveGuys moved in downstairs and set up an improperly configured hotspot. Your switch to a UniFi AP, while a good choice, could still be covering up the root cause.
Another option is that macOS likes to scan for available networks periodically. To do this, there is a brief disconnection from your WiFi. There is a setting on the Mac to connect automatically to nearby networks, and this can be turned off. There is also a WiFi configuration (I can't recall it) to keep it from trying to jump from AP to AP frequently. These jumps can interrupt the network.