How to Troubleshoot 802.1x Mac Authentication Issues

It is quite complex to troubleshoot 802.1x authentication issues for Mac. Here are a few sections you can look for errors:

1. RADIUS Server Log

This is the most convenient and efficient way to troubleshot 802.1x issues . Just send Mac address to your network engineer and ask for the authentication log 🙂

If you just use FQDN_computername, it will fail for sure

The correct name should be computername$

Or you can use host/FQDN_computername

 

2. EAPOLClient Log

If you cannot find your network engineer easily, here is the perfect log to troubleshoot for you. Just open terminal and use this command will show you the last 5minute mac authentication log:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int -1

log show –style syslog –predicate ‘processImagePath contains “eapolclient” and subsystem contains “com.apple.eapol”‘ –last 30m > ~/Desktop/eapolclient.log

You will get this if someone remove the network configuration profile:

You will get this if your network identity preference is not correctly linked to your mac client certificate:

Your EAP Response Identity should be computername$ or host/FQDN_computername

3. Keychains

 

You should have these items inside your Keychain:

  1. Identity Preference for Wifi under your “login” folder

2. Identity Preference for Ethernet under “System”

3.802.1x Password for WIFI under “System”

3. 802.1x Password for ethernet under “System”

4. Root CA certificate

 

 

 

4. Configuration Profile Installation Issues

If you see this message when trying to install the configuration profile:

The ‘Active Directory Certificate’ payload could not be installed. The certificate request failed.

Enable the log mode and then check from there:

sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2
sudo defaults write /Library/Preferences/com.apple.MCXDebug collateLogs 1

And then check log from /Library/Logs/ManagedClient/ManagedClient.log

 

If everything is fixed, you should able to see these from your network connection:

 

Leave a Reply