Apple MacBook Pro dropping wireless connection

Answered Question
Nov 7th, 2011


We have many MacBook pros that are having a hard time staying connected on wireless.  Often times a user can be connected for only minutes at a time.  Our wireless environment consists of 1142s and 3502 series access points.  We use WPA2 Enterprise for authentication via ACS server 5.x.

The Windows 7 machines usually never have an issue.  Can someone please provide some insight.?

*we use Lion OSX on our Macs.

This Discussion has been converted into a Document:-    

Correct Answer by Scott Fella about 5 years 3 months ago

Disable client load balancing and I bet your problems goes away... I'm 99% sure:). Always got to leave that 1%!

Sent from Cisco Technical Support iPhone App

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Scott Fella Mon, 11/07/2011 - 20:02

What WLC version are you on and can you attach a screen shot of your WLAN advanced tab on your SSID?

Sent from my iPhone

s-pirrello Mon, 11/07/2011 - 21:00

Thanks for the quick response Scott.  We're using  I've attached a screenshot of the Advanced tab as well.

Scott Fella Mon, 11/07/2011 - 21:07

By the way... I never use that feature anymore. It's not just Mac Books, but some HP and Dell laptops have had issues also.

Sent from my iPhone

Correct Answer
Scott Fella Mon, 11/07/2011 - 21:03

Disable client load balancing and I bet your problems goes away... I'm 99% sure:). Always got to leave that 1%!

Sent from Cisco Technical Support iPhone App

s-pirrello Mon, 11/07/2011 - 21:05

Can you provide some detail behind this suggestion?  Also, don't we need this option enabled if we wish to leverage the full throughput of 802.11n?

Scott Fella Mon, 11/07/2011 - 21:10

You don't need this for 802.11N. It's a feature that tries to reject the client and have the client try to associate to another AP. Well in high density environments with it seems 10+ clients, this feature causes issues with various devices. Again, I don't ever deploy this in any of my installs anymore.

Sent from my iPhone

Scott Fella Wed, 11/09/2011 - 02:06

Were you able to verify if disabling that feature worked?

Sent from Cisco Technical Support iPhone App

s-pirrello Wed, 11/09/2011 - 05:07

I think it's very early to assess the impact.  My wireless is 100% better but I'm seeing an oddity where getting my 1st wireless connection for the day takes several minutes.  Once it's established it works great, but when I arrive to the office and open the lid it takes roughly 5 minutes to get a wireless connection.  I grabbed a packet capture and exported the logs from the WCS via the troubleshooting tool.  Are you interested in looking at this?

Scott Fella Wed, 11/09/2011 - 05:11

Sure... Disabling that feature will not have any impact on what you are experiencing and must be something else. You might try to disable client band select to see if that helps your clients associate better.

Is your environment high user count. I see this type of behavior in education where many users try to login to the network first thing in the day.

Sent from my iPhone

s-pirrello Wed, 11/09/2011 - 05:29

Funny you mention the "Client Band Select", it was recommended to me to enable it when I attended training.  As far as high user count, I will say we have don't have too many users associated early in the morning.  Overall, we have about 900 WIFI clients but only about ~50% is associated form.

Attached are the logs and packet capture.

Scott Fella Wed, 11/09/2011 - 05:41

It's varies... Depending on the client device, the client still decides what band it wants to use. This feature also tries to 'force' devices to associate on the 5ghz, but I have also seen many devices that don't connect on the 5ghz and prefers the 2.4ghz and at times we also see client devices not associating well because of this feature.

Testing helps, but doesn't cover everything in a production environment.

Sent from my iPhone

Scott Fella Wed, 11/09/2011 - 05:47

By any chance do you have both wpa/tkip and wpa2/aes enabled on the SSID?

Scott Fella Wed, 11/09/2011 - 06:15

Do you see this issue with certain clients or certain clients with the same driver version? The AP's and WLC are locate in the same location?

Sent from my iPhone

s-pirrello Sat, 11/12/2011 - 21:28

Only with MacBook pros and MacBook airs.  The aps and wlc are not in the same location.  The wlc is in our data center and the aps are in an office.

Scott Fella Sun, 11/13/2011 - 06:55

Okay so disabling client load balancing fixed the issue with the MacBook and MacBook Air when joining. Now you have another issue of taking a long time for these devices to obtain an ip when they first connect in the day?

Sent from Cisco Technical Support iPhone App

s-pirrello Mon, 11/14/2011 - 05:09

Exactly.  The oddity is that this happens even early in the morning when we barely have anyone in the office.

s-pirrello Mon, 11/14/2011 - 11:24

Scott, I checked the link you sent but I didn't see anything regarding authentication or timers.

Scott Fella Mon, 11/14/2011 - 11:30

Consol, telnet or ssh to the WLC and enter this command:

config advanced eap ?

bcast-key-interval Configures EAP-broadcast key renew interval time in seconds.
eapol-key-retries Configures EAPOL-Key Max Retries.
eapol-key-timeout Configures EAPOL-Key Timeout in milliseconds.
identity-request-retries Configures EAP-Identity-Request Max Retries.
identity-request-timeout Configures EAP-Identity-Request Timeout in seconds.
key-index      Configure the key index used for dynamic WEP (802.1x) unicast key (PTK).
max-login-ignore-identity-response Configure to ignore the same username count reaching max in the EAP identity response
request-retries Configures EAP-Request Max Retries.
request-timeout Configures EAP-Request Timeout in seconds.

Might of sent the wrong link:

Scott Fella Mon, 11/14/2011 - 11:33

Or you can change the 802.11 Authentication Response Timeout in the GUI:

Under Wireless | Timers|

George Stefanick Mon, 11/14/2011 - 11:36

+5 Scott...

I always enjoy following your post as you bring things to my attention I didnt know ...

Scott Fella Mon, 11/14/2011 - 11:44

Haha... I learn the hard way:) that is what I like about this forum too... I learn things that you guys post also.

Sent from my iPhone

jonmo2578 Tue, 12/06/2011 - 04:36

Hi guys,

I am interested to know the outcome of this Macbook, Lion and wifi problem as we are experiencing a similar issue with our Macs..

We have a mixture of 1131 and 1142 APs around the building and have a similar problem with Macs failing to authenciate on 802.1x during roaming or Macs coming out of standby mode.

I have tried the above suggestions with the disabling Clients Loads balancing and it does not appear to have made any difference ( although I do seem to see more notifcations about Loads Profile failures now ).

We are currently experimenting with putting some APs into H-Reap mode ( instead of Local ) and on static ips to see if that makes any difference..

Did the above suggestions make any difference to your Macbook or have you tried anything futher ?..



s-pirrello Tue, 12/06/2011 - 06:42

Jon, disabling "client load balancing" did the trick.  I suggest you try and please update us all on your progress.

jonmo2578 Tue, 12/06/2011 - 07:00

Cool.. thanks for the reply Scott..

yes, we disabled "Client Load balacing " last week but we are still experiencing issues with Macbooks reauthenticating after coming out of standby mode..

Are you still having problems with delay on the 802.1x authentication or has that now good too ?..

Did you change the timeout timer or disable the Client Band selector option too ?

Ive actually opened up my own discussion on this I didnt want to barge my problems onto yours !..

Any opinions welcome..



George Stefanick Tue, 12/06/2011 - 07:18

If your client is in standby mode it is safe to say its not passing traffic. If its not passing traffic then by default the WLC should delete your client record in 300 seconds (5 minutes). This can be changed of course. Look under the controller TAB. Idle session timeout.

Just my 2 cents.. something worth testing

sxepjensen Fri, 05/18/2012 - 09:52

Hi Scott,

We have been experiencing similar issues, but also including Apple IOS devices and occasionally Windows systems...   however, we have two SSIDs with both client load balancing and client band select enabled, and we have only been experiencing the issues on one of the two SSIDs.  I will most likely try disabling the client load balancing, but in reading through this discussion, this comment caught my eye since we do have both WPA/TKIP and WPA2/AES enabled on the SSID which has been experiencing the issue.  I was hoping you could expound upon what sort of issues this might be causing?

Thanks a bunch!

s-pirrello Fri, 05/18/2012 - 10:02

I would try disabling Client Load Balancing and Band Select.  Once we did this it cleared up much of our troubles.  Also, there is a bug with Intel driver 14.x that is resolved in 15.x so you may want to research this too.  We had to upgrade several of our client machines with 15.x and since then that helped tremendously.

Another issue we had on our end was that our APs were not setup in HReap groups.  We enabled this feature as a best practice and haven't looked back since.

Scott Fella Fri, 05/18/2012 - 10:40

It's really the client that has issues with both encryptions in the beacons being sent. I have seen many iOS devices freak out when I have had both configured. One other thing is that 802.11n requires wpa2/aes or open. WPA/TKIP is not supported in 802.11n. Most devices do support wpa2/aes and removing wpa/tkip shoul not be a problem. If you do require both, then create another WLAN with a different profile name but same SSID. One WLAN will be for wpa2/aes and the other WLAN will be for wpa/tkip.


Scott Fella

Sent from my iPhone

sxepjensen Fri, 05/18/2012 - 10:53

Thanks Scott and s-pirrello,

I'll be discussing these issues with some of my coworkers and probably scheduling up some changes.  I'm hopeful about this resolving the rather befuddling issues we've been seeing for quite some time!  Thanks for your time and input,


s-pirrello Tue, 12/06/2011 - 06:40

Scott, you are a champion!  Disabling "client load balancing" has resolved the issue.

Scott Fella Tue, 12/06/2011 - 06:54

Glad you have it working. Since I have a Mac, I find out the hard way:)

Sent from Cisco Technical Support iPhone App

GNOC-Caraustar Sun, 02/03/2013 - 19:10

Hi All,

We are facing same issue with Apple users. Suddenly  users drop from the network and only way to reconnect back is to restart  the user machine. When user drops the SSID singal strength is full.

The option "Client Load Balancing" is already unchecked.

Could you please help/suggest with some solution.

Our product detail:


S/W Code :

Scott Fella Sun, 02/03/2013 - 19:13

Well that code has been deferred so you might want to upgrade to the latest 7.0.x.

Sent from Cisco Technical Support iPhone App

GNOC-Caraustar Sun, 02/03/2013 - 21:05

Hi Scott,

Thanks for the information but could you please let us know if there is any known buy in this version that is leading to the issue.

jonabaker Mon, 05/06/2013 - 11:53

I am also seeing this problem and running

AIR-CT5500-K9-7-2-103-0.aes code on my controller and the latest version of OS on my mac.  I have disabled client load balacing and client band select on the SSID in question.  It's  a WPA2 8021x active directory authenticated WLAN. Does anyone have any ideas for me.?  I see the issue on certain MacBookPro's and certain MacBookAir devices but not all.  There is not an issue with signal strength as the AP is near enough.  The AP's are  AIR-CAP3502I-A-K9 models.  Thanks for any hekp you can give!

Scott Fella Mon, 05/06/2013 - 12:00

First off can you verify that you are only using WPA2/AES not TKIP also. Also disable session timeout on the WLAN advanced tab and see if the problem goes away.

Sent from Cisco Technical Support iPhone App

jonabaker Tue, 05/07/2013 - 09:34

Thanks Scott.  I can verify that I am using WPA/WPA2 with AES.  After I saw your post I disabled session timeout and unfortunately am seeing the same issue today after that change.  To be specific, I can be connected for an entire day on other wireless networks without dicsonnect but on this one, best case scenario I can be connected for a few hours and often far less before I get diconnected and then sometimes auto-reconnected and other times seems I need to shut down my wireless and turn it back on to get reconnected. 

jonabaker Thu, 05/16/2013 - 06:04

So does anyone have any further input for me on this issue with dropping connections?

Scott Fella Thu, 05/16/2013 - 08:38

I have a macbook pro and a macair along with an iPad and iPhone and what I have to do is make sure session timeout is disabled, load balancing is disabled, I only use WPA2/AES and I also have only use All Radios Policies, which shouldn't make a difference.  This is what I setup in my home lab and at my customers with Apple devices.



Help out other by using the rating system and marking answered questions as "Answered"

Saravanan Lakshmanan Wed, 05/15/2013 - 17:55

#Load balacing feature is generally trouble in high density environment.

#Also not useful when client supports 2.4ghz only.

#This is a native cisco feature that require ccx certified client, since apple is not part of ccx this will not work as expected.


I am having the same problem with two iPhone 4s's dropping out but not my ipad which is on the 5gig the iPhones are only on the 2.4gig.

I have looked to try and disable the client load balancing but cant seem to find it in the web interface at all i have software version 15.2(2)JB, the client band selection is disabled.

I am using an 1142n AP

Anyone got any ideas please?


This Discussion



Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode