Cisco Support Community
Community Member

802.1X EAP-PEAP with Apple devices

We have deployed a variety of wireless networks using Cisco WLC (2504, 5508 and Virtual WLCs) with (1550e, 1260, 2602 access points) and we have been unable to get apple device to successfully authenticate to corporate SSID's that use 802.1X against a Microsoft IAS server. We have spent numerous hours building different profiles with OS-X Server and other profile configuration utilities with no luck.

Apple devices authenticate just fine to corporate SSIDs if we use autonomous access points using 802.1x against the same Microsoft Radius server but continue to fail when we attempt the same through any of the WLC options referenced above.

Can anyone shed some light into this issue? It seems that radius request only show up on the IAS logs when something is entered in the "outer identity field"

Thanks in advance.

Ivan Chacon

Everyone's tags (1)

802.1X EAP-PEAP with Apple devices

Complete these steps to troubleshoot the configurations:

1.    Use the debug lwapp events enable command in order to check if the AP registers with the WLC.

2.    Check if the RADIUS server receives and validates the authentication request from the wireless client. Check the NAS-IP- Address, date and time in order to verify if the WLC was able to reach the Radius server.

Check the Passed Authentications and Failed Attempts reports on the Radius server in order to accomplish this.

3.    You can also use these debug commands in order to troubleshoot AAA authentication:

•    debug aaa all enable—Configures the debug of all AAA messages.

•    debug dot1x packet enable—Enables the debug of all dot1x packets.

Here is a sample output from the debug 802.1x aaa enable command:

(Cisco Controller) >debug dot1x aaa enable

4.    Monitor the logs on the WLC in order to check if the RADIUS server receives the user credentials. Click Monitor in order to check the logs from the WLC GUI. From the left-hand side menu, click Statistics and click Radius server from the list of options.

This is very important because in some cases, the RADIUS server never receives the user credentials if the RADIUS server configuration on the WLC is incorrect.

This is how the logs appear on the WLC if the RADIUS parameters are configured incorrectly:

You can use a combination of the show wlan summary command in order to recognize which of your WLANs employ RADIUS server authentication. Then you can view the show client summary command in order to see which MAC addresses (clients) are successfully authenticated on RADIUS WLANs. You can also correlate this with your Raduis attempts or failed attempts logs.

•    Verify on the controller that RADIUS server is in active state, and not on standby or disabled.

•    Use the ping command in order to check if the Radius server is reachable from the WLC.

•    Check if the RADIUS server is selected from the drop down menu of the WLAN (SSID).

Community Member

802.1X EAP-PEAP with Apple devices

Hello Thanks for your response. I probably forgot to mention that this issue only applies to apple devices, all windows clients authenticate through the same SSID and Radius server without issues. So the Radius configuration on the controller is good. For some reason mac books, ipads or iphones never get prompt for the server certificate as other devices do.

As I mentioned on my post, the only time I see logs o the radius server is when something "other than the user ID" is entered on the outer identity field of the network configuration profile used on the MAC books.

Thanks again.

802.1X EAP-PEAP with Apple devices

what version of Mac OS X is being used?

From what I've seen mac tends to just work, and work well even with no profile created.  You just select the SSID and it prompts you for credentials, or if you need to accept a certificate.

What is the error you are seeing in your IAS server?


Please remember to rate useful posts, and mark questions as answered

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
Community Member

802.1X EAP-PEAP with Apple devices

This was resolved. It turns out that WLC Version 7.5 and above has a bug affecting how the controller sends out the Server certificate used during PEAP authentication, this only seems to affect some hardware (i.e. apple and andriod). I've worked with Cisco TAC, downgraded the controller to 7.4.110 and all worked without issues.

No profiles needed at all.

Thanks for those who replied to the post

CreatePlease to create content