macOS attempts to connect to EAP-TTLS Wi-Fi after profile deployment when password is not known and does not prompt

Originator: michalm.mac
Number: rdar://FB9947906
Date Originated: 2022-03-07
Status: Open
Resolved:
Product: macOS
Product Version: 12.3
Classification: Incorrect/Unexpected Behavior
Reproducible: Always

# Intro

We are currently working on a Wi-Fi transition from SSID: OLDWIFI (WPA2 Personal) to SSID: NEWWIFI (WPA2 Enterprise EAP-TTLS with PAP).
We want to use EAP-TTLS with the PAP inner authentication method so our users can use Okta credentials to authenticate when connecting to Wi-Fi.
macOS won't connect to EAP-TTLS with PAP by default unless it is explicitly configured in a configuration profile. We provide the configuration profile via MDM (VMware Workspace ONE UEM).

# Problem

When we push a SYSTEM scope configuration profile (wifi_system_scope.mobileconfig) with a Wi-Fi payload (EAP-TTLS + PAP configuration) to our devices, they immediately try to connect to the new SSID. However, the password is not known at this time, so this attempt fails. In this situation we would expect macOS to prompt for credentials, but that is not the case. Instead, macOS reconnects to the previously used SSID after this failed attempt.

Imagine you deploy the configuration profile and kick everyone out of the Wi-Fi for about 20-30 seconds. They might be in a very important meeting.

# Steps to reproduce

1. Send the SYSTEM scope configuration profile wifi_system_scope.mobileconfig to managed Macs via MDM
2. The profile is delivered and the configuration is applied

# Expected result

One of:
A. macOS prompts for credentials when it tries to connect to the newly configured network
B. macOS won't try to connect automatically

# Actual result

macOS tries to connect to the SSID but fails and does not prompt for password.

From m1_eapol.log (see attachment):

```text
2022-03-04 13:53:01.741576+0100 0x6d7d     Default     0x0                  2773   0    eapolclient: [com.apple.eapol:Client] Authenticating: can't prompt for missing properties (
    UserPassword
)
2022-03-04 13:53:01.742627+0100 0x6d7d     Info        0x0                  2773   0    eapolclient: [com.apple.eapol:Client] State=Held Status=UserInputNotPossible (15):
```

# Workaround

When we deploy the configuration profile within USER scope instead (wifi_user_scope.mobileconfig), macOS won't try to automatically connect to the newly configured network.
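As an added illustration (not part of this report or its attachments), a small Python check using the standard-library plistlib that flags a Wi-Fi payload matching the condition above: System scope, AutoJoin, EAP-TTLS and no UserPassword in the payload. The sample profile is constructed; the key names follow Apple's Configuration Profile Reference, and `as_user_scope` applies the workaround by switching PayloadScope to User.

```python
import plistlib

# Constructed sample shaped like the report's wifi_system_scope.mobileconfig
# (not the attachment itself). Key names follow Apple's Configuration Profile
# Reference; EAP type 21 is TTLS, and AutoJoin defaults to true when absent.
SYSTEM_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadIdentifier</key><string>example.wifi.system</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>PayloadIdentifier</key><string>example.wifi.system.wifi</string>
    <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
    <key>SSID_STR</key><string>NEWWIFI</string>
    <key>EncryptionType</key><string>WPA2</string>
    <key>AutoJoin</key><true/>
    <key>EAPClientConfiguration</key><dict>
      <key>AcceptEAPTypes</key><array><integer>21</integer></array>
      <key>TTLSInnerAuthentication</key><string>PAP</string>
    </dict>
  </dict></array>
</dict></plist>"""

def wifi_findings(profile_bytes: bytes) -> list:
    """Flag each Wi-Fi payload that matches the condition in the report:
    System scope + AutoJoin + EAP-TTLS with no UserPassword supplied."""
    profile = plistlib.loads(profile_bytes)
    scope = profile.get("PayloadScope", "User")  # User is the default scope
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration", {})
        uses_ttls = 21 in eap.get("AcceptEAPTypes", [])
        if (scope == "System" and payload.get("AutoJoin", True)
                and uses_ttls and "UserPassword" not in eap):
            findings.append(
                f"{payload.get('SSID_STR')}: System scope, AutoJoin, EAP-TTLS "
                "without UserPassword; eapolclient will try to join and hold "
                "(Status=UserInputNotPossible) instead of prompting")
    return findings

def as_user_scope(profile_bytes: bytes) -> bytes:
    """Apply the report's workaround: deliver the same payload in User scope."""
    profile = plistlib.loads(profile_bytes)
    profile["PayloadScope"] = "User"
    return plistlib.dumps(profile)
```

Running `wifi_findings` over a profile before pushing it through the MDM shows whether the device will attempt an unprompted join; the same payload rewritten by `as_user_scope` produces no finding.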

# Affected systems

Both M1 and Intel MacBook Pro running macOS 12 Monterey. Tested with:
- MacBookPro14,1 running 12.2.1 (21D62)
  Test occurred at 2022-03-04 15:36:12 CET
- MacBookPro17,1 running 12.3 Beta 5 (21E5227a)
  Test occurred at 2022-03-04 13:53:00 CET

To provide more detailed logs we turned on extended logging via `sudo wdutil log +wifi +eapol`.
