Confusing system message when user enters bad password for EAP TTLS + PAP authentication

Originator: michalm.mac
Number: rdar://FB9948414
Date Originated: 2022-03-07
Status: Open
Resolved:
Product: macOS
Product Version: 12.3
Classification: Incorrect/Unexpected Behavior
Reproducible: Always
 
# Intro

We are currently working on a Wi-Fi transition from SSID: OLDWIFI (WPA2 Personal) to SSID: NEWWIFI (WPA2 Enterprise EAP-TTLS with PAP).
We want to use EAP-TTLS with the PAP inner authentication method so our users can use Okta credentials to authenticate when connecting to Wi-Fi.
macOS won't connect to EAP-TTLS with PAP by default unless explicitly configured in a configuration profile. We provide the configuration profile via MDM (VMware Workspace ONE UEM).

# Problem

When the user provides a bad password during a connection attempt for EAP-TTLS + PAP, a very confusing system message appears: "The Wi-Fi network NEWWIFI could not be joined. Try moving closer to the wireless router. Alternatively run Wireless Diagnostics to troubleshoot." (See bad_password_message.png)

# Steps to reproduce

1. Send the SYSTEM scope configuration profile wifi_system_scope.mobileconfig or the USER scope profile wifi_user_scope.mobileconfig (profiles can be installed manually for the purpose of this bug report).
2. The profile is delivered and the configuration applied.
3. If the profile is SYSTEM scope, macOS will automatically try to connect to NEWWIFI, fail and reconnect back to OLDWIFI. FB9947906
4. The user opens the Wi-Fi menu and clicks on the NEWWIFI SSID.
5. The Mac prompts for credentials on the third connection attempt. FB9948356
6. The user enters authentication credentials BUT provides the wrong password.

# Expected result

macOS informs the user that the provided password was wrong and reprompts so the user can enter it again.

If macOS does not know the reason behind the unsuccessful authentication, we would at least expect a better worded message informing the user about the possibility that the password was wrong.

# Actual result

The following message is displayed: "The Wi-Fi network NEWWIFI could not be joined. Try moving closer to the wireless router. Alternatively run Wireless Diagnostics to troubleshoot." (See bad_password_message.png)

# Affected systems
Both M1 and Intel MacBook Pro running macOS 12 Monterey. Tested with:
- MacBookPro14,1 running 12.2.1 (21D62)
- MacBookPro17,1 running 12.3 Beta 5 (21E5227a)

To provide more detailed logs we turned on extended logging via sudo wdutil log +wifi +eapol.
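
For reference, the kind of explicit EAP-TTLS + PAP configuration the Intro describes can be checked before a profile is pushed. The following is an added example, not part of the original report and not the attached wifi_system_scope.mobileconfig or wifi_user_scope.mobileconfig: it parses a constructed, unsigned profile and reports whether each Wi-Fi payload selects TTLS with PAP and whether the RADIUS server identity is pinned. The server name `radius.example.com` and the function name `audit_wifi_payloads` are assumptions.

```python
import plistlib

EAP_TTLS = 21  # EAP type number for EAP-TTLS in AcceptEAPTypes

# Constructed sample profile (not the report's wifi_*_scope.mobileconfig attachments).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>NEWWIFI</string>
    <key>EncryptionType</key><string>WPA2</string>
    <key>EAPClientConfiguration</key><dict>
      <key>AcceptEAPTypes</key><array><integer>21</integer></array>
      <key>TTLSInnerAuthentication</key><string>PAP</string>
      <key>TLSTrustedServerNames</key><array><string>radius.example.com</string></array>
    </dict>
  </dict></array>
</dict></plist>"""


def audit_wifi_payloads(profile_bytes):
    """Return one summary dict per Wi-Fi payload in an unsigned .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    results = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration", {})
        ttls = EAP_TTLS in eap.get("AcceptEAPTypes", [])
        # Profile default inner method is MSCHAPv2, so PAP must be stated explicitly.
        inner = eap.get("TTLSInnerAuthentication", "MSCHAPv2")
        pinned = bool(eap.get("TLSTrustedServerNames")
                      or eap.get("PayloadCertificateAnchorUUID"))
        results.append({
            "ssid": payload.get("SSID_STR"),
            "ttls_pap": ttls and inner == "PAP",
            # PAP carries the password in clear inside the tunnel, so the
            # RADIUS server identity should be pinned in the profile.
            "server_trust_pinned": pinned,
        })
    return results


if __name__ == "__main__":
    for row in audit_wifi_payloads(SAMPLE_PROFILE):
        print(row)
```

Profiles signed by an MDM are CMS-wrapped and must be unwrapped before `plistlib` can read them.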
