Wi-Fi WPA2 EAP failure on macOS Sequoia 15.3.1

After updating, we have had problems connecting to Wi-Fi. Clients updated to 15.3.1 can't connect; clients running older macOS versions connect without any problem.


We are using WPA2 Enterprise/RADIUS authentication (Network Policy Server running on Windows Server).


While narrowing down the issue, I found in the NPS server logs that when a client running macOS 15.3.1 connects, there is an audit failure related to EAP. The authentication type is empty:


Authentication Type: EAP

EAP Type: -


Reason Code: 22

Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.


For clients connecting successfully, there's an EAP Type specified:


Authentication Type: EAP

EAP Type: Microsoft: Smart Card or other certificate


I have also checked the certificates, starting from the root CA down to the user certificate. The certificates are valid and installed on each Mac. There's also no problem between the wireless access points or the WLAN policy/configuration server communicating with NPS or the CA.


I've tried connecting from Network preferences and from the menu bar. In the end, the result is "The Wi-Fi network "xxxxxx" could not be joined" and a suggestion to run network diagnostics. Network diagnostics don't give any useful information.


[Re-Titled By Moderator]

Posted on Feb 21, 2025 8:40 AM

Mar 19, 2025 1:20 AM in response to Juha Otava2

Finally figured this one out, I believe.


Microsoft now requires strong certificate mapping for PKCS and SCEP certificates. If you deliver certificates with Intune like we do and use your local DC as the RADIUS server, this requires some changes:


Intune certificate connector must be updated to at least version 6.2406.0.1001


In addition, the following registry key must be configured on the connector server:


Key: HKLM\Software\Microsoft\MicrosoftIntune\PFXCertificateConnector

Name: EnableSidSecurityExtension

Type: DWORD

Value: 1


If your certificates are SCEP certificates, you must also add the following to the Subject Alternative Name part of the certificate configuration:


Attribute: URI

Value: {{OnPremisesSecurityIdentifier}}


With these changes, all our iOS and macOS devices once again connect to our WPA2 Enterprise network.
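
As an added example (not part of the thread and not Microsoft's own tooling), this PowerShell check verifies the two things the reply above changes: the connector registry value, and whether an issued client certificate actually carries the user's SID. It assumes the SID extension OID 1.3.6.1.4.1.311.25.2 and the `tag:microsoft.com,2022-09-14:sid:` URI form from Microsoft's strong certificate mapping guidance (KB5014754), neither of which appears in the thread; the function names are hypothetical.

```powershell
# Added example; function names are hypothetical. The OID and URI tag are assumptions
# taken from Microsoft's strong certificate mapping guidance (KB5014754), not from the thread.
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'                              # SID security extension (PKCS)
$SidUriPattern   = 'tag:microsoft\.com,2022-09-14:sid:(S-1-[0-9-]+)'   # SAN URI entry (SCEP)
$ConnectorKey    = 'HKLM:\Software\Microsoft\MicrosoftIntune\PFXCertificateConnector'

function Test-ConnectorSidSetting {
    # Run on the Intune certificate connector server: true only if the value exists and is 1.
    $p = Get-ItemProperty -Path $ConnectorKey -Name EnableSidSecurityExtension -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.EnableSidSecurityExtension -eq 1)
}

function Get-CertSidMapping {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $sidExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid }
        $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $extSid = $null
        $uriSid = $null
        if ($sidExt) {
            # The SID is stored as ASCII text inside the DER-encoded extension value.
            $ascii = [Text.Encoding]::ASCII.GetString($sidExt.RawData)
            if ($ascii -match 'S-1-[0-9-]+') { $extSid = $Matches[0] }
        }
        if ($sanExt -and ($sanExt.Format($false) -match $SidUriPattern)) { $uriSid = $Matches[1] }
        [pscustomobject]@{
            Subject      = $Certificate.Subject
            NotAfter     = $Certificate.NotAfter
            ExtensionSid = $extSid      # set when the PKCS SID extension is present
            SanUriSid    = $uriSid      # set when the SCEP SAN URI is present
            StrongMapped = [bool]($extSid -or $uriSid)
        }
    }
}

# On the connector server:
"EnableSidSecurityExtension set to 1: $(Test-ConnectorSidSetting)"

# On a Windows machine holding issued certificates (an empty store yields no rows):
Get-ChildItem Cert:\CurrentUser\My | Get-CertSidMapping | Format-Table -AutoSize
```

To check a certificate issued to a Mac, export it without the private key and load the file into an `X509Certificate2` object before piping it to `Get-CertSidMapping`. Certificates issued before the connector or SAN change will show `StrongMapped` as false until they are reissued.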
