
macOS EAP-TLS(SCEP) WiFi profile is causing a problem

Fahd Alawsi 20 Reputation points
2026-02-16T12:56:58.72+00:00
Hello,

I am trying to understand why macOS refuses to connect to the RADIUS Wi-Fi once I deploy the Wi-Fi profile (linked to SCEP and the Root cert). It asks me to select the SCEP certificate at first, and after doing so, it throws an error: "Contact your administrator".

Fun fact: the configuration is working on the Windows devices, and there are no issues so far on that side.

Also, once I remove the Wi-Fi profile from the macOS devices, they can connect manually by selecting the SCEP certificate and trusting the Root certificate (in case they authenticate for the first time).

SAN attributes:

  • Any Purpose 2.5.29.37.0
  • Client Authentication 1.3.6.1.5.5.7.3.2
Windows for business | Windows 365 Enterprise

Answer accepted by question author
Chen Tran 8,220 Reputation points Independent Advisor
2026-02-16T13:51:09.44+00:00

    Hello Alawsi,

    Thank you for posting your question on the Microsoft Windows Forum!

    Based on the issue description: since your manual connection works, the hardware and the RADIUS server are technically fine. The issue probably lies in the strict "Trust" requirements defined (or missing) within the mobileconfig profile itself.

    When you connect manually, macOS prompts you to "Trust" the certificate, and you click "Continue." However, when a profile is installed, macOS expects that trust to be predefined. It will not fail over to a manual prompt easily; it just kills the connection. The suggestion here is: inside your Wi-Fi payload in your MDM (or Apple Configurator), look for the Trust tab. You must explicitly check the boxes for your Root CA and any Intermediate CAs that signed the RADIUS server's certificate. Also, you must list the Common Name (CN) or Subject Alternative Name (SAN) of your RADIUS server's certificate (e.g., radius.yourdomain.com) in the Trusted Server Certificate Names field. If this field is empty, macOS might reject the server even if the Root CA is present.

    Another point worth mentioning here is that macOS is asking you to select the SCEP certificate. Actually, in a fully functional MDM deployment, the user should probably not be prompted to choose a certificate. Try to ensure the Wi-Fi payload is explicitly linked to the SCEP payload. In the "Identity Certificate" dropdown of the Wi-Fi configuration, you must select the certificate produced by the SCEP payload. If it is set to "None", the handshake will stall.

    Also, it is worth checking the potential TLS Version Mismatch. Windows 10/11 is happy to downgrade to TLS 1.1 or 1.2 if needed. Recent versions of macOS (especially on Sonoma or Sequoia) are increasingly aggressive about requiring TLS 1.2 or 1.3. If your RADIUS server (like an older version of FreeRADIUS or an unpatched NPS) is trying to use an older protocol, macOS will terminate the connection without a specific error message.

    Hope the above information is helpful! If it is, feel free to hit "Accepted" to benefit others in the community having the same issue too.

    1 person found this answer helpful.

1 additional answer

Q&A Assist
2026-02-16T12:57:14.7366667+00:00
AI generated content. This answer was created with AI from Q&A Assist.

    The issue you are experiencing with the macOS device refusing to connect to the Radius Wi-Fi after deploying the Wi-Fi profile linked to SCEP and the Root certificate could be related to several factors:

    1. SCEP Certificate Selection: Ensure that the SCEP certificate is correctly issued and available on the macOS device. The prompt for selecting the SCEP certificate indicates that the system is not able to automatically use the certificate, which may suggest a misconfiguration in the certificate profile or deployment channel.
    2. Root Certificate Trust: The macOS device must trust the Root certificate that is being used for the Radius server. If the Root certificate is not properly installed or trusted on the macOS device, it could lead to connection failures. Ensure that the Root certificate is deployed correctly and is present in the system keychain.
    3. Profile Configuration: Review the configuration of the Wi-Fi profile in Intune, specifically the settings related to EAP-TLS. Ensure that the certificate server names are correctly specified and that the root certificate for server validation is selected appropriately. This can help avoid the dynamic trust window issue that may arise during connection attempts.
    4. Deployment Channel: Check the deployment channel selected for the certificate profiles. If the user channel is selected, ensure that the user certificate profiles are being used correctly. If the device channel is selected, ensure that device certificate profiles are being utilized. Mismatched channels can lead to authentication issues.
    5. Logs and Troubleshooting: Utilize the logs available on the macOS device to identify any specific error messages or issues during the connection process. This can provide more insight into what might be going wrong during the authentication phase.

    Since the configuration works on Windows devices, it suggests that the issue may be specific to how the macOS handles the certificates or the Wi-Fi profile settings.


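Both answers above come down to three links inside the profile that a managed EAP-TLS connection needs and a manual connection does not: the Wi-Fi payload must name the Root CA payload as a trust anchor, must carry at least one trusted server certificate name, and must reference the SCEP payload as its identity certificate. The following script, added here as an example and not code from the original thread or from Apple or Microsoft, parses a .mobileconfig plist with the standard library and reports a finding for each missing link. It builds two constructed sample profiles for illustration (the SSID `CorpWiFi`, the server name `radius.example.com`, the SCEP URL and all UUIDs are placeholders, not values from the question), one wired the way the accepted answer recommends and one with the links left empty, so the failing case can be compared with the working one.

```python
"""Lint a .mobileconfig Wi-Fi (EAP-TLS) profile for the trust and identity
links described in the answers above.  Added example, not code from the
original post.  The profile keys used (EAPClientConfiguration,
PayloadCertificateAnchorUUID, TLSTrustedServerNames, PayloadCertificateUUID)
are the standard Apple configuration-profile keys; the sample profiles,
SSID, server name, SCEP URL and UUIDs are constructed placeholders."""
import plistlib
import uuid

WIFI = "com.apple.wifi.managed"
SCEP = "com.apple.security.scep"
ROOT = "com.apple.security.root"
PKCS12 = "com.apple.security.pkcs12"
EAP_TLS = 13  # EAP method type 13 is EAP-TLS (RFC 5216)


def lint_profile(profile_bytes: bytes) -> list:
    """Return human-readable findings for every Wi-Fi payload in the profile.
    An empty list means each Wi-Fi payload is linked the way the accepted
    answer recommends (anchor, server name, identity certificate)."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    findings = []
    for wifi in (p for p in payloads if p.get("PayloadType") == WIFI):
        ssid = wifi.get("SSID_STR", "<no SSID>")
        eap = wifi.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            findings.append(f"{ssid}: AcceptEAPTypes does not include EAP-TLS (13)")
        # 1. Trust tab: anchors must point at root certificate payloads that
        #    are actually shipped in this same profile.
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(f"{ssid}: no PayloadCertificateAnchorUUID, so the "
                            "RADIUS server certificate cannot be validated")
        for anchor in anchors:
            if by_uuid.get(anchor, {}).get("PayloadType") != ROOT:
                findings.append(f"{ssid}: anchor {anchor} is not a root "
                                "certificate payload in this profile")
        # 2. Trusted Server Certificate Names must not be empty.
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: TLSTrustedServerNames is empty, so the "
                            "server name is never matched")
        # 3. Identity certificate must reference the SCEP (or PKCS#12) payload;
        #    otherwise macOS has no client certificate to present.
        ident = wifi.get("PayloadCertificateUUID")
        if not ident:
            findings.append(f"{ssid}: no identity certificate (PayloadCertificateUUID "
                            "missing), client has nothing to present for EAP-TLS")
        elif by_uuid.get(ident, {}).get("PayloadType") not in (SCEP, PKCS12):
            findings.append(f"{ssid}: identity {ident} is not a SCEP or PKCS#12 payload")
    return findings


def build_profile(linked: bool) -> bytes:
    """Construct a sample profile with placeholder values (not a real deployment).
    linked=True wires the Wi-Fi payload to the root and SCEP payloads;
    linked=False leaves those links empty, as in the failing case."""
    root_uuid, scep_uuid, wifi_uuid = (str(uuid.uuid4()) for _ in range(3))
    root_payload = {
        "PayloadType": ROOT, "PayloadVersion": 1, "PayloadIdentifier": "example.root",
        "PayloadUUID": root_uuid, "PayloadDisplayName": "Example Root CA",
        "PayloadContent": b"-- DER bytes of the root CA would go here --",  # placeholder
    }
    scep_payload = {
        "PayloadType": SCEP, "PayloadVersion": 1, "PayloadIdentifier": "example.scep",
        "PayloadUUID": scep_uuid, "PayloadDisplayName": "Example SCEP",
        "PayloadContent": {
            "URL": "https://scep.example.com/certsrv/mscep/mscep.dll",  # placeholder
            "Name": "ExampleCA", "Key Type": "RSA", "Keysize": 2048,
            "Subject": [[["CN", "%ComputerName%"]]],
        },
    }
    eap = {
        "AcceptEAPTypes": [EAP_TLS],
        "PayloadCertificateAnchorUUID": [root_uuid] if linked else [],
        "TLSTrustedServerNames": ["radius.example.com"] if linked else [],
    }
    wifi_payload = {
        "PayloadType": WIFI, "PayloadVersion": 1, "PayloadIdentifier": "example.wifi",
        "PayloadUUID": wifi_uuid, "PayloadDisplayName": "Example Wi-Fi",
        "SSID_STR": "CorpWiFi", "EncryptionType": "WPA2", "AutoJoin": True,
        "EAPClientConfiguration": eap,
    }
    if linked:
        wifi_payload["PayloadCertificateUUID"] = scep_uuid
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile", "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Example EAP-TLS Wi-Fi",
        "PayloadContent": [root_payload, scep_payload, wifi_payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for linked in (False, True):
        print(f"linked={linked}:", lint_profile(build_profile(linked)) or "OK")
```

To run it against a profile exported from your MDM, call `lint_profile(open("wifi.mobileconfig", "rb").read())`; a signed profile must be unwrapped first (for example with `security cms -D -i wifi.mobileconfig`) because plistlib only reads the plain XML or binary plist. The lint cannot tell you whether the name you listed actually matches the RADIUS server's certificate; compare it against the CN or SAN of that certificate separately.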
