Secure Connect: Mac - Wifi drops or certificate conflicts when using Intune


Problem

You receive a pop-up asking for a certificate when connecting to the UCSD Protected network or you frequently drop connection from the UCSD Protected network while using a MacOS endpoint. 

Cause

This issue occurs when the system used to authenticate your endpoint for connection to the UCSD Protected network chooses the wrong certificate. Before the implementation of Secure Connect, a username and password certificate was used by the system to perform authentication. This certificate is still stored on many devices that were connected to the UCSD Protected network at any point before the Secure Connect rollout, which can cause the system to choose the wrong certificate for authentication. 

Solution

  1. Verify the endpoint has the new Secure Connect certificates in the keychain.
    1. Navigate to Applications > Utilities > Keychain Access or search for Keychain Access in Spotlight. 
    2. There should be a certificate ending in @ucsd.edu that is preceded with a long string. E.g. 9573184a-725e-498a-9317-798a7de91fed@ucsd.edu. Depending on the Mobile Device Manager (MDM) used for enrollment, Keychain Access should look something like the following: 
    3. Screenshot of MAC Keychain Access with a UCSD-issued device certificate highlighted
  2. Choosing the correct certificate when connecting to UCSD Protected.
    1. When prompted for certificate selection, choose the certificate that matches the certificate verified earlier (the long string that ends in @ucsd.edu).
    2. Sometimes, there may be duplicate certificates shown in the drop down menu. Therefore, when choosing the certificate, please select the original certificate (duplicates will have (2), (3), etc. appended to the end of the certificate).
  3. Deleting old User/Pass certificate.
    1. Sometimes the old user/pass credentials will try to override the new endpoint certificate used to authenticate on Cisco ISE. These old cached credentials can be deleted so it is no longer used for authentication when connecting on UCSD Protected.
    2. Press the COMMAND key + SPACE BAR at the same time to open the spotlight search.
    3. Type in “Keychain Access”.
    4. In the window that opens click on “login” on the left sidebar and “Passwords” along the top bar. It may take a few minutes for the data to populate.
    5. Once the data populates, look for the entry name “UCSD-PROTECTED”. The “Kind” should be “802.1X Password”.
    6. Right-click the entry and click “Delete “UCSD-PROTECTED””.
    7. Screenshot of a Macbook Keychain Access with "login" and "Passwords" selected and the "UCSD-PROTECTED" login selected
  1. Boot into safe mode to clear the endpoint’s cache. 
    1. How To Boot Into Safe Mode

If you still have questions or need additional assistance, please contact the ITS Service Desk. You can call us at (858) 246-4357, email us at support@ucsd.edu, or submit a ticket at support.ucsd.edu.