Secure Connect: Mac - Wifi drops or certificate conflicts when using Intune


Problem


You receive a pop-up asking for a certificate when connecting to the UCSD Protected network, or you frequently drop your connection to the UCSD Protected network while using a macOS endpoint.

Cause

This issue occurs when the system used to authenticate your endpoint for connection to the UCSD Protected network chooses the wrong certificate. Before the implementation of Secure Connect, a username and password certificate was used by the system to perform authentication. This certificate is still stored on many devices that were connected to the UCSD Protected network at any point before the Secure Connect rollout, which can cause the system to choose the wrong certificate for authentication. 

Solution


  1. Verify the endpoint has the new Secure Connect certificates in the keychain.
    1. Navigate to Applications > Utilities > Keychain Access or search for Keychain Access in Spotlight. 
    2. There should be a certificate ending in @ucsd.edu that is preceded by a long string, e.g. 9573184a-725e-498a-9317-798a7de91fed@ucsd.edu. Depending on the Mobile Device Manager (MDM) used for enrollment, Keychain Access should look something like the following: 

Screenshot of Mac Keychain Access with a UCSD-issued device certificate highlighted

  2. Choosing the correct certificate when connecting to UCSD Protected. 
    1. When prompted for certificate selection, choose the certificate that matches the certificate verified earlier (the long string that ends in @ucsd.edu). 
    2. Sometimes duplicate certificates are shown in the drop-down menu. When choosing the certificate, please select the original certificate (duplicates will have (2), (3), etc. appended to the end of the certificate name). 
  3. Deleting old User/Pass certificate. 
    1. Sometimes the old user/pass certificate will try to override the new endpoint certificate used to authenticate on Cisco ISE. This old certificate can be deleted so it is no longer used for authentication when connecting to UCSD Protected. 
    2. Delete the auth.ucsd.edu certificate by navigating to Keychain Access > login (in the sidebar). 
  4. Boot into safe mode to clear the endpoint’s cache. 
    1. How To Boot Into Safe Mode
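
The two keychain checks above (the Secure Connect certificate is present, the old auth.ucsd.edu certificate is gone) can also be run from Terminal. The script below is an added example, not part of the original article or any UCSD tooling; the function names are hypothetical, and it assumes that the names shown in Keychain Access appear as the "labl" attribute in the output of the macOS security command and that the long string consists of hex digits and hyphens, as in the example certificate above.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumption: the "labl" attribute printed by `security find-certificate`
# is the certificate name that Keychain Access displays.

# Reads `security find-certificate -a` output on stdin and reports how many
# Secure Connect device certificates and legacy auth.ucsd.edu certificates exist.
audit_wifi_certs() {
    awk '
        /"labl"<blob>="/ {
            label = $0
            sub(/^[^=]*="/, "", label)   # drop everything up to the opening quote
            sub(/"$/, "", label)         # drop the closing quote
            if (label == "auth.ucsd.edu") legacy++
            else if (label ~ /^[0-9a-fA-F-]+@ucsd\.edu$/) device++
        }
        END {
            status = "ok"
            if (legacy > 0) status = "delete-legacy-cert"
            if (device == 0) status = "secure-connect-cert-missing"
            printf "secure_connect=%d legacy=%d status=%s\n", device, legacy, status
        }'
}

# Constructed sample output (not captured from a real endpoint); the device
# certificate name is the example given in the article.
sample_dump() {
    cat <<'EOF'
keychain: "/Users/example/Library/Keychains/login.keychain-db"
class: 0x80001000
attributes:
    "labl"<blob>="auth.ucsd.edu"
keychain: "/Library/Keychains/System.keychain"
class: 0x80001000
attributes:
    "labl"<blob>="9573184a-725e-498a-9317-798a7de91fed@ucsd.edu"
EOF
}

if command -v security >/dev/null 2>&1; then
    # On a Mac: inspect every keychain in the default search list.
    security find-certificate -a | audit_wifi_certs
else
    # Elsewhere: run against the constructed sample.
    sample_dump | audit_wifi_certs
fi
```

A status of delete-legacy-cert means the old auth.ucsd.edu certificate is still present and should be removed as described above; secure-connect-cert-missing means no certificate ending in @ucsd.edu was found.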

If you still have questions or need additional assistance, please contact the ITS Service Desk. You can call us at (858) 246-4357, email us at support@ucsd.edu, or submit a ticket at support.ucsd.edu.