OS X: Intermittent delay while authenticating to TLS, PEAP, or TTLS protected Wi-Fi network
When authenticating to a Wi-Fi network that uses TLS, PEAP, or TTLS for authentication, there may be a delay of up to ten seconds before authentication completes. This can happen if the RADIUS server certificate, or any certificate in the chain that signed the RADIUS server certificate, is configured with extensions for Certificate Revocation List (CRL) and/or Online Certificate Status Protocol (OCSP). This delay may occur when first joining the network or while roaming between access points.
Set SSL as always trusted for the RADIUS server certificate.
- Open /Applications/Utilities/Keychain Access.
- Locate the RADIUS server certificate in either the login or System keychain. It should have a common name matching the fully qualified domain name of the RADIUS server.
- Double-click the RADIUS server certificate.
- Click the triangle next to Trust.
- Choose "Always Trust" in the pop-up menu next to Secure Sockets Layer (SSL).
- Close the window, then enter credentials to authorize the change if prompted.
The following commands can also be used to install a certificate into the System keychain and set the custom trust.
For a root or leaf certificate:
sudo /usr/bin/security add-trusted-cert -d -r trustAsRoot -p basic -p eap -p ssl -k /Library/Keychains/System.keychain <cert file>
For a self-signed certificate:
sudo /usr/bin/security add-trusted-cert -d -p basic -p eap -p ssl -k /Library/Keychains/System.keychain <cert file>
Repeat the above steps for any certificate in the signing chain of the RADIUS server certificate that also has extensions for CRL or OCSP.
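To see which certificates in the chain carry the CRL or OCSP extensions, and so need the trust setting above, the certificates can be inspected before they are installed. The script below is an added example, not part of the original article: it assumes the openssl command-line tool is available and that the chain has been exported to a PEM bundle, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which certificates in a RADIUS server chain carry
# CRL or OCSP extensions.

# Reads `openssl x509 -noout -text` output on stdin.
# Prints "CRL OCSP", "CRL", "OCSP" or "none".
revocation_exts() {
    awk '
        /X509v3 CRL Distribution Points/ { crl = 1 }
        /OCSP - URI:/                    { ocsp = 1 }
        END {
            if (crl && ocsp) print "CRL OCSP"
            else if (crl)    print "CRL"
            else if (ocsp)   print "OCSP"
            else             print "none"
        }'
}

# Splits a PEM bundle into single certificates and prints one line per
# certificate: the extensions found, a tab, then the subject.
check_chain() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/radius-chain.XXXXXX") || return 1
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert%02d.pem", dir, ++n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    for pem in "$tmp"/cert*.pem; do
        [ -f "$pem" ] || continue
        printf '%s\t%s\n' \
            "$(openssl x509 -in "$pem" -noout -text | revocation_exts)" \
            "$(openssl x509 -in "$pem" -noout -subject)"
    done
    rm -rf "$tmp"
}

# Constructed sample of openssl text output, used when no file is given.
# The "CA Issuers" entry is not an OCSP responder, so only CRL is reported.
sample_text() {
    cat <<'EOF'
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.example.test/ca.crl
            Authority Information Access:
                CA Issuers - URI:http://ca.example.test/ca.cer
EOF
}

if [ $# -gt 0 ]; then check_chain "$1"; else sample_text | revocation_exts; fi
```

Run it with the bundle as its only argument; every certificate reported with anything other than "none" is one the steps above apply to.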