Firmware MN 14.33 causing wireless Radius authentication issue.

SOLVED
Nickj3234
Here to help


Last week Meraki updated the firmware on our MS225 switches; since then our MS42 wireless AP RADIUS SSID is not working at all of our 4 sites. I enabled WPA2 wireless, which works, and guest works. I can test the RADIUS SSID and it passes, but when connecting a PC they can't connect and the event log shows

802.11 disassociation
unspecified reason

What's weird is I see an iPhone and an iPad connected, but any PC I've tried to connect fails. Anyone else seeing this issue?

 

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

I think this issue is highly unlikely to be related to the switch firmware.  It may be that a reboot of the switches caused a reboot of the access points, and something around that has caused an issue.

 

Do the PC WiFi settings for the SSID match what is configured with the RADIUS server? For example, PEAP+MSCHAPv2?

I'm guessing these settings don't match.

 

Does the RADIUS server say it is allowing the connection?  If not, why not?


17 REPLIES
alemabrahao
Kind of a big deal

Have you tried to perform a RADIUS test on this SSID? Just to check the communication.

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Yes, testing is successful.

 

Sorry, it was an accident clicking as a solution. The problem started after the firmware upgrade and is happening at 4 different sites. You don't configure PC WiFi for RADIUS, you just log in with Windows creds.

>you don't configure PC wifi for Radius you just log in with windows creds.

 

That means you are using the default configuration of PEAP+MSCHAPv2.  Have you checked your PEAP certificate on your RADIUS server?  Maybe it has expired.

 

Did you maybe manually load in the IP addresses as RADIUS clients (instead of loading in subnets), while the APs were set to DHCP, the switch upgrade happened, the APs rebooted, got new IP addresses, and now don't match the RADIUS client IP addresses configured?

@PhilipDAth, I don't think that's the case, because it works well on mobile devices. I recommended that he perform a manual configuration.

BlakeRichardson
Kind of a big deal

Have the PCs had any Windows updates during that time?

 

What firmware version did you update to?

It has nothing to do with the PCs, and the firmware is in the title of the post, slightly misspelled; it's MS 14.33. I have a case open with Meraki. I have updated firmware on the AP and rebooted the AP a few times. It worked fine since configuring RADIUS authentication for wireless until the firmware upgrade.

@Nickj3234, it doesn't make sense. I have upgraded my networks to the same version and it works fine. Can you share your SSID configuration?


Network access is set to My Radius Server

WPA encryption mode set to WPA2 only

802.11r and 802.11w disabled

no splash page

Defaults for all the timeouts and retries

RADIUS testing - disabled
RADIUS CoA support - disabled
RADIUS attribute specifying group policy name - Filter ID
RADIUS accounting - disabled
RADIUS proxy - do not use meraki proxy
Assign group policies by device type - disabled

Bridged mode: make clients part of the LAN

VLAN tagging - Don't use vlan tagging
RADIUS override - ignore vlan attribute in radius responses
Content filtering - don't filter content
Bonjour forwarding - disable
Mandatory DHCP - disable

🙂

alemabrahao
Kind of a big deal

What is the minimum bitrate applied in your RF profile? Have you tried to configure your connection manually?

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_Clients_for_802.1X_and...


Bit rate is set to 11 for RADIUS; for Guest and the WPA2 it is 18. Haven't tried manual connection, not in the office today, will try it tomorrow.

Tried the manual connection and I was able to connect, thanks for the tip. It will be a pain to do this for all the users though, but I have something I can go back to the Meraki tech with who is working my case.

Are you using Windows systems? Are your machines integrated into a domain? If yes, you can create a GPO in your Active Directory to add the connection.


Thanks, I'll look into that.

Nickj3234
Here to help

So it turned out it was never an issue with the switch firmware updates; it was the NPS certificate, which expired, coincidentally, the same day Meraki did the firmware updates, so they got the blame. Weird that testing the RADIUS server still passed with the expired cert. Anyway, thought I'd fess up that it was my fault all along.
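
The two server-side checks raised in this thread (is the PEAP certificate on the RADIUS server still valid, and what reason does the server log for the refused connection), as an added PowerShell example that is not from any poster. It assumes a Windows NPS server with the certificate in the computer's Personal store and NPS auditing enabled; the function names and the 30-day window are hypothetical.

```powershell
# Added example, not from the thread. Run elevated on the NPS server.
# Assumptions: the PEAP certificate is in the computer's Personal store with the
# Server Authentication EKU, and NPS auditing is on so denials log as event 6273.

function Get-ServerAuthCertStatus {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$WarnDays = 30    # illustrative warning window
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        # 1.3.6.1.5.5.7.3.1 = Server Authentication; certs with no EKU are skipped
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
        ForEach-Object {
            $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
            if     ($_.NotAfter  -lt $now)      { $status = 'EXPIRED' }
            elseif ($_.NotBefore -gt $now)      { $status = 'NOT YET VALID' }
            elseif ($daysLeft    -le $WarnDays) { $status = 'EXPIRING SOON' }
            else                                { $status = 'OK' }
            [pscustomobject]@{
                Status     = $status
                DaysLeft   = $daysLeft
                NotAfter   = $_.NotAfter
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
            }
        } |
        Sort-Object NotAfter
}

function Get-NpsDenial {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Keep only the "Reason Code:" / "Reason:" lines from the event text.
            $lines  = $_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*Reason' }
            $reason = (($lines -join '; ') -replace '\s+', ' ').Trim()
            [pscustomobject]@{ Time = $_.TimeCreated; Reason = $reason }
        }
}

Get-ServerAuthCertStatus | Format-Table -AutoSize
Get-NpsDenial -Hours 24 | Format-Table -AutoSize -Wrap
```

The certificate NPS actually presents for PEAP is the one selected in the network policy's EAP settings, so compare the thumbprints listed here against that selection.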
