Alert - Recent 802.1X Failure

Dupros
Conversationalist

Alert - Recent 802.1X Failure

The above error have recently appeared in relation to some of our APs across a number of our offices. 

 

- When a Radius Access test is conducted from the SSID  it confirms that all the MRs are able to connect to the             RADIUS server .

 

- There are also clients actively connected  to the APs despite the alert.  

-  I do not see any errors on the RADIUS server and it is actively authentication users.

 

- RADIUS Server - Cisco ISE

- APs - MR45,MR46 and MR55

 

Has anyone seen this kind of behavior before ?

 

Thanks in advance.

7 REPLIES 7
RaphaelL
Kind of a big deal
Kind of a big deal

Well ! I was about to post here.

 

I have the exact same issue and this is the response from Meraki Support : 

 

I would recommend looking at some of the historical logging on ISE. RADIUS traffic is also UDP, so there is a potentially that it may not have arrived and could be the cause of this alert showing.

Although this feature is not available to see syslog or logs in dashboard for recent 802.1X failure, we take our customer feedback seriously. We encourage you to use the Meraki dashboard to "give your feedback" and submit a feature request. You can submit a feature request at the bottom of any dashboard page.

Any wish that is made sends an email to our Product Managers and Development Teams. These wishes are taken into consideration and are used to help shape our product roadmaps. The most wished-for items are incorporated into product development.

My response somewhere around : You are offering me a health checking service that has no logs , so no way to see what went wrong, how it went wrong. This is basically useless. 

RaphaelL
Kind of a big deal
Kind of a big deal

We just found out that the user test is missing from our Cisco ISE config : 

 

RaphaelL_0-1634908189656.png

 

I would advise you to verify your RADIUS server

PhilipDAth
Kind of a big deal
Kind of a big deal

The test user does not need to exist.  It is only used to verify that the RADIUS server is responding.

RaphaelL
Kind of a big deal
Kind of a big deal

@PhilipDAth  Seems to be right once again : A test is considered successful if the Meraki device receives any kind of legitimate RADIUS response (i.e. Access-Accept/Reject/Challenge) from the server.

Dupros
Conversationalist

Hi All,

 

Thanks for the feedback.  This is more than I am getting from Meraki support.

 

I am still seeing the alert on the dashboard.  

 

The alert suggests that the AP was unable to communicate with the RADIUS server when the test was conducted.  I have tried replicating the issue and the APs connected on all occasions. 

 

I am going to try and get this escalated with meraki - This alert  seems cosmetic as we are not experiencing any client authentication issues. 

 

Thanks gain for your input. Much appreciated.

nst1
Building a reputation

 

I have the same problem, do you have any idea what could be happening???

Bettencourt
Meraki Employee
Meraki Employee

As @PhilipDAth mentioned the test user does not need to exist.

If you are seeing this error message it is because at least one user recently failed to authenticate with the radius server or a recent dashboard radius server test failed.

Each SSID that has radius enabled will have an option in the setting called "Radius Testing", by default this option is set to enabled.

If enabled, the Meraki devices will send every 24 hours an Access-Request message to these RADIUS servers using  'meraki_8021x_test' to ensure that the RADIUS servers are reachable. 

If a RADIUS test fails for a given device it will be tested again every hour until a passing result occurs. A subsequent pass will mark the server reachable and clear the alert, returning to the 24-hour testing cycle.

Therefore if you are seeing this alert, one or more of your radius servers failed to respond or took too long to respond, if you do not want the dashboard to run these tests you can disable the option under your SSID settings.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Alert_-_Recent_802.1X...

✌️



Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels