Lots of wireless authentication failures

AnythingHosted
Building a reputation

Lots of wireless authentication failures

Hello!

 

With the improved wireless health screens, I've been trying to diagnose some issues. I am seeing a lot of authentication errors (mainly with iPhone / iPads). Some are static and some roam from one AP to another. 

 

I've cleared the network settings and removed the wifi ssid from the phone and it's still happening.

 

Any ideas? I am testing and will soon deploy Identity PSK with RADIUS -will that address the problem?

 

Thanks,

Chris

 

AnythingHosted_0-1584524671614.png

 

28 REPLIES 28
cmr
Kind of a big deal
Kind of a big deal

What MR model and firmware are you running.   Is it causing an actual problem, or simply a log issue?

AnythingHosted
Building a reputation

Both APs are MR52 and latest firmware (26.7)

 

I do notice that sometimes my iPhone is on 4G and then switches back to wifi, is that an issue probably not. 

 

I do have wifi calling set up and sometimes notice if I roam between the APs the signal degrades quite a lot (normal phone signal is pretty weak). 

 

I do have 802.11r set to Adaptive (and just PSK WPA2). I do understand the security issue and hence moving to iPSK.

PawelG
Building a reputation

I have similar problems with MR45s and mostly iPhones and iPads. Firmware 26.7.
I'm using 802.1x with Meraki authentication - thought that might be Meraki radius availability problem.

br, Pawel.

AnythingHosted
Building a reputation

This morning, iPhone now says incorrect password and won't even join. 

 

No configuration changes have been made at all.

 

Worth raising a case with Meraki support to have it logged?

After upgrading to 26.7 I had constant and repeated problems with authentication, both standard WPA2 and RADIUS. Rolling back to 26.6.1 fixed the issues - I'd try that first and wait for a stable release to come out instead of the RC.

PawelG
Building a reputation

I've did a bit of debugging of this issue today and found out some curious thing:

It seems that failures reported by Wireless Health are fake. When I look at access logs there is no such event (there is a Radius authentication event, but it is not fail - just roaming re-auth)

 

Opened case about that.

 

Br, Pawel. 

 

Hi!

 

Any replay from TAC about this behavior?

 

BR

frenz

Wireless, what else?
PawelG
Building a reputation

I've opened a case.

I've got reply that they are not aware of such issue and I need to call them to make real-time packet capture.

The problem is that those errors are random and it is not easy to reproduce them during such session.

 

Pawel.

VasanthKumar
Just browsing

I have seen similar issue with Apple and Non Apple devices as well. My MR is set for WPA2-PSK and the device is failing with WPA-PSK auth. It doesn't seem like an issue as my device connects fine later. I would hope if I enable WPA and WPA2 I will not see this error. I discarded it as a false alarm.

PawelG
Building a reputation

One question to anyone that still have this issue:

Do you have corresponding event log entries to health-reported authentication errors. In may case there aren't any. 

I've noiticed TAC about that, but they simply ignored it.

 

Br, Pawel. 

Wayner
Getting noticed

I ma having the same issues Just replying so i can follow the answers

PawelG
Building a reputation

I'v downgraded APs to 26.6.1 and problem still exists on both WPA2-PSK and WPA2-Enterprise networks. Authentication failures are only with Apple iOS devices - and the is no trace of them in device event logs - only in Wireless Health pages in dashboard.

 

BR, Pawel.

Seeing the same thing here and have also downgraded which made no difference.

Has anyone seen any improvements with this?  I recently update to 26.6.1 and started having auth issues with my RADIUS and WPA2 SSID's.  Prior to this firmware version I had no issues so I am looking to roll back but was wondering if any of you had found a resolution to this yet.

PawelG
Building a reputation

In my case no difference between 26.6.1 and 26.7.

I've read reports that those are false-positives and those events are only visible in health status not in real event logs. 

Not sure about that, as my devices sometimes really report "bad password" messages - especially when roaming.

 

br, Pawel.

 

 

AnythingHosted
Building a reputation

I'm installing 26.8 now to see if this resolves the problem. 

PawelG
Building a reputation

I'm on 26.8 and I have already seen some bunch of those auth errors. So no change...

 

At least they fixed the foreign SSID signal strength on MR45s - I took them only one year...

 

Br, Pawel. 

Thank you, I rolled back to 25.13 yesterday afternoon and have not had an issue with Authentication since on WPA2 PSK or Enterprise.  My biggest issue was the devices on PSK auth, I had devices that have had the passphrase saved for quite some time and never an issue but after 26.6.1 they were consistently failing to auth intermittently all day long.  I'm at about 24 hours now without an issue.  When I have more time to test I will raise a case with support.

I am having this same issue.  Have you had any more issues since rolling back the firmware?

 

Does not seem to be resolved in latest stable version 27.6. Upgraded it last night. Even though mentioned fixed under bug fixes of release note.

 

Still seeing authentication error logs under 'Connection Logs' for only 1 SSID.

Called support again and toggling SSID for them look at backend logs in production environment not feasible option! And famous quote of taking wireshark capture from a non-IT user device

 

Please help!

PawelG
Building a reputation

I'v had some spare time today, so I've made lots of testing.

In case of 802.1x authentication errors - those are NOT false positives. In my network it only happens when iOS device tries to roam from one AP to another (but I does not happen always). On iOS device there is wifi connection all the time, but it cannot roam to another AP which has much better signal. On the same time Authentication Errors (with some delay) appear on wireless health dashboard. There is NO sign of such errors in event log (for AP and client).  When I disable wifi on iOS device and re-enble it - it correctly connects to AP it failed to connect when roaming. I can't say what are the circumstances it happens. I've seen lots of successful roamings when testing.

 

Br, Pawel

 

PawelG
Building a reputation

After further testing I've found out that its the 802.11r that is causing the problems (wether enabled or adaptive).

After disabling it on my 802.1x SSID - no authentication errors any more, no messages on iOS devices about bad password. 

 

Br, Pawel. 

cmr
Kind of a big deal
Kind of a big deal

So the feature designed to assist roaming breaks it! 🤦‍♂️

PawelG
Building a reputation

Yep, exactly.

But as it applies only to iOS devices - it might be a shared Meraki/Apple problem in implementation.

 

Even with 802.11r disabled all iOS devices roam with PKMSA cache - which is also quite fast (and with lack of all those auth errors much more robust and reliable than 802.11r FT)

 

Br, Pawel. 

hlima
Conversationalist

We are on version MR 27.5.1 and still having same issues. Disabling 802.11r was a consistent solution? After disabling this, were those messages completely dissapeared?

redsector
Head in the Cloud

I have got the same issue with Apple devices not with Win10 notebooks.

Roaming takes sometimes minutes to work. Sometimes it helps to switch off and on again wireless on the device.

I am using MR34, MR42, MR46 on different networks with MR26.7 or now MR26.8 software.

micahtangelo
New here

also experiencing this general issue, replying to follow. 

 

is disabling 802.1r the recommended step? what's the downside? 

You can refer to here https://support.apple.com/en-us/HT202628 or the article about 802.11r

802.11r uses the PSK method, which may be risky in special circumstances.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels