With the improved wireless health screens, I've been trying to diagnose some issues. I am seeing a lot of authentication errors (mainly with iPhone / iPads). Some are static and some roam from one AP to another.
I've cleared the network settings and removed the wifi ssid from the phone and it's still happening.
Any ideas? I am testing and will soon deploy Identity PSK with RADIUS -will that address the problem?
Both APs are MR52 and latest firmware (26.7)
I do notice that sometimes my iPhone is on 4G and then switches back to wifi, is that an issue probably not.
I do have wifi calling set up and sometimes notice if I roam between the APs the signal degrades quite a lot (normal phone signal is pretty weak).
I do have 802.11r set to Adaptive (and just PSK WPA2). I do understand the security issue and hence moving to iPSK.
This morning, iPhone now says incorrect password and won't even join.
No configuration changes have been made at all.
Worth raising a case with Meraki support to have it logged?
After upgrading to 26.7 I had constant and repeated problems with authentication, both standard WPA2 and RADIUS. Rolling back to 26.6.1 fixed the issues - I'd try that first and wait for a stable release to come out instead of the RC.
I've did a bit of debugging of this issue today and found out some curious thing:
It seems that failures reported by Wireless Health are fake. When I look at access logs there is no such event (there is a Radius authentication event, but it is not fail - just roaming re-auth)
Opened case about that.
I've opened a case.
I've got reply that they are not aware of such issue and I need to call them to make real-time packet capture.
The problem is that those errors are random and it is not easy to reproduce them during such session.
I have seen similar issue with Apple and Non Apple devices as well. My MR is set for WPA2-PSK and the device is failing with WPA-PSK auth. It doesn't seem like an issue as my device connects fine later. I would hope if I enable WPA and WPA2 I will not see this error. I discarded it as a false alarm.
One question to anyone that still have this issue:
Do you have corresponding event log entries to health-reported authentication errors. In may case there aren't any.
I've noiticed TAC about that, but they simply ignored it.
I'v downgraded APs to 26.6.1 and problem still exists on both WPA2-PSK and WPA2-Enterprise networks. Authentication failures are only with Apple iOS devices - and the is no trace of them in device event logs - only in Wireless Health pages in dashboard.
Has anyone seen any improvements with this? I recently update to 26.6.1 and started having auth issues with my RADIUS and WPA2 SSID's. Prior to this firmware version I had no issues so I am looking to roll back but was wondering if any of you had found a resolution to this yet.
In my case no difference between 26.6.1 and 26.7.
I've read reports that those are false-positives and those events are only visible in health status not in real event logs.
Not sure about that, as my devices sometimes really report "bad password" messages - especially when roaming.
I'm on 26.8 and I have already seen some bunch of those auth errors. So no change...
At least they fixed the foreign SSID signal strength on MR45s - I took them only one year...
Thank you, I rolled back to 25.13 yesterday afternoon and have not had an issue with Authentication since on WPA2 PSK or Enterprise. My biggest issue was the devices on PSK auth, I had devices that have had the passphrase saved for quite some time and never an issue but after 26.6.1 they were consistently failing to auth intermittently all day long. I'm at about 24 hours now without an issue. When I have more time to test I will raise a case with support.
Does not seem to be resolved in latest stable version 27.6. Upgraded it last night. Even though mentioned fixed under bug fixes of release note.
Still seeing authentication error logs under 'Connection Logs' for only 1 SSID.
Called support again and toggling SSID for them look at backend logs in production environment not feasible option! And famous quote of taking wireshark capture from a non-IT user device
I'v had some spare time today, so I've made lots of testing.
In case of 802.1x authentication errors - those are NOT false positives. In my network it only happens when iOS device tries to roam from one AP to another (but I does not happen always). On iOS device there is wifi connection all the time, but it cannot roam to another AP which has much better signal. On the same time Authentication Errors (with some delay) appear on wireless health dashboard. There is NO sign of such errors in event log (for AP and client). When I disable wifi on iOS device and re-enble it - it correctly connects to AP it failed to connect when roaming. I can't say what are the circumstances it happens. I've seen lots of successful roamings when testing.
After further testing I've found out that its the 802.11r that is causing the problems (wether enabled or adaptive).
After disabling it on my 802.1x SSID - no authentication errors any more, no messages on iOS devices about bad password.
But as it applies only to iOS devices - it might be a shared Meraki/Apple problem in implementation.
Even with 802.11r disabled all iOS devices roam with PKMSA cache - which is also quite fast (and with lack of all those auth errors much more robust and reliable than 802.11r FT)
We are on version MR 27.5.1 and still having same issues. Disabling 802.11r was a consistent solution? After disabling this, were those messages completely dissapeared?
I have got the same issue with Apple devices not with Win10 notebooks.
Roaming takes sometimes minutes to work. Sometimes it helps to switch off and on again wireless on the device.
I am using MR34, MR42, MR46 on different networks with MR26.7 or now MR26.8 software.
You can refer to here https://support.apple.com/en-us/HT202628 or the article about 802.11r
802.11r uses the PSK method, which may be risky in special circumstances.