Meraki authentication behaviour with Macs

Solved
LG
Getting noticed

Meraki authentication behaviour with Macs

Hi guys, please, does anybody here uses Macs with Meraki authentication? I'm not having a good experience with the authentication speeds (even worse when roaming between APs), maybe because of a big delay between my network and Meraki (about 200ms, 250ms)

 

Thanks in advance,

LG

1 Accepted Solution

Definitely not an RF problem so 

Then I would suggest opening a ticket on the Meraki support to get an official statement from them whether or not this  Radius delay is normal or not... 👨‍💻

Linkedin |Twitter@ThibaultHenry
Ch'timi from the heart

View solution in original post

11 Replies 11
ThibaultH
Here to help

Hi LG 

 

I've used it in the past or in lab environment without any trouble, we'll find a way to make it work 👊

 

Could you give us more precision about your situation

Do you experience latency only with Mac OS clients ? (Or does it concerns all clients over your network ?)

Is it an overall latency between your client and the WAN, or between your client and the AP ?

 

Are we talking about latency only during the authentication phase ? Or also once authenticated ?

As you're mentioning roaming, I believe we're talking about an overall experience of latency between your Mac & Meraki AP, isn't it ?

MacBooks tends to be quite sticky in their roaming experience...

 

Are you connected using 2.4GHz or 5GHz ?

Did you check your Channel utilizations ?

 

Do you have some metrics to share with us gathered from a client with trouble (RSSI, Channel selection, Channel width, Channel Utilization, SNR, ...) 



I would suggest first to test : 

- Raising the minimum bitrate of your SSID (the value should depend on your clients 802.11 oldest compatibility)
https://documentation.meraki.com/MR/Radio_Settings/Minimum_Bitrate_Control
This would influence a bit the roaming decision from the client

 

- Disabling the client balancing (except if you have A LOT of active clients)
This functionality is sometimes misinterpreted by clients and behaviours could be affected

 

- If your channels seems to be jammed : Forcing your channel width to 20MHz 
https://documentation.meraki.com/MR/Radio_Settings/RF_Profiles#Channel_Width_-_Available_only_on_5_G...

 

Furthermore, I'd look into setting up 802.11r & 802.11k standards, but not as a first pick here 
https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/802.11k_and_802.11r_Overview

 

Let us know

🤘

Linkedin |Twitter@ThibaultHenry
Ch'timi from the heart
LG
Getting noticed

Thanks for replying Henry!

I use here at my home network...

 

Well, iOS and MacBooks, but I'm seeing more problems with MacBooks and yeah, I feel that they are complicated at roaming..

Only between client/network and WAN (since I'm in Brazil and the Radius log is showing latency between 200ms and 250ms to authenticate)

 

My network is 5GHz only, very low channel utilization and during my tests I'm walking very slowly between APs and the RSSI is basically ~75dBm for the AP that I'm leaving (and so the MacOS roaming process kicks off) and ~60dBm for the AP that I'm trying to roaming to.

But nevertheless, even with -40dBm, I see the authentication delay, with about two or three retries to get connected to the network

 

This is a dedicated SSID that test, so I'm using just 2 MacBooks and one iPhone...

 

I'm mostly concerned with this WAN latency between me and Meraki cloud that's not good enough, too laggy to perform well the authentications..

Didn't had time to setup a local radius as well to check local 802.1x behaviour..

Ok, makes definitely more sense to me now !

So the laggy part is really for the Meraki platform to process your authentication request ? Is that it ?

 

Could you please confirm the latency between your client and the AP by LAN pinging it from the client ?
So we could definitely exclude the RF environment from the troubleshooting approach

 

Could you confirm the Meraki node your network is using ? I suppose North America, and check the actual latency between your network and the Meraki node ?

If you see same delay as the one you're experiencing with your authentication process, I would definitely head this way

 

If for you this first authentication process delay is acceptable (200ms for a first authentication could be), then II would suggest to have a look at implementing 802.11r over your network to make sure that the authentication is only performed once, thus improving your roaming experience, once authenticated in the first place

 

https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/802.11k_and_802.11r_Overview

 

🤘

 

Linkedin |Twitter@ThibaultHenry
Ch'timi from the heart

Keep in mind that Apple macOS does not support 802.11r or any real fast-roaming technology other than static PMKID (Pairwise Master Key identifier) caching, also known as sticky key caching (fast roam back or PMK Cache), which has limitations in an enterprise environment however Meraki does support that as well.

So essentially when you first connect to AP1, you'll perform a full EAP authentication. When you connect to AP2, you'll again repeat a full EAP authentication. When you roam back to AP1, it will be fast-roam.
Nolan Herring | nolanwifi.com
TwitterLinkedIn

Hey Nolan, thanks for joining the discussion... yeah, that's why I see a better/normal roaming performance with iOS and 802.11r.

 

But, although I have not tested going back to AP1 with my mac (just because the way the APs are installed here), the full EAP authentication is taking too long and failing repeatedly with the mac..

Huge thanks for the precisions  📚

Linkedin |Twitter@ThibaultHenry
Ch'timi from the heart
LG
Getting noticed

Henry, yeah I think so.

client to AP latency is ~3ms, client to Meraki is about ~190ms and here is the RADIUS log.

North America node.

802.11r enabled, even with caveat that the Mac does not do fast roaming as Nolan stated..

Screen Shot 2019-12-02 at 16.49.35.png

Definitely not an RF problem so 

Then I would suggest opening a ticket on the Meraki support to get an official statement from them whether or not this  Radius delay is normal or not... 👨‍💻

Linkedin |Twitter@ThibaultHenry
Ch'timi from the heart
LG
Getting noticed

Will do, just to make sure.

Thanks for the support my friend.

Today I lowered a bit the transmit power of both APs to have a better understanding of the roaming behaviour and set the 802.11r to "Enabled" instead of just Adaptive...

 

Saw a better performance overall..

Hi May i know which part of the meraki console you are able to get the output result regarding the radius 

LG
Getting noticed

In the access point page (not access points list) and in the LAN tab

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels