OS X Client Failed 802.1X Auth to RADIUS Server

MisterBones
Conversationalist

OS X Client Failed 802.1X Auth to RADIUS Server

Preface:

This is more of a heads up post than one seeking technical support - 

TL;DR Backstory: 

In my college campus environment are were running MR53/55/56 AP's that were running the latest v27 flavor of the month firmware (27.7.1) which was running just fine until we had actual students return to campus for post-covid (for now) operations continue. Upon their return, and attempts to connect to our wireless infra we were getting non-stop RADIUS server auth errors/flapping for OS X clients only (causing constant disconnects/disassociation), Windows based systems connected no issues. 

Upon further investigation, and discovering a few core bugs based on older Windows Server OS, I migrated our RAIDUS & Cert Auth infra up to resolve these problems (known issues with Server 2012r2 running RADIUS as well as converting a standalone CA into a three-tiered Ent CA deployment) and come to find out - the issues with RADIUS auth still existed on the wireless (yes, after confirming full functionality, testing, testing some more, and then testing the tests). 

Digging further into this - I discovered some older community posts found here:
Solved: WIFI dropping several times a day - The Meraki Community

Solved: Wireless Authentication Failure with Radius - The Meraki Community

After reading through and discovering that an older FW version (26.6.1) seemed to be stable for another school environment (see post) I decided to take a chance and do a dreaded downgrade. After speaking to Meraki support several times to get the ball rolling on this, and downgrading to v26.6.1 (MR 53/55) and v26.8 (MR56) 98% of our RADIUS authentication issues for OS X clients have seemingly vanished from our network. Students are able to connect to Wifi - all is well.


So general note to the community - IF you see errors like these (for OS X clients):

 

Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='6' first_time='0.019391667' associated='false' radio='1' vap='5'

 

Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='6' first_time='0.012157657' associated='true' radio='1' vap='5'

 

Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='1' first_time='0.016718229' associated='false' radio='1' vap='5'

 

Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='6' first_time='0.015364740' associated='false' radio='1' vap='5'

 

Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='0' associated='true' radio='1' vap='5'

 

Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='6' first_time='0.018222400' associated='false' radio='1' vap='5'

 

Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='4' first_time='0.018137656' associated='true' radio='1' vap='5'

 

 

You might consider opening a case & downgrading your FW until this issue gets addressed in v27/28/etc. as it has caused nothing but headaches for me for weeks. It is also worth mentioning that Meraki support stated that staying on an older FW is not a long term solution (duh) but until this RADIUS issue is fixed, our network will be staying in the 'stone ages'.

Hope this helps someone else banging their head against the wall.

 



0 REPLIES 0
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.