RADIUS server authenticating some users, others randomly losing access

Local_goat
Here to help


Hey there, I'm having a really strange issue with my RADIUS server in my enterprise. 2 days ago, my laptop stopped responding to our office wireless, then another engineer in the IT dept had the same issue. Just had someone from sales express the same issue.

 

Checking in the Meraki logs, I get the issue posted below. 

Local_goat_0-1663853891453.png

It looks like it's not being able to respond to requests. We thought it might be a wireless driver issue, and had updated both of them, with no luck. Any ideas? 

 

Local_goat
Here to help

Also, I believe it's strictly a RADIUS issue. We've got multiple access points that operate off of Meraki, but they all show 802.1X deauthentication issues.

WB
Building a reputation

Out of curiosity what OS are the (two?) affected devices running, if Windows what release specifically as well e.g. W11 22H2. Any patching performed on the RADIUS server host?

 

Seems odd that it would just happen out of the blue if all those clients were previously working!

alemabrahao
Kind of a big deal

Hi @Local_goat,

I experienced it some time ago, and I resolved it by increasing the server timeout value on my SSID.

 

alemabrahao_0-1663855154573.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Giving this a shot right now

No luck unfortunately. 

Have you noticed any error messages in the RADIUS server log?


Also, you can test it by putting your machine on the same network as your APs and testing with NTRadPing.

 

https://community.microfocus.com/img/oes/w/oes_tips/9928/ntradping-1-5-radius-test-utility


@Local_goat 

 

Is it possible to test it with NTRadPing as I suggested?


Can certainly give it a shot right now

Local_goat_0-1663868413125.png

First off, that's an incredibly helpful tool. Secondly, I had gotten no response from the server, which to me is insane, as the Screenbeams have to reach out to it to actually come back online.

Cool IT Fun fact: Scans work better when you actually have the ability to run them on your network.

 

Local_goat_1-1663869262631.png

 

ww
Kind of a big deal

I think it says the RADIUS server did not respond. So you would need to check if the RADIUS server responds to a request, and if that packet makes it back to the AP.

Novice question, how could I monitor that? 

ww
Kind of a big deal

https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS_Issue_Resolution_Guide

 

I would first check the RADIUS log to see if it gets the request and sends back a response. You could additionally run a packet capture on the RADIUS server.

 

From the Meraki dashboard you can also take packet captures on the AP, to see if it receives the response from the RADIUS server: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Packet_Capture_Overvi...
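
The check suggested above (does each request from the AP get a reply, and what kind), as an added example that is not part of the original thread: it decodes RADIUS payloads taken from a LAN-side capture and pairs every Access-Request with its response. The addresses, user names and packets are constructed sample data, and `summarize` and `build` are hypothetical helper names.

```python
import struct

ACCESS_REQUEST, ACCESS_REJECT, USER_NAME = 1, 3, 1  # RFC 2865 code/attribute numbers

def parse_radius(payload):
    """Decode the 20-byte RADIUS header and the attribute TLVs that follow it."""
    if len(payload) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(a_type, []).append(payload[pos + 2:pos + a_len])
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs}

def summarize(capture):
    """capture: (src_ip, dst_ip, udp_payload) tuples in time order.
    Returns (unanswered, rejected), each a list of (ap_ip, identifier, user)."""
    pending, rejected = {}, []
    for src, dst, payload in capture:
        pkt = parse_radius(payload)
        if pkt["code"] == ACCESS_REQUEST:
            user = pkt["attrs"].get(USER_NAME, [b"?"])[0].decode(errors="replace")
            pending[(src, pkt["id"])] = user      # a retransmission reuses the key
        else:
            user = pending.pop((dst, pkt["id"]), None)   # reply goes back to the AP
            if pkt["code"] == ACCESS_REJECT and user is not None:
                rejected.append((dst, pkt["id"], user))
    unanswered = [(ap, ident, user) for (ap, ident), user in pending.items()]
    return unanswered, rejected

def build(code, ident, user=b""):
    """Hypothetical helper: build a minimal packet with a zeroed authenticator."""
    attrs = bytes([USER_NAME, len(user) + 2]) + user if user else b""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

AP, SERVER = "192.0.2.5", "192.0.2.10"   # constructed addresses
SAMPLE = [                                # constructed capture
    (AP, SERVER, build(1, 1, b"alice")), (SERVER, AP, build(2, 1)),
    (AP, SERVER, build(1, 2, b"bob")),   (SERVER, AP, build(3, 2)),
    (AP, SERVER, build(1, 3, b"carol")),  # never answered
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An entry in the first list means the request left the AP and no reply was seen at the capture point; an entry in the second means the server answered and refused, which points at policy or credentials rather than reachability.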

alemabrahao
Kind of a big deal

It was my previous suggestion 😅


Thank you so much for that suggestion, I ran a packet capture, and had unplugged a Screenbeam in the office, which I know would reach out to the RADIUS server once it starts up, and it had been working before the issue started. I've got my packet capture set for wireless, and all access points. However, my Wireshark outputs are blank when I filter for RADIUS, and I ensured that I had the secret key in the settings. Is there something I'm goofing up on my end?

ww
Kind of a big deal

Try capturing on the LAN interfaces. RADIUS is between the AP IP and the RADIUS server IP.

Would I be able to do that in the Meraki tool, or should I do some configuring in Wireshark?

Looks like the RADIUS server is sending an Access-Reject result.

Local_goat_1-1663870100114.png

 

It's probably because you didn't configure your IP address in your RADIUS client. What is the result if you test it on your SSID? Like this:

 

alemabrahao_1-1663870527972.png

 


You can monitor with a network monitor system, like Zabbix.


I'll see if I can't give that a shot right now, I'll set a box up with Ubuntu to get it going

Local_goat
Here to help

UPDATE: So, this issue has actually been something related to Credential Guard. The newest Windows Update automatically enables this feature, and we've fallen down a rabbit hole with our computer certificates and how to work with them. It's still ongoing, hopefully we'll be able to get this finished off. 

WB
Building a reputation

Windows 11 22H2? I was reading about that the other day if so. Are you running the Enterprise version?
