Spurious Auth errors on 26.6

cmr
Kind of a big deal

As part of another thread I took a look at the wireless health page for one of our sites and saw the below. The Auth errors are the AP saying the WPA2 password is wrong, but these are mainly appliances such as Cisco 8821s and Raspberry Pis where the code is not hand entered... This wasn't happening in the past, is anyone else seeing this?

The network is upgrading from 26.6 to 26.6.1 tomorrow morning so let's see if that fixes them!

NolanHerring
Kind of a big deal

Do yourself a favor and filter it down from all SSID to one at a time. That will narrow down which SSID is the one having the issues. And from there you should be able to see which client(s) are doing it.

I've seen my stats be misrepresented because of one or a few 'bad clients', say with AD credentials for a user that didn't reset their password, or an IT tech whose creds were used on like 10 machines, but the person quit, AD gets killed, so the machines keep failing auth, flooding it with failures, making things look bad when they are actually fine.
Nolan Herring | nolanwifi.com
cmr
Kind of a big deal

I'd already taken a look and it was lots of different devices across four SSIDs, and where I found one device (an 8821), it was across many different APs but only once for each. I think it is mainly created by roaming, but the Raspberry Pis are fixed devices, so they are even more confusing.

I don't think it is actually affecting user experience, more of a technical glitch that maybe should be categorised differently...

NolanHerring
Kind of a big deal

Strange

What model AP are you using? Also you mentioned you were upgrading so let us know how the results look 😃
Nolan Herring | nolanwifi.com
cmr
Kind of a big deal

A good mix of APs; 32, 33, 34, 42, 52, 72 and it was across most though I didn't see it on the 72.

 

A snapshot now looks better so I'll keep an eye on it...

cmr
Kind of a big deal

Back to plenty of auth errors on devices with pre-programmed PSKs. I think it is possibly a roaming issue as it only fails once and then works. We are looking to move the frequently roaming devices (Cisco 8821s etc.) away from PSK for faster roaming, and maybe this is just part of the reason for PSK roaming being slower?

NolanHerring
Kind of a big deal

PSK roaming is pretty fast actually. Only thing faster would be 802.11r or OPEN 😃
Nolan Herring | nolanwifi.com
cmr
Kind of a big deal

Exactly, 802.11r but not with WPA2-PSK due to the known vulnerabilities. We were going to try with WPA-Enterprise but are hoping the new iPSK is okay to use with 802.11r.

antonis_sp
Building a reputation

Has anyone found anything else on this?
I'm getting the same issue on 26.7.
The issue is seen on networks with a single AP (so no roaming issues) and on devices that have the correct key set.

I think this is mostly seen on devices coming back from standby, but I'd have to do some Wireshark captures to be sure.
PawelG
Building a reputation

Have the same on a few networks (MR54s, MR45s), not only on WPA2 but also on 802.1x SSIDs.

Mostly with mobile devices - not roaming but coming from sleep. I get "wrong password" for WPA2 SSIDs and "Radius authentication failed" for 802.1x SSIDs (using Meraki authentication). In most cases the second or third authentication attempt succeeds (so this is for sure not related to some wrong credentials on devices).

All networks on 26.7

Br, Pawel

We have a customer hitting this issue. Downgrading to 25.14 did not seem to fix this. I've seen this problem in several threads now so I hope this will be resolved soon.

Edit: customer uses MR33s

It seems to be better on beta 27.x 
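
An added example, not code from any poster in this thread: one way to separate the two failure patterns discussed above, clients that fail once or twice and then authenticate (the wake-from-sleep and roaming reports) versus clients that never succeed (the stale-credential "bad clients"), grouped per SSID. The event tuple layout, the sample events and the 30-second retry window are assumptions made for illustration and do not represent a Meraki export format.

```python
from collections import defaultdict

# Constructed sample events: (seconds, client, ssid, outcome).
EVENTS = [
    (0, "8821-a", "voice", "auth_fail"),
    (2, "8821-a", "voice", "auth_ok"),
    (100, "pi-1", "iot", "auth_fail"),
    (103, "pi-1", "iot", "auth_fail"),
    (105, "pi-1", "iot", "auth_ok"),
    (10, "laptop-7", "corp", "auth_fail"),
    (40, "laptop-7", "corp", "auth_fail"),
    (70, "laptop-7", "corp", "auth_fail"),
    (50, "phone-3", "corp", "auth_ok"),
]

RETRY_WINDOW = 30  # assumed: seconds within which a retry counts as recovery


def classify(events, window=RETRY_WINDOW):
    """Count transient vs persistent failures per (client, ssid)."""
    per_client = defaultdict(list)
    for ts, client, ssid, outcome in sorted(events):
        per_client[(client, ssid)].append((ts, outcome))
    result = {}
    for key, seq in per_client.items():
        counts = {"transient": 0, "persistent": 0}
        for i, (ts, outcome) in enumerate(seq):
            if outcome != "auth_fail":
                continue
            # Transient: the same client succeeds on the same SSID soon after.
            recovered = any(o == "auth_ok" and ts <= t <= ts + window
                            for t, o in seq[i + 1:])
            counts["transient" if recovered else "persistent"] += 1
        result[key] = counts
    return result


def triage(events, window=RETRY_WINDOW):
    """Label each (client, ssid) so stale credentials stand out from noise."""
    labels = {}
    for key, c in classify(events, window).items():
        if c["persistent"]:
            labels[key] = "check-credentials"
        elif c["transient"]:
            labels[key] = "transient"
        else:
            labels[key] = "clean"
    return labels


if __name__ == "__main__":
    for (client, ssid), label in sorted(triage(EVENTS).items()):
        print(f"{ssid:6} {client:10} {label}")
```
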
