Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Strange behavior about RADIUS authentication on Android 11

BongHo
Conversationalist
‎May 10 2021 7:21 PM
‎May 10 2021 7:21 PM

Strange behavior about RADIUS authentication on Android 11

I just set up the RADIUS authentication with Meraki AP, and there is strange behaviour.

After I disable my AD account, I can still connect to the SSID associate with RADIUS authentication unless I forget the Wifi setting and reconnect, account disables would finally be effective.

And the strange thing is this kind of behaviour only occur on Android 11 device, others like PC and apple device work fine.

 

Is there anyone familiar with this issue? Any suggestions would be much appreciated!

0 Kudos
Subscribe
3 Replies 3
KarstenI
Kind of a big deal
Kind of a big deal
‎May 11 2021 2:14 AM
‎May 11 2021 2:14 AM

I would assume that it is something with caching on the APs. Can you do a capture on the AP to see if the AP sends a RADIUS request to the NPS when the disabled user connects to the SSID?

0 Kudos
Subscribe
In response to KarstenI
BongHo
Conversationalist
‎May 11 2021 2:24 AM
‎May 11 2021 2:24 AM

Thanks for your comment!

 

I did try to capture on the AP, only the android 11 device didn't send any RADIUS request to the NPS after disable the AD account, no idea what's going on.

0 Kudos
Subscribe
In response to BongHo
KarstenI
Kind of a big deal
Kind of a big deal
‎May 11 2021 3:36 AM
‎May 11 2021 3:36 AM

If there is no RADIUS request, it is likely the default PMKsa-caching on the APs. You could:

  1. Ask Meraki Support if they can disable it. Not sure if that is possible.
  2. Reduce the session timeout on the RADIUS-server to limit the amount of time the client could continue with disabled account.
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.