Wireless - 802.1x auth fail

SOLVED
LC_IT
Here to help

Hi, let me see if anyone has seen a situation like this:

802.1x PEAP MSCHAPv2 authentication using a Windows laptop and a smartphone.

The RADIUS server is Cisco ISE and it replies to the MR AP with an Access-Accept packet.

Cisco ISE and the access point are connected to the same L2 domain, same subnet, and there is no firewall on that communication path.

The access point was added on ISE as a NAD and there are no logs of any problem on the ISE side.

I did a packet capture on the wired interface of the access point (MR46E) and the Access-Accept is delivered, but in the dashboard I see this error:

"Client 5c:cd:5b:a2:40:ab had a failed connection to SSID Corp on AP POC01 during authentication because the auth server did not respond."

How did the auth server not reply if I see the Access-Accept arriving on the AP?

Has anyone seen this behavior?

1 ACCEPTED SOLUTION
Make_IT_Simple
Meraki Alumni (Retired)

If you guys are not using the new view, please do so and change the RADIUS timeout from the default 2 sec to 10 sec (this is the max value); it should help with your issue.

https://documentation.meraki.com/MR/Access_Control/MR_Meraki_RADIUS_2.0#Server_Timeout_and_Retry_Cou...

10 REPLIES
RaphaelL
Kind of a big deal

Following this thread.

We do have lots of these, but never had the time to troubleshoot it properly.


The default is 1s, and according to Cisco's documentation it seems to be 5s on Cisco's WLC. Strange to see such a big difference between the two timeouts. I will try to adjust it and monitor the difference in the logs.

RaphaelL
Kind of a big deal

I just opened a case regarding that. We are on 27.7.1 and 28.5 and I keep seeing "Client made an 802.1X authentication request to the RADIUS server, but it did not respond."

Upon taking a packet capture we can see the Access-Reject from our RADIUS server. The request was completed in 300-400 ms, which is below the default timeout.

To be continued...

RaphaelL
Kind of a big deal

Update. It seems that the error is not showing the same description in Wireless -> Health -> Connection log versus Wireless -> Health -> Timeline.

In the Timeline page you will see: Client X had a failed connection to SSID Y on AP Z during authentication because the auth server rejected the auth request.

In the Connection Log: Client made an 802.1X authentication request to the RADIUS server, but it did not respond.radius_ip='XX.XX.XX.XX' reason='radius_login_failure' radio='1' vap='0' channel='104' rssi='50'

I know this case is a bit different from yours, but can you check if you are seeing the same log message in the Timeline page and post the results from both Timeline and Connection log.

Thanks,

In my case, both logs are similar:

Connection Log ==> Client made an 802.1X authentication request to the RADIUS server, but it did not respond.auth_mode='wpa2-802.1x' vlan_id='11' radius_proto='ipv4' radius_ip='172.16.x.x' reason='radius_timeout' radio='1' vap='1' channel='149' rssi='30'

Timeline ==> Client 9a:b0:xx:xx:xx:xx had a failed connection to SSID Y on AP Z during authentication because the auth server did not respond.

RaphaelL
Kind of a big deal

Can you do a packet capture and calculate how long the request takes? First packet to the last one (Access-Accept). If it is over 1000 ms, it will be flagged as "didn't respond".

Yes, I did a capture.

Time of first RADIUS packet: 16:04:45,239667

Time of last RADIUS packet: 16:04:49,287265

Almost 5 seconds...

Unfortunately I am not able to test now, but I will try to increase the timeout and verify whether it solves the problem.

@RaphaelL Did you try increasing the RADIUS timeout?
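The timing check RaphaelL asks for above, as an added example that is not code from this thread, Meraki or Cisco: it measures each RADIUS exchange from the first Access-Request to the final Accept/Reject, compares it with the AP's timeout, and maps the result onto the two `reason=` values seen in the connection logs. The capture summary lines, the `sess=` tag (standing in for the RADIUS State attribute) and all function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed summary of a wired-side capture on the AP (not the thread's
# real pcap): time, direction, RADIUS code, session tag. Session A reuses
# the first/last timestamps posted in the thread.
CAPTURE = """\
16:04:45,239667 AP->RADIUS Access-Request   sess=A
16:04:45,401212 RADIUS->AP Access-Challenge sess=A
16:04:45,410900 AP->RADIUS Access-Request   sess=A
16:04:49,287265 RADIUS->AP Access-Accept    sess=A
16:04:50,000000 AP->RADIUS Access-Request   sess=B
16:04:50,350000 RADIUS->AP Access-Reject    sess=B
"""

FINAL_CODES = {"Access-Accept", "Access-Reject"}

def parse_time(stamp):
    # The capture quoted in the thread prints microseconds after a comma.
    return datetime.strptime(stamp.replace(",", "."), "%H:%M:%S.%f")

def exchange_durations(text):
    """Map each session to (seconds from first request to final reply, code)."""
    first, final = {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _direction, code, sess = line.split()
        t = parse_time(stamp)
        first.setdefault(sess, t)          # first Access-Request of the EAP run
        if code in FINAL_CODES:
            final[sess] = (t, code)        # Accept/Reject closes the exchange
    return {s: ((t - first[s]).total_seconds(), code)
            for s, (t, code) in final.items()}

def classify(duration_s, final_code, timeout_s):
    """Reproduce the two reason codes seen in the thread's connection log."""
    if duration_s > timeout_s:
        return "radius_timeout"  # AP gave up even though an Accept arrived later
    return "ok" if final_code == "Access-Accept" else "radius_login_failure"

def parse_connection_log(line):
    """Pull the key='value' fields out of a dashboard connection-log line."""
    return dict(re.findall(r"(\w+)='([^']*)'", line))

if __name__ == "__main__":
    for sess, (dur, code) in exchange_durations(CAPTURE).items():
        for timeout in (1.0, 10.0):
            print(sess, f"{dur:.3f}s", code, f"timeout={timeout}s",
                  classify(dur, code, timeout))
```

Session A shows the thread's situation: the Access-Accept does arrive, but after about 4 seconds, so with a 1 s timeout the AP reports `radius_timeout` while a 10 s timeout accepts the client.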

RaphaelL
Kind of a big deal

I will be increasing our timeout to 5 seconds, but we don't currently have issues with timeouts.

However, you seem to be having issues with it.

LC_IT
Here to help

Increasing the RADIUS timeout solved the problem!
Thank you so much!