cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Wireless Authentication Failure with Radius

SOLVED
Here to help

Wireless Authentication Failure with Radius

I am facing issue with all clients in some branches Association and authentication failure, log as shown below :

 

Associationtype='Association attempts' num='264' associated='true' radio='1' vap='0'

Authenticationtype='802.1X auth fail' num_eap='6' first_time='0.037280881' associated='true' radio='1' vap='0'

Authenticationtype='802.1X auth fail' num_eap='7' first_time='0.037280881' associated='true' radio='1' vap='0'

 

I am wondering what is the num_eap='6' ???

 

Many thanks in advance for help 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Here to help

Re: Wireless Authentication Failure with Radius

Solution found by change the TLS on the RADIUS server to work with TLS 1.2

View solution in original post

6 REPLIES 6
Highlighted
Kind of a big deal

Re: Wireless Authentication Failure with Radius

What does your RADIUS server log say?  If it allowing or denying the users?  If it is denying them what reason is it giving?

Highlighted
Here to help

Re: Wireless Authentication Failure with Radius

RADIUS server allow access !! 

Highlighted
Here to help

Re: Wireless Authentication Failure with Radius

Did you have any idea what is num_eap='?' this numbers should be indication of something
Highlighted
Conversationalist

Re: Wireless Authentication Failure with Radius

I am seeing a similar issue, and am looking for information on the different type of EAP error messages mean:

type='802.1X auth fail' num_eap='13' first_time='0.037608748' associated='false' radio='1' vap='2'

type='802.1X auth fail' num_eap='13' first_time='0.067861253' associated='false' radio='1' vap='2'

type='802.1X auth fail' num_eap='14' first_time='0.036066128' associated='false' radio='1' vap='2'

type='802.1X auth fail' num_eap='13' first_time='0.074911531' associated='false' radio='1' vap='2'

type='802.1X auth fail' num_eap='13' first_time='0.033155373' associated='false' radio='1' vap='2'

type='802.1X auth fail' num_eap='1' first_time='0.074211961' associated='true' radio='1' vap='2'

type='802.1X auth fail' num_eap='13' first_time='0.042235861' associated='false' radio='1' vap='2'

Highlighted
Meraki Employee

Re: Wireless Authentication Failure with Radius

num_eap='X' means the authentication failed at the Xth RADIUS packet exchange between AP and the RADIUS server.

 

Let's say the client shows num_eap='3', the authentication would go something like:

  1. AP sends packet 1 to the RADIUS server
  2. RADIUS server responds to packet 1
  3. AP sends packet 2 to the RADIUS server
  4. RADIUS server responds to packet 2
  5. AP sends packet 3 to the RADIUS server
  6. RADIUS server responds to packet 3 by rejecting the client
  7. The authentication failed at the 3rd packet exchange

Please refer below document for the packet exchange between the client and the radius server,

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

let's say a client was trying to authenticate against the RADIUS server and for some reason, the authentication failed at the "RADIUS Access-Request: EAP Response Identity / Access-Challenge: EAP Request MSCHAPv2 Challenge" part, then you would see a log stating num_eap='6', because the authentication failed at the 6th packet sent to the RADIUS server.

 

Does that mean that every time you see num_eap=6 means that the client failed at the RADIUS Access-Request: EAP Response Identity / Access-Challenge: EAP Request MSCHAPv2 Challenge?, not really, as you also have to consider that the AP sometimes will need to re-transmit some packets.

 

So let's say that the AP retransmitted the first RADIUS Access request: EAP response identity 3 times and never got a response, then you may see an 802.1x failure event with num_eap=3, as the AP sent three packets to the RADIUS server and failed.

 

Highlighted
Here to help

Re: Wireless Authentication Failure with Radius

Solution found by change the TLS on the RADIUS server to work with TLS 1.2

View solution in original post

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.