Wireless Authentication Failure with Radius

SOLVED
HosamHasan
Here to help

Wireless Authentication Failure with Radius

I am facing issue with all clients in some branches Association and authentication failure, log as shown below :

 

Associationtype='Association attempts' num='264' associated='true' radio='1' vap='0'

Authenticationtype='802.1X auth fail' num_eap='6' first_time='0.037280881' associated='true' radio='1' vap='0'

Authenticationtype='802.1X auth fail' num_eap='7' first_time='0.037280881' associated='true' radio='1' vap='0'

 

I am wondering what is the num_eap='6' ???

 

Many thanks in advance for help 

 

1 ACCEPTED SOLUTION
HosamHasan
Here to help

Solution found by change the TLS on the RADIUS server to work with TLS 1.2

View solution in original post

14 REPLIES 14
PhilipDAth
Kind of a big deal

What does your RADIUS server log say?  If it allowing or denying the users?  If it is denying them what reason is it giving?

RADIUS server allow access !! 

Did you have any idea what is num_eap='?' this numbers should be indication of something

I am seeing a similar issue, and am looking for information on the different type of EAP error messages mean:

type='802.1X auth fail' num_eap='13' first_time='0.037608748' associated='false' radio='1' vap='2'

type='802.1X auth fail' num_eap='13' first_time='0.067861253' associated='false' radio='1' vap='2'

type='802.1X auth fail' num_eap='14' first_time='0.036066128' associated='false' radio='1' vap='2'

type='802.1X auth fail' num_eap='13' first_time='0.074911531' associated='false' radio='1' vap='2'

type='802.1X auth fail' num_eap='13' first_time='0.033155373' associated='false' radio='1' vap='2'

type='802.1X auth fail' num_eap='1' first_time='0.074211961' associated='true' radio='1' vap='2'

type='802.1X auth fail' num_eap='13' first_time='0.042235861' associated='false' radio='1' vap='2'

num_eap='X' means the authentication failed at the Xth RADIUS packet exchange between AP and the RADIUS server.

 

Let's say the client shows num_eap='3', the authentication would go something like:

  1. AP sends packet 1 to the RADIUS server
  2. RADIUS server responds to packet 1
  3. AP sends packet 2 to the RADIUS server
  4. RADIUS server responds to packet 2
  5. AP sends packet 3 to the RADIUS server
  6. RADIUS server responds to packet 3 by rejecting the client
  7. The authentication failed at the 3rd packet exchange

Please refer below document for the packet exchange between the client and the radius server,

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

let's say a client was trying to authenticate against the RADIUS server and for some reason, the authentication failed at the "RADIUS Access-Request: EAP Response Identity / Access-Challenge: EAP Request MSCHAPv2 Challenge" part, then you would see a log stating num_eap='6', because the authentication failed at the 6th packet sent to the RADIUS server.

 

Does that mean that every time you see num_eap=6 means that the client failed at the RADIUS Access-Request: EAP Response Identity / Access-Challenge: EAP Request MSCHAPv2 Challenge?, not really, as you also have to consider that the AP sometimes will need to re-transmit some packets.

 

So let's say that the AP retransmitted the first RADIUS Access request: EAP response identity 3 times and never got a response, then you may see an 802.1x failure event with num_eap=3, as the AP sent three packets to the RADIUS server and failed.

 

I was seeing the same error with eap='2' and the root cause ended up being a problem with the wired network connection.  HVAC repair people managed to cause problems with the cable connected to the AP.  The big clue I ran into was the fact that the switch port it was connected to was not connected at 1000FDx, and I was seeing Excessive CRC/alignment errors on the port.
That was my reminder to check everything and assume nothing...

HosamHasan
Here to help

Solution found by change the TLS on the RADIUS server to work with TLS 1.2

Hi,

Thank you for the solution.

Just one question about enabling TLS 1.2 on NPS. Should I just add "fc0"(4032) into "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13" and restart the server? Or there are some more steps to do?

DanielKritikos
Here to help

How do you solve this issue if you are using Meraki's own radius server.

 

We a few sites under a template.

we are compleatly cloud, nothing in house apart from Meraki.

 

describing 2 of our sites to try keep it simple

ISP fiber 1g up and down on all. 2nd Wan faillover copper 500 500.

Site A (modem mx450 ms210 and a few APs MR 55s 442s 33s etc)

Site B (modem mx84 ms210 and a few APs MR 55s 442s 33s etc)

Site C (modem mx68 ms120 and a few APs MR 55s 442s 33s etc)

 

the config on these sites is simple and basic, no vlans

class c 172.16.0.0/20

 

and on all 3 of them for years now

Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='x' first_time='0.044370560' associated='false' radio='1' vap='0'

 

the majority of the devices are IOS.

the directory is meraki controlled using meraki's own user db

and 802.11x Meraki Radius

 

all the devices are / have logged in, and are/have worked on the single ssid.

but often through out the day, they loose internet access and when i look at the wireless health i am seeing 

a mid to high %fail to auth.

and the log is flooded with 

Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='13' first_time='0.044370560' associated='false' radio='1' vap='0'

 

Ive been working with a cisco meraki engineer for a few months on this now and were not making any progress.

So i thought it cant hurt to share my brick wall of a situation with you guys

 

any suggestions.

Ive done so much trouble shooting that there is no point it trying to remember what ive done.

Hit me up with an idea and i will either try it or tell you that i have already tried it.

 

ps monitor mode pcaps for this situation we are having are not possible.

 

any advise or help is extreamly appriciated.


Regards

Dan

Daniel.Kritikos@obs.school.ch

+41763751768

 

I should add that when they loose internet access, it can and mostly does randomly reconnect again after a few mins of trying.

 

sometimes just switching the iPad wifi off and on again get the connection back.

other times however deauthenticating "forgetting ssid" and logging back in is the solution.

 

but in general, even though it shows an auth issue, it has nothing to do with a user logging in "incorrectly".

 

R
Dan

MisterBones
Conversationalist

You know the sad part about this is that the issue still exists in the latest firmware v27.7.1 - Just ran through a rigmarole of troubleshooting steps on my end all the way from rebuilding our radius & CA infra to remove any potential KB conflicts on Microsoft's end - OS X users on current model MBPs could not maintain a stable connection to our campus wireless due to radius auth flapping. 

Downgrading our entire org to 26.6.1 for our MR53/MR55 and 26.8 for MR56 seemingly resolved this issue. After speaking to several Meraki engineers they had advised me that staying on older firmware is not a long term solution, however, unless the radius authentication problem is actually fixed in a future firmware update - our campus will not be moving off of the v26 flavor of MR firmware.

You should make a fresh post.  The original post was solved by enabled TLSv1.2 on their RADIUS server.  Have you done that?

Typing it now friend.

NetworkGuy
New here

Hi,

 

I had the same problem with a laptop not authenticating wirelessly with RADIUS but the logs showed the following error:

type='802.1X auth fail' num_eap='8' first_time='0.047297718' associated='false' radio='1' vap='0'

 

I later found that the laptop did not have the ""Automatically use my Windows logon name and password (and domain if any) checkbox ticked.

 

Remember that these settings are not found on the wireless adaptor settings, they are on the wired ethernet properties.

 

NetworkGuy_0-1652194981023.png

 

Hope this helps

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels