Meraki

Community

30.7 Update Breaks RADIUS

jpeterprarch
Here to help
‎Jul 15 2024 6:16 PM
‎Jul 15 2024 6:16 PM

30.7 Update Breaks RADIUS

We just recently upgraded our eligible APs to 30.7 from 30.5.  Immediately afterward all 802.11 auth attempts to our RADIUS servers failed.  Thus, we rolled back to 30.5.  Has anyone else encountered this issue?  I see in the 30.7 release notes a reference to a fix for RADIUS requests when if they had exited the primary management interface if an AMI was defined.  In our environment we don't have a AMI defined.

45 Replies 45
Brash
Kind of a big deal
Kind of a big deal
‎Jul 15 2024 6:33 PM
‎Jul 15 2024 6:33 PM

What are you using for your RADIUS server?

We have upgraded our fleet to 30.7 and are using RADIUS authentication without issue.

In response to Brash
jpeterprarch
Here to help
‎Sep 2 2024 7:50 AM
‎Sep 2 2024 7:50 AM

Windows NPS

0 Kudos
ammahend
Building a reputation
‎Jul 15 2024 7:43 PM
‎Jul 15 2024 7:43 PM

I have 30.7 in production and a test lab on 31.1.2 no issues with radius, I am using Cisco ISE as radius.

 

can you share more information like, if you are seeing logs on radius and share the logs to understand why radius authentication is failing.

0 Kudos
In response to ammahend
RaphaelL
Kind of a big deal
Kind of a big deal
‎Jul 16 2024 8:16 AM
‎Jul 16 2024 8:16 AM

Exact same setup as @ammahend , running without any issues. 

 

WPA2-Enterprise , Cisco ISE reachable via AutoVPN.

0 Kudos
In response to ammahend
jpeterprarch
Here to help
‎Jul 18 2024 5:37 AM
‎Jul 18 2024 5:37 AM

We're using Windows NPS.  The requests never hit the NPS servers therefore there's nothing to see in the logs.  

0 Kudos
In response to jpeterprarch
ammahend
Building a reputation
‎Jul 24 2024 10:37 PM
‎Jul 24 2024 10:37 PM

out of curiosity re-enter shared secret again on both side and see if it changes anything.

0 Kudos
Mark_S
Meraki Employee
Meraki Employee
‎Jul 16 2024 2:41 AM
‎Jul 16 2024 2:41 AM

Hi jpeterprarch,

 

There is an issue in the 30.7 firmware, under very specific configurations, whereby client balancing rejects clients. This may be what you were seeing when you upgraded.

If you have not already, I would recommend raising a case with Meraki support so they can assist with troubleshooting this issue to help determine whether you were indeed affected by this.
Details on how to raise a case through dashboard or to call the support line can be found within the 'Get help & cases' page which is accessible in the ? icon menu in dashboard.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
In response to Mark_S
jpeterprarch
Here to help
‎Jul 18 2024 5:38 AM
‎Jul 18 2024 5:38 AM

Ah, thanks.  I have opened a case and waiting to hear back.

In response to Mark_S
ChristianHenn
Conversationalist
‎Jul 22 2024 1:03 AM
‎Jul 22 2024 1:03 AM

Meraki support said there is no known bug. Difficult to troubleshoot this topic when the manufacture can't confirme the bug.

In response to ChristianHenn
jpeterprarch
Here to help
‎Jul 22 2024 6:01 AM
‎Jul 22 2024 6:01 AM

Well.  @Meraki.  Look again.  I received a single response from support asking the obvious questions.  Haven't heard back.  

In response to Mark_S
redsector
Head in the Cloud
‎Jul 24 2024 5:35 AM
‎Jul 24 2024 5:35 AM

I did open a case but they didn´t really understand the problem.

0 Kudos
skunkytoots
New here
‎Jul 16 2024 8:57 AM
‎Jul 16 2024 8:57 AM

30.7 broke Radius for my org as well

Brad39
Here to help
‎Jul 17 2024 11:13 PM
‎Jul 17 2024 11:13 PM

Hi ,

Adding to this as well, we have upgraded to 30.7 and have seen two networks with the same issue, generic Association errors with SSIDs with Radius Auth. Running Windows NPS. Will Raise a support ticket to investigate. 

In response to Brad39
jpeterprarch
Here to help
‎Jul 18 2024 6:30 AM
‎Jul 18 2024 6:30 AM

I'd be curious to hear what you hear from support.  So far I have yet to hear back.

pjc
A model citizen
‎Jul 18 2024 2:31 AM
‎Jul 18 2024 2:31 AM

@skunkytoots and @Brad39 do you both have client balancing enabled on the affected networks ?  I've scheduled 30.7 upgrades for next week and we run NPS Radius but we don't use client balancing

Thanks

0 Kudos
In response to pjc
jpeterprarch
Here to help
‎Jul 18 2024 6:29 AM
‎Jul 18 2024 6:29 AM

Yes we have Client Balancing enabled.  Perhaps we fall under "very specific configurations".

In response to pjc
Brad39
Here to help
‎Jul 18 2024 4:01 PM
‎Jul 18 2024 4:01 PM

We have it on, however we tested turning this off to try and fix the issue but didn’t help

ChristianHenn
Conversationalist
‎Jul 19 2024 2:09 AM
‎Jul 19 2024 2:09 AM

We had the exact same issue. The only solution was to rollback.

0 Kudos
pjc
A model citizen
‎Jul 19 2024 3:24 AM
‎Jul 19 2024 3:24 AM

I've decided to postpone my planned rollout of 30.7.  Although we don't use client balancing, @Brad39 stating that turning off client balancing didn't solve the issue is enough for me to be nervous about this, despite me running 30.7 in a small live environment (2 x MR44's) for the past week without issues with radius auth (my normal live test firmware update environment)

0 Kudos
Brad39
Here to help
‎Jul 22 2024 6:54 PM
‎Jul 22 2024 6:54 PM

It’s a strange one, in the end this looks to have only affected 2 out of around 30 networks in our org, all very similarly configured. We are just going to hold off on 30.7 for those two and possibly jump to the next release.

In response to Brad39
redsector
Head in the Cloud
‎Jul 24 2024 3:05 AM
‎Jul 24 2024 3:05 AM

I have got the same issue

0 Kudos
redsector
Head in the Cloud
‎Jul 24 2024 3:07 AM
‎Jul 24 2024 3:07 AM

I have got also issues with Cisco ISE 3.2 Errors occured since ugrading ISE from 2.7 to 3.2 and Meraki MR30.6 to MR30.7

0 Kudos
AAABBBCCC
New here
‎Jul 24 2024 7:00 AM
‎Jul 24 2024 7:00 AM

Had this exact issue going from 29.X to 30.7.  Any SSID using radius was broken.  We backend with ISE.  Rolled back to fix for now.

0 Kudos
user61762
Conversationalist
‎Jul 24 2024 11:31 AM
‎Jul 24 2024 11:31 AM

Similar experience here after seven networks with MR42 (and some MR86) APs upgraded from MR 29.5.1 to MR 30.7 overnight.

 

We have various SSIDs configured across the seven networks in question.

 

We experienced at least two networks where an SSID configured for Identity PSK with RADIUS did not permit clients to move past the association step.

 

Event logs showed clients attempting to associate but never moving to the wpa_auth step. After not too long, associations from clients on the SSID in question were failing with reason code 17.

 

Finding this thread (and another thread on Reddit), we disabled client balancing and the symptoms subsided.

 

The remaining networks that have an SSID configured for Identity PSK with RADIUS do not currently have active clients that would be attempting to use that SSID, so we don't yet know if they're affected.

 

Like others, we've opened a case with Meraki support to report the issue and seek more details.

pjc
A model citizen
‎Jul 25 2024 4:47 AM
‎Jul 25 2024 4:47 AM

Being reported on Reddit

https://www.reddit.com/r/meraki/comments/1e35rty/mr_307_causes_association_error_17/

I'm gonna hold of upgrading until confirmed fixed in future release

In response to pjc
jpeterprarch
Here to help
‎Sep 2 2024 7:56 AM
‎Sep 2 2024 7:56 AM

This might be it.  Our affected SSID is in Slot9.

0 Kudos
mags1892
Here to help
‎Aug 8 2024 6:57 AM
‎Aug 8 2024 6:57 AM

 this seems specific to the AP model , we have MR57 and 30.7 with no issues . However other offices with mr33 do have issues. Meraki have not been very forthcoming with support 

In response to mags1892
BWIT
New here
‎Aug 9 2024 5:17 AM
‎Aug 9 2024 5:17 AM

Hi

We had the issue with MR46's with NPS

 

One of my networks I applied the workaround of diabling the client balencing, the others I chose to roll back.

 

The best part is meraki support said

'a fix has been developed by our engineering team and should be available in the next firmware releases of MR 30.8 & MR 31.1.2'

However 30.8 is not yet avaible and 31.1.2 has already been superseeded by 31.1.3 in beta. 🙄

 

Even worse than that, I asked why this known issue was not noted on the release notes and could the add it, they said

'While it is true that there is a known issue with SSID and client balancing in version 30.7, not all customers utilize these specific features, so they will not be impacted by this issue.' ...'Furthermore, the request to update the release notes of firmware upgrades immediately upon issue identification cannot be fulfilled by Meraki Support directly. Nevertheless, we have the means to relay feedback and information to our internal development team. Notably, utilizing the "leave feedback" function'.👏

 

The point being, I dont know why they can't retrospectivly add a note the release notes of 30.7 to mention this known issue, its not a secret.

 

Finally, the best part, even though I have an active support case about this issue, Meraki's automation decided to schedule updates to 30.7 for my remaing networks last week. 😒

 

JMI
Here to help
‎Sep 2 2024 2:14 AM
‎Sep 2 2024 2:14 AM

As per the recent findings in the Reddit thread mentioned earlier - avoid SSID slot #9.

In response to JMI
jpeterprarch
Here to help
‎Sep 2 2024 7:49 AM
‎Sep 2 2024 7:49 AM

Just read it (pun intended).  You have got to be kidding me.  Our affected SSID is in slot 9.  Now I haven't fully tested it yet, however, if this is the reason, this has to be one of the most absurd bugs encountered in my entire 30 year IT career.  I echo the sentiment of another post prior "Doesn't anyone test anything anymore?"

0 Kudos
In response to jpeterprarch
ChristianHenn
Conversationalist
‎Sep 2 2024 8:10 AM
‎Sep 2 2024 8:10 AM

Our affected SSID is in different templates in different slots...

0 Kudos
JMI
Here to help
‎Sep 2 2024 8:10 AM
‎Sep 2 2024 8:10 AM

I now found they actually updated the 30.7 release notes a couple weeks back. Not that it would have made much of a difference to us, we only have three active SSIDs. But at  our main site (of course) one of them was in #9, due to the presence of various disabled legacy networks.  No RADIUS on that SSID, by the way.

 

One might be forgiven for thinking Meraki could have issued a warning to accounts where they saw this particular configuration, them having access to global inventories and all.

 

JMI_0-1725289288378.png

 

0 Kudos
Brad39
Here to help
‎Sep 22 2024 4:42 PM
‎Sep 22 2024 4:42 PM

So looks to be an update in the "Known Issues". 

 

None of our affected networks are in slot 9 SSID, however they are in Slot 10. Meraki has updated the known issue to now be SSID 10. We are going to look at moving these from that SSID slot to another one in the next week or so and re-test 30.7...

unnamed (1).png

In response to Brad39
redsector
Head in the Cloud
‎Sep 23 2024 1:45 AM
‎Sep 23 2024 1:45 AM

Hello, where can I see the "slot"-number?

0 Kudos
In response to redsector
Brad39
Here to help
‎Sep 23 2024 1:48 AM
‎Sep 23 2024 1:48 AM

Under the network, Wireless > Configure > SSIDs and then click show all my SSIDs. Left to Right is 1 to 15

In response to Brad39
TBHPTL
A model citizen
‎Sep 23 2024 9:30 AM
‎Sep 23 2024 9:30 AM

No, in GUI left to right it is 0 , 1, 2 ,3 

In response to redsector
TBHPTL
A model citizen
‎Sep 23 2024 9:31 AM
‎Sep 23 2024 9:31 AM

https://developer.cisco.com/meraki/api-v1/get-network-wireless-ssids/

 

Left to right in GUI is slot 0 , slot 1, slot 2, etc

0 Kudos
In response to TBHPTL
Brad39
Here to help
‎Sep 23 2024 1:56 PM
‎Sep 23 2024 1:56 PM

Sorry you are correct!

 

Pulling it via API it’s “Number” 0-14 and via the GUI “Unconfigured SSID” 1-15. 

The terminology is prob not the best.

 

Sorry!

0 Kudos
In response to Brad39
mags1892
Here to help
‎Sep 23 2024 2:25 AM
‎Sep 23 2024 2:25 AM

we only have 4 ssids and the radius issues is there . we downgraded firmware and used meraki proxy on the MRs but also had to upgrade firmware on the MX 

In response to mags1892
redsector
Head in the Cloud
‎Sep 23 2024 2:54 AM
‎Sep 23 2024 2:54 AM

Which MX firmware had you bevore and after upgrading?

 

0 Kudos
In response to redsector
mags1892
Here to help
‎Sep 23 2024 3:03 AM
‎Sep 23 2024 3:03 AM

MX 18.211.2 - 18.211.3 

MX - 75

In response to mags1892
redsector
Head in the Cloud
‎Sep 23 2024 3:47 AM
‎Sep 23 2024 3:47 AM

Thank you, very interessting. we will check it here, we also have MX75 and firmware MX 18.211.2

0 Kudos
In response to redsector
mags1892
Here to help
‎Sep 23 2024 5:52 AM
‎Sep 23 2024 5:52 AM

it does seem like this had a bearing whereas our mx100 worked without issues. 

0 Kudos
In response to Brad39
JMI
Here to help
‎Sep 23 2024 2:56 AM
‎Sep 23 2024 2:56 AM

That's weird, so this bug is moving across the configured SSIDs? In our case it was definitely the 9th SSID that was affected (Default name "Unconfigured SSID 8" as they start counting from zero).

0 Kudos
scpswifi
Here to help
‎Oct 8 2024 11:14 AM
‎Oct 8 2024 11:14 AM

Same issue here, I was using slot 10 with radius and it broke.  Moved the network to slot 8 and clients are connecting again.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.