- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lots of wireless authentication failures
Hello!
With the improved wireless health screens, I've been trying to diagnose some issues. I am seeing a lot of authentication errors (mainly with iPhone / iPads). Some are static and some roam from one AP to another.
I've cleared the network settings and removed the wifi ssid from the phone and it's still happening.
Any ideas? I am testing and will soon deploy Identity PSK with RADIUS -will that address the problem?
Thanks,
Chris
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What MR model and firmware are you running. Is it causing an actual problem, or simply a log issue?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both APs are MR52 and latest firmware (26.7)
I do notice that sometimes my iPhone is on 4G and then switches back to wifi, is that an issue probably not.
I do have wifi calling set up and sometimes notice if I roam between the APs the signal degrades quite a lot (normal phone signal is pretty weak).
I do have 802.11r set to Adaptive (and just PSK WPA2). I do understand the security issue and hence moving to iPSK.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm using 802.1x with Meraki authentication - thought that might be Meraki radius availability problem.
br, Pawel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This morning, iPhone now says incorrect password and won't even join.
No configuration changes have been made at all.
Worth raising a case with Meraki support to have it logged?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After upgrading to 26.7 I had constant and repeated problems with authentication, both standard WPA2 and RADIUS. Rolling back to 26.6.1 fixed the issues - I'd try that first and wait for a stable release to come out instead of the RC.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've did a bit of debugging of this issue today and found out some curious thing:
It seems that failures reported by Wireless Health are fake. When I look at access logs there is no such event (there is a Radius authentication event, but it is not fail - just roaming re-auth)
Opened case about that.
Br, Pawel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
Any replay from TAC about this behavior?
BR
frenz
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've opened a case.
I've got reply that they are not aware of such issue and I need to call them to make real-time packet capture.
The problem is that those errors are random and it is not easy to reproduce them during such session.
Pawel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have seen similar issue with Apple and Non Apple devices as well. My MR is set for WPA2-PSK and the device is failing with WPA-PSK auth. It doesn't seem like an issue as my device connects fine later. I would hope if I enable WPA and WPA2 I will not see this error. I discarded it as a false alarm.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One question to anyone that still have this issue:
Do you have corresponding event log entries to health-reported authentication errors. In may case there aren't any.
I've noiticed TAC about that, but they simply ignored it.
Br, Pawel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ma having the same issues Just replying so i can follow the answers
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'v downgraded APs to 26.6.1 and problem still exists on both WPA2-PSK and WPA2-Enterprise networks. Authentication failures are only with Apple iOS devices - and the is no trace of them in device event logs - only in Wireless Health pages in dashboard.
BR, Pawel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has anyone seen any improvements with this? I recently update to 26.6.1 and started having auth issues with my RADIUS and WPA2 SSID's. Prior to this firmware version I had no issues so I am looking to roll back but was wondering if any of you had found a resolution to this yet.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my case no difference between 26.6.1 and 26.7.
I've read reports that those are false-positives and those events are only visible in health status not in real event logs.
Not sure about that, as my devices sometimes really report "bad password" messages - especially when roaming.
br, Pawel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm installing 26.8 now to see if this resolves the problem.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm on 26.8 and I have already seen some bunch of those auth errors. So no change...
At least they fixed the foreign SSID signal strength on MR45s - I took them only one year...
Br, Pawel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, I rolled back to 25.13 yesterday afternoon and have not had an issue with Authentication since on WPA2 PSK or Enterprise. My biggest issue was the devices on PSK auth, I had devices that have had the passphrase saved for quite some time and never an issue but after 26.6.1 they were consistently failing to auth intermittently all day long. I'm at about 24 hours now without an issue. When I have more time to test I will raise a case with support.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am having this same issue. Have you had any more issues since rolling back the firmware?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does not seem to be resolved in latest stable version 27.6. Upgraded it last night. Even though mentioned fixed under bug fixes of release note.
Still seeing authentication error logs under 'Connection Logs' for only 1 SSID.
Called support again and toggling SSID for them look at backend logs in production environment not feasible option! And famous quote of taking wireshark capture from a non-IT user device
Please help!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'v had some spare time today, so I've made lots of testing.
In case of 802.1x authentication errors - those are NOT false positives. In my network it only happens when iOS device tries to roam from one AP to another (but I does not happen always). On iOS device there is wifi connection all the time, but it cannot roam to another AP which has much better signal. On the same time Authentication Errors (with some delay) appear on wireless health dashboard. There is NO sign of such errors in event log (for AP and client). When I disable wifi on iOS device and re-enble it - it correctly connects to AP it failed to connect when roaming. I can't say what are the circumstances it happens. I've seen lots of successful roamings when testing.
Br, Pawel
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After further testing I've found out that its the 802.11r that is causing the problems (wether enabled or adaptive).
After disabling it on my 802.1x SSID - no authentication errors any more, no messages on iOS devices about bad password.
Br, Pawel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So the feature designed to assist roaming breaks it! 🤦♂️
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, exactly.
But as it applies only to iOS devices - it might be a shared Meraki/Apple problem in implementation.
Even with 802.11r disabled all iOS devices roam with PKMSA cache - which is also quite fast (and with lack of all those auth errors much more robust and reliable than 802.11r FT)
Br, Pawel.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are on version MR 27.5.1 and still having same issues. Disabling 802.11r was a consistent solution? After disabling this, were those messages completely dissapeared?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have got the same issue with Apple devices not with Win10 notebooks.
Roaming takes sometimes minutes to work. Sometimes it helps to switch off and on again wireless on the device.
I am using MR34, MR42, MR46 on different networks with MR26.7 or now MR26.8 software.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
also experiencing this general issue, replying to follow.
is disabling 802.1r the recommended step? what's the downside?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can refer to here https://support.apple.com/en-us/HT202628 or the article about 802.11r
802.11r uses the PSK method, which may be risky in special circumstances.