Meraki

Community

Radius Authentication Errors

Bohodir
Just browsing
‎Jun 10 2024 9:12 AM
‎Jun 10 2024 9:12 AM

Radius Authentication Errors

Hello Community,

 

We are having intermittent Radius authentication issues last couple month now. Here is some background regarding our configuration:

 

We have 2 SSID is setup across all offices which are xxx_CORP and xxx_GUEST. 

xxx_GUEST is based on permanent password authentication and works without issues.

However xxx_CORP is configured with Radius Authentication with certificate, and our radius

provider is radius-as-a-service.com. Intermittently our corporate devices like laptops are having 

issues to connect. When I pull Meraki portal logs regarding authentication I see lots of these errors:

 

Client made an 802.1X authentication request to the RADIUS server, but it did not respond.auth_mode='wpa2-802.1x' vlan_id='50' radius_proto='ipv4' radius_ip='127.0.0.1' reason='radius_timeout' reassoc='1' radio='1' vap='0' channel='44' rssi='42'

 

With radius server we use secure radius configuration utilizing RadSec over TCP. I wondering why in the logs showing radius

server address as "127.0.0.1" why not actual radius server address configured ?

If anybody have any advice or experience I really appreciate your input.

 

Thank you very much.

0 Kudos
8 Replies 8
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 10 2024 9:23 AM
‎Jun 10 2024 9:23 AM

Have you had any recent firmware updates?
 
If so, which version are you running? Have you tried with another firmware version?
 
I also suggest you open a support case.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Bohodir
Just browsing
‎Jun 10 2024 9:31 AM
‎Jun 10 2024 9:31 AM

Thank you @alemabrahao for quick response, here is firmware info:

 

Current version: MR 30.6

 

We upgraded couple month ago that also kind a aligns with radius issues, I have to check.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 10 2024 2:06 PM
‎Jun 10 2024 2:06 PM

What does the RADIUS server log show?  Is it seeing the authentication request coming in?  Is it allowing it or denying it (and if deny, why)?

0 Kudos
In response to PhilipDAth
Bohodir
Just browsing
‎Jun 11 2024 8:45 AM
‎Jun 11 2024 8:45 AM

Hey PhillipDath.

 

No unfortunately I do not see deny requests on Radius server. Especially from devices it has been issues. That's baffling me.

0 Kudos
In response to Bohodir
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 11 2024 8:50 AM
‎Jun 11 2024 8:50 AM

In your place I would try to downgrade or upgrade to another version just to test. It would be interesting to request support from Meraki support.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
kchand
Meraki Employee
Meraki Employee
‎Jun 14 2024 6:36 AM
‎Jun 14 2024 6:36 AM

Hello,

It is expected to observe 127.0.0.1 IP address while using the RADSec over TCP. Did you notice if the Access-Request messages are reaching your RADIUS server?

I will also recommend calling support to take a packet capture and confirm where the RADIUS authentication is failing on your network.

If you found this post helpful, please give it kudos.
If my answer solved your problem, click "accept as solution" so that others can benefit from it.
0 Kudos
Henry-M
New here
‎Oct 21 2024 3:53 AM
‎Oct 21 2024 3:53 AM

Was there ever a fix for this? I've got a similar issue using a cloud based Radsec provider.

HenryM_0-1729507951809.png

The client will authenticate in the end but it generates alerts along the way...

0 Kudos
In response to Henry-M
Bohodir
Just browsing
‎Oct 21 2024 11:11 AM
‎Oct 21 2024 11:11 AM

No never fixed the issue, but occurrences is decreased. I suspecting Radius-as-Service issue. I'm still building on prem solution for this issue.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.