Radius Authentication Errors

Bohodir
Just browsing


Hello Community,

We have been having intermittent Radius authentication issues for the last couple of months now. Here is some background regarding our configuration:

We have 2 SSIDs set up across all offices, which are xxx_CORP and xxx_GUEST.

xxx_GUEST is based on permanent password authentication and works without issues.

However, xxx_CORP is configured with Radius authentication with a certificate, and our Radius provider is radius-as-a-service.com. Intermittently, our corporate devices like laptops are having issues connecting. When I pull the Meraki portal logs regarding authentication, I see lots of these errors:

Client made an 802.1X authentication request to the RADIUS server, but it did not respond.auth_mode='wpa2-802.1x' vlan_id='50' radius_proto='ipv4' radius_ip='127.0.0.1' reason='radius_timeout' reassoc='1' radio='1' vap='0' channel='44' rssi='42'

With the Radius server we use a secure Radius configuration utilizing RadSec over TCP. I am wondering why the logs show the Radius server address as "127.0.0.1" and not the actual Radius server address configured?

If anybody has any advice or experience, I would really appreciate your input.

Thank you very much.

alemabrahao
Kind of a big deal

Have you had any recent firmware updates?

If so, which version are you running? Have you tried with another firmware version?

I also suggest you open a support case.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Bohodir
Just browsing

Thank you @alemabrahao for the quick response, here is the firmware info:

Current version: MR 30.6

We upgraded a couple of months ago, which also kind of aligns with the Radius issues; I have to check.

PhilipDAth
Kind of a big deal

What does the RADIUS server log show?  Is it seeing the authentication request coming in?  Is it allowing it or denying it (and if deny, why)?

Bohodir
Just browsing

Hey PhilipDAth.

No, unfortunately I do not see deny requests on the Radius server, especially from the devices that have been having issues. That's baffling me.

alemabrahao
Kind of a big deal

In your place I would try to downgrade or upgrade to another version just to test. It would be interesting to request support from Meraki support.

kchand
Meraki Employee

Hello,

It is expected to observe the 127.0.0.1 IP address while using RADSec over TCP. Did you notice if the Access-Request messages are reaching your RADIUS server?

I will also recommend calling support to take a packet capture and confirm where the RADIUS authentication is failing on your network.

If you found this post helpful, please give it kudos.
If my answer solved your problem, click "accept as solution" so that others can benefit from it.
Henry-M
New here

Was there ever a fix for this? I've got a similar issue using a cloud-based Radsec provider.


The client will authenticate in the end but it generates alerts along the way...

Bohodir
Just browsing

No, the issue was never fixed, but occurrences have decreased. I suspect a Radius-as-Service issue. I'm still building an on-prem solution for this issue.
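For anyone collecting evidence before a support case, the event detail quoted in the first post can be parsed and the `radius_timeout` events tallied per channel and per reported server address. This is an added example, not code from any poster or from Meraki: the function names are hypothetical, the first sample line is the one from the post and the rest are constructed. Loopback addresses are counted separately because, as kchand notes above, 127.0.0.1 is expected with RadSec over TCP and does not identify the upstream server.

```python
import ipaddress
import re
from collections import Counter

# key='value' pairs as they appear in the event detail quoted in the thread
PAIR_RE = re.compile(r"(\w+)='([^']*)'")

SAMPLE_EVENTS = [
    # From the original post
    "Client made an 802.1X authentication request to the RADIUS server, but it did not respond."
    "auth_mode='wpa2-802.1x' vlan_id='50' radius_proto='ipv4' radius_ip='127.0.0.1' "
    "reason='radius_timeout' reassoc='1' radio='1' vap='0' channel='44' rssi='42'",
    # Constructed lines below (same field names, made-up values)
    "Constructed event A auth_mode='wpa2-802.1x' vlan_id='50' radius_ip='127.0.0.1' "
    "reason='radius_timeout' reassoc='0' radio='1' vap='0' channel='36' rssi='30'",
    "Constructed event B auth_mode='wpa2-802.1x' vlan_id='50' radius_ip='192.0.2.10' "
    "reason='radius_timeout' reassoc='1' radio='1' vap='0' channel='44' rssi='25'",
    "Constructed event C auth_mode='wpa2-802.1x' vlan_id='50' radio='1' vap='0' channel='44'",
]

def parse_event(line):
    """Split one event detail into (description, {key: value})."""
    first = PAIR_RE.search(line)
    if first is None:
        return line.strip(), {}
    return line[:first.start()].strip(), dict(PAIR_RE.findall(line))

def summarize_timeouts(lines):
    """Tally radius_timeout events by channel and by reported RADIUS address."""
    by_channel, by_server, loopback = Counter(), Counter(), 0
    for line in lines:
        _, fields = parse_event(line)
        if fields.get("reason") != "radius_timeout":
            continue
        by_channel[fields.get("channel", "?")] += 1
        ip = fields.get("radius_ip", "")
        by_server[ip] += 1
        try:
            loopback += ipaddress.ip_address(ip).is_loopback
        except ValueError:
            pass  # missing or malformed address: counted, not classified
    return {"total": sum(by_channel.values()), "by_channel": dict(by_channel),
            "by_server": dict(by_server), "loopback": loopback}

if __name__ == "__main__":
    print(summarize_timeouts(SAMPLE_EVENTS))
```
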
