Radius Authentication Issues

JF1
Getting noticed


Hi

 

I am having an issue with an SSID that uses Radius Authentication.

The problem is intermittent and doesn't affect all users, however the users / devices who are affected consistently have the problem.

If an affected user attempts to connect to said SSID they receive an error advising unable to connect to said SSID.

In the Meraki dashboard I see this error:-

"Client made an 802.1X authentication request to the RADIUS server, but it did not respond."

 

In the 2 scenarios we have 2 laptops both registering via the same access point.

The laptops are the same model and have been imaged the same.

I have performed a number of packet captures for both working and failed connection attempts.

 

When reviewing the packet capture, for the working scenario I can see an access challenge, access request and an access accept.

 

In the failed attempts I only see the access challenge and access request - we don't see the accept.

When performing a packet capture on the RADIUS server, I can't see this issuing the Access-Accept.

 

Has anyone seen this before? I presume the RADIUS server should issue the Access-Accept and therefore the RADIUS server is likely causing the issue? I'm struggling to find a resolution and hoping someone may be able to help.

 

Thanks

 

14 Replies
RaphaelL
Kind of a big deal

Hi,

 

What version are you running?

JF1
Getting noticed

MR42s running 28.6.1

We are planning a round of upgrades to 28.7.1

KarstenI
Kind of a big deal

When you look into the two final RADIUS Access-Requests (the working and the failed), do you spot any differences?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
JF1
Getting noticed

No, I don't. Other than the "Length:" under a few headings but I don't think this is related?

 

Found this guide - RADIUS Issue Resolution Guide - Cisco Meraki

 

The last packet I can see is an Access-Challenge response (to an Access-Requested message) from the RADIUS server to the AP.

JF1
Getting noticed

The NAS-port is different and the RSSI

KarstenI
Kind of a big deal

Does the RADIUS server log in both cases a Success? Or what is the Log for the failed sessions?

JF1
Getting noticed

On the RADIUS server the first log for the affected device is a log from the AP, destination the RADIUS server - Access-Request

The response in Wireshark to the log above is from the AD server to the AP - Access-Challenge

 

This repeats so the next log is from the AP, destination the RADIUS server - Access-Request

The response in Wireshark to the log above is from the AD server to the AP - Access-Challenge

 

This repeats one more time - 

next log is from the AP, destination the RADIUS server - Access-Request

The response in Wireshark to the log above is from the AD server to the AP - Access-Challenge

 

So ultimately I don't see an Access-Reject or Access-Accept

 

KarstenI
Kind of a big deal

Yes, but the question is if the RADIUS server processed the last request and just the reply got lost somewhere or if the RADIUS server was not able to process the last request.

Which RADIUS server is it?
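The comparison discussed in the posts above, as an added example that is not part of the original thread: a small RFC 2865 parser that reports, per client, which packet type a capture ends on, separating an unanswered Access-Request from an unanswered Access-Challenge. The packets and MAC addresses are constructed, and replies are matched to requests on the Identifier alone, an assumption that a real capture would tighten by also keying on source IP and port.

```python
import struct

CALLING_STATION_ID = 31  # RFC 2865 attribute that carries the client MAC
VERDICT = {1: "server never answered the last Access-Request",
           2: "Access-Accept",
           3: "Access-Reject",
           11: "client side never answered the last Access-Challenge"}

def build(code, ident, mac=None):
    """Constructed sample packet: zeroed authenticator, optional client MAC."""
    attrs = bytes([CALLING_STATION_ID, len(mac) + 2]) + mac.encode() if mac else b""
    return struct.pack("!BBH16s", code, ident, 20 + len(attrs), bytes(16)) + attrs

def parse(pkt):
    """Return (code, identifier, {attr_type: value}) from one RADIUS datagram."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, i = {}, 20
    while i + 2 <= length:
        a_type, a_len = pkt[i], pkt[i + 1]
        if a_len < 2 or i + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = pkt[i + 2:i + a_len]
        i += a_len
    return code, ident, attrs

def classify(packets):
    """Map each client MAC to how its last RADIUS exchange in the capture ended."""
    pending, last = {}, {}
    for pkt in packets:
        code, ident, attrs = parse(pkt)
        if code == 1:  # Access-Request: remember which client owns this identifier
            mac = attrs.get(CALLING_STATION_ID, b"unknown").decode()
            pending[ident] = mac
            last[mac] = code
        elif ident in pending:  # reply: credit it to the request it answers
            last[pending.pop(ident)] = code
    return {mac: VERDICT.get(c, f"code {c}") for mac, c in last.items()}

# Constructed capture: three clients with made-up MACs, packets in arrival order.
GOOD, STALLED, UNANSWERED = "AA-00-00-00-00-01", "AA-00-00-00-00-02", "AA-00-00-00-00-03"
CAPTURE = [build(1, 1, GOOD), build(1, 3, STALLED), build(11, 1), build(11, 3),
           build(1, 2, GOOD), build(1, 4, STALLED), build(2, 2), build(11, 4),
           build(1, 5, UNANSWERED), build(11, 5), build(1, 6, UNANSWERED)]

if __name__ == "__main__":
    for mac, outcome in classify(CAPTURE).items():
        print(mac, "->", outcome)
```

A capture that ends on an Access-Challenge points at the supplicant or AP side of the EAP exchange, while one that ends on an Access-Request points at the server or the return path.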

JF1
Getting noticed

It's a Windows Server

KarstenI
Kind of a big deal

That's the server with the probably worst logging available. Perhaps someone with knowledge of that system can jump in ...

JF1
Getting noticed

I have asked that, as I don't support the server infrastructure. Thanks for the input. I've also got a ticket open with Meraki support so I can see what they advise.

Henrik_
Here to help

We had similar issues with Radius authentication and the same error messages, "Client made an 802.1X authentication request to the RADIUS server, but it did not respond". After months of struggling we disabled 802.11w about a week ago and we've had no connection problems since then. Meraki support says a fix is on its way but no ETA yet. MR46s running 29.4.1.

JF1
Getting noticed

Interestingly Meraki have since requested we disable 802.11w on the associated SSID. Clearly there is some issue there! We will do this and perform further testing in an attempt to see if it's a contributing factor to the issue. Thanks for the input

JF1
Getting noticed

An update for anyone interested as I see a few RADIUS related posts recently.

We have found that Microsoft Credential Guard may be impacting this.

Disabling Credential Guard and clients can connect.

We are continuing to investigate, however potentially worth looking at this if anyone else is having issues 
