Hi,
Last week on 3 different networks I had 20+ APs that were down. The switchport had the error: SecurePort authentication failure
After taking packet captures, I noticed that the certificates of the APs were expired:
I had to reboot the APs like 10 times to get them working:
Couldn't find anything in the recent firmware that could explain that.
I'm running old MS and MR firmware due to multiple unsolved bugs.
Anyone ever experienced that?
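The failure described above was only visible once the AP's certificate was pulled out of a packet capture and its validity dates read. As an added example (not part of the thread, and not Meraki code), the stdlib-only Python below reads the Validity window out of any DER-encoded X.509 certificate and classifies it as expired, not yet valid, expiring within a warning window, or ok. It goes slightly beyond the thread by also warning before expiry, which is the check you would want to schedule for SecurePort APs whose renewal cannot be taken for granted. Assumptions: you have exported the certificate bytes from the capture to a `.der` file (e.g. Wireshark's "Export Packet Bytes" on the Certificate record of the EAP-TLS handshake); the sample certificate built inside the block is a constructed skeleton with placeholder name, key and signature fields, not a real Meraki certificate; `ap-example` is an invented CN.

```python
"""Read the Validity window from a DER X.509 certificate and flag expiry (stdlib only)."""
import sys
from datetime import datetime, timedelta, timezone

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its immediate child (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = _read_tlv(value, pos)
        out.append((tag, body))
    return out

def _parse_time(tag, body):
    """Decode UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    text = body.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY 50-99 -> 19YY, 00-49 -> 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def certificate_validity(der):
    """Return (not_before, not_after) from a DER Certificate SEQUENCE."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; export the certificate as DER, not PEM")
    tbs_tag, tbs_body = _children(cert_body)[0]      # tbsCertificate is the first element
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                          # optional EXPLICIT [0] version
        fields = fields[1:]
    validity_tag, validity_body = fields[3]           # serial, signature, issuer, validity, ...
    if validity_tag != 0x30:
        raise ValueError("validity field not found where expected")
    (t1, b1), (t2, b2) = _children(validity_body)
    return _parse_time(t1, b1), _parse_time(t2, b2)

def check_certificate(der, now=None, warn_days=30):
    """Classify the certificate relative to `now` (defaults to the current UTC time)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = certificate_validity(der)
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"

def utc(year, month, day):
    """Convenience constructor for an aware UTC reference time."""
    return datetime(year, month, day, tzinfo=timezone.utc)

# ---- constructed sample input (not a real certificate) -------------------------------
def _der(tag, body):
    """Encode one DER TLV with a definite (short or long form) length."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = (len(body).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(body).to_bytes(n, "big")
    return bytes([tag]) + length + body

def build_sample_cert(not_before, not_after):
    """Structurally valid Certificate skeleton; only Validity is meaningful, the rest are
    placeholders (dummy key and signature bits, invented CN 'ap-example')."""
    utctime = lambda dt: _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    version = _der(0xA0, _der(0x02, b"\x02"))                           # [0] INTEGER 2 (v3)
    serial = _der(0x02, b"\x01")
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"ap-example"))))
    validity = _der(0x30, utctime(not_before) + utctime(not_after))
    spki = _der(0x30, alg + _der(0x03, b"\x00"))                        # placeholder public key
    tbs = _der(0x30, version + serial + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))                  # placeholder signature

if __name__ == "__main__":
    # Usage: python check_cert.py exported-ap-cert.der
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_cert(utc(2023, 7, 1), utc(2024, 7, 1))
    nb, na = certificate_validity(data)
    print("notBefore=%s notAfter=%s status=%s" % (nb, na, check_certificate(data)))
```

Run it against the exported `.der` of each AP and alert on anything other than `ok`; an `expired` result on a port showing `SecurePort authentication failure` points at renewal, not at the RADIUS side. The walker only reads the fields it needs, so it works on real certificates as well as the skeleton above, but it does not verify signatures or chains.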
After a small escalation, support was able to pinpoint the (multiple) issues.
1- There is a bug in MR28.X that prevents an AP from changing its "signing" URL when there is a shard change/split.
2- We had a shard split in July.
So our APs were still pointing to the 'old' shard, tried to renew their cert and failed. They have to be rebooted to point to the new shard, download the new cert and voilà.
TL;DR: When Meraki is doing shard splits, they should check if customers are running MR28.X + SecurePort. That would avoid the mess that we are (still) experiencing.
Cheers!
I haven't used that feature yet.
I prefer having my APs on their own VLAN.
From what you are describing, the APs do not automatically renew their certs when they have a long uptime.
That seems to be the case. Support might have mentioned that this has been reported in the past.
The APs are in their own mgmt VLAN. However, SecurePort is the only way to enable 802.1X on a trunk port 😞
In theory the new smart-port feature should soonish support dot1x override port config ... as far as I know.
Then it should be possible with your standard RADIUS server of choice.
But I have never had an AP with secure-port quit on me before; perhaps I have just updated (rebooted) them more often, and they have just renewed their cert then?
Well done tracking that fault down! That would have needed a very keen eye.