SecurePort Auth failure - MR certificate is expired

Solved
RaphaelL
Kind of a big deal

Hi,

Last week, on 3 different networks, I had 20+ APs that were down. The switchport had the error: SecurePort authentication failure

After taking packet captures, I noticed that the certificates of the APs were expired:

[screenshot: RaphaelL_0-1724076622949.png]

I had to reboot the APs like 10 times to get them working:

[screenshot: RaphaelL_1-1724076649445.png]

Couldn't find anything in the recent firmware that could explain that.

I'm running old MS and MR firmware due to multiple unsolved bugs.

Anyone ever experienced that?
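The root symptom in this thread is an 802.1X (EAP-TLS) failure caused by an AP presenting an expired certificate. The following is an added example, not code from the original post and not a Meraki tool: it takes a DER-encoded certificate (for instance one exported from the EAP-TLS Certificate message in a Wireshark capture of the failing switchport), reports whether it is expired or about to expire, and flags a certificate whose validity window has not started yet. The `selfSignedDER` helper only builds a throwaway certificate so the check can be exercised offline; the subject name `ap-test` and the 30-day warning threshold are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertStatus summarises the validity window of one certificate relative to a
// reference time. DaysLeft is negative once the certificate has expired.
type CertStatus struct {
	Subject     string
	NotBefore   time.Time
	NotAfter    time.Time
	Expired     bool
	NotYetValid bool
	DaysLeft    int
}

// CheckDER parses a DER-encoded X.509 certificate and evaluates its validity
// window against now (pass time.Now() in practice; a fixed time keeps the
// result reproducible here).
func CheckDER(der []byte, now time.Time) (CertStatus, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertStatus{}, fmt.Errorf("parse certificate: %w", err)
	}
	return CertStatus{
		Subject:     cert.Subject.String(),
		NotBefore:   cert.NotBefore,
		NotAfter:    cert.NotAfter,
		Expired:     now.After(cert.NotAfter),
		NotYetValid: now.Before(cert.NotBefore),
		DaysLeft:    int(cert.NotAfter.Sub(now).Hours() / 24),
	}, nil
}

// ExpiringWithin reports whether a still-valid certificate expires within the
// given number of days, so renewals can be scheduled before EAP-TLS breaks.
func (s CertStatus) ExpiringWithin(days int) bool {
	return !s.Expired && s.DaysLeft <= days
}

// selfSignedDER builds a constructed, self-signed test certificate with the
// requested validity window. It stands in for a certificate exported from a
// capture; it is not an AP certificate.
func selfSignedDER(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Constructed reference time; a real check would use time.Now().
	now := time.Date(2024, 8, 19, 0, 0, 0, 0, time.UTC)
	windows := []struct {
		name                string
		notBefore, notAfter time.Time
	}{
		{"expired", now.AddDate(-1, 0, 0), now.AddDate(0, 0, -3)},
		{"expiring-soon", now.AddDate(-1, 0, 0), now.AddDate(0, 0, 10)},
		{"healthy", now.AddDate(-1, 0, 0), now.AddDate(1, 0, 0)},
	}
	for _, w := range windows {
		der, err := selfSignedDER(w.name, w.notBefore, w.notAfter)
		if err != nil {
			panic(err)
		}
		s, err := CheckDER(der, now)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-14s expired=%-5t warn30=%-5t daysLeft=%d notAfter=%s\n",
			s.Subject, s.Expired, s.ExpiringWithin(30), s.DaysLeft,
			s.NotAfter.Format(time.RFC3339))
	}
}
```

Running the check on a schedule against the certificates the APs actually present (rather than waiting for the switchport to report SecurePort authentication failure) turns a silent renewal problem like the one described here into an alert with a known lead time.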

1 Accepted Solution
RaphaelL
Kind of a big deal

After a small escalation, support was able to pinpoint the (multiple) issues.

1- There is a bug in MR28.X that prevents an AP from changing its "signing" URL when there is a shard change/split.

2- We had a shard split in July.

So our APs were still pointing to the 'old' shard, tried to renew their cert and failed. They have to be rebooted to point to the new shard, download the new cert and voilà.

TL;DR: When Meraki is doing shard splits, they should check if customers are running MR28.X + SecurePort. That would avoid the mess that we are (still) experiencing.

Cheers!

5 Replies
GIdenJoe
Kind of a big deal

I haven't used that feature yet.
I prefer having my APs on their own VLAN.

From what you are describing, the APs do not automatically renew their certs when they have a long uptime.

RaphaelL
Kind of a big deal

That seems to be the case. Support might have mentioned that this has been reported in the past.

The APs are in their own mgmt VLAN. However, SecurePort is the only way to enable 802.1X on a trunk port 😞

In theory the new smart-port feature should soonish support dot1x override port config ... as far as I know.

Then it should be possible with your standard RADIUS server of choice.

But I have never had an AP with SecurePort quit on me before; perhaps I have just updated (rebooted) them more often, and they have just renewed their cert then?

PhilipDAth
Kind of a big deal

Well done tracking that fault down! That would have needed a very keen eye.
