Strange behavior about RADIUS authentication on Android 11

BongHo
Conversationalist

I just set up the RADIUS authentication with Meraki AP, and there is strange behaviour.

After I disable my AD account, I can still connect to the SSID associated with RADIUS authentication; only after I forget the Wi-Fi setting and reconnect does the account disable finally take effect.

And the strange thing is that this kind of behaviour only occurs on Android 11 devices; others like PCs and Apple devices work fine.

Is there anyone familiar with this issue? Any suggestions would be much appreciated!

KarstenI
Kind of a big deal

I would assume that it is something with caching on the APs. Can you do a capture on the AP to see if the AP sends a RADIUS request to the NPS when the disabled user connects to the SSID?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
BongHo
Conversationalist

Thanks for your comment!

I did try to capture on the AP; only the Android 11 device didn't send any RADIUS request to the NPS after I disabled the AD account. No idea what's going on.

KarstenI
Kind of a big deal

If there is no RADIUS request, it is likely the default PMKSA caching on the APs. You could:

  1. Ask Meraki Support if they can disable it. Not sure if that is possible.
  2. Reduce the session timeout on the RADIUS server to limit the amount of time the client could continue with a disabled account.
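
The check discussed in this thread (does a RADIUS request reach the NPS when the disabled user connects?) can be run over exported events to find every client that rejoined without a full authentication. This is an added example, not part of the original posts; the event tuples, MAC addresses, user names and the 10-second matching window are constructed assumptions, not a Meraki or NPS log format.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events; the tuple layout is hypothetical.
ASSOCIATIONS = [  # (time, client MAC, username) association events on the SSID
    ("2021-03-01 09:00:05", "aa:bb:cc:00:00:01", "alice"),  # Android 11 phone
    ("2021-03-01 10:30:00", "aa:bb:cc:00:00:01", "alice"),
    ("2021-03-01 09:10:00", "aa:bb:cc:00:00:02", "alice"),  # laptop
    ("2021-03-01 10:40:00", "aa:bb:cc:00:00:02", "alice"),
    ("2021-03-01 10:45:00", "aa:bb:cc:00:00:03", "bob"),
]
RADIUS_REQUESTS = [  # (time, Calling-Station-Id MAC) Access-Requests seen at the NPS
    ("2021-03-01 09:00:04", "aa:bb:cc:00:00:01"),
    ("2021-03-01 09:09:59", "aa:bb:cc:00:00:02"),
    ("2021-03-01 10:39:59", "aa:bb:cc:00:00:02"),  # laptop does a full 802.1X exchange
    ("2021-03-01 10:44:59", "aa:bb:cc:00:00:03"),
]
DISABLED_AT = {"alice": "2021-03-01 10:00:00"}  # when the AD account was disabled


def ts(text):
    return datetime.strptime(text, FMT)


def cached_reconnects(assocs, requests, disabled_at, window=timedelta(seconds=10)):
    """Return (mac, user, seconds_after_disable) for associations by a disabled
    user that have no Access-Request from the same MAC within `window`."""
    seen = [(ts(t), mac.lower()) for t, mac in requests]
    findings = []
    for t, mac, user in assocs:
        when, mac = ts(t), mac.lower()
        if user not in disabled_at or when < ts(disabled_at[user]):
            continue  # account was still enabled at this time
        full_auth = any(m == mac and abs(when - r) <= window for r, m in seen)
        if not full_auth:  # joined without the RADIUS server being asked
            delay = int((when - ts(disabled_at[user])).total_seconds())
            findings.append((mac, user, delay))
    return findings


if __name__ == "__main__":
    for mac, user, delay in cached_reconnects(ASSOCIATIONS, RADIUS_REQUESTS, DISABLED_AT):
        print(f"{mac} ({user}) associated {delay}s after disable with no RADIUS request")
```

The largest reported delay shows how long a disabled account stayed usable, which is the figure to compare against the session timeout configured on the RADIUS server.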