Meraki

BongHo · ‎May 10 2021

I just set up the RADIUS authentication with Meraki AP, and there is strange behaviour.

After I disable my AD account, I can still connect to the SSID associate with RADIUS authentication unless I forget the Wifi setting and reconnect, account disables would finally be effective.

And the strange thing is this kind of behaviour only occur on Android 11 device, others like PC and apple device work fine.

Is there anyone familiar with this issue? Any suggestions would be much appreciated!

KarstenI · ‎May 11 2021

I would assume that it is something with caching on the APs. Can you do a capture on the AP to see if the AP sends a RADIUS request to the NPS when the disabled user connects to the SSID?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

BongHo · ‎May 11 2021

Thanks for your comment!

I did try to capture on the AP, only the android 11 device didn't send any RADIUS request to the NPS after disable the AD account, no idea what's going on.

KarstenI · ‎May 11 2021

If there is no RADIUS request, it is likely the default PMKsa-caching on the APs. You could:

Ask Meraki Support if they can disable it. Not sure if that is possible.
Reduce the session timeout on the RADIUS-server to limit the amount of time the client could continue with disabled account.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Meraki

Community

Strange behavior about RADIUS authentication on Android 11

Strange behavior about RADIUS authentication on Android 11