WPA3 errors without WPA3 configured

904Tech
Here to help

WPA3 errors without WPA3 configured

Have an SSID that is configured for WPA2-Enterprise using Radius/802.1x-PEAP.  802.11w is set to required.  SSID is running in NAT mode.

 

At times I am seeing errors like the following:

 

Client made an 802.1X authentication request to the RADIUS server, but it did not respond. auth_mode='wpa3-802.1x' radius_proto='ipv4' radius_ip='192.168.xxx.xxx' reason='radius_login_failure' radio='0' vap='3' channel='6' rssi='42'

 

The client is configured for WPA2.  The client was successfully connected and then all the sudden couldn't roam to this AP and the above error was seen in the connection log.  Eventually, with no changes to the client or on the dashboard, the client was able to connect.

 

APs are MR42s and they are running MR 29.4.1

11 Replies 11
alemabrahao
Kind of a big deal
Kind of a big deal

Disable 802.11w and all will be fine.

Some legacy devices that do not support 802.11w may not be able to connect to an SSID even if in mixed mode. This may be due to the device improperly handling the advertised information contained within the beacons. 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
904Tech
Here to help

If I wasn't getting hammered with deauthentications from a neighbor then I would disable 802.11w.

 

Why would 802.11w trigger WPA3 errors?

alemabrahao
Kind of a big deal
Kind of a big deal

Disable 802.11w and all will be fine.

Some legacy devices that do not support 802.11w may not be able to connect to an SSID even if in mixed mode. This may be due to the device improperly handling the advertised information contained within the beacons. 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
904Tech
Here to help

That the thing, the device does support 802.11w.  It was previously connected and was able to connect after the fact eventually.

alemabrahao
Kind of a big deal
Kind of a big deal

WPA3 Transition Mode
WPA3 SAE has a transition mode (sometimes called mixed mode) created to allow WPA2 clients to co-exist on the same SSID used for WPA3. Although WPA3 needs to have Management Frame Protection (MFP/802.11w) set to Required, the Dashboard can also be set to Enabled, so that the STA which are not compliant with either WPA3 or MFP can still connect seamlessly.

802.11w can be set to Required, however WPA2 clients which do not support MFP will not be able to associate.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
904Tech
Here to help

WPA3 transition mode is only if you are doing PSK.  Isn't available for WPA3-Enterprise.

alemabrahao
Kind of a big deal
Kind of a big deal

Ok, but it explains the following behaviors that you informed us about, you can open a support case to confirm. 😉

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
904Tech
Here to help

Opened a case.  This behavior is a known bug.

CTL1
Conversationalist

Do you have any update from the case? when it will be solved?

Olivier_P
Comes here often

Thanks man 🙂 you saved my day!!!

rhbirkelund
Kind of a big deal
Kind of a big deal

Instead of having the SSID in NAT mode, try putting the device directly on the network, using Bridge Mode.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels