Meraki

Community

Wi-Fi disassociation reason code when password based RADIUS authentication fails

Solved
ESMichal
Here to help
‎Aug 18 2022 4:05 AM
‎Aug 18 2022 4:05 AM

Wi-Fi disassociation reason code when password based RADIUS authentication fails

We use Cisco Meraki APs with WPA2 Enterprise authentication againsts remote RADIUS server with EAP-TTLS + PAP.

 

When user provides wrong credentials (bad password), RADIUS sends Access-Reject message to the AP.

AP the disassociates the endpoint providing reason code 8. Reason code 8 means "Disassociated because sending STA is leaving or has left Basic Service Set (BSS)." That is a very generic response. In the list of possible reason codes there is also code 23: "IEEE 802.1X authentication failed.". At first look this seems to be more appropriate code to send.

 

https://www.cisco.com/assets/sol/sb/WAP371_Emulators/WAP371_Emulator_v1-0-1-5/help/Apx_ReasonCodes2....

 

Questions:

- Is code 23 suitable for this situation?

- Is Cisco Meraki AP capable of sending code 23?

- Why does not AP send the code 23?

0 Kudos
1 Accepted Solution
In response to RaphaelL
ESMichal
Here to help
‎Oct 11 2022 12:20 AM
‎Oct 11 2022 12:20 AM

Hey Raphael. Thank you for the reply. 

I think I was mistaken (or confused or something has changed) because last time I tried (week ago) I got the correct reason code from Meraki AP.

 

So at this point I believe Apple and its UI is to blame.

 

macoslog.png

 

 

View solution in original post

3 Replies 3
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 10 2022 5:59 PM
‎Oct 10 2022 5:59 PM

Sorry for the late reply. 

 

What MR firmware are you running ? 

Were you able to capture the frame and confirm that the AP is really sending a frame with code '8' ?

Could the client be getting a code '23' , upon receving that code simply leaves the AP with code '8' ?

 

I think you should open a ticket and reproduce the issue and provide them a capture.

 

EDITv3 : This was solved under 28.7 : 

  • When an Apple client enters an incorrect PSK the AP responds with a disassociation response instead of deauthentication response, resulting in multiple failed connection attempts from the client (Wi-Fi 5 Wave 2 APs)    

Might be worth a try to upgrade and test it !

 

Good luck

0 Kudos
In response to RaphaelL
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 10 2022 6:04 PM
‎Oct 10 2022 6:04 PM

Update : 

 

Took me a minute to find a code '23' : 

MR 28.7.1

RaphaelL_0-1665450217272.png

SSID configured with WPA enterprise and using Cisco ISE as Radius server. Client didn't provide a valid certificate.

0 Kudos
In response to RaphaelL
ESMichal
Here to help
‎Oct 11 2022 12:20 AM
‎Oct 11 2022 12:20 AM

Hey Raphael. Thank you for the reply. 

I think I was mistaken (or confused or something has changed) because last time I tried (week ago) I got the correct reason code from Meraki AP.

 

So at this point I believe Apple and its UI is to blame.

 

macoslog.png

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.