Wireless - 802.1x auth fail
Hi, let me see if anyone has seen a situation like this:
802.1X PEAP MSCHAPv2 authentication using a Windows laptop and a smartphone.
The RADIUS server is Cisco ISE and it replies to the MR AP with an Access-Accept packet.
Cisco ISE and the Access Point are connected to the same L2 domain, same subnet, and there is no firewall on that communication.
The Access Point was added on ISE as a NAD and there are no logs of a problem on the ISE side.
I did a packet capture on the wired interface of the Access Point MR46E and the Access-Accept is delivered, but in the dashboard I see this error:
"Client 5c:cd:5b:a2:40:ab had a failed connection to SSID Corp on AP POC01 during authentication because the auth server did not respond."
How did the auth server not reply if I see the Access-Accept arriving on the AP?
Has anyone seen this behavior?
Following this thread.
We do have lots of these, but never had the time to troubleshoot it properly.
If you guys are not using the new view, please do so and change the RADIUS timeout from the default 2 sec to 10 sec (this is the max value), and it should help with your issue.
The default is 1s, and according to Cisco's documentation it seems to be 5s on Cisco's WLC. Strange to see such a big difference between the 2 timeouts. I will try to adjust it and monitor the difference in the logs.
I just opened a case regarding that. We are on 27.7.1 and 28.5 and I keep seeing "Client made an 802.1X authentication request to the RADIUS server, but it did not respond."
Upon taking a packet capture we can see the Access-Reject from our RADIUS server. The request was made in 300-400ms, which is below the default timeout.
To be continued...
Update. It seems that the error is not showing the same description in Wireless -> Health -> Connection log versus Wireless -> Health -> Timeline.
In the Timeline page you will see: Client X had a failed connection to SSID Y on AP Z during authentication because the auth server rejected the auth request.
In the Connection Log: Client made an 802.1X authentication request to the RADIUS server, but it did not respond.radius_ip='XX.XX.XX.XX' reason='radius_login_failure' radio='1' vap='0' channel='104' rssi='50'
I know this case is a bit different from yours, but can you check whether you are seeing the same log message in the Timeline page and post the results from both the Timeline and the Connection log?
Thanks,
In my case, both logs are similar:
Connection Log==> Client made an 802.1X authentication request to the RADIUS server, but it did not respond.auth_mode='wpa2-802.1x' vlan_id='11' radius_proto='ipv4' radius_ip='172.16.x.x' reason='radius_timeout' radio='1' vap='1' channel='149' rssi='30'
Timeline==> Client 9a:b0:xx:xx:xx:xx had a failed connection to SSID Y on AP Z during authentication because the auth server did not respond.
Can you do a packet capture and calculate how long the request takes? First packet to the last one (Access-Accept). If it is over 1000ms, it will be flagged as didn't respond.
Yes, I did a capture.
Time from first RADIUS packet: 16:04:45,239667
Time from last RADIUS packet: 16:04:49,287265
Almost 5 seconds...
Unfortunately I am not able to test now, but I will try to increase the timeout and verify whether it solves the problem.
@RaphaelL Did you try increasing the RADIUS timeout?
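
The timing check discussed above, as an added example that is not part of any poster's message: it measures, per client, the whole RADIUS exchange, the slowest single reply and the number of retransmitted requests, and compares them with a chosen timeout. The capture export format, the MAC addresses, the identifiers and every timestamp except the first and last of client `02:00:00:00:00:01` are constructed, and the client column on reply lines is assumed to have been joined from the matching request.

```python
from datetime import datetime

# Constructed capture export: time, RADIUS code, identifier, client MAC.
# Only the first and last timestamps of client ...:01 come from the thread.
CAPTURE = """\
16:04:45,239667 Access-Request id=11 02:00:00:00:00:01
16:04:45,262104 Access-Challenge id=11 02:00:00:00:00:01
16:04:45,301550 Access-Request id=12 02:00:00:00:00:01
16:04:45,330871 Access-Challenge id=12 02:00:00:00:00:01
16:04:45,352313 Access-Request id=13 02:00:00:00:00:01
16:04:46,000100 Access-Request id=21 02:00:00:00:00:02
16:04:46,350100 Access-Reject id=21 02:00:00:00:00:02
16:04:47,352901 Access-Request id=13 02:00:00:00:00:01
16:04:49,287265 Access-Accept id=13 02:00:00:00:00:01
"""
FINAL = {"Access-Accept", "Access-Reject"}

def parse(text):
    for line in text.splitlines():
        ts, code, ident, mac = line.split()
        yield datetime.strptime(ts, "%H:%M:%S,%f"), code, ident, mac

def analyze(text, timeout_s):
    """Per client: whole-exchange time, slowest single reply, retransmissions."""
    clients = {}
    for t, code, ident, mac in parse(text):
        c = clients.setdefault(mac, {"start": t, "pending": {}, "slowest": 0.0,
                                     "retransmits": 0, "total": None, "result": None})
        if code == "Access-Request":
            if ident in c["pending"]:
                c["retransmits"] += 1          # same identifier sent again
            else:
                c["pending"][ident] = t        # first time this request is seen
        elif ident in c["pending"]:
            wait = (t - c["pending"].pop(ident)).total_seconds()
            c["slowest"] = max(c["slowest"], wait)
            if code in FINAL:
                c["total"] = (t - c["start"]).total_seconds()
                c["result"] = code
    for c in clients.values():
        del c["start"], c["pending"]
        c["reply_over_timeout"] = c["slowest"] > timeout_s
        c["exchange_over_timeout"] = c["total"] is not None and c["total"] > timeout_s
    return clients

if __name__ == "__main__":
    for timeout in (1, 2, 10):
        for mac, c in analyze(CAPTURE, timeout).items():
            print(f"timeout={timeout}s {mac} {c}")
```

A retransmitted Access-Request followed by a late Access-Accept is the pattern to look for when the server logs a success and the AP logs a timeout.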
I will be increasing our timeout to 5 seconds, but we don't currently have issues with timeouts.
However, you seem to be having issues with it.
Hi,
To what extent did you increase the RADIUS timeout?
Thanks!
