Meraki

thomasthomsen · ‎Feb 10 2023

The iPSK with Radius SSID has been a little more difficult to capture (because on this specific network there is only one "PSK" client), and when it does not get authenticated, it will select another AP "close" by and try again on that AP. So the below output is a little "copy past" of captures, but it is what I see. There is NOT a lot to go on here. I mean, sure, I can see the AAA packets being send to R2 for the dot1x SSID ( I "filtered" those out of the pic) , but whenever AAA is being send for the iPSK SSID, it ONLY tries R1, and fails (and by fails, I mean timeout). The second I manually switched that iPSK SSID to R2 as primary, everything started to work on the iPSK network.

thomasthomsen · ‎Feb 10 2023

So here is an output from one AP .142 that is only running the dot1x SSID. - .101 is Radius 1 - and .102 is Radius 2. Everything seems fine, the AP has switched to R2 (because R1 does not respond to radius messages). But half way down , "kinda" highlighted, it sends an Access-Request to R1 (For some reason) - This is a normal Access-Request, I can see the "client information" inside that packet. It also sends Accounting to R1 non of these packets are answered, so why did it all of a sudden try this, for a real client, to R1 ? - Then once in a while, ICMP is also send, but for the entirety of this capture it is always for R2 , never R1 (And as you can tell, ICMP is not allowed on this network). The output here "repeats" , in the sense that all of a sudden AAA messages are send to R1. Why does the AP do this with real client AAA's ? Why does it not use something else ? - I think this is broken.

thomasthomsen · ‎Feb 8 2023

Sure, no worries, I will post one tomorrow.

thomasthomsen · ‎Feb 8 2023

There does not seem to be any "testing" switches. So I cant tell when a radius server is marked as dead, or when it is marked as up again. And I cant see it anywhere in logs, or other UI. This is clearly an oversight.

thomasthomsen · ‎Feb 8 2023

Well , I do see that, all of a sudden , the AP sends a lot of radius packets (unfortunately from client authentications) to the primary radius server. - These fail / timeout, and are actually also retransmitted from the AP, because there was no answer, I do not see any "meraki test" radius messages. I have a bad feeling about this.

thomasthomsen · ‎Feb 8 2023

PS: That document referenced there seems to be for splashpages (Guest) not dot1x or iPSK with Radius. - Are we sure the same applies for these ? https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS_Failover_and_Retry_Details

thomasthomsen · ‎Feb 8 2023

That error part makes me a little confused. Does it send an UDP to port 1812 to see if it responds ? Or does it send an ICMP (protocol 1) to the host to see if its alive ? And if both radius servers (or 3. as the max you can configure) do not reply to ICMP then what happens ? - I think this "then what happens" is where Im at right now, so perhaps the documentation should really really specify that ICMP is required for failover ?

thomasthomsen · ‎Feb 8 2023

I think I will create a case on this. This is very unclear. I can see from packet captures that the AP tries to ping the secondary radius server (that is the one that is working) and not getting a reply (we dont allow ICMP, but I can see that we might have to). It uses the secondary, but it never tries to ping the primary that is not working to see if its alive, it just at intervals sends a lot of radius requests that way (from clients, so it thinks the primary is alive ? without knowing ?) , and never gets a reply and then tries again (dub packet). Fallback has not been enabled, so this behaviour seems strange to me.

thomasthomsen · ‎Feb 8 2023

PS: https://documentation.meraki.com/MR/Access_Control/MR_Meraki_RADIUS_2.0 In that documentation you can enable fallback : "If the fallback option is enabled, once the server with higher priority recovers, the AP will switch back to using that preferred (higher priority) server." How does the AP know when the higher priority server is back ? ICMP ? Radius requests ? what ?

thomasthomsen · ‎Feb 8 2023

I seem to have a little radius trouble. I have two radius servers on a iPSK with radius SSID. Everything has worked just fine. But then things (hence this post) started , ehh , not working fine. A bit of investigation (packet captures) shows that the AP sends Access-Request to the radius server, as expected, then nothing happens (aka no response) and the AP sends the request again (duplicate packet). Apparently this continues, even though there are two radius servers configured on the SSID. Why does it not switch to the secondary radius server ? At the same time, I have another SSID running standard dot1x, nothing fancy, using the same radius servers in the same priority order. This seems to utilize radius 2 and , is my guess, switched over at some point. Do anyone know where I can see that radius servers switched over in the eventlog ? (I cant seem to find such an option). - And is there a warning anywhere that tells me: "Oh look, your primary radius server has stopped responding " - Im guessing there is not 🙂

thomasthomsen · ‎Feb 1 2023

Ventev does good work. We have often used enclosures from them.

thomasthomsen · ‎Feb 1 2023

As mentioned by everyone, it's not "the correct" way of running your AP (aka. bad 🙂 ). But you could get support to disable the other radio chains, and only have the one with the connected antenna enabled. It would still be bad, because of no diversity or mimo features would be in use, but better then running something where the same features would ruin things more when running, ehhh, "improper antenna configurations" .

thomasthomsen · ‎Jan 18 2023

Hmmmm ... I think 17.10.2 reintroduced the EEE bug on the MX85 boxes I monitor ... From just around the update I have started to see a lot of "Ethernet port carrier change" in the eventlog. I will try to "investigate" some more ....

thomasthomsen · ‎Nov 26 2022

So Im trying to troubleshoot some issues on a network with a MX85. In the eventlog for the MX85 I for example see "device: port3, carrier: false". Port 3 , on the dashboard UI page of the MX85 is the WAN1 RJ45 port, so this would be "bad". What boggles me, is that if this Port3 losts its carrier, then it would mean that WAN1 was down, and that I should then see a "Primary uplink status change" in the evenlog as well (since this MX has two running WAN links - not dual active). But I do not. I also see one or twice a "device: port4, carrier: false" and that would mean (according to the dashboard UI) that WAN2 would be down ? (Im not worried at all .... ... .... ). I then looked at the downlink switch, and on the lldp/cdp neighbour information of this switch it says : Meraki MX85 - fw01 / 6 - but there is nothing connected to Port 6 on the MX85. (the other downlink switch says : Meraki MX85 - fw01 / 7 for the lldp/cdp neighbour information). The actual dashboard UI ports are 11 and 12. So what can I conclude about this ? Is the eventlog information = the UI truth ? Or is there an "offset" somewhere, because the lldp/cdp information is clearly not equal to the UI. /Thomas

thomasthomsen · ‎Nov 17 2022

Thanks 🙂

thomasthomsen · ‎Nov 17 2022

Yeah they did. And I thought they would not, and just use the "SSID configured" VLAN for WPN. I dont mind, its fine. But I was just surprised. So Im guessing you could "mix and match" (I have not tested this). So two different GP (with the same VLAN override setting) and then two different iPSKs on the WPN enabled SSID would not be able to communicate. So you could have a "Group" of different GP (that would not be able to communicate) on VLAN 10 .. and another group of GPs using VLAN20 (that would not be able to communicate) .. on the same SSID ... I dont have a good usecase here ... But I now see WPN as a kind of iPSK scaling.

thomasthomsen · ‎Nov 17 2022

Hi all. This might be a dumb / quick question, but I just can't seem to find the information in the documentation. Is there a SKU for a standard MV32 bracket ? We have "lost" some, and I can't quite seem to find a SKU for a direct replacement. I can find the SKU for the Wall-arm and the "Telescopic"-arm - do these two require the standard bracket to function ? Do anyone know ? Thanks Thomas

thomasthomsen · ‎Nov 15 2022

I just found out something about the WPN feature that i DID not know. GP override VLAN works together with WPN. Or so it seems from the network i "converted" from multiple SSIDs (because of the 50 iPSK limit) to WPN.

thomasthomsen · ‎Nov 9 2022

So what was the problem ? Was it just the Pre-shared key ?

thomasthomsen · ‎Oct 13 2022

I think Im seeing some strange behaviour on MX84 and Layer 7 Firewall rules. The layer 7 firewall seems to block internal DNS requests (Clients on one vlan - dns server on another). DNS seems to be classified as eDonkey P2P traffic ... 😕 To external DNS servers it seems to work fine ... very strange. Im also seeing some strange behaviour on MX85 where it will stop traffic for small periods of time during the day, seems to be related to IPS rules that is being hit a lot of times all of a sudden, but Im more unsure of this one, --- It could also be a coincidence , and its in reality the WAN switch in this setup that is running out of buffer (for some reason).

thomasthomsen · ‎Sep 22 2022

One question. How many APs does WPN scale to ? Can I have 100 ? 200 ? (or more ) APs using it in the same Network / VLAN ?

thomasthomsen · ‎Sep 21 2022

Interesting ... But .... Im a little confused here ... WPN is for when you use one VLAN for all clients, and they are still seperated by #merakimagic right ? And iPSK with GP is for when you have multiple VLANs and want to separate clients on VLANs (of course you could put clients into the same VLAN with iPSK+GP but in this use case it does not really apply) Im currently running a dorm with iPSK+GP. And the way I got round the 50PSK limitation (with GP) was to create a SSID pr. floor. That way Im down to around 30 - 40 GP/PSKs. But I would really like to try just doing one large VLAN .. like a /22 or /21 and do one SSID with WPN and have clients separated by this. (using around 100 - 200 APs or so). But I always wonder if it will work 🙂

thomasthomsen · ‎Aug 17 2022

Well , those are the "rules" of our local regulatory domain (and I think it's the same for the rest of ETSI). - It states something like (in shortened form) --- You can use 10mW/mhz up to a max of 200mW EIRP (in UNII1-2A). Basically means that using a 20Mhz channel I can have a 200mW EIRP (10x20=200). But if i go to 40Mhz the radio needs to turn down its transmit power to 5mw/mhz in order to stay at the max allowed 200mW EIRP (40x5=200) ... and so on. In UNII2C my local regulatory states 50mW/Mhz and a max EIRP for 1000mW (1Watt). But yeah .. you also get the 3db SNR thing ... but that happens regardless.

thomasthomsen · ‎Aug 11 2022

Well here you are on channel 56 - UNII2A. Regdomain says 200mW EIRP on a 20Mhz channel at this frequency - so that would be 23dm EIRP. (Channel 36 <-> 64 are here). So here you are potentially missing 3.1 db. (And that's the same amount as you are missing with the same antenna on 2,4Ghz). 100 <-> 144 UNII2-EXT you are allowed 1 Watt EIRP for a 20Mhz channel = 30dbm EIRP. And remember, If you increase your channel width the AP must decrease transmit power 3db when its twice as wide. So 3 db down for a 40Mhz channel, and another 3db down from 40Mhz if you go to 80Mhz. PS: The rules are a bit more "complex" in 5Ghz frequency range 🙂 - When you factor in TPC + there are different rules for different parts of the range. - But Im pretty sure the APs supports TPC. PPS: Perhaps I should mention the above numbers are for ETSI reg domain. What US and other domains are doing I would have to look up 🙂 - Im sure there is a WiKi page for it 🙂

thomasthomsen · ‎Aug 10 2022

This should not have anything to do with elements (Im a little unsure what you mean here ... 🙂 ) But you are right, the MR76 would do better , raw signal wise, in every scenario (read, antenna attachment). They should just be able to beacon, and potentially do single stream data, at the highest allowed EIRP in your reg. domain. And they do not. But the MR46E is the worst one. (If I needed it to for some strange design reason...... it is of course not "best practice" to have your wireless network at max power - EIRP)

About thomasthomsen

thomasthomsen

Thomas Obbekær Thomsen

Community Record

Badges