Solved: Firmware MN 14.33 causing wireless Radius authentication issue.

Nickj3234 · ‎03-14-2022

Last week meraki updated the firmware on our MS225 switches, since then our MS42 wireless AP radius SSID is not working at all of our 4 sites. I enabled WPA2 wireless which works and guest works, I can test the radius SSID and it passes. but when connecting a PC they can't connect and event log shows

802.11 disassociation

unspecified reason

Whats weird is I see an iphone and an ipad connected but any pc i've tried to connect fails. Anyone else seeing this issue?

Philip D'Ath · ‎03-14-2022

I think this issue is highly unlikely to be related to the switch firmware. It may be that a reboot of the switches caused a reboot of the access points, and something around that has caused an issue.

Does the PC WiFI settings for the SSID match what is configured with the RADIUS server? For example, PEAP+MSCHAPv2 ?

I'm guessing these settings don't match.

Does the RADIUS server say it is allowing the connection? If not, why not?

View solution in original post

aleabrahao · ‎03-14-2022

Do you have tried to perform a Radius test on this SSID? Just to check de communication.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Nickj3234 · ‎03-14-2022

Yes testing is successful.

Philip D'Ath · ‎03-14-2022

I think this issue is highly unlikely to be related to the switch firmware. It may be that a reboot of the switches caused a reboot of the access points, and something around that has caused an issue.

Does the PC WiFI settings for the SSID match what is configured with the RADIUS server? For example, PEAP+MSCHAPv2 ?

I'm guessing these settings don't match.

Does the RADIUS server say it is allowing the connection? If not, why not?

Nickj3234 · ‎03-15-2022

Sorry, was an accident clicking as a solution, The problem started after the firmware upgrade, and is happening at 4 different sites, you don't configure PC wifi for Radius you just log in with windows creds.

Philip D'Ath · ‎03-15-2022

>you don't configure PC wifi for Radius you just log in with windows creds.

That means you are using the default configuration of PEAP+MSCHAPv2. Have you checked your PEAP certificate on your RADIUS server? Maybe it has expired.

Did you maybe manually load in the IP addresses as RADIUS clients (instead of loading in subnets), while the APs were set to DHCP, the switch upgrade happened, the APs rebooted, got new IP addresses, and now don't match the RADIUS client IP addresses configured?

aleabrahao · ‎03-15-2022

@Philip D'Ath , I don't think that's the case, because it works well on mobile devices. I recommended that he perform a manual configuration.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

BlakeRichardson · ‎03-14-2022

Have the PC's had any windows updates during that time?

What firmware version did you update to?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Nickj3234 · ‎03-15-2022

Has nothing to do with the PC's, and the firmware is in the title of the post, slightly misspelled it's MS 14.33. I have a case open with meraki. Have updated firmware on the AP and rebooted the AP a few times, it worked fine since configuring radius authentication for wireless until the firmware upgrade.

aleabrahao · ‎03-15-2022

@Nickj3234, It doesn't make sense, I have upgraded my networks to the same version and It works fine. Can you share your SSID configuration?

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Nickj3234 · ‎03-15-2022

Network access is set to My Radius Server

WPA encryption mode set to WPA2 only

802.11r and 802.11w disabled

no splash page

Defaults for all the timeouts and retries

RADIUS testing - disabled
RADIUS CoA support - disabled
RADIUS attribute specifying group policy name - Filter ID
RADIUS accounting - disabled
RADIUS proxy - do not use meraki proxy
Assign group policies by device type - disbled

Bridged mode: make clients part of the Lan

VLAN tagging - Don't use vlan tagging
RADIUS override - ignore vlan attribute in radius responses
Content filtering - don't filter content
Bonjour forwarding - disable
Mandatory DHCP - disable

aleabrahao · ‎03-15-2022

🙂

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

aleabrahao · ‎03-15-2022

What is the Minimum bitrate applied in your RF profile? Have you tried to configure your connection manually?

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_Clients_for_802.1X_and_Meraki_Authentication

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Nickj3234 · ‎03-15-2022

Bit rate is set to 11 for Radius, for Guest and the wpa2 it is 18. Haven't tried manual connection, not in the office today, will try it tomorrow.

Nickj3234 · ‎03-16-2022

Tried the manual connection and I was able to connect, thanks for the tip. It will be a pain to do this for all the users though, but I have something I can go back to the meraki tech with working my case.