Wireless - 802.1x auth fail

LC.IT
Level 3

Hi, let me see if anyone saw a situation like this:

802.1x PEAP MSCHAPv2 authentication using a Windows laptop and a smartphone.

The RADIUS server is Cisco ISE and it replies to the MR AP with an Access-Accept packet.

Cisco ISE and the Access Point are connected to the same L2 domain, same subnet, and there is no firewall on that communication.

The Access Point was added on ISE as a NAD and there are no logs of a problem on the ISE side.

I did a packet capture on the wired interface of the Access Point MR46E and the Access-Accept is delivered, but in the dashboard I see this error:

"Client 5c:cd:5b:a2:40:ab had a failed connection to SSID Corp on AP POC01 during authentication because the auth server did not respond."

How did the auth server not reply if I see the Access-Accept arriving on the AP?

Has anyone seen this behavior?

Accepted Solutions

Make_IT_Simple
Cisco Employee

If you guys are not using the new view, please do so and change the RADIUS timeout from the default 2 sec to 10 sec (this is the max value) and it should help with your issue.

https://documentation.meraki.com/MR/Access_Control/MR_Meraki_RADIUS_2.0#Server_Timeout_and_Retry_Count

11 Replies

Raphael_L
Meraki Community All-Star

Following this thread.

We do have lots of these, but never had the time to troubleshoot it properly.

Raphael_L
Meraki Community All-Star

The default is 1s, and according to Cisco's documentation it seems to be 5s on Cisco's WLC. Strange to see such a big difference between the 2 timeouts. I will try to adjust it and monitor the difference in the logs.

Raphael_L
Meraki Community All-Star

I just opened a case regarding that. We are on 27.7.1 and 28.5 and I keep seeing "Client made an 802.1X authentication request to the RADIUS server, but it did not respond."

Upon taking a packet capture we can see the Access-Reject from our RADIUS server. The request was made in 300-400ms, which is below the default timeout.

To be continued...

Raphael_L
Meraki Community All-Star

Update. It seems that the error is not showing the same description in Wireless -> Health -> Connection log versus Wireless -> Health -> Timeline.

In the Timeline page you will see: Client X had a failed connection to SSID Y on AP Z during authentication because the auth server rejected the auth request.

In the Connection Log: Client made an 802.1X authentication request to the RADIUS server, but it did not respond.radius_ip='XX.XX.XX.XX' reason='radius_login_failure' radio='1' vap='0' channel='104' rssi='50'

I know this case is a bit different from yours, but can you check if you are seeing the same log message in the Timeline page and post the results between Timeline and Connection log?


Thanks,

In my case, both logs are similar:

Connection Log==> Client made an 802.1X authentication request to the RADIUS server, but it did not respond.auth_mode='wpa2-802.1x' vlan_id='11' radius_proto='ipv4' radius_ip='172.16.x.x' reason='radius_timeout' radio='1' vap='1' channel='149' rssi='30'

Timeline==> Client 9a:b0:xx:xx:xx:xx had a failed connection to SSID Y on AP Z during authentication because the auth server did not respond.

Raphael_L
Meraki Community All-Star

Can you do a packet capture and calculate how long the request takes? First packet to the last one (Access-Accept). If it is over 1000ms, it will be flagged as didn't respond.

Yes, I did a capture.

Time from first RADIUS packet: 16:04:45,239667

Time from last RADIUS packet: 16:04:49,287265

Almost 5 seconds...

Unfortunately I am not able to test now, but I will try to increase the timeout and verify whether it solves the problem.

@Raphletourn Did you try increasing the RADIUS timeout?

Raphael_L
Meraki Community All-Star

I will be increasing our timeout to 5 seconds, but we don't currently have issues with timeouts.

However you seem to be having issues with it.

LC.IT
Level 3
Increasing the RADIUS timeout solved the problem!
Thank you so much!

Hi,

To what extent did you increase the RADIUS timeout?

Thanks!
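
One way to run the measurement discussed in this thread (first RADIUS packet to the final Access-Accept) against a capture, as an added example that is not from any poster or from Meraki. The names `measure`, `pkt` and `SAMPLE` are hypothetical, the intermediate packets are constructed, and only the first and last timestamps are the ones quoted above; it reports both the slowest request-to-response round trip and the first-to-last total so either can be compared with the configured timeout.

```python
import struct
from datetime import datetime

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def radius_header(payload):
    """Return (code, identifier) from a RADIUS packet header (RFC 2865)."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("length field does not match the payload")
    return code, ident

def ts(text):
    # The capture times quoted in the thread use a comma before the microseconds.
    return datetime.strptime(text.replace(",", "."), "%H:%M:%S.%f")

def measure(packets, timeout_s):
    """packets: (time_text, udp_payload) pairs, capture order, one client conversation."""
    pending, first, last, slowest, final = {}, None, None, 0.0, None
    for text, payload in packets:
        t = ts(text)
        code, ident = radius_header(payload)
        first, last = first or t, t
        if code == 1:
            pending.setdefault(ident, t)   # a retransmission keeps the first send time
        elif ident in pending:
            slowest = max(slowest, (t - pending.pop(ident)).total_seconds())
            final = CODES.get(code, str(code))
    total = (last - first).total_seconds()
    return {"total_s": total, "slowest_rtt_s": slowest, "final": final,
            "rtt_over_timeout": slowest > timeout_s, "total_over_timeout": total > timeout_s}

def pkt(code, ident):
    # Constructed minimal packet: header plus a zeroed 16-byte authenticator.
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

# Constructed sample. Only the first and last timestamps come from the thread.
SAMPLE = [
    ("16:04:45,239667", pkt(1, 1)),    # Access-Request
    ("16:04:45,300000", pkt(11, 1)),   # Access-Challenge
    ("16:04:45,350000", pkt(1, 2)),    # Access-Request
    ("16:04:47,350000", pkt(1, 2)),    # retransmitted Access-Request
    ("16:04:49,287265", pkt(2, 2)),    # Access-Accept
]

if __name__ == "__main__":
    print(measure(SAMPLE, 2.0))
```

With a real capture, feed it the UDP payloads of one client's exchange on the RADIUS port in capture order.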
