WPA3 errors without WPA3 configured

Todd S
Level 3

Have an SSID that is configured for WPA2-Enterprise using Radius/802.1x-PEAP. 802.11w is set to required. SSID is running in NAT mode.

At times I am seeing errors like the following:

Client made an 802.1X authentication request to the RADIUS server, but it did not respond. auth_mode='wpa3-802.1x' radius_proto='ipv4' radius_ip='192.168.xxx.xxx' reason='radius_login_failure' radio='0' vap='3' channel='6' rssi='42'

The client is configured for WPA2. The client was successfully connected and then all of a sudden couldn't roam to this AP and the above error was seen in the connection log. Eventually, with no changes to the client or on the dashboard, the client was able to connect.

APs are MR42s and they are running MR 29.4.1
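An added triage example, not part of the original post and not Meraki code: it parses event lines in the `key='value'` form quoted above and flags any whose logged `auth_mode` differs from the mode the SSID is configured for. The label `wpa2-802.1x` for the configured mode is an assumption modelled on the logged `wpa3-802.1x` string; the second and third sample lines are constructed.

```python
import re
from collections import Counter

# key='value' pairs as they appear in the event detail quoted in the post
PAIR_RE = re.compile(r"(\w+)='([^']*)'")

# Assumption: label for the configured WPA2-Enterprise mode, modelled on the
# 'wpa3-802.1x' string in the post. Adjust to what your own logs show.
EXPECTED_AUTH_MODE = "wpa2-802.1x"

SAMPLE_EVENTS = [
    # From the post (RADIUS IP masked as in the original)
    "Client made an 802.1X authentication request to the RADIUS server, but it "
    "did not respond. auth_mode='wpa3-802.1x' radius_proto='ipv4' "
    "radius_ip='192.168.xxx.xxx' reason='radius_login_failure' radio='0' "
    "vap='3' channel='6' rssi='42'",
    # Constructed: same failure logged with the expected mode
    "Client made an 802.1X authentication request to the RADIUS server, but it "
    "did not respond. auth_mode='wpa2-802.1x' radius_proto='ipv4' "
    "radius_ip='192.168.xxx.xxx' reason='radius_login_failure' radio='1' "
    "vap='3' channel='36' rssi='30'",
    # Constructed: event with no key='value' detail at all
    "Client associated.",
]

def parse_event(line):
    """Split an event line into its free-text message and key='value' fields."""
    first = PAIR_RE.search(line)
    message = line[:first.start()].strip() if first else line.strip()
    return message, dict(PAIR_RE.findall(line))

def find_mismatches(lines, expected_auth_mode):
    """Return events whose logged auth_mode differs from the configured mode."""
    hits = []
    for line in lines:
        message, fields = parse_event(line)
        mode = fields.get("auth_mode")
        if mode is not None and mode != expected_auth_mode:
            hits.append({"message": message, **fields})
    return hits

def summarize(hits):
    """Count mismatched events per (auth_mode, reason) pair."""
    return Counter((h["auth_mode"], h.get("reason", "unknown")) for h in hits)

if __name__ == "__main__":
    for key, count in summarize(find_mismatches(SAMPLE_EVENTS, EXPECTED_AUTH_MODE)).items():
        print(key, count)
```
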


aleabrahao
Meraki Community All-Star

Disable 802.11w and all will be fine.

Some legacy devices that do not support 802.11w may not be able to connect to an SSID even if in mixed mode. This may be due to the device improperly handling the advertised information contained within the beacons.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

If I wasn't getting hammered with deauthentications from a neighbor then I would disable 802.11w.

Why would 802.11w trigger WPA3 errors?

That's the thing, the device does support 802.11w. It was previously connected and was able to connect after the fact eventually.

aleabrahao
Meraki Community All-Star

WPA3 Transition Mode
WPA3 SAE has a transition mode (sometimes called mixed mode) created to allow WPA2 clients to co-exist on the same SSID used for WPA3. Although WPA3 needs to have Management Frame Protection (MFP/802.11w) set to Required, the Dashboard can also be set to Enabled, so that the STA which are not compliant with either WPA3 or MFP can still connect seamlessly.

802.11w can be set to Required, however WPA2 clients which do not support MFP will not be able to associate.


WPA3 transition mode is only if you are doing PSK. Isn't available for WPA3-Enterprise.

aleabrahao
Meraki Community All-Star

Ok, but it explains the following behaviors that you informed us about, you can open a support case to confirm. 😉


Opened a case. This behavior is a known bug.

CTL1
Community Member

Do you have any update from the case? When will it be solved?

Thanks man 🙂 you saved my day!!!

Rasmus Hoffmann Birkelund
Meraki Community All-Star

Instead of having the SSID in NAT mode, try putting the device directly on the network, using Bridge Mode.

#########
LinkedIn ::: https://blog.rhbirkelund.dk/
Like what you see? - Mark as helpful ## Did it answer your question? - Mark it as a Solution 🙂
All code examples are provided as is. Responsibility for Code execution is solely your own.