Troubleshoot Recent 802.1X Failure Alert in Meraki Device

Available Languages

Download Options

  • PDF     (1.2 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.3 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (654.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:May 20, 2022
Document ID:217894

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.


    Introduction

    This document describes how to resolve the recent 802.1X failure alert in the Meraki device.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Understand basic Meraki Software-Defined Wide Area Network (SDWAN) solution
    • Understand basic Access Policy & Radius authentication

    Components Used

    This document is not restricted to specific software and hardware versions.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Problem

    Meraki devices use the AAA radius server policy configuration to authenticate the end-user.

    What is the RADIUS test in Meraki devices?

    The recent 802.1X failure alert displayed that, if the periodic access-request messages sent to the configured RADIUS servers are unreachable, you must use a timeout period of 10 seconds.

    Meraki devices periodically send Access-Request messages to the configured RADIUS servers that use identity meraki_8021x_test to ensure that the RADIUS servers are reachable. These Access-Requests have a timeout of 10 seconds and if the RADIUS server does not respond then it considers radius servers are unreachable and prompts the alert "Recent 802.1X failure" message. Refer to the screenshot of the alert seen on the device:
    Recent 802.1X Failure Alerts in Meraki

    A test is considered successful if the Meraki device receives any legitimate RADIUS response (Access-Accept/Reject/Challenge) from the server.

    With the RADIUS test enabled, all RADIUS servers are kept test run on every node at least once per 24 hours regardless of a test result. If a RADIUS test fails for a given node, it tests again every hour until a result that passes occurs. A subsequent pass marks the server reachable, clears the alert, and returns to the 24-hour test cycle.

    Configure

    Network Diagram

    Here is a simple topology diagram that describes the setup:

    Generic Network Diagram for Meraki Setup

    Verify And Troubleshoot

    802.1X Configuration

    802.1X RADIUS configuration can be found in the path shown that depends on the Meraki product Model.

    1. MX-Security appliance (configured either for access ports or wireless)

    • For Access Ports
      Security & SD-WANAddressing & VLANs

    • For Wireless
      Security & SD-WAN > Wireless settings
      MX-Security Appliance Access Control Settings


    2. MR-Access points (enabled on a per Service Set Identifier (SSID) basis):
    Wireless > Access control
    MR-Access Points Access Control Settings

    3. MS-Switches
    Switch > Access Policies
    MS-Switches Access Control Settings


    802.1X Configuration Verification Test

    • Meraki DashboardNetwork TemplateSwitch > Access Policies > Radius ServersTest
    • Meraki Dashboard > Network TemplateWireless > Access Control > Radius Servers > Test


    1. If the test result is noticed as All AP failed to connect radius server, you need to check where the access-Request got dropped.

    All Meraki Devices Fail to Connect to the Radius Server - Test Output Result


    2. Run the packet capture on the uplink port and verify the access-request flow. Refer to the screenshot of the packet capture access - The request does not get any reply.
    Wireshark Output for Radius Connection Failed Packets

    3. If noticed test result gets replied as accept/reject/deny/response/incorrect credentials, it means the radius server is alive.

    All Meraki Devices Tries to Connect to the Radius Server - Test Output Result

    4. Run the packet capture on the uplink port and verify the access-request flow. Refer to the screenshot of the packet capture access - The request got a reply.

           Wireshark Output for Radius Connection Passed Packets

    Access Policy Configuration Verification

    1. Need to check the parameter mentioned in the access policy is correct and includes Host IP, Port Number, and Secret Key.

    Access Policy Configuration Verification on Meraki MS Devices


    2. Configured radius server IPs are dummy or not used in production or Access policy is not in use. It is recommended to remove the access policy. If you want to keep it, you can disable the Radius testing setting.

      Access Policy Settings in Meraki MS Devices



    Related Information


    Note

    • When the radius servers poll Meraki devices use the LAN IP and Default username “meraki_8021x_test”, the Meraki dashboard used the Meraki MAC address as the source.
    • Meraki provided visibility to these alerts since October 2021.

    Revision History

    Revision Publish Date Comments
    2.0
    20-May-2022
    Initial Release
    1.0
    20-May-2022
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Suraj Pardule
      CMS Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco