The "Recent 802.1X Failure" alert will be displayed if the periodic access-request messages sent to the configured RADIUS servers are unreachable, using a timeout period of 10 seconds. This alert was enabled on Meraki networks in January 2019.
Meraki devices periodically send Access-Request messages to configured RADIUS servers using identity 'meraki_8021x_test' to ensure that the RADIUS servers are reachable. These Access-Requests have a timeout of 10 seconds and if the RADIUS server does not respond it will be considered unreachable and will prompt the alert "Recent 802.1X failure" message.
A test is considered successful if the Meraki device receives any kind of legitimate RADIUS response (i.e. Access-Accept/Reject/Challenge) from the server.
With RADIUS testing enabled, all RADIUS servers will be tested by every node at least once per 24 hours regardless of test result. If a RADIUS test fails for a given node it will be tested again every hour until a passing result occurs. A subsequent pass will mark the server reachable and clear the alert, returning to the 24 hour testing cycle.
Adding or removing a node from a network invalidates previous tests as does changing the Dashboard configuration of the RADIUS servers.
Please note for a wireless 802.1X configuration, this alert will only be generated if the association requirements for network access is set to WPA2-Enterprise with a custom RADIUS server. This alert will not be triggered for splash pages using a RADIUS server if there is an 802.1X failure.
The TLS version used by MR to test RADIUS is determined by the firmware version. MR 26.x will use TLS 1.0 and MR 27.x will use TLS 1.2.
802.1X RADIUS configuration can be found in the following places depending on the product:
MX (configured either for access ports or wireless)
- For Access Ports
- Security & SD-WAN > Addressing & VLANs
- For Wireless
- Security & SD-WAN > Wireless settings
MR (enabled on a per SSID basis)
- Wireless > Access control
- Switch > Access policies