Skip to main content
Cisco Meraki Documentation

Alert - Recent 802.1X Failure

Introduction

802.1X failure - error screenshot

A node displays the Recent 802.1X Failure alert when the RADIUS testing feature is enabled and it doesn't get a reply from one or more of the configured RADIUS servers. The alert may just mean that the device didn't get a reply from the server once due to network conditions in that particular moment. Please keep reading to verify if is this a one-time situation or if there's a bigger problem.

Understanding RADIUS Testing Feature

When RADIUS testing feature is enabled, Meraki devices will periodically send Access-Request messages to the configured RADIUS servers using identity meraki_8021x_test to ensure that the RADIUS servers are reachable. All RADIUS servers are tested by every node at least once every 24 hours. 

A test is considered successful if the Meraki device receives any kind of legitimate RADIUS response (i.e. Access-Accept/Reject/Challenge) from the server. Nodes display the Recent 802.1X Failure alert when they don't get a reply from one or more of the configured RADIUS servers, using a timeout period of 10 seconds, and if and there were no successful 8021.x authentications in the last 10 minutes. In other words, if the device didn't get a reply from a RADIUS while doing the regular testing, but it did have a client successfully being authenticated in the last 10 minutes, even though the test failed, the alert won't be displayed.

If a RADIUS test fails for a given node it will be tested again every hour until a passing result occurs. A subsequent pass will mark the server reachable and clear the alert, returning to the 24 hour testing cycle.

Adding or removing a node from a network invalidates previous tests as does changing the Dashboard configuration of the RADIUS servers.

Please note for a wireless 802.1X configuration, this alert will only be generated if the association requirements for network access is set to WPA2-Enterprise with a custom RADIUS server.  This alert will not be triggered for splash pages using a RADIUS server if there is an 802.1X failure.

The TLS version used by MR to test RADIUS is determined by the firmware version. MR 26.x will use TLS 1.0 and MR 27.x will use TLS 1.2. 

Configuring RADIUS Testing

RADIUS testing configuration can be found in the following places depending on the product:

MR 

Wireless > Configure > Access control > SSID (select name) > RADIUS

Enabling RADIUS testing for wireless 802.1x SSID

MS

Switching > Configure > Access policies

Configuring RADIUS servers for MS

MX

MX don't have an option to turn on or off the RADIUS testing feature, but whenever you configure a RADIUS server under per-port VLAN settings or Wireless settings, a RADIUS test will be run following the conditions mentioned at the beginning of this document.

Security & SD-WAN > Configure > Addressing & VLANs > Routing > Per-port VLAN Settings.

Configuring RADIUS servers for MX

 

Security & SD-WAN > Configure > Wireless settings

Configuring RADIUS server for an SSID in wireless MX

Troubleshooting Recent 802.1x Failure Alert

When you see the Recent 802.1x Failure alert, that doesn't necessarily mean the users are experiencing a problem. It may only mean that the node didn't get a reply from at least one of the configured RADIUS servers within 10 seconds.

Troubleshooting MR networks

In order to verify if this is a widespread problem, we suggest you to:

1. Review if the alert has affected the users or if it may be a minor problem. Navigate to Wireless > Monitor > Overview > Network service health > RADIUS success. If you see 100%, that means that all your clients have successfully connected to any of the resources that use a RADIUS server and the alert is a minor problem.

Network service health

If you see less than 100% success, click RADIUS success and review why the RADIUS failures reason codes. If you see RADIUS timeout, that means clients aren't being able to connect because the server is unreachable. Continue the troubleshooting steps to figure out why a server is unreachable.

2. From the same screen, click RADIUS success, and then RADIUS Server IP drop-down to check the servers tested by the APs, and take note of them.

Selecting a RADIUS server IP for investigation

3. Navigate to Wireless > Monitor > Access points, open one of the alerting AP's page, then navigate to the Tools tab and see if the AP can ping the servers:

Using ping tool on an access point to check the RADIUS server reachability

If pings are unsuccessful, investigate why the APs are not able to reach the RADIUS server. 

If pings are successful, check your RADIUS server logs and investigate why the RADIUS server is ignoring the AP's RADIUS tests.

For a more detailed explanation about how to troubleshoot RADIUS problems, please check the RADIUS Issue Resolution Guide.

Troubleshooting MS networks

1. Take note of the RADIUS server(s) IP addresses configured in any of the configured policies (Switching > Configure > Access policies). 

2. Navigate to Switching > Monitor > Switches, open one of the alerting switches' page, then navigate to the Tools tab and see if the switch can ping the RADIUS servers.

If pings are unsuccessful, investigate why the switches are not able to reach the RADIUS server. 

If pings are successful, check your RADIUS server logs and investigate why the RADIUS server is ignoring the switches RADIUS tests.

For a more detailed explanation about how to troubleshoot RADIUS problems, please check RADIUS Issue Resolution Guide.