Troubleshoot Cisco Meraki integrations

Troubleshoot the Cisco Meraki integration

Topics

• Certificate errors
• RADIUS agent logging level
• Examine logs or capture packets
• Interpreting Wireshark captures

Certificate errors

The Error(s) below show when one of:

• The CA certificate was not added on the client machine
• The wrong CA certificate was added on the client machine
• An incorrect Wi-Fi network is used

RADIUS agent logging level

To set the log level in the RADIUS agent:

1. Using a text editor, open the log4j.properties file from the installation folder
   C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\user\config\radius\
2. Change the last instance of “info” to
   debug (verbose) or trace (very verbose).
   The update should resemble:
   log4j.rootLogger=debug, app, stdout
   or
   log4j.rootLogger=trace, app, stdout
   
3. Save the change and close the editor.
   

Examine logs or capture packets

To examine logs or capture packets:

• On Mac, to display log information during connection attempts:
  Upen a command prompt and execute the command:
  log show --predicate 'subsystem == "com.apple.eapol"'
  Attempt to connect to the WiFi access point.
  Examine the log which will product results similar to:
  2019-04-10 15:38:53.868667-0400 0x1caacd Default 0x0 17296 0 eapolclient: [com.apple.eapol:Client] en0 START uid 501 gid 20
2019-04-10 15:38:54.062713-0400 0x1caacd Default 0x0 17296 0 eapolclient: [com.apple.eapol:Client] en0: 802.1X User Mode
2019-04-10 15:39:02.510875-0400 0x1caacd Default 0x0 17296 0 eapolclient: [com.apple.eapol:Client] en0 EAP-TTLS: successfully authenticated
2019-04-10 15:39:11.117972-0400 0x1caacd Default 0x0 17296 0 eapolclient: [com.apple.eapol:Client] en0 STOP
  
• On Meraki cloud admin dashboard, navigate to Network-wide , and select either Packet capture or Event Log, as shown below.

  

Interpreting Wireshark captures

Interpreting Wireshark captures
At a high level, there are three stages in the communication between the supplicant/AP and the RADIUS server when an authentication takes place:

• exchange of EAP-Identity and EAP-Start messages
• TLS Handshake, starting with a ClientHello
• RADIUS Access-Accept, followed by a 4-way EAPoL handshake between the AP and supplicant