Hi, all
I have Meraki VMX-S deployed in Azure. I have enabled User VPN on it. It works fine using Meraki cloud authentication - I can connect using Windows built-in VPN.
But if I change Authentication from Meraki cloud authentication to Radius, I don't get any Radius traffic between Meraki firewall and my Radius server (Windows 2016 with NPS service). I know that there is no Radius traffic because I'm running wireshark packet capture on Windows server interface and I do see DNS and ICMP packets between Windows server and Meraki firewall, but no other traffic when I change Radius server details on Meraki or when I attempt to login with VPN client. Meraki literally doesn't attempt to send any Radius packets to Radius server. Meraki packet capture also shows zero traffic between Meraki and Radius server when I attempt to establish VPn connection. Again, i'm using the same VPN connection on the same machine which works just fine once I switch back to Meraki cloud authentication. .
I do able to ping from Meraki to Radius server and vice versa. No firewall on Radius server.
Event log on Meraki shows only client VPN negotiations, and no Radius events.
What could be the reason of Meraki firewall ignoring Meraki User VPN Radius settings?
thanks
Is the radius server a Virtual Machine on Azure?
Yes, it's a Windows Server on the same Azure tenant, just in different subnet. No security groups on interfaces, so no ports are blocked.
What interface did you try to perform a pcap?
I have a suggestion, you can try to perform a pcap on the Windows server machine, I tried to perform a pcap on the Meraki dashboard, but I got the same result as you.
That's what I did. I installed wireshark on Win server machine on the lan interface. All firewall profiles are disabled on the OS. On Azure there are no security groups associated with Win server machine interface. Neither there are security groups associated with Meraki VM interface.
I'm able to ping Meraki<>WinServer both directions.
I even added explicit rules on Meraki firewall from/towards WinServer machine, but they showing zero hits.
Are their any network security groups i Azure that could be limiting the RADIUS traffic (perhaps allow ping but blocking udp/1812)?
It just hit me. The #1 problem when I run into this - is Windows Firewall on NPS.
Try disabling Windows Firewall and see if Wireshark starts showing traffic on the Windows NPS server.
There are no security groups associated with Windows Server vm and/or MerakiMX vm.
If I don't see "addressing and VLAN",
might it be because it's configured in One-Armed Concentrator mode?
https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure
The VM has a single interface, as clearly stated in Azure guide. It works fine as S2S VPN gateway - traffic between Azure subnet and on-prem network goes through. But I'm wondering maybe this mode prevents Radius works and some features are disabled?
I don't know in which mode (One-Armed or NAT mode) the device is configured and don't know where to find it. Not sure if that's related to the issue of the topic at all
I remember having same issue setting up Radius auth for VPN clients on my vMX-Medium in Azure... it was that Windows Server 2019 bug 😉
RADIUS Authentication and Windows Server 2019 Firewall/NPS Bug - The Meraki Community