User VPN authentication using RADIUS, on VMX-S deployed in Azure

VadimIvanov
Comes here often

User VPN authentication using RADIUS, on VMX-S deployed in Azure

Hi, all

I have Meraki VMX-S deployed in Azure. I have enabled User VPN on it. It works fine using Meraki cloud authentication - I can connect using Windows built-in VPN.

But if I change Authentication from Meraki cloud authentication to Radius, I don't get any Radius traffic between Meraki firewall and my Radius server (Windows 2016 with NPS service). I know that there is no Radius traffic because I'm running wireshark packet capture on Windows server interface and I do see DNS and ICMP packets between Windows server and Meraki firewall, but no other traffic when I change Radius server details on Meraki or when I attempt to login with VPN client. Meraki literally doesn't attempt to send any Radius packets to Radius server. Meraki packet capture also shows zero traffic between Meraki and Radius server when I attempt to establish VPn connection. Again, i'm using the same VPN connection on the same machine which works just fine once I switch back to Meraki cloud authentication. .

VadimIvanov_0-1666971319550.png

 

I do able to ping from Meraki to Radius server and vice versa. No firewall on Radius server.

 

Event log on Meraki shows only client VPN negotiations, and no Radius events. 

VadimIvanov_1-1666971406411.png

 

What could be the reason of Meraki firewall ignoring Meraki User VPN Radius settings? 

 

thanks

10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal

Is the radius server a Virtual Machine on Azure?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Yes, it's a Windows Server on the same Azure tenant, just in different subnet. No security groups on interfaces, so no ports are blocked. 

What interface did you try to perform a pcap?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I have a suggestion, you can try to perform a pcap on the Windows server machine, I tried to perform a pcap on the Meraki dashboard, but I got the same result as you.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

That's what I did. I installed wireshark on Win server machine on the lan interface. All firewall profiles are disabled on the OS. On Azure there are no security groups associated with Win server machine interface. Neither there are security groups associated with Meraki VM interface.

I'm able to ping Meraki<>WinServer both directions.

I even added explicit rules on Meraki firewall from/towards WinServer machine, but they showing zero hits.

PhilipDAth
Kind of a big deal
Kind of a big deal

Are their any network security groups i Azure that could be limiting the RADIUS traffic (perhaps allow ping but blocking udp/1812)?

 

PhilipDAth
Kind of a big deal
Kind of a big deal

It just hit me.  The #1 problem when I run into this - is Windows Firewall on NPS.

 

Try disabling Windows Firewall and see if Wireshark starts showing traffic on the Windows NPS server.

There are no security groups associated with Windows Server vm and/or MerakiMX vm. 

VadimIvanov
Comes here often

If I don't see "addressing and VLAN", 

VadimIvanov_0-1667211260990.png

might it be because it's configured in One-Armed Concentrator mode?

https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure

 

VadimIvanov_1-1667211374017.png

The VM has a single interface, as clearly stated in Azure guide. It works fine as S2S VPN gateway - traffic between Azure subnet and on-prem network goes through. But I'm wondering maybe this mode prevents Radius works and some features are disabled?

I don't know in which mode (One-Armed or NAT mode) the device is configured and don't know where to find it. Not sure if that's related to the issue of the topic at all

 

 

rabusiak
Getting noticed

I remember having same issue setting up Radius auth for VPN clients on my vMX-Medium in Azure... it was that Windows Server 2019 bug 😉
RADIUS Authentication and Windows Server 2019 Firewall/NPS Bug - The Meraki Community

Get notified when there are additional replies to this discussion.