Meraki

Community

User VPN authentication using RADIUS, on VMX-S deployed in Azure

VadimIvanov
Comes here often
‎Oct 28 2022 8:40 AM
‎Oct 28 2022 8:40 AM

User VPN authentication using RADIUS, on VMX-S deployed in Azure

Hi, all

I have Meraki VMX-S deployed in Azure. I have enabled User VPN on it. It works fine using Meraki cloud authentication - I can connect using Windows built-in VPN.

But if I change Authentication from Meraki cloud authentication to Radius, I don't get any Radius traffic between Meraki firewall and my Radius server (Windows 2016 with NPS service). I know that there is no Radius traffic because I'm running wireshark packet capture on Windows server interface and I do see DNS and ICMP packets between Windows server and Meraki firewall, but no other traffic when I change Radius server details on Meraki or when I attempt to login with VPN client. Meraki literally doesn't attempt to send any Radius packets to Radius server. Meraki packet capture also shows zero traffic between Meraki and Radius server when I attempt to establish VPn connection. Again, i'm using the same VPN connection on the same machine which works just fine once I switch back to Meraki cloud authentication. .

VadimIvanov_0-1666971319550.png

 

I do able to ping from Meraki to Radius server and vice versa. No firewall on Radius server.

 

Event log on Meraki shows only client VPN negotiations, and no Radius events. 

VadimIvanov_1-1666971406411.png

 

What could be the reason of Meraki firewall ignoring Meraki User VPN Radius settings? 

 

thanks

Labels:
0 Kudos
10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 28 2022 8:53 AM
‎Oct 28 2022 8:53 AM

Is the radius server a Virtual Machine on Azure?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
VadimIvanov
Comes here often
‎Oct 28 2022 11:10 AM
‎Oct 28 2022 11:10 AM

Yes, it's a Windows Server on the same Azure tenant, just in different subnet. No security groups on interfaces, so no ports are blocked. 

0 Kudos
In response to VadimIvanov
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 28 2022 11:26 AM
‎Oct 28 2022 11:26 AM

What interface did you try to perform a pcap?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to VadimIvanov
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 28 2022 11:35 AM
‎Oct 28 2022 11:35 AM

I have a suggestion, you can try to perform a pcap on the Windows server machine, I tried to perform a pcap on the Meraki dashboard, but I got the same result as you.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
VadimIvanov
Comes here often
‎Oct 31 2022 2:53 AM
‎Oct 31 2022 2:53 AM

That's what I did. I installed wireshark on Win server machine on the lan interface. All firewall profiles are disabled on the OS. On Azure there are no security groups associated with Win server machine interface. Neither there are security groups associated with Meraki VM interface.

I'm able to ping Meraki<>WinServer both directions.

I even added explicit rules on Meraki firewall from/towards WinServer machine, but they showing zero hits.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 30 2022 12:31 PM
‎Oct 30 2022 12:31 PM

Are their any network security groups i Azure that could be limiting the RADIUS traffic (perhaps allow ping but blocking udp/1812)?

 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 30 2022 12:32 PM
‎Oct 30 2022 12:32 PM

It just hit me.  The #1 problem when I run into this - is Windows Firewall on NPS.

 

Try disabling Windows Firewall and see if Wireshark starts showing traffic on the Windows NPS server.

In response to PhilipDAth
VadimIvanov
Comes here often
‎Oct 31 2022 2:53 AM
‎Oct 31 2022 2:53 AM

There are no security groups associated with Windows Server vm and/or MerakiMX vm. 

0 Kudos
VadimIvanov
Comes here often
‎Oct 31 2022 3:27 AM
‎Oct 31 2022 3:27 AM

If I don't see "addressing and VLAN", 

VadimIvanov_0-1667211260990.png

might it be because it's configured in One-Armed Concentrator mode?

https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure

 

VadimIvanov_1-1667211374017.png

The VM has a single interface, as clearly stated in Azure guide. It works fine as S2S VPN gateway - traffic between Azure subnet and on-prem network goes through. But I'm wondering maybe this mode prevents Radius works and some features are disabled?

I don't know in which mode (One-Armed or NAT mode) the device is configured and don't know where to find it. Not sure if that's related to the issue of the topic at all

 

 

0 Kudos
rabusiak
Getting noticed
‎Jan 19 2023 7:58 AM
‎Jan 19 2023 7:58 AM

I remember having same issue setting up Radius auth for VPN clients on my vMX-Medium in Azure... it was that Windows Server 2019 bug 😉
RADIUS Authentication and Windows Server 2019 Firewall/NPS Bug - The Meraki Community

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.