Cannot get VPN over Radius to work

Here to help

Cannot get VPN over Radius to work

I'm getting frustrated now.
I try to setup User VPN to authenticate with Radius-server but cannot get it to work.
If I use Cloud Authentication it works fine.
On the Meraki I setup up as follow.
Custom nameservers: IP to our internal DNS-server
I have a Shared Secret.
Authentication: Radius
RADIUS servers is our internal Network Policy Server.
Port: 1812
Secret: Same as on Network Policy Server.
The Policy Server is installed and registered in Active Directory.
I have all ports in and out opened on the Network Policy Server (just for test).
When the client attempt to connect they get error 691, wrong username/password.
I have tried multiple differnt accounts, but all the same.
Tried login with their domainname/username and mailaddress and other combination. But same error all the time.
Rebooted the Network Policy Server.
Tried from two differnt clients.
MX Eventlog says
msg: <l2tp-over-ipsec-1|1055> deleting IKE_SA l2tp-over-ipsec-1
msg: <l2tp-over-ipsec-1|1055> closing CHILD_SA net-1{6517} with SPIs cb90df4f(inbound) (798 bytes) efccb7de(outbound) (379 bytes) and TS
msg: <l2tp-over-ipsec-1|1055> CHILD_SA net-1{6517} established with SPIs cb90df4f(inbound) efccb7de(outbound) and TS
Packet Capture says nothing about Radius.
Kind of a big deal
Kind of a big deal

The has to be something in a packet capture ...


Have tried ping from MX to internal Radius-server with success.

When I capture from LAN while trying to connect I get nothing about radius in the log.


When the client is trying to connect it fails right away with error.


Would you share a screenshot of your config with us?

Delete. Wrong post.

Getting noticed

Do the Network Policy Server logs show anything?  They are in an unwieldy XML format, but they will tell you 1) if the request made it to the server and 2) what the NPS server's response was.  The log files default to %systemroot%\System32\LogFiles but you can change the location from the Accounting tab in the NPS MMC snapin.  The files are rotated daily with the date in the filename, so make sure you grab the right one.

Thanks, I will look at that.
Right now nothing works.
I can't even connect with Cloud Authentication.


Have setup this a few times before but this setup is haunted by evil spirits or something.


Maybe it is my clients thats is the problem.

But I can connect to other Meraki VPN.


Need to start over and verify every step.

Kind of a big deal
Kind of a big deal

You don't say which RADIUS server you are using - but it is the RADIUS server denying the user, so you have to look at the RADIUS server logs to determine why it is doing this.


If you are using Microsoft NPS, go to the security log and filter on event IDs 6272, 6273.  6273 will contain the deny.  Look at the reason it is giving.

We have Windows Server 2016 and MS Network Policy Server installed.

All ports are for now opened, in and out.


The Network contains of one Hub and multiple Spoke.

This MX is a spoke.


All MX have a VPN connection to our servercloud where the Network Policy Server is.

It's an VMWare Edge, so Non-Meraki Site to Site VPN.


There are no event logs with those eventIDs on the Policy Server.


The MX can ping the Policy Server both on LAN and on Internet.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.