Meraki Community

PatrikStar · ‎Apr 8 2022

I'm getting frustrated now.

I try to setup User VPN to authenticate with Radius-server but cannot get it to work.

If I use Cloud Authentication it works fine.

On the Meraki I setup up as follow.

Subnet: 10.10.5.0/24

Custom nameservers: IP to our internal DNS-server

I have a Shared Secret.

Authentication: Radius

RADIUS servers is our internal Network Policy Server.

IP: 10.10.9.18

Port: 1812

Secret: Same as on Network Policy Server.

The Policy Server is installed and registered in Active Directory.

I have followed the guide at https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

I have all ports in and out opened on the Network Policy Server (just for test).

When the client attempt to connect they get error 691, wrong username/password.

I have tried multiple differnt accounts, but all the same.

Tried login with their domainname/username and mailaddress and other combination. But same error all the time.

Rebooted the Network Policy Server.

Tried from two differnt clients.

MX Eventlog says

msg: <l2tp-over-ipsec-1|1055> deleting IKE_SA l2tp-over-ipsec-1

msg: <l2tp-over-ipsec-1|1055> closing CHILD_SA net-1{6517} with SPIs cb90df4f(inbound) (798 bytes) efccb7de(outbound) (379 bytes) and TS

msg: <l2tp-over-ipsec-1|1055> CHILD_SA net-1{6517} established with SPIs cb90df4f(inbound) efccb7de(outbound) and TS

Packet Capture says nothing about Radius.

KarstenI · ‎Apr 8 2022

The has to be something in a packet capture ...

Make sure the RADIUS ip is correct and you can ping the RADIUS server from the MX
The RADIUS server is on the inside? Then capture on the LAN port of the ASA with a filter "port 1812".
This document is about MR, but there are still some good hints for troubleshooting: https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS_Issue_Resolution_Guide

PatrikStar · ‎Apr 8 2022

Have tried ping from MX to internal Radius-server with success.

When I capture from LAN while trying to connect I get nothing about radius in the log.

When the client is trying to connect it fails right away with error.

CptnCrnch · ‎Apr 8 2022

Would you share a screenshot of your config with us?

PatrikStar · ‎Apr 11 2022

Delete. Wrong post.

RichG · ‎Apr 8 2022

Do the Network Policy Server logs show anything? They are in an unwieldy XML format, but they will tell you 1) if the request made it to the server and 2) what the NPS server's response was. The log files default to %systemroot%\System32\LogFiles but you can change the location from the Accounting tab in the NPS MMC snapin. The files are rotated daily with the date in the filename, so make sure you grab the right one.

PatrikStar · ‎Apr 8 2022

Thanks, I will look at that.
Right now nothing works.
I can't even connect with Cloud Authentication.

Have setup this a few times before but this setup is haunted by evil spirits or something.

Maybe it is my clients thats is the problem.

But I can connect to other Meraki VPN.

Need to start over and verify every step.

PhilipDAth · ‎Apr 10 2022

You don't say which RADIUS server you are using - but it is the RADIUS server denying the user, so you have to look at the RADIUS server logs to determine why it is doing this.

If you are using Microsoft NPS, go to the security log and filter on event IDs 6272, 6273. 6273 will contain the deny. Look at the reason it is giving.

PatrikStar · ‎Apr 11 2022

Hi!
We have Windows Server 2016 and MS Network Policy Server installed.

All ports are for now opened, in and out.

The Network contains of one Hub and multiple Spoke.

This MX is a spoke.

All MX have a VPN connection to our servercloud where the Network Policy Server is.

It's an VMWare Edge, so Non-Meraki Site to Site VPN.

There are no event logs with those eventIDs on the Policy Server.

The MX can ping the Policy Server both on LAN and on Internet.

Meraki Community

Cannot get VPN over Radius to work

Cannot get VPN over Radius to work