Client VPN Utilizing RADIUS Failing on 2019 Servers After Recently Patching

dromios
Getting noticed


Hello,

 

We have a client that is using RADIUS authentication for client VPN.  It's been working fine up until the servers were patched.  Has anyone run into this issue, and if so, come up with a resolution?

Regards,

 

Doug

CptnCrnch
Kind of a big deal

What kind of RADIUS servers are being used and which version were they upgraded to?

dromios
Getting noticed

We have been using the Windows Server 2019 Standard built-in NPS for RADIUS. Nothing was upgraded, but Windows Updates were run and the servers rebooted before this stopped happening. I followed the documentation outlined here:

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

It worked like a charm out of the box. I tried removing the Calling Station ID per the article, as it said some RADIUS servers wouldn't like it, but it didn't make any difference. I'm being prompted for the username and password but when I connect it gets stuck on "Verifying your sign in information" and it eventually says "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."
CptnCrnch
Kind of a big deal

Is the Dial-In permission set for the specific users?

dromios
Getting noticed

The dial-in properties are set to use NPS.
Nash
Kind of a big deal

@dromios What errors are you seeing on the NPS server log?

dromios
Getting noticed

I was looking at the text file auditing but just found more information in event viewer by enabling information events:

I'm getting alerts that say "Network Policy Server discarded request for a user". Followed by:

Authentication Details:
Connection Request Policy Name: Meraki VPN
Network Policy Name: Meraki Client VPN
Authentication Provider: Windows
Authentication Server: DC01.xxx.local
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Reason Code: 9
Reason: The request was discarded by a third-party extension DLL file.

That's something new to go on.
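
An added example, not part of the original thread: a small parser for NPS event text pasted from Event Viewer that counts requests discarded with the Reason Code 9 quoted above, grouped by network policy and authentication type. The sample events are constructed in the layout of the quoted event, and the function and constant names are assumptions made for this illustration.

```python
from collections import Counter

# Constructed sample in the layout of the event quoted in the thread;
# the second event and its reason text are made up for contrast.
SAMPLE_EVENTS = """\
Network Policy Server discarded the request for a user.
Authentication Details:
Connection Request Policy Name: Meraki VPN
Network Policy Name: Meraki Client VPN
Authentication Provider: Windows
Authentication Server: DC01.xxx.local
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Reason Code: 9
Reason: The request was discarded by a third-party extension DLL file.
Network Policy Server denied access to a user.
Authentication Details:
Connection Request Policy Name: Meraki VPN
Network Policy Name: Meraki Client VPN
Authentication Type: PAP
Reason Code: 16
Reason: (constructed placeholder reason text)
"""

EXTENSION_DISCARD = "9"  # reason code shown in the thread's event


def parse_events(text):
    """Split pasted NPS event text into one dict of fields per event."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Network Policy Server"):
            events.append({"Summary": line})  # first line opens a new event
            continue
        key, sep, value = line.partition(":")
        # Skip section headers such as "Authentication Details:" (no value).
        if events and sep and value.strip():
            events[-1][key.strip()] = value.strip()
    return events


def extension_discards(events):
    """Count extension-DLL discards per (network policy, authentication type)."""
    hits = Counter()
    for ev in events:
        if ev.get("Reason Code") == EXTENSION_DISCARD:
            hits[(ev.get("Network Policy Name", "?"), ev.get("Authentication Type", "?"))] += 1
    return hits


if __name__ == "__main__":
    for (policy, auth), n in extension_discards(parse_events(SAMPLE_EVENTS)).items():
        print(f"{n} discard(s) by extension DLL: policy={policy!r} auth={auth}")
```

Running it over events collected before and after a patch window shows whether the discards started with the update and which policy they hit.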
NSM
Here to help

We are having a similar issue in my environment. Patched 2019 NPS servers and now Meraki Client VPN is broken.

Has anyone found a resolution to the problem in this thread? Curious to see what is similar to my issue. 

dromios
Getting noticed

I forgot to mark this as completed.  Another round of patches actually resolved the issue for me.  If you don't have any more options I would put it on any server you have below 2019, that's what I did temporarily at least.  It's not an ideal fix but when in a pinch it helps.

NSM
Here to help

Thanks for the reply my friend. We will try that also!

dromios
Getting noticed

If you right click on nps you can export the config and import it quickly.  Should work from 2019 to any other 2019/2016 server, not sure about 2012 or 2012 r2.

Nash
Kind of a big deal


@dromios wrote:

If you right click on nps you can export the config and import it quickly.  Should work from 2019 to any other 2019/2016 server, not sure about 2012 or 2012 r2.


My systems people have recently successfully ported from 2012 r2 to 2016 and 2019, using this method. You're talking about the one that creates a big ol XML dump, right?

dromios
Getting noticed

That's correct.  Good to know it works all the way back to 2012 and vice versa!
