Client VPN With RADIUS for Windows server 2012 R2

TL_Arwen
Getting noticed

Client VPN With RADIUS for Windows server 2012 R2

Here is my scenerio:

 

I have a meraki MX 84. I setup a RADIUS server on a windows server 2012 R2. I configured it according to the directions here: https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

Testing this on my samsung phone, I get a connection unsuccessful message on the phone and in the Meraki logs, I get: 

Jun 20 13:34:26 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed.
Jun 20 13:34:26 Non-Meraki / Client VPN negotiationmsg: failed to pre-process ph1 packet (side: 1, status 1).
Jun 20 13:34:26 Non-Meraki / Client VPN negotiationmsg: failed to get valid proposal.
Jun 20 13:34:26 Non-Meraki / Client VPN negotiation

msg: no suitable proposal found.

 

 

I need to get this going for specific users in AD as our old VPN device is expiring and being retired.

 

Meraki support won't help troubleshoot the radius server

23 REPLIES 23
SoCalRacer
Kind of a big deal

My suggestion is to start with a Windows 10 device doing the client VPN. Once you know that is working then start on the mobile devices. The reason I say that, there are so many variables especially with Android devices on the VPN connection/settings.


@SoCalRacer wrote:

My suggestion is to start with a Windows 10 device doing the client VPN. Once you know that is working then start on the mobile devices. The reason I say that, there are so many variables especially with Android devices on the VPN connection/settings.


So I'm trying it with a windows 10 device and getting this: 

Jun 21 09:29:48 Non-Meraki / Client VPN negotiationmsg: invalid DH group 19.
Jun 21 09:29:48 Non-Meraki / Client VPN negotiationmsg: invalid DH group 20.
Jun 21 09:29:48 Non-Meraki / Client VPN negotiationmsg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
PhilipDAth
Kind of a big deal
Kind of a big deal

Are you running 14.39 or better firmware on your MX?

 

Does the Windows 10 machine return an error code?

 

Does your MX have a public IP address directly on it, or is it sitting behind something else doing NAT?


@PhilipDAth wrote:

Are you running 14.39 or better firmware on your MX?

 

Does the Windows 10 machine return an error code?

 

Does your MX have a public IP address directly on it, or is it sitting behind something else doing NAT?


It is running 14.39.

 

Error code 691.

 

It has a public IP.

PhilipDAth
Kind of a big deal
Kind of a big deal

Error code 691 can be caused when the pre-shared key doesn't match.  If you don't mind, could we try breaking the problem into smaller chunks.

 

I've had error 691 before when the pre-shared key was too complex, and either Meraki or the client couldn't handle special characters (don't know which).

Could you try changing the pre-shared key to something simple like "password".  If that resolves it then change it to something more complicated, but not as complex as you had before.

 

If that doesn't resolve it, stick with using password and change to using "Meraki Authentication".  If this resolves it then we know the VPN part is fine, it is something to do with the RADIUS setup that is not working.

If it is still broken then it is fudamentally something wrong with the VPN side.

 

If it is still not working please try disabling antivirus or anything that installs a network shim.  For example, Dell computers are famous for coming with some software called "SmartByte" which breaks the Windows VPN.


@PhilipDAth wrote:

Error code 691 can be caused when the pre-shared key doesn't match.  If you don't mind, could we try breaking the problem into smaller chunks.

 

I've had error 691 before when the pre-shared key was too complex, and either Meraki or the client couldn't handle special characters (don't know which).

Could you try changing the pre-shared key to something simple like "password".  If that resolves it then change it to something more complicated, but not as complex as you had before.

 

If that doesn't resolve it, stick with using password and change to using "Meraki Authentication".  If this resolves it then we know the VPN part is fine, it is something to do with the RADIUS setup that is not working.

If it is still broken then it is fudamentally something wrong with the VPN side.

 

If it is still not working please try disabling antivirus or anything that installs a network shim.  For example, Dell computers are famous for coming with some software called "SmartByte" which breaks the Windows VPN.


I tried it with a simple password and doing the meraki authentication. That works. Same IPSEC password but on RADIUS doesn't work even with a simple password between the RADIUS and meraki. Disabled windows firewall as a test. 

PhilipDAth
Kind of a big deal
Kind of a big deal

Ok, so we know it is strictly a RADIUS issue now.

 

In the Windows Event log under "Application" does Network Policy Server log it is sending an ACCES ACCEPT or an ACCESS REJECT?

If you are getting a REJECT you need to look at the rest of the event log entry to see why.

 

If you get no log entry at all it usually means the RADIUS key configured on Meraki and the NPS server under clients doesn't match.


@PhilipDAth wrote:

Ok, so we know it is strictly a RADIUS issue now.

 

In the Windows Event log under "Application" does Network Policy Server log it is sending an ACCES ACCEPT or an ACCESS REJECT?

If you are getting a REJECT you need to look at the rest of the event log entry to see why.

 

If you get no log entry at all it usually means the RADIUS key configured on Meraki and the NPS server under clients doesn't match.


So, I am not getting any messages in the event viewer of the RADIUS server. I also checked the secret key between the Meraki and the RADIUS server. I even as a test made it a simple short word. 

SoCalRacer
Kind of a big deal

Re: Meraki VPN Som eusers get 691 error when authenticating with Radius 

 

Might check that thread there are a couple things to double check


@SoCalRacer wrote:

Re: Meraki VPN Som eusers get 691 error when authenticating with Radius 

 

Might check that thread there are a couple things to double check


I took a look at that guy's solution. Ran the command to see if there were any users with that issue but it didn't return any.

Not sure what changed. But somehow this morning when I tested it on a windows computer, the VPN worked. tested the connection on my phone. had to use domain\username, but it connected. I am however unable to access any local resources in the network. I cannot ping  servers or access network shares. In event viewer, when I connect, I get this:

Network Policy Server granted full access to a user because the host met the defined health policy.

 So it sounds like I should have full network access, but I don't.

So as of this morning when doing some tests, I can ping the DC's, but anything else, I get a timed out. I am able to ping when local.

SoCalRacer
Kind of a big deal

Looks like you have been working on this for almost 2 weeks. I know you mentioned support wouldnt help with radius, but they should be able to help with device pings not working. Have you contacted them about that?


@SoCalRacer wrote:

Looks like you have been working on this for almost 2 weeks. I know you mentioned support wouldnt help with radius, but they should be able to help with device pings not working. Have you contacted them about that?


No, not about that. I figured they would tell me to talk to MS support or something. They have not been great help with this at all. I will send off an e-mail to see if they will help.

PhilipDAth
Kind of a big deal
Kind of a big deal

Perhaps get it going with Meraki Authentication with a local user first, and then make it more complicatde by adding in RADIUS.

 

This is a good guide for configuring RADUS.

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

WarrenG
Getting noticed

Did you ever get this resolved? I'm running into the same thing with Server 2019. For the life of me I can't figure out why it just won't connect or even create any entries in the event logs.

I did get it working. I'm using server 2012 R2, though. I'm betting the setup isn't too different, though.

Awesome, are there any tips or anything you could share about what you did to get it working?

Keep your secret key simple was the big thing. If I over complicated it, it wouldn't work.

Yep, I tried that too 🙂 Does it need to be a minimum number of characters or anything?

Not that I'm aware of. Maybe post some screenshots blanking out any details you shouldn't share.

 

Did you ever make any progress on this. I've been beating my head against a RADIUS rock for about 2 weeks now, and have the server rejecting all requests. Any advice would be amazing!

WarrenG
Getting noticed

Are you using Server 2012 R2 or something newer? I ask because I had a similar issue getting this to work using a Server 2019 server. That's until I found that Server 2019 has a bug that prevents NPS from working correctly. See if this might be useful at all in your particular situation:

 

https://www.risual.com/2019/03/windows-2019-server-nps-bug/

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels