Client VPN with RADIUS for Windows Server 2012 R2
Here is my scenario:
I have a Meraki MX84. I set up a RADIUS server on Windows Server 2012 R2. I configured it according to the directions here: https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN
Testing this on my Samsung phone, I get a "connection unsuccessful" message on the phone, and in the Meraki logs I get:
Jun 20 13:34:26 | Non-Meraki / Client VPN negotiation | msg: phase1 negotiation failed.
Jun 20 13:34:26 | Non-Meraki / Client VPN negotiation | msg: failed to pre-process ph1 packet (side: 1, status 1).
Jun 20 13:34:26 | Non-Meraki / Client VPN negotiation | msg: failed to get valid proposal.
Jun 20 13:34:26 | Non-Meraki / Client VPN negotiation | msg: no suitable proposal found.
I need to get this going for specific users in AD as our old VPN device is expiring and being retired.
Meraki support won't help troubleshoot the RADIUS server.
My suggestion is to start with a Windows 10 device doing the client VPN. Once you know that is working then start on the mobile devices. The reason I say that, there are so many variables especially with Android devices on the VPN connection/settings.
@SoCalRacer wrote:My suggestion is to start with a Windows 10 device doing the client VPN. Once you know that is working then start on the mobile devices. The reason I say that, there are so many variables especially with Android devices on the VPN connection/settings.
So I'm trying it with a Windows 10 device and getting this:
Jun 21 09:29:48 | Non-Meraki / Client VPN negotiation | msg: invalid DH group 19.
Jun 21 09:29:48 | Non-Meraki / Client VPN negotiation | msg: invalid DH group 20.
Jun 21 09:29:48 | Non-Meraki / Client VPN negotiation | msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Are you running 14.39 or better firmware on your MX?
Does the Windows 10 machine return an error code?
Does your MX have a public IP address directly on it, or is it sitting behind something else doing NAT?
@PhilipDAth wrote:Are you running 14.39 or better firmware on your MX?
Does the Windows 10 machine return an error code?
Does your MX have a public IP address directly on it, or is it sitting behind something else doing NAT?
It is running 14.39.
Error code 691.
It has a public IP.
Error code 691 can be caused when the pre-shared key doesn't match. If you don't mind, could we try breaking the problem into smaller chunks?
I've had error 691 before when the pre-shared key was too complex, and either Meraki or the client couldn't handle special characters (don't know which).
Could you try changing the pre-shared key to something simple like "password"? If that resolves it, then change it to something more complicated, but not as complex as you had before.
If that doesn't resolve it, stick with using "password" and change to using "Meraki Authentication". If this resolves it, then we know the VPN part is fine; it is something to do with the RADIUS setup that is not working.
If it is still broken, then it is fundamentally something wrong with the VPN side.
If it is still not working, please try disabling antivirus or anything that installs a network shim. For example, Dell computers are famous for coming with some software called "SmartByte" which breaks the Windows VPN.
@PhilipDAth wrote: Error code 691 can be caused when the pre-shared key doesn't match. If you don't mind, could we try breaking the problem into smaller chunks?
I've had error 691 before when the pre-shared key was too complex, and either Meraki or the client couldn't handle special characters (don't know which).
Could you try changing the pre-shared key to something simple like "password"? If that resolves it, then change it to something more complicated, but not as complex as you had before.
If that doesn't resolve it, stick with using "password" and change to using "Meraki Authentication". If this resolves it, then we know the VPN part is fine; it is something to do with the RADIUS setup that is not working.
If it is still broken, then it is fundamentally something wrong with the VPN side.
If it is still not working, please try disabling antivirus or anything that installs a network shim. For example, Dell computers are famous for coming with some software called "SmartByte" which breaks the Windows VPN.
I tried it with a simple password and using the Meraki authentication. That works. The same IPsec password but with RADIUS doesn't work, even with a simple password between the RADIUS server and the Meraki. I disabled the Windows firewall as a test.
Ok, so we know it is strictly a RADIUS issue now.
In the Windows event log under "Application", does Network Policy Server log that it is sending an ACCESS ACCEPT or an ACCESS REJECT?
If you are getting a REJECT, you need to look at the rest of the event log entry to see why.
If you get no log entry at all, it usually means the RADIUS key configured on the Meraki and on the NPS server under clients doesn't match.
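One way to test the RADIUS leg on its own, as an added example that is not from the original thread, Meraki or Microsoft: the script below sends a single RADIUS Access-Request carrying a PAP User-Password (the method the Meraki guide linked above has NPS allow) straight to the NPS server, then checks the Response Authenticator of whatever comes back using the secret it sent with. It has to run from a host that is registered under RADIUS Clients in NPS, since NPS matches clients by source IP. The host name, account and secret in the block are placeholders.

```python
# RADIUS (RFC 2865) PAP test client. Added example for this thread, not Meraki,
# Microsoft or NPS code. Sends one Access-Request straight to NPS, so the RADIUS
# leg is tested without the MX, and checks the reply's Response Authenticator.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_NAS_IDENTIFIER = 1, 2, 18, 32
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}

def _password_xor(data, secret, authenticator, decrypt):
    # RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous block),
    # starting from the Request Authenticator. Sender chains on the ciphertext it
    # produced, receiver on the ciphertext it was given.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = block if decrypt else result
    return out

def obfuscate_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    return _password_xor(padded, secret, authenticator, decrypt=False)

def recover_password(blob, secret, authenticator):
    # What the server does with User-Password; with the wrong secret it is garbage.
    return _password_xor(blob, secret, authenticator, decrypt=True).rstrip(b"\x00")

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, username, password, secret, nas_id=b"radius-test"):
    authenticator = os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, obfuscate_password(password, secret, authenticator))
             + attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident & 0xFF, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def parse_attributes(packet):
    attrs, pos, length = [], 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= length:
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            break  # malformed attribute: stop instead of looping forever
        attrs.append((kind, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def response_authenticator_ok(reply, request_authenticator, secret):
    # RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return reply[4:20] == expected

def build_reply(request, code, secret, attrs=b""):
    # Server side of the same computation, so the checker can be exercised offline.
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def classify(reply, request_authenticator, secret):
    if reply is None:
        return "timeout: no reply (client IP not registered in NPS, UDP 1812 filtered, or NPS not running)"
    name = CODE_NAMES.get(reply[0], f"code {reply[0]}")
    if not response_authenticator_ok(reply, request_authenticator, secret):
        return f"{name}, Response Authenticator does NOT verify: shared secret differs between this host and NPS"
    msgs = b" ".join(v for k, v in parse_attributes(reply) if k == ATTR_REPLY_MESSAGE)
    note = f" ({msgs.decode(errors='replace')})" if msgs else ""
    return f"{name}, Response Authenticator verifies: secret matches, outcome is a policy/credential decision{note}"

def send_request(host, packet, port=1812, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None

if __name__ == "__main__":
    # Placeholders: the NPS host, a real AD account and the secret NPS has for this host's IP.
    secret = b"shared-secret"
    request, req_auth = build_access_request(1, b"DOMAIN\\vpnuser", b"Passw0rd!", secret)
    print(classify(send_request("nps.example.local", request), req_auth, secret))
```

Read the result together with the advice above. A timeout means the request never produced a reply: NPS silently drops requests from an IP it has no RADIUS client entry for, and a host firewall blocking UDP 1812 looks exactly the same. Any reply whose Response Authenticator verifies proves the two sides hold the same secret, so an Access-Reject at that point is a policy or credential decision and the reason is in the NPS audit event in the Security log (6272 granted, 6273 denied, 6274 discarded). A reply whose Response Authenticator does not verify means the secrets differ, since only a server with the same secret can compute it. The User-Password protection is an MD5-keyed XOR, so send this only across a network you trust.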
@PhilipDAth wrote:Ok, so we know it is strictly a RADIUS issue now.
In the Windows event log under "Application", does Network Policy Server log that it is sending an ACCESS ACCEPT or an ACCESS REJECT?
If you are getting a REJECT, you need to look at the rest of the event log entry to see why.
If you get no log entry at all, it usually means the RADIUS key configured on the Meraki and on the NPS server under clients doesn't match.
So, I am not getting any messages in the Event Viewer of the RADIUS server. I also checked the secret key between the Meraki and the RADIUS server. As a test, I even made it a simple short word.
Re: Meraki VPN Some users get 691 error when authenticating with RADIUS
Might check that thread; there are a couple of things to double check.
@SoCalRacer wrote: Re: Meraki VPN Some users get 691 error when authenticating with RADIUS
Might check that thread; there are a couple of things to double check.
I took a look at that guy's solution. I ran the command to see if there were any users with that issue, but it didn't return any.
Not sure what changed, but somehow this morning when I tested it on a Windows computer, the VPN worked. I tested the connection on my phone; I had to use domain\username, but it connected. I am, however, unable to access any local resources in the network. I cannot ping servers or access network shares. In Event Viewer, when I connect, I get this:
Network Policy Server granted full access to a user because the host met the defined health policy.
So it sounds like I should have full network access, but I don't.
So as of this morning, when doing some tests, I can ping the DCs, but for anything else I get a timeout. I am able to ping when local.
Looks like you have been working on this for almost 2 weeks. I know you mentioned support wouldn't help with RADIUS, but they should be able to help with device pings not working. Have you contacted them about that?
@SoCalRacer wrote: Looks like you have been working on this for almost 2 weeks. I know you mentioned support wouldn't help with RADIUS, but they should be able to help with device pings not working. Have you contacted them about that?
No, not about that. I figured they would tell me to talk to MS support or something. They have not been a great help with this at all. I will send off an e-mail to see if they will help.
Perhaps get it going with Meraki Authentication with a local user first, and then make it more complicated by adding in RADIUS.
This is a good guide for configuring RADIUS:
https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN
Did you ever get this resolved? I'm running into the same thing with Server 2019. For the life of me I can't figure out why it just won't connect or even create any entries in the event logs.
I did get it working. I'm using Server 2012 R2, though. I'm betting the setup isn't too different.
Awesome, are there any tips or anything you could share about what you did to get it working?
Keeping the secret key simple was the big thing. If I over-complicated it, it wouldn't work.
Yep, I tried that too 🙂 Does it need to be a minimum number of characters or anything?
Not that I'm aware of. Maybe post some screenshots blanking out any details you shouldn't share.
Did you ever make any progress on this? I've been beating my head against a RADIUS rock for about 2 weeks now, and have the server rejecting all requests. Any advice would be amazing!
Are you using Server 2012 R2 or something newer? I ask because I had a similar issue getting this to work using a Server 2019 server, until I found that Server 2019 has a bug that prevents NPS from working correctly. See if this might be useful at all in your particular situation: