Client VPN With RADIUS for Windows server 2012 R2

Here to help

Here is my scenario:

I have a Meraki MX84. I set up a RADIUS server on a Windows Server 2012 R2. I configured it according to the directions here: https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

Testing this on my Samsung phone, I get a "connection unsuccessful" message on the phone, and in the Meraki logs I get:

Jun 20 13:34:26 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
Jun 20 13:34:26 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
Jun 20 13:34:26 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
Jun 20 13:34:26 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.


I need to get this going for specific users in AD as our old VPN device is expiring and being retired.


Meraki support won't help troubleshoot the radius server

Head in the Cloud

Re: Client VPN With RADIUS for Windows server 2012 R2

My suggestion is to start with a Windows 10 device doing the client VPN. Once you know that is working then start on the mobile devices. The reason I say that, there are so many variables especially with Android devices on the VPN connection/settings.

Here to help

Re: Client VPN With RADIUS for Windows server 2012 R2


@SoCalRacer wrote:

My suggestion is to start with a Windows 10 device doing the client VPN. Once you know that is working then start on the mobile devices. The reason I say that, there are so many variables especially with Android devices on the VPN connection/settings.


So I'm trying it with a Windows 10 device and getting this:

Jun 21 09:29:48 Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Jun 21 09:29:48 Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
Jun 21 09:29:48 Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY

Kind of a big deal

Re: Client VPN With RADIUS for Windows server 2012 R2

Are you running 14.39 or better firmware on your MX?

 

Does the Windows 10 machine return an error code?

 

Does your MX have a public IP address directly on it, or is it sitting behind something else doing NAT?

Here to help

Re: Client VPN With RADIUS for Windows server 2012 R2


@PhilipDAth wrote:

Are you running 14.39 or better firmware on your MX?

 

Does the Windows 10 machine return an error code?

 

Does your MX have a public IP address directly on it, or is it sitting behind something else doing NAT?


It is running 14.39.

 

Error code 691.

 

It has a public IP.

Kind of a big deal

Re: Client VPN With RADIUS for Windows server 2012 R2

Error code 691 can be caused when the pre-shared key doesn't match. If you don't mind, could we try breaking the problem into smaller chunks?

 

I've had error 691 before when the pre-shared key was too complex, and either Meraki or the client couldn't handle special characters (don't know which).

Could you try changing the pre-shared key to something simple like "password".  If that resolves it then change it to something more complicated, but not as complex as you had before.

 

If that doesn't resolve it, stick with using password and change to using "Meraki Authentication".  If this resolves it then we know the VPN part is fine, it is something to do with the RADIUS setup that is not working.

If it is still broken, then it is fundamentally something wrong with the VPN side.

 

If it is still not working please try disabling antivirus or anything that installs a network shim.  For example, Dell computers are famous for coming with some software called "SmartByte" which breaks the Windows VPN.
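The isolation test above, worked through on the Windows 10 client from PowerShell, as an added example (it is not code from the thread or from Meraki). The profile name, server address, PSK and credentials are placeholders; the PSK is deliberately trivial because this is the "does a simple key work" step, not a production setting. Meraki Client VPN is L2TP over IPsec with a pre-shared key and PAP for the user credential inside the tunnel, which is why those options are set explicitly:

```powershell
# Added example, not from the thread: reproduce the Windows 10 side of the
# isolation test one stage at a time. All values below are assumed placeholders.
$Name     = 'Meraki Client VPN'          # assumed profile name
$Server   = 'vpn.example.com'            # assumed public IP/hostname of the MX
$Psk      = 'password'                   # deliberately simple for the test only
$User     = 'EXAMPLE\alice'              # DOMAIN\user form
$Password = 'ThrowawayTestPassword1'     # assumed

# Meraki Client VPN = L2TP/IPsec with PSK; the user credential is PAP inside
# the encrypted tunnel. Recreate the profile so no stale setting survives.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $Psk -AuthenticationMethod Pap -EncryptionLevel Required -Force

# Dial from the command line so the RAS error code is visible as the exit code.
rasdial $Name $User $Password | Out-Null
$rc = $LASTEXITCODE

# Map the code to the layer that failed. 809 and 789 happen before any RADIUS
# traffic exists, so switching to Meraki Authentication cannot fix them; 691
# is where comparing Meraki Authentication against RADIUS becomes meaningful.
switch ($rc) {
    0   { 'Connected: tunnel and authentication both work with this PSK/user.' }
    809 { 'No reply from the server: UDP 500/4500 or ESP blocked, or wrong address (IPsec never started).' }
    789 { 'L2TP/IPsec security negotiation failed: PSK mismatch or unacceptable proposal (before any RADIUS traffic).' }
    691 { 'Authentication rejected: the server refused the credential. Now swap RADIUS for Meraki Authentication and retry.' }
    default { "rasdial exit code $rc (see RasClient event below)." }
}

# Windows records the same failure as RasClient event 20227 in the Application log.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } `
    -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

if ($rc -eq 0) { rasdial $Name /disconnect | Out-Null }
```

Run it once with RADIUS selected on the MX and once with Meraki Authentication; if only the exit code changes between 691 and 0, the IPsec side is fine and the problem is confined to the RADIUS path. Once the test passes, replace the trivial PSK with a long random one before anyone else uses the profile.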

Here to help

Re: Client VPN With RADIUS for Windows server 2012 R2


@PhilipDAth wrote:

Error code 691 can be caused when the pre-shared key doesn't match.  If you don't mind, could we try breaking the problem into smaller chunks.

 

I've had error 691 before when the pre-shared key was too complex, and either Meraki or the client couldn't handle special characters (don't know which).

Could you try changing the pre-shared key to something simple like "password".  If that resolves it then change it to something more complicated, but not as complex as you had before.

 

If that doesn't resolve it, stick with using password and change to using "Meraki Authentication".  If this resolves it then we know the VPN part is fine, it is something to do with the RADIUS setup that is not working.

If it is still broken, then it is fundamentally something wrong with the VPN side.

 

If it is still not working please try disabling antivirus or anything that installs a network shim.  For example, Dell computers are famous for coming with some software called "SmartByte" which breaks the Windows VPN.


I tried it with a simple password and Meraki Authentication. That works. Same IPsec password, but with RADIUS it doesn't work, even with a simple password between the RADIUS server and the Meraki. Disabled Windows Firewall as a test.

Kind of a big deal

Re: Client VPN With RADIUS for Windows server 2012 R2

Ok, so we know it is strictly a RADIUS issue now.

 

In the Windows Event Log under "Application", does Network Policy Server log that it is sending an ACCESS ACCEPT or an ACCESS REJECT?

If you are getting a REJECT you need to look at the rest of the event log entry to see why.

 

If you get no log entry at all, it usually means the RADIUS key configured on the Meraki and on the NPS server under Clients doesn't match.
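The server-side half of that check, as an added example to run on the Windows Server 2012 R2 NPS box (not code from the thread). It answers, in order: is NPS running and listening, is the MX configured as a RADIUS client, was the server registered in AD so it can read users' dial-in properties, and what NPS actually decided. The MX address and the look-back window are assumed values. One caveat worth knowing: NPS writes its accept/reject decisions as audit events in the Security log (6272 granted, 6273 denied, 6274 discarded, 6278 granted with health policy met), and a request from an address that is not a configured RADIUS client is dropped and recorded in the System log as NPS event 13 rather than as a decision:

```powershell
# Added example, not from the thread: trace a RADIUS request through NPS.
$MxAddress = '192.0.2.1'               # assumed address of the MX as NPS sees it
$Since     = (Get-Date).AddHours(-1)   # assumed look-back window

# 1. Service and sockets. The NPS service name is IAS; RADIUS authentication
#    listens on UDP 1812 (and legacy 1645) by default.
Get-Service IAS | Select-Object Status, DisplayName
Get-NetUDPEndpoint -LocalPort 1812, 1645 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort

# 2. The MX must be a configured RADIUS client with exactly this source address;
#    the shared secret itself cannot be read back, only re-set on both sides.
Get-NpsRadiusClient | Where-Object Address -eq $MxAddress |
    Select-Object Name, Address, Enabled

# 3. NPS must be registered in the domain to read users' dial-in properties;
#    an unregistered NPS receives the request and still rejects every user.
netsh nps show registeredserver

# 4. Decisions are audit events in the Security log and only appear if the
#    Network Policy Server audit subcategory is enabled.
auditpol /get /subcategory:"Network Policy Server"

$decisions = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 6272, 6273, 6274, 6278; StartTime = $Since
    } -ErrorAction SilentlyContinue

if ($decisions) {
    # The Reason Code / Reason lines inside a 6273 say why the user was refused
    # (bad password, dial-in not allowed, no matching network policy, ...).
    $decisions | ForEach-Object {
        $reason = ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*Reason' }) -join '; '
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Reason = $reason }
    } | Format-Table -AutoSize
}
else {
    # 5. Nothing decided. Either the packet never arrived (firewall, port,
    #    address) or NPS dropped it as coming from an unknown RADIUS client,
    #    which it logs in the System log as event 13.
    "No NPS decision events since $Since."
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; Id = 13; StartTime = $Since } `
        -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
    Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Direction
}
```

If step 4 shows the subcategory disabled, enable it with `auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable` and retry the client; without it, a healthy NPS looks exactly like one that never received the packet.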

Here to help

Re: Client VPN With RADIUS for Windows server 2012 R2


@PhilipDAth wrote:

Ok, so we know it is strictly a RADIUS issue now.

 

In the Windows Event Log under "Application", does Network Policy Server log that it is sending an ACCESS ACCEPT or an ACCESS REJECT?

If you are getting a REJECT you need to look at the rest of the event log entry to see why.

 

If you get no log entry at all, it usually means the RADIUS key configured on the Meraki and on the NPS server under Clients doesn't match.


So, I am not getting any messages in the Event Viewer of the RADIUS server. I also checked the secret key between the Meraki and the RADIUS server. As a test, I even made it a simple short word.

Head in the Cloud

Re: Client VPN With RADIUS for Windows server 2012 R2

Re: Meraki VPN Some users get 691 error when authenticating with RADIUS

 

Might check that thread; there are a couple of things to double-check.

Here to help

Re: Client VPN With RADIUS for Windows server 2012 R2


@SoCalRacer wrote:

Re: Meraki VPN Some users get 691 error when authenticating with RADIUS

 

Might check that thread; there are a couple of things to double-check.


I took a look at that guy's solution. Ran the command to see if there were any users with that issue, but it didn't return any.

Here to help

Re: Client VPN With RADIUS for Windows server 2012 R2

Not sure what changed, but somehow this morning when I tested it on a Windows computer, the VPN worked. Tested the connection on my phone; I had to use domain\username, but it connected. I am, however, unable to access any local resources in the network. I cannot ping servers or access network shares. In Event Viewer, when I connect, I get this:

Network Policy Server granted full access to a user because the host met the defined health policy.

So it sounds like I should have full network access, but I don't.

Here to help

Re: Client VPN With RADIUS for Windows server 2012 R2

So as of this morning, when doing some tests, I can ping the DCs, but anything else times out. I am able to ping when local.

Head in the Cloud

Re: Client VPN With RADIUS for Windows server 2012 R2

Looks like you have been working on this for almost 2 weeks. I know you mentioned support wouldn't help with RADIUS, but they should be able to help with device pings not working. Have you contacted them about that?

Here to help

Re: Client VPN With RADIUS for Windows server 2012 R2


@SoCalRacer wrote:

Looks like you have been working on this for almost 2 weeks. I know you mentioned support wouldn't help with RADIUS, but they should be able to help with device pings not working. Have you contacted them about that?


No, not about that. I figured they would tell me to talk to MS support or something. They have not been great help with this at all. I will send off an e-mail to see if they will help.

Kind of a big deal

Re: Client VPN With RADIUS for Windows server 2012 R2

Perhaps get it going with Meraki Authentication with a local user first, and then make it more complicated by adding in RADIUS.

 

This is a good guide for configuring RADIUS.

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN
