Client VPN with Radius Server

Solved
Patrik73
Getting noticed


Meraki keeps haunting me.
 
I am trying to set up Client VPN with a Windows Server 2019 NPS server.
I have followed the guide at
 
My Meraki is on another site from my AD.
They are connected via Site 2 Site non Meraki VPN.
It works fine and all traffic flows from Meraki to AD-site.
 
My Meraki can ping the Radius-server from default source.
 
I have opened all ports on the Radius-server, inbound and outbound (just for test).
 
I have checked the shared secret and even changed it to something simple like 12345, and the same in the Meraki Dashboard.
 
I have run sc sidtype IAS unrestricted on the Radius-server and rebooted.
 
I have deleted the file %windir%\system32\ias\ias.xml and rebuilt the settings in NPS.
 
I have checked Allow on Network Access Permission on the test user's AD account and tried to check Control access through NPS Network Policy.
 
I have created a completely new user in my AD just to be sure that nothing "old" is making the error.
 
I have checked the Attribute msRADIUSServiceType so it is empty.
 
I have tried to connect with VPN from my Samsung phone with only data traffic enabled, and not wifi.
 
I have activated logging on the Radius server firewall for dropped connections, nothing is dropped.
 
I have activated logging Audit Policy (Account logon events and Logon events) on my Radius Server, but the security logs show no logging at all about failed connections.
 
I have tried to use different methods in the username: domainname.local\username, domainname\username, username@domainname.com and just username.
 
I have tried multiple different accounts.
 
Probably tried a number of more things, but no success at all.
 
The error I get is Error 691.
 
Meraki Cloud Authentication and AD authentication work.
 
I'm not sure what else I can try now.
 
Maybe try to install NPS on an old Server 2012R2 just to make sure there is nothing strange with the 2019-server.
5 Replies
alemabrahao
Kind of a big deal
Kind of a big deal

Have you created a server certificate for the NPS?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

Have you checked the NPS logs?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Patrik73
Getting noticed

Meraki states that you don't need a certificate for Radius-server with VPN.

The NPS-logs are empty.

But it looks like it works fine when I removed CLIENTVPN from NPS.
Thanks!

alemabrahao
Kind of a big deal
Kind of a big deal

Note: Some versions of Windows Server require that the CallingStationID is omitted. If you are unable to establish connectivity, remove the CallingStationID and leave the field blank.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Patrik73
Getting noticed

Thank you!
I was pretty sure I tried that, but apparently not.

It works fine now that I have removed the CallingStationID.

You are a champ.

Now even Azure MFA works with User VPN.
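The replies above ask about the NPS logs and point at the CallingStationID condition. As an added example, not from any poster in this thread, the PowerShell below lists the NPS access-denied audit events on the NPS server together with the Calling-Station-Identifier the NAS actually sent and the reason code NPS recorded. It assumes the "Network Policy Server" audit subcategory is enabled; the Account Logon and Logon subcategories mentioned in the original post do not produce NPS events, which is one reason the Security log can stay empty.

```powershell
# Added example (not from the thread). Lists NPS "access denied" audit events (ID 6273)
# with the fields a troubleshooter needs: who was denied, from which NAS, with which
# Calling-Station-Identifier, by which network policy, and why.
#
# Assumption: the NPS audit subcategory is enabled on the server. Enable it with:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
# Reason code 48 means no network policy matched (e.g. a Calling-Station-ID condition
# that the NAS's value does not satisfy); 65 is Network Access Permission denied;
# 16 is bad credentials.

function Get-NpsDenyEvents {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 6273
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $msg = $e.Message
        # Extract "Label:   value" lines from the event message text.
        $get = {
            param($label)
            if ($msg -match "(?m)^\s*$label\s*:\s*(.*)$") { $Matches[1].Trim() } else { '' }
        }
        [pscustomobject]@{
            Time             = $e.TimeCreated
            User             = & $get 'Account Name'
            NasIp            = & $get 'NAS IPv4 Address'
            CallingStationId = & $get 'Calling Station Identifier'
            NetworkPolicy    = & $get 'Network Policy Name'
            ReasonCode       = & $get 'Reason Code'
            Reason           = & $get 'Reason'
        }
    }
}

# Show the last two days of denials, newest first.
Get-NpsDenyEvents -Hours 48 | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the output is empty even after a failed VPN attempt, the request is not reaching NPS at all (firewall, shared secret mismatch, or wrong RADIUS client IP), which narrows the search before touching the network policy.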
