How to test a second new RADIUS server (NPS) for vpn clients

Announcer
Getting noticed

I currently have a Server 2008 R2 RADIUS server (NPS, Network Policy Server). I created a new Server 2016 server with NPS configured with the same settings (imported XML file).

I want to test to see if people can connect using the new server. Is there a way of doing this without disrupting people? I have attached a screenshot for help. We use the Windows built-in VPN to connect.

vpn.PNG

NolanHerring
Kind of a big deal

I know on the wireless Access Control page they provide a TEST button on the right side. Is there one for this? Can't tell if you simply cut it off or not in the screenshot.
Nolan Herring | nolanwifi.com
Announcer
Getting noticed

Yes, I tested the new one on the wifi page and it said no reply.  I inputted the working one and still get the same 'no reply', so not sure if that 'test' button is working properly.

Nash
Kind of a big deal

This situation is why we need a test setup specifically for the client VPN, if that's even possible.

I don't think using the 802.1x test off your wireless would necessarily be too helpful here, since that'd be testing off your APs instead of the fw. Did you copy your 802.1x config over to the new NPS server, with your APs as valid clients?

If you're using that test button and not getting a valid test when you should, you probably should check to make sure that packets are actually leaving your device and being received by your NPS server. You can do a pcap off your Meraki device, and then check your NPS logs on your server.

ciph3r
Getting noticed

The only options I see here are:

Bring up another MX device and test in a lab environment.

Quickly change the port on the known good server and try to connect (during a maintenance window or late at night).

Because my NPS is set up to verify machine name and cert, the test doesn't work for me either.

Announcer
Getting noticed

I think I'm going to have to add the second one in Meraki, turn off the old one and see if I can connect. Off hours, of course. Wish there was a better way.
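
Added example, not part of the thread: one way to exercise the new NPS server directly, while the firewall keeps authenticating against the old one, is to send it a single RADIUS Access-Request from a test host and verify the reply. It assumes the test host has been added to the new NPS as a RADIUS client with its own shared secret and that the matching network policy accepts PAP; `probe`, the helper names and the NAS address are hypothetical.

```python
import hashlib, hmac, os, socket, struct

def encrypt_pap(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password as RFC 2865 section 5.2 specifies."""
    size = max(1, -(-len(password) // 16)) * 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(user, password, secret, ident, authenticator,
                         nas_ip="192.0.2.10"):  # constructed NAS address
    attrs = (attr(1, user.encode())
             + attr(2, encrypt_pap(password.encode(), secret, authenticator))
             + attr(4, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs) + 18) + authenticator
    # Message-Authenticator (type 80): HMAC-MD5 over the packet with the field zeroed
    mac = hmac.new(secret, header + attrs + attr(80, bytes(16)), hashlib.md5).digest()
    return header + attrs + attr(80, mac)

def check_response(response, request_authenticator, secret):
    """Verify the Response Authenticator, then name the reply code."""
    if len(response) < 20:
        raise ValueError("malformed RADIUS reply")
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        raise ValueError("malformed RADIUS reply")
    want = hashlib.md5(response[:4] + request_authenticator
                       + response[20:] + secret).digest()
    if not hmac.compare_digest(want, response[4:20]):
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    return {2: "Access-Accept", 3: "Access-Reject",
            11: "Access-Challenge"}.get(code, f"code {code}")

def probe(server, user, password, secret, port=1812, timeout=3.0):
    """Send one request to `server`; live VPN logins keep using the old NPS."""
    authenticator, ident = os.urandom(16), os.urandom(1)[0]
    packet = build_access_request(user, password, secret, ident, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except OSError:  # timeout or ICMP unreachable
            return "no reply"  # RFC 2865: requests from unknown clients are silently discarded
    return check_response(reply, authenticator, secret)
```

A "no reply" result from `probe` points at reachability, the RADIUS client entry or the shared secret rather than at the policy itself, which is the case the packet capture and NPS logs mentioned above help separate.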
