Meraki 802.1X Authentication with NPS

Adeldardari
Here to help

Meraki 802.1X Authentication with NPS

Hi, 

we have a meraki MR / MS and MX at head office. we are using NPS as our radius server hosted in Azure. We are using PEAP ( EAP-TLS with x.509 certificate based authentication) using user certificate.

 

Everything is working well but we started getting an issue : when a user PC is connected to both wired and wireless network ( both networks got 802.1x enabled) , the user laptop is preferring the wired as expected. our wired gateway is 10.1.10.1 ( our switch ). On the other hand, the wireless AP IP is ( 10.1.20.1 ). 

 

we have enabled re-authentication on the switch every 300 seconds. When the PC is trying to re-authenticate the wired network, it is taking long time ( around 30 sec ) , then the wired is failing and the user laptop gets switched to the wireless network. 

 

we have played around with the Metrics for both networks on the laptop as per the attached screenshot but that didn't fix it. My assumption is that, when the pc is trying to reauthenticate the wired connecting (by fragmenting the certificate and sending it) , the wireless profile is kicking in as it is trying to give the pc an access to the network ( also by fragmenting the certificate and sending it all the way to nps ) and this is why it is taking longer during the re-authentication process, but i wasn't sure why the wired ends up failing and the wireless takes over. 

 

Is there a way to fix this issue ? ( we want to keep reauthentication on , disabling it would fix the issue but it is not recommended )

Also, can we pin-point the problem ? is it the laptop behaving the way i explained, or is it that the switch is receiving the same certificate from two different resources and is getting confused ? or is it related to NPS ? 

MicrosoftTeams-image - 3.png

4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal

Have you checked the logs on NPS? Have you checked that the CA certificate is correctly configured in the network adapter properties?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Adeldardari
Here to help

There are no hits on NPS during re-authentication, but we see some eap traffic is received on nps from the switch before the wired network fails ( mainly the first fragment ). CA on network adapter is configured correctly , i assume, otherwise it wouldn't have connected at first place. 

alemabrahao
Kind of a big deal
Kind of a big deal

I suggest you to open a case with Meraki support.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
thomasthomsen
Kind of a big deal

In an authentication scenario the laptop does not directly "talk" to the Radius server. It is the switch or AP that "talks" to the Radius server (hence, why you setup those devices as "NAS" devices on the Radius server). 

But something is going on.

Try looking at the windows client eventlog for authentications (if nothing shows up on the radius server logs that is). The switch should send a EAP-Id request when the session timeout happens (try verifying with a packetsniff). If it does not, well, then there is a problem, because your client would not know that the session has ended, and would still think it is connected.

 

There is also a very old Windows 7 bug where the windows firewall would actually block all traffic for x amount of time, whenever a session timeout happened, as far as I remember.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels