Meraki

Community

Meraki VPN client with NPS Radius - problem with NAS Port type

Solved
rrocha
Getting noticed
‎Oct 31 2019 9:34 AM
‎Oct 31 2019 9:34 AM

Meraki VPN client with NPS Radius - problem with NAS Port type

I am struggling with VPN clients and the NPS. Today I am using the Meraki option selected as direct read to the AD, I think is as a LDAP.

 

I still want to use the NPS, but my default policy do not work, its says in the event view that my policy do not accept the NAS port type of the incoming connection when using VPN.

 

I am using NPS with my wireless and 802.1x, in both cases the NAS port type is showings its type... but with the VPN connection the NAS port type its not been recognize its only shows a dash (-) like blank information.

Unfortunately the NPS don't give me a option to create a policy that accept a connection without the NAS port type showing something... Any suggestion to fix this behavior ?

0 Kudos
1 Accepted Solution
In response to Nash
rrocha
Getting noticed
‎Oct 31 2019 1:35 PM
‎Oct 31 2019 1:35 PM

It is workings now! I keep the same configuration but I uncheck all option about NAS Porty Type and did a reboot on the NPS service instead of the server itself. Windows and its need of random reboots rsrrsrs

 

Thank you guys !!

 

View solution in original post

9 Replies 9
Nash
Kind of a big deal
‎Oct 31 2019 9:44 AM
‎Oct 31 2019 9:44 AM

Just to confirm, did you follow https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_... to set this up? Have you validated your settings against it?

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
In response to Nash
rrocha
Getting noticed
‎Oct 31 2019 9:51 AM
‎Oct 31 2019 9:51 AM

Thank you Nash.

Yes I did, my wireless WPA2-enteprise is working fine by the way, my default policy is a very basic one, basically is says if you are from my Windows group all users and use any kind of EAPS you have access granted...

 

When using the Meraki to test my NPS I receive a pass too, but with the VPN, because its inability to recognize the NAS port type, its is not letting my users when coming from the VPN connection to have access.

0 Kudos
In response to rrocha
Nash
Kind of a big deal
‎Oct 31 2019 10:05 AM
‎Oct 31 2019 10:05 AM

Oh gosh, I see. You're having trouble with the client VPN? I assumed wireless because it's in the wireless forum. @MeredithW I think this topic needs a move maybe?

 

Since client VPN, have you built out a fully separate setup using https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN ? Do your settings for it match this exactly?

 

I've followed the above for NPS for client VPN on a couple dozen servers now, ranging from 2008r2 to 2016, and not seen the problem you are encountering. Including at clients that also use NPS for 802.1x.

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
rrocha
Getting noticed
‎Oct 31 2019 10:22 AM
‎Oct 31 2019 10:22 AM

Hi Nash, I really didn't read this article, thank you.

 

Reading it now, I see that my Request Policy is different from the example, I am using the default one about the time of the day, I think is not the problem in my case.

 

Although maybe my Network Policy need to change or I will create a new one with this settings*** as the article indicate.

My conditions as I said before is only asking for the Windows Group Domain Users. The NAS port type setting is together in the same session as settings about encryption, maybe will make a difference in my case changing the encrypted type to exactly as the article says. Anyway even with it is not looks like that it will have a relationship about NAS type port, maybe it will do a trick and fixed my situation ? I will try and post the results. Thanks !!

 

 

***Deselect all checkboxes and select Unencrypted authentication (PAP, SPAP). An informational box will be displayed press No to continue and press Next.  For security information about using PAP click here.

0 Kudos
In response to rrocha
Nash
Kind of a big deal
‎Oct 31 2019 11:05 AM
‎Oct 31 2019 11:05 AM

You're welcome! Hope it helps.

 

I strongly recommend setting it up exactly as Meraki recommends on all policies. Get it working then see if the NAS port type is still an issue. I'm pretty sure it won't be. 🙂

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 31 2019 12:45 PM
‎Oct 31 2019 12:45 PM

>its says in the event view that my policy do not accept the NAS port type of the incoming connection when using VPN.

 

The MX does not set the port type attribute for client VPN users, so you can't match on port type being "VPN".

In response to PhilipDAth
rrocha
Getting noticed
‎Oct 31 2019 1:14 PM
‎Oct 31 2019 1:14 PM

Hey Philip, thanks for the clarification, so my Win server is a 2012, in the NPS I tried to make it stop caring about the NAS port type, but I couldn't, I didn't see any option to disable this setting, I tried un-check all option, or checking all them, but both ways it is not working.

 

Any orientation ?

 

Thanks.

0 Kudos
In response to rrocha
Nash
Kind of a big deal
‎Oct 31 2019 1:26 PM
‎Oct 31 2019 1:26 PM

Did you try to delete and recreate the problem policy? That can be simpler than adjusting the settings after it's done.

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
In response to Nash
rrocha
Getting noticed
‎Oct 31 2019 1:35 PM
‎Oct 31 2019 1:35 PM

It is workings now! I keep the same configuration but I uncheck all option about NAS Porty Type and did a reboot on the NPS service instead of the server itself. Windows and its need of random reboots rsrrsrs

 

Thank you guys !!

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.