Meraki VPN client with NPS Radius - problem with NAS Port type

SOLVED
rrocha
Getting noticed


I am struggling with VPN clients and the NPS. Today I am using the Meraki option set to read directly from the AD; I think it is like LDAP.

I still want to use the NPS, but my default policy does not work. The Event Viewer says that my policy does not accept the NAS port type of the incoming connection when using VPN.

I am using NPS with my wireless and 802.1x, and in both cases the NAS port type shows its type... but with the VPN connection the NAS port type is not being recognized; it only shows a dash (-), like blank information.

Unfortunately the NPS doesn't give me an option to create a policy that accepts a connection without the NAS port type showing something... Any suggestions to fix this behavior?

1 ACCEPTED SOLUTION
rrocha
Getting noticed

It is working now! I kept the same configuration but I unchecked all options about NAS Port Type and did a reboot of the NPS service instead of the server itself. Windows and its need for random reboots rsrrsrs

 

Thank you guys !!

 


9 REPLIES 9
Nash
Kind of a big deal

rrocha
Getting noticed

Thank you Nash.

Yes I did. My wireless WPA2-Enterprise is working fine, by the way. My default policy is a very basic one; basically it says that if you are in my Windows group of all users and use any kind of EAP, you have access granted...

When using the Meraki to test my NPS I receive a pass too, but with the VPN, because of its inability to recognize the NAS port type, it is not letting my users have access when coming from the VPN connection.

Nash
Kind of a big deal

Oh gosh, I see. You're having trouble with the client VPN? I assumed wireless because it's in the wireless forum. @MeredithW I think this topic needs a move maybe?

 

Since client VPN, have you built out a fully separate setup using https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN ? Do your settings for it match this exactly?

 

I've followed the above for NPS for client VPN on a couple dozen servers now, ranging from 2008r2 to 2016, and not seen the problem you are encountering. Including at clients that also use NPS for 802.1x.

rrocha
Getting noticed

Hi Nash, I really didn't read this article, thank you.

 

Reading it now, I see that my Request Policy is different from the example. I am using the default one about the time of day; I think it is not the problem in my case.

Although maybe my Network Policy needs to change, or I will create a new one with these settings*** as the article indicates.

My conditions, as I said before, only ask for the Windows group Domain Users. The NAS port type setting is together in the same section as the settings about encryption, so maybe changing the encryption type to exactly what the article says will make a difference in my case. Anyway, even if it does not look like it has a relationship with the NAS port type, maybe it will do the trick and fix my situation? I will try and post the results. Thanks!!

 

 

***Deselect all checkboxes and select Unencrypted authentication (PAP, SPAP). An informational box will be displayed press No to continue and press Next.  For security information about using PAP click here.

Nash
Kind of a big deal

You're welcome! Hope it helps.

 

I strongly recommend setting it up exactly as Meraki recommends on all policies. Get it working then see if the NAS port type is still an issue. I'm pretty sure it won't be. 🙂

PhilipDAth
Kind of a big deal

>its says in the event view that my policy do not accept the NAS port type of the incoming connection when using VPN.

 

The MX does not set the port type attribute for client VPN users, so you can't match on port type being "VPN".

Hey Philip, thanks for the clarification. My Win server is a 2012. In the NPS I tried to make it stop caring about the NAS port type, but I couldn't; I didn't see any option to disable this setting. I tried unchecking all options, or checking all of them, but either way it is not working.

Any orientation?

 

Thanks.

Nash
Kind of a big deal

Did you try to delete and recreate the problem policy? That can be simpler than adjusting the settings after it's done.
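
The point made above, that the MX does not set the port type attribute for client VPN users, can be checked on a captured Access-Request. The following Python example is added here and is not from the thread, Meraki or Microsoft; it parses RADIUS attributes as laid out in RFC 2865, the two packets are constructed samples, and `constraint_allows` is an assumed, simplified model of the NPS NAS Port Type constraint rather than NPS's own logic.

```python
import struct

NAS_PORT_TYPE = 61    # RFC 2865 attribute number
WIRELESS_80211 = 19   # RFC 2865 NAS-Port-Type value for Wireless - IEEE 802.11

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute header or length")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def nas_port_type(packet: bytes):
    """Integer NAS-Port-Type, or None when the client did not send one."""
    value = parse_attributes(packet).get(NAS_PORT_TYPE)
    if value is None:
        return None
    if len(value) != 4:
        raise ValueError("NAS-Port-Type must be a 4-byte integer")
    return struct.unpack("!I", value)[0]

def constraint_allows(packet: bytes, checked_types: set) -> bool:
    """Simplified model (assumption): no boxes checked means no constraint."""
    return not checked_types or nas_port_type(packet) in checked_types

def build_request(attrs: list) -> bytes:
    """Constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples; the user name and address are placeholders.
base = [(1, b"alice"), (4, bytes([192, 0, 2, 1]))]  # User-Name, NAS-IP-Address
wireless = build_request(base + [(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))])
client_vpn = build_request(base)  # no attribute 61, as the thread describes

if __name__ == "__main__":
    for name, pkt in (("wireless", wireless), ("client VPN", client_vpn)):
        print(name, nas_port_type(pkt), constraint_allows(pkt, {WIRELESS_80211}))
```

With any port type checked, the request that lacks attribute 61 fails the constraint; with none checked, it passes, which matches the fix reported in this thread.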
