Meraki

DrakeKammer · ‎Feb 26 2024

We've migrated the on-prem Active Directory environment to azure and have an existing VPN pipeline.

We're struggling to get Meraki to send the requests over the S2S VPN. We're using the NPS azure vm private ip within the meraki portal.

We thought since there was an existing VPN connection, that we could just spin up a new NPS/DC and change Meraki to forward the request to the azure vm via the S2S vpn.

I have event logs of on-prem devices talking to azure resources over the S2S, but cannot get the radius request to flow, or so it seems.

Any layers or breaking points to look into?

I don't have good log files as of yet.

CptnCrnch · ‎Feb 26 2024

Correct: https://documentation.meraki.com/MX/Other_Topics/MX_and_Z-series_Source_IP_for_RADIUS_Authentication

View solution in original post

rhbirkelund · ‎Feb 26 2024

Iirc radius messages are sourced from the highest VPN enabled VLAN on the MX. E.g. If you have vlans 1, 10, and 20, and 1 and 10 are VPN enabled, it will be vlan 10 that the radius messages are sourced from.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

CptnCrnch · ‎Feb 26 2024

Correct: https://documentation.meraki.com/MX/Other_Topics/MX_and_Z-series_Source_IP_for_RADIUS_Authentication

DrakeKammer · ‎Feb 29 2024

Added routes to azure network gateway for the highest numbered VLAN and 6.X.X.X

DrakeKammer · ‎Feb 26 2024

What if VLAN 10 isn't where the Radius server lives, but rather VLAN 1.

cmr · ‎Feb 26 2024

Create a route from VLAN 10 to 1 or move the RADIUS server?

If my answer solves your problem please click Accept as Solution so others can benefit from it.

DrakeKammer · ‎Feb 26 2024

So since the original Radius server was on-prem, VLAN priority didn't matter? As it currently stands, using the on-prem radius server, our highest VLAN is 300, and the VLAN where the on-prem Radius server lives is on VLAN 1. That's why I'm somewhat confused.

But since we're moving to a S2S tunnel for radius, it needs to be in the highest VLAN possible?

Where as on-prem it didn't matter?

cmr · ‎Feb 26 2024

Can the on prem RADIS server route to VLAN 300 and can the cloud one not?

If my answer solves your problem please click Accept as Solution so others can benefit from it.

DrakeKammer · ‎Feb 26 2024

Might be on to something. Yes I can ping VLAN 300 from the on-prem, but not from the azure vm. I can ping other on-prem devices. But it doesn't appear I can talk to VLAN300.

DrakeKammer · ‎Feb 29 2024

Solved. Thank you.

Added routes to azure network gateway for the highest numbered VLAN and 6.X.X.X

PhilipDAth · ‎Feb 26 2024

A common issue I run into is that Windows does not correctly configure Windows Firewall to allow NPS traffic. You need to either add extra firewall rules or disable Windows firewall.

DrakeKammer · ‎Feb 26 2024

one of the first things I tried after seeing the server 2019 bug.

Meraki

Community

On-Prem Meraki Radius --> NPS Azure VM

On-Prem Meraki Radius --> NPS Azure VM