Meraki

Community

RADIUS Accept not being received

HBPeter
Conversationalist
‎Jun 24 2020 6:56 AM
‎Jun 24 2020 6:56 AM

RADIUS Accept not being received

Hi,

 

I have an issue with Meraki and my NPS somewhere and am struggling to find the cause.

 

The packet capture from the AP outbound to the internet show the Radius request going to the NPS and even the challenges coming back, however nothing else after that apart from fragmented IPv4 packets.

 

The NPS can see the requests and is authenticating with reason code 0 as per https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd....

 

What is going on? I can provide more detail if it would help but might have to edit it heavily to avoid giving away IP addresses etc.

 

Thanks in advance

0 Kudos
3 Replies 3
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jun 24 2020 8:52 AM
‎Jun 24 2020 8:52 AM

After the initial EAP packets the client will probably build a TLS tunnel between itself and NPS and that traffic starting from the change cipher spec should be opaque in your capture of the inside communication.

 

However after that exchange is completed you should see an access-accept packet from NPS destined to the AP with all needed AV pairs.  Can you verify the AP receives that packet?

Wirelesslywired has a few captures as example but it's EAP-PEAP.
https://drive.google.com/drive/folders/0B4-AWwD5siI1VFVTU01aV3QxWHc

0 Kudos
In response to GIdenJoe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 24 2020 2:09 PM
‎Jun 24 2020 2:09 PM

Negative.  The client never communicates directly with NPS.  The tunnel always runs through the AP (in this case).

 

I had a recent case like this.  It turned out one of the device was using a different default gateway, and it didn't have all the network routes on it.

In response to PhilipDAth
HBPeter
Conversationalist
‎Jun 25 2020 6:08 AM
‎Jun 25 2020 6:08 AM

Hi, thanks for the response. In your case was the NPS able to see the authentication attempts or did they not reach it?

 

I've noticed the same problem now at some other sites in this Meraki template group. All these sites routers have a similar setup so it doesn't really narrow it down between the Meraki config and the ISR config.

 

Meraki states that about 40% of attempts fail at association and 50% at authentication for all the problem sites.

 

Wired connections are still working and they are on the same VLAN as the WiFi so I don't see where the problem lies yet.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.