cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

RADIUS Accept not being received

HBPeter
Conversationalist

RADIUS Accept not being received

Hi,

 

I have an issue with Meraki and my NPS somewhere and am struggling to find the cause.

 

The packet capture from the AP outbound to the internet show the Radius request going to the NPS and even the challenges coming back, however nothing else after that apart from fragmented IPv4 packets.

 

The NPS can see the requests and is authenticating with reason code 0 as per https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd....

 

What is going on? I can provide more detail if it would help but might have to edit it heavily to avoid giving away IP addresses etc.

 

Thanks in advance

3 REPLIES 3
GIdenJoe
Head in the Cloud

Re: RADIUS Accept not being received

After the initial EAP packets the client will probably build a TLS tunnel between itself and NPS and that traffic starting from the change cipher spec should be opaque in your capture of the inside communication.

 

However after that exchange is completed you should see an access-accept packet from NPS destined to the AP with all needed AV pairs.  Can you verify the AP receives that packet?

Wirelesslywired has a few captures as example but it's EAP-PEAP.
https://drive.google.com/drive/folders/0B4-AWwD5siI1VFVTU01aV3QxWHc

PhilipDAth
Kind of a big deal

Re: RADIUS Accept not being received

Negative.  The client never communicates directly with NPS.  The tunnel always runs through the AP (in this case).

 

I had a recent case like this.  It turned out one of the device was using a different default gateway, and it didn't have all the network routes on it.

HBPeter
Conversationalist

Re: RADIUS Accept not being received

Hi, thanks for the response. In your case was the NPS able to see the authentication attempts or did they not reach it?

 

I've noticed the same problem now at some other sites in this Meraki template group. All these sites routers have a similar setup so it doesn't really narrow it down between the Meraki config and the ISR config.

 

Meraki states that about 40% of attempts fail at association and 50% at authentication for all the problem sites.

 

Wired connections are still working and they are on the same VLAN as the WiFi so I don't see where the problem lies yet.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.