RADIUS Authentication Issue on Meraki AP

Solved
ph0t0g

I am attempting to configure RADIUS authentication for the first time. The AP is an MR30H. I set up two SSIDs: one for Shared Key and one for RADIUS (following the instructions here). I can authenticate using the Shared Key just fine, so I know the basic AP setup is working. RADIUS authentication just returns "Can't connect to the network" without ever prompting for credentials. No error message appears, and there are no entries in Event Viewer on the RADIUS server or the client. Here are some details...

 

- RADIUS server is Windows Server 2016 and is on the same VLAN as the AP

- When I run the test from the Meraki Dashboard from the AP to the RADIUS server, it prompts for AD credentials and the test is successful.

- Access Control Settings are:

  Network Access: WPA2-Enterprise with <my RADIUS server>

  WPA2 Encryption Mode: <WPA2 only>

  Client IP Assignment: <Bridge mode: make all clients part of the LAN>

  ** all other settings are at the defaults

 

I know this is not a lot of info to go on, but this is the first time setting up a RADIUS server for me and I don't know where to look next.

 

Thanks.

 

P.S. Sorry, meant to put this under Wireless. Don't know how to move it there.

 

 

 

NolanHerring

So to confirm, you're using NPS on that Windows server.


Did you put in the entire subnet the access points are sitting on (or the specific AP LAN IP, which you should make sure is static if you're not doing the entire subnet range)?

 

You might want to review this:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

Also, you need to ensure your supplicant is set up correctly as well. It could just be a client issue with your settings, since you mentioned the AP does pass that built-in test.

Nolan Herring | nolanwifi.com
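
Added example (not code from this thread, Meraki or Microsoft): a PowerShell script for the server-side checks the reply above points at, run on the Windows Server 2016 NPS box itself. It confirms the AP's static address is registered as a RADIUS client, confirms NPS auditing is switched on (the usual cause of "nothing in Event Viewer"), and prints what the NPS audit events and the System log actually recorded. The AP address is an assumed placeholder.

```powershell
# Added example, not code from the thread: server-side checks for a Meraki AP -> Windows NPS
# WPA2-Enterprise setup. Run in an elevated PowerShell session on the NPS server itself.
# $ApIp is an assumed placeholder for the AP's static LAN address; replace it with yours.
param(
    [string]$ApIp = '192.168.10.50',   # assumed: the AP address registered as a RADIUS client
    [int]$Hours   = 2                  # how far back to read authentication events
)

Import-Module NPS   # installed with the Network Policy Server role

# 1. Is the AP (or the subnet it sits on) a registered RADIUS client? NPS drops requests from
#    unknown addresses before any authentication happens, so this alone can look like "nothing
#    in Event Viewer". Address may be a single IP, a CIDR subnet or a DNS name.
$clients = Get-NpsRadiusClient
$direct  = $clients | Where-Object { $_.Address -eq $ApIp }
if ($direct) {
    "RADIUS client '$($direct.Name)' matches $ApIp (Enabled: $($direct.Enabled))"
} else {
    Write-Warning "No RADIUS client entry has Address exactly $ApIp. If you registered a subnet, confirm it contains the AP:"
    $clients | Format-Table Name, Address, Enabled -AutoSize
}

# 2. Are NPS audit events enabled? Without the "Network Policy Server" audit subcategory,
#    6272/6273 are never written to the Security log.
auditpol /get /subcategory:"Network Policy Server"

# 3. Recent NPS audit events: 6272 = access granted, 6273 = access denied, 6274 = request discarded.
$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

function Get-EventField {
    # Return one <Data Name="..."> value from an event's XML payload.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

if ($events.Count -eq 0) {
    Write-Warning "No 6272/6273/6274 events in the last $Hours hour(s): the request never reached NPS authentication."
}
$events | ForEach-Object {
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Id         = $_.Id
        # host/<computer> when the machine authenticated, a user name (e.g. DOMAIN\user) for user authentication
        User       = Get-EventField -Event $_ -Name 'SubjectUserName'
        ClientIP   = Get-EventField -Event $_ -Name 'ClientIPAddress'
        Policy     = Get-EventField -Event $_ -Name 'NetworkPolicyName'
        AuthType   = Get-EventField -Event $_ -Name 'AuthenticationType'
        EapType    = Get-EventField -Event $_ -Name 'EAPType'
        ReasonCode = Get-EventField -Event $_ -Name 'ReasonCode'
        Reason     = Get-EventField -Event $_ -Name 'Reason'
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap

# 4. Requests rejected before authentication (unknown RADIUS client, bad shared secret) are
#    logged by the NPS provider in the System log, not in the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Reading the output: a 6273 whose Reason says no network policy matched points at the policy conditions (the Windows Groups condition, the NAS Port Type); a Reason about the certificate chain points at the CA; no Security events at all but NPS entries in the System log means the request arrived but was thrown away before authentication, which is where the RADIUS client IP and shared secret are checked.
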
ph0t0g

Thanks for the reply Nolan. Yes, I am using NPS, and used a specific IP (static).

 

I followed the document you linked to as closely as possible, and rechecked everything twice. Still no luck.

 

I configured the supplicant using Group Policy as specified in the document under "(Optional) Deploy a PEAP Wireless Profile using Group Policy", but I will check it again.

 

 

ph0t0g

OK, I set the RADIUS Wireless Policy to use Computer Authentication Mode instead of User Authentication. [Screenshot: AuthMode.JPG]

 

I then ran gpupdate on the client and tried to connect. It connected straight away, without asking for credentials (as I believe it should under this setting). However, I would prefer to use User Authentication so devices that are not in the domain can connect. Is there something else I need to change after I switch the policy to User Authentication?

 

 

NolanHerring (Accepted Solution)

So if you choose USER ONLY, does it not work?

 

You probably need to add your AD group on the NPS server when you specify user groups.

 

Also check the setting under Advanced in that screenshot. I think the default is that it uses the account you logged into the computer with. You may want to uncheck that so that it prompts you to input your username/password.


If you test with your phone does it work or not work?

 

I would recommend using User & Computer, as you may want the computer to be on the wireless, and that way someone can log in to the machine without having local creds cached. This will also allow mobile devices to connect with AD creds.

 

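
Added example (not code from this thread, Meraki or Microsoft): a PowerShell check of the 802.1X profile actually present on a Windows client, covering the three things the answer above turns on: the authentication mode (computer, user, or computer-or-user), the "use my Windows logon name and password" setting that suppresses the credential prompt, and whether the client validates the NPS server certificate. It also lists the last connection attempts from the client-side WLAN log. The SSID name is an assumed placeholder.

```powershell
# Added example, not code from the thread: inspect the 802.1X profile actually present on a
# Windows client, to see whether it authenticates as computer, user or either, whether it
# re-uses the Windows logon credentials, and whether it validates the NPS server certificate.
# $Ssid is an assumed placeholder for the WPA2-Enterprise SSID name. Run as the logged-on user.
param([string]$Ssid = 'Corp-RADIUS')   # assumed SSID name

$folder = Join-Path $env:TEMP 'wlan-profile-export'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
netsh wlan export profile name="$Ssid" folder="$folder" | Out-Null

# netsh names the file <Interface>-<Profile>.xml; match on the <name> inside rather than guessing.
$xmlFile = Get-ChildItem -Path $folder -Filter '*.xml' |
    Where-Object { ([xml](Get-Content -Path $_.FullName -Raw)).WLANProfile.name -eq $Ssid } |
    Select-Object -First 1
if (-not $xmlFile) { throw "No exported profile named '$Ssid'. Compare with 'netsh wlan show profiles'." }
$wlan = [xml](Get-Content -Path $xmlFile.FullName -Raw)

# PowerShell's XML dot-notation ignores the namespaces, which keeps the paths short.
$security = $wlan.WLANProfile.MSM.security
$onex     = $security.OneX
$peap     = $onex.EAPConfig.EapHostConfig      # outer method; EapMethod.Type 25 = PEAP
$peapCfg  = $peap.Config.Eap.EapType
$sv       = $peapCfg.ServerValidation
$inner    = $peapCfg.Eap                       # inner method; Type 26 = EAP-MSCHAPv2

# authMode: machine, user or machineOrUser. When the element is absent the default is machineOrUser.
$authMode = if ($onex.authMode) { $onex.authMode } else { 'machineOrUser (default)' }

[pscustomobject]@{
    SSID                    = $wlan.WLANProfile.name
    Authentication          = $security.authEncryption.authentication   # expect WPA2 (the Enterprise variant)
    Encryption              = $security.authEncryption.encryption       # expect AES
    AuthMode                = $authMode
    OuterEapType            = $peap.EapMethod.Type
    InnerEapType            = $inner.Type
    UseWinLogonCredentials  = $inner.EapType.UseWinLogonCredentials     # true = no username/password prompt
    PerformServerValidation = $peapCfg.PeapExtensions.PerformServerValidation
    PromptOnUnknownServer   = -not [System.Convert]::ToBoolean($sv.DisableUserPromptForServerValidation)
    TrustedRootCA           = ($sv.TrustedRootCA -join ', ')            # thumbprint(s) of the pinned root CA
    ServerNames             = $sv.ServerNames                           # expected NPS certificate subject
} | Format-List

# Caveat: with no TrustedRootCA and no ServerNames the supplicant accepts any certificate that
# chains to a root Windows already trusts, so a rogue AP can collect the MSCHAPv2 exchange.
if (-not $sv.TrustedRootCA -or -not $sv.ServerNames) {
    Write-Warning 'Pin both TrustedRootCA and ServerNames in the PEAP profile before rolling it out.'
}

# Client-side connection history: 8001 = connected, 8002 = connection failed (includes the failure reason).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WLAN-AutoConfig/Operational'; Id = 8001, 8002 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

With a Group Policy deployed profile the export shows what the client received after gpupdate, so AuthMode here should agree with the Authentication Mode chosen in the wireless policy; when it reads user and UseWinLogonCredentials is true, the client sends the logged-on account without ever showing a dialog, which matches the "no prompt" symptom described at the top of the thread.
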
ph0t0g

Yes. If I choose User only, it does not work. If I choose Computer or User, then it logs straight in (I assume with the computer account).

 

The AD group contains both the username and the computer as members. It is added to the NPS server as a condition.

 

[Screenshot: Conditions.JPG]

 

Here are the settings under advanced. There is an option for single sign on, but it is unchecked.

 

[Screenshot: Advanced.JPG]

 

I have not checked with my phone yet. I will do that and let you know the results.

 

I probably will set it to User and Computer eventually, but I want to make sure both ways work first.

 

I did not mention before, but the CA is also on the same server as the NPS so that should not be an issue. 

 

Thanks for your help so far.

 

ph0t0g

I tried connecting from another workstation in the domain and it seems to be working as designed. I was a little confused about the name of the wireless network that the GP creates, but I figured that out by experimenting a little bit. I also tried connecting with an Android phone and an iOS tablet, and both worked fine.

 

So, I think I am good for now. Thanks for replying to this thread (even though it's in the wrong forum).
