Trouble connecting to RADIUS server for Access Policy for the switch

Announcer
Getting noticed

I have client VPN set up with RADIUS enabled and working, so I know the RADIUS portion is working. I am trying to set up an Access Policy to enable 802.1X on a switch port. When I enter the info of the RADIUS server it fails the test. What do I need to configure on the RADIUS server side to make this work?

ww
Kind of a big deal

Did you add the switch management IP/subnet to the RADIUS server? Or does your RADIUS server accept RADIUS requests from any IP?

Announcer
Getting noticed

Ok, let me try that. I currently have the gateway (MX100) IP being accepted.

alemabrahao
Kind of a big deal

What RADIUS server are you using?

Check the documentation.

https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Access_Policies_on_MS_Switches...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Documentation really helped. If I want to test this on just one switch (I have 3), and on just one port, will all connected clients be affected when I make this change on the NPS? Or does it only get applied when it is applied via Meraki?

JamesC_AB
Here to help

Assuming you're using a Microsoft Windows NPS (RADIUS) server, here's some more up to date Microsoft documentation for adding the IP address of the Meraki switch(es) to the server:
https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-radius-clients-conf...

Without first adding those IPs to the RADIUS server, RADIUS requests may just be ignored.

Further, you can confirm the IP address that the switches are using to communicate with the RADIUS server by taking a packet capture (filtered for UDP port 1812 on whichever port is connecting to the RADIUS server) while attempting to authenticate a network client. Then look at the "NAS-IP-Address" attribute field for each switch:

It'll likely just be the management IP address, but if you're using Layer 3 routing on the switches, it might be a good idea to confirm.
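The two checks suggested in this thread, registering the switch's source address as a RADIUS client on the server and reading the NAS-IP-Address attribute out of a port-1812 capture, can be combined in a small parser. The following Python is an added example, not code from any poster or from Meraki or Microsoft. It parses the RADIUS header and attribute list as laid out in RFC 2865, reports the NAS-IP-Address, NAS-Identifier and NAS-Port the switch put in its Access-Request, and compares the NAS-IP-Address against a list of RADIUS client networks. The packet bytes, the switch name `ms-switch-01`, the addresses in `192.0.2.0/24` and the client-network list are constructed for the example; on a real capture you would feed it the UDP payload of each packet to port 1812.

```python
import ipaddress
import struct

# RADIUS attribute type codes from RFC 2865 (only the ones this example reports).
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_NAS_IDENTIFIER = 32
ATTR_NAS_PORT_TYPE = 61

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}


def parse_radius(packet: bytes) -> dict:
    """Parse the 20-byte RADIUS header and the attribute list that follows it."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError(f"Length field {length} inconsistent with {len(packet)} bytes")
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:  # RFC 2865: Length covers type+length+value
            raise ValueError(f"attribute {a_type} has invalid length {a_len}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": RADIUS_CODES.get(code, f"code-{code}"), "identifier": identifier,
            "authenticator": packet[4:20], "attributes": attrs}


def nas_identity(packet: bytes) -> dict:
    """Pull out the fields that identify which switch (NAS) sent the request."""
    parsed = parse_radius(packet)
    out = {"code": parsed["code"], "nas_ip": None, "nas_identifier": None,
           "user_name": None, "nas_port": None}
    for a_type, value in parsed["attributes"]:
        if a_type == ATTR_NAS_IP_ADDRESS and len(value) == 4:
            out["nas_ip"] = str(ipaddress.IPv4Address(value))
        elif a_type == ATTR_NAS_IDENTIFIER:
            out["nas_identifier"] = value.decode("utf-8", "replace")
        elif a_type == ATTR_USER_NAME:
            out["user_name"] = value.decode("utf-8", "replace")
        elif a_type == ATTR_NAS_PORT and len(value) == 4:
            out["nas_port"] = struct.unpack("!I", value)[0]
    return out


def is_registered_client(nas_ip: str, client_networks) -> bool:
    """True if nas_ip falls inside one of the RADIUS client entries on the server.

    The server itself matches on the UDP source address of the datagram; the
    NAS-IP-Address attribute is the switch's own statement of that address, and
    in a capture the two normally agree. Requests from an unregistered source
    are silently dropped, which is what the failed test in this thread looks like.
    """
    ip = ipaddress.IPv4Address(nas_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in client_networks)


def build_access_request(identifier, nas_ip, nas_id, user_name, nas_port) -> bytes:
    """Construct a sample Access-Request for the example (not a real capture)."""
    def avp(a_type, value):
        return bytes([a_type, len(value) + 2]) + value
    attrs = (avp(ATTR_USER_NAME, user_name.encode())
             + avp(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + avp(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + avp(ATTR_NAS_IDENTIFIER, nas_id.encode())
             + avp(ATTR_NAS_PORT_TYPE, struct.pack("!I", 15)))  # 15 = Ethernet
    authenticator = bytes(16)  # fixed for the sample; a real request uses 16 random bytes
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


# Constructed sample: a switch at 192.0.2.10 authenticating a host on port 3.
SAMPLE_REQUEST = build_access_request(7, "192.0.2.10", "ms-switch-01", "host/lab-pc", 3)
# Constructed server-side client list: only the MX gateway is registered, as in the thread.
CLIENT_NETWORKS_GATEWAY_ONLY = ["192.0.2.1/32"]
CLIENT_NETWORKS_WITH_SWITCHES = ["192.0.2.1/32", "192.0.2.0/24"]

if __name__ == "__main__":
    info = nas_identity(SAMPLE_REQUEST)
    print(info)
    for networks in (CLIENT_NETWORKS_GATEWAY_ONLY, CLIENT_NETWORKS_WITH_SWITCHES):
        print(networks, "->", is_registered_client(info["nas_ip"], networks))
```

With only the gateway registered the switch's NAS-IP-Address is rejected; adding the switch management subnet to the client list makes the same request pass, which is the fix the thread converges on.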

PhilipDAth
Kind of a big deal

Take a look at the RADIUS server log and see what reason it gave for denying the connection request.
