Hello all,
I hope you are able to assist me because I'm frustrated.
I have 2 Meraki MS-225 switches for LAN connection only. No VLANs; all ports are configured on VLAN 1.
My goal is to authenticate any computer in my organization by user domain group.
I already installed a RADIUS server and configured it. It's also located on the same network as my Meraki switch.
I tried all the authentication methods I have in NPS, but none of them work for me.
Test connectivity to the RADIUS server is working fine on all 4 Meraki switches.
Currently my conditions are NAS Port Type "Ethernet" or "Cable", along with the "Domain Users" user group.
Authentication method is Microsoft: Protected EAP (PEAP).
Not sure: if I select a domain user group, how does the RADIUS server authenticate it? By user credentials, or do I need to validate the users with a certificate as well?
The problem is, once I assign the Access Policy to any port it turns red and loses connection to the client computer.
Please help me, what is the exact configuration I need to set on the RADIUS/NPS server?
Thanks in advance.
Dror
Check the documentation.
Hi,
Thanks for your reply.
Yes, I tried all these docs from Meraki, but unfortunately they don't help me.
I'm pretty sure I need to set the right configuration on the NPS side, but so far nothing works for me.
Have you checked the NPS logs?
I could find logs only in Event Viewer, but nothing I could point to.
The thing is that I need to know which authentication method I should use for domain user authentication.
Is there other place to see NPS logs?
Check which Connection Request policy/Network policy is matching.
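One way to answer "which Connection Request Policy / Network Policy matched" without reading Event Viewer entries one by one, as an added example that is not from this thread or from Meraki or Microsoft. It reads the NPS audit events from the local Security log (6272 = access granted, 6273 = access denied) and projects the policy names and reason code into objects. The event XML field names used here (ProxyPolicyName for the Connection Request Policy, NetworkPolicyName, ReasonCode, Reason, and the rest) are assumed from the 6272/6273 event schema; the function name Get-NpsAuthResult is this example's own.

```powershell
# Added example, not from the thread. Run on the NPS server (or point
# -ComputerName at it) with rights to read the Security log.
# Assumes auditing of "Network Policy Server" events is enabled, which is
# the default, so 6272/6273 events are written to the Security log.
function Get-NpsAuthResult {
    param(
        [int]$MaxEvents = 50,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # 6272 = Network Policy Server granted access to a user
    # 6273 = Network Policy Server denied access to a user
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'
        Id      = 6272, 6273
    } -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Flatten the <EventData><Data Name="...">value</Data> pairs into a hashtable.
        # Field names below are assumed from the 6272/6273 event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time                    = $e.TimeCreated
            Result                  = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
            User                    = $data['SubjectUserName']
            NasIp                   = $data['NASIPv4Address']
            NasPortType             = $data['NASPortType']
            ConnectionRequestPolicy = $data['ProxyPolicyName']     # CRP that matched (or blank)
            NetworkPolicy           = $data['NetworkPolicyName']   # network policy that matched (or blank)
            AuthType                = $data['AuthenticationType']
            EapType                 = $data['EAPType']
            ReasonCode              = $data['ReasonCode']          # only present on 6273
            Reason                  = $data['Reason']              # only present on 6273
        }
    }
}

# Usage: summarise denied requests by reason. A blank ConnectionRequestPolicy or
# NetworkPolicy on the denied rows tells you the request never reached a policy,
# which is a different problem from an EAP/certificate failure inside PEAP.
Get-NpsAuthResult -MaxEvents 200 |
    Where-Object Result -eq 'Denied' |
    Group-Object ReasonCode |
    Sort-Object Count -Descending |
    Select-Object Count, @{n='ReasonCode'; e={ $_.Name }}, @{n='Reason'; e={ $_.Group[0].Reason }}
```

Reading the output: compare the ConnectionRequestPolicy and NetworkPolicy columns against the policy names you configured; the Reason text on the 6273 rows states whether the request fell through every policy or was denied by a matched one. Filtering on NasIp lets you isolate the requests coming from one particular switch.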
You need to send the radius attribute Tunnel-Pvt-Group-ID with the VLan ID when the user authenticates.
You mean like this?
The port got disabled again after this change.
Did you edit the PEAP EAP type to set the inner Authentication method? That is not the MSCHAPv2 that is shown below that box. It has to be configured inside the PEAP config.
I've removed the inside MSCHAPv2. Port still disabled.😕
Check which Connection Request policy/Network policy is matching on logs.
WHAT did you remove? You have to make sure to have the right inner method.
And what are they ?
These are my current authentication methods:
Likely the "Secure Password". Did you add it?
It was there before. It didn't help; the port still gets disabled.
If you're sure it has to be there, I will add it back.
Do I need to use any certificate in order to authenticate the users ?
The certificate shown in NPS must be trusted on the end devices.
You really should get a consultant to help you. 802.1X is one of the most complex topics and is especially hard with NPS.
Guys the problem is that it's not matching with any connection policy.
It's very common. Create a new connection request policy with the same configuration that you created in the network policy.
I don't have User Groups under the connection request policy like I have in the network policy.
I don't remember exactly what the config should look like, but this might help.
I tried many consultants before I posted here. 😉
Where can I see the certificate in NPS? I couldn't find it.
Thanks
Really? Don't have a certificate installed? You need an MS Windows server expert.
OK, but none of the logs I get say anything about a certificate.
This is the basics of 802.1x.
If the connection request policies are messed up, it doesn't even get to the point where the certificates are relevant. Looking at the screenshot above, it seems that you assigned the root cert to the NPS. Let's say this is at least "unconventional".
Any change to the NPS configuration brings different logs. I don't know what the right configuration is that I need to set.
These are the latest logs I've received:
You need to create a connection request policy.
Sure, but I already have one configured.
Is there any configuration needed on the endpoint? NIC configuration?
🤔https://www.virtualizationhowto.com/2018/12/configure-windows-10-for-802-1x-user-authentication/