Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

802.1x Wired connection with RADIUS server authentication

Dror
Just browsing
‎Aug 2 2023 4:55 AM
‎Aug 2 2023 4:55 AM

802.1x Wired connection with RADIUS server authentication

Hello all,

 

I hope you be able to assist me because I'm frustrated.

 

I have 2 Meraki Switches MS-225 for Lan connection only. No vlans. all ports are configured on Vlan 1.

my goal is to authenticate any computer in my organization by user domain group.

I already installed RADIUS server and configured it. its located also on the same network on my Meraki switch.

I tried all the authenticated methods I have in the NPS but non of them works for me.

Test connectivity to the RADIUS server is working fine to all 4 Meraki switches.

 

Currently my conditions are NAS Port Type Ethernet or cable along with Domain users User Groups. 

Authentication method is Microsoft: Protected EAP (PEAP).

Not sure if i select domain user group , how is the RADIUS server authenticate it ? by user creds or do I need to validates the users with certificate as well?

The problem is , once i assign the Access Policy to any port its getting red and lost connection to the client computer.

 

Please help me, what is the exact configuration I need to set on the RADIUS/NPS server ??

 

Thanks in advanced.

 

Dror

 

Meraki1.jpgMeraki2.jpgMeraki3.jpgMeraki4.jpgMeraki5.jpgMeraki6.jpgMeraki7.jpg

 

 

0 Kudos
Subscribe
28 Replies 28
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 5:00 AM
‎Aug 2 2023 5:00 AM

Check the documentation.

 

https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Access_Policies_on_MS_Switches...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
Dror
Just browsing
‎Aug 2 2023 5:06 AM
‎Aug 2 2023 5:06 AM

Hi,

 

Thanks for you reply.

Yes, I tried all these docs from Meraki but unfortunatly its not helps me.

I preaty sure I need to set the right configurations on the NPS side but so far nothing works for me.

0 Kudos
Subscribe
In response to Dror
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 5:09 AM
‎Aug 2 2023 5:09 AM

Have you checked the NPS logs?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
Dror
Just browsing
‎Aug 2 2023 5:16 AM
‎Aug 2 2023 5:16 AM

I could find logs only in Event viewer but not something i could point on.

The thing is that I need to know which uthenticated method should i use for domain user authentication.

Is there other place to see NPS logs?

0 Kudos
Subscribe
In response to Dror
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 5:43 AM
‎Aug 2 2023 5:43 AM

Check which Connection Request policy/Network policy is matching.

 

alemabrahao_0-1690980038644.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
Cisco_CCIE
Just browsing
‎Aug 2 2023 5:16 AM
‎Aug 2 2023 5:16 AM

You need to send the radius attribute Tunnel-Pvt-Group-ID with the VLan ID when the user authenticates.

0 Kudos
Subscribe
In response to Cisco_CCIE
Dror
Just browsing
‎Aug 2 2023 5:28 AM
‎Aug 2 2023 5:28 AM

You mean like this ?

 

the port has disabled again after this change. Meraki8.jpgMeraki9.jpg

0 Kudos
Subscribe
KarstenI
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 6:55 AM
‎Aug 2 2023 6:55 AM

Did you edit the PEAP EAP type to set the inner Authentication method? That is not the MSCHAPv2 that is shown below that box. It has to be configured inside the PEAP config.

Subscribe
In response to KarstenI
Dror
Just browsing
‎Aug 2 2023 7:29 AM
‎Aug 2 2023 7:29 AM

I've removed the inside MSCHAPv2. Port still disabled.😕

 

0 Kudos
Subscribe
In response to Dror
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 8:05 AM
‎Aug 2 2023 8:05 AM

Check which Connection Request policy/Network policy is matching on logs.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to Dror
KarstenI
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 8:11 AM
‎Aug 2 2023 8:11 AM

WHAT did you remove? You have to make sure to have the right inner method.

0 Kudos
Subscribe
In response to KarstenI
Dror
Just browsing
‎Aug 2 2023 8:15 AM
‎Aug 2 2023 8:15 AM

And what are they ?

 

these my current Authentication methods:

Meraki10.jpg

0 Kudos
Subscribe
In response to Dror
KarstenI
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 8:20 AM
‎Aug 2 2023 8:20 AM

Likely the "Secure Password". Did you add it?

0 Kudos
Subscribe
In response to KarstenI
Dror
Just browsing
‎Aug 2 2023 8:22 AM
‎Aug 2 2023 8:22 AM

it was there before. it didnt help. port still get disable

if you sure it has to be there i will add it back.

 

Do I need to use any certificate in order to authenticate the users ?

0 Kudos
Subscribe
In response to Dror
KarstenI
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 8:40 AM
‎Aug 2 2023 8:40 AM

The certificate shown in NPS must be trusted on the end devices.

You really should get a consultant to help you. 802.1X is one of the most complex topics and is especially hard with NPS.

0 Kudos
Subscribe
In response to KarstenI
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 8:43 AM
‎Aug 2 2023 8:43 AM

Guys the problem is that it's not matching with any connection policy.

 It's very common, create a new connection policy with the the same configuration that you create in the network policy.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
Dror
Just browsing
‎Aug 2 2023 8:46 AM
‎Aug 2 2023 8:46 AM

I dont have User Group under connection request policy like I have in Network Policy

0 Kudos
Subscribe
In response to Dror
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 8:55 AM
‎Aug 2 2023 8:55 AM

I don't remember exactly what the config should look like, but this might help.

 

alemabrahao_0-1690991741043.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to KarstenI
Dror
Just browsing
‎Aug 2 2023 8:52 AM
‎Aug 2 2023 8:52 AM

I tried many consultants before i posted here. 😉

Where can i see the certificate in the NPS ? Couldnt find it.

 

Thanks

0 Kudos
Subscribe
In response to Dror
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 8:59 AM
‎Aug 2 2023 8:59 AM

Really? Don't have a certificate installed? You need an MS Windows server expert.

 

https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/ins...

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
Dror
Just browsing
‎Aug 2 2023 9:02 AM
‎Aug 2 2023 9:02 AM

OK but non of the logs i get says something about certificate..

0 Kudos
Subscribe
In response to Dror
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 9:06 AM
‎Aug 2 2023 9:06 AM

This is the basics of 802.1x.

 

 

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/h...)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to Dror
KarstenI
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 9:06 AM
‎Aug 2 2023 9:06 AM

If the connection request policies are messed up, it doesn't even get to the point where the certificates are relevant. When looking at the screenshot above, it seems that you assigned the root cert to the NPS. Let's say this is as least "unconventional".

0 Kudos
Subscribe
Dror
Just browsing
‎Aug 2 2023 8:12 AM
‎Aug 2 2023 8:12 AM

Any change on NPS configuration bring a different logs. I dont know what are the right configuration i need to set.

 

this is the latest logs I've received:

 

 

Network Policy Server denied access to a user.
 
Contact the Network Policy Server administrator for more information.
 
User:
Security ID: NULL SID
Account Name: host/TACCPC333.claimscon.org
Account Domain: -
Fully Qualified Account Name: -
 
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 08-F1-B3-34-3F-94:
Calling Station Identifier: 70-B5-E8-3A-31-E7
 
NAS:
NAS IPv4 Address: 192.168.250.51
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 5
 
RADIUS Client:
Client Friendly Name: TA Switch LAN 1
Client IP Address: 192.168.250.51
 
Authentication Details:
Connection Request Policy Name: -
Network Policy Name: -
Authentication Provider: -
Authentication Server: TACCDC19.claimscon.org
Authentication Type: -
EAP Type: -
Account Session Identifier: 31394546453945463246324638364531
Logging Results: Accounting information was written to the local log file.
Reason Code: 49
Reason: The RADIUS request did not match any configured connection request policy (CRP).

 

0 Kudos
Subscribe
In response to Dror
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 8:40 AM
‎Aug 2 2023 8:40 AM

You need to create a connection request policy.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
Dror
Just browsing
‎Aug 2 2023 8:44 AM
‎Aug 2 2023 8:44 AM

sure but i already have one configured.

Meraki11.jpgMeraki12.jpg

 

0 Kudos
Subscribe
Dror
Just browsing
‎Aug 2 2023 9:09 AM
‎Aug 2 2023 9:09 AM

s there any configuration needed to do on the endpoint ? NIC configurations?

0 Kudos
Subscribe
In response to Dror
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 2 2023 9:11 AM
‎Aug 2 2023 9:11 AM

🤔https://www.virtualizationhowto.com/2018/12/configure-windows-10-for-802-1x-user-authentication/  

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.