802.1x over Ethernet EAP-TLS

zdawg
New here

802.1x over Ethernet EAP-TLS

I have been dealing with getting this working for some time now. I am not entirely sure what you will all need from me, and I can give whatever you need to assist. 


We are using Cisco MS switches and want to implement 802.1x EAP-TLS over Ethernet and have our NPS authenticate the user and place that user on the VLAN they belong in, which is handled by User Group within NPS Conditions. The server has RequireMsgAuth and LimitProxyState set to disabled (KB5043417: RADIUS authentication to NPS might fail with the July 2024 security update and later upda...).


While running a packet capture on an endpoint device utilizing a port with the Meraki Access Policy for 802.1x and the NPS, I do see it trying to authenticate; however, it stops at "Access-Request" in the NPS Wireshark log. NPS Event Viewer does not show anything. Checking CAPI2 logs (certificate logs) on the end device in Event Viewer, I see no certificate issues.


I verified that all certs are applied, auth method is set to Smart Card... on both NPS side and 802.3 group policy side yet still cannot authenticate. The NPS is also our domain controller and yes, all computers can do what they need on the DC without issue. 


I am sure there is MUCH more info I could give, so please feel free to ask. 


Thank you! 

3 Replies
MartinLL
Building a reputation

Without more info it's hard to say.

But, since your NPS receives the access-request but does not return the access-challenge, something might be wrong with the RADIUS clients on your NPS. Verify that the client config contains the switch's management IP and verify the shared secret.


It could also be certificates missing from trusted root and the personal store on the server, but it sounds like you already checked that.


Read this article and see if you missed something. It might give you some pointers as to what's missing. It's for access points and uses PEAP, but much of it still applies to EAP-TLS.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_... 

GIdenJoe
Kind of a big deal

When you do a packet capture on port 1812 you should see access-request packets being sent from the switch and access-challenge back from the NPS server.

So first make sure the messages reach the NPS server and see if the server responds.
If the server does not respond then you will need to look purely at the server (are the switches present in the radius clients configuration?).

If you are seeing access-reject messages from the NPS server then you are probably not matching an access rule.

There are many more issues but at least start with the basics.

KarstenI
Kind of a big deal

If you only see the initial Access-Request of the 802.1X communication, it is still far away from anything certificate related.

If there is no answer at all, the most likely cause is a mismatch in the shared secret. First triple-check that.
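The two replies above both come down to the same check: the switch's Access-Request on UDP 1812 carries a Message-Authenticator computed with HMAC-MD5 over the shared secret (RFC 2869), and the Access-Challenge the server sends back carries a Response Authenticator computed over the same secret (RFC 2865), so a secret that differs between the Meraki switch and the NPS RADIUS client entry makes the server discard the request silently, which is exactly the "Access-Request and nothing after it" symptom in the capture. The following added example is not from the thread or from Cisco/Microsoft; it builds a constructed Access-Request the way a switch would, verifies it against a configured secret the way NPS does, and builds the matching Access-Challenge. Every value in it (secret, NAS address, identity, request authenticator) is constructed; a practitioner would feed `diagnose()` the raw UDP payload of a captured Access-Request instead.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2869). All sample values below are constructed.
ACCESS_REQUEST = 1
ACCESS_CHALLENGE = 11
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(atype, value):
    """Encode one attribute as Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def eap_response_identity(eap_id, identity):
    """Constructed EAP-Response/Identity (EAP code 2, type 1): the supplicant's first EAP message."""
    return struct.pack("!BBH", 2, eap_id, 5 + len(identity)) + b"\x01" + identity


def build_access_request(secret, identifier, request_auth, username, nas_ip, eap):
    """Access-Request as a switch sends it; Message-Authenticator = HMAC-MD5(secret, packet with MA zeroed)."""
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(ATTR_EAP_MESSAGE, eap)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed placeholder is the last attribute, so its value is the final 16 bytes


def find_message_authenticator(packet):
    """Offset of the Message-Authenticator value inside the packet, or None if absent or malformed."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            return None
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            return pos + 2
        pos += alen
    return None


def message_authenticator_valid(packet, secret):
    """True if the Message-Authenticator verifies under `secret`; NPS with RequireMsgAuth drops it otherwise."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    off = find_message_authenticator(packet)
    if off is None:
        return False
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[off:off + 16], expected)


def build_access_challenge(secret, request, eap):
    """Access-Challenge answering `request`: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    identifier, request_auth = request[1], request[4:20]
    attrs = attr(ATTR_EAP_MESSAGE, eap) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_CHALLENGE, identifier, 20 + len(attrs))
    # A reply's Message-Authenticator is computed with the request's authenticator in the header slot (RFC 2869 5.14).
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def response_authenticator_valid(response, request, secret):
    """True if `response` is a genuine reply to `request` under `secret` (the check the switch performs)."""
    recomputed = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], recomputed)


def diagnose(request, configured_secret):
    """Explain why a server configured with `configured_secret` would stay silent on a captured Access-Request."""
    if find_message_authenticator(request) is None:
        return "no Message-Authenticator: discarded when RequireMsgAuth is enabled"
    if not message_authenticator_valid(request, configured_secret):
        return "Message-Authenticator mismatch: shared secret differs between switch and RADIUS client entry"
    return "request verifies under the configured secret; look at the policy/certificate stage next"


if __name__ == "__main__":
    # Constructed sample: switch 192.0.2.10 forwarding the supplicant's EAP identity for host/lab-pc.
    switch_secret = b"example-shared-secret"
    req_auth = bytes(range(16))  # a real NAS uses 16 random bytes; fixed here for reproducibility
    eap = eap_response_identity(1, b"host/lab-pc.example.test")
    request = build_access_request(switch_secret, 7, req_auth, b"host/lab-pc.example.test", "192.0.2.10", eap)
    print(diagnose(request, switch_secret))                 # verifies
    print(diagnose(request, b"example-shared-secrte"))      # a typo in the NPS client entry: silent discard
    # EAP-Request/EAP-TLS Start (code 1, type 13, flags 0x20) is what a healthy server answers with.
    challenge = build_access_challenge(switch_secret, request, struct.pack("!BBH", 1, 2, 6) + b"\x0d\x20")
    print(response_authenticator_valid(challenge, request, switch_secret))
```

When the capture shows Access-Request with no reply, extract the UDP payload of one request from Wireshark and run `diagnose()` against the secret from the NPS RADIUS client entry: a mismatch verdict points at the secret or at a client entry keyed to the wrong switch address, while a clean verdict means the secret is fine and the silence has to be explained by the client list, the NPS service itself, or policy evaluation further on.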
