C9300L and 802.1x Windows Network Policy Server

Solved
Bovie2K
Getting noticed

Hello, I've got some new C9300L's but am having a hard time with 802.1x Windows Network Policy Server. It works great with our MS series switches but I cannot get it working with the C9300's.

First, I figured out it's not using Ethernet as a NAS port type; it's using Async (Modem). Second, it won't accept PEAP and MS-CHAPv2. It will only accept PAP, SNAP, which is no encryption. That will get the NPS logs to show an accept on the request, but Meraki still shows a deny when testing radius.

Does anyone have the new C9300's 802.1x working with NPS? Note I am experiencing the same issue with both MS firmware and the new IOS XE public beta.

Bovie2K
Getting noticed

More information. Working with Meraki support, the IOS XE firmware doesn't even seem to be sending a radius request. Super odd. Same question: anyone running C9300's with NPS?

Inderdeep
Kind of a big deal
alemabrahao
Kind of a big deal

Maybe it will help you.

 https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)#RADIUS_Caching...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

I hope they fix up the NAS port type. That is going to break a lot of things. I would call this a bug.

I assume you are using an up-to-date firmware?

Bovie2K
Getting noticed

Yes, running latest IOS XE firmware now and it's not even sending a radius request anymore. They escalated my case. Will keep updated here.

Mtravaglia
Conversationalist

Hi Bovie2K,

Did you get this sorted at the end? I am facing the same issue.

Bovie2K
Getting noticed

Nope, but I'm working with a good tech in support. He has it narrowed down to one of the daemons marking the radius server dead when it's not, and the switch never sends the radius request to the radius server. So he is working with engineering, thinking it's a bug. 20/20 hindsight: I shouldn't have done IOS XE, should have stayed CS, but I had issues with CS NAS PORT Type so I tried the upgrade. Will report back when I know more.

Bovie2K
Getting noticed

Support resolved the issue for me. When diagnosing the issue with the CS firmware we added a second access policy for testing. Turns out there is a bug with the IOS XE firmware where if you have 2 access policies, only one of them works. We removed the second policy and it works. This still doesn't answer why I had issues with the CS firmware, but with the IOS XE firmware I'm fixed.
