Meraki AP & Radius Integration

SLR
Building a reputation

I have set up RADIUS authentication with WPA2-Enterprise. My AP management IP for MR55-1-Downstairs-AP is configured. The user VLAN ID for this, which is set up in the attribute, is 129 - a user who connects to this AP should get an IP that is not the management IP of the AP but a VLAN ID 129 IP.

When I test the RADIUS server from the RADIUS servers part of the dashboard, my test is successful. However, when I connect to the wireless SSID, I am connected but it says no internet and I get a 169.254.xxx.xxx IP address.

What am I doing wrong?

Completed testing to "IP address of Radius server" for corporate\username"

Total APs: 1
APs passed: 1
APs failed: 0
APs unreachable: 0


All access points successfully contacted the RADIUS server.

RADIUS attributes used:
Tunnel-Type:VLAN
Tunnel-Medium-Type:IEEE-802
Tunnel-Private-Group-Id:129

RADIUS attributes unused:
Framed-Protocol:PPP
Service-Type:Framed-User
MS-CHAP-Domain:CORPORATE

What is missing?

I used this link to configure: https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

The end goal is to implement 17 MR55 devices into my environment. 1st floor devices will use VLAN user ID xxx and 2nd floor devices will use VLAN user ID xxx. They are different VLAN IDs for each floor.

ww
Kind of a big deal

The auth is successful?

Try a capture on the AP and client to see if the client is sending a BOOTP discover. Also check the switch trunk port to verify what VLAN the DHCP request is sent on.

SLR
Building a reputation

1) Pcap on the wired interface of the AP shows that the RADIUS server sends an Access-Accept, after which the client sends DHCP Discovers, but we are not receiving any DHCP offers from the upstream.

—————————————————————————
What are the next steps 
—————————————————————————
Check upstream.

On my 4510:
ip dhcp pool RESERVATION-(name of AP)
host (IP OF AP)
client-identifier (MAC OF AP)
client-name RESERVATION-(name of AP)

On my 3560, the config for the port that my AP is directly plugged into (from wall to PP to 3560 port):

interface GigabitEthernet
description (name of AP)
switchport trunk encapsulation dot1q
switchport trunk native vlan (AP management IP)
switchport trunk allowed vlan (AP management IP VLAN and AP User IP VLAN)
switchport mode trunk

ww
Kind of a big deal

Check if the DHCP server is receiving the discover. If not, your VLAN is not L2 from the AP to the DHCP server or your forwarder is failing.
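
The check suggested in the replies above (does the trunk port actually carry the VLAN that RADIUS assigned?), as an added example that is not part of the original thread: it reads the dashboard's "RADIUS attributes used" lines and a Cisco IOS interface block and reports why DHCP Discovers on the client VLAN would not pass the port. The sample port config, its VLAN IDs and all function names are constructed for illustration.

```python
import re

# Constructed sample: "RADIUS attributes used" in the format of the dashboard
# test output, and a trunk port shaped like the one posted (VLAN IDs made up).
SAMPLE_ATTRS = "Tunnel-Type:VLAN\nTunnel-Medium-Type:IEEE-802\nTunnel-Private-Group-Id:129"
SAMPLE_PORT = """\
interface GigabitEthernet1/0/10
 switchport trunk native vlan 128
 switchport trunk allowed vlan 100-110,128
 switchport mode trunk
"""

def radius_vlan(attr_text):
    """Return the VLAN a dynamic-VLAN Access-Accept assigns, or None if incomplete."""
    attrs = dict(l.strip().split(":", 1) for l in attr_text.splitlines() if ":" in l)
    if attrs.get("Tunnel-Type") != "VLAN" or attrs.get("Tunnel-Medium-Type") != "IEEE-802":
        return None
    group = attrs.get("Tunnel-Private-Group-Id", "")
    return int(group) if group.isdigit() else None

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '100-110,128' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_state(config):
    """Return (is_trunk, allowed_vlans); handles the list and 'add' forms only."""
    is_trunk, allowed = False, set(range(1, 4095))  # no allowed line = all VLANs
    for line in map(str.strip, config.splitlines()):
        if line == "switchport mode trunk":
            is_trunk = True
        elif m := re.fullmatch(r"switchport trunk allowed vlan (add )?([\d,\- ]+)", line):
            new = expand_vlans(m.group(2))
            allowed = (allowed | new) if m.group(1) else new
    return is_trunk, allowed

def check_client_vlan(attr_text, port_config):
    """List reasons DHCP Discovers on the RADIUS-assigned VLAN would not pass this port."""
    vlan = radius_vlan(attr_text)
    if vlan is None:
        return ["Access-Accept does not carry a complete VLAN assignment"]
    is_trunk, allowed = trunk_state(port_config)
    problems = [] if is_trunk else ["port is not in trunk mode"]
    if vlan not in allowed:
        problems.append(f"VLAN {vlan} is not in the trunk allowed list")
    return problems
```

An empty list from `check_client_vlan(SAMPLE_ATTRS, SAMPLE_PORT)` only clears the access port; the VLAN still has to exist on every switch up to the DHCP server or relay.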

jdsilva
Kind of a big deal

You should also be able to check the client auth status too. It's shown on the client details page, which you can reach by finding the client in Network-wide > Clients and clicking on them. That should at least tell you if the client is authenticated, and if they have the correct VLAN assigned.

SLR
Building a reputation

Our DHCP is coming directly from our Cisco 4510. Everything is configured correctly - I am trying to see if it is possible with Meraki and RADIUS to configure two VLANs: the management VLAN ID of the AP and the VLAN ID of clients connecting to IP.

For example, let's say my AP IP is VLAN 130 10.40.130.100 and my clients connecting to it will get VLAN ID 131 10.40.131.12.

I want to be able to accomplish this on my RADIUS - Meraki using RADIUS authentication.

My client is authenticating to the RADIUS; I am just not getting an IP. It connects and says no internet; my IP address is a 169 instead of a 10.40.131.12 IP (these are examples and not actual IP addresses). It states it is VLAN 131. I am seeing this information via the Clients tab of my dashboard.

PhilipDAth
Kind of a big deal

Is the SSID in bridge mode?

Are there any Meraki L3 firewall rules configured?

SLR
Building a reputation

Yes, the SSID is in bridge mode. No - there aren't any Meraki L3 Firewall rules configured.

SLR
Building a reputation

Did anyone have to create policies in the Meraki Dashboard? We are not doing policy based...
