Having some problems getting RADIUS to work on my Meraki AP where the RADIUS server is running on a Windows NPS VM in Azure. The VM is sitting behind an Azure firewall.
Is this setup supported? I suspect there is some fragmentation of UDP packets happening that Azure doesn't support.
I can see in the NPS logs that the firewall is forwarding packets etc., but logging stops and then the RADIUS flow times out. I have literally tried everything but can't get to the bottom of this problem.
It's over the internet to an Azure public IP (firewall WAN interface). I'm using a DNAT rule on the Azure firewall to the NPS box. The firewall and NPS VNets are peered and all the routing is definitely working.
I can't use a VPN as there are already VPNs into Azure from the sites where the Merakis are. The VPNs pass over an Azure Load Balancer, which historically has been the reason why it hasn't worked before; potentially the same problem with the UDP fragmentation.
Are you connecting over the internet or using a VPN?
Yes, I've checked the IAS logs and Event Logs and there are no more errors. I can force an error if I turn off the Connection Request Policy, and a log entry in the Event Log gets created saying there is no matching connection policy. If I re-enable it, RADIUS times out when it should be authenticating using the Network Policy... I'm a bit lost currently on the next step forward.
Yes, 802.1X, machine certificates. Because I have a DNAT rule on the firewall, the RADIUS client is configured to the inside IP range of the firewall. I can see info in the Event Logs on the RADIUS server that shows inbound connections from IPs in the internal firewall IP range. Mmm, interesting. Is there something in the RADIUS protocol that needs the actual public IP address to work (as this is the address configured in Meraki)?
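The fragmentation suspicion above is testable without an AP: EAP-TLS with machine certificates carries certificate chains inside EAP-Message attributes, so RADIUS datagrams can exceed a 1500-byte path MTU and get IP-fragmented, while short requests pass untouched. The script below is an added example (not from this thread or from Meraki/Microsoft); it builds Access-Requests padded with Proxy-State attributes (which RFC 2865 requires the server to echo, so the reply grows too) to chosen sizes and reports which sizes get any reply back through the DNAT. The host and shared secret are placeholders, and NPS matches clients on the source address it actually sees (the firewall's inside address after DNAT), so the probing machine must be registered as a RADIUS client exactly as the APs are.

```python
# Added example: find which RADIUS/UDP datagram sizes get a reply across a path
# such as a DNAT'd Azure Firewall. Host and secret below are placeholders.
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, RADIUS_MAX = 1, 4096      # RFC 2865 code and maximum packet length
PROXY_STATE, MSG_AUTH = 33, 80            # Proxy-State is echoed by the server; 80 = Message-Authenticator

def _attr(atype, data):
    assert len(data) <= 253, "attribute payload is at most 253 bytes"
    return struct.pack("!BB", atype, len(data) + 2) + data

def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(secret, total_len, ident=1, authenticator=b""):
    """Access-Request padded with Proxy-State to exactly total_len bytes, carrying a
    Message-Authenticator so hardened servers do not silently drop it."""
    auth = authenticator or os.urandom(16)
    body = _attr(1, b"mtu-probe") + _attr(2, encrypt_password(b"probe", secret, auth))
    pad = total_len - 20 - len(body) - 18                 # 18 = Message-Authenticator attribute
    if pad < 0 or 0 < pad < 3 or total_len > RADIUS_MAX:  # every Proxy-State needs >= 3 bytes
        raise ValueError(f"cannot build a {total_len}-byte packet")
    while pad > 0:
        n = min(pad, 255)
        n = pad - 3 if 0 < pad - n < 3 else n             # never leave a 1- or 2-byte remainder
        body += _attr(PROXY_STATE, b"P" * (n - 2))
        pad -= n
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, total_len) + auth
    mac = hmac.new(secret, header + body + _attr(MSG_AUTH, bytes(16)), hashlib.md5).digest()
    return header + body + _attr(MSG_AUTH, mac)

def probe(host, secret, sizes, port=1812, timeout=3.0):
    """One padded request per size. Any reply (even Access-Reject) proves the path;
    silence only at the larger sizes points at dropped or unreassembled fragments."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for i, size in enumerate(sizes):
            sock.sendto(build_access_request(secret, size, ident=i % 256), (host, port))
            try:
                data, _ = sock.recvfrom(RADIUS_MAX)
                results[size] = f"reply code {data[0]}, {len(data)} bytes"
            except socket.timeout:
                results[size] = "no reply"
    return results
```

Run it as `probe("203.0.113.10", b"CHANGE-ME", [500, 1400, 1500, 2000, 3000])` from a host on the same side of the path as the APs; a clean cut-off just above 1472 bytes of UDP payload is the fragmentation signature.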
This solution relies on Microsoft Azure’s SLA (99.99%) due to the caveats above. In addition, the solution requires a secure connection so that the MR can reach Azure AD DS by its private IP addresses. Although Azure AD DS allows LDAPS over the internet, it only allows port 636 and not 389.