Meraki AP using RADIUS Server in Azure

Comes here often

Meraki AP using RADIUS Server in Azure

Having some problems getting RADIUS to work on my Meraki AP where the RADIUS server is running on a Windows NPS VM in Azure.  The VM is sitting behind an Azure firewall.


Is this set up supported as I suspect there is some Fragmentation of UDP packets happening that Azure doesn't support?


I can see in the NPS logs that the firewall is forwarding packets etc but logging stops and then the RADIUS flow times out.  I have literally tried everything but can't get to the bottom of this problem


Help/Guidance appreciated

Kind of a big deal
Kind of a big deal

I've already configured it and haven't had any problems. Do you have a VPN tunnel with Azure or are you connecting via the internet?

It's over the internet to an Azure public IP (Firewall WAN interface).  I'm using a DNat rule on the Azure firewall to the NPS box.  The Firewall and NPS VNets are peered and all the routing is definitely working.


I can't use a VPN as there are already VPNs into Azure from the sites where the Meraki's are.  The VPNs pass over an Azure Load Balancer which historically has been the reason why we it hasn't worked before, potentially the same problem with the udp fragmentation,


Are you connecting over the internet or using a VPN?

I use it in both scenarios, although I prefer to have the S2S VPN for security reasons.


Have you checked your NPS logs?

Yes, I've checked the IAS logs and Event Logs and there are no more errors.  I can force an error if I turn off the Connection Policy and a log entry in Event log gets created saying there is not matching Connection policy.  If I reenable it, RADIUS times out when it should be Authenticating using the Network policy...  I'm a bit lost currently on the next step forward

What type of authentication are you using? 802.1x?

You must configure your network's public IP as Radius Client in NPS.

Yes, 802.1x, Machine certificates.  Because I have a DNat rule on the Firewall, the Radius client is configured to the inside IP range of the Firewall.  I can see info in the Event logs on the Radius that shows inbound connections from IPs in the internal firewall IP range.  Mmm, Interesting, Is there something in the Radius protocol that needs the actual Public ip address to work (as this is the Address configured in Meraki) ?

Have you looked into this article?

This solution relies on Microsoft Azure’s SLA (99.99%) due to the caveats above. In addition, the solution requires a secure connection so that the MR can reach Azure AD DS by its private IP addresses. Although Azure AD DS allows LDAPS over the internet, it only allows port 636 and not 389.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.