problem with radius authentication

gchak

Hello,

 

We've got an SSID which uses RADIUS authentication.

When I try an authentication via the AP I get this error message: "failed to connect to the RADIUS server".

I ran a packet capture on the RADIUS server and on the wired AP, and I see that the AP communicates with the RADIUS server but it blocks on the Access-Challenge id=2.

See below please:

On the AP:

gchak_0-1642519195765.png

On the radius server:

gchak_1-1642519349331.png

It seems that the AP doesn't receive the "Access-Challenge id=2".

Have you experienced this issue? How can I resolve it?

 

Thank you for your help!

 

Regards

ww

Did you capture on the switchport to the AP, or on other devices in the path, to see if that packet is still present?

PhilipDAth

My first guess is that the RADIUS server is not configured to accept MSCHAPv2.

PhilipDAth

What does the RADIUS server log say?

BlakeRichardson

Have you confirmed the shared secret is correct? 

I'm 50% confident you won't get an Access-Reject if the shared secret is wrong.  You generally get no response at all.

KarstenI

Just go to 100% (RFC 2865):

   Once the RADIUS server receives the request, it validates the sending
   client.  A request from a client for which the RADIUS server does not
   have a shared secret MUST be silently discarded.  If the client is
   valid, ...

 

KarstenI

The relevant part will likely be inside the second Access-Request/Access-Challenge. There the Client and RADIUS-Server talk about the EAP-Method to use.
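
To compare the two captures discussed in this thread, the following added example (not part of any reply) decodes RADIUS payloads, reports the EAP method carried in each Access-Request/Access-Challenge, and lists request identifiers that never got a reply. It assumes the raw UDP payloads have already been exported from the capture; the sample packets, including the PEAP method in them, are constructed.

```python
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def parse_radius(payload):
    """Decode one RADIUS UDP payload: code, identifier and EAP header (if present)."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("bad RADIUS length field")
    eap, pos = b"", 20
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == 79:  # EAP-Message; a long EAP packet spans several of these
            eap += payload[pos + 2:pos + alen]
        pos += alen
    info = {"code": RADIUS_CODES.get(code, str(code)), "id": ident, "eap": None, "method": None}
    if len(eap) >= 4:
        info["eap"] = EAP_CODES.get(eap[0], str(eap[0]))
        if eap[0] in (1, 2) and len(eap) >= 5:  # only Request/Response carry a type
            info["method"] = EAP_TYPES.get(eap[4], f"type {eap[4]}")
    return info

def unanswered(payloads):
    """Identifiers of Access-Requests that never got a reply with the same identifier."""
    pending = []
    for p in payloads:
        pkt = parse_radius(p)
        if pkt["code"] == "Access-Request":
            if pkt["id"] not in pending:  # ignore retransmissions
                pending.append(pkt["id"])
        elif pkt["id"] in pending:
            pending.remove(pkt["id"])
    return pending

def sample(code, ident, eap_code, eap_type):
    """Constructed test packet: zeroed authenticator, one EAP-Message attribute."""
    eap = struct.pack("!BBHB", eap_code, ident, 5, eap_type)
    return struct.pack("!BBH", code, ident, 27) + bytes(16) + bytes([79, 7]) + eap

# Constructed captures mirroring the thread: the server sends Access-Challenge id=2,
# but it never shows up in the capture taken on the AP side.
SERVER_SIDE = [sample(1, 1, 2, 1), sample(11, 1, 1, 25), sample(1, 2, 2, 25), sample(11, 2, 1, 25)]
AP_SIDE = SERVER_SIDE[:3]
```

Running `unanswered()` on each capture point along the path shows the hop where the reply disappears, and `parse_radius()` on the second exchange shows which EAP method each side proposed.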

Inderdeep

@gchak: Review this if it helps

https://documentation.meraki.com/MR/MR_Splash_Page/RADIUS_Failover_and_Retry_Details

 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com