Cisco Meraki MR APs issue with Radius NPS | Reason : The RADIUS Request message that Network Policy

sureelam
Comes here often


Team, we are experiencing a recurring problem with our NPS and Cisco Meraki MR Access Points. This issue has surfaced recently: the AP authentication initially functions properly upon installation but stops working after 3 hours, despite no alterations to the network configuration. The notable difference in the logs is the appearance of the user as Security ID: NULL SID (previously displayed as the username).
The reason for this anomaly is identified as a malformed RADIUS Request message received by the Network Policy Server from the network access server.

Reason : The RADIUS Request message that Network Policy Server received from the network access server was malformed.

Our network setup consists solely of Meraki APs, connected in the following sequence: MR ----> Aruba Switch ----> Palo Alto Firewall ----> RADIUS via IPsec tunnel. Looking forward to hearing from you guys soon...

alemabrahao
Kind of a big deal

Perform a packet capture.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

sureelam
Comes here often

@alemabrahao  What elements should we examine in a packet capture?

cmr
Kind of a big deal

Capture the traffic on the Aruba switch for the port where the AP is connected. Compare the RADIUS requests when it works with when it fails.

Are the packets different? If not, then move down the chain to the port connected to the Palo Alto and, if still okay, to the PA itself.

sureelam
Comes here often

The packets show an "Access-Request" message being sent, and the response from the server is an "Access-Challenge." This cycle repeats, occasionally resulting in an "Access-Request" being flagged as a duplicate request.

Within the "Access-Challenge" response, the RADIUS protocol is utilized, specifically involving Attribute Value Pairs, with one such pair being AVP: t=Session-Timeout(27) l=6 val=30.

Could this be linked to the aforementioned issue at times?

[attached screenshot: 6099d3f8-1fe8-45a3-85fe-9730506e1722.png]
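As an added example (not code from the thread, from Meraki or from Microsoft): the NPS event quoted above is raised when the packet fails the structural rules of RFC 2865, so the most useful thing to do with the capture from the AP-facing switch port is to run every Access-Request and Access-Challenge through those same rules and compare the working and failing runs. The script below parses the header and AVP chain, reports the exact offset at which a packet breaks, checks the server's Response Authenticator against the shared secret, and decodes Session-Timeout(27) as seen in the Access-Challenge. The packets, the shared secret and the user name are constructed inline as placeholders; to run it on a real capture, export the RADIUS UDP payloads (for example with tshark and a `udp.port == 1812` filter) and feed their bytes to `triage()`.

```python
"""Added example (not from the thread): structural checks on RADIUS packets
pulled from a capture, the same checks NPS applies before it logs
'The RADIUS Request message ... was malformed'. All sample packets, the
shared secret and the user name below are constructed placeholders."""
import hashlib
import struct

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 24: "State", 27: "Session-Timeout", 79: "EAP-Message", 80: "Message-Authenticator"}


def build_radius(code, ident, authenticator, attrs):
    """Serialize header + AVPs (RFC 2865 sections 3 and 5). attrs: list of (type, value bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_response(code, request, secret, attrs):
    """Build a reply to `request`; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    req_auth = request[4:20]
    draft = build_radius(code, request[1], req_auth, attrs)
    resp_auth = hashlib.md5(draft[:4] + req_auth + draft[20:] + secret).digest()
    return draft[:4] + resp_auth + draft[20:]


def parse_radius(packet):
    """Parse one packet; raise ValueError naming the offset for anything RFC 2865 forbids."""
    if len(packet) < 20:
        raise ValueError(f"only {len(packet)} bytes, header needs 20")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= 4096:
        raise ValueError(f"Length field {length} outside 20..4096")
    if length > len(packet):
        raise ValueError(f"Length field {length} but only {len(packet)} bytes on the wire")
    attrs, pos = [], 20
    while pos < length:                      # bytes beyond Length are padding and ignored
        if length - pos < 2:
            raise ValueError(f"dangling byte at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError(f"attribute {atype} at offset {pos} has Length {alen} < 2")
        if pos + alen > length:
            raise ValueError(f"attribute {atype} at offset {pos} overruns packet end")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attributes": attrs}


def verify_response(response, request, secret):
    """True if the Response Authenticator matches, i.e. the server used our shared secret."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return expected == response[4:20]


def session_timeout(parsed):
    """Return Session-Timeout(27) in seconds, or None if the attribute is absent."""
    for t, v in parsed["attributes"]:
        if t == 27 and len(v) == 4:
            return struct.unpack("!I", v)[0]
    return None


def triage(packets):
    """One line per packet: decoded summary, or the malformation NPS would have rejected it for."""
    report = []
    for raw in packets:
        try:
            p = parse_radius(raw)
            names = [ATTR_NAMES.get(t, f"Attr-{t}") for t, _ in p["attributes"]]
            report.append(f"OK {CODE_NAMES.get(p['code'], p['code'])} id={p['id']} attrs={names}")
        except ValueError as e:
            report.append(f"MALFORMED: {e}")
    return report


# --- constructed sample exchange, not real capture data ---
SECRET = b"example-shared-secret"                 # placeholder shared secret
REQ_AUTH = bytes(range(16))                       # fixed Request Authenticator so runs are reproducible
ACCESS_REQUEST = build_radius(1, 7, REQ_AUTH, [
    (1, b"laptop01"),                             # User-Name (placeholder)
    (79, bytes([2, 1, 0, 12]) + b"laptop01"),     # EAP-Message: EAP Response/Identity
    (80, bytes(16)),                              # Message-Authenticator, zeroed placeholder
])
ACCESS_CHALLENGE = build_response(11, ACCESS_REQUEST, SECRET, [
    (24, b"\x01\x02\x03\x04"),                    # State, echoed by the AP in its next request
    (79, bytes([1, 2, 0, 6, 25, 0x20])),          # EAP-Message: PEAP Start
    (27, struct.pack("!I", 30)),                  # Session-Timeout(27) = 30 s, as in the thread
])
TRUNCATED_REQUEST = ACCESS_REQUEST[:-5]           # payload lost its tail: Length field > bytes received
BAD_AVP_REQUEST = struct.pack("!BBH", 1, 8, 22) + REQ_AUTH + bytes([1, 1])  # User-Name claiming Length 1

if __name__ == "__main__":
    for line in triage([ACCESS_REQUEST, ACCESS_CHALLENGE, TRUNCATED_REQUEST, BAD_AVP_REQUEST]):
        print(line)
    print("challenge authenticator valid:", verify_response(ACCESS_CHALLENGE, ACCESS_REQUEST, SECRET))
    print("Session-Timeout:", session_timeout(parse_radius(ACCESS_CHALLENGE)))
```

A Session-Timeout of 30 in an Access-Challenge is the server telling the NAS how long to wait for the next EAP leg; by itself it is not a malformation. What the parser will surface is whether the failing requests differ structurally (a Length field that no longer matches the UDP payload, an AVP that overruns the packet), which is what to compare across the working and failing windows and, as the previous reply suggests, at each hop toward the firewall.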

sureelam
Comes here often

[attached screenshot: Untitled.png]


Not seeing any other packets apart from this.
