Meraki AP & Radius Integration

SLR
Building a reputation

I have set up Configuring RADIUS Authentication with WPA2-Enterprise. My AP management IP for MR55-1-Downstairs-AP is configured. The user VLAN ID for this, which is set up in the RADIUS attribute, is 129 - the user who connects to this AP should get an IP from VLAN 129, not from the AP's management VLAN.

 

When I test the RADIUS server from the RADIUS servers part of the dashboard, my test is successful. However, when I connect to the wireless SSID, I am connected but it says no internet and I get a 169.254.xxx.xxx IP address.

What am I doing wrong?

Completed testing to "IP address of Radius server" for "corporate\username"

Total APs:
1
APs passed:
1
APs failed:
0
APs unreachable:
0


All access points successfully contacted the RADIUS server.

RADIUS attributes used:
Tunnel-Type:VLAN
Tunnel-Medium-Type:IEEE-802
Tunnel-Private-Group-Id:129

RADIUS attributes unused:
Framed-Protocol:PPP
Service-Type:Framed-User
MS-CHAP-Domain:CORPORATE

 

What is missing?

 

I used this link to configure https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

End goal is to implement 17 MR55 devices into my environment. 1st Floor devices will use VLAN user ID xxx and 2nd Floor devices will use VLAN user ID xxx. They are both different VLAN IDs for each floor.

11 Replies
ww
Kind of a big deal

Is the auth successful?

Try a capture on the AP and the client to see if the client is sending a BOOTP Discover. Also check the switch trunk port to verify which VLAN the DHCP request is sent on.

SLR
Building a reputation

1) Pcap on the wired interface of the AP shows that the RADIUS server sends an Access-Accept, after which the client sends DHCP Discovers, but we are not receiving any DHCP Offers from the upstream.

—————————————————————————
What are the next steps 
—————————————————————————
check upstream.

 

on my 4510 - ip dhcp pool RESERVATION-(name of AP)
host (IP OF AP)
client-identifier (MAC OF AP)
client-name RESERVATION-(name of AP)

 

On my 3560, the config for the port that my AP is directly plugged into (from wall to PP to 3560 port):

 

interface GigabitEthernet
description (name of AP)
switchport trunk encapsulation dot1q
switchport trunk native vlan (AP management IP)
switchport trunk allowed vlan (AP management IP VLAN and AP User IP VLAN)
switchport mode trunk
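The earlier reply suggested verifying which VLAN the DHCP request is sent on; the config above is where that is decided. The following is an added example, not code from this thread or from Meraki: it parses the "RADIUS attributes used" block as the dashboard test prints it, expands the IOS `switchport trunk allowed vlan` list, and reports whether the VLAN returned in Tunnel-Private-Group-Id is actually carried on the AP's trunk. The interface name, VLAN 130 as the AP management VLAN and the sample config values are constructed.

```python
# Added example (not from the thread): cross-check the RADIUS-assigned VLAN against the
# trunk configuration of the switch port the AP is plugged into.

# Constructed sample: the attribute sections as the dashboard's RADIUS test prints them.
RADIUS_TEST_OUTPUT = """\
RADIUS attributes used:
Tunnel-Type:VLAN
Tunnel-Medium-Type:IEEE-802
Tunnel-Private-Group-Id:129

RADIUS attributes unused:
Framed-Protocol:PPP
Service-Type:Framed-User
MS-CHAP-Domain:CORPORATE
"""

# Constructed sample: the poster's interface stanza with the placeholders filled in
# (VLAN 130 as a made-up AP management VLAN, 129 as the user VLAN).
SWITCHPORT_CONFIG = """\
interface GigabitEthernet1/0/1
 description MR55-1-Downstairs-AP
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 130
 switchport trunk allowed vlan 130,129
 switchport mode trunk
"""

# RFC 3580 values that must accompany Tunnel-Private-Group-Id for dynamic VLAN assignment.
REQUIRED_TUNNEL_ATTRS = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}


def parse_radius_attrs(text):
    """Return {attribute: value} from the 'used' section only; 'unused' attributes are ignored."""
    attrs, in_used = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("RADIUS attributes"):
            in_used = line.startswith("RADIUS attributes used")
        elif in_used and ":" in line:
            name, value = line.split(":", 1)
            attrs[name.strip()] = value.strip()
    return attrs


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,129-131,200' into a set of ints ('all' = 1-4094)."""
    if spec.strip().lower() == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_trunk(config):
    """Extract the switchport mode and the allowed VLAN set from an interface stanza."""
    allowed = set(range(1, 4095))  # IOS default when no 'allowed vlan' line is present
    mode = None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("switchport mode "):
            mode = line.split()[-1]
        elif line.startswith("switchport trunk allowed vlan add "):
            allowed |= expand_vlan_list(line.split("add ", 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            allowed = expand_vlan_list(line.split("vlan ", 1)[1])
    return mode, allowed


def check_vlan_assignment(radius_text, config):
    """Return a list of findings; an empty list means the assigned VLAN can reach the switch."""
    attrs = parse_radius_attrs(radius_text)
    findings = []
    for name, expected in REQUIRED_TUNNEL_ATTRS.items():
        if attrs.get(name) != expected:
            findings.append(f"{name} must be {expected}, got {attrs.get(name)!r}")
    group_id = attrs.get("Tunnel-Private-Group-Id", "")
    if not group_id.isdigit():
        findings.append(f"Tunnel-Private-Group-Id is {group_id!r}, expected a numeric VLAN ID")
        return findings
    vlan = int(group_id)
    mode, allowed = parse_trunk(config)
    if mode != "trunk":
        findings.append(f"AP port mode is {mode!r}; a bridge-mode SSID with VLAN tagging needs a trunk")
    if vlan not in allowed:
        findings.append(f"VLAN {vlan} is not in the trunk allowed list on the AP port")
    return findings


if __name__ == "__main__":
    for finding in check_vlan_assignment(RADIUS_TEST_OUTPUT, SWITCHPORT_CONFIG) or ["no issues found"]:
        print(finding)
```

With the constructed config the check passes; dropping 129 from the allowed list reproduces the classic cause of a client that authenticates, is shown in the right VLAN on the dashboard, and still ends up with a 169.254 address.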

 

ww
Kind of a big deal

Check if the DHCP server is receiving the Discover. If not, your VLAN is not L2 from the AP to the DHCP server, or your forwarder is failing.

jdsilva
Kind of a big deal

You should also be able to check the client auth status too. It's shown on the client details page, which you can reach by finding the client in Network-wide > Clients and clicking on them. That should at least tell you if the client is authenticated, and if they have the correct VLAN assigned.

SLR
Building a reputation

Our DHCP is coming directly from our Cisco 4510. Everything is configured correctly - I am trying to see if it is possible with Meraki and RADIUS to configure two VLANs: the management VLAN ID of the AP and the VLAN ID of the clients connecting to it.

 

For example, let's say my AP IP is on VLAN 130 (10.40.130.100) and my clients connecting to it will get VLAN ID 131 (10.40.131.12).

 

I want to be able to accomplish this on my RADIUS server, with Meraki using RADIUS authentication.

 

My client is authenticating to the RADIUS server; I am just not getting an IP. It connects and says no internet; my IP address is a 169 address instead of a 10.40.131.12 IP (these are examples and not actual IP addresses). It states it is on VLAN 131 - I am seeing this information via the Clients tab of my dashboard.

PhilipDAth
Kind of a big deal

Is the SSID in bridge mode?

 

Are there any Meraki L3 firewall rules configured?

SLR
Building a reputation

Yes, the SSID is in bridge mode. No - there aren't any Meraki L3 Firewall rules configured.

SLR
Building a reputation

Did anyone have to create policies in the Meraki Dashboard? We are not doing policy based...

_Ernie_
Conversationalist

I'm actually facing the same issue.

 

Access-Accept is successful, SSID in bridge mode, not using group policies (so no Filter-Id AVP), no L3 firewall rules... and a packet capture on the Meraki AP itself shows no DHCP packet from the client towards the DHCP server.

 

I see that the original post was posted back in 2019 but did you ever get it resolved?

FabianSchleef
Here to help

What could be possible is that dhcp snooping is enabled and not trusted on the AP port…

I've had DHCP issues with all kinds of Meraki APs (Catalyst 916x as well) by not allowing "all VLANs" but instead only allowing the specific SSID VLANs on the switch port. Only with Meraki switches. Catalyst switches are uncomplicated in comparison lol

CFStevens
Meraki Employee

Hi @SLR

 

As stated earlier, it would be advisable to confirm that your DHCP server is receiving the DHCP Discover messages, preferably via packet capture. Once that is confirmed, you could take a few additional captures from the DHCP server back down to the AP to determine if the DHCP messages are getting back to your client, and if not, where they are being dropped. You can then focus your troubleshooting efforts at the last hop where the DHCP communications are seen.
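The hop-by-hop capture approach described in this reply, as an added example that is not part of the thread or of any Meraki tool: it decodes the BOOTP/DHCP fields needed for tracing (message type, xid, client MAC, offered address) from raw UDP payloads and, given captures ordered from the client toward the DHCP server, names the segment where the Discover stops being seen or where the Offer goes missing. The client MAC, xid, offered address and hop names are constructed; the sample captures reproduce the thread's symptom (Discover seen on the AP's wired side, nothing at the server).

```python
import struct

# Added example (not from the thread): trace a client's DHCP Discover/Offer across captures
# taken at successive hops and report where the exchange breaks.

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(msg_type, xid, chaddr, yiaddr=b"\0\0\0\0"):
    """Build a minimal DHCP payload (UDP payload only) for the constructed test captures."""
    op = 1 if msg_type in (1, 3) else 2            # BOOTREQUEST for client messages, BOOTREPLY otherwise
    header = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type, 255])        # option 53 = DHCP message type, 255 = end
    return header + MAGIC_COOKIE + options


def parse_dhcp(payload):
    """Decode the fields that matter for tracing: message type, xid, client MAC, offered IP."""
    fields = struct.unpack(BOOTP_FMT, payload[:236])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                        # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(53, b"\0")[0]
    return {"type": DHCP_TYPES.get(msg_type, "UNKNOWN"), "xid": fields[4],
            "chaddr": fields[11][:fields[2]], "yiaddr": fields[8]}


def trace_dhcp(captures, client_mac):
    """captures: list of (hop_name, [payload, ...]) ordered from the client toward the DHCP server.
    Returns a one-line verdict naming the segment where the exchange breaks."""
    hops = [name for name, _ in captures]
    seen = {name: {m["type"] for m in map(parse_dhcp, raw) if m["chaddr"] == client_mac}
            for name, raw in captures}
    discover_hops = [h for h in hops if "DISCOVER" in seen[h]]
    offer_hops = [h for h in hops if "OFFER" in seen[h]]
    if not discover_hops:
        return "client never sent a DHCP Discover: check the client's auth state before DHCP"
    if discover_hops[-1] != hops[-1]:
        nxt = hops[hops.index(discover_hops[-1]) + 1]
        return (f"Discover lost between {discover_hops[-1]} and {nxt}: "
                "check the L2 path, allowed VLANs and DHCP snooping trust on that segment")
    if not offer_hops:
        return "DHCP server saw the Discover but sent no Offer: check the scope/relay for the client VLAN"
    if offer_hops[0] != hops[0]:
        prev = hops[hops.index(offer_hops[0]) - 1]
        return f"Offer dropped between {offer_hops[0]} and {prev}"
    return "DHCP Discover/Offer completed end to end"


# Constructed captures matching the symptom in the thread: Discover visible on the AP's wired
# side, nothing reaching the DHCP server (MAC, xid and offered address are made up).
CLIENT_MAC = bytes.fromhex("0011223344aa")
DISCOVER = build_dhcp(1, 0x1234, CLIENT_MAC)
OFFER = build_dhcp(2, 0x1234, CLIENT_MAC, yiaddr=bytes([10, 40, 131, 12]))
SAMPLE_CAPTURES = [("client", [DISCOVER]), ("ap-wired", [DISCOVER]), ("dhcp-server", [])]

if __name__ == "__main__":
    print(trace_dhcp(SAMPLE_CAPTURES, CLIENT_MAC))
```

In practice the payloads come from the captures taken at each hop (client, AP wired port, switch uplink, DHCP server) filtered to UDP ports 67/68; the verdict points at the segment to inspect next, which is the "last hop the DHCP communications are seen" approach this reply describes.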
