Meraki Dashboard Radius Test Failures

Solved
Shauny
Conversationalist

Hi all,

Got a bit of a strange one I want to run past someone before I go back to support (Have had a couple of cases and just keep getting sent back to look at the radius server as the cause of the issue.)

Essentially the issue is I have several Networks under one org. Each Network points back to the same primary and secondary NPS/Radius Server. Primary Server is 10.1.1.100. Secondary Server is 10.2.1.100. Both servers are working and have been for a long time. They both use the exact same policy on the NPS radius configuration. Setup is using EAP-PEAP with TLS 1.2 enabled on the server with TLS 1.0 disabled at the NPS level.

The first site, called "Site B", is working 100%. It runs an MR42. Clients (mobile phones, PCs, etc.) can join the wireless with Dot1x Radius Auth, and the Dashboard test button for Radius under SSID passes the tests using my confirmed valid and active Domain Username and Password. It passes for both Primary and Secondary Radius tests under the SSID page.

The site with the issue is called "Site G". It runs an MR32 AP. At "Site G" the PCs and mobile phones are working fine. They are able to auth successfully via dot1x radius authentication and they ARE working. The only thing that fails and never works is the Meraki Dashboard Test button for Radius. It fails against both Primary and Secondary Radius test buttons using the exact same Username and Password as "Site B".

The third site for the customer is called "Site S". It runs an MR20 AP. At "Site S" PCs and mobile phones are working fine, authenticating successfully via dot1x radius authentication. Meraki Dashboard Radius Test button tests pass at this site each time, testing with the same Username and Password tested above.

I have gone and done some detailed testing and Meraki packet captures, and after trawling through them line by line I have finally found something different between them.

"Site B" does the tests from the Dashboard Radius test button using TLS 1.2, which is configured correctly on the Server.

"Site G" does the tests from the Dashboard Radius test button using TLS 1.0 and is rejected, as the server is configured to disable TLS 1.0.

The clients running on the LAN are correctly using TLS 1.2 at "Site G"; the only place that TLS 1.0 is used is on the Meraki Dashboard Test.

I have searched doco, community forum and the dashboard but I cannot find any reference to what settings are used for the Dashboard Radius Test, and whether it varies based on the underlying AP used for the test.

[Screenshots for "Site G"]

[Screenshots for "Site B"]

[Screenshots for "Site S"]

If this was testing with a PC I would 100% understand someone sending me back to look at the Radius Box, but the clients and the Radius box are correct and using TLS 1.2.

The Meraki Dashboard, purely for one Network Location, is using TLS 1.0 and not TLS 1.2. I am stuck. Do different AP models send their Radius tests via the Dashboard with different settings possibly?
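
As an added example (not part of the original post and not Meraki's or Microsoft's code), this is one way to read the offered TLS version out of a PEAP ClientHello carried in a RADIUS Access-Request, which is the comparison described in the post above. The packets are constructed samples and `build_sample` is a hypothetical helper; the version is read from the ClientHello `client_version` field because the record-layer version can read 0x0301 even when TLS 1.2 is offered.

```python
import struct

EAP_MESSAGE = 79       # RADIUS attribute carrying EAP (RFC 3579)
EAP_TYPE_PEAP = 25
TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def eap_from_radius(pkt):
    """Concatenate the EAP-Message attributes of one RADIUS packet."""
    total = struct.unpack("!H", pkt[2:4])[0]
    pos, eap = 20, b""             # attributes start after the 20-byte header
    while pos + 2 <= min(total, len(pkt)):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            raise ValueError("malformed RADIUS attribute")
        if atype == EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]
        pos += alen
    return eap

def peap_client_hello_version(pkt):
    """Return the TLS version offered in a PEAP ClientHello, else None."""
    eap = eap_from_radius(pkt)
    if len(eap) < 6 or eap[0] != 2 or eap[4] != EAP_TYPE_PEAP:
        return None                # not an EAP-Response of type PEAP
    flags, tls = eap[5], eap[6:]
    if flags & 0x80:               # L flag: 4-byte TLS message length first
        tls = tls[4:]
    if len(tls) < 11 or tls[0] != 22 or tls[5] != 1:
        return None                # not a handshake record with a ClientHello
    version = struct.unpack("!H", tls[9:11])[0]   # ClientHello client_version
    return TLS_NAMES.get(version, hex(version))

def build_sample(client_version, with_length=False):
    """Constructed Access-Request with a truncated ClientHello (hypothetical)."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    rec = b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record says 1.0
    payload = (struct.pack("!I", len(rec)) if with_length else b"") + rec
    flags = 0x80 if with_length else 0x00
    eap = struct.pack("!BBHBB", 2, 1, 6 + len(payload), EAP_TYPE_PEAP, flags) + payload
    attrs = b"\x01\x06test" + bytes([EAP_MESSAGE, len(eap) + 2]) + eap
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for label, ver in (("constructed TLS 1.0 test", 0x0301), ("constructed TLS 1.2 test", 0x0303)):
        print(label, "->", peap_client_hello_version(build_sample(ver)))
```

To use it on a real capture, pass the UDP payload of each Access-Request sent to port 1812; the first PEAP response after the PEAP start request carries the ClientHello.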

4 Replies
alemabrahao
Kind of a big deal

Have you checked with Meraki support?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Shauny
Conversationalist

Each time I have spoken with them they blamed the server and said it wasn't Meraki. Have gone back to them yet again, but hoping someone else out there may have seen something similar.

GreenMan
Meraki Employee

My guess is that they are running different versions of firmware and this may cause the difference in TLS version used for the tests - see MR32 here will run max 26.x

https://documentation.meraki.com/General_Administration/Firmware_Upgrades/Product_Firmware_Version_R...

Shauny
Conversationalist

You are spot on GreenMan.

The MR32 was running its highest version of firmware at 26, and the support team came back to me a couple of hours ago after I gave all the specific information above and explicitly asked the question, is there something on this AP that will not work with TLS 1.2, and they confirmed that the MR32 and anything using Firmware version 26 only supports sending the Authentication Tests using TLS 1.0. Support for TLS 1.2 only came in on the version 27 firmware.

Looks like we will be recommending this user replace this one old AP ASAP so they can see the tests work from the dashboard for Troubleshooting.
