HI all,
Got a bit of a strange one I want to run past someone before I go back to support (Have had a couple of cases and just keep getting sent back to look at the radius server as the cause of the issue.)
Essentially the issue is I have several Networks under one org. Each Network points back to the same primary and secondary NPS/Radius Server. Primary Server is 10.1.1.100. Secondary Server is 10.2.1.100. Both servers all working and have been for a long time. They both use the exact same policy on the NPS radius configuration. Setup is using EAP-PEAP with TLS 1.2 enabled on the server with TLS 1.0 disabled at the NPS level.
First Site is called "Site B" is working 100%. It runs an MR42 Clients mobile phones, PC's etc can join the wireless with Dot1x Radius Auth, and the Dashboard test button for Radius under SSID passes the tests using my confirmed valid and active Domain Username and Password. Passes for both Primary and Secondary Radius tests under SSID page.
Site with the issue is called "Site G". It runs an MR32 AP. At "Site G" the PC's and mobile phones are working fine. They are able to auth successfully via dot1x radius authentication and they ARE working. The only thing that fails and never works is the Meraki Dashboard Test button for Radius. It fails against both Primary and Secondary Radius test buttons using the exact same Username and Password as "Site B".
Third site for the customer is called "Site S" It runs an MR20 AP. At "Site S" PC's and mobile phones are working fine, authenticating successfully via dot1x radius authentication. Meraki Dashboard Radius Test button tests pass at this site each time testing with the same Username and Password tested above.
I have gone and done some detailed testing and Meraki packet captures and trawling through them line by line I have finally found something different between them.
"Site B" does the tests from the Dashboard Radius test button using TLS1.2 which is configured correctly on the Server.
"Site G" does the tests from the Dashboard Radius test button using TLS1.0 and is rejected as the server is configured to disable TLS1.0.
The clients running on the LAN are correctly using TLS1.2 at "Site G" the only place that TLS1.0 is used is on the Meraki Dashboard Test.
I have searched doco, community forum and the dashboard but I cannot find any reference to what settings are used for the Dashboard Radius Test, and if it varies based on the Underlying AP used for the test?
"Site G"
"Site B"
"Site S"
IF this was testing with a PC I would 100% understand someone sending me back to look at the Radius Box, but the clients and the Radius box are correct and using TLS1.2.
The Meraki Dashboard, purely for one Network Location is using TLS 1.0 and not TLS1.2. I am stuck. Do different AP models send their Radius tests via the Dashboard with different settings possibly?
