RADIUS Auth failed on Meraki, but Aironet working
Solved

MikeC

Hi,

Firstly, I'm a bit of a n00b on enterprise-class wireless networking (I have been predominantly working on routing and switching only until recently).

I'm currently working on migrating a customer's existing Cisco Aironet to Meraki. The particular site that I'm currently working on has 4x Aironet 1142 controlled by the integrated WLC on a Cat 3750G. Wireless clients are authenticated to the "main" SSID via 802.1X with RADIUS (Microsoft RADIUS/NPS).

I configured a test SSID on the Meraki with 802.1X authentication using the same RADIUS server. But I could not connect to this SSID from the customer's SOE laptop, running Windows 7. Running a packet capture on the Meraki dashboard revealed a RADIUS Access-Reject message. I could connect successfully to the SSID on the Aironet using the same laptop and username/password. I've made sure the RADIUS secret is correct. I created another test SSID using WPA2-Personal auth and could connect without any problem.

What am I missing?

TIA.

5 Replies

PhilipDAth

If you are getting an ACCESS-REJECT, that means the Microsoft NPS RADIUS server is refusing to allow the client to connect.

You need to go and look at the policy or logs on this server to see why it is rejecting the client.

MikeC

Managed to get things working by removing "Called-Station-ID" from the condition/restriction on the NPS profile. Just realised that Meraki uses a different value in "Called-Station-ID" rather than the SSID name: it's using the BSSID (I missed this part when I scanned through the document on configuring RADIUS on Meraki). If we need to maintain this condition/restriction on the NPS profile, it appears that we will have to list all the possible "Called-Station-ID" values on the NPS profile. Considering we have 2 SSIDs on each WAP, running over both 2.4GHz and 5GHz radios, we'll have to add 4 BSSIDs for *each* Meraki WAP on the NPS profile. We'll need to deploy 11 WAPs, so 44 BSSIDs. This will get untenable, and unscalable, very quickly.

Is there any other way that's more scalable, but still using RADIUS?

PhilipDAth (accepted solution)

You can pattern match on part of a string with the Called-Station-ID attribute. In this case, if you put just the SSID it should match.

https://blogs.technet.microsoft.com/netgeeks/2017/05/02/how-to-authenticate-multiple-wifi-ssids-on-a...

PhilipDAth

Make sure the case of the SSID exactly matches.
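The three policy styles discussed in this thread (an exact SSID compare, an enumerated list of per-radio BSSID strings, and a pattern on the Called-Station-Id attribute) can be modelled side by side so the failure modes are visible before touching the live NPS policy. The block below is an added example, not code from the thread, Meraki or Microsoft. It assumes the Meraki attribute format is "<AP BSSID, hyphen-separated>:<SSID>", that NPS pattern conditions are case-sensitive and match anywhere in the attribute unless anchored with ^ and $, and it uses constructed sample values rather than anything captured from the poster's site; all of those are assumptions.

```python
import re

# Constructed sample Called-Station-Id values (not captured from the thread's
# site). Assumed Meraki format: "<AP BSSID, hyphen-separated>:<SSID>", which is
# why a policy condition that expects just the SSID name gets an Access-Reject.
SAMPLE_CALLED_STATION_IDS = [
    "0C-8D-DB-AA-BB-01:CorpWiFi",        # AP 1, 2.4 GHz radio, corporate SSID
    "0C-8D-DB-AA-BB-02:CorpWiFi",        # AP 1, 5 GHz radio: a different BSSID
    "0C-8D-DB-AA-BB-03:CorpWiFi-Guest",  # AP 1, guest SSID that must NOT match
    "0C-8D-DB-AA-BB-11:corpwifi",        # AP 2, SSID with the wrong case
]

# The enumerated-BSSID approach from the thread: one entry per radio per SSID.
ALLOWED_BSSID_LIST = {
    "0C-8D-DB-AA-BB-01:CorpWiFi",
    "0C-8D-DB-AA-BB-02:CorpWiFi",
}


def exact_match(called_station_id: str, ssid: str) -> bool:
    """The original condition: a literal comparison against the SSID name.
    Works when the NAS sends only the SSID, fails once a BSSID is prepended."""
    return called_station_id == ssid


def bssid_list_match(called_station_id: str, allowed: set[str]) -> bool:
    """Explicit list of BSSID:SSID strings. Correct, but it grows with
    APs x radios x SSIDs and must be edited every time an AP is added."""
    return called_station_id in allowed


def pattern_match(called_station_id: str, pattern: str) -> bool:
    """Pattern condition. Assumption: case-sensitive, and the pattern is
    searched anywhere in the attribute unless the caller anchors it."""
    return re.search(pattern, called_station_id) is not None


def accepted(values, condition) -> list[str]:
    """Return the Called-Station-Id values a given condition would let through."""
    return [v for v in values if condition(v)]


def compare_conditions(values=SAMPLE_CALLED_STATION_IDS) -> dict[str, list[str]]:
    """Run each policy style over the sample values and return what it admits."""
    ssid = "CorpWiFi"
    # Anchored on the ':' separator and end of string so "CorpWiFi-Guest"
    # cannot ride in on a prefix match; re.escape protects SSIDs with '.' etc.
    anchored = r"^.*:" + re.escape(ssid) + r"$"
    return {
        "exact_ssid": accepted(values, lambda v: exact_match(v, ssid)),
        "bssid_list": accepted(values, lambda v: bssid_list_match(v, ALLOWED_BSSID_LIST)),
        "unanchored_pattern": accepted(values, lambda v: pattern_match(v, ssid)),
        "anchored_pattern": accepted(values, lambda v: pattern_match(v, anchored)),
    }


def bssid_entries_needed(access_points: int, ssids: int, radios: int = 2) -> int:
    """Size of the enumerated list the thread was trying to avoid
    (11 APs x 2 SSIDs x 2 radios = 44 entries)."""
    return access_points * ssids * radios


if __name__ == "__main__":
    for name, hits in compare_conditions().items():
        print(f"{name:20s} -> {hits}")
    print("entries for 11 APs x 2 SSIDs x 2 radios:", bssid_entries_needed(11, 2))
```

The unanchored pattern is the one that "just putting the SSID" gives you: it accepts the corporate SSID on every AP without listing BSSIDs, but it also admits any other SSID that contains the same string (here the guest network), which is a policy hole rather than a connectivity problem, so you would not notice it from an Access-Reject. Anchoring the pattern on the separator and end of string keeps the scalability and closes that gap; the lowercase sample shows why the case has to match exactly.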

MikeC

My counterpart on the Windows side changed the NPS profile to use a wildcard. All works now.
