RADIUS success on Meraki dashboard failure on clients (Android and Win7)

SCPITDIR
Here to help

RADIUS success on Meraki dashboard failure on clients (Android and Win7)

Greetings-

 

We have successfully installed radius server on Meraki Dashboard and server passes test.  When trying to connect clients (Android and Win7)  it gives password error.

 

I'm at my wits end here. ALL HELP is appreciated!

 

 

12 Replies 12
PhilipDAth
Kind of a big deal
Kind of a big deal

/You provide so little information it is not possible to help you.

 

How are you using Radius?  Client VPN?  WPA2 authentication? Something else?  Radius proxy?

MilesMeraki
Head in the Cloud

Yeah, providing more information will definitely assist us in helping you. Does testing the Radius authentication pass under the access control page? 

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
SCPITDIR
Here to help

So sorry for not providing more info, just at my wits end so i turned off all computers for the weekend.  here's the info:

 

Windows server 2008 NPS server; EAP-MSCHAP v2, PEAP

Meraki configured WPA2-Enterprise with My Radius Server, no splash page

RADIUS Server PASSES test on Meraki Dashboard 

All clients get "password error" when trying to connect (Android or Win7 laptops)

 

any further coinfig i should send you??

SCPITDIR
Here to help

So sorry for not providing more info, just at my wits end so i turned off all computers for the weekend.  here's the info:

 

Windows server 2008 NPS server; EAP-MSCHAP v2, PEAP

Meraki configured WPA2-Enterprise with My Radius Server, no splash page

RADIUS Server PASSES test on Meraki Dashboard 

All clients get "password error" when trying to connect (Android or Win7 laptops)

 

any further coinfig i should send you??

PhilipDAth
Kind of a big deal
Kind of a big deal

You still haven't answered one of my questions from my first post?  What is using the RADIUS?  WiFi?  Client VPN?  Content filtering?  What are you using it for.

SCPITDIR
Here to help

Apologies it is on my SSID so i presume that means the WiFi configured for RADIUS:

 

 

SSID

Access control
Encryption                                                          802.1X with custom RADIUS
Sign-on method                                                  None
Bandwidth limit                                                   unlimited
Client IP assignment                                          Local LAN
Clients blocked from using LAN                         n/a
Wired clients are part of Wi-Fi network              no
VLAN tag                                                           xxx
VPN                                                                   disabled

 

 

we are trying to set up a Staff SSID just like we have on our failing aging Cisco APs that uses the users AD credentials and password to access the network.

 

 

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

On your RADIUS server you only need PEAP enabled, and then in the PEAP properties you should have MSCHAPv2 enabled.

 

You do not need MSCHAPv2 in the "outer" layer where PEAP is.

SCPITDIR
Here to help

Thank you.  Passed test in Meraki Dashboard SSID Access Configuration Test RADIUS :

Completed testing to "192.168.xxx.xx:1812 for user"

 
Total APs: 8
APs passed: 3
APs failed: 0
APs unreachable: 5
 
 

All online access points successfully contacted the RADIUS server, however 5 access points were offline and could not be tested.


RADIUS attributes used: 

RADIUS attributes unused: 
Framed-Protocol:PPP
Service-Type:Framed-User
MS-CHAP-Domain:DOMAIN NAME
 
 
 
Android clients still failing...   trying to verify Android config
 
no Win laptops available to test..
 
 
PhilipDAth
Kind of a big deal
Kind of a big deal

For Android use these settings:

EAP Method = PEAP

Phase-2 Authentication = PEAP

CA Certificate = Do not validate (or you need to install the root certificate that issued your RADIUS server certificate)

Identity = AD username

Anonymous Identity = Blank

 

SCPITDIR
Here to help

ok at least now i'm getting a different error.. failed to obtain IP....

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

That sounds like you have now authenticated (you should be able to see the client int he Dashboard) but that you have a DHCP issue now.

SCPITDIR
Here to help

SUCCESS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   A MILLION THANK YOUS!!!!!       Here is the end result fix:

 

 

in Micro$oft NPS server removed MSCHAPv2  as an EAP type as suggested

 

changed DHCP to NAT mode: Use Meraki DHCP

 

on android device:

EAP Method = PEAP

Phase-2 Authentication = none

CA Certificate = (unspecified)

Identity = AD username 

Anonymous Identity = Blank

Password=Password

 

Thank you Phillip! hope this helps someone else !!!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels