Radius Problems 801.x

athan1234
A model citizen

Hello

I am having issues with the RADIUS.
MR 33, a recent version in use: MR 28.7.1.
The customers are unable to connect to the network.

Brash
Kind of a big deal

The test proves that the Meraki APs are successfully able to reach the RADIUS server and (I'm fairly sure) that they are authorized to send RADIUS requests.

However, it doesn't validate that the client can successfully authenticate.

 

What do your authentication policies look like on the RADIUS server? What are you using to identify and authorize clients? (E.g., computer name, username, certificates.)
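To make the distinction in this reply concrete, here is an added example (not code from the thread or from Meraki): a minimal RADIUS (RFC 2865/2869) Access-Request builder and the checks each side performs. The Message-Authenticator and Response Authenticator are keyed by the shared secret, so both verify even when the server answers Access-Reject; a passing reachability/secret test therefore says nothing about whether the user authenticates. Attribute numbers are the standard ones; the function names, the secret and the user are constructed.

```python
# Added example, not from the thread or Meraki: a minimal RFC 2865/2869 RADIUS builder/verifier.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_REJECT, USER_NAME, USER_PASSWORD, MSG_AUTH = 1, 3, 1, 2, 80

def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: XOR each 16-byte password block with MD5(secret + previous block)."""
    pw = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(secret, username, password, ident=1, authenticator=None):
    """Client (AP) side: Access-Request whose Message-Authenticator is keyed by the secret."""
    authenticator = authenticator or os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(secret, authenticator, password)),
             (MSG_AUTH, b"\0" * 16)]  # zero placeholder, replaced below
    body = encode_attrs(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # HMAC-MD5 over the zeroed packet
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute

def check_message_authenticator(secret, pkt):
    """Server side: recompute HMAC-MD5 with the attribute value zeroed and compare."""
    pos = 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if t == MSG_AUTH:
            zeroed = pkt[:pos + 2] + b"\0" * 16 + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[pos + 2:pos + 18])
        pos += max(length, 2)  # a zero length would otherwise loop forever
    return False  # absent attribute: treat as unauthenticated (RFC 2869 requires it for EAP)

def build_response(secret, request, code, attrs=()):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def verify_response(secret, request, response):
    """Client side: valid iff the peer holds the same secret, whether Accept or Reject."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A request built with a wrong user password still carries a valid Message-Authenticator, and the resulting Access-Reject still carries a valid Response Authenticator, which is exactly why a shared-secret test can pass while every client is rejected.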

alemabrahao
Kind of a big deal

Have you checked the logs on the RADIUS server?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
athan1234
A model citizen

Hi, I checked the RADIUS server.

I get this message:

 

[screenshot: athan1234_0-1666867705071.png]
alemabrahao
Kind of a big deal

Perfect, you need to install AD CS.

 

RADIUS Server Requirements

There are many server options available for RADIUS, which should work with MR access points if configured correctly. Please refer to your RADIUS server documentation for specifics, but the key requirements for WPA2-Enterprise with Meraki are as follows:

  • The server must host a certificate from a Certificate Authority (CA) trusted by clients on the network.
  • All gateway APs broadcasting the WPA2-Enterprise SSID must be configured as RADIUS clients/authenticators on the server, with a shared secret.
  • The RADIUS server must have a user base to authenticate against.

Once the RADIUS server is configured, refer to the Dashboard Configuration section below for instructions on how to add your RADIUS server to Dashboard.

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

athan1234
A model citizen

What do you mean with AD CS?

alemabrahao
Kind of a big deal

Active Directory Certificate Services. For 802.1X it's necessary to have a server certificate.

 

It's an old article, but take a look at "Install and Configure the Microsoft Windows 2008 Server as a CA Server":

 

https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-...

athan1234
A model citizen

When I build the CA, do I need to install it on the PCs for the users?

alemabrahao
Kind of a big deal

If you are using PEAP it is not necessary, just for EAP-TLS.

alemabrahao
Kind of a big deal

You can download this document and follow the steps:

 

https://community.cisco.com/t5/wireless-mobility-knowledge-base/deploy-a-ca-and-nps-certificate-serv...

athan1234
A model citizen

One more question. Is there any way to access without a CA? Are users able to connect with 802.1X using only the AD domain? I believe MS-CHAP makes it possible?

alemabrahao
Kind of a big deal

Nope, to use 802.1X a server certificate from a Certificate Authority (CA) is required. The client does not have to validate it, but on the server I have to install a certificate.

 

On Cisco WLC I know that it is possible to use LDAP for 802.1X, but on Meraki I think that is not possible.

 

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/211277-WLC-with-LDAP-...

athan1234
A model citizen

Thanks, crack!

athan1234
A model citizen

Hi, I am watching this video and the guy doesn't set up a server certificate from a Certificate Authority (CA).

https://m.youtube.com/watch?v=TQNgh5m5ehU

alemabrahao
Kind of a big deal

802.1X needs a server certificate. I'm 100% sure of that. In this video he is configuring a policy in NPS; probably AD CS has already been installed.

Trust me, 802.1X doesn't work without a server certificate.

alemabrahao
Kind of a big deal

Protected EAP (PEAP) uses inner and outer authentication. Nevertheless, the Authentication Server (AS) presents a digital certificate to authenticate itself to the supplicant in the outer authentication.

alemabrahao
Kind of a big deal

[screenshot: alemabrahao_0-1667241850767.png]
