Meraki

Community

Radius Problems 801.x

athan1234
A model citizen
‎Oct 27 2022 2:34 AM
‎Oct 27 2022 2:34 AM

Radius Problems 801.x

Hello

 

I am having issues with the radius.
Mr 33

a recent
Version in use: MR 28.7.1.
The customers are unable to connect to the network

 
0 Kudos
16 Replies 16
Brash
Kind of a big deal
Kind of a big deal
‎Oct 27 2022 2:52 AM
‎Oct 27 2022 2:52 AM

The test proves that the Meraki AP's are successfully able to reach the RADIUS server and (I'm fairly sure) that they are authorized to send RADIUS requests.

However it doesn't validate that the client can successfully authenticate.

 

What do your authentication policies look like on the RADIUS server? What are you using to identify and authorize clients? (Eg, computer name, username, certificates)

0 Kudos
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 27 2022 3:33 AM
‎Oct 27 2022 3:33 AM

Have you checked the logs on the Radius server?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
athan1234
A model citizen
‎Oct 27 2022 3:49 AM
‎Oct 27 2022 3:49 AM

Hi I checked the radisus server .

 

I get  this message 

 

athan1234_0-1666867705071.png

 

 

 

0 Kudos
In response to athan1234
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 27 2022 4:01 AM
‎Oct 27 2022 4:01 AM

Perfect, you need to install AD CS.

 

RADIUS Server Requirements

There are many server options available for RADIUS, which should work with MR access points if configured correctly. Please refer to your RADIUS server documentation for specifics, but the key requirements for WPA2-Enterprise with Meraki are as follows:

  • The server must host a certificate from a Certificate Authority (CA) trusted by clients on the network.
  • All gateway APs broadcasting the WPA2-Enterprise SSID must be configured as RADIUS clients/authenticators on the server, with a shared secret.
  • The RADIUS server must have a user base to authenticate against.

Once the RADIUS server is configured, refer to the Dashboard Configuration section below for instructions on how to add your RADIUS server to Dashboard.

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
athan1234
A model citizen
‎Oct 27 2022 4:06 AM
‎Oct 27 2022 4:06 AM

What do you mean with AD CS?

0 Kudos
In response to athan1234
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 27 2022 4:11 AM
‎Oct 27 2022 4:11 AM

active directory certificate server. For 802.1x It's necessary to have a server certificate.

 

It's an old article but take a look at Install and Configure the Microsoft Windows 2008 Server as a CA Server

 

https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
athan1234
A model citizen
‎Oct 27 2022 4:34 AM
‎Oct 27 2022 4:34 AM

When I built the cA, did I need to install it on the PC for the users ?

0 Kudos
In response to athan1234
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 27 2022 4:40 AM
‎Oct 27 2022 4:40 AM

If you are using PEAP It is not necessary, just for EAP-TLS.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 27 2022 4:44 AM
‎Oct 27 2022 4:44 AM

You can download this document and follow the steps.

 

https://community.cisco.com/t5/wireless-mobility-knowledge-base/deploy-a-ca-and-nps-certificate-serv...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
athan1234
A model citizen
‎Oct 27 2022 7:27 AM
‎Oct 27 2022 7:27 AM

One question more . There is any way to access wothout a CA . A user are able to connect 8021x only with AD domain ? I belive MS CHAP it is possible ?

0 Kudos
In response to athan1234
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 27 2022 7:37 AM
‎Oct 27 2022 7:37 AM

Nope, to use 802.1x It's required a server certificate from a Certificate Authority (CA). The client does not have to validate It, but on the server, I have to install a certificate.

 

On Cisco WLC I know that is possible to use LDAP to 802.1x, but on Meraki, I think that is not possible.

 

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/211277-WLC-with-LDAP-...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
athan1234
A model citizen
‎Oct 27 2022 7:38 AM
‎Oct 27 2022 7:38 AM

Thanks crack 

0 Kudos
In response to alemabrahao
athan1234
A model citizen
‎Oct 31 2022 11:33 AM
‎Oct 31 2022 11:33 AM

Hi i am watching this video the guy dosen’t set up a  server certificate from a Certificate Authority (CA). 


https://m.youtube.com/watch?v=TQNgh5m5ehU

0 Kudos
In response to athan1234
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 31 2022 11:38 AM
‎Oct 31 2022 11:38 AM

802.1x needs a server certificate. I'm 100% sure of that. In this video he is configuring a policy in NPS, probably AD CS has been installed.


trust me 802.1x doesn't work without a server certificate.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 31 2022 11:40 AM
‎Oct 31 2022 11:40 AM

Protected EAP (PEAP) – it uses inner and outer authentication. Nevertheless, the Authentication Server (AS) presents a digital certificate to authenticate itself with the supplicant in the outer authentication.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 31 2022 11:44 AM
‎Oct 31 2022 11:44 AM

alemabrahao_0-1667241850767.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.