Radius Server Testing Failed

Prashan
Getting noticed


Hi Team,

 

When I try to test my RADIUS server from the Meraki Dashboard, I get the following message. Can you help me solve this issue?

 

"Authentication failed while testing on one of your APs. This means the RADIUS server was reached but your credentials were incorrect. The test was stopped to prevent this account from being locked out due to multiple failed attempts. Please try again with different username and/or password"

 

Regards

Prashan

 

Note - the AP is unreachable because I didn't power up the other AP

asas.PNG

MarcP
Kind of a big deal

Have you set up the AP on Radius site, with the correct "Secret"?

 

2019-09-03 11_59_20-rdp.png

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

 

Prashan
Getting noticed

Capture2.PNG

 

Yes I think so

Nick
Head in the Cloud

Have you checked the basics through? You can fully route to the server IP and it can route back?

Anything in the logs? Re-entered the secrets again just to be sure etc

Prashan
Getting noticed

From the server, the AP IP is pinging, and from the AP, the server IP is pinging. Can you guide me to troubleshoot this?
redsector
Head in the Cloud

Ping is working in both directions. No L3 only L2.

redsector
Head in the Cloud

I have got the same issue with all of our MR access points (about 60 MR access points). Everything is working well but the RADIUS test doesn't work. We use a Cisco ISE as RADIUS server.

Prashan
Getting noticed

Hi Redsector,

Did you overcome the issue?
redsector
Head in the Cloud

No solution up to now.

The Radius-test is still not possible.

The routing must be good because otherwise the clients and access points couldn't connect to the ISE (both have to).

 

 

Prashan
Getting noticed

So you weren't able to use the RADIUS server option in Meraki?
redsector
Head in the Cloud

No, I can use it, otherwise the clients couldn't connect to the LAN.

Only the Radius-Test option is not working.

Prashan
Getting noticed

I'm not able to connect my clients to RADIUS. I'm pretty new to this RADIUS testing. I don't know how to troubleshoot this issue.
redsector
Head in the Cloud

Prashan: in the Cisco ISE (RADIUS) you have to add every access point with a fixed IP address to allow clients to be connected.

Prashan
Getting noticed

Hi @redsector 

 

I use windows server 2016 environment

MarcP
Kind of a big deal


@Prashan wrote:

Hi @redsector 

 

I use windows server 2016 environment


We do as well and it is working fine, even at the moment.

 

Do you use authentication certificates on your clients to connect to the wifi, which have to be installed within the Radius as well?

redsector
Head in the Cloud

MarcP: how do you connect to test the Radius? Is it the Windows-Domain-Name + Name + Password?

Or is there a special Radius account to use?

MarcP
Kind of a big deal

I am using my personal username + password

 

To verify, I used another account's credentials; that worked as well.

 

without domain\

 

2019-09-03 13_49_24-Access Control Configuration - Meraki Dashboard.png

2019-09-03 13_50_01-Access Control Configuration - Meraki Dashboard.png

Raphael_M
Here to help

Hello Prashan,

 

That's a funny coincidence, I noticed the exact same issue earlier today.

I spent a few hours scratching my head and switching between the Meraki dashboard and our Cisco ISE (which handles the RADIUS requests) and I finally figured out what the issue was.

 

In our case: all our ISE policies start with an "if Wireless_802.1X". This checks two things from the RADIUS request fields:

  • NAS-Port-Type = Wireless-802.11
  • Service-Type = Framed

Interestingly enough, it turns out that if you use the "Test" button the Meraki AP will not include the "Service-Type" information in its RADIUS request. Because of that the request does not pass the "if Wireless_802.1X" condition and is rejected.

 

You can see this behavior with a packet capture of the AP uplink port. As you can see below, only the NAS-Port-Type is sent:

a.jpg

 

However, during a real user authentication, the AP correctly sends both pieces of information to the RADIUS server, so the authentication is working fine.

b.jpg

 

So I would check whether you are also using the "Wireless_802.1X" condition on your RADIUS server or not.
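
Added example (not part of the original post, and not Meraki or Cisco code): a small Python parser that reads the attributes of a RADIUS Access-Request and reports which half of the two-part condition described above would fail. The attribute numbers and values are those of RFC 2865; both sample packets are constructed here, not taken from the capture in the post, and the user name is a placeholder.

```python
import struct

# Attribute numbers and values as assigned in RFC 2865.
USER_NAME, SERVICE_TYPE, NAS_PORT_TYPE = 1, 6, 61
FRAMED, WIRELESS_802_11 = 2, 19
ACCESS_REQUEST = 1

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute_type: [raw values]} for a RADIUS Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def int_attr(attrs: dict, a_type: int):
    """Decode a 4-byte integer attribute, or None if absent or malformed."""
    vals = attrs.get(a_type)
    if not vals or len(vals[0]) != 4:
        return None
    return struct.unpack("!I", vals[0])[0]

def failed_checks(packet: bytes) -> list:
    """Names of the condition's attributes that are missing or do not match."""
    attrs = parse_attributes(packet)
    failed = []
    if int_attr(attrs, NAS_PORT_TYPE) != WIRELESS_802_11:
        failed.append("NAS-Port-Type")
    if int_attr(attrs, SERVICE_TYPE) != FRAMED:
        failed.append("Service-Type")
    return failed

def build_request(attr_list) -> bytes:
    """Build a constructed Access-Request (zeroed authenticator) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attr_list)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: a test-style request without Service-Type, and a full one.
COMMON = [(USER_NAME, b"testuser"), (NAS_PORT_TYPE, struct.pack("!I", WIRELESS_802_11))]
TEST_STYLE = build_request(COMMON)
REAL_STYLE = build_request(COMMON + [(SERVICE_TYPE, struct.pack("!I", FRAMED))])
```

Feeding the UDP payload of a captured Access-Request to `failed_checks` shows at a glance whether a reject comes from the policy condition rather than from the credentials.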

Nick
Head in the Cloud

To confirm this test works correctly on all sites we manage

 

What issues are you having?

 

 

Screenshot 2019-09-03 at 11.58.03.png

Prashan
Getting noticed

Hi @Nick 

 

1st I'm not able to do the Radius Test.

 

Radius installed on Windows Server 2016. Ping is working from both ends

 

Is there a way to check from the server side? I followed a YouTube video to complete this task.

redsector
Head in the Cloud

Nick: "Authentication failed" means the connection to Cisco ISE is OK. But my Cisco ISE credentials are not working.

Look at the first picture in this topic. It's a problem of how to connect with which name.

 

Prashan: did you test yourdomain\name + password ?

Prashan
Getting noticed

Hi @redsector,

 

I did test using server admin login

 

Hi @MarcP 

 

I hope this is what you are asking

Capture3.png

 

Hi @Raphael_M 

 

I hope this is what you are asking

 

Capture4.png

Prashan
Getting noticed

Hi All,

 

Please find more details for this thread

 

Clients are connecting successfully

 

Request Accept.PNG

Prashan
Getting noticed

Hi All,

 

Thank you for your time and valuable thoughts

 

It suddenly became successful and clients are getting connected as well

 

capture6.PNG

 

Hi @redsector 

 

Try to test using a user who is in the RADIUS group

 

Capture7.png

Nick
Head in the Cloud

Hi @redsector I was focussed on the original poster's question - not your ISE part. Though you are correct, the image shows failed authentication, not connection.

 

Looks like that issue is resolved now 🙂 - did you try the suggestions made in the later posts?
