Radius Timeout Issues - remote site

OneMoreEspresso
New here

Currently trying to set up a wireless network on the other side of the planet, we're experiencing Radius server timeouts on client authentication; latency is around 133-137ms back to the Radius server. Tried increasing the Radius server timeout from 1s to 10s but no change.

Is there anything else we can try other than a local PSK?

alemabrahao
Kind of a big deal

Is this communication via the Internet or S2S VPN?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
OneMoreEspresso
New here

It's over a Palo Alto S2S VPN; we can see the requests reaching our Radius server but nothing gets back.

Strange, did you ever do a packet capture on the Palo Alto?

Are the Proxy IDs on the tunnel and the routes on the VR configured correctly?

Another thing: I don't know which Radius you are using (NPS, FreeRADIUS), but did you add the AP IP as a Radius client?

PhilipDAth
Kind of a big deal

> latency is around 133-137ms back to the Radius server.

This is not your issue.

What I have seen is RADIUS packets failing when an MTU squeeze happens (such as when using VPN). Try reducing the MTU on the RADIUS server, or see if the PA has some option to help with MTU adjustment. Remember - RADIUS is UDP based.

pjc
A model citizen

I have the same issue at a few of our SD-WAN sites with Radius and EAP-TLS certs. My solution was to use the Meraki Cloud Radius Proxy for these sites - the request goes out directly across the internet (not over SD-WAN, where there is added VPN packet overhead) to the radius proxy and then onward into the datacentre, where the request is accepted and returned back to the cloud radius and on to the WAN site.

Note: The Meraki radius test feature (where there is no added user cert packet overhead) worked fine at these sites, where it was only using username/pw authentication.

I found changing the MTU size on NPS radius made no difference - you have little or no control over the MTU size across your ISP links etc.

Some pings showing packet fragmentation, compared against working sites, may help you check if MTU is your issue.

+1 for MTU. We had issues with this exact problem and Access-Rejects due to timeouts. Setting the relevant NPS policy (Windows Server) with a Framed-MTU of 1344 fixed it for us.
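To make the MTU explanation in the two replies above concrete, here is an added Python example (not code from any poster in this thread, nor from Meraki or Microsoft). It builds a RADIUS Access-Request the way a NAS would when relaying an EAP-TLS fragment, splitting the EAP packet into 253-byte EAP-Message attributes and carrying the Framed-MTU attribute, parses it back with the length checks a receiver needs, and then estimates the on-wire datagram size with and without an IPsec ESP tunnel. The 1344 Framed-MTU value comes from the reply above; the 77-byte ESP overhead, the 1380-byte EAP fragment, the user name and the fixed authenticator are constructed assumptions for the illustration, so measure your own tunnel rather than trusting these numbers.

```python
"""Estimate whether an EAP-TLS RADIUS datagram survives an IPsec tunnel.

Constructed example: encodes a RADIUS Access-Request with Framed-MTU and
EAP-Message attributes (RFC 2865 / RFC 3579 layout), parses it back, and
compares the on-wire size against a path MTU with and without ESP overhead.
"""
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 2869 / RFC 3579.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_FRAMED_MTU = 12
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# Assumed per-datagram overheads in bytes (constructed for this example).
IPV4_HEADER = 20
UDP_HEADER = 8
# Outer IPv4 + ESP header + IV + padding/trailer + ICV; a pessimistic figure,
# real tunnels land somewhere in the 60-80 byte range depending on ciphers.
ESP_TUNNEL_OVERHEAD = 77


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) | Length(1, header included) | Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_message_attributes(eap_packet: bytes) -> list:
    """Split an EAP packet into consecutive 253-byte EAP-Message attributes."""
    return [attribute(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
            for i in range(0, len(eap_packet), 253)]


def access_request(identifier: int, attrs: list, authenticator: bytes) -> bytes:
    """Assemble Code | Identifier | Length | Authenticator(16) | attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(attrs)
    length = 20 + len(body)
    if length > 4096:
        raise ValueError("RADIUS packet exceeds the 4096-byte maximum")
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + body


def parse_attributes(packet: bytes) -> list:
    """Return (type, value) pairs, rejecting inconsistent length fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field disagrees with the datagram")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[off + 2:off + alen]))
        off += alen
    return attrs


def framed_mtu(packet: bytes):
    """Return the Framed-MTU value carried in the packet, or None if absent."""
    for atype, value in parse_attributes(packet):
        if atype == ATTR_FRAMED_MTU:
            if len(value) != 4:
                raise ValueError("Framed-MTU must be a 4-byte integer")
            return struct.unpack("!I", value)[0]
    return None


def on_wire_size(radius_packet: bytes, tunnelled: bool) -> int:
    """Bytes placed on the link: IP + UDP + RADIUS, plus ESP when tunnelled."""
    size = IPV4_HEADER + UDP_HEADER + len(radius_packet)
    return size + ESP_TUNNEL_OVERHEAD if tunnelled else size


def fits_without_fragmentation(radius_packet: bytes, path_mtu: int, tunnelled: bool) -> bool:
    """True when the datagram needs no IP fragmentation on that path."""
    return on_wire_size(radius_packet, tunnelled) <= path_mtu


def demo_packet() -> bytes:
    """Constructed Access-Request: a 1380-byte EAP-TLS fragment plus Framed-MTU 1344."""
    eap_fragment = bytes(1380)          # stand-in for a certificate fragment
    attrs = [attribute(ATTR_USER_NAME, b"user@example.com"),
             attribute(ATTR_FRAMED_MTU, struct.pack("!I", 1344))]
    attrs += eap_message_attributes(eap_fragment)
    attrs.append(attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder HMAC
    return access_request(0x2A, attrs, bytes(range(16)))


if __name__ == "__main__":
    pkt = demo_packet()
    print(f"RADIUS length {len(pkt)}, Framed-MTU {framed_mtu(pkt)}")
    for tunnelled in (False, True):
        print(f"tunnelled={tunnelled}: {on_wire_size(pkt, tunnelled)} bytes on wire, "
              f"fits 1500 path MTU: {fits_without_fragmentation(pkt, 1500, tunnelled)}")
```

Running it shows the same request at 1482 bytes on a plain 1500-byte path but 1559 bytes once the assumed ESP headers are added, which is exactly the case where the datagram gets fragmented (or dropped, if DF is set) inside the VPN while the username/password test from the Meraki dashboard, with far smaller packets, keeps working. Lowering Framed-MTU tells the server to send smaller EAP fragments, so each RADIUS datagram shrinks to fit the tunnel.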

OneMoreEspresso
New here

Thanks everyone for the replies. We're just working through some of the suggestions and will report back if we make any progress.
