Meraki

Community

Seeing "Unauthenticated" on Windows Nic after connecting to Meraki wifi via Windows NPS (Radius)

Solved
B_Seiler
Here to help
‎Apr 4 2024 12:49 PM
‎Apr 4 2024 12:49 PM

Seeing "Unauthenticated" on Windows Nic after connecting to Meraki wifi via Windows NPS (Radius)

Seeing "Unauthenticated" on Windows Nic after connecting to Meraki wifi via Windows NPS (Radius)

I am following this guide (Configuring RADIUS Authentication with WPA2-Enterprise) to configure Meraki Wifi.)

Configuring RADIUS Authentication with WPA2-Enterprise - Cisco Meraki Documentation

I set up a new test meraki network and have pushed out the wifi profile via GPO. The windows test laptop can connect to the Meraki wifi network via radius and receives an IP address correctly from our on-prem DHCP server.

Radius auth using EAP-TLS is working.

Only bug is the windows nic says "Unauthenticated." It's on the correct vlan and it has network access.

What would cause this? The only thing I can think of is that I have not configured a "proper" (ie, from an enterprise CA) certificate for the NPS server. The NPS server does have an issued server cert from our standalone windows CA (we don't have an Enterprise CA yet). It does not seem to matter whether or not I click "Validate Server Certificate" on the gpo settings for the wifi profile. See below:

wifi screenshot.jpg

Labels:
0 Kudos
1 Accepted Solution
B_Seiler
Here to help
‎Apr 10 2024 10:49 AM
‎Apr 10 2024 10:49 AM

I have solved the issue.

Meraki automatically blocks the first (default) SSID from accessing the local LAN. It was blocking DNS and all other domain traffic. (except for dhcp which it allows by default)

What tipped me off? 2 things:

1-Seeing the network profile in Windows showing as "private" instead of "domain."

2-Comparing the target SSID to another temporary SSID that I set up that does not use radius but rather only a PSK.  When I saw "Clients blocked from using LAN" I knew I was on to something.

B_Seiler_1-1712771320427.png

 

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/%27Deny_Local_LAN%27_settings_in_Ci...

You have to change the setting in Firewall and traffic shaping. Working great now.

B_Seiler_0-1712771154878.png

 

View solution in original post

0 Kudos
7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 4 2024 12:54 PM
‎Apr 4 2024 12:54 PM

Have you tried updating both the system and the wifi network card driver?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
B_Seiler
Here to help
‎Apr 9 2024 8:57 AM
‎Apr 9 2024 8:57 AM

the laptop has another NIC connected to the LAN that is working fine (no "unauthenticated" message)
and another wifi connection (the production wifi connection) that is also good. 
So I'm leaning toward Paccer's solution of a review of dhcp/dns config.
I'll keep your suggestion in my back pocket for now, thanks!

0 Kudos
Paccers
Building a reputation
‎Apr 4 2024 6:45 PM
‎Apr 4 2024 6:45 PM

Suspect this is more of a client/DC or DNS problem than anything Meraki specific, you've confirmed the client has completed auth and has network connectivity

In response to Paccers
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 5 2024 3:55 AM
‎Apr 5 2024 3:55 AM

I'm referring to updating the client system and the wireless card drive.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
Paccers
Building a reputation
‎Apr 7 2024 9:23 PM
‎Apr 7 2024 9:23 PM

hey @alemabrahao my bad, my reply was intended for OP

0 Kudos
In response to Paccers
B_Seiler
Here to help
‎Apr 9 2024 8:55 AM
‎Apr 9 2024 8:55 AM

Thanks, Paccers, I am leaning toward this as well. 
Hoping to get quality time to troubleshoot this today and tomorrow.

0 Kudos
B_Seiler
Here to help
‎Apr 10 2024 10:49 AM
‎Apr 10 2024 10:49 AM

I have solved the issue.

Meraki automatically blocks the first (default) SSID from accessing the local LAN. It was blocking DNS and all other domain traffic. (except for dhcp which it allows by default)

What tipped me off? 2 things:

1-Seeing the network profile in Windows showing as "private" instead of "domain."

2-Comparing the target SSID to another temporary SSID that I set up that does not use radius but rather only a PSK.  When I saw "Clients blocked from using LAN" I knew I was on to something.

B_Seiler_1-1712771320427.png

 

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/%27Deny_Local_LAN%27_settings_in_Ci...

You have to change the setting in Firewall and traffic shaping. Working great now.

B_Seiler_0-1712771154878.png

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.