Hi experts,
I am using RADIUS authentication to connect to the Wi-Fi network. I have two Windows Servers with AD where I have added the RADIUS role and created the RADIUS clients, and so on. With the primary RADIUS server it works fine, but with the secondary RADIUS server there is a credentials issue.
However, I am entering the same credentials and the user is created in both servers. Have you experienced the same issue? Any tip?
Regards,
Julián
Hi Julian,
are you using Microsoft NPS, or what is your RADIUS Server?
I have implemented this many times and not seen this issue so far.
Normally your RADIUS Servers authenticate against the same ADs. (Could be different servers, but the same AD cluster.)
Could you explain the setup in more detail?
Regards,
Markus
If I run that same test from the Meraki dashboard it fails but my radius is working fine with NPS. I think I called Meraki about that a long time ago but I can't remember what they said about the reliability of that test. So you may want to try connecting an actual client to your SSID to test.
Hi Adam,
Thanks for that recommendation, I will test it.
Regards,
Julián
Hi Markus,
I don't know very much about servers, I have to check the detailed configuration with the customer. So far I know there are two Windows Servers with AD, and in each Windows Server I have added the RADIUS role, Microsoft NPS. I know each Windows Server has its own AD, but I don't know if they are in the same cluster or not (I guess so because the customer told me the configurations in both ADs are replicated automatically, but I don't know if that has to do with AD clusters or not).
Regards,
Julián
Yes, AD is replicating automatically, but NPS is not. The config needs to be manually synched between the two servers.
Maybe you should check this is the case.
In my setup the check in the dashboard was successful for all RADIUS servers.
I agree with @Markus comment. The NPS config on each server will be important to review. There are a lot of moving parts to make sure NPS is configured properly on both the server and also on the clients (GPO). Shared secret, Policy Conditions/Constraints, etc...
Hi guys,
Just in case, do you know how difficult the synchronization of RADIUS servers is? Because I have googled and seen that a PowerShell script is needed. If it is very difficult I will tell the customer to implement it.
Regards,
Julián
You can also export and import the config in the GUI if you want.
Hi Markus,
I don't understand, what do you mean?
Regards,
Julián
In the NPS GUI you can export the config as XML and import it on the other NPS so they are in sync with the config.
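The same export/import can be scripted, which answers the earlier question about needing PowerShell. The following is an added example for this thread, not something posted by Markus or taken from Microsoft's documentation verbatim; the file path and the assumption that you run it in an elevated session on each NPS server are mine.

```powershell
# Added example (not from the thread): copy the NPS configuration from the
# primary server to the secondary so both answer RADIUS requests identically.
# Run in an elevated PowerShell session. $ExportPath is an assumed location.
$ExportPath = 'C:\Temp\nps-config.xml'

# --- On the primary NPS server ---
# Export-NpsConfiguration writes the whole NPS config (RADIUS clients,
# connection request and network policies) to XML. The file contains the
# RADIUS shared secrets in clear text, so keep it on an access-controlled
# share and delete it once the import is done.
Export-NpsConfiguration -Path $ExportPath

# Equivalent netsh form. exportPSK=YES is required; without it the shared
# secrets are omitted and the secondary rejects every RADIUS client.
# netsh nps export filename="$ExportPath" exportPSK=YES

# --- On the secondary NPS server ---
# Import replaces the existing NPS configuration on this server.
Import-NpsConfiguration -Path $ExportPath
# netsh nps import filename="$ExportPath"

# Sanity check on the secondary: the Meraki APs should now be listed as
# RADIUS clients with the same addresses as on the primary.
Get-NpsRadiusClient | Select-Object Name, Address, Enabled | Format-Table -AutoSize
```

Note what the export does not carry: the server certificate that the PEAP/EAP network policy references lives in the local machine certificate store, not in the NPS XML, so each NPS server needs its own Server Authentication certificate enrolled and selected in the policy after the import.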
Hi Markus,
OK, I understand, I will try it. Thank you very much!
Regards,
Julián
Hi Markus and Adam,
One more question about that. I have deleted the primary RADIUS server under Wireless > Access control > RADIUS servers, left the secondary server and tried to authenticate; it was unsuccessful. Is this correct? If I authenticate with only one RADIUS server (the secondary) and get EAP failure, is it due to the previous RADIUS synchronization problem?
Regards,
Julián
Yes... It actually does not matter whether you have one or two RADIUS Servers configured. Both of them need to be successful.
If you get an error, there is a problem with the RADIUS Server or the credentials. In your case I think it is the NPS.
I'd recommend having a look into the NPS log.
Did you check that already?
Did you export and import the NPS Config?
Hi Markus,
I have just exported the NPS configuration of the primary RADIUS server and imported it into the secondary RADIUS server. I have deleted the primary RADIUS server in the dashboard and the authentication is still unsuccessful. The NPS log is the same I sent you. Do you have any idea?
Regards,
Julián
What does the NPS log say when you try to authenticate? Are you using this NPS server for anything other than the Meraki APs? Can you ping the NPS server from the subnet where the APs are (management interface)?
The root issue was that the second NPS server did not have a certificate installed & configured in the NPS policy.
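Two checks would have pointed at this cause on the secondary server directly: whether a usable Server Authentication certificate exists in the machine store at all, and what reason the NPS denial events give. The script below is an added example written for this thread, not code from MRCUR or from Microsoft; the helper names `Get-NpsServerCertificate` and `Get-NpsDenials` are mine, and it assumes an elevated session on the NPS server with the standard NPS audit events (6272 granted, 6273 denied, 6274 discarded) landing in the Security log.

```powershell
# Added example (not from the thread): triage on the secondary NPS server.
# Helper names are hypothetical; event IDs are the standard NPS audit IDs.

# 1) Certificates NPS could offer for PEAP / EAP-TLS: Server Authentication EKU,
#    private key present, not expired. A certificate with no EKU at all (valid
#    for all purposes) is deliberately excluded here; adjust if your CA issues those.
function Get-NpsServerCertificate {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication')
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

$certs = Get-NpsServerCertificate
if (-not $certs) {
    Write-Warning 'No usable Server Authentication certificate in LocalMachine\My; PEAP cannot succeed until one is enrolled and selected in the network policy.'
} else {
    $certs | Format-Table -AutoSize
}

# 2) Recent NPS denials (Security log, event 6273) with the reason NPS recorded.
#    Fields come from the event's EventData block.
function Get-NpsDenials {
    param([int]$Hours = 24, [int]$Max = 50)
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $d['SubjectUserName']
                ClientIP   = $d['ClientIPAddress']   # the AP that forwarded the request
                Policy     = $d['NetworkPolicyName']
                ReasonCode = $d['ReasonCode']
                Reason     = $d['Reason']
            }
        }
}

# Group the denials by reason so the dominant failure stands out.
Get-NpsDenials | Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it on the server that fails; a warning from the first check plus denials whose reason text mentions the EAP or certificate configuration, rather than bad credentials, separates this case from a genuine password or shared-secret problem, which is the distinction the thread went back and forth on.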
Hi MRCUR,
Yeah, that's right and thanks for your help.
Regards,
Julián
For syncing two NPS you can have a look here:
https://deployhappiness.com/two-network-policy-server-tricks-subnets-and-syncing/