In the NPS Policy, Constraints > Authentication Methods screen, I have EAP Type: Microsoft: Protected EAP (PEAP) set, which when you edit has the Eap Type Secured Password (EAP-MSCHAP v2) set.   Back on the Authentication Methods screen I have none of the Less secure authentication methods ticked.   These should all be correct as I've verified this with several guides.   Regarding the certificate, I obtained this for the RADIUS server from SSL.com, so a trusted CA. Is there a basic test I can run to check this part is setup correctly? ... View more

I changed it to the OR statement, still no joy!   I also deployed a GPO to set a PEAP Wireless Profile on the laptop (using machine authentication as per the "(Optional) Deploy a PEAP Wireless Profile using Group Policy" section in the Meraki guide), which I can see is applied to the laptop after I do a gpupdate, but when attempting to connect it just tries and tries but logs no errors.   Is there an absolute minimum configuration I can go with to try to connect, and then add security layers on top to get to where it should be? ... View more

Thanks Philip, some good suggestions there.   I changed the condition in the network policy to only check for the Meraki Staff Group, and attempted to reconnect. I was then prompted whether to use Windows Credentials, so ticked the box again and clicked OK. It failed to connect.   Checking the NPS server, I see 2 entries:   1) User:      Security ID: MYDOMAIN\ITSPARE01$ Authentication Details:      Reason Code: 48      Reason: The connection request did not match any configured network policy.   2) User:      Security ID: MYDOMAIN\ElectroDan Authentication Details:      Reason Code: 22      Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.   Looking in the WLAN-AutoConfig event log on the laptop, I see several errors:   1) Wireless 802.1x authentication failed. Identity: host/ITSPARE01.mydomain.local User:  Reason: Explicit Eap failure received Error: 0x40420016 EAP Root cause String: Network authentication failed\nWindows doesn't have the required authentication method to connect to this network.   2) Wireless 802.1x authentication failed. Identity: ElectroDan@mydomain.com User: ElectroDan Reason: Explicit Eap failure received Error: 0x40420016 EAP Root cause String: Network authentication failed\nWindows doesn't have the required authentication method to connect to this network.   A couple of the other Information type event log entries show the Encryption for the RADIUS_Test network as AES-CCMP and the EAP Information: Type: 0, Vendor ID 0, Vendor Type 0, Author ID 0   I would've thought the EAP information should show some values? Either way, I'm going to change it to an OR statement for the Network Policy by removing the User Group condition and adding the 2 security groups as Windows Groups on the same line, then retest. ... View more

A couple of other things I've noticed.   From this guide: https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise I'm not able to do the following:   Disable Auto Remediation Navigate to   Policies>Network Policies. Right click the wireless policy and select   Properties. On the   Setting   tab for the policy uncheck the box   Enable auto-remediation   of client computers and click   OK. The auto-remediation option isn't there on the Settings tab and I haven't located it elsewhere.   Also, in the screenshot that outlines an example of an NPS policy, it has 2 conditions which I don't have (and can't find where I set them):   NAP Enforcement: Allow full network access Update Noncompliant Clients: False   I'd like to add these, just in case they have an affect. ... View more

Hi Bruce,   I can confirm the EAP service is set to Manual, and the NPS server is registered in AD.   Thanks. ... View more

Hi Philip,   I can confirm that all of those conditions should match, as the user account is in the  MYDOMAIN\Meraki Staff Group, and the laptop in the MYDOMAIN\Meraki Computer Group.   If I change it to an OR condition, which I have previously tried, and set the condition to Windows Groups, when attempting to connect it just hangs on 'Verifying and connecting' on the laptop for a minute or so, then eventually ask for credentials. I tick the box for 'Use my Windows user account' and click OK, it checks for network requirements, then prompts for credentials again, and at no stage does anything get logged in the NPS event log.   If I take out the Meraki Computer Group condition, leaving just the NAS Port Type and User Groups conditions, again nothing gets logged and I'm repeatedly prompted for credentials.   If I remove the Meraki Computer Group condition and re-add the Meraki User Group condition, I get a Reason Code 48 logged, referencing the user account I'm testing with.   So I can't even connect with less security. Ultimately I want the AND condition to work, as I only want to allow company-issued computers that a domain user is logged onto, to connect. ... View more

I'm back on this now Christmas is out of the way :)   I had some default policies still enabled on my 2016 NPS Server, which I've disabled. They were:   Connection Request Policies > Use Windows authentication for all users. Network Policies > Connections to other access servers. Network Policies > Connections to Microsoft Routing and Remote Access server.   With those 3 disabled, I'm no longer getting the following Information level event logged in Event Viewer: Reason code: 66 Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.   Instead, I am now getting: Reason code: 48 Reason: The connection request did not match any configured network policy.   I have 3 conditions set for the Staff WiFi Network Policy: Condition: NAS Port Type, Value: Wireless - IEEE 802.11 OR Wireless - Other Condition: User Groups, Value: MYDOMAIN\Meraki Staff Group Condition: Machine Groups, Value: MYDOMAIN\Meraki Computer Group   The laptop I'm testing on is a member of the Meraki Computer Group, and the user account I'm logged on with belongs to the Meraki Staff Group.   I get a 'Reason Code: 48' event logged twice each time I try to connect; first for the user, then 10 seconds later for the machine:   -------------------------------------------------------------------------------------------------------------   Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information.   User:      Security ID: MYDOMAIN\ElectroDan       Account Name: MYDOMAIN \ ElectroDan       Account Domain: MYDOMAIN       Fully Qualified Account Name: MYDOMAIN \ ElectroDan   Client Machine:       Security ID: NULL SID       Account Name: -       Fully Qualified Account Name: -       Called Station Identifier: 9A-15-54-AB-52-67:Radius_Test       Calling Station Identifier: 84-3A-4B-56-F4-5C   NAS:       NAS IPv4 Address: 10.99.108.26       NAS IPv6 Address: -       NAS Identifier: -       NAS Port-Type: Wireless - IEEE 802.11       NAS Port: -   RADIUS Client:       Client Friendly Name: Meraki - Purchasing       Client IP Address: 10.99.108.26   Authentication Details:       Connection Request Policy Name: WiFi_Staff       Network Policy Name: -       Authentication Provider: Windows       Authentication Server: DC03.mydomain.local       Authentication Type: EAP       EAP Type: -       Account Session Identifier: 41413346334133424138354636383335       Logging Results: Accounting information was written to the local log file.       Reason Code: 48       Reason: The connection request did not match any configured network policy.   -------------------------------------------------------------------------------------------------------------   Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information.   User:       Security ID: MYDOMAIN\ITSPARE01$       Account Name: host/ITSPARE01.mydomain.local       Account Domain: MYDOMAIN       Fully Qualified Account Name: MYDOMAIN\ITSPARE01$   Client Machine:       Security ID: NULL SID       Account Name: -       Fully Qualified Account Name: -       Called Station Identifier: 9A-15-54-AB-56-2D:Radius_Test       Calling Station Identifier: 84-3A-4B-56-F4-5C   NAS:       NAS IPv4 Address: 10.99.108.25       NAS IPv6 Address: -       NAS Identifier: -       NAS Port-Type: Wireless - IEEE 802.11       NAS Port: -   RADIUS Client:       Client Friendly Name: Meraki - Accounts       Client IP Address: 10.99.108.25   Authentication Details:       Connection Request Policy Name: WiFi_Staff       Network Policy Name: -       Authentication Provider: Windows       Authentication Server: DC03.mydomain.local       Authentication Type: EAP       EAP Type: -       Account Session Identifier: 41433342464337434233394535444334       Logging Results: Accounting information was written to the local log file.       Reason Code: 48       Reason: The connection request did not match any configured network policy.     -------------------------------------------------------------------------------------------------------------   A couple of things I've noticed. 1) The machine account (MYDOMAIN\ITSPARE01$) is being listed in the User section, and the Client Machine section is empty. 2) The 2nd entry (for MYDOMAIN\ITSPARE01$) is registering via a different AP (Meraki - Accounts). Both AP's are within range of my test laptop.   Fun.   Not. ... View more

I've now found out that if I remove the Machine Group from NPS > Policies > Network Policies > MyPolicy > Conditions, I don't get anything logged in the Security Event Log.   Once I add that back in, I see log entries again.   Still failing though with: Reason Code: 66 Reason: The user attempted to use an authentication method that is not enabled on the matching network policy. ... View more

Have gotten a bit further.   With my user profile in AD set to 'Allow access' under the Dial-in tab, and the computer account having always been set to  'Control access through NPS Network Policy', I now see in Event Viewer on the NPS server:   Network Policy Server denied access to a user. Reason Code: 66 Reason: The user attempted to use an authentication method that is not enabled on the matching network policy. ... View more

Okay, so working through the Event Viewer Security log, seems my user account is blocked from dial-in in my AD user properties. I don't recall this being mention in ANY of the guides I've read?!   I've opened my AD user properties, navigated to the Dial-in tab, changed Network Access Permission to 'Control access through NPS Network Policy', then rebooted my laptop but no joy. I then changed it to 'Allow access' but still no joy. I made these changes on my local domain controller, but I'll try again in an hour or so in case it's referring to another DC for some reason. ... View more

I was really hopeful with your suggestion on  802.11r, however I don't seem to have an 802.11r section in my dashboard! Searching for it just takes me to the Access Control page but the nearest thing to that on the page is 802.11w. ... View more

Okay so the Security Event Log shows this on the NPS server. I'm guessing it's trying to authenticate the computer rather than the user?:   Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information. User: Security ID: MYDOMAIN\ITSPARE01$ Account Name: host/ITSPARE01.mydomain.local Account Domain: MYDOMAIN Fully Qualified Account Name: mydomain.local/Mydomain/UK/Computers/ITSPARE01 Client Machine: Security ID: NULL SID Account Name: - Fully Qualified Account Name: - Called Station Identifier: 9A-15-54-AB-52-67:Radius_Test Calling Station Identifier: 84-3A-4B-56-F4-5C NAS: NAS IPv4 Address: 10.32.108.26 NAS IPv6 Address: - NAS Identifier: - NAS Port-Type: Wireless - IEEE 802.11 NAS Port: - RADIUS Client: Client Friendly Name: Meraki - Purchasing Client IP Address: 10.32.108.26 Authentication Details: Connection Request Policy Name: Meraki Staff Secure Wireless Connections Network Policy Name: Connections to other access servers Authentication Provider: Windows Authentication Server: DC03.mydomain.local Authentication Type: EAP EAP Type: - Account Session Identifier: 33364144324231353946353331303231 Logging Results: Accounting information was written to the local log file. Reason Code: 65 Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission. ... View more

I've had a go at that, however the link for  rootsupd.exe is dead. I'll need to find an alternative. ... View more

Okay I'll give it a go. Our clients are all Windows 10. At the moment when I try to connect to the Radius SSID it prompts me for credentials, with a tickbox to 'use my Windows user account', which if I tick fills in the boxes with my AD credentials. It check network requirements after clicking OK, but the credentials prompt just comes back again. ... View more

Thanks, I did come across that thread previously (with all the Spanish screenshots!) but I think I need to get the Test button working from the Meraki dashboard > Access Control for SSID first, before I then troubleshoot client PC's, would you agree? ... View more

Yes, I have a certificate selected in NPS > Network Policies > My Meraki Policy > Constraints > Auth Methods > Microsoft PEAP > (Edit), issued by the server I installed the CA role on. I suspect it could be failing to do with this? I think at some point I created a Group Policy to deploy that certificate to client PC's, perhaps something is amiss with that but I can't seem to get enough info from any logs. ... View more

All AP's are set to DHCP but have a reservation set on the DHCP server. NPS server can ping all AP's no problem. ... View more

Yes, all of my Meraki AP's were added with their IP addresses. I created a Shared Secret template first, which I applied to all APs when adding them as RADIUS Clients. ... View more