The Meraki Community
  • About ElectroDan
ElectroDan

Getting noticed

Member since Nov 15, 2018

‎02-03-2020
Kudos from
User                                Count
NDRANDY                             3
CarolineS (Community Manager)       1

Kudos given to
User                                Count
JohnR1                              1
PhilipDAth (Kind of a big deal)     1

Community Record

Posts: 23
Kudos: 4
Solutions: 0

Badges

First 5 Posts
Lift-Off
Latest Contributions by ElectroDan

Re: RADIUS - Can authenticate by user, but not by computer

by ElectroDan in Wireless LAN
01-29-2020 02:28 AM
Thanks, did you reference a guide you can post the link to?

RADIUS - Can authenticate by user, but not by computer

by ElectroDan in Wireless LAN
01-29-2020 02:14 AM
Last year, after much troubleshooting, I managed to get RADIUS authentication working for my AD users (although the first time they connect they have to enter their AD username and password as ticking the 'Use my Windows credentials' checkbox does not work).

Anyway, I'd like to switch to computer account authentication, so users aren't prompted to re-authenticate against the WiFi when their AD password changes. However, when I switch to this, users (all on Windows 10) are unable to connect.

This is what is shown in the NPS logs:

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
    Security ID: OURDOMAIN\Daniel
    Account Name: Daniel
    Account Domain: OURDOMAIN
    Fully Qualified Account Name: OURDOMAIN\Daniel

Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    Called Station Identifier: 9A-15-54-AB-56-2D:ES_Radius_Test
    Calling Station Identifier: B8-08-CF-3E-20-26

It looks as if the machine name isn't being passed to the RADIUS server (Windows Server 2016). Is this a bug?

To confirm, this is the Network Policy config that works and allows users to connect with the AD credentials:

This config works.

But if I change from User Groups to Machine Groups, users can't connect:

This config doesn't work.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
07-04-2019 07:14 AM
1 Kudo
JohnR1 - is this some kind of joke?!

I tried that and IT WORKED!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Gobsmacked. After all that effort, that was the final piece.

Thanks SO MUCH for posting that reply, I'd all but given up on getting it working!

Now Meraki just needs to fix it so you can tick the "use my Windows user account" option, and it actually connects.

Cheers again!

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
06-03-2019 07:38 AM
AT LAST I've made some progress (after shelving this out of frustration for several months).

In the Meraki dashboard I can now get the Test function to work from the Radius servers section for my SSID. How? Well, a while back we set a group policy to disable TLS 1.0 and 1.1. Seems this was breaking Meraki.

After re-enabling TLS 1.0/1.1, I was able to run the Radius test successfully with all AP's passing said test using my domain credentials.

Now I just need to get my test laptop connected to the SSID using Radius.

Does anyone know if I can set the Meraki kit to use TLS 1.2?

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
01-07-2019 03:25 AM
In the NPS Policy, Constraints > Authentication Methods screen, I have EAP Type: Microsoft: Protected EAP (PEAP) set, which when you edit has the EAP Type Secured Password (EAP-MSCHAP v2) set.

Back on the Authentication Methods screen I have none of the Less secure authentication methods ticked.

These should all be correct as I've verified this with several guides.

Regarding the certificate, I obtained this for the RADIUS server from SSL.com, so a trusted CA. Is there a basic test I can run to check this part is set up correctly?

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
01-04-2019 09:11 AM
I changed it to the OR statement, still no joy!

I also deployed a GPO to set a PEAP Wireless Profile on the laptop (using machine authentication as per the "(Optional) Deploy a PEAP Wireless Profile using Group Policy" section in the Meraki guide), which I can see is applied to the laptop after I do a gpupdate, but when attempting to connect it just tries and tries but logs no errors.

Is there an absolute minimum configuration I can go with to try to connect, and then add security layers on top to get to where it should be?

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
01-04-2019 02:02 AM
Thanks Philip, some good suggestions there.

I changed the condition in the network policy to only check for the Meraki Staff Group, and attempted to reconnect. I was then prompted whether to use Windows Credentials, so ticked the box again and clicked OK. It failed to connect.

Checking the NPS server, I see 2 entries:

1) User:
       Security ID: MYDOMAIN\ITSPARE01$
   Authentication Details:
       Reason Code: 48
       Reason: The connection request did not match any configured network policy.

2) User:
       Security ID: MYDOMAIN\ElectroDan
   Authentication Details:
       Reason Code: 22
       Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Looking in the WLAN-AutoConfig event log on the laptop, I see several errors:

1) Wireless 802.1x authentication failed.
   Identity: host/ITSPARE01.mydomain.local
   User:
   Reason: Explicit Eap failure received
   Error: 0x40420016
   EAP Root cause String: Network authentication failed\nWindows doesn't have the required authentication method to connect to this network.

2) Wireless 802.1x authentication failed.
   Identity: ElectroDan@mydomain.com
   User: ElectroDan
   Reason: Explicit Eap failure received
   Error: 0x40420016
   EAP Root cause String: Network authentication failed\nWindows doesn't have the required authentication method to connect to this network.

A couple of the other Information type event log entries show the Encryption for the RADIUS_Test network as AES-CCMP and the EAP Information: Type: 0, Vendor ID 0, Vendor Type 0, Author ID 0

I would've thought the EAP information should show some values? Either way, I'm going to change it to an OR statement for the Network Policy by removing the User Group condition and adding the 2 security groups as Windows Groups on the same line, then retest.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
01-03-2019 07:10 AM
A couple of other things I've noticed.

From this guide: https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise I'm not able to do the following:

Disable Auto Remediation
Navigate to Policies>Network Policies.
Right click the wireless policy and select Properties.
On the Setting tab for the policy uncheck the box Enable auto-remediation of client computers and click OK.

The auto-remediation option isn't there on the Settings tab and I haven't located it elsewhere.

Also, in the screenshot that outlines an example of an NPS policy, it has 2 conditions which I don't have (and can't find where I set them):

NAP Enforcement: Allow full network access
Update Noncompliant Clients: False

I'd like to add these, just in case they have an effect.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
01-03-2019 01:45 AM
Hi Bruce,

I can confirm the EAP service is set to Manual, and the NPS server is registered in AD.

Thanks.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
01-03-2019 01:44 AM
Hi Philip,

I can confirm that all of those conditions should match, as the user account is in the MYDOMAIN\Meraki Staff Group, and the laptop in the MYDOMAIN\Meraki Computer Group.

If I change it to an OR condition, which I have previously tried, and set the condition to Windows Groups, when attempting to connect it just hangs on 'Verifying and connecting' on the laptop for a minute or so, then eventually asks for credentials. I tick the box for 'Use my Windows user account' and click OK, it checks for network requirements, then prompts for credentials again, and at no stage does anything get logged in the NPS event log.

If I take out the Meraki Computer Group condition, leaving just the NAS Port Type and User Groups conditions, again nothing gets logged and I'm repeatedly prompted for credentials.

If I remove the Meraki Computer Group condition and re-add the Meraki User Group condition, I get a Reason Code 48 logged, referencing the user account I'm testing with.

So I can't even connect with less security. Ultimately I want the AND condition to work, as I only want to allow company-issued computers that a domain user is logged onto, to connect.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
01-02-2019 08:44 AM
I'm back on this now Christmas is out of the way 🙂

I had some default policies still enabled on my 2016 NPS Server, which I've disabled. They were:

Connection Request Policies > Use Windows authentication for all users.
Network Policies > Connections to other access servers.
Network Policies > Connections to Microsoft Routing and Remote Access server.

With those 3 disabled, I'm no longer getting the following Information level event logged in Event Viewer:
Reason code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

Instead, I am now getting:
Reason code: 48
Reason: The connection request did not match any configured network policy.

I have 3 conditions set for the Staff WiFi Network Policy:
Condition: NAS Port Type, Value: Wireless - IEEE 802.11 OR Wireless - Other
Condition: User Groups, Value: MYDOMAIN\Meraki Staff Group
Condition: Machine Groups, Value: MYDOMAIN\Meraki Computer Group

The laptop I'm testing on is a member of the Meraki Computer Group, and the user account I'm logged on with belongs to the Meraki Staff Group.

I get a 'Reason Code: 48' event logged twice each time I try to connect; first for the user, then 10 seconds later for the machine:

------------------------------------------------------------

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
    Security ID: MYDOMAIN\ElectroDan
    Account Name: MYDOMAIN \ ElectroDan
    Account Domain: MYDOMAIN
    Fully Qualified Account Name: MYDOMAIN \ ElectroDan

Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    Called Station Identifier: 9A-15-54-AB-52-67:Radius_Test
    Calling Station Identifier: 84-3A-4B-56-F4-5C

NAS:
    NAS IPv4 Address: 10.99.108.26
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: -

RADIUS Client:
    Client Friendly Name: Meraki - Purchasing
    Client IP Address: 10.99.108.26

Authentication Details:
    Connection Request Policy Name: WiFi_Staff
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: DC03.mydomain.local
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: 41413346334133424138354636383335
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 48
    Reason: The connection request did not match any configured network policy.

------------------------------------------------------------

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
    Security ID: MYDOMAIN\ITSPARE01$
    Account Name: host/ITSPARE01.mydomain.local
    Account Domain: MYDOMAIN
    Fully Qualified Account Name: MYDOMAIN\ITSPARE01$

Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    Called Station Identifier: 9A-15-54-AB-56-2D:Radius_Test
    Calling Station Identifier: 84-3A-4B-56-F4-5C

NAS:
    NAS IPv4 Address: 10.99.108.25
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: -

RADIUS Client:
    Client Friendly Name: Meraki - Accounts
    Client IP Address: 10.99.108.25

Authentication Details:
    Connection Request Policy Name: WiFi_Staff
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: DC03.mydomain.local
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: 41433342464337434233394535444334
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 48
    Reason: The connection request did not match any configured network policy.

------------------------------------------------------------

A couple of things I've noticed.
1) The machine account (MYDOMAIN\ITSPARE01$) is being listed in the User section, and the Client Machine section is empty.
2) The 2nd entry (for MYDOMAIN\ITSPARE01$) is registering via a different AP (Meraki - Accounts). Both AP's are within range of my test laptop.

Fun.

Not.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
11-22-2018 06:52 AM
I've now found out that if I remove the Machine Group from NPS > Policies > Network Policies > MyPolicy > Conditions, I don't get anything logged in the Security Event Log.

Once I add that back in, I see log entries again.

Still failing though with:
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
11-22-2018 06:29 AM
Have gotten a bit further.

With my user profile in AD set to 'Allow access' under the Dial-in tab, and the computer account having always been set to 'Control access through NPS Network Policy', I now see in Event Viewer on the NPS server:

Network Policy Server denied access to a user.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
11-22-2018 04:23 AM
Okay, so working through the Event Viewer Security log, seems my user account is blocked from dial-in in my AD user properties. I don't recall this being mentioned in ANY of the guides I've read?!

I've opened my AD user properties, navigated to the Dial-in tab, changed Network Access Permission to 'Control access through NPS Network Policy', then rebooted my laptop but no joy. I then changed it to 'Allow access' but still no joy. I made these changes on my local domain controller, but I'll try again in an hour or so in case it's referring to another DC for some reason.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
11-22-2018 03:06 AM
I was really hopeful with your suggestion on 802.11r, however I don't seem to have an 802.11r section in my dashboard! Searching for it just takes me to the Access Control page but the nearest thing to that on the page is 802.11w.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
11-22-2018 03:04 AM
Okay so the Security Event Log shows this on the NPS server. I'm guessing it's trying to authenticate the computer rather than the user?:

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
    Security ID: MYDOMAIN\ITSPARE01$
    Account Name: host/ITSPARE01.mydomain.local
    Account Domain: MYDOMAIN
    Fully Qualified Account Name: mydomain.local/Mydomain/UK/Computers/ITSPARE01

Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    Called Station Identifier: 9A-15-54-AB-52-67:Radius_Test
    Calling Station Identifier: 84-3A-4B-56-F4-5C

NAS:
    NAS IPv4 Address: 10.32.108.26
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: -

RADIUS Client:
    Client Friendly Name: Meraki - Purchasing
    Client IP Address: 10.32.108.26

Authentication Details:
    Connection Request Policy Name: Meraki Staff Secure Wireless Connections
    Network Policy Name: Connections to other access servers
    Authentication Provider: Windows
    Authentication Server: DC03.mydomain.local
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: 33364144324231353946353331303231
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 65
    Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
11-22-2018 02:49 AM
I've had a go at that, however the link for rootsupd.exe is dead. I'll need to find an alternative.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
11-15-2018 09:16 AM
Okay I'll give it a go. Our clients are all Windows 10. At the moment when I try to connect to the Radius SSID it prompts me for credentials, with a tickbox to 'use my Windows user account', which if I tick fills in the boxes with my AD credentials. It checks network requirements after clicking OK, but the credentials prompt just comes back again.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
11-15-2018 09:10 AM
Thanks, I did come across that thread previously (with all the Spanish screenshots!) but I think I need to get the Test button working from the Meraki dashboard > Access Control for SSID first, before I then troubleshoot client PC's, would you agree?

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
11-15-2018 07:24 AM
1 Kudo
Yes, I have a certificate selected in NPS > Network Policies > My Meraki Policy > Constraints > Auth Methods > Microsoft PEAP > (Edit), issued by the server I installed the CA role on. I suspect it could be failing to do with this? I think at some point I created a Group Policy to deploy that certificate to client PC's, perhaps something is amiss with that but I can't seem to get enough info from any logs.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
11-15-2018 07:21 AM
All AP's are set to DHCP but have a reservation set on the DHCP server. NPS server can ping all AP's no problem.

Re: 802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
11-15-2018 06:55 AM
1 Kudo
Yes, all of my Meraki AP's were added with their IP addresses. I created a Shared Secret template first, which I applied to all APs when adding them as RADIUS Clients.

802.1X EAP failure with Windows AD Radius - Help!

by ElectroDan in Wireless LAN
11-15-2018 06:29 AM
1 Kudo
Okay so I've spent several DAYS on this and seem to be getting nowhere 😕 I'm starting to get fairly frustrated having followed numerous guides exactly.

I used this to set up the Meraki side: https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise
This is the latest guide I followed: http://www.cracknells.co.uk/servers-side/configuring-radius-authentication-for-a-wireless-network-802-1x-eap/

No matter what I try though, I can't get my phone or laptop to connect, nor get the Test function to succeed from the SSID > Radius Servers section.

When I click Test, I get:
Total APs: 14
APs failed: 14

I have Accounting enabled on the Windows Server (which is now a DC running Server 2016. I had been running 2012 R2 but decided to wipe it and install 2016 afresh as though maybe RADIUS worked better!). The NPS Account log shows this when I click the Test button:

<Event><Timestamp data_type="4">11/15/2018 14:15:21.607</Timestamp><Computer-Name data_type="1">MY-DC03</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.33.102.23 11/15/2018 13:06:56 231</Class><Client-IP-Address data_type="3">10.32.108.21</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Meraki - AP1</Client-Friendly-Name><Session-Timeout data_type="0">30</Session-Timeout><Proxy-Policy-Name data_type="1">Meraki Staff Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">MYDOMAIN\JohnDoe</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1"> MYDOMAIN \JohnDoe </Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">Meraki Staff Secure Wireless Connections</NP-Policy-Name><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

I get pretty much the same error logged when trying to connect from my laptop. I also see this in the Meraki event log:

Nov 15 14:24:57 Purchasing Radius_Test ITSPARE01 802.11 association channel: 40, rssi: 29
Nov 15 14:24:57 Purchasing Radius_Test ITSPARE01 802.11 disassociation unknown reason
Nov 15 14:24:57 Purchasing Radius_Test ITSPARE01 802.1X deauthentication radio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C
Nov 15 14:24:48 Purchasing Radius_Test ITSPARE01 802.1X deauthentication radio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C
Nov 15 14:24:48 Purchasing Radius_Test ITSPARE01 802.11 association channel: 40, rssi: 28
Nov 15 14:24:47 Purchasing Radius_Test ITSPARE01 802.11 disassociation unspecified reason
Nov 15 14:24:47 Purchasing Radius_Test ITSPARE01 802.1X deauthentication radio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C
Nov 15 14:24:47 Purchasing Radius_Test ITSPARE01 802.1X EAP failure radio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C
Nov 15 14:24:47 Purchasing Radius_Test ITSPARE01 802.1X deauthentication radio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C
Nov 15 14:24:47 Purchasing Radius_Test ITSPARE01 802.11 association channel: 40, rssi: 29

Any ideas?
My Top Kudoed Posts

Subject                                                    Board          Kudos   Views
Re: 802.1X EAP failure with Windows AD Radius - Help!      Wireless LAN   1       166679
Re: 802.1X EAP failure with Windows AD Radius - Help!      Wireless LAN   1       174941
Re: 802.1X EAP failure with Windows AD Radius - Help!      Wireless LAN   1       174952
802.1X EAP failure with Windows AD Radius - Help!          Wireless LAN   1       174962
© 2023 Meraki