Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About JacobD
JacobD
Here to help
Member since Jul 5, 2019
Apr 27 2021
Community Record
17
Posts
1
Kudos
1
Solution
Badges
Oct 12 2020
12:12 AM
1 Kudo
What exactly was wrong with the authentication? I am having the same issue but can't find anything in the documentation about authentication other than setting the API key and bearer, and I am not using bearer.
... View more
This may seem crazy, but is it possible that I have to just let the config sit for a day? We had some weird issues with the ISE when we were replacing old devices with Meraki at each branch location, I had to configure everything a day before, otherwise the radius on the ISE wouldn't work either. But it always worked the next day. I thought that was something weird on the ISE, but maybe it that is related.
... View more
It's windows server 2016 (says version 1607). I'm no sysadmin, but that doesn't sound very new to me, but maybe others are running on an older version. I know our sysadmins have a patch day every month, so it's also possible they added a patch that changed something. However, I cannot say what exactly. I only have the rights to the NPS settings.
... View more
We gave it a RAS and IAS Server certificate and it is from our CA. Under "intended purpose" for that certificate it says for client and server authentication. I believe that's the correct one, but maybe I am wrong. And as far as I understand, if that cert is there (under personal certificates btw) then it trusts our CA. Am I wrong in that assumption? Also under "trust root CA" it has our CA listed there.
... View more
I'm currently moving our authentication off of a Cisco ISE to a windows NPS server. Each machine uses a certificate from our CA to authenticate and has worked on the ISE with no issues. We now are moving most services (maybe all eventually) to Microsoft Azure and so my boss wanted to set up a NPS server there. We also have a vMX100 in Azure so all traffic is sent to Azure through the Meraki VPN. I set up an MX68CW at my desk and configured it with a test SSID that was set to authenticate with the new NPS. It's a pretty simple policy in the NPS, just matches 802.1x and then does a certificate exchange. The NPS has a certificate from our CA as well and is set to use that to authenticate itself to the client. It worked fine on my test MX68CW. I joyfully told my boss and he gave me the go-ahead to set it up on all our branches. The clients at the first branch I set it up on wouldn't authenticate. The NPS gave me this error: Reason code: 22
The client could not be authenticated because the Extensible Authentication Protocol type cannot be processed by the server. But when I use my test MX68CW again, it still works fine there. I tried a few other locations, some with MX68CW, some with MR52/55, but it always generates this error. With the MX68CWs I can't really change that many settings, so the EAP type shouldn't be different. I just have the NPS clients set up in subnets, so not individual devices, and it's matching that fine. I am at a loss. I don't know what to check because it works for exactly one device that I have tried and since it's not working for any actual production devices that I've tried, I'm unsure about trying anymore. I had the thought, that maybe I needed to reboot the wireless devices after I change the setting. So I went in earlier today to try that. Deleted the ISE entry and added the NPS and let it sit for about a minute so the dashboard would push the setting change, then rebooted. After it came back it did attempt to authenticate on the NPS but I still got the same error for the 2 wireless devices at that location. I rebooted it once more, and when it came back up for some reason it authenticated with the Cisco ISE, even though that is not even configured in dashboard now. It was previous configured with the ISE, but I deleted that. Did the new config not get completely committed or something? Maybe this is to much information, but I try to always list everything I've done and everything I've experienced, just in case something clues someone in on something.
... View more
Feb 27 2020
7:29 AM
Awesome, thanks for the help. I had already set up the new wireless only dashboard network just so I could get started, but I would definitely like to combined them, so I will do that then.
... View more
Feb 27 2020
12:15 AM
Okay, and that won't mess up the clients coming in from other L3 devices? The MPLS clients get their internet from our Meraki, so they are essentially clients on the MX250.
... View more
Feb 26 2020
12:52 AM
Hi everyone, I'm working on putting our HQ on Meraki. We have a few things happening in our topology so I will explain it here, so it could be long but I will try to keep it short. We have about 90 remote branches, many of which have an MX and are VPNed into our HQ with our MX250 in our HQ (configured on HQ as Hub, all others as spokes). We also have around 5 MPLS locations (because of still active contracts) and I have the MPLS to our HQ connected to our MX250 (so all the MPLS networks are sent over the provider network and terminates on our MX250 to be routed where ever needed). We also have a NG-Firewall connected to the MX250 and some static routes on the MX250 for our server network, that way all spokes have a route to the HQ MX250 for the servers and the HQ MX250 just sends it on to the firewall. All this being said, we have 2 major points that has non-Meraki L3 devices: one being the MPLS connection, the other being the firewall and the server network. So we have clients appearing in the MX250 network from these other networks and the Meraki Network is configured for client tracking with IP Addresses, because that's what Meraki docs say to do in this situation. Until recently, our HQ Client network was not in Meraki, but also behind the firewall like the server network. We recently moved all the HQ L2 devices onto the MX250 (as the default router), so now our entire end-user client network is on Meraki, and to reach the server network they have to first go through the MX250 then is routed to the firewall, which currently works well. I'm now in the process of changing out our old access points with Meraki as well. When I tried to add an MR to our HQ network, it gave me an error because of clients being tracked with IP addresses. So my question is: what do I need to do in this situation? Should I change the HQ MX250 client tracking to MAC, or will that break our MPLS and server network? Or should I just create a new dashboard network for our access points with client mac tracking? Would that even work with the default router being on another dashboard network?
... View more
Jan 30 2020
7:02 AM
Haha, that's actually pretty cool. You ended up saving money on a smaller MX. I have no idea how you could plan for that without a meraki already there though.
... View more
Jan 30 2020
6:26 AM
Okay cool, thanks for the help. We can rule that out for sure then.
... View more
Jan 30 2020
5:18 AM
Thanks, makes sense, but I wanted to be sure. To answer your questions: Device utilization over the past 30 days is almost never over 25%, there's one time in that history where it got close to 50%, but looks like it was just a short peak. So that means the MX should be fine, if I understand correctly. Here is what it says for Uplinks: Label Loss Rate% Latency (ms) RTT min (ms) RTT max (ms) Jitter (ms) % Time Up Internet 1 0 22.872 11.51 3201.798 1.949 100 Internet 2 0 7.983 7.812 834.297 0.289 99.99 Interent 2 is the primary and active WAN. Internet 1 is just a backup slow internet meant to just keep the location online if the other internet goes down. So the latency there makes sense to me.
... View more
Jan 30 2020
4:34 AM
This may seem like a stupid question, but I can't seem to find the answer. It would make sense to me for to only include currently online clients, but I want to be sure. We have a branch with an MX68, which has a client recommendation of up to 50 clients. At the moment of writing this post, this location has 122 clients devices in the network-wide > clients section. However when I filter to online clients it has only 32. This should be fine right? As long as the online clients never reach more than 50, the MX68 should be able to handle the traffic fine, right? I ask because we are getting complaints that everything is really slow at this location. We are trying to figure out what is causing it. This is our biggest branch, so I had the thought that an MX68 might not be enough for it. With there being 122 including offline, I suppose it's possible that it goes over 50 clients at some point that I'm not monitoring it. But I don't want to buy a MX84 (200 client recommendation) and it not solve anything.
... View more
Oct 4 2019
6:27 AM
Seems it might be a fragmentation/MTU issue. But I think the ISP would still be to blame for that, unless there is something that I can do on my end to reassemble a fragmented packet before it reaches the Radius server.
... View more
Oct 4 2019
1:37 AM
I'm definitely willing to discuss anything that could be the cause. If what you are saying is true then it would be the ISP fragmenting it, right? Because if it works sometimes then it wouldn't be my devices fragmenting it. We will go months without issues and then randomly 3 branches won't be able to authenticate. What could I even do against that?
... View more
Oct 4 2019
12:45 AM
Hi everyone, my company has a bunch of branch locations all over the country. Most of the branches aren't very big, many have just 1 to 3 people. Therefore we have just a Meraki SD-WAN device for them to be VPNed into our internal network at HQ. We have a Cisco ISE at HQ that handles our 802.1x authentication and all these branch locations are also using the ISE. Most of the time it works fine, but sometimes the ISE has error messages that the supplicant stopped responding. I saw this happening with a larger branch that has 2 internet providers so I went into traffic shaping and sent all traffic destined for the ISE to be sent to the other ISP, immediately authenticated without issues. I then moved the traffic to the other ISP, started failing again. It seems when the issues are happening it's because of the ISP being to slow on some days. We don't always have the best speeds for the locations with just a couple of people, and like I said, most of the time it works; but when it doesn't then we get a lot of complaints and of course the employees there can't work. I'm starting to think it might be good to not have the authentication go over the VPN because of this. However we currently authenticate with certificates (no username/password), so I can't just add the users to the network and use Meraki authentication. Have any of you had this issue? Is there any other way that we can make 802.1x authentication work a little better in these scenario? Is it at all possible to make the supplicant of the 802.1x authentication be a device that is inside our internal network? Maybe there is a configuration that I can do that would help but don't know about. Just looking for any suggestions or experience that someone can give. Thanks in advance!
... View more
Thank you for your reply. The problem has been solved, sadly not by my efforts. There are cable modem connections at the locations and there were a few other issues that I wasn't aware of (one being issues with connecting to some our HQ servers from clients at the locations). My boss called the company and requested the modem be set to bridge mode. Everything works after the change. I am not sure if the modem has anything to do with the MTU, I don't think so, but I guess it's possible. It's also possible the modem had a security setting that was blocking our traffic. Again, thanks for your reply!
... View more
Hi, My company has many locations which we have put a Meraki SD-WAN device at to VPN to our HQ. At HQ we have a Cisco ISE which we use to authenticate WLAN with dot1x. It works with most of our Meraki locations with no issues. But there are a couple of locations that have the exact same configuration as everywhere else, but cannot connect to our WLAN. Each computer is setup with a certificate to authenticate with, so no username/password should be needed to authenticate. And like I said, with most locations this works perfectly. But for these couple locations that don't work, the logs in the ISE say "Supplicant stopped responding to ISE". It never gives a deny or anything. My first thought was that the computers weren't configured with a certificate but there are other services that we use those same certificates for, so they wouldn't be able to work from home over VPN without these certificates either. I tried a to test the connection from the dashboard with just test/test, because there are no username/passwords configured nothing i do will succeed, but I just wanted to make sure that it could reach the ISE. Meraki says that it failed but it did reach the server. In the logs of the ISE I see no log for this attempt for at least 3 minutes. usually I see logs appear pretty fast, so I am beginning to think that the clients are taking to long to answer. Is this a possibility or am I just shooting in the dark? If it is possible that it's answering to slow/late, what can I do in Meraki to troubleshoot? I don't see any configuration for radius timeout or anything similar. Thanks in advance!
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 7640 | Jul 9 2019 12:20 AM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 1 | 6582 |
© 2024 Cisco Systems, Inc.
