Hi MRCUR,   I don't want to achive anything here, as I said at the beginning of the post I only wanted to know if Meraki has the EAP offload feature.   Regards, Julián ... View more

Hi,   Honestly I haven't used this feature with Aruba controllers, but I do have with Aruba Instant APs, where there is no physical controller. And I have used this feature without importing any certificate into the AP, and the APs have terminated the EAPOL process very fine. Obviosly the client gets a warning and must accept since doesn't have the certificate, but the client also gets a warning in case EAP offload is not used and it doesn't have the RADIUS certificate.   Regards, Julián ... View more

Hi,   EAP offloading terminates the EAPOL process onto the Aruba controller. If we supported EAP offloading you would have to upload a certificate to every AP, which isn't scaleable.   Maybe in Meraki, but that's not needed in Aruba since each AP uses its built-in certificate.   Regards, Julián ... View more

Hi Adam,   Can the person(s) that manages the RADIUS make changes needed for you?   But I don't need any change, as I said, the RADIUS server has a certificate, so can I assume the clients are receiving that certificate?   I believe the function you are using is when clients have and use a certificate to authenticate?   No, in that network I don't need the users authenticate with certificate, just with username and password (PEAP).   I think the best way to prove that is setting up a lab with a RADIUS server without certificate and try if the users can authenticate or not. If they can't, it means the APs can't act as the authentication server and the RADIUS server MUST have a certificate. But right now I remember when I implemented that network the users could authenticate with the primary RADIUS server but not with the secondary one (there are two servers for redundancy purposes), and the problem was the secondary server didn't have a certificate. The problem was solved once I installed the certificate in the server. I open a thread in this community, look at this:   https://community.meraki.com/t5/Wireless-LAN/Wi-Fi-RADIUS-Authentication-failed/td-p/11676   So I guess the Meraki APs don't have that EAP offload feature.   Regards, Julián ... View more

Hi Adam,   Sorry, before I meant EAP-PEAP and not EAP-TLS (edited), but basically is the same since in both cases the server must authenticate againts the user.   Don't get me wrong, some time ago I have implemented a network using Meraki APs and the users are using their credentials to connect to the Wi-Fi network, they use EAP-PEAP, and it works fine. The RADIUS server has a certificate, but because I don't have access to that network, I don't know when the users connect to the Wi-Fi network, they receive the RADIUS certificate or the Meraki APs certificate (I don't know if this is possible). Or in other words, if the RADIUS server doesn't have a certificate, can the Meraki APs act as the authentication server and provide the certificate? Or just that scenario won't work? This is possible with the EAP offload feature in Aruba, I don't know in Meraki...   Regards, Julián ... View more

Hi Adam,   I assume your ultimate goal is to have the users/computers authenticate against your RADIUS server correct?   Yes, you are correct.   Some documentation on your wifi offload stuff here https://documentation.meraki.com/MR/Encryption_and_Authentication/EAP-SIM_with_MR_Access_Points   But it talks about EAP-SIM, I use EAP-PEAP.   Regards, Julián ... View more

Hi guys,   Today is fine, if I make a config change it takes around 1-2 minutes to update. Maybe the yesterday's cause was a Dashboard temporary outage.   Regards, Julián ... View more

Hi,   Right now the config changed to "up to date". Is there any place when I can see logs or something to try to see what is happening?   Regards, Julián ... View more

Hi Adam,   So it is weird. I also have changed only one port from VLAN 1 to VLAN 20. Right now is "out of date" for 44 minutes :S   Regards, Julián ... View more

Hi Adam,   Changes are on my switches, I am changing the untagged VLAN of access ports from 1 to 20.   Regards, Julián ... View more

Hi MRCUR and Philip,   I only read the L3 roaming description which appears at the Meraki dashboard, which only explains it is used to roam between APs, but it doesn't indicates "APs in differents VLANs". I have checked the Meraki documentation and there does explain L3 Roaming is used to roam between APs in different VLANs     Since I can make the wireless VLAN available at all the APs as you said, then I will choose Bridge mode and tagging with the appropiate VLAN. Thanks very much for your help.   Regards, Julián ... View more

Hi MRCUR,   Yeah, that's right and thanks for your help.   Regards, Julián ... View more

Hi Markus,   I have just exported the NPS configuration of the primary RADIUS server and imported to the secondary RADIUS server. I have deleted the primary RADIUS server in the dashboard and the authentication is still unsuccessful. The NPS log is the same I sent you. Do you guess something?   Regards, Julián ... View more

Hi Philip,   You are right, but that the client can attach to an AP which receives weaker signal from is also true. This is my case right now and therefore my laptop browsing speed is lower. In my case it makes no sense since in my office we have 4 APs and we are around 35 people. What was stated by MRCUR is also true.   Regards, Julián ... View more

Hi MRCUR,   Good information! Thanks!   Regards, Julián ... View more

Hi,   I find an option in Meraki which I think it has to do with roaming directly, which is the "Client balancing" feature. When I enable this feature I can see some logs like this:     The AP rejects the association according to load balance, even if the client is receiving stronger signal from this AP. So I don't know how good is to enable this feature, especially for environments with few clients.   Regards, Julián     ... View more

Hi Markus and Adam,   One more question about that. I have delete the primary RADIUS server under Wireless > Access control > RADIUS servers and left the secondary server and try to authenticate, it was unsuccessful. Is this correct? If I authenticate with only one RADIUS server (the secondary) and get EAP failure is it due to previous RADIUS synchronization problem?   Regards, Julián ... View more

Hi Markus,   OK, I understand, I will try it. Thank you very much!   Regards, Julián ... View more

Hi Markus,   I don't understand, what do you mean?   Regards, Julián ... View more

Hi guys,   Just in case, do you know how difficult is the synchronization of RADIUS servers? Because I have googled out and seen that a PowerShell script is needed. If it is very difficult I will tell customer to implement it.   Regards, Julián ... View more

Hi Adam,   Thanks for that recommendation, I will test it.   Regards, Julián ... View more

Hi Markus,   I don't know very much about servers, I have to check the detail configuration with customer. So far I know there are two Windows Servers with AD, in each Windows Server I have aggregated the RADIUS role, Microsoft NPS. I know each Windows Server has its own AD, but I don't know if they are in the same cluster or not (I guess so because customer told me the configurations in both ADs are replicated automatically, but I don't know if that has to do with AD clusters or not).   Regards, Julián ... View more