Thank you so much Berlin_IT_Guy. That fixed our problem. I did not call Meraki to change the MTU. I added the Frame-MTU attribute on the NPS server under the settings tab of our network policy and set it to 1344. I'll adjust that later but our wireless network is finally up. Thank you!

Team,

We are experiencing a recurring problem with our NPS and Cisco Meraki MR Access Point. This issue has surfaced recently, where the AP authentication initially functions properly upon installation but stops working after 3 hours, despite no alterations to the network configuration.

The notable difference in the logs is the appearance of the user as Security ID: NULL SID (previously displayed as the username). The reason for this anomaly is identified as a malformed RADIUS Request message received by the Network Policy Server from the network access server.

Reason : The RADIUS Request message that Network Policy Server received from the network access server was malformed.

Our network setup consists solely of Meraki APs, connected in the following sequence: MR ----> Aruba Switch ----> Palo Alto Firewall ----> RADIUS via IPsec tunnel.

Looking forward to hearing from you guys soon...

We had a sumular issue and it turned out to be due to MTU size. The packets would be broken up into smaller chunks that are not big enough to contain the header information in the packet required for raduis auth. The packets then arrive with only partial incomplete header information. Changing to the correct MTU fixed the issue for us.

Thank you for posting this! I've been fighting with this for over a week and your suggestion worked!

This thread is 6 years old. It would be better if you started a new thread.

I better way to handle this @AZR-DDespard is in the NPS policy tick the option to ignore the dial-in properties. They are a relic from the past.

I have an update on this thread.

1. The Test button does not work with NPS. It appears not to use PEAP and MS-CHAPv2, or maybe it is a TLS issue as described earlier. I don't want to modify the registry and enable TLS 1.0 or 1.1.
2. The WiFi client DOES work. So, keep that in mind when using the Test button.

No, it works just fine, been using it for several years across multiple deployments.

Make sure you set your certificate in nps policy to allow it to communicate with meraki securely, even unsigned will do.

Thank you for the post Mizerka. I'm new to certs, our test button does not work. How do you make the cert allow communication with Meraki securely?

you have to give it some cert, doesn't matter which one even, I still use just my nps server's self signed cert, but it NEEDS one to be able to use mschap and to authenticate correctly, recently I've installed ad ca role on my nps server which broke this and I had to recreate self signed in nps policy to get it going again.

Thank you for the reply back Mizerka. Actually after I reduced the MTU size as indicated by Berlin_IT_Guy it not only resolved the connection problem but also fixed the Test button failing. By the way, we did not call Meraki to change the MTU size. Instead I changed the network policy on our NPS server on the Settings tab under Standard. I added the Frame-MTU attribute and set it to 1344. That got everything working again. I'll gradually increase it to see how high I can set it but so glad the wireless is working again after trying many things for several days. Thank you all!

Ye sorry just chipping in to say we run PEAP w/ MS-CHAPv2 and it works well for us!