03-18-2025 11:46 PM
Hello,
We operate a local AD with an NPS for the Meraki APs, which also works so far for all users.
Now we want to split the whole thing into 4 SSIDs, i.e. only certain users are allowed to log on to the corresponding SSID.
For this we want to switch from NPS to FreeRADIUS 3.0 under Ubuntu Server 24.04. The installation itself works without any problems, which I can check with the NTRadPing tool.
However, as soon as I integrate the RADIUS server in the dashboard, I get the message that the RADIUS server is accessible, but the login data is not correct. Message text:
"Authentication failed while testing on one of your access points. This means the RADIUS server was reached but your credentials were incorrect. The test was stopped to prevent this account from being locked out due to multiple failed attempts. Please try again with different username and/or password."
But the User and the Password are correct.
I have already copied the corresponding configuration from https://documentation.meraki.com/MR/Encryption_and_Authentication/Freeradius%3A_Configure_freeradius_to_work_with_EAP-TLS_authentication , but unfortunately without success.
Is anyone familiar with this issue and knows where I can start?
Translated with DeepL.com (free version)
03-19-2025 01:38 AM
Welcome to Meraki Community 🙂
Have you taken packet captures while performing the RADIUS Test Tool button?
Wireshark filter - ip.addr==192.168.128.254 && radius (replace 192.168.128.254 with your RADIUS server IP)
Error message "the radius is accessible, but the login data is not correct" :
(1) Can you successfully ping the RADIUS server? - https://documentation.meraki.com/MR/Wireless_Troubleshooting/MR_RADIUS_Troubleshooting
(2) Make sure the routing and firewalls are allowing communication to and from port 1812 - https://community.meraki.com/t5/Wireless/RADIUS-servers-testing/td-p/43865
(3) Check the RADIUS logs to see why it's failing.
(4) The Authentication method in use seems to be EAP-TLS: Certificate-based authentication - https://www.freeradius.org/documentation/freeradius-server/4.0.0/tutorials/eap-tls.html
(5) Make sure this AP is added to the RADIUS server as a client - Freeradius: Adding a gateway AP as a RADIUS client
(6) Are the credentials only failing while using the RADIUS Test button or when connecting with a client device?
(7) Additional troubleshooting guides - https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS_Issue_Resolution_Guide/TS-flow-radius
Troubleshooting RADIUS server with the MX, Switch and MR using the Cisco Meraki Dashboard
(8) Using FreeRADIUS with Cisco Meraki
If you have additional questions, please don't hesitate to contact us.
03-20-2025 12:51 AM
Good morning,
First of all, thanks for the relevant information and sorry that I'm only getting back to you now as I have too many things to do at the moment.
Unfortunately, Wireshark does not currently work via the dashboard.
To 1
The Freeradius is in the same network as the access point and the port is also enabled.
To 2
Not applicable as the radius and AP are in the same network
To 3 and 4
I'll have another look today as I didn't know the link until now.
To 5
All clients are entered accordingly
Re 6
When testing via the dashboard, there is just this error message.
The user name and password are also requested on the client. Then I have to enter a password again, which makes me a bit nervous.
Regarding the other points
I will also work through them again today.
Translated with DeepL.com (free version)
03-24-2025 01:36 AM
Hi School_admin ,
Additional info from one of the documentation pages - MR RADIUS Troubleshooting:
"If using an EAP type that requires a client-side certificate such as EAP-TLS, the test will fail because the AP does not have the certificate installed. It is recommended to test with a real client device. MR access points support the EAP types listed here."
Have you tested with a real client device?
Thank you in advance 🙂
03-24-2025 07:26 AM
Hello,
When I use a Windows client I get the same error messages as in the dashboard.
But now I was able to capture the corresponding logs via the dashboard and see that the RADIUS request is made with the error: Duplicate Request from Client to Server. I then get the same message from the server to the client (MR57).
This is probably a timing problem, but I don't know where I can set this on the FreeRADIUS server.
I use EAP-TLS.
Translated with DeepL.com (free version)
03-24-2025 07:24 AM
Hello,
Sorry for the late reply, but now I was able to capture the corresponding logs via the dashboard and see that the RADIUS request is made with the error: Duplicate Request from Client to Server. I then get the same message from the server to the client (MR57).
This is probably a timing problem, but I don't know where I can set this on the FreeRADIUS server.
Does anyone have such problems and how could they be solved?
Translated with DeepL.com (free version)
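Added example, not part of the thread and not Meraki or FreeRADIUS code: a RADIUS server treats an Access-Request as a duplicate when it arrives from the same source IP and UDP port with the same Identifier and Request Authenticator as a recent one, which means the AP resent a request it had not yet seen a reply to. The sketch below applies that rule to packets taken from a capture so the retransmissions and their spacing can be listed. The input tuple layout, the 30-second window and all sample values are assumptions constructed for illustration.

```python
import struct

ACCESS_REQUEST = 1  # RADIUS code for Access-Request (RFC 2865)


def parse_header(payload: bytes):
    """Return (code, identifier, length, authenticator) of a RADIUS packet."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("length field does not match the datagram")
    return code, ident, length, payload[4:20]


def find_retransmissions(packets, window=30.0):
    """packets: (timestamp, src_ip, src_port, udp_payload) tuples in capture order.

    Returns (first_seen, repeat_seen, src_ip, identifier) for every
    Access-Request that repeats an earlier one within `window` seconds.
    """
    first_seen = {}
    repeats = []
    for ts, ip, port, payload in packets:
        code, ident, _, authenticator = parse_header(payload)
        if code != ACCESS_REQUEST:
            continue
        key = (ip, port, ident, authenticator)
        first = first_seen.get(key)
        if first is not None and ts - first <= window:
            repeats.append((first, ts, ip, ident))
        else:
            first_seen[key] = ts  # new request, or the old entry has expired
    return repeats


def _request(ident: int, authenticator: bytes) -> bytes:
    """Constructed, attribute-less Access-Request used only as sample input."""
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20) + authenticator


AUTH_A = bytes(range(16))      # constructed Request Authenticator
AUTH_B = bytes(range(16, 32))  # constructed Request Authenticator
SAMPLE = [                     # constructed capture: one AP, no replies seen
    (0.0, "192.0.2.10", 51000, _request(7, AUTH_A)),
    (1.0, "192.0.2.10", 51000, _request(7, AUTH_A)),  # resend of id 7
    (2.0, "192.0.2.10", 51000, _request(7, AUTH_A)),  # second resend
    (2.5, "192.0.2.10", 51000, _request(8, AUTH_B)),  # new request
]

if __name__ == "__main__":
    for first, again, ip, ident in find_retransmissions(SAMPLE):
        print(f"{ip} id={ident} resent {again - first:.1f}s after first copy")
```

The gap between the first copy and each resend shows how long the AP waited without a reply, which is the figure to compare against the time the server takes to answer in its own log.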