Meraki AP to FreeRADIUS stuck on Access-Request

motorbass
Level 1

Hi,

I'm currently facing some trouble while trying to set up a lab between a Windows 11 PC (with Credential Guard & TLS 1.3 enabled by default) and a FreeRADIUS server using EAP-TLS.

 

1) The Win 11 PC is configured to use EAP-TLS with its machine certificate to authenticate to my lab SSID. The machine certificate is delivered by GPO (machine cert auto-enroll) from an on-prem Windows 3-tier PKI.

2) The FreeRADIUS server (v3.2.7-1), based on Debian 12, is configured to allow 10.0.0.0/8 NACs with a passphrase.
```
client test {
ipaddr = 10.0.0.0/8
secret = testing123
}
```

Also, I enabled the following configuration for EAP within mods-available/eap
```
eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
}
tls-config tls-common {
#private_key_password = whatever
# Server certificate and key presented to the supplicant
private_key_file = ${certdir}/myfreeradius_server.key
certificate_file = ${certdir}/myfreeradius_server.pem
# CA used to verify the client (machine/user) certificate chain
ca_file = ${cadir}/my_corp_root_ca.pem
ca_path = ${cadir}
tls_min_version = "1.2"
tls_max_version = "1.3"
}
```

3) At the moment, if I try this configuration from another Debian server with the eapol_test CLI:
```
eapol_test -c wpa_supplicant-tls.conf -a 10.230.102.108 -s testing123
```
where wpa_supplicant-tls.conf contains:
```
ap_scan=0

network={
eap=TLS
eapol_flags=0
key_mgmt=IEEE8021X
identity="my_ad_account@domain.net"
client_cert="my_user_cert.pem"
private_key="my_user_privkey.key"
# CA certificate to validate the RADIUS server's identity
ca_cert="my_corp_root_ca.pem"
phase1="tls_disable_tlsv1_3=0"
}
```
**=> It works well**: the client shows SUCCESS status and the RADIUS server processes the request.

**The pain is:**
When I try to access the test SSID, the Wi-Fi connection from the Win 11 PC loads, loads, and never ends.
The Meraki AP says:
`Client made an 802.1X authentication request to the RADIUS server, but it did not respond. auth_mode='wpa2-802.1x' vlan_id='32' radius_proto='ipv4' radius_ip='10.230.102.108' reason='radius_timeout' reassoc='1' radio='0' vap='10' channel='1' rssi='40'`


FreeRADIUS receives this kind of log:
```
Waking up in 4.7 seconds.
(5) Received Access-Request Id 5 from 10.6.4.165:50147 to 10.230.102.108:1812 length 413
(5) User-Name = "host/my_PC.my-domain.net"
(5) NAS-IP-Address = 10.6.4.165
(5) NAS-Identifier = "E0-CB-BC-8B-65-ED:vap10"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) NAS-Port = 1
(5) Calling-Station-Id = "F4-D1-08-87-72-56"
(5) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 38 / Channel: 1"
(5) Acct-Session-Id = "479273B6606E05AE"
(5) Acct-Multi-Session-Id = "BA3341F3610DFCF9"
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027076
(5) WLAN-AKM-Suite = 1027073
(5) Meraki-Network-Name = "APW-Wifi- - wireless"
(5) Meraki-Ap-Name = "MyWifiAP"
(5) Meraki-Ap-Tags = " recently-added "
(5) Called-Station-Id = "E0-CB-BC-8B-65-ED:00-Test-W11"
(5) Meraki-Device-Name = "MyWifiAP"
(5) Framed-MTU = 1400
(5) EAP-Message = 0x021b00060d00
(5) State = 0x943a85b2902188fe8217870d8617c1ba
(5) Message-Authenticator = 0x63c15f58f21aa1566869606e3b3b7609
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 994
(5) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished"
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "host/my_PC.my-domain.net", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 27 length 6
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) [files] = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap: Removing EAP session with state 0x943a85b2902188fe
(5) eap: Previous EAP request found for state 0x943a85b2902188fe, released from the list
(5) eap: Peer sent packet with method EAP TLS (13)
(5) eap: Calling submodule eap_tls to process data
(5) eap_tls: (TLS) Peer ACKed our handshake fragment
(5) eap: Sending EAP Request (code 1) ID 28 length 857
(5) eap: EAP session adding &reply:State = 0x943a85b2912688fe
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) Framed-MTU = 994
(5) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished"
(5) Sent Access-Challenge Id 5 from 10.230.102.108:1812 to 10.6.4.165:50147 length 921
(5) EAP-Message = <long hex value elided>
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x943a85b2912688fe8217870d8617c1ba
(5) Finished request
Waking up in 4.7 seconds.
(0) Cleaning up request packet ID 0 with timestamp +69 due to cleanup_delay was reached
(1) Cleaning up request packet ID 1 with timestamp +69 due to cleanup_delay was reached
(2) Cleaning up request packet ID 2 with timestamp +69 due to cleanup_delay was reached
(3) Cleaning up request packet ID 3 with timestamp +69 due to cleanup_delay was reached
(4) Cleaning up request packet ID 4 with timestamp +69 due to cleanup_delay was reached
(5) Cleaning up request packet ID 5 with timestamp +69 due to cleanup_delay was reached
Ready to process requests
```

From a Wireshark perspective, it seems the Meraki AP sends the Access-Request to FreeRADIUS, which never answers.

My questions are:
1) Do we agree that such a configuration on FreeRADIUS should verify the machine (or eventually user) certificate against the configured root CA? And so, every machine or user that has a certificate issued by the PKI should be authorized to access the network?

2) How can I investigate further to find out whether it's a FreeRADIUS misconfiguration?

I'm kind of stuck at the moment.

(Here's my original post with pictures and a better log format => https://serverfault.com/questions/1174336/meraki-ap-to-freeradius-stuck-on-access-request )
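As an added example (not part of the original post), a small Python checker that correlates the `Received Access-Request` / `Sent Access-*` lines of FreeRADIUS debug output; it addresses question 2 from the log side, distinguishing "the server really stayed silent" from "the server replied but the NAS came back with a State it had already sent, so the Access-Challenge never reached the AP". The sample log is constructed from the lines quoted above; the regexes assume the standard `radiusd -X` line format.

```python
import re
from collections import OrderedDict

RECV = re.compile(r"^\((\d+)\) Received Access-Request Id (\d+) from (\S+) to \S+")
SENT = re.compile(r"^\((\d+)\) Sent (Access-\w+) Id \d+ from \S+ to \S+")
STATE = re.compile(r"^\((\d+)\)\s+State = (0x[0-9a-f]+)")

# Constructed sample modelled on the debug lines quoted in the thread:
# request 6 repeats request 5's State, request 7 never gets a reply.
SAMPLE_LOG = """\
(5) Received Access-Request Id 5 from 10.6.4.165:50147 to 10.230.102.108:1812 length 413
(5)   State = 0x943a85b2902188fe8217870d8617c1ba
(5) Sent Access-Challenge Id 5 from 10.230.102.108:1812 to 10.6.4.165:50147 length 921
(5)   State = 0x943a85b2912688fe8217870d8617c1ba
(6) Received Access-Request Id 6 from 10.6.4.165:50147 to 10.230.102.108:1812 length 413
(6)   State = 0x943a85b2902188fe8217870d8617c1ba
(6) Sent Access-Challenge Id 6 from 10.230.102.108:1812 to 10.6.4.165:50147 length 921
(6)   State = 0x943a85b2912688fe8217870d8617c1ba
(7) Received Access-Request Id 7 from 10.6.4.165:50147 to 10.230.102.108:1812 length 413
(7)   State = 0x943a85b2902188fe8217870d8617c1ba
"""

def analyze(log_text):
    """Correlate each Access-Request with the reply FreeRADIUS logged for it.
    'unanswered': requests with no 'Sent Access-*' line (the server really stayed silent).
    'stale': requests whose State was already received in an earlier request, i.e.
    the NAS re-sent the same EAP round instead of the State we last issued,
    so our reply never reached it (lost, filtered, or sent to the wrong address)."""
    requests, seen, stale = OrderedDict(), set(), []
    for line in log_text.splitlines():
        if m := RECV.match(line):
            requests[int(m.group(1))] = {"id": int(m.group(2)), "nas": m.group(3),
                                         "req_state": None, "reply": None, "reply_state": None}
        elif (m := SENT.match(line)) and int(m.group(1)) in requests:
            requests[int(m.group(1))]["reply"] = m.group(2)
        elif (m := STATE.match(line)) and int(m.group(1)) in requests:
            r, state = requests[int(m.group(1))], m.group(2)
            if r["reply"] is None and r["req_state"] is None:   # State carried by the request
                r["req_state"] = state
                if state in seen:
                    stale.append(int(m.group(1)))
                seen.add(state)
            elif r["reply"] is not None and r["reply_state"] is None:  # State we sent back
                r["reply_state"] = state
    unanswered = [n for n, r in requests.items() if r["reply"] is None]
    return {"requests": requests, "unanswered": unanswered, "stale": stale}
```

Run it over a real `radiusd -X` capture with `analyze(open("debug.log").read())`; an empty `unanswered` list together with a non-empty `stale` list points at the path between FreeRADIUS and the AP rather than at the EAP configuration.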

 

12 Replies

marce1000
Hall of Fame

@motorbass : > ...`Client made an 802.1X authentication request to the RADIUS server, but it did not respond. auth_mode='wpa2-802.1x' vlan_id='32' radius_proto='ipv4' radius_ip='10.230.102.108' reason='radius_timeout' reassoc='1' radio='0' vap='10' channel='1' rssi='40'`...

For starters, have a look at https://documentation.meraki.com/MR/Access_Control/MR_Meraki_RADIUS_2.0#Server_Timeout_and_Retry_Count
and check if increasing the RADIUS Server Timeout can help,

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hi @marce1000, interesting doc, thanks!

I tried to set the max (10s) according to the relevant documentation, but I face the same behaviour.


@motorbass : You may also post this in https://community.meraki.com/t5/Wireless/bd-p/wireless-lan

M.

Scott Fella
Hall of Fame

If you are using EAP-TLS, then the client/endpoint should only be configured for EAP-TLS. Now, depending on whether your RADIUS server is joined to your domain, how does the RADIUS server validate the certificate? What rules are you configuring to look at that certificate? It seems like the Windows machine is configured for "User and Computer" not "Certificate", which means PEAP vs EAP-TLS.

I would probably start easy... try to just get username/password working with a lookup to AD, then try machine authentication before you try EAP-TLS. EAP-TLS also means you have to trust the root and intermediate CAs that the client device is sending for auth, and the client needs to trust the root and intermediate CAs that your RADIUS server is using. That would be the basics of what you need to do.

-Scott
*** Please rate helpful posts ***

Hi @Scott Fella

I confirm my endpoint is configured to use only EAP-TLS by providing its machine certificate (the configuration is quite standard and is made from GPO). The machine certificate is delivered by our on-prem PKI with auto-enroll. (The RADIUS server certificate also comes from this PKI.)

At the moment my RADIUS server isn't joined to the domain. As I understand it, as my RADIUS is also configured to use EAP-TLS only, it should use the CA cert to validate (or not) the endpoint certificate. I'm starting to have doubts; can you confirm this?

For example, if I run eapol_test using a Windows machine cert + its private key, it succeeds even though my RADIUS server isn't domain joined.


I'm not familiar with FreeRADIUS but have experience with ISE and Microsoft Windows NPS, which of course is joined to the domain. Like I said, try to just get username and password working; if you can get that working then it shouldn't be too difficult to get EAP-TLS working. I don't know FreeRADIUS and how you would auth the device cert, like looking at the CN or SAN and just allowing any.

-Scott

FreeRADIUS is being tested, due to some restrictions with Windows 11 (Credential Guard, TLS 1.3, etc.), to replace our old NPS.

On NPS we used to have credential login/password (PEAP-MSCHAPv2), but to be compliant with Windows 11 we'd like to go through certificate authentication rather than credentials.

(From your perspective, if you have to configure EAP-TLS on NPS, do we agree that you'd select only Microsoft Smart card or certificate as the EAP type for the auth method, EAP as auth type in the conditions, and that's it?)


Yup... but you also have to look at how you set up the NAD and also the rules you have defined.

-Scott

Sure, I'll have to try that.

Meanwhile, I'm having a doubt about how the Meraki AP forwards frames. I mean, it adds some RADIUS attributes for Called-Station-Id & NAS-ID, and communication between Win 11 => AP is OK, but the challenge is looping between AP <=> RADIUS...

I'll see what I can find there.

That is one thing you need to find out. Reach out to the FreeRADIUS community, as someone must have done that before. What you can try is a very simple allow rule, if that is possible, and just capture what attributes are being sent back.

-Scott

Rich R
VIP

Did you look at https://documentation.meraki.com/MR/Encryption_and_Authentication/Freeradius%3A_Configure_freeradius_to_work_with_EAP-TLS_authentication ?

Yes, my configuration is based on this article and I also tested it as-is to be sure, but unfortunately the behaviour is the same.