{"id":8759,"date":"2025-04-14T04:27:13","date_gmt":"2025-04-14T04:27:13","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=8759"},"modified":"2025-04-14T04:27:14","modified_gmt":"2025-04-14T04:27:14","slug":"radius-auth-for-wifi-stops-working-due-to-an-increase-in-latency-between-nps-server-and-ap-meraki","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/radius-auth-for-wifi-stops-working-due-to-an-increase-in-latency-between-nps-server-and-ap-meraki","title":{"rendered":"Radius Auth for Wifi Stops working due to an increase in Latency between NPS server and AP Meraki"},"content":{"rendered":"\n

<\/p>\n\n\n\n

Packet capture attached, our Access-Request and Reject are working<\/p>\n\n\n\n

However we seem to be missing another Access-Request from the Meraki?<\/p>\n\n\n\n

Should go Request -> Challenge -> Request -> Accept \\ Reject <\/p>\n\n\n\n

Seems to be going<\/p>\n\n\n\n

Request -> Challenge <\/p>\n\n\n\n

\"All<\/figure>\n\n\n\n
<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n

We see an NPS Entry<\/p>\n\n\n\n

When a user connects , we don’t see any ( Failure \\ Sucess ) <\/p>\n\n\n\n

<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n

We can confirm there is a connection from the WAPs to the NPS Server ( with the correct passcode ) <\/p>\n\n\n\n

When we press the test radius button a Log Entry Appears on the NPS server per below<\/p>\n\n\n\n

We cannot fully test the auth using username and password as we use Certificate based auth which the test does not support<\/p>\n\n\n\n

We do not get any entry in the NPS server when a user tries to connect <\/p>\n\n\n\n

We have experienced a jump in Latency from the APs to the NPS Server 7ms to 30ms however I would still expect this to work <\/p>\n\n\n\n

We tried to increase the Timeouts per below to see if this would resolve<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Network Policy Server denied access to a user.<\/p>\n\n\n\n

Contact the Network Policy Server administrator for more information.<\/p>\n\n\n\n

User:<\/p>\n\n\n\n

??????Security ID:??????????????????NULL SID<\/p>\n\n\n\n

??????Account Name:?????????????????fasfs<\/p>\n\n\n\n

??????<\/p>\n\n\n\n

Client Machine:<\/p>\n\n\n\n

??????Security ID:??????????????????NULL SID<\/p>\n\n\n\n

??????Account Name:?????????????????-<\/p>\n\n\n\n

??????Fully Qualified Account Name:?-<\/p>\n\n\n\n

??????Called Station Identifier:??????????E4-55-A8-7F-7E-94:PCA Corp WiFi<\/p>\n\n\n\n

??????Calling Station Identifier:?????????02-00-00-00-00-01<\/p>\n\n\n\n

NAS:<\/p>\n\n\n\n

??????NAS IPv4 Address:???????<\/p>\n\n\n\n

??????NAS IPv6 Address:???????-<\/p>\n\n\n\n

??????NAS Identifier:???????????????-<\/p>\n\n\n\n

??????NAS Port-Type:????????????????Wireless – IEEE 802.11<\/p>\n\n\n\n

??????NAS Port:???????????????-<\/p>\n\n\n\n

RADIUS Client:<\/p>\n\n\n\n

??????Client Friendly Name:?????????PER – WAP01<\/p>\n\n\n\n

??????Client IP Address:??????????????????192.168.22.29<\/p>\n\n\n\n

Authentication Details:<\/p>\n\n\n\n

??????Connection Request Policy Name:????<\/p>\n\n\n\n

??????Network Policy Name:??????????-<\/p>\n\n\n\n

??????Authentication Provider:????????????Windows<\/p>\n\n\n\n

??????Authentication Server:????????????Authentication Type:??????????EAP<\/p>\n\n\n\n

??????EAP Type:???????????????-<\/p>\n\n\n\n

??????Account Session Identifier:?????????-<\/p>\n\n\n\n

??????Logging Results:??????????????Accounting information was written to the local log file.<\/p>\n\n\n\n

??????Reason Code:??????????????????8<\/p>\n\n\n\n

??????Reason:???????????????????????The specified user account does not exist.<\/p>\n\n\n\n

\u00a0<\/a>\u00a0<\/a>\u00a0

<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n

<\/p>\n\n\n\n

This is what can be seen<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Client has a Failed connection to SSID on access point during authentication<\/p>\n","protected":false},"excerpt":{"rendered":"

Packet capture attached, our Access-Request and Reject are working However we seem to be missing another Access-Request from the Meraki? Should go Request -> Challenge -> Request -> […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-8759","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/8759","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=8759"}],"version-history":[{"count":1,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/8759\/revisions"}],"predecessor-version":[{"id":8766,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/8759\/revisions\/8766"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=8759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=8759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=8759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}