We are trying to authenticate a wireless client using EAP-TLS on a
Meraki AP against a FortiAuthenticator (with RADIUS). The EAP-TLS is
successful but the wireless client doesn't receive a DHCP IP address,
nor does it have network access. However, a w...
After multiple support calls with Fortinet and Meraki in the same call,
the Meraki engineer concluded that this wasn't an authentication
issue... she asked us to disable 802.11r on the SSID and after that,
RADIUS authentication worked instantly! Also...
We made some progress after switching the RADIUS ports to 1812/1813 instead
of 1645/1646. Also we've changed the Framed-MTU to 1200 in the
Access-Accept resulting in Accounting-Request packets shown in the
Packet Capture... however, no Accounting-Respon...
The packet captures show that the Cisco ISE sets the following RADIUS
attributes in the Access-Accept packet:
- User-Name = W10CLIENT$@domain (weird?)
- Class (25)

FAC does the following:
- Framed-MTU = set to 994
- User-Name = same as in Access-Request...
Looking at the Cisco ISE configuration: the only difference seems to be
a Set ACL setting under Network Device Profile that sets Filter-ID as a
RADIUS attribute. Although I can't find in ISE what it is that is being
set. But to be sure, we'll be doin...
This is the correct VLAN indeed and static IP doesn't make a difference.
The thing is, if we redirect the RADIUS request to the (to be phased
out) Cisco ISE, the wireless client gets an IP and is allowed on the
network instantly. So it looks like I'm...