Client VPN - AD Authentication

Solved
Patrik73
Getting noticed

Client VPN - AD Authentication

I am struggling with my Meraki and am trying to set up Client VPN AD authentication.
I have added
Client VPN: Enabled
Subnet: 10.10.2.0/24
A Shared secret.
Chosen Active Directory
Short domain: my local domainname (name.local)
Server IP: The IP address of my DC
Username: Admin
Password: *******
settings.png
 
The MX can ping The IP address of my DC
ping.png
 
I have, for test purposes, created a firewall rule on my DC that allows all traffic inbound and outbound.
 
Worth mentioning is that my DC is on another site that is connected to the MX with a non-Meraki VPN.
But the traffic flows fine.
 
The Client VPN is allowed over VPN
vpn.PNG
 
The error I get from the client is Error 691.
691.PNG 
 
I have double and triple checked my username and password and my shared key on the client.
 
I am not sure what to do now.

alemabrahao
Kind of a big deal

@Patrik73, there are some steps that you have to configure first. Take a look at the documentation:

 

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Patrik73
Getting noticed

Thanks!
I guess I need that certificate, but the guide is a little too shallow. At least for me.

Not sure how to create that self-signed certificate on my server. Server 2019.

 

Would really appreciate a guide. 🙂

alemabrahao
Kind of a big deal

Maybe it will help you: https://windowstechpro.com/how-to-install-certificate-services-ad-cs-in-server-2019/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Patrik73
Getting noticed

Or is it enough to install the IIS role and create the certificate that way?

alemabrahao
Kind of a big deal

You need a certificate, either self-signed or a valid certificate.

 

I always use a self-signed certificate so I prefer to install AD CS, but each case is different.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Patrik73
Getting noticed

Thank you!
I really appreciate your help.

Guess I will install the AD CS.

 

I do have a wildcard cert, but that is for my public domain name.

*.name.com

and not my internal domain name

*.name.local

Patrik73
Getting noticed

I have now set up a CA server and created a certificate.

Configured Active Directory authentication.

It looks like it can communicate.

settings.png

 

I have also added the net in Subnet

subnet.PNG

And the Audit Policy.

audit.PNG

And my certificate seems ok.

 

But I still get error 691 😞

 

Getting a little bit frustrated. 

 

alemabrahao
Kind of a big deal

Your L2TP connection is probably misconfigured. Can you share the configuration on your machine?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Patrik73
Getting noticed

It seems to work now.

I tried to log in with my full login name, but then I get Error 691.

login-01.png

When I change to just my username it worked.

login-02.png

 

But I'm not sure what the groups actually do.

I tried to set some restriction on the group that my testuser is member of, but that doesn't change anything.

settings-01.PNG
settings-02.PNG
settings-03.PNG

 

Maybe I should go for RADIUS login instead, to be able to restrict access to the VPN through AD group membership.

And then I can activate Azure MFA.

 

And I'm not sure why I need the certificate, I removed it and the VPN still works.

 

Guess all I needed to do was to add the following to the Client VPN settings:

Domain short name

IP to DC

Username

Password

 

I also removed the subnets from Sites and Services and it still works.

subnet.PNG

alemabrahao
Kind of a big deal

Group policies don't work for L2TP VPN, only for AnyConnect.

The certificate is a requirement if you want to authenticate the users from LAN. Check it out:

 

The MX will run through the following steps to identify AD group members and apply associated group policies:

  1. MX securely contacts the specified Domain Controllers for the AD domain, using TLS.
  2. MX reads WMI logon events from the DC's security events, to determine which users are logged into which devices.
  3. MX binds to DCs using LDAP/TLS to gather each user's AD group membership.
  4. Group membership is added to a database on the MX.
  5. If a domain user's group membership matches an AD group policy mapping in Dashboard, the MX can apply the associated group policy to the user's computer.

Because the MX is continuously gathering this information from the domain controllers, it is able to accurately apply the policy in real-time whenever a new user logs in.

 

Note: At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
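The steps above depend on three things being in place on the domain controller: LDAP over TLS (port 636) with a server certificate, and logon auditing writing 4624 events to the Security log. The following PowerShell check is an added example, not code from the thread or from Meraki; `$DcFqdn` is a placeholder for the DC's own FQDN, and it is meant to be run in an elevated session on the DC itself.

```powershell
# Added example (not from the thread): verify on the DC the prerequisites the
# MX relies on for AD authentication and group-policy mapping.
# $DcFqdn is an assumed placeholder; replace it with the DC's real FQDN.
$DcFqdn = 'dc01.name.local'

# 1. LDAP over TLS must be reachable, since the MX binds to the DC via LDAP/TLS.
$ldaps = Test-NetConnection -ComputerName $DcFqdn -Port 636 -WarningAction SilentlyContinue
"LDAPS (636) reachable: $($ldaps.TcpTestSucceeded)"

# 2. The DC needs a Server Authentication certificate with a private key in the
#    machine store whose subject or SAN matches its FQDN (what AD CS issues it).
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication') -and
    ($_.Subject -like "*CN=$DcFqdn*" -or $_.DnsNameList.Unicode -contains $DcFqdn)
}
if ($certs) {
    $certs | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
} else {
    "No Server Authentication certificate for $DcFqdn found in LocalMachine\My."
}

# 3. The MX reads logon events from the Security log, so the 'Logon' audit
#    subcategory must be enabled and recent 4624 (successful logon) events exist.
auditpol /get /subcategory:"Logon"
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
"Recent 4624 logon events found: $(@($recent).Count)"
```

If the certificate check returns nothing while the VPN still authenticates, that matches the note above: the certificate is needed for the LAN group-policy mapping, not for plain Client VPN credential checks.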
Patrik73
Getting noticed

Thank you very much for the help.
