Client VPN Active Directory authentication doesn't need a Domain Admin account

DarthKevin
Here to help

Client VPN Active Directory authentication doesn't need a Domain Admin account

All,

 

After some testing on an MX84, even though the Client VPN page indicates that a Domain ADMIN account is needed for authentication, I've tested with a standard Domain USER account and client authentication still works. 

I humbly suggest you all follow the principle of least privilege and switch to a domain user account. Likewise, I think Meraki needs to change the wording on the headers for that part of the Client VPN configuration to User or Service Account instead of Domain Admin.2018-12-03_11-59-44.jpg

 

 

 

10 REPLIES 10
jdsilva
Kind of a big deal

I just ran into this last week and that account MUST be an admin. It didn't work until my customer elevated the user from user to admin. 

 

Something's different in the setups...

Has to be. My service account is running as a standard domain user and I just tested again and it's working. Just for a sanity check I looked at Domain Users security group to be sure it didn't have any extra permissions delegated by a previous administrator and it is bone stock standard.  Likewise I double checked the service account and it is only a member of Domain Users. 

Hmm... It could be AD Architecture. We're a single Forest/Domain. If authenticating across domains/forests, I can see additional permissions being necessary.
WadeAlsup
A model citizen

They actually address this in the documentation. 

 

"User permissions for AD integration

While the AD integration account does not have to be a domain admin, it is usually the easiest way to implement this feature. If using a domain admin account is not possible or not preferable, ensure that the account has the necessary permissions to perform the following actions:

  • Query the user database via LDAP
  • Query group membership via LDAP
  • Query the domain controller via WMI"

See here


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂

I searched for a good half hour and couldn't find this. Bookmarked. I bow to your superior Google-fu.

Thank you!


@WadeAlsup wrote:

@WadeAlsup wrote:

They actually address this in the documentation. 

 

"User permissions for AD integration

While the AD integration account does not have to be a domain admin, it is usually the easiest way to implement this feature. If using a domain admin account is not possible or not preferable, ensure that the account has the necessary permissions to perform the following actions:

  • Query the user database via LDAP
  • Query group membership via LDAP
  • Query the domain controller via WMI"

See here




See here


 

If a standard user account is able to authenticatr the Client VPN connections then you might find the AD servers default LDAP query permissions have been changed.

Just talking about the integration account here @PhilipDAth, not for authentication. Unless I'm missing something? 


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂

The "integration" account for Client VPN is used for authenticating the user.

Sorry @PhilipDAth, I was under the impression the MX only passed the authentication credentials on to AD and received a success or failure response to complete the connection. Am I wrong about that?  


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Active_Directory_Integra...

 

Traffic Flow

When a user attempts to connect to Client VPN, the following process occurs:

  1. The user's device attempts to establish a VPN tunnel using L2TP over IP.
  2. The user provides their valid domain credentials.
  3. The MX, from its LAN IP, queries the Global Catalog over TCP port 3268 (encrypted using TLS) to the AD server configured in Dashboard.
  4. If the user's credentials are valid, the AD server will send its response to the MX, completing authentication.
  5. The MX offers the client an IP configuration on the Client VPN subnet, and the client can start communicating on the network.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels