Meraki

Community

Client VPN Active Directory authentication doesn't need a Domain Admin account

DarthKevin
Here to help
‎Dec 3 2018 9:26 AM
‎Dec 3 2018 9:26 AM

Client VPN Active Directory authentication doesn't need a Domain Admin account

All,

 

After some testing on an MX84, even though the Client VPN page indicates that a Domain ADMIN account is needed for authentication, I've tested with a standard Domain USER account and client authentication still works. 

I humbly suggest you all follow the principle of least privilege and switch to a domain user account. Likewise, I think Meraki needs to change the wording on the headers for that part of the Client VPN configuration to User or Service Account instead of Domain Admin.2018-12-03_11-59-44.jpg

 

 

 

0 Kudos
10 Replies 10
jdsilva
Kind of a big deal
‎Dec 3 2018 11:01 AM
‎Dec 3 2018 11:01 AM

I just ran into this last week and that account MUST be an admin. It didn't work until my customer elevated the user from user to admin. 

 

Something's different in the setups...

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
In response to jdsilva
DarthKevin
Here to help
‎Dec 3 2018 11:10 AM
‎Dec 3 2018 11:10 AM

Has to be. My service account is running as a standard domain user and I just tested again and it's working. Just for a sanity check I looked at Domain Users security group to be sure it didn't have any extra permissions delegated by a previous administrator and it is bone stock standard.  Likewise I double checked the service account and it is only a member of Domain Users. 

0 Kudos
In response to jdsilva
DarthKevin
Here to help
‎Dec 3 2018 11:13 AM
‎Dec 3 2018 11:13 AM

Hmm... It could be AD Architecture. We're a single Forest/Domain. If authenticating across domains/forests, I can see additional permissions being necessary.
0 Kudos
WadeAlsup
A model citizen
‎Dec 3 2018 11:36 AM
‎Dec 3 2018 11:36 AM

They actually address this in the documentation. 

 

"User permissions for AD integration

While the AD integration account does not have to be a domain admin, it is usually the easiest way to implement this feature. If using a domain admin account is not possible or not preferable, ensure that the account has the necessary permissions to perform the following actions:

  • Query the user database via LDAP
  • Query group membership via LDAP
  • Query the domain controller via WMI"

See here


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂
In response to WadeAlsup
DarthKevin
Here to help
‎Dec 3 2018 11:45 AM
‎Dec 3 2018 11:45 AM

I searched for a good half hour and couldn't find this. Bookmarked. I bow to your superior Google-fu.

Thank you!

@WadeAlsup wrote:
@WadeAlsup wrote:

They actually address this in the documentation. 

 

"User permissions for AD integration

While the AD integration account does not have to be a domain admin, it is usually the easiest way to implement this feature. If using a domain admin account is not possible or not preferable, ensure that the account has the necessary permissions to perform the following actions:

  • Query the user database via LDAP
  • Query group membership via LDAP
  • Query the domain controller via WMI"

See here



See here

 

In response to DarthKevin
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 3 2018 12:45 PM
‎Dec 3 2018 12:45 PM

If a standard user account is able to authenticatr the Client VPN connections then you might find the AD servers default LDAP query permissions have been changed.

0 Kudos
In response to PhilipDAth
WadeAlsup
A model citizen
‎Dec 3 2018 12:48 PM
‎Dec 3 2018 12:48 PM

Just talking about the integration account here @PhilipDAth, not for authentication. Unless I'm missing something? 


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂
0 Kudos
In response to WadeAlsup
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 3 2018 12:50 PM
‎Dec 3 2018 12:50 PM

The "integration" account for Client VPN is used for authenticating the user.

0 Kudos
In response to PhilipDAth
WadeAlsup
A model citizen
‎Dec 3 2018 1:38 PM
‎Dec 3 2018 1:38 PM

Sorry @PhilipDAth, I was under the impression the MX only passed the authentication credentials on to AD and received a success or failure response to complete the connection. Am I wrong about that?  


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂
0 Kudos
In response to WadeAlsup
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 3 2018 1:48 PM
‎Dec 3 2018 1:48 PM

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Active_Directory_Integra...

 

Traffic Flow

When a user attempts to connect to Client VPN, the following process occurs:

  1. The user's device attempts to establish a VPN tunnel using L2TP over IP.
  2. The user provides their valid domain credentials.
  3. The MX, from its LAN IP, queries the Global Catalog over TCP port 3268 (encrypted using TLS) to the AD server configured in Dashboard.
  4. If the user's credentials are valid, the AD server will send its response to the MX, completing authentication.
  5. The MX offers the client an IP configuration on the Client VPN subnet, and the client can start communicating on the network.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.