All,
After some testing on an MX84, even though the Client VPN page indicates that a Domain ADMIN account is needed for authentication, I've tested with a standard Domain USER account and client authentication still works.
I humbly suggest you all follow the principle of least privilege and switch to a domain user account. Likewise, I think Meraki needs to change the wording on the headers for that part of the Client VPN configuration to User or Service Account instead of Domain Admin.
I just ran into this last week and that account MUST be an admin. It didn't work until my customer elevated the user from user to admin.
Something's different in the setups...
Has to be. My service account is running as a standard domain user and I just tested again and it's working. Just for a sanity check I looked at Domain Users security group to be sure it didn't have any extra permissions delegated by a previous administrator and it is bone stock standard. Likewise I double checked the service account and it is only a member of Domain Users.
They actually address this in the documentation.
"User permissions for AD integration
While the AD integration account does not have to be a domain admin, it is usually the easiest way to implement this feature. If using a domain admin account is not possible or not preferable, ensure that the account has the necessary permissions to perform the following actions:
- Query the user database via LDAP
- Query group membership via LDAP
- Query the domain controller via WMI"
See here
I searched for a good half hour and couldn't find this. Bookmarked. I bow to your superior Google-fu.
Thank you!
@WadeAlsup wrote:
They actually address this in the documentation.
"User permissions for AD integration
While the AD integration account does not have to be a domain admin, it is usually the easiest way to implement this feature. If using a domain admin account is not possible or not preferable, ensure that the account has the necessary permissions to perform the following actions:
- Query the user database via LDAP
- Query group membership via LDAP
- Query the domain controller via WMI"
See here
If a standard user account is able to authenticate the Client VPN connections then you might find the AD server's default LDAP query permissions have been changed.
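The three permissions quoted from the documentation above, checked from the integration account's own point of view, plus the "only a member of Domain Users" sanity check from earlier in the thread. This is an added example, not from the thread or from Meraki's documentation; the account name, test user and domain controller are placeholders, and it assumes the RSAT ActiveDirectory module on a domain-joined Windows PowerShell host.

```powershell
# Verifies that a least-privilege Client VPN integration account can do what the
# Meraki docs list: LDAP user lookup, LDAP group lookup, and a WMI query to a DC.
# Added example; account, user and DC names below are assumed placeholders.
param(
    [string]$ServiceAccount   = 'CONTOSO\svc-meraki-vpn',  # assumed integration account
    [string]$TestUser         = 'jdoe',                    # any ordinary domain user
    [string]$DomainController = 'dc01.contoso.local'       # assumed DC hostname
)

$ErrorActionPreference = 'Stop'   # any denied query stops the script loudly
Import-Module ActiveDirectory
$cred = Get-Credential -UserName $ServiceAccount -Message 'Integration account password'
$sam  = $ServiceAccount.Split('\')[-1]

# 1. Confirm the integration account holds nothing beyond Domain Users (direct
#    memberships only; nested groups would need a recursive check).
$groups = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
$extra  = $groups | Where-Object { $_ -ne 'Domain Users' }
if ($extra) { Write-Warning "Account is also a member of: $($extra -join ', ')" }
else        { Write-Host 'OK: account is a plain member of Domain Users only' }

try {
    # 2. Query the user database via LDAP, authenticated as the integration account.
    $user = Get-ADUser -Identity $TestUser -Server $DomainController `
                       -Credential $cred -Properties memberOf
    Write-Host "OK: LDAP user lookup returned $($user.DistinguishedName)"

    # 3. Query group membership via LDAP, resolving each memberOf DN to a group name.
    $names = foreach ($dn in $user.memberOf) {
        (Get-ADGroup -Identity $dn -Server $DomainController -Credential $cred).Name
    }
    Write-Host "OK: LDAP group lookup resolved $(@($names).Count) group(s)"

    # 4. Query the domain controller via WMI as the integration account.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $DomainController -Credential $cred
    Write-Host "OK: WMI query answered by $($os.CSName)"
}
catch {
    Write-Error "A required query failed as $ServiceAccount : $($_.Exception.Message)"
}
```

If step 2 or 3 fails for a plain Domain Users account, the default LDAP read permissions on the domain have been tightened and the account needs explicit read rights on the user and group objects rather than a Domain Admins membership.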
Just talking about the integration account here @PhilipDAth, not for authentication. Unless I'm missing something?
The "integration" account for Client VPN is used for authenticating the user.
Sorry @PhilipDAth, I was under the impression the MX only passed the authentication credentials on to AD and received a success or failure response to complete the connection. Am I wrong about that?
When a user attempts to connect to Client VPN, the following process occurs: