Client VPN Active Directory authentication through AutoVPN?

Mikekaleny
Here to help

Hello all, 

I need to configure Meraki Client VPN but ran into an architectural "pickle". My hub location only has one public IP, and it's being used by a different vendor's client VPN. My solution was to configure the Meraki client VPN on one of my spoke sites, and use Active Directory (at the hub) for authentication.

The problem is that I'm now being told the AD server needs to be local to where the client VPN is configured. Is there any solution I can temporarily use to get the AD server at the hub location authenticating the client VPN that is configured at a spoke site? Maybe some kind of a proxy server that would send the authentication requests from the spoke site to the AD server at the hub (no idea if that's even possible)?

EDIT: after doing some research, would a TCP proxy like this work? http://www.partow.net/programming/tcpproxy/index.html

KarstenI
Kind of a big deal

When you say you could install a "proxy server" for that at the branch, well, a small AD DC (or RODC) would do the job. Or even an MS member server running the NPS (RADIUS service) could do the job.

Mikekaleny
Here to help

I'm assuming it would take a lot of work to build an AD DC? Forgive me if it's a dumb question, I don't usually deal with AD or anything Microsoft.

KarstenI
Kind of a big deal

Better ask your Windows admins for that. It all depends on the number of users that are using the DC. A VM with 16 Gig of RAM can handle quite some load but you also need an additional server license.

If you have someone with good Linux skills, a FreeRADIUS proxy doesn't need many resources (could run on a RasPi) and also doesn't need any paid license. Or, if you don't have that many users, you could consider Meraki Cloud Authentication.
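As an added illustration of the FreeRADIUS proxy idea above (this is example configuration written for this page, not from the thread or from any Meraki/FreeRADIUS documentation), the following two FreeRADIUS 3.x fragments make a small box at the spoke site accept RADIUS requests from the spoke MX and forward them over AutoVPN to an NPS (RADIUS) server at the hub. The Client VPN on the MX would be set to RADIUS authentication rather than Active Directory. All addresses, the file paths, the realm name and the shared secrets are placeholders to be replaced with your own values.

```text
# /etc/freeradius/3.0/clients.conf  (path is the Debian/Ubuntu default; adjust for your distro)
# The spoke MX is the only NAS allowed to talk to this proxy.
client spoke_mx {
    ipaddr    = 192.0.2.1               # placeholder: LAN address the spoke MX sources RADIUS from
    secret    = CHANGE_ME_MX_SECRET     # placeholder: same secret entered in Dashboard > Client VPN > RADIUS
    shortname = spoke-mx
    nas_type  = other
    # Reject packets that lack a valid Message-Authenticator attribute.
    require_message_authenticator = yes
}

# /etc/freeradius/3.0/proxy.conf
# The hub NPS server, reached through the AutoVPN tunnel (UDP/1812 must be allowed hub-side).
home_server hub_nps {
    type            = auth
    ipaddr          = 10.10.0.10        # placeholder: NPS server at the hub
    port            = 1812
    secret          = CHANGE_ME_NPS_SECRET   # placeholder: secret NPS has for this proxy as a RADIUS client
    response_window = 20                # seconds before the hub is considered unresponsive
    zombie_period   = 40                # seconds a non-responding hub is kept out of rotation
}

home_server_pool hub_pool {
    type        = fail-over
    home_server = hub_nps               # add a second NPS here for redundancy if you have one
}

# Client VPN users often type a bare username with no "@domain" suffix,
# so the DEFAULT realm catches everything and forwards it unchanged.
realm DEFAULT {
    auth_pool = hub_pool
    nostrip                             # send the username exactly as the user entered it
}
```

Two things to check when using this layout: the hub NPS must have the proxy's VPN-facing address registered as a RADIUS client with the same `CHANGE_ME_NPS_SECRET`, and the two secrets should be different so that a compromise of the spoke box does not hand over the hub-side credential. If the hub tunnel drops, FreeRADIUS will mark `hub_nps` as a zombie after `response_window` seconds and VPN logins will fail closed rather than falling back to something weaker, which is the behaviour you want.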

Mikekaleny
Here to help

There's probably 50 or so users, so Meraki cloud auth wouldn't work unfortunately.

I did find another solution that I'm keen on testing out, called a TCP proxy: http://www.partow.net/programming/tcpproxy/index.html

PhilipDAth
Kind of a big deal

You don't have to have a local AD server. If the MX can ping the AD server at your hub site it will work fine.
