Hello all,
I need to configure Meraki Client VPN but ran into an architectural "pickle". My hub location only has one public IP, and it's being used by a different vendor's client VPN. My solution was to configure the Meraki client VPN on one of my spoke sites, and use Active Directory (at the hub) for authentication.
The problem is that I'm now being told the AD server needs to be local to where the client VPN is configured. Is there any solution I can temporarily use to get the AD server at the hub location authenticating the client VPN that is configured at a spoke site? Maybe some kind of a proxy server that would send the authentication requests from the spoke site to the AD server at the hub (no idea if that's even possible)?
EDIT: after doing some research, would a TCP proxy like this work? http://www.partow.net/programming/tcpproxy/index.html
When you say you could install a "proxy server" for that at the branch, well, a small AD DC (or RODC) would do the job. Or even an MS member server running the NPS (RADIUS service) could do the job.
I'm assuming it would take a lot of work to build an AD DC? Forgive me if it's a dumb question, I don't usually deal with AD or anything Microsoft.
Better ask your Windows admins for that. It all depends on the number of users that are using the DC. A VM with 16 Gig of RAM can handle quite some load but you also need an additional server license.
If you have someone with good Linux skills, a FreeRADIUS proxy doesn't need many resources (could run on a RasPi) and also doesn't need any paid license. Or, if you don't have that many users, you could consider Meraki Cloud Authentication.
There's probably 50 or so users, so Meraki cloud auth wouldn't work unfortunately.
I did find another solution that I'm keen on testing out, called a TCP proxy: http://www.partow.net/programming/tcpproxy/index.html
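For readers weighing the "TCP proxy at the spoke" idea above, here is an added example of what such a forwarder actually does; it is not Meraki code and not the partow.net project linked in the thread. It is a plain byte forwarder: whatever the MX sends to the spoke-side listener is copied to one fixed hub-side host and port, and replies come back the same way. Because it never interprets the stream, an LDAP-over-TLS session passes through still encrypted and the proxy box never sees credentials; the flip side is that it adds no authentication of its own, so the listener should be reachable only from the MX. The hub address, ports and the echo "backend" are constructed for the demo (a real deployment would point at the domain controller), and the second call shows the failure mode a practitioner cares about: when the hub is unreachable the client is disconnected promptly instead of hanging.

```python
"""Minimal asyncio TCP forwarding proxy (added illustration, not the thread's tool).

Spoke-side listener -> hub-side upstream, bytes copied both ways untouched.
"""
import asyncio
import socket

CHUNK = 65536


async def _pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one direction until EOF or a connection error, then close the
    destination so the other side observes EOF as well.  Nothing is decoded:
    a TLS session (e.g. LDAPS) traverses the proxy encrypted end to end."""
    try:
        while True:
            data = await reader.read(CHUNK)
            if not data:
                break
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()


async def _handle_client(client_reader, client_writer, upstream_host, upstream_port):
    """Open the matching upstream connection and shuttle bytes in both directions.
    If the hub cannot be reached, the client is closed immediately, so the MX
    sees a failed authentication rather than a stalled one."""
    try:
        up_reader, up_writer = await asyncio.open_connection(upstream_host, upstream_port)
    except OSError:
        client_writer.close()
        return
    await asyncio.gather(
        _pipe(client_reader, up_writer),
        _pipe(up_reader, client_writer),
    )


async def start_proxy(listen_host, listen_port, upstream_host, upstream_port):
    """Listen at the spoke and forward every connection to one hub-side endpoint.
    In production bind listen_host to an address only the MX can reach."""
    async def on_connect(reader, writer):
        await _handle_client(reader, writer, upstream_host, upstream_port)
    return await asyncio.start_server(on_connect, listen_host, listen_port)


# ---- constructed demo harness: a stand-in backend, not a real AD server ----

async def _echo_backend(reader, writer):
    """Pretend hub server: echoes one request and hangs up."""
    data = await reader.read(CHUNK)
    writer.write(data)
    await writer.drain()
    writer.close()


def _unused_port() -> int:
    """Pick a local port nothing listens on, to simulate the hub being down."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


async def _roundtrip(payload: bytes, backend_up: bool) -> bytes:
    backend = await asyncio.start_server(_echo_backend, "127.0.0.1", 0)
    backend_port = backend.sockets[0].getsockname()[1] if backend_up else _unused_port()
    proxy = await start_proxy("127.0.0.1", 0, "127.0.0.1", backend_port)
    proxy_port = proxy.sockets[0].getsockname()[1]
    try:
        reader, writer = await asyncio.open_connection("127.0.0.1", proxy_port)
        writer.write(payload)
        await writer.drain()
        reply = await reader.read(CHUNK)  # b"" means the proxy closed on us
        writer.close()
        await writer.wait_closed()
        return reply
    finally:
        proxy.close()
        backend.close()


def roundtrip_through_proxy(payload: bytes, backend_up: bool = True) -> bytes:
    """Send payload through the proxy and return the reply; b"" when the
    hub-side connection could not be established."""
    return asyncio.run(_roundtrip(payload, backend_up))


if __name__ == "__main__":
    print(roundtrip_through_proxy(b"constructed request bytes"))
    print(roundtrip_through_proxy(b"anything", backend_up=False))
```

Note that the last reply in this thread makes the simpler point: if the spoke MX already has IP reachability to the hub domain controller over the site-to-site VPN, no forwarder is needed at all, and this kind of proxy only matters where the design truly requires a local endpoint.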
You don't have to have a local AD server. If the MX can ping the AD server at your hub site it will work fine.