Client VPN Troubles

SOLVED
dlowery
Getting noticed


Hey guys, I have a user who uses the client VPN, which has AD authentication enabled. He is a "light" user of the client VPN (only 2-3 times per month). His connection will work fine for a month or two, then it will suddenly break. We've found that the only thing we need to do is reset his password in AD, and he will immediately be able to connect again. His AD password is set to never expire, so I'm not sure why this keeps happening. Any ideas on troubleshooting this issue? Thanks!

1 ACCEPTED SOLUTION
Nash
Kind of a big deal

Okay, for Win10, I'm a broken record: Use a script.

There's a lot of problems with the Win10 client that you can fix with PowerShell.

If you do the following, your users will normally have better behavior:

1. Never save their credential

2. Always connect from rasphone.exe. Easiest is to make them a shortcut.

3. Set Encryption to optional. 'Required' is not supported with PAP, as Meraki uses, and Win10 assumes it needs to change the password protocol to satisfy the 'required' setting.

Since we moved to script installs, it's dramatically reduced the number of VPN repeat tickets my helpdesk gets. They also can fix it quite quickly. 3-5 minutes from the time the client gets on the line.

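The three settings from the accepted answer above, as an added PowerShell example; this is not Nash's script, which is not reproduced on this page. It assumes an L2TP/IPsec profile with a pre-shared key and an elevated session; the connection name, server address and shortcut location are placeholders.

```powershell
# Added example, not the script referenced in the thread.
# Placeholders (assumptions): connection name, server address, PSK prompt.
$Name   = 'Office VPN'
$Server = 'vpn.example.com'
$Psk    = Read-Host 'Pre-shared key'

# Recreate the profile so its settings are known rather than inherited
# from an earlier hand-built connection.
if (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -AllUserConnection -Force
}

$profile = @{
    Name                 = $Name
    ServerAddress        = $Server
    TunnelType           = 'L2tp'       # assumption: L2TP/IPsec with PSK
    L2tpPsk              = $Psk
    AuthenticationMethod = 'Pap'        # step 3: PAP, as the answer says Meraki uses
    EncryptionLevel      = 'Optional'   # step 3: 'Required' conflicts with PAP
    AllUserConnection    = $true
    Force                = $true        # suppress the interactive PSK/PAP confirmation
}
# Step 1: the -RememberCredential switch is deliberately omitted,
# so the profile is created with credential caching off.
Add-VpnConnection @profile

# Step 2: desktop shortcut that dials the entry through rasphone.exe.
$pbk     = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
$desktop = [Environment]::GetFolderPath('CommonDesktopDirectory')
$shell   = New-Object -ComObject WScript.Shell
$lnk     = $shell.CreateShortcut((Join-Path $desktop "$Name.lnk"))
$lnk.TargetPath = Join-Path $env:SystemRoot 'System32\rasphone.exe'
$lnk.Arguments  = "-f `"$pbk`" -d `"$Name`""
$lnk.Save()

# Check the resulting profile: expect Pap, Optional, RememberCredential False.
Get-VpnConnection -Name $Name -AllUserConnection |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel, RememberCredential
```

Re-running the final `Get-VpnConnection` check on a machine that has started failing shows whether the profile still has these values.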

5 REPLIES 5
Nash
Kind of a big deal

What OS is he on?

For Win10, how are you setting him up? I've got scripts in my sig that make for a better experience.

In Windows, you need your users to not save their credentials.

dlowery
Getting noticed

Yes, he is running Windows 10. He is using the built-in Windows 10 VPN client, but I think he does have a password saved. I will try changing that. I’ll take a look at those scripts too, that seems useful.

dlowery
Getting noticed

Thanks a bunch, I'm gonna try out that script today.

Also, that's some awesome, helpful comments in the script, thanks boo ✌️

Nash
Kind of a big deal

Thank you! That's one of the nicest compliments I've gotten about my code.
