Client VPN via AD authentication issue.

RYN0
Here to help

Hi all,

We recently replaced an MX60 with an MX67 for a client of ours. Ever since then the client VPN will no longer authenticate via AD authentication. I can flip it to Meraki authentication and it works fine though.

 

I re-verified my client VPN settings are correct. I even checked the DC certificate in case it was some sort of TLS issue, but the certificate is fine. I set up the DC on the Active Directory Authentication page to see if that would produce an error, but it connects fine with the green checkmark status.

 

The issue was even escalated to the Meraki development team to look into. They stated that what they are able to see is that the AD server is attempting to create a TLS session with the Meraki device in a way which is not compatible; however, we are unable to do further troubleshooting from their end. Next troubleshooting steps would need to be done on the AD server itself.

 

If this is an issue with the AD server, why would it crop up out of the blue when the firewall was replaced? Makes no sense to me yet.

5 Replies
GOwens
Here to help

I was on the phone for 2 hours trying to get mine to work. We were not able to get it to authenticate properly. His last suggestion was to install a new certificate, which I have not done yet. This seems to be an issue. I mainly commented to keep up with any progress you make with this.

SoCalRacer
Kind of a big deal

My guess is it has to do with the server and TLS versions being too far out of date, but I don't have all the info.

 

What OS is the server (Server 2008, 2012, R2, etc.)?

What OS is the client (Windows 10, 7, etc.)?

 

In the meantime, some places to check are below.

 

Verify all the requirements of the Certificate

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...

 

Assuming this is a Windows device, what error codes do you get on the client?

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN

RYN0
Here to help

Now that you mention it, I could imagine the version of TLS on the server (2008 R2 DC) being too old for the MX67 with the latest stable firmware on it.

 

My own resolution for the time being was to set up NPS on the DC and enable RADIUS authentication in the MX client VPN settings, and this works just fine for them.

PhilipDAth
Kind of a big deal

I think @SoCalRacer is most likely to be on the money.  Going from an MX60 to an MX67 is a big jump.  It probably has a new minimum standard of crypto configurations.

 

Make sure your server has TLSv1.2 enabled.  I don't know if this is correct - but I found this article talking about how to do it.

https://support.quovadisglobal.com/kb/a433/how-to-enable-tls-1_2-on-windows-server-2008-r2.aspx

 

If that doesn't work make sure the certificate that you are using is at least 2048 bits.  1024 bit certificates might not work anymore.

SoCalRacer
Kind of a big deal

Everything tells me it's a server/certificate problem.

 

All of the current docs like this say 2048-bit, so I would just double check all the info about the certificate; otherwise use the RADIUS authentication.

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...
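The two checks suggested in the replies above (TLS 1.2 enabled in Schannel on the 2008 R2 DC, and a DC certificate with at least a 2048-bit key) can be run read-only on the domain controller before touching the MX. The script below is an added example written for this thread; it is not Meraki's or Microsoft's code and not something any poster ran. It assumes PowerShell 3.0 or later with .NET 4.5 or later on the DC, the usual SCHANNEL registry layout, and a placeholder FQDN. Port 636 (LDAPS) is an assumption for the live handshake test; adjust it to whichever port the MX actually connects to.

```powershell
# Added example (not from the thread). Read-only diagnostics for the DC side
# of MX Active Directory authentication. Assumes PowerShell 3.0+ / .NET 4.5+.
$DcFqdn    = 'dc01.corp.example'   # placeholder: the domain controller's FQDN
$LdapsPort = 636                   # assumption: adjust to the port the MX uses

# 1. Schannel state for TLS 1.2 on the server side. On Server 2008 R2 this key
#    is absent by default; the KB article linked above creates it with
#    Enabled=1 and DisabledByDefault=0.
function Get-SchannelTls12ServerState {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
    if (-not (Test-Path $path)) {
        return [pscustomobject]@{ KeyPresent = $false; Enabled = $null; DisabledByDefault = $null; Ok = $false }
    }
    $p = Get-ItemProperty -Path $path
    # Enabled may be 1 or 0xffffffff; both mean enabled. A missing value is flagged.
    $enabledOk = ($p.Enabled -ne $null) -and ($p.Enabled -ne 0)
    $dbdOk     = ($p.DisabledByDefault -ne $null) -and ($p.DisabledByDefault -eq 0)
    [pscustomobject]@{
        KeyPresent        = $true
        Enabled           = $p.Enabled
        DisabledByDefault = $p.DisabledByDefault
        Ok                = $enabledOk -and $dbdOk
    }
}

# 2. Certificates in the machine store usable for server authentication
#    (EKU 1.3.6.1.5.5.7.3.1, or no EKU at all, which means all purposes).
#    Flags anything under 2048 bits or already expired.
function Get-DcServerAuthCertificates {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            ($_.EnhancedKeyUsageList.Count -eq 0) -or
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
        } |
        ForEach-Object {
            $bits = $_.PublicKey.Key.KeySize
            [pscustomobject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                KeyBits    = $bits
                Thumbprint = $_.Thumbprint
                MeetsMin   = ($bits -ge 2048) -and ($_.NotAfter -gt (Get-Date))
            }
        }
}

# 3. What the DC actually negotiates, tried one protocol version at a time so
#    a TLS 1.2 failure stands out from a TLS 1.0 success. The validation
#    callback returns $true only so the handshake completes for inspection;
#    this is a diagnostic, not a trust decision.
function Test-DcTlsHandshake {
    param([string]$HostName, [int]$Port, [string]$Protocol)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]$Protocol, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Tried      = $Protocol
            Negotiated = $ssl.SslProtocol
            Cipher     = $ssl.CipherAlgorithm
            Subject    = $cert.Subject
            KeyBits    = $cert.PublicKey.Key.KeySize
            Error      = $null
        }
    } catch {
        [pscustomobject]@{ Tried = $Protocol; Negotiated = 'FAILED'; Cipher = $null; Subject = $null; KeyBits = $null; Error = $_.Exception.Message }
    } finally {
        $tcp.Close()
    }
}

Get-SchannelTls12ServerState | Format-List
Get-DcServerAuthCertificates | Format-Table Subject, KeyBits, NotAfter, MeetsMin -AutoSize
foreach ($proto in 'Tls12', 'Tls11', 'Tls') {
    Test-DcTlsHandshake -HostName $DcFqdn -Port $LdapsPort -Protocol $proto
} | Format-Table Tried, Negotiated, Cipher, KeyBits, Error -AutoSize
```

Reading the output: a missing or `Ok = False` Schannel key with a `Tls12 = FAILED` / `Tls = <success>` handshake pair points at the server-side TLS version, which is the scenario the replies above guess at; a `MeetsMin = False` certificate points at the key-size requirement in the Meraki doc. Neither check changes anything on the DC, so it is safe to run before deciding between the registry change and the RADIUS/NPS workaround.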
