Client VPN

Solved
Patrik73
Getting noticed

Hello!
 
I have a problem with Client VPN.
We are using Meraki Cloud authentication.

Computers are AD-connected and the users log in with their AD account on the computer.
firstname.lastname@domain.local

The VPN accounts are registered to their mail address.
firstname.lastname@domain.com

We are mapping the drives with GPO, so when they start their computers at home there is a red cross over the drives.
Then they connect with VPN, try to open the drive and get an error.
Microsoft Windows Network: The local device name is already in use

I have found that if I change their username for VPN to the same one they have in the domain, then it works.
But that name isn't mail-enabled because we use domain.local as the name.

Is there any way to solve this without having to change my UPN in my domain?
11 Replies
alemabrahao
Kind of a big deal

Have you tried configuring the Wins Server?

 


Is there a possibility to use your Local AD to authenticate instead of the Meraki Base?

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Patrik73
Getting noticed

Hi and thanks for the reply.

I have no problem pinging the NetBIOS name or FQDN name of servers when connected with VPN.
In the Windows VPN connection I have added the DNS suffix.

Yes, that's one way to go.

Set up either AD authentication or a RADIUS server.

But I cannot change it right now and would really like to know if this is solvable or not.

Of course I can change their accounts on Meraki Cloud to match their AD account, but it won't be mail-enabled, so we then must hand them their usernames and passwords manually.

Or add the public domain name as a UPN domain name in the local AD and change all users' domain.

But I would really like to fix this without doing that, at least for now.

alemabrahao
Kind of a big deal

As far as I know, the only way is to use the same domain name or map it by IP instead of name.

Patrik73
Getting noticed

Thanks again!

 

Not sure mapping to IP will solve it, but I will give it a try. 🙂

PhilipDAth
Kind of a big deal

I am very rough on this now - but the issue is because Windows uses VPN credentials by default to access other Windows resources.

 

This may not be 100% right, but will get you pretty close.  You need to edit the Windows phone book via a text editor:
%ProgramData%\Microsoft\Network\Connections\Pbk\rasphone.pbk
And change UseRasCredentials to 0.

 

If that doesn't work, Google UseRasCredentials.
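
Added example, not part of the thread or any poster's script: a PowerShell script that makes the phone book edit described in the reply above for one named connection, so Windows stops presenting the VPN credentials to file shares. The entry name 'Meraki VPN' is a placeholder, and the per-user phone book path under %AppData% is an addition the thread does not mention; editing the %ProgramData% file needs an elevated prompt.

```powershell
# Added example: set UseRasCredentials=0 for one VPN entry in rasphone.pbk.
# 'Meraki VPN' is a placeholder; pass the name of your own VPN connection.
# Assumes the phone book text is plain ASCII; a .bak copy is kept for rollback.
param(
    [string]$EntryName = 'Meraki VPN',
    [string[]]$PbkPaths = @(
        "$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk",  # all-users connections
        "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk"       # per-user connections
    )
)

# The phone book is INI-style: one [EntryName] section per connection.
# Only the UseRasCredentials line inside the requested section is changed.
function Set-UseRasCredentialsOff {
    param([string[]]$Lines, [string]$Entry)
    $inEntry = $false
    $changed = $false
    $out = foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inEntry = ($Matches[1] -eq $Entry)          # entering a new section
        } elseif ($inEntry -and $line -match '^UseRasCredentials=1\s*$') {
            $line = 'UseRasCredentials=0'
            $changed = $true
        }
        $line
    }
    [pscustomobject]@{ Lines = @($out); Changed = $changed }
}

foreach ($path in $PbkPaths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "No phone book at $path"
        continue
    }
    $result = Set-UseRasCredentialsOff -Lines (Get-Content -LiteralPath $path) -Entry $EntryName
    if ($result.Changed) {
        Copy-Item -LiteralPath $path -Destination "$path.bak" -Force   # backup before writing
        Set-Content -LiteralPath $path -Value $result.Lines
        Write-Host "Updated [$EntryName] in $path"
    } else {
        Write-Host "[$EntryName] not found, or UseRasCredentials is already 0, in $path"
    }
}
```

Disconnect and reconnect the VPN after the change so the new setting is read.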

Patrik73
Getting noticed

Thank you!
That seems to work.

Not sure I will implement it though. 🙂

But at least now I know what the problem is.

Maybe AD authentication or Radius is what I need to plan for.

PhilipDAth
Kind of a big deal

You can try using my client VPN wizard to create a PowerShell script to configure the VPN.  I don't think it has the same issue.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 

 

You can also use the more advanced client VPN, AnyConnect.  It doesn't have the issue, either.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance 

Mantach
New here

Hi Patrik,

 

I'm having the same problem, however my VPN client windows don't have the Windows phone book.

What was the most effective practice for you?

PhilipDAth
Kind of a big deal

Did you try my cookbook above to generate a PowerShell script to create the VPN connection?

Mantach
New here

Not yet, VPN connection is there but the only challenge is the mapped drives.

Patrik73
Getting noticed

We skipped that part with the phonebook and instead went for Radius-server for a while.

But soon after we went for radius with AnyConnect. 🙂
