Hi, I try to use my AD 2019 in Client VPN and it's not working. I want to ask: when using AD in Client VPN,
how do I check if the Meraki MX authorized the username and password from AD? Can I see the event in the event log in AD? Please help me, Meraki support is not helping me.
Is there any additional setting I need to do in AD?
There are a few steps you should follow before you configure it on the dashboard.
The Cisco Meraki MX Security Appliance supports Active Directory authentication with Client VPN, so a client will be required to provide domain credentials in order to connect via VPN.
When a user attempts to connect to Client VPN, the following process occurs:
Note: At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.
In order to configure Active Directory authentication for Client VPN, configuration steps must be completed on both Dashboard and Active Directory, outlined below:
The following requirements must be configured on each AD server being used for authentication:
When Active Directory authentication is configured, the MX queries the Global Catalog over TCP port 3268. Therefore the Active Directory server (Domain Controller) specified in Dashboard must also hold the Global Catalog role.
Once the AD servers have been primed with the configuration requirements outlined above, the following steps outline how to set up AD authentication for Client VPN:
Note: In order for Client VPN users to be able to resolve internal DNS entries, the Custom nameservers option should be configured with an internal DNS server. The server's firewall may need to be adjusted to allow queries from the Client VPN subnet, and best practices dictate that a public DNS server should be listed as a secondary option.
Note: If the credentials provided do not have domain admin permissions, the MX will be unable to query the AD server.
Clients can use their native VPN client to connect to Client VPN, with or without Active Directory.
Please refer to our Client VPN documentation for OS-specific configuration steps.
Due to the nature of Active Directory authentication for Client VPN, all domain users will be able to authenticate and connect to Client VPN. There is no Dashboard-native way to limit which users can authenticate; however, there is a workaround in Active Directory that allows the scope of users to be limited by specifying a domain administrator with limited group visibility.
The following article outlines how to configure this workaround for wireless networks, but the same principles can be applied to Client VPN: Scoping Active Directory per SSID
Note: This configuration is entirely reliant on Active Directory. Depending on how domain groups are managed, this may not work in some environments - please refer to Microsoft documentation and support for assistance with Active Directory configuration.
User permissions for AD integration
While the AD integration account does not have to be a domain admin, it is usually the easiest way to implement this feature. If using a domain admin account is not possible or not preferable, ensure that the account has the necessary permissions to perform the following actions:
Once the configuration above has been completed, the Meraki device should be able to communicate with the Active Directory server using TLS. If this fails, Microsoft offers the Ldp.exe tool to ensure that the LDAP service is running and compatible with the current certificate.
Please reference Microsoft documentation for error code details and troubleshooting assistance.
For more information about both Client VPN and Active Directory integration, please refer to the following articles:
You can also use RADIUS (Microsoft NPS) to authenticate your clients:
https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN
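To answer the original question about verifying the AD side, here is an added example (not from this thread or from Meraki's documentation) that runs on the domain controller named in Dashboard and checks the requirements listed above: the Global Catalog role, TCP 3268 listening, a server-authentication certificate for TLS, and whether the MX's bind attempts show up in the Security log. The MX LAN address `$MxLanIp` is an assumed placeholder.

```powershell
# Added example, not Meraki or Microsoft code. Run in an elevated PowerShell
# session on the DC configured in Dashboard. $MxLanIp is a placeholder.
$MxLanIp = '192.0.2.1'   # placeholder: replace with the MX's LAN IP address

# 1. The DC listed in Dashboard must hold the Global Catalog role.
Get-ADDomainController -Filter * |
    Select-Object Name, IsGlobalCatalog, IPv4Address |
    Format-Table -AutoSize

# 2. The MX queries the Global Catalog on TCP 3268; confirm it is listening here.
Test-NetConnection -ComputerName $env:COMPUTERNAME -Port 3268 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 3. LDAP over TLS needs a Server Authentication certificate in the machine store
#    (the same thing Ldp.exe exercises when you connect with SSL/TLS enabled).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Select-Object Subject, NotAfter, Thumbprint

# 4. Did the MX's authentication attempts reach this DC? List successful (4624)
#    and failed (4625) logons from the MX's IP over the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $ip   = ($data | Where-Object Name -eq 'IpAddress').'#text'
    if ($ip -ne $MxLanIp) { continue }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Result = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        User   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Status = ($data | Where-Object Name -eq 'Status').'#text'   # 4625 failure code
    }
}
```

Step 4 only produces output if logon auditing is enabled on the domain controllers (Audit Logon / Audit Logoff in the Default Domain Controllers Policy); if nothing is returned while the VPN login fails, check that policy and steps 1 to 3 before suspecting the credentials.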
Try checking out the client VPN AD client guide.
Especially note the section about the AD controller requiring a certificate.