Configuring Active Directory Authentication

CloudViking86

Hello,


So I've actually finished configuring our MX to use Active Directory authentication and wanted to share what I've learned, which hopefully can help others.

 

Now, this worked for me; it doesn't have to work for you, and my DCs are located upstream (i.e. in a remote subnet which we reach through the site-to-site VPN):

* Regarding the cert:
** Remember that you enter the IP (or at least I did) in the Meraki dashboard, so the cert needs to have the IP of the server and not just the FQDN of the server.
You can test this using "ldp.exe", which is included (?) on Windows Server; if you are running this on your own desktop then you will need to copy "ldp.exe" and also "ldp.exe.mui", as well as create a folder called "en-us" in the directory where "ldp.exe" resides and move "ldp.exe.mui" to the "en-us" folder.

** Remember to add the cert to "Active Directory Domain Services":
LDAP over SSL (LDAPS) Certificate - TechNet Articles - United States (English) - TechNet Wiki (micro...

 

* Regarding the user / password:

** Remember to use only a-z and 0-9 for the username and password.

** Remember to check the account you created to see what its "Pre-Windows 2000" username is; my username was too long when checking the "Pre-Windows 2000" field, so it had been cut off when it reached the maximum number of characters.

 

* To get this working with an account that isn't a domain admin:
Grant Minimum Permission to an Active Directory User Account Used by the Sourcefire User Agent - Cis...

^ I followed these steps:
** Giving the user WMI-permissions
** Giving the user DCOM-permissions

(I have yet to actually see if the group policy works; it doesn't seem to be supported through Client VPN, but Cisco states that it doesn't, and I don't have the appliance where I am, so I'm waiting for a colleague to verify. The config works, however, and I can fetch AD groups.)

 

* Regarding network connectivity:

TCP 135
TCP 445
TCP 3268
TCP 49152-65535 (RPC "high-ports")
whitelisted against the MX's highest numbered VLAN participating in the site-to-site VPN, e.g.:
192.168.1.1/24 = VLAN 1 = Not participating
192.168.2.1/24 = VLAN 200 = Participating <-- This is not the highest numbered VLAN, but it is the highest numbered VLAN participating in the site-to-site VPN, so 192.168.2.1/32 is the MX's IP calling the DCs
192.168.3.1/24 = VLAN 300 = Not participating
Active Directory Issue Resolution Guide - Cisco Meraki

 

* Regarding general config:

** Domain = the "shortname" of the domain, e.g. if "ad.mydomain.com" is the FQDN then "ad" is the shortname
** IP = the IP without any CIDR notation, e.g. "192.168.4.1"
** Username = the username without any domain prefix, e.g. "myuseraccount" and NOT "ad\myuseraccount"
^ Remember a-z, 0-9, and check the "Pre-Windows 2000" name for the user so your username hasn't been shortened due to too many characters.
** Password = a password (see below)
^ Remember a-z, 0-9

Hopefully this helps someone who is setting this up!

Best Regards - Karl
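Worked example, added here and not part of Karl's post or anything Meraki ships: a PowerShell pre-flight script that checks the three things the post says trip people up before you touch the dashboard, namely port reachability from the VPN side, an LDAPS certificate that actually carries the DC's IP in its SAN, and a service account whose "Pre-Windows 2000" name (the sAMAccountName, which AD caps at 20 characters) matches what you intend to type into the dashboard. Assumed values that are not in the post: the DC IP 192.168.4.1 (borrowed from the post's config example), a service account called mxldapsvc, LDAPS on the standard TCP 636 (the post lists 135, 445, 3268 and the RPC high ports, not 636), and the RSAT ActiveDirectory module being installed on the host you run it from. Run it from a Windows host that reaches the DCs over the same site-to-site VPN the MX uses.

```powershell
# Added example, not from the original post. Pre-flight checks for MX <-> AD integration.
# Assumed values (not in the post): DC IP 192.168.4.1, service account 'mxldapsvc',
# LDAPS on TCP 636. Requires the RSAT ActiveDirectory module for step 3.
param(
    [string]$DcIp           = '192.168.4.1',
    [string]$ServiceAccount = 'mxldapsvc',
    [int[]] $Ports          = @(135, 445, 636, 3268)
)

# 1. Connectivity: the fixed ports the post lists, plus 636 for LDAPS. The RPC high-port
#    range (49152-65535) is allocated dynamically, so confirm the firewall rule covers the
#    whole range rather than probing individual ports.
foreach ($port in $Ports) {
    $r = Test-NetConnection -ComputerName $DcIp -Port $port -WarningAction SilentlyContinue
    $status = if ($r.TcpTestSucceeded) { 'OK  ' } else { 'FAIL' }
    "$status TCP $port -> $DcIp"
}

# 2. Certificate: fetch the cert the DC presents on 636 and confirm the IP is in its SAN,
#    because the dashboard entry is the IP, not the FQDN.
function Get-LdapsCertificate {
    param([string]$HostIp, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostIp, $Port)
    try {
        # Accept any cert during the handshake: the goal is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostIp)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

$cert    = Get-LdapsCertificate -HostIp $DcIp
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanText = if ($san) { $san.Format($false) } else { '(no SAN extension)' }
# Match the whole IP, so 192.168.4.1 does not pass on a SAN that only holds 192.168.4.10.
$ipPattern = '(^|[^0-9.])' + [regex]::Escape($DcIp) + '($|[^0-9.])'
if ($sanText -match $ipPattern) {
    "OK   SAN contains $DcIp"
} else {
    "FAIL SAN is '$sanText'; the dashboard uses the IP, so the cert needs an IP SAN entry"
}
if ($cert.NotAfter -lt (Get-Date)) { "FAIL certificate expired on $($cert.NotAfter)" }
"     Subject: $($cert.Subject)  Issuer: $($cert.Issuer)"

# 3. Service account: sAMAccountName is limited to 20 characters, so a longer name chosen
#    at creation is silently cut, and the dashboard needs the cut value. Search by either
#    the sAMAccountName or the UPN prefix so a truncated account is still found.
Import-Module ActiveDirectory
$user = Get-ADUser -LDAPFilter "(|(sAMAccountName=$ServiceAccount)(userPrincipalName=$ServiceAccount@*))" `
                   -Properties sAMAccountName, UserPrincipalName
if (-not $user) {
    "FAIL no account found for '$ServiceAccount'"
} elseif ($user.sAMAccountName -ne $ServiceAccount) {
    "FAIL Pre-Windows 2000 name is '$($user.sAMAccountName)', not '$ServiceAccount'; enter the former in the dashboard"
} elseif ($user.sAMAccountName -notmatch '^[a-z0-9]+$') {
    "WARN '$($user.sAMAccountName)' uses characters outside a-z/0-9"
} else {
    "OK   sAMAccountName '$($user.sAMAccountName)' ($($user.sAMAccountName.Length) of 20 chars)"
}
```

The certificate check deliberately disables chain validation in the handshake callback because the point is to read what the DC presents, not to decide whether to trust it; the MX will still need the issuing CA to be trusted, so a cert that passes the SAN check can still fail on chain. Only the fixed ports are probed: a sweep of 49152-65535 would tell you nothing about the ephemeral port the DC picks at runtime, so the rule for that range has to be confirmed on the firewall itself.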
