Meraki

Community

MX65 Client VPN with UPN

Solved
Stach53
Conversationalist
‎Nov 22 2019 10:34 AM
‎Nov 22 2019 10:34 AM

MX65 Client VPN with UPN

Community Members

I have been unable to use UPN (User Principal Name) when entering credentials for Win10 client VPN. The AD connected PCs accept UPN without issue but client VPN requires sAMAccountName.

Basically, client VPN requires this format

Domain\Username

But any other connection to the DC can use the Username@DomainName format.

Has anyone else experienced this and if so were you able to fix it?

Best Regards,

Stach53 

 

0 Kudos
1 Accepted Solution
jdsilva
Kind of a big deal
‎Nov 22 2019 10:56 AM
‎Nov 22 2019 10:56 AM

When you're doing a direct AD connection from the MX it looks like the domain/username format is the only supported format. 

 

The client config guide indicates that it must be domain/username:

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview#Active_Directory

 

I don't see anything in the main KB doc that indicates otherwise either.

 

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...

 

Maybe a good question for support if no one here has an answer. I only have one customer using this and they're doing domain/username. 

http://blog.brokennetwork.ca | @jdsilva

View solution in original post

7 Replies 7
Nash
Kind of a big deal
‎Nov 22 2019 10:48 AM
‎Nov 22 2019 10:48 AM

How are you authenticating users to your client VPN? When I use RADIUS, folks just enter their user name to login. No domain name required.

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
In response to Nash
Stach53
Conversationalist
‎Nov 22 2019 10:56 AM
‎Nov 22 2019 10:56 AM

It is using Active Directory authentication.

0 Kudos
jdsilva
Kind of a big deal
‎Nov 22 2019 10:56 AM
‎Nov 22 2019 10:56 AM

When you're doing a direct AD connection from the MX it looks like the domain/username format is the only supported format. 

 

The client config guide indicates that it must be domain/username:

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview#Active_Directory

 

I don't see anything in the main KB doc that indicates otherwise either.

 

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...

 

Maybe a good question for support if no one here has an answer. I only have one customer using this and they're doing domain/username. 

http://blog.brokennetwork.ca | @jdsilva
In response to jdsilva
Stach53
Conversationalist
‎Nov 22 2019 11:12 AM
‎Nov 22 2019 11:12 AM

UPN will not work with older clients like W98 and prior. Maybe it's for backward compatibility but W98?? Thanks for the input JD. 

In response to Stach53
Nash
Kind of a big deal
‎Nov 22 2019 11:14 AM
‎Nov 22 2019 11:14 AM

@Stach53 wrote:

UPN will not work with older clients like W98 and prior. Maybe it's for backward compatibility but W98?? Thanks for the input JD. 

May I humbly suggest that you really should replace anything older than Win8? Changing the W98 machines to Win7 would be better, even though Win7 is going end of support shortly.

 

Edit: Unless I misread and this is MSFT retaining backwards compatibility to Win98. In which case, uh, I absolutely have clients with e.g. domain-joined HVAC controllers that run on Win98 that won't be going away any time soon. What horrors lie in network shadows.

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
Stach53
Conversationalist
‎Nov 23 2019 1:58 PM
‎Nov 23 2019 1:58 PM

We're all Win10 but being x-manufacturing, I understand the need to retain old OSs. Still wish they would allow both user name types. It doesn't take much to confuse the end users when you have different naming conventions at password time.

0 Kudos
In response to Stach53
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 24 2019 12:14 PM
‎Nov 24 2019 12:14 PM

>We're all Win10 but being x-manufacturing, I understand the need to retain old OSs.

 

I have a manufcaturing client still using MS-DOS.  The MS-DOS computers are embedded into large one-off custom built factory machines.  The cost of changing the manufacturing plant is eye watering.  So MS-DOS will be around for a while for them.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.