MX65 Client VPN with UPN

SOLVED
Stach53
Conversationalist

Community Members

I have been unable to use UPN (User Principal Name) when entering credentials for Win10 client VPN. The AD connected PCs accept UPN without issue but client VPN requires sAMAccountName.

Basically, client VPN requires this format

Domain\Username

But any other connection to the DC can use the Username@DomainName format.

Has anyone else experienced this and if so were you able to fix it?

Best Regards,

Stach53 

 

1 ACCEPTED SOLUTION
jdsilva
Kind of a big deal

When you're doing a direct AD connection from the MX it looks like the domain/username format is the only supported format. 

 

The client config guide indicates that it must be domain/username:

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview#Active_Directory

 

I don't see anything in the main KB doc that indicates otherwise either.

 

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...

 

Maybe a good question for support if no one here has an answer. I only have one customer using this and they're doing domain/username. 


7 REPLIES 7
Nash
Kind of a big deal

How are you authenticating users to your client VPN? When I use RADIUS, folks just enter their user name to login. No domain name required.

Stach53
Conversationalist

It is using Active Directory authentication.

Stach53
Conversationalist

UPN will not work with older clients like W98 and prior. Maybe it's for backward compatibility but W98?? Thanks for the input JD. 

Nash
Kind of a big deal


@Stach53 wrote:

>UPN will not work with older clients like W98 and prior. Maybe it's for backward compatibility but W98?? Thanks for the input JD.


May I humbly suggest that you really should replace anything older than Win8? Changing the W98 machines to Win7 would be better, even though Win7 is going end of support shortly.

 

Edit: Unless I misread and this is MSFT retaining backwards compatibility to Win98. In which case, uh, I absolutely have clients with e.g. domain-joined HVAC controllers that run on Win98 that won't be going away any time soon. What horrors lie in network shadows.

Stach53
Conversationalist

We're all Win10 but being x-manufacturing, I understand the need to retain old OSs. Still wish they would allow both user name types. It doesn't take much to confuse the end users when you have different naming conventions at password time.

PhilipDAth
Kind of a big deal

>We're all Win10 but being x-manufacturing, I understand the need to retain old OSs.

 

I have a manufacturing client still using MS-DOS. The MS-DOS computers are embedded into large one-off custom built factory machines. The cost of changing the manufacturing plant is eye watering. So MS-DOS will be around for a while for them.
