Meraki

Community

MX84 RADIUS authentication failing for client VPN

Solved
osvan
Comes here often
‎Oct 27 2021 8:19 AM
‎Oct 27 2021 8:19 AM

MX84 RADIUS authentication failing for client VPN

Hello,

 

Yesterday I noticed that our MX84 event log has been filling up with DC connection errors (unable to connect to domain controller), and the logs on my DCs have been filling up with DCOM error 10036 (The server-side authentication level policy does not allow the user (RADIUS auth user) SID (*****) from address (MX84 IP) to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application).

 

I've done some Googling, but haven't come up with a working solution yet - any ideas?

 

I was alerted to the issue when our CEO wasn't able to authenticate with the VPN... NOT good.

Labels:
0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 27 2021 12:57 PM
‎Oct 27 2021 12:57 PM

I think it is related to this update.  You might need to disable the hardening.

https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-... 

View solution in original post

10 Replies 10
osvan
Comes here often
‎Oct 27 2021 11:22 AM
‎Oct 27 2021 11:22 AM

For reference, we are running firmware v.15.44 and there are a number of others having the same or similar issue related to recent Windows security updates on domain controllers. In my case the update is KB5005568 which I am unable to uninstall.

 

There is a relevant thread at Microsoft here which gives more insight into the issue.

 

Is there any reason to believe the 16.x firmware branch would solve the problem?

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 27 2021 12:57 PM
‎Oct 27 2021 12:57 PM

I think it is related to this update.  You might need to disable the hardening.

https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-... 

In response to PhilipDAth
osvan
Comes here often
‎Oct 27 2021 1:24 PM
‎Oct 27 2021 1:24 PM

Thanks for the reply PhilipDAth. I've read that topic and applied the recommended change, and although I am seeing users successfully logged into the VPN, authentication still seems to be hit and miss judging from my MX log (see image below).

 

MX84 log snippetMX84 log snippet

 

From looking at the deployment roadmap at that link, it would seem that this issue will become a real problem when Microsoft makes it impossible to disable that CVE fix in 2022, which isn't that far away.

0 Kudos
In response to osvan
alexthegeekiest
Comes here often
‎Feb 15 2022 7:48 AM
‎Feb 15 2022 7:48 AM

Has there been a proper resolution put into place for this yet?   I chose to disable it on one of my servers while we have the option.  The ability to manually disable it ends in June per the document referenced above: KB5004442 - DCOM hardening 

0 Kudos
In response to alexthegeekiest
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 15 2022 12:35 PM
‎Feb 15 2022 12:35 PM

I haven't seen anyone having this issue using RADIUS authentication against NPS.  Are you sure you are using RADIUS authentication rather than direct Active Directory authentication?

0 Kudos
In response to PhilipDAth
alexthegeekiest
Comes here often
‎Feb 15 2022 1:57 PM
‎Feb 15 2022 1:57 PM

You are absolutely right!  I meant AD authentication..not radius.  Support ticket opened indicates this a MS problem and not a Meraki problem, but come June this could be a bigger issue because the registry fix won't work.

0 Kudos
In response to alexthegeekiest
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 15 2022 5:01 PM
‎Feb 15 2022 5:01 PM

NPS (Microsoft's RADIUS server) is built into Windows Server and has no additional cost.  Any reason you can't change over to using it?

0 Kudos
In response to PhilipDAth
alexthegeekiest
Comes here often
‎Feb 16 2022 3:48 AM
‎Feb 16 2022 3:48 AM

I can certainly do that.  This would remediate this issue then because it is specific to AD authentication?

0 Kudos
In response to alexthegeekiest
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 20 2022 12:28 PM
‎Feb 20 2022 12:28 PM

Correct.

0 Kudos
osvan
Comes here often
‎Feb 21 2022 6:57 AM
‎Feb 21 2022 6:57 AM

That's the same solution that I came up with. We have been using RADIUS authentication for months now with no issues. Fortunately, I was just testing AD authentication so switching over wasn't a big deal for me.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.