Meraki

Community

Meraki MX65W Client VPN with RODC

Flashback
Here to help
‎Apr 7 2020 9:15 AM
‎Apr 7 2020 9:15 AM

Meraki MX65W Client VPN with RODC

We're having issues with clients authenticating to the client VPN if the domain controller it's pointing to is a read-only domain controller.

 

Is this a known issue/restriction in place? As soon as I point it to a full DC, it works fine.

 

We use RODC in small site branches for security reasons, so if it's a restriction and we need to point the auth activities to another site it defeats the purpose slightly of giving staff the ability to come in through another site (if one site is down for example).

 

Thanks!

0 Kudos
5 Replies 5
DHAnderson
Head in the Cloud
‎Apr 7 2020 10:17 AM
‎Apr 7 2020 10:17 AM

Can any clients authenticate through a RODC?

 

Also, do any clients have authentication issues when signing into the site with the primary DC?

 

Dave Anderson
0 Kudos
In response to DHAnderson
Flashback
Here to help
‎Apr 7 2020 10:36 AM
‎Apr 7 2020 10:36 AM

No, no one can VPN through the MX65W when it's pointing to a RODC for AD authentication.

 

Once I changed the AD controller it's pointing at to a full DC, authentication is fine.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 7 2020 1:05 PM
‎Apr 7 2020 1:05 PM

I don't know the answer.

 

You also don't say weather you are using RADIUS (via NPS) or Active Directory authentication.

 

If see NPS has quite a few restrictions when used with RODC.  Search this article for NPS:

https://support.microsoft.com/en-nz/help/4053480/rodc-application-compatibility 

 

 

Have you enabled the Password Replication Policy to your RODC?  Password caching needs to be enabled on them to be able to use LDAPS against the.

Also - have you enabled LDAPs on those RODC?  The RODC needs a certificate to be installed to enable this.

In response to PhilipDAth
Flashback
Here to help
‎Apr 7 2020 1:51 PM
‎Apr 7 2020 1:51 PM

Using AD auth.

 

Password replication policy is in place, but I don't believe LDAPS is in place. Would we need to have a CA server running in the environment in order to use LDAPS?

0 Kudos
In response to Flashback
Flashback
Here to help
‎Jun 30 2022 3:40 AM
‎Jun 30 2022 3:40 AM

Just to close the loop on this one - it was a fairly simple fix in the end.

 

To create a self-signed cert (to enable Meraki Client VPN via AD auth to work):
 
  • PowerShell (admin) and run the command New-SelfSignedCertificate -DnsName "servername.fqdn.domain" -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(10)
  • Hit your Windows Key and type “Cert” and click on Manage Computer Certificates
  • Go to Personal > Certificates and see your new Cert that you just created
  • Right-click the new Cert and go to All Tasks > Export
  • Yes, export the private key
  • Personal Information Exchange, check the following:
  • Include all certificates
  • Export all extended properties
  • Check Password: Make a password you’ll remember
  • Browse to an easy to remember location like C:\Certs and Finish
  • Expand Trusted Root Certificate Authorities, right click Certificates > All Tasks, Import…
  • Choose your cert, enter the password, make sure importing is a success
  • Test
  • Note: DO NOT DELETE the certificate from Personal > Certificates - it needs this one otherwise Auth will continue to fail.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.