Good afternoon,
I have a situation where I can use my orgs VPN from any device outside the network. Works great.
Given a computer that I can use the VPN and successfully authenticate with my username and password, a few specific users receive an error 691 about incorrect credentials when they attempt to use the VPN from the same exact computer.
I have verified the credentials are not the problem.
Any thoughts?
Solved! Go to solution.
Huzzah! I found the solution.
Thank you Nash, your recommendation wasn't the solution, but it put me on the right path.
The users having problems had an msRADIUSServiceType value equal to 4, while users with no problem had a value for the same attribute of <not set>.
After clearing this value with ADSI Edit, the user was able to access the VPN as expected.
The following powershell cmdlet helped me proactively identify other users who may not have experienced this problem yet.
get-aduser -Filter * -Properties * | Select SAMAccountName, msRADIUSServiceType, Enabled | Where-Object {$_.Enabled -eq $true -and $_.msRADIUSServiceType -ge 1}
Thanks again for your help.
This is a good place to start
https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN
Error 691
Possible causes and solutions:
Solution: If the MX is configured with an ISP DNS server, change this to a Non-ISP public DNS server such as Google 8.8.8.8
Thank you for providing feedback.
Here are my findings.
On my Radius Server I have verified the users meet the conditions for windows groups for the network policy.
One thing I have noticed is these users having problems have been at the company for a long time. They have older AD accounts. I was curious if there was anything that could cause a problem related to that?
IAS Logs
CLIENTCOMP | ServiceName | RecordDate | RecordTime | PackeyType | UserName | FQDN of UserName | CallingStationID | Client IP Addr | ClientFriendlyName | ServiceType? | AuthenticationType | PolicyName | ReasonCode | MS_RAS-Client-Name | MS-RAS-Client-Version | |||||
NPS_Server | IAS | 6/21/2019 | 7:38:42 | 1 | me@mydomain | FQDN of AD User Object, as expected | CLIENTVPN | same value | 3 | 0 | expected IP | Meraki | 1 | 2 | 1 | Meraki_VPN | 0 | 311 1 10.2.1.2 05/30/2019 02:55:51 1501 | Meraki_VPN | 1 |
NPS_Server | IAS | 6/21/2019 | 7:38:42 | 2 | FQDN of AD User Object, as expected | 0 | expected IP | Meraki | 1 | 2 | 1 | Meraki_VPN | 0 | 311 1 10.2.1.2 05/30/2019 02:55:51 1501 | Meraki_VPN | 1 | ||||
NPS_Server | IAS | 6/21/2019 | 7:40:18 | 1 | other_user@mydomain | FQDN of AD User Object, as expected | CLIENTVPN | same value | 3 | 0 | expected IP | Meraki | 1 | 1 | Meraki_VPN | 0 | 311 1 10.2.1.2 05/30/2019 02:55:51 1502 | Meraki_VPN | 1 | |
NPS_Server | IAS | 6/21/2019 | 7:40:18 | 2 | FQDN of AD User Object, as expected | 0 | expected IP | Meraki | 1 | 4 | 1 | Meraki_VPN | 0 | 311 1 10.2.1.2 05/30/2019 02:55:51 1502 | Meraki_VPN | 1 |
The first thing I notice is the different service types.
me@mydomain can access the VPN no problem.
other_user@mydomain cannot access the VPN at all.
Any thoughts or observations? What am I missing?
Okay, sounds like you're sure that these users are members of the necessary AD users group?
If you clone one of the problem users and create a new account based off of them, can you replicate 691? Or does it work?
Interesting.
I'd:
a) remove the user from the VPN user group. Apply. Give it a few min. Add user back to the VPN user group. Test.
b) If A is a no go, remove the user from all groups but the VPN user group and test. If it works, start adding back in other groups until it breaks.
myUser can connect to VPN otherUser can't.
I copied both accounts and created two new accounts.
vpntest copied from otherUser
vpntest2 copied from myUser
Both these accounts have the same password and that password is in compliance with domain policy.
I removed all AD security groups except the one needed for Merkai authentication as defined in the NPS policy, and the Domain Users group.
Given the same computer, using iPhone hotspot (off corp network), vpntest cannot connect (691 error) to VPN vpntest2 can connect to VPN.
Even newly created users are able to access the VPN. It just seems to be with specific users who have been with the company for a very long time. Even their usernames are different naming convention. Is there an attribute some where that maybe acting as an alias for another attribute?
I'm just trying to think outside the box on this one. Very strange.
Oh, I have a thought.
Are those users allowed to dial-in remotely? Here's a goodish screenshot: https://gtacknowledge.extremenetworks.com/articles/Solution/RADIUS-Authorization-not-working-due-to-...
Huzzah! I found the solution.
Thank you Nash, your recommendation wasn't the solution, but it put me on the right path.
The users having problems had an msRADIUSServiceType value equal to 4, while users with no problem had a value for the same attribute of <not set>.
After clearing this value with ADSI Edit, the user was able to access the VPN as expected.
The following powershell cmdlet helped me proactively identify other users who may not have experienced this problem yet.
get-aduser -Filter * -Properties * | Select SAMAccountName, msRADIUSServiceType, Enabled | Where-Object {$_.Enabled -eq $true -and $_.msRADIUSServiceType -ge 1}
Thanks again for your help.
While this may be old, Nash also provided a golden nugget when everything else wasn't working because we were so focused on the error code that we forgot to check the basic settings. There are times when settings don't pass correctly or some profile was made incorrectly.
CHECK THE DARN DIAL-IN FIELD IN ACTIVE DIRECTORY!
Not sure how or why it defaulted to Deny Access for us but it's such a small flag to notice. Much frustration and sobbing. But easy to miss. The dangers of relying too much on third-party services.
Thank you, Nash, for reminding me that the Dial-In tab exists!!