
Meraki VPN

A model citizen

Meraki VPN

I’m using a trial MX, so far everything went well except for the VPN.

I’m only able to connect using the Meraki authentication. Meraki recommends using PAP, but if I use that I’m not able to connect. If I use the Windows CHAP, I can connect.

I’d like to use Active Directory or RADIUS for authentication, and I believe I have everything set up correctly on the Windows server side, but I’m not able to connect.

Of course, Meraki doesn’t have their own VPN client, this makes it more difficult. I’m thinking about going with other firewall options.

Anyone able to connect using Active Directory or RADIUS? I’m not getting much help from Meraki. I’m sorry for the rant, but just frustrated.

30 REPLIES
A model citizen

Re: Meraki VPN

Hi,

I understand there are strengths and weaknesses in every solution.

Meraki MX has a collection of features / services. Agreed, the solution is evolving. Every quarter you will see new updates.

E.g. Auto VPN is a solid solution. Gives us lots of peace of mind.

However, Client VPN is not an enterprise offer, say, in comparison to AnyConnect or any other solution.

Hopefully we may see improvement down the line.

A few times it becomes a challenge integrating Active Directory with Meraki. However, proper troubleshooting helps us with successful AD integration.

Most of the time I found Meraki support to be very responsive and responsible. However, as AD is not in their scope I have seen them limiting the assistance.

If Client VPN is the most required service for your enterprise, maybe Meraki will not fit in well as of now.

However, I have a customer with over 600+ remote users on this.

You may also try to connect to a Meraki Partner / SE from your region for assistance.

Finally, Meraki or no Meraki is always a customer's call.

Cheers
Ajit
ajitsnw@gmail.com
A model citizen

Re: Meraki VPN

I know AD is Windows, but why does Meraki not have its own VPN client like the Cisco AnyConnect? They’ve been promising this for years. I don’t understand why release a product if you can use its full features.

 

I only have one site, so I can’t comment on site-to-site VPN. 

Getting noticed

Re: Meraki VPN

I have three clients using the Windows 10 VPN client to connect to their Meraki VPN with the authentication done by Windows 10.

 

The client side should have the following settings checked on the Security tab of the WAN Miniport properties:

  • Layer 2 Tunnelling Protocol with IPSec (L2TP/IPsec)
  • Require Data Encryption (disconnect if server declines)
  • Use Extensible Authentication Protocol (EAP)
  • Allow the following protocols:
      • Unencrypted PAP
      • Challenge Handshake Authentication Protocol (CHAP)
      • Microsoft CHAP Version 2 (MS-CHAP v2)
  • Leave the checkbox for Windows login name blank.

On the Networking tab, click on Internet Protocol Version 4 (TCP/IPv4), then click on the Properties button.

Then click on the Advanced button and make sure Use default gateway on remote network is checked.

On the server side of things, I set up a new domain admin account for the user that will be used as the domain administrator on the Meraki web site.

On the Meraki web site, under Security & SD-WAN, I set up a separate subnet for the VPN.  Meraki will be routing between the VPN subnet and the local subnet of the domain.  I also specified the name servers of the domain controller.  I set Authentication to Active Directory and set the new Meraki user as the domain admin.

That is it.  Reply to me if you have any more questions.

 

- Dave
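
Added example, not part of the post above or of the script linked later in the thread: a PowerShell sketch that creates a Windows L2TP/IPsec profile along the lines of the checklist (pre-shared key, encryption required, default gateway on the remote network) and then reads it back to confirm what Windows stored. It uses PAP only, as the Meraki documentation referenced in this thread calls for; the profile name and server address are placeholders.

```powershell
# Added example; not from the thread or from Meraki. Values are placeholders.
$Name   = 'Meraki Client VPN'          # hypothetical profile name
$Server = 'vpn.example.com'            # placeholder for the MX hostname or public IP
$Psk    = Read-Host 'Pre-shared key'   # prompted so the key is not saved in the script

# Create the profile. PAP sends the password in clear text inside PPP, so it is
# protected only by the IPsec layer: the L2TP tunnel type and the required
# encryption level are what keep the credentials confidential on the wire.
# -SplitTunneling is left off, which keeps "Use default gateway on remote
# network" enabled (all client traffic goes through the tunnel).
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $Psk -EncryptionLevel Required `
    -AuthenticationMethod Pap -Force

# Read the profile back and compare it with the checklist.
$vpn = Get-VpnConnection -Name $Name
$checks = [ordered]@{
    'Tunnel type is L2TP'         = $vpn.TunnelType -eq 'L2tp'
    'IPsec uses a pre-shared key' = $vpn.L2tpIPsecAuth -eq 'Psk'
    'Data encryption is required' = $vpn.EncryptionLevel -eq 'Required'
    'Default gateway on remote'   = -not $vpn.SplitTunneling
    'PAP is allowed'              = $vpn.AuthenticationMethod -contains 'Pap'
}
foreach ($item in $checks.GetEnumerator()) {
    '{0,-30} {1}' -f $item.Key, $(if ($item.Value) { 'OK' } else { 'MISMATCH' })
}
if ($checks.Values -contains $false) {
    Write-Warning "Profile '$Name' does not match the checklist."
}
```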

 

 

A model citizen

Re: Meraki VPN

Thank you. I’ll try that. Are you manually doing this or by a script?  On the Meraki website it says to use PAP only.

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

 

If you don’t mind me asking, which version of Windows 10 are you using?

Getting noticed

Re: Meraki VPN

I set up the connection manually as the number of VPN users is not that large, and most are off site.

 

As for the protocols, I originally set clients up using PAP only, but when testing Systems Manager I noticed it enabled all protocols and that works as well.

 

Most of my clients are not on the October update, and are a mix of Home and Pro.

A model citizen

Re: Meraki VPN

Ok thank you. I’ll try that Monday. 

A model citizen

Re: Meraki VPN

When users connect to VPN, do they login with domain name/username or just username?

Getting noticed

Re: Meraki VPN

Just user name.

 

- Dave

A model citizen

Re: Meraki VPN

Thanks 

Kind of a big deal

Re: Meraki VPN

Try using this PowerShell script to configure the client VPN on a Windows 10 machine. It is 100% correct.

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

 

I have had issues in the past where Windows won't work because of special characters in the pre-shared key (e.g. ")" breaks it).

So you could try using a simpler PSK as well.

A model citizen

Re: Meraki VPN

Thanks, on the PowerShell script, for the domain name do you put the full domain name?

 

for example, if my domain is test.local,

do I put test or test.local?

 

I’ll try a simple PSK, I don’t have any special characters, but I do have numbers.

Getting noticed

Re: Meraki VPN

Just use the short name of test
Kind of a big deal

Re: Meraki VPN

You should use test.local, the full AD domain.

Getting noticed

Re: Meraki VPN

On the Meraki web page, it calls for the short name, and that is working for all three clients. Perhaps the long name works as well, but I have not tested that.
Kind of a big deal

Re: Meraki VPN

>On the Meraki web page, it calls for the short name, and that is working for all three clients

What page is this?  If it says to use the short name - it is wrong.

Getting noticed

Re: Meraki VPN

On the Client VPN page, when the authentication is set to Active Directory, the Active Directory server settings has 4 fields.  The first field is titled "Short domain".

 

Are we talking about two different things?

Kind of a big deal

Re: Meraki VPN

>On the Client VPN page, when the authentication is set to Active Directory, the Active Directory server settings has 4 fields.  The first field is titled "Short domain".

 

In the dashboard, that is correct.

 

But we were talking about the DNS suffix field in the PowerShell command.

A model citizen

Re: Meraki VPN

Thanks to both. I’ll try these tomorrow and let you know if it works. 

A model citizen

Re: Meraki VPN

I’m assuming if I want to use RADIUS authentication, this will work also once I make the Meraki the client?

 

I already created a security in AD called VPN Users and made myself a member. 

Getting noticed

Re: Meraki VPN

I have one client using RADIUS authentication with JumpCloud, and it works nicely.

 

If you have AD, then secure LDAP should suffice.  If you don't want to use a certificate for LDAP, then shared secret with RADIUS is good, but a bit more work to set up.

 

A model citizen

Re: Meraki VPN

Thanks again. Going to test tomorrow. 

A model citizen

Re: Meraki VPN

Is JumpCloud for Meraki APs only or also for MX?

Getting noticed

Re: Meraki VPN

JumpCloud is a cloud-based directory replacement for AD.  It works well for distributed and/or small companies where a typical AD environment would not work well.

It has user management (that can sync with GSuite), machine management, and some group policies.  It supports SSO with GSuite, AD, and many sites.  Support is excellent.  They have a RADIUS implementation that is a breeze to set up.

 

You can learn more about them at JumpCloud.com

 

A model citizen

Re: Meraki VPN

Thanks. I see the first 10 accounts are free. I’ll try that. 

A model citizen

Re: Meraki VPN

I made the changes, changed the IKE to "password", but when I connect using AD authentication, I'm getting:

 

"The remote connection was denied because the user name and password combination you provided is not recognized, or the selection authentication protocol is not permitted on the remote access server"

 

I tried to login with the username and using domain name\username

 

I also tried to VPN with "Dial in" enabled in Active Directory for my account.

Getting noticed

Re: Meraki VPN

When you set up the server, did you enable LDAP?  If so, is it using the default port?

 

A model citizen

Re: Meraki VPN

I'm sorry, how would I check that?  Sounds like I didn't do that.

Getting noticed

Re: Meraki VPN

There are a number of YouTube videos on it. Google LDAP with your version of Windows server. You will need a certificate, but can generate one on your server.

 

 

A model citizen

Re: Meraki VPN

I have a certificate. I remember creating one for connecting AD to MX. I’ll look at LDAP. 
