I’m using a trial MX, so far everything went well except for the VPN.
Im only able to connect using the Meraki authentication. Meraki recommends using PAP, but if I use that I’m not able to connect. If I use the Windows CHAP, I can connect.
I like Ike to use Acrivd Directory or RADIUS for authentication, and I believe I have everything setup correctly on the Windows server side, but I’m not able to connect.
Ofcourse, Meraki doesn’t have their own VPN client, this makes it more difficult. I’m thinking about going with other firewall options.
Anyone able to connect using Active Directory or RADIUS? I’m not getting much help from Meraki. I’m sorry for the rant, but just frustrated.
I understand there are strengths and weaknesses in every solution.
Meraki MX got a collection of features / services. Agreed the solution is evolving. Every quarter you will see new updates.
Ex. Auto VPN is a solid solution. Gives us lots of peace of mind.
However Client VPN is not an enterprise offer say in comparison to Anyconnect or any other solution.
Hopefully we may see improvement down the line.
A few times it becomes a challenge integrating Active Directory with Meraki. However proper troubleshooting helps us with successful AD integration.
Most of the times I found Meraki support to be very responsive and responsible. However as AD is not in their scope I have seen them limiting the assistance.
If Client VPN is the most required service for your enterprise may be... Meraki will not fit in well as of now.
However I have a customer with over 600+ remote users on this.
You may also try to connect to a Meraki Partner / SE from your region for assistance.
Finally Meraki or No Meraki is always a customers call.
I know AD is Windows, but why Meraki norm have it’s own VPN client like the Cisco AnyConnnect? They’ve been promising this for years. I don’t understand why release a product if you can use its full features.
I only have one site, so I can’t comment on site-to-site VPN.
I only have one site, so I can’t comment on site-to-site VPN.
I have three clients using the Windows 10 VPN client to connect to their Meraki VPN with the authentication done by Windows 10.
The client side should should have the following settings checked on the Security tab of the Wan Mini Port properties:
On the Networking tab, Click on Internet Protocol Version 4 (TCP/IPv6), then click on the Properties button.
Then click on the advanced button and make sure Use default gateway on remote network is checked.
On the Server side of things, I set up a new domain admin account for the user that will be used as the domain administrator on the Meraki web site.
On the Meraki Web site, under Security & SD Wan, I setup a seperate subnet for the VPN. Meraki will be routing between the VPN subnet and the local subnet of the domain. I also specified the Name servers of the Domain controller. I set Authentication to Active Directory and set new Meraki user as the domain admin.
That is it. Reply to me if you have any more questions.
Thank you. I’ll try that. Are you manually doing this or by a script? On then Merai website it says to use PAP only.
If you don’t mind me asking, which version of Windows 10 are you using?
I set up the connection manually as the number of VPN users is not that large, and most are off site.
As for the protocols, I originally set clients up using PAP only, but when testing Systems Manager I noticed it enabled all protocols and that works as well.
Most of my clients are not on the October update, and are a mix of Home and Pro.
Try using this powershel script to configure the client VPN on a Windows 10 machine. It is 100% correct.
I have had issues in the past where Windows wont work because of special characters in the pre-shared key (e,g. ")" breaks it).
So you could try using a simpler PSK as well.
Thanks, on the Powershell script, for the domain name do you put the full domain name?
for example, if my domain is test.local,
do I put test or test.local?
Ill try a simple psk, I don’t have any special characters, but I do have numbers.
>On the Meraki web page, it calls for the short name, and that is working for all tree clients
What page is this? It if says to use the short name - it is wrong.
On the Client VPN page, when the authentication is set to Active Directory, the ActiveAdiectory server settings has 4 fields. The first fiield is titled "Short domain".
Are we talking about two different things?
>On the Client VPN page, when the authentication is set to Active Directory, the ActiveAdiectory server settings has 4 fields. The first fiield is titled "Short domain".
In the dashboard, that is correct.
But we were talking about the DNS suffix field in the powershell command.
I’m assuming if I want to use RADIUS authentication, this will work also once I make the Meraki the client?
I already created a security in AD called VPN Users and made myself a member.
I have one client using RADIUS authentication with JumpCloud, and it works nicely.
If you have AD, then secure LDAP should suffice. If you don't want to use a certificate for LDAP, then shared secret with RADIUS is good, but a bit more work to setup.
JumpCloud is a cloud based directory replacement for AD. It works well for distributed and or small companies where a typical AD environment would not work well.
It has user management (that can sync with GSuite), machine management, and some some group policies. It supports SSO with GSuite, AD, and many sites. Support is excellent. They have a RADIUS implementation that is a breeze to setup.
You can learn more about them at JumpCloud.com
I made the changes, changed the ike to "password", but when I connect using AD authentication, I'm getting.
"The remote connection was denied because the user name and password combination you provided is not recognized, or the selection authentication protocol is not permitted on the remote access server"
I tried to login with the username and using domain name\username
I also tried to VPN with "Dial in" enabled in Active Directory for my account.
There are a number of YouTube videos on it. Google LDAP with your version of Windows server. You will need a certificate, but can generate one on your server.