Meraki VPN

tantony
Head in the Cloud

Meraki VPN

I’m using a trial MX, so far everything went well except for the VPN. 

 

Im only able to connect using the Meraki authentication. Meraki recommends using PAP, but if I use that I’m not able to connect. If I use the Windows CHAP, I can connect.  

 

I like Ike to use Acrivd Directory or RADIUS for authentication, and I believe I have everything setup correctly on the Windows server side, but I’m not able to connect. 

 

Ofcourse, Meraki doesn’t have their own VPN client, this makes it more difficult. I’m thinking about going with other firewall options.  

 

Anyone able to connect using Active Directory or RADIUS?   I’m not getting much help from Meraki. I’m sorry for the rant, but just frustrated. 

30 Replies 30
AjitKumar
Head in the Cloud

Hi,

I understand there are strengths and weaknesses in every solution.

Meraki MX got a collection of features / services. Agreed the solution is evolving. Every quarter you will see new updates. 

 

Ex. Auto VPN is a solid solution. Gives us lots of peace of mind.

 

However Client VPN is not  an enterprise offer say in comparison to Anyconnect or any other solution.

Hopefully we may see improvement down the line.

 

A few times it becomes a challenge integrating Active Directory with Meraki. However proper troubleshooting helps us with successful AD integration. 

 

Most of the times I found Meraki support to be very responsive and responsible. However as AD is not in their scope I have seen them limiting the assistance.

 

If Client VPN is the most required service for your enterprise may be... Meraki will not fit in well as of now.

However I have a customer with over 600+ remote users on this.

 

You may also try to connect to a Meraki Partner / SE from your region for assistance.

Finally Meraki or No Meraki is always a customers call.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
tantony
Head in the Cloud

I know AD is Windows, but why Meraki norm have it’s own VPN client like the Cisco AnyConnnect?  They’ve been promising this for years. I don’t understand why release a product if you can use its full features. 

 

I only have one site, so I can’t comment on site-to-site VPN. 

tantony
Head in the Cloud

I know AD is Windows, but why Meraki norm have it’s own VPN client like the Cisco AnyConnnect?  They’ve been promising this for years. I don’t understand why release a product if you can use its full features. 

 

I only have one site, so I can’t comment on site-to-site VPN. 

DHAnderson
Head in the Cloud

I have three clients using the Windows 10 VPN client to connect to their Meraki VPN with the authentication done by Windows 10.

 

The client side should should have the following settings checked on the Security tab of the Wan Mini Port properties:

  • Layer 2 Tunnelling Protocol with IPSec (L2TP/IPsec)
  • Require Data Encryption (disconnect if server declines)
  • Use Extensible Authentication Protocol (EAP)
  • Allow the following protocols:
  • Unencrypted PAP
  • Challenge Handshake Authentication Protocol (CHAP)
  • Microsoft CHAP Version 2 (MS-CHAP v2)
  • Leave the checkbox for Windows login name blank.

On the Networking tab, Click on Internet Protocol Version 4 (TCP/IPv6), then click on the Properties button.

Then click on the advanced button and make sure Use default gateway on remote network is checked.

 

On the Server side of things, I set up a new domain admin account for the user that will be used as the domain administrator on the Meraki web site. 

 

On the Meraki Web site, under Security & SD Wan, I setup a seperate subnet for the VPN.  Meraki will be routing between the VPN subnet and the local subnet of the domain.  I also specified the Name servers of the Domain controller.  I set Authentication to Active Directory and set new Meraki user as the domain admin.

 

That is it.  Reply to me if you have any more questions.

 

- Dave

 

 

Dave Anderson
tantony
Head in the Cloud

Thank you. I’ll try that. Are you manually doing this or by a script?  On then Merai website it says to use PAP only. 

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

 

If you don’t mind me asking, which version of Windows 10 are you using?

DHAnderson
Head in the Cloud

I set up the connection manually as the number of VPN users is not that large, and most are off site.

 

As for the protocols, I originally set clients up using PAP only, but when testing Systems Manager I noticed it enabled all protocols and that works as well.

 

Most of my clients are not on the October update, and are a mix of Home and Pro.

Dave Anderson
tantony
Head in the Cloud

Ok thank you. I’ll try that Monday. 

tantony
Head in the Cloud

When users connect to VPN, do they login with domain name/username or just username?

DHAnderson
Head in the Cloud

Just user name.

 

- Dave

Dave Anderson
tantony
Head in the Cloud

Thanks 

PhilipDAth
Kind of a big deal
Kind of a big deal

Try using this powershel script to configure the client VPN on a Windows 10 machine. It is 100% correct.

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

 

I have had issues in the past where Windows wont work because of special characters in the pre-shared key (e,g. ")" breaks it).

So you could try using a simpler PSK as well.

tantony
Head in the Cloud

Thanks, on the Powershell script, for the domain name do you put the full domain name?

 

for example, if my domain is test.local,

do I put test or test.local?

 

Ill try a simple psk, I don’t have any special characters, but I do have numbers. 

DHAnderson
Head in the Cloud

Just use the short name of test
Dave Anderson
PhilipDAth
Kind of a big deal
Kind of a big deal

You should use test.local, the full AD domain.

DHAnderson
Head in the Cloud

On the Meraki web page, it calls for the short name, and that is working for all tree clients. Perhaps the long name works as well, but I have not tested that
Dave Anderson
PhilipDAth
Kind of a big deal
Kind of a big deal

>On the Meraki web page, it calls for the short name, and that is working for all tree clients

 

What page is this?  It if says to use the short name - it is wrong.

DHAnderson
Head in the Cloud

On the Client VPN page, when the authentication is set to Active Directory, the ActiveAdiectory server settings has 4 fields.  The first fiield is titled "Short domain".

 

Are we talking about two different things?

Dave Anderson
PhilipDAth
Kind of a big deal
Kind of a big deal

>On the Client VPN page, when the authentication is set to Active Directory, the ActiveAdiectory server settings has 4 fields.  The first fiield is titled "Short domain".

 

In the dashboard, that is correct.

 

But we were talking about the DNS suffix field in the powershell command.

tantony
Head in the Cloud

Thanks to both. I’ll try these tomorrow and let you know if it works. 

tantony
Head in the Cloud

I’m assuming if I want to use RADIUS authentication, this will work also once I make the Meraki the client?

 

I already created a security in AD called VPN Users and made myself a member. 

DHAnderson
Head in the Cloud

I have one client using RADIUS authentication with JumpCloud, and it works nicely.

 

If you have AD, then secure LDAP should suffice.  If you don't want to use a certificate for LDAP, then shared secret with RADIUS is good, but a bit more work to setup.

 

Dave Anderson
tantony
Head in the Cloud

Thanks again. Going to test tomorrow. 

tantony
Head in the Cloud

Is JumpCloud only for Meraki APs only or also for MX?

DHAnderson
Head in the Cloud

JumpCloud is a cloud based directory replacement for AD.  It works well for distributed and or small companies where a typical AD environment would not work well.

 

It has user management (that can sync with GSuite), machine management, and some some group policies.  It supports SSO with GSuite, AD, and many sites.  Support is excellent.  They have a RADIUS implementation that is a breeze to setup.

 

You can learn more about them at JumpCloud.com

 

Dave Anderson
tantony
Head in the Cloud

Thanks. I see the first 10 accounts are free. I’ll try that. 

tantony
Head in the Cloud

I made the changes, changed the ike to "password", but when I connect using AD authentication, I'm getting.

 

"The remote connection was denied because the user name and password combination you provided is not recognized, or the selection authentication protocol is not permitted on the remote access server"

 

I tried to login with the username and using domain name\username

 

I also tried to VPN with "Dial in" enabled in Active Directory for my account.

DHAnderson
Head in the Cloud

When you setup the server, did you enable LDAP?  If so, is it using the default port?

 

Dave Anderson
tantony
Head in the Cloud

I'm sorry, how would I check that?  Sounds like I didn't do that.

DHAnderson
Head in the Cloud

There are a number of YouTube videos on it. Google LDAP with your version of Windows server. You will need a certificate, but can generate one on your server.

 

 

Dave Anderson
tantony
Head in the Cloud

I have a certificate. I remember creating one for connecting AD to MX. I’ll look at LDAP. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels