Meraki VPN

tantony
Head in the Cloud

Meraki VPN

I’m using a trial MX, so far everything went well except for the VPN. 

 

I'm only able to connect using the Meraki authentication. Meraki recommends using PAP, but if I use that I'm not able to connect. If I use the Windows CHAP, I can connect.

 

I'd like to use Active Directory or RADIUS for authentication, and I believe I have everything set up correctly on the Windows server side, but I'm not able to connect.

 

Of course, Meraki doesn't have their own VPN client, which makes it more difficult. I'm thinking about going with other firewall options.

 

Anyone able to connect using Active Directory or RADIUS?   I’m not getting much help from Meraki. I’m sorry for the rant, but just frustrated. 

30 Replies
AjitKumar
Head in the Cloud

Hi,

I understand there are strengths and weaknesses in every solution.

Meraki MX has a collection of features / services. Agreed, the solution is evolving. Every quarter you will see new updates.

 

E.g. Auto VPN is a solid solution. Gives us lots of peace of mind.

 

However, Client VPN is not an enterprise offering, say in comparison to AnyConnect or any other solution.

Hopefully we may see improvement down the line.

 

A few times it becomes a challenge integrating Active Directory with Meraki. However, proper troubleshooting helps us with successful AD integration.

 

Most of the time I found Meraki support to be very responsive and responsible. However, as AD is not in their scope, I have seen them limit their assistance.

 

If Client VPN is the most required service for your enterprise, maybe Meraki will not fit in well as of now.

However, I have a customer with over 600 remote users on this.

 

You may also try to connect to a Meraki Partner / SE from your region for assistance.

Finally, Meraki or no Meraki is always the customer's call.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
tantony
Head in the Cloud

I know AD is Windows, but why doesn't Meraki have its own VPN client like the Cisco AnyConnect? They've been promising this for years. I don't understand why release a product if you can't use its full features.

 

I only have one site, so I can’t comment on site-to-site VPN. 

DHAnderson
Head in the Cloud

I have three clients using the Windows 10 VPN client to connect to their Meraki VPN with the authentication done by Windows 10.

 

The client side should have the following settings checked on the Security tab of the WAN Miniport properties:

  • Layer 2 Tunnelling Protocol with IPsec (L2TP/IPsec)
  • Require Data Encryption (disconnect if server declines)
  • Use Extensible Authentication Protocol (EAP)
  • Allow the following protocols:
      • Unencrypted PAP
      • Challenge Handshake Authentication Protocol (CHAP)
      • Microsoft CHAP Version 2 (MS-CHAP v2)
  • Leave the checkbox for Windows login name blank.

On the Networking tab, click on Internet Protocol Version 4 (TCP/IPv4), then click on the Properties button.

Then click on the Advanced button and make sure "Use default gateway on remote network" is checked.

 

On the Server side of things, I set up a new domain admin account for the user that will be used as the domain administrator on the Meraki web site. 

 

On the Meraki web site, under Security & SD-WAN, I set up a separate subnet for the VPN. Meraki will be routing between the VPN subnet and the local subnet of the domain. I also specified the name servers of the domain controller. I set Authentication to Active Directory and set the new Meraki user as the domain admin.

 

That is it.  Reply to me if you have any more questions.

 

- Dave

 

 

Dave Anderson

Thank you. I'll try that. Are you manually doing this or by a script? On the Meraki website it says to use PAP only.

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

 

If you don’t mind me asking, which version of Windows 10 are you using?

I set up the connection manually as the number of VPN users is not that large, and most are off site.

 

As for the protocols, I originally set clients up using PAP only, but when testing Systems Manager I noticed it enabled all protocols and that works as well.

 

Most of my clients are not on the October update, and are a mix of Home and Pro.

Dave Anderson

Ok thank you. I’ll try that Monday. 

tantony
Head in the Cloud

When users connect to VPN, do they login with domain name/username or just username?

Just user name.

 

- Dave

Dave Anderson

Thanks 

PhilipDAth
Kind of a big deal

Try using this PowerShell script to configure the client VPN on a Windows 10 machine. It is 100% correct.

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

 

I have had issues in the past where Windows won't work because of special characters in the pre-shared key (e.g. ")" breaks it).

So you could try using a simpler PSK as well.

Thanks, on the Powershell script, for the domain name do you put the full domain name?

 

for example, if my domain is test.local,

do I put test or test.local?

 

I'll try a simple PSK. I don't have any special characters, but I do have numbers.

Just use the short name of test
Dave Anderson
PhilipDAth
Kind of a big deal

You should use test.local, the full AD domain.

On the Meraki web page, it calls for the short name, and that is working for all three clients. Perhaps the long name works as well, but I have not tested that.
Dave Anderson

>On the Meraki web page, it calls for the short name, and that is working for all tree clients

 

What page is this? If it says to use the short name, it is wrong.

On the Client VPN page, when the authentication is set to Active Directory, the Active Directory server settings has 4 fields. The first field is titled "Short domain".

 

Are we talking about two different things?

Dave Anderson

>On the Client VPN page, when the authentication is set to Active Directory, the ActiveAdiectory server settings has 4 fields.  The first fiield is titled "Short domain".

 

In the dashboard, that is correct.

 

But we were talking about the DNS suffix field in the powershell command.
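Dave's Security-tab checklist above and the DNS suffix point Philip makes here can both be expressed with the built-in VpnClient cmdlets. The script below is an added example; it is not the ifm.net.nz script Philip links to and not Meraki's own tooling. The connection name, the MX address, the pre-shared key and the domain are placeholders.

```powershell
# Added example, not the thread's script and not Meraki's own tooling. Builds the
# Windows 10 L2TP/IPsec client connection the thread describes with the built-in
# VpnClient cmdlets. All values below are placeholders.
$Name   = 'Meraki Client VPN'
$Server = 'vpn.example.com'     # placeholder: public hostname or IP of the MX
$Psk    = 'PLACEHOLDER_PSK'     # keep it simple: ")" and similar characters break the Windows client
$Domain = 'test.local'          # DNS suffix: the full AD domain, not the dashboard's "Short domain"

# Start clean so re-running the script does not fail on an existing entry.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

$vpn = @{
    Name                 = $Name
    ServerAddress        = $Server
    TunnelType           = 'L2tp'      # "Layer 2 Tunnelling Protocol with IPsec"
    L2tpPsk              = $Psk
    AuthenticationMethod = 'Pap'       # what the Meraki OS configuration page asks for
    EncryptionLevel      = 'Required'  # "Require Data Encryption (disconnect if server declines)"
    DnsSuffix            = $Domain
    SplitTunneling       = $false      # same as "Use default gateway on remote network" checked
    RememberCredential   = $true
    Force                = $true
    PassThru             = $true
}
$conn = Add-VpnConnection @vpn

# Show what was configured so it can be compared against the Security tab in the GUI.
$conn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                      EncryptionLevel, DnsSuffix, SplitTunneling

# To connect, use the plain user name (no DOMAIN\ prefix, as Dave notes). The "*"
# makes rasdial prompt for the password instead of taking it on the command line:
#   rasdial $Name jdoe *
```

`-AuthenticationMethod` accepts a list, so Dave's "all protocols enabled" variant is `@('Pap','Chap','MSChapv2')` in place of `'Pap'`; PAP alone is what the linked Meraki page specifies.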

Thanks to both. I’ll try these tomorrow and let you know if it works. 

tantony
Head in the Cloud

I’m assuming if I want to use RADIUS authentication, this will work also once I make the Meraki the client?

 

I already created a security group in AD called VPN Users and made myself a member.

I have one client using RADIUS authentication with JumpCloud, and it works nicely.

 

If you have AD, then secure LDAP should suffice.  If you don't want to use a certificate for LDAP, then shared secret with RADIUS is good, but a bit more work to setup.

 

Dave Anderson

Thanks again. Going to test tomorrow. 

tantony
Head in the Cloud

Is JumpCloud only for Meraki APs, or also for the MX?

JumpCloud is a cloud-based directory replacement for AD. It works well for distributed and/or small companies where a typical AD environment would not work well.

 

It has user management (that can sync with GSuite), machine management, and some group policies. It supports SSO with GSuite, AD, and many sites. Support is excellent. They have a RADIUS implementation that is a breeze to set up.

 

You can learn more about them at JumpCloud.com

 

Dave Anderson

Thanks. I see the first 10 accounts are free. I’ll try that. 

tantony
Head in the Cloud

I made the changes, changed the ike to "password", but when I connect using AD authentication, I'm getting:

 

"The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server"

 

I tried to login with the username and using domain name\username

 

I also tried to VPN with "Dial in" enabled in Active Directory for my account.

When you setup the server, did you enable LDAP?  If so, is it using the default port?

 

Dave Anderson

I'm sorry, how would I check that?  Sounds like I didn't do that.

There are a number of YouTube videos on it. Google LDAP with your version of Windows Server. You will need a certificate, but you can generate one on your server.
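Dave's two questions (is LDAP enabled on the server, and is it on the default port?) can be answered from any Windows machine that can reach the domain controller. The function below is an added example, not something from the thread: it opens a TLS connection to the DC, reports the certificate it presents, and says whether the name matches and whether this machine trusts the chain. The DC name is a placeholder; 636 is the standard LDAPS port, and the port the MX actually uses for AD authentication should be taken from the Meraki documentation.

```powershell
# Added example, not from the thread. Checks that a domain controller answers TLS on
# the LDAP port and reports the certificate it presents, so a failed AD authentication
# can be separated into "port closed", "no or invalid certificate" and "wrong credentials".
# Host name is a placeholder; 636 is the standard LDAPS port (confirm the port the MX
# uses against the Meraki documentation).
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 636,
        [int] $TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "No TCP answer from ${Server}:${Port} within ${TimeoutMs} ms: LDAPS not enabled, or a firewall in the way"
        }
        $client.EndConnect($async)

        # Accept whatever certificate is offered at this point; name and trust are checked
        # explicitly below so the result explains *why* a client would reject it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Subject Alternative Name extension (OID 2.5.29.17), rendered as text for a name check.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
               ForEach-Object { $_.Format($false) }
        $nameMatches = ($cert.GetNameInfo('DnsName', $false) -eq $Server) -or ($san -like "*$Server*")

        [pscustomobject]@{
            Server       = $Server
            Port         = $Port
            TlsProtocol  = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            DaysToExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
            NameMatches  = $nameMatches     # the DC name entered on the dashboard must be in the cert
            ChainTrusted = $cert.Verify()   # trusted by this machine's certificate store
        }
        $ssl.Dispose()
    }
    finally {
        $client.Close()
    }
}

# Usage (placeholder DC name):
Test-LdapsEndpoint -Server 'dc01.test.local' -Port 636 | Format-List
```

A timeout means the port is not listening or is filtered; a successful handshake with `NameMatches` false means the certificate was issued for a different name than the one the MX is configured to contact; `DaysToExpiry` going negative is the self-signed-certificate case that tends to surface months after everything first worked.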

 

 

Dave Anderson

I have a certificate. I remember creating one for connecting AD to MX. I’ll look at LDAP. 
