More than one Client VPN authentication method

Ted-Laun
Here to help

More than one Client VPN authentication method

Is there a way to set the client VPN to use AD and also Meraki authentication? I have had to shutdown all of my DCs because of an emergency power issue.  I would like to be able to connect to VPN without a DC being online.

8 Replies 8
BlakeRichardson
Kind of a big deal
Kind of a big deal

@Ted-Laun  You can only select one option at a time, your options are AD, RADIUS or Meraki Auth.

 

You could use a cloud hosted directory like Jumpcloud which might offer you with more flexability. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Ted-Laun
Here to help

Seems ridiculous that a $10k Firewall would only have one option. You should be able to have at least a few admins that can authenticate client VPN locally. Keep bumping into "little" things like this with Meraki. 

CptnCrnch
Kind of a big deal
Kind of a big deal

That's not something based on the price on a firewall or something Meraki does "wrong". If you actively decide to use AD, you should have proper HA designs for that in place. 😉

 

But of course, this is just another point of view.

Ted-Laun
Here to help

I disagree, for disaster situations networking gear is going to be more robust than back-end AD or radius servers. Meraki is also designed for small to medium sized organizations, that may not have multi-site redundancy.  

CptnCrnch
Kind of a big deal
Kind of a big deal

Why not choose Meraki Cloud Authentication or something like Jumpcloud then? They‘re prolly more scalable and / or reliable from your point of view.

 

However, I don‘t think we‘ll find a common ground here. The fact is: you don‘t have a technical possibility to fulfill your requirement with Meraki or several other vendors. As these will happily build their stuff around requirements for as many customers as possible, that seem to be perfectly happy with that. Perhaps your requirements are simply different. But we‘re getting philosophical here. 🙂

cmr
Kind of a big deal
Kind of a big deal

@CptnCrnch I do actually agree with @Ted-Laun here, it should be possible to set a primary and secondary auth method, or even just have local/Meraki as secondary to a remote method such as AD. 

 

We do use a VPN head end that supports this and despite having 4x AD DCs we did come into a situation where just having one admin that could connect via local auth was useful and reduced our recovery time by about an hour when we had a vendor engineer take down our primary datacenter while our (then) primary WAN provider was having a wobble that stopped the datacenters talking despite the failover WAN being 100%.

 

One new SAN vendor and a Meraki SD-WAN solution later, we shouldn't ever need the local auth again, but it was useful that one time!

If my answer solves your problem please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal
Kind of a big deal

This is easy.  It's an emergency situation.

 

Just change it to use Meraki authentication during the emergency.  When the emergency is done - change it back.

cmr
Kind of a big deal
Kind of a big deal

🤣of course!  I was stuck in the old way of thinking where you have to be inside the LAN to manage the edge 🤦‍

 

+ infinity kudo for @PhilipDAth 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels