Meraki

Community

More than one Client VPN authentication method

Ted-Laun
Here to help
‎Feb 18 2021 1:26 PM
‎Feb 18 2021 1:26 PM

More than one Client VPN authentication method

Is there a way to set the client VPN to use AD and also Meraki authentication? I have had to shutdown all of my DCs because of an emergency power issue.  I would like to be able to connect to VPN without a DC being online.

0 Kudos
8 Replies 8
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Feb 18 2021 2:38 PM
‎Feb 18 2021 2:38 PM

@Ted-Laun  You can only select one option at a time, your options are AD, RADIUS or Meraki Auth.

 

You could use a cloud hosted directory like Jumpcloud which might offer you with more flexability. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to BlakeRichardson
Ted-Laun
Here to help
‎Feb 18 2021 9:50 PM
‎Feb 18 2021 9:50 PM

Seems ridiculous that a $10k Firewall would only have one option. You should be able to have at least a few admins that can authenticate client VPN locally. Keep bumping into "little" things like this with Meraki. 

0 Kudos
In response to Ted-Laun
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Feb 18 2021 10:59 PM
‎Feb 18 2021 10:59 PM

That's not something based on the price on a firewall or something Meraki does "wrong". If you actively decide to use AD, you should have proper HA designs for that in place. 😉

 

But of course, this is just another point of view.

In response to CptnCrnch
Ted-Laun
Here to help
‎Feb 19 2021 11:07 AM
‎Feb 19 2021 11:07 AM

I disagree, for disaster situations networking gear is going to be more robust than back-end AD or radius servers. Meraki is also designed for small to medium sized organizations, that may not have multi-site redundancy.  

0 Kudos
In response to Ted-Laun
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Feb 19 2021 1:30 PM
‎Feb 19 2021 1:30 PM

Why not choose Meraki Cloud Authentication or something like Jumpcloud then? They‘re prolly more scalable and / or reliable from your point of view.

 

However, I don‘t think we‘ll find a common ground here. The fact is: you don‘t have a technical possibility to fulfill your requirement with Meraki or several other vendors. As these will happily build their stuff around requirements for as many customers as possible, that seem to be perfectly happy with that. Perhaps your requirements are simply different. But we‘re getting philosophical here. 🙂

0 Kudos
In response to CptnCrnch
cmr
Kind of a big deal
Kind of a big deal
‎Feb 20 2021 1:03 PM
‎Feb 20 2021 1:03 PM

@CptnCrnch I do actually agree with @Ted-Laun here, it should be possible to set a primary and secondary auth method, or even just have local/Meraki as secondary to a remote method such as AD. 

 

We do use a VPN head end that supports this and despite having 4x AD DCs we did come into a situation where just having one admin that could connect via local auth was useful and reduced our recovery time by about an hour when we had a vendor engineer take down our primary datacenter while our (then) primary WAN provider was having a wobble that stopped the datacenters talking despite the failover WAN being 100%.

 

One new SAN vendor and a Meraki SD-WAN solution later, we shouldn't ever need the local auth again, but it was useful that one time!

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 20 2021 11:45 PM
‎Feb 20 2021 11:45 PM

This is easy.  It's an emergency situation.

 

Just change it to use Meraki authentication during the emergency.  When the emergency is done - change it back.

In response to PhilipDAth
cmr
Kind of a big deal
Kind of a big deal
‎Feb 21 2021 1:15 AM
‎Feb 21 2021 1:15 AM

🤣of course!  I was stuck in the old way of thinking where you have to be inside the LAN to manage the edge 🤦‍

 

+ infinity kudo for @PhilipDAth 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.