Non Domain Admin Users Unable to Sign into VPN using LDAP

Comes here often

Non Domain Admin Users Unable to Sign into VPN using LDAP

Remote access VPN works fine using Meraki credentials.  When we moved over to using AD we noticed that only domain admins are able to sign in.  The single DC is also a CA and has a certificate installed which is still valid.  If I take jdoe and attempt to sign in I get:

The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.

As soon as I add jdoe to domain admins however he is able to connect w/ no issues.  I'm trying to determine what would be the cause of this as the error points to a certificate issue but it works when the same user is an admin.  Has anyone seen anything similar?  Packet captures on a failed connection indicate a response is coming from the DC to reject the login.

 

14 REPLIES
Kind of a big deal

Re: Non Domain Admin Users Unable to Sign into VPN using LDAP

Do regular users have the Dial-In permission in AD?

Comes here often

Re: Non Domain Admin Users Unable to Sign into VPN using LDAP

I don't believe so.  I added the permission to the test account I've been using but that still failed.

A model citizen

Re: Non Domain Admin Users Unable to Sign into VPN using LDAP

I have a client with Server 2016, and the VPN setup to use AD authentication.

 

I installed Network Policy Services on the server, and then setup a policy for the VPN.

 

Once that is installed, open up NPS and under NPS\Policies\Connection Request Policies, enable both TS GATEWAY AUTHORIZATION POLICY and Use Windows authentication for all users.

 

Then under NPS\Policies\Connection\Network Policies enable the RDG_CAP_AllUsers policy.

 

I can send you screenshots if you PM me.  Also, the  may be a simpler method, depending on the number of users in your AD.

 

 

Comes here often

Re: Non Domain Admin Users Unable to Sign into VPN using LDAP

Thanks for the idea.  Hadn't thought about installing another role on the DC, but that might be the easier route for sure.  I'll see about getting that role installed and creating a policy and then re-pointing the MX.  

Kind of a big deal

Re: Non Domain Admin Users Unable to Sign into VPN using LDAP

Is the search DN equal to the base of your AD domain?

Comes here often

Re: Non Domain Admin Users Unable to Sign into VPN using LDAP

Where is the search DN defined for VPN setup?  I know on an ASA that's available and critical but I didn't see that field anywhere on the Meraki dashboard.  The account I'm testing w/ is in a different OU than the domain admins but I've confirmed moving it to the same OU has no impact.  And leaving it in the original OU but making it an admin does allow it to connect.

Kind of a big deal

Re: Non Domain Admin Users Unable to Sign into VPN using LDAP

My mistake.  It doesn't let you specify the base DN.

 

When the authentication fails - what do you get in the security event log in Windows?

Comes here often

Re: Non Domain Admin Users Unable to Sign into VPN using LDAP

I get a 691 error in Windows.

A model citizen

Re: Non Domain Admin Users Unable to Sign into VPN using LDAP

How are the users entering their user name?  If it is username@domain, you may try just username, or domain\username.

 

Also, check out this thread:

 

https://community.meraki.com/t5/Security-SD-WAN/Meraki-VPN-Some-users-get-691-error-when-authenticat...

Kind of a big deal

Re: Non Domain Admin Users Unable to Sign into VPN using LDAP

Comes here often

Re: Non Domain Admin Users Unable to Sign into VPN using LDAP

Thanks for the links.  Users are entering username as jdoe and then the password.  Fails normally, but if I add jdoe to the Domain Admins group (w/o making any other changes) that account is able to login w/o any issues.  

Comes here often

Re: Non Domain Admin Users Unable to Sign into VPN using LDAP

Modified the setup and found the same thing.  Domain Admins connect w/o a problem but standard users fail.  Looking into if a GPO might be causing the issue.

Comes here often

Re: Non Domain Admin Users Unable to Sign into VPN using LDAP

So switched this to Radius instead of LDAP and getting the same.  Domain Admins get right in; remove the user from that group and it fails w/ an incorrect password.  

A model citizen

Re: Non Domain Admin Users Unable to Sign into VPN using LDAP

@mumbles202 Did you ever setup a Network Policy Manager?
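As an added example (not from this thread, Meraki or Microsoft), a PowerShell check that compares the failing and the working account on the attributes the replies above ask about (Dial-In permission, group membership, OU) and then pulls the NPS denial events from the Security log that the "691" discussion points to. It assumes it runs on the DC/NPS host with the ActiveDirectory module (RSAT) installed; the account names are placeholders.

```powershell
# Added example: compare a failing and a working account, then list NPS denials.
# Assumes the ActiveDirectory module and that this runs on the DC/NPS server.
Import-Module ActiveDirectory

$accounts = @('jdoe', 'admin.user')   # placeholder sAMAccountNames: failing vs. working

foreach ($sam in $accounts) {
    $u = Get-ADUser -Identity $sam -Properties msNPAllowDialin, MemberOf, DistinguishedName,
            LockedOut, PasswordExpired, AccountExpirationDate, LogonWorkstations, adminCount
    [pscustomobject]@{
        User        = $u.SamAccountName
        OU          = ($u.DistinguishedName -replace '^CN=[^,]+,', '')
        DialIn      = $u.msNPAllowDialin     # $true = Allow, $false = Deny, $null = control via NPS policy
        Enabled     = $u.Enabled
        LockedOut   = $u.LockedOut
        PwdExpired  = $u.PasswordExpired
        Expires     = $u.AccountExpirationDate
        LogonWkstns = $u.LogonWorkstations   # a workstation restriction also blocks remote logons
        AdminCount  = $u.adminCount          # 1 = protected by AdminSDHolder (object ACL differs)
        DomainAdmin = [bool]($u.MemberOf | Where-Object { $_ -like 'CN=Domain Admins,*' })  # direct membership only
    }
}

# NPS "denied access" events (Security log, event ID 6273) from the last day.
# ReasonCode/Reason state why the request was rejected (dial-in denied,
# no matching policy, bad credentials, ...), which the VPN client's 691 does not.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $d['SubjectUserName']
            ReasonCode = $d['ReasonCode']
            Reason     = $d['Reason']
            Policy     = $d['NetworkPolicyName']
        }
    } | Format-Table -AutoSize
```

If the first table shows no difference beyond group membership and adminCount, the second table's reason code is the next thing to read, since a policy or credential rejection and a dial-in denial surface as the same 691 on the client.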
