Non Domain Admin Users Unable to Sign into VPN using LDAP

mumbles202
Comes here often

Remote access VPN works fine using Meraki credentials.  When we moved over to using AD we noticed that only domain admins are able to sign in.  The single DC is also a CA and has a certificate installed which is still valid.  If I take jdoe and attempt to sign in I get:

The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.

As soon as I add jdoe to domain admins, however, he is able to connect w/ no issues.  I'm trying to determine what would be the cause of this, as the error points to a certificate issue but it works when the same user is an admin.  Has anyone seen anything similar?  Packet captures on a failed connection indicate a response is coming from the DC to reject the login.

 

14 Replies
CptnCrnch
Kind of a big deal

Do regular users have the Dial-In permission in AD?

mumbles202
Comes here often

I don't believe so.  I added the permission to the test account I've been using but that still failed.

DHAnderson
Head in the Cloud

I have a client with Server 2016, and the VPN setup to use AD authentication.

I installed Network Policy Services on the server, and then set up a policy for the VPN.

Once that is installed, open up NPS and under NPS\Policies\Connection Request Policies, enable both TS GATEWAY AUTHORIZATION POLICY and Use Windows authentication for all users.

Then under NPS\Policies\Connection\Network Policies enable the RDG_CAP_AllUsers policy.

I can send you screenshots if you PM me.  Also, the  may be a simpler method, depending on the number of users in your AD.

Dave Anderson
mumbles202
Comes here often

Thanks for the idea.  Hadn't thought about installing another role on the DC, but that might be the easier route for sure.  I'll see about getting that role installed and creating a policy and then re-pointing the MX.  

PhilipDAth
Kind of a big deal

Is the search DN equal to the base of your AD domain?

mumbles202
Comes here often

Where is the search DN defined for VPN setup?  I know on an ASA that's available and critical, but I didn't see that field anywhere on the Meraki dashboard.  The account I'm testing w/ is in a different OU than the domain admins, but I've confirmed moving it to the same OU has no impact.  And leaving it in the original OU but making it an admin does allow it to connect.

PhilipDAth
Kind of a big deal

My mistake.  It doesn't let you specify the base dn.

 

When the authentication fails - what do you get in the security event log in Windows?

mumbles202
Comes here often

I get a 691 error in Windows.
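The two diagnostic questions raised so far in the thread, whether the user has the Dial-In permission and what the DC's Security log records when the attempt fails, can both be answered from one PowerShell session on the DC. The script below is an added example, not something posted by anyone in the thread. It assumes it runs elevated on the single DC with the ActiveDirectory module available, that "jdoe" is the failing test account from the thread, and that the account it picks from Domain Admins for comparison is one that is known to connect; event 6273 will only appear if NPS/RADIUS is in the path, while a Meraki LDAP bind that fails shows up as a 4625/4776 on the DC instead.

```powershell
<#
  Added example (not from the thread): compare a failing VPN user against a working
  Domain Admin, then pull the DC's Security-log records for the failed attempts.
  Assumptions: run elevated on the DC with the ActiveDirectory module; 'jdoe' is the
  failing test account; 6273 only exists when NPS (RADIUS) is the authenticator.
#>
param(
    [string]$FailingUser = 'jdoe',
    [string]$WorkingUser,          # defaults to the first user in Domain Admins
    [int]$Hours = 24
)

Import-Module ActiveDirectory

# Account properties that commonly make a VPN logon fail for one user but not another.
function Get-VpnAuthProfile {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties msNPAllowDialin, memberOf, LockedOut, PasswordExpired, SmartcardLogonRequired, LogonWorkstations

    # Dial-In tab "Network Access Permission": $true = Allow, $false = Deny,
    # attribute unset = Control access through NPS Network Policy.
    $dialIn = if ($null -eq $u.msNPAllowDialin) { 'Control via NPS policy (unset)' }
              elseif ($u.msNPAllowDialin)       { 'Allow' }
              else                              { 'Deny' }

    [pscustomobject]@{
        User              = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        Enabled           = $u.Enabled
        LockedOut         = $u.LockedOut
        PasswordExpired   = $u.PasswordExpired
        SmartcardRequired = $u.SmartcardLogonRequired
        LogonWorkstations = $u.LogonWorkstations
        DialIn            = $dialIn
        Groups            = ($u.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
    }
}

# Failed authentications for one user, decoded from each event's EventData XML.
#   4625 = logon failure (covers an LDAP simple bind from the MX), 4776 = NTLM credential
#   validation (Status 0x0 is success, anything else a failure), 6273 = NPS denied access.
function Get-VpnAuthFailures {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625, 4776, 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($e in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$e.Name] = $e.'#text' }

        $target = if ($_.Id -eq 6273) { $d['SubjectUserName'] } else { $d['TargetUserName'] }
        if ($target -notlike "*$SamAccountName*") { return }            # skip other accounts
        if ($_.Id -eq 4776 -and $d['Status'] -eq '0x0') { return }      # skip successful NTLM checks

        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            Target     = $target
            Source     = if ($_.Id -eq 6273) { $d['ClientIPAddress'] } else { $d['IpAddress'] }
            # NTSTATUS on 4625/4776: 0xC000006A bad password, 0xC0000064 no such user,
            # 0xC0000072 disabled, 0xC0000234 locked out, 0xC0000070 workstation restriction.
            Status     = $d['Status']
            SubStatus  = $d['SubStatus']          # 4625 only; the more specific of the two
            # NPS reason codes on 6273: 16 credentials mismatch, 48 no matching network policy,
            # 49 no matching connection request policy, 65 Dial-In set to Deny,
            # 66 authentication method not enabled on the matching network policy.
            ReasonCode = $d['ReasonCode']
            Reason     = $d['Reason']
            Policy     = $d['NetworkPolicyName']
        }
    }
}

if (-not $WorkingUser) {
    $WorkingUser = Get-ADGroupMember -Identity 'Domain Admins' |
        Where-Object objectClass -eq 'user' |
        Select-Object -First 1 -ExpandProperty SamAccountName
}

# Side by side: any property that differs between the two accounts is a lead.
$FailingUser, $WorkingUser | ForEach-Object { Get-VpnAuthProfile -SamAccountName $_ } | Format-List

# What the DC actually said when the failing user was rejected.
Get-VpnAuthFailures -SamAccountName $FailingUser -Hours $Hours | Sort-Object Time | Format-Table -AutoSize
```

Read the second table before changing anything: a 6273 with ReasonCode 48 or 65 points at NPS policy or the Dial-In setting, a 16 or a 4625 with SubStatus 0xC000006A means the DC never accepted the password at all, and if nothing is logged for the user, the rejection seen in the capture is not coming from an account logon and the MX's bind account or the LDAP configuration is the next place to look.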

DHAnderson
Head in the Cloud

How are the users entering their user name?  If it is username@domain, you may try just username, or domain\username.

 

Also, check out this thread:

 

https://community.meraki.com/t5/Security-SD-WAN/Meraki-VPN-Some-users-get-691-error-when-authenticat...

Dave Anderson
mumbles202
Comes here often

Thanks for the links.  Users are entering username as jdoe and then the password.  Fails normally, but if I add jdoe to the Domain Admins group (w/o making any other changes) that account is able to login w/o any issues.  

mumbles202
Comes here often

Modified the setup and found the same thing.  Domain Admins connect w/o a problem but standard users fail.  Looking into if a GPO might be causing the issue.

mumbles202
Comes here often

So switched this to Radius instead of LDAP and getting the same.  Domain Admins get right in; remove the user from that group and it fails w/ an incorrect password.  

DHAnderson
Head in the Cloud

@mumbles202 Did you ever setup a Network Policy Manager?

Dave Anderson