cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

What is needed to use active directory to authorize users on a mx67

SOLVED
Highlighted
Here to help

What is needed to use active directory to authorize users on a mx67

New user; I have mx67, ms120, windows server 2016 running active directory and dns.

Is that enough to run client vpn and authorize users or do I need additional stuff on the windows 2016 server?

"3:27:21.633548 IP 166.173.59.91.33506 > 162.233.197.233.1701: l2tp:[TLS](24253/12933)Ns=4,Nr=3 *MSGTYPE(CDN) *ASSND_SESS_ID(12055) *RESULT_CODE(768/0 )" is the last message in a packet trace before I get "authentication failed" message.

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Here to help

Re: What is needed to use active directory to authorize users on a mx67

I was getting authorization failed. Turns out submitting username as domain\username instead of username@domainname was the problem. I knew it had to be something simple. On to the next set of challenges.

View solution in original post

5 REPLIES 5
Highlighted
Kind of a big deal

Re: What is needed to use active directory to authorize users on a mx67

Highlighted
Here to help

Re: What is needed to use active directory to authorize users on a mx67

Thank you, I have reviewed the document step by step for the past week. My experience says it has to be something simple/basic at this point. Does the fact that I have one clan (vlan 0) for everything? No errors on the AD server. Packet capture shows traffic to and from the domain controller on port 3268 but I don't really know what I looking at beyond the traffic is there.

 

Currently, Active Directory-based authentication works only if one of the following is true:

  • The Domain Controller is in a VLAN configured on the appliance
  • The Domain Controller is in a subnet for which a static route is configured on the appliance
  • The Domain Controller is accessible through the VPN.

If there are multiple Domain Controllers in the domain, all of them must meet one of these criteria in order for Active Directory integration to function properly.

 

I think I have satisfied the above requirement because packet capture shows traffic between the  device on the wan port (IPHONE connected to let network) and Lan device (Domain Controller).

 

Meraki cloud Authentication works but it is not the best solution for my network because I have applications running on the network that will be accessed by outside vendors that I eventually will want to separate them on to a separate vlan.

 

I have to be missing something probably simple.

 

Highlighted
Kind of a big deal

Re: What is needed to use active directory to authorize users on a mx67

What is actually wrong?  What is not working?  What error messages and codes do you get?

Highlighted
Here to help

Re: What is needed to use active directory to authorize users on a mx67

I was getting authorization failed. Turns out submitting username as domain\username instead of username@domainname was the problem. I knew it had to be something simple. On to the next set of challenges.

View solution in original post

Highlighted
Getting noticed

Re: What is needed to use active directory to authorize users on a mx67

Congrats and off to the next issue!  Life in IT...

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.