Meraki

Community

Access Point MR-xx failed to connect Active Directory

Chrisvalenzuela
Here to help
‎Mar 19 2024 11:57 AM
‎Mar 19 2024 11:57 AM

Access Point MR-xx failed to connect Active Directory

Hello everyone, I have the following problem in the communication and deployment of the captive portal (splash login) between the Meraki access points and my current active directory.

I have a total of 9 access points distributed throughout the corporate network but I cannot find the loss of communication with the captive portal (splash login)

 

Chrisvalenzuela_0-1710874452051.png

 

The passwords of the users (AD) are updated, the communication via ICMP packets to the AD server is successful but the communication with port 3268 is what fails and they cannot communicate

Labels:
0 Kudos
14 Replies 14
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 19 2024 12:05 PM
‎Mar 19 2024 12:05 PM

Review the documentation.

 

https://documentation.meraki.com/MR/MR_Splash_Page/Integrating_Active_Directory_with_Sign-On_Splash_...

 

 

Active Directory Configuration

The following requirements must be configured on each AD server being used for authentication:

  • Every AD server specified in Dashboard must hold the Global Catalog role. Please refer to Microsoft documentation for specific configuration steps.
  • Since communication between the MR and AD server will be encrypted using TLS, a valid certificate with the appropriate parameters must be configured on the server.
    • If no certificate is present, it will be necessary to install a Self-Signed certificate.
    • If a certificate already exists, please ensure that it has been configured with the necessary parameters for TLS.
  • The MR will communicate from its LAN IP with each AD server over TCP port 3268, to ensure that no firewalls or ACLs on the network or server will block that communication.

When Active Directory authentication is configured, the MR queries the Global Catalog over TCP port 3268. Therefore the Active Directory server (Domain Controller) specified in Dashboard must also hold the Global Catalog role.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
Chrisvalenzuela
Here to help
‎Mar 19 2024 12:08 PM
‎Mar 19 2024 12:08 PM

I have reviewed all the documentation for the deployment of access control for active directory users through splash login with their accounts but I still cannot achieve effective communication.

0 Kudos
In response to Chrisvalenzuela
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 19 2024 12:11 PM
‎Mar 19 2024 12:11 PM

alemabrahao_0-1710875455594.png

Are you using the short domain\user?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Chrisvalenzuela
Here to help
‎Mar 19 2024 12:24 PM
‎Mar 19 2024 12:24 PM

What permissions should the active directory admin account have?

and I am using the UPN of each active directory account

0 Kudos
In response to Chrisvalenzuela
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 19 2024 12:28 PM
‎Mar 19 2024 12:28 PM

Doc 😉

 

alemabrahao_0-1710876519506.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to Chrisvalenzuela
Thommo
Comes here often
‎Mar 20 2024 8:55 AM
‎Mar 20 2024 8:55 AM

User permissions for the Active Directory account does not need to be anything special I believe. Ours is just a member of domain users

 

I am also experiencing this issue but we have a call logged with Meraki as it appears to be a wider issue and being looked at by some internal team.

0 Kudos
artboi
New here
‎Mar 20 2024 11:57 AM
‎Mar 20 2024 11:57 AM

I just got off the phone with a rep, this issue just presented itself on our network today. Nothing in the network changed, connectivity from AP to server is good, but it keeps failing on port AD Global catalog service port. They informed me that this is a meraki-wide issue, as they are seeing it in multiple networks.

0 Kudos
In response to artboi
Richard12
Just browsing
‎Mar 21 2024 8:49 AM
‎Mar 21 2024 8:49 AM

Have you gotten a solution for this? my AD connectivity failed today/yesterday, support are looking into it but haven't got back to me yet.

0 Kudos
In response to Richard12
Chrisvalenzuela
Here to help
‎Mar 22 2024 6:13 AM
‎Mar 22 2024 6:13 AM

Yesterday I was able to communicate with Meraki support by creating a ticket and they told me that they are presenting a bug about this same case, loss of communication in Meraki (MR) authentication with splash login and active directory integration

0 Kudos
In response to Chrisvalenzuela
artboi
New here
‎Mar 25 2024 8:51 AM
‎Mar 25 2024 8:51 AM

I just got a message from Meraki support that a back-end cloud communication issue was the cause of the failure of the APs communicating with AD servers on port 3268.
Now I wonder if changing the ports on the server and the APs would have fixed this problem.

Regardless, I feel like Meraki is not being transparent on this issue.

0 Kudos
In response to artboi
Thommo
Comes here often
‎Mar 25 2024 9:29 AM
‎Mar 25 2024 9:29 AM

We tried different ports 3268 and 3269 and got the same issue .. Didn't try any other port numbers ..

0 Kudos
In response to Richard12
Richard12
Just browsing
‎Mar 25 2024 8:56 AM
‎Mar 25 2024 8:56 AM

This does seem to be corrected now

0 Kudos
In response to Richard12
Thommo
Comes here often
‎Mar 25 2024 9:27 AM
‎Mar 25 2024 9:27 AM

Yes recieved word from Meraki this morning approx 8:30 GMT that the issue has been resolved . All of our users can Authenticate and all Access points can communicate with Global Catalog again.

0 Kudos
Chrisvalenzuela
Here to help
‎Mar 25 2024 9:22 AM
‎Mar 25 2024 9:22 AM

On Friday of last week he told me that the group of Meraki engineers had made some fixes in the communication with port 3268 towards the integration and active directory which now allows communication. In case of failures, it also never hurts to renew the network cabling (cat6) of the access point.

 

update access control.png

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.