Access Point MR-xx failed to connect Active Directory

Chrisvalenzuela
Here to help


Hello everyone, I have the following problem with the communication and deployment of the captive portal (splash login) between the Meraki access points and my current Active Directory.

I have a total of 9 access points distributed throughout the corporate network, but I cannot find the loss of communication with the captive portal (splash login).


The passwords of the users (AD) are updated, and the communication via ICMP packets to the AD server is successful, but the communication with port 3268 is what fails, and they cannot communicate.

alemabrahao
Kind of a big deal

Review the documentation.


https://documentation.meraki.com/MR/MR_Splash_Page/Integrating_Active_Directory_with_Sign-On_Splash_...

Active Directory Configuration

The following requirements must be configured on each AD server being used for authentication:

  • Every AD server specified in Dashboard must hold the Global Catalog role. Please refer to Microsoft documentation for specific configuration steps.
  • Since communication between the MR and AD server will be encrypted using TLS, a valid certificate with the appropriate parameters must be configured on the server.
    • If no certificate is present, it will be necessary to install a Self-Signed certificate.
    • If a certificate already exists, please ensure that it has been configured with the necessary parameters for TLS.
  • The MR will communicate from its LAN IP with each AD server over TCP port 3268, to ensure that no firewalls or ACLs on the network or server will block that communication.

When Active Directory authentication is configured, the MR queries the Global Catalog over TCP port 3268. Therefore the Active Directory server (Domain Controller) specified in Dashboard must also hold the Global Catalog role.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
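The three requirements quoted above (TCP 3268 reachable from the AP's LAN, the Global Catalog role held by the server named in Dashboard, and a certificate the TLS client will accept) can be checked from any host on the access-point VLAN before opening a ticket. The script below is an added example, not Meraki's code and not something posted in this thread; it uses only the Python standard library, builds the LDAP rootDSE search by hand so that no LDAP client package is needed, and reads the `isGlobalCatalogReady` attribute that a Global Catalog publishes. It assumes the domain controller allows an anonymous rootDSE read (the Windows default) and that a plain connection on 3268 is acceptable for this probe; it goes slightly beyond the quoted text by also covering 3269, where the connection is LDAPS and the server certificate is verified against `cafile` (or the system trust store). The host name and the sample response bytes are constructed placeholders.

```python
"""Check a domain controller for the MR splash-page requirements: TCP reachability
on the Global Catalog port and a rootDSE that reports isGlobalCatalogReady=TRUE.
Added example (not Meraki's code); standard library only."""
import socket
import ssl


def ber(tag, payload):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + payload


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nb = first & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    else:
        n = first
    return tag, buf[pos:pos + n], pos + n


def build_rootdse_probe(message_id=1, attr="isGlobalCatalogReady"):
    """LDAP SearchRequest (APPLICATION 3) for the rootDSE: empty base, baseObject scope."""
    search = (
        ber(0x04, b"")                           # baseObject "" = rootDSE
        + ber(0x0A, b"\x00")                     # scope: baseObject
        + ber(0x0A, b"\x00")                     # derefAliases: never
        + ber(0x02, b"\x00")                     # sizeLimit 0
        + ber(0x02, b"\x00")                     # timeLimit 0
        + ber(0x01, b"\x00")                     # typesOnly FALSE
        + ber(0x87, b"objectClass")              # filter: present(objectClass)
        + ber(0x30, ber(0x04, attr.encode()))    # attributes to return
    )
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x63, search))


def split_messages(buf):
    """Split a byte stream into complete LDAPMessages -> [(protocolOp tag, op bytes)].
    A trailing partial message is ignored so the caller can keep reading."""
    out, pos = [], 0
    while pos < len(buf):
        try:
            _, msg, nxt = read_tlv(buf, pos)
        except IndexError:
            break
        if nxt > len(buf):
            break
        _, _, p = read_tlv(msg)                  # messageID
        op_tag, op, _ = read_tlv(msg, p)
        out.append((op_tag, op))
        pos = nxt
    return out


def parse_entry(op):
    """SearchResultEntry body -> {attribute name: [string values]}."""
    _, _, p = read_tlv(op)                       # objectName (empty for rootDSE)
    _, attr_list, _ = read_tlv(op, p)            # PartialAttributeList
    attrs, q = {}, 0
    while q < len(attr_list):
        _, pa, q = read_tlv(attr_list, q)        # PartialAttribute SEQUENCE
        _, name, r = read_tlv(pa)
        _, vals, _ = read_tlv(pa, r)             # SET OF values
        values, s = [], 0
        while s < len(vals):
            _, v, s = read_tlv(vals, s)
            values.append(v.decode())
        attrs[name.decode()] = values
    return attrs


def gc_ready_from_stream(buf):
    """True/False once the SearchResultEntry has arrived, None while incomplete."""
    for op_tag, op in split_messages(buf):
        if op_tag == 0x64:                       # SearchResultEntry
            return parse_entry(op).get("isGlobalCatalogReady", ["FALSE"])[0] == "TRUE"
    return None


def probe_global_catalog(host, port=3268, timeout=3.0, cafile=None):
    """Connect like the MR does and report reachability separately from GC readiness,
    so a firewall/ACL block looks different from a DC that lacks the GC role."""
    result = {"host": host, "port": port, "reachable": False, "gc_ready": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            sock = raw
            if port == 3269:                     # LDAPS: verify the DC certificate
                ctx = ssl.create_default_context(cafile=cafile)
                sock = ctx.wrap_socket(raw, server_hostname=host)
            result["reachable"] = True
            sock.sendall(build_rootdse_probe())
            buf = b""
            while result["gc_ready"] is None:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
                result["gc_ready"] = gc_ready_from_stream(buf)
    except OSError as exc:                       # refused, timeout, TLS failure
        result["error"] = str(exc)
    return result


# Constructed sample of a GC's answer: SearchResultEntry with
# isGlobalCatalogReady=TRUE, followed by SearchResultDone (resultCode success).
SAMPLE_GC_RESPONSE = (
    ber(0x30, ber(0x02, b"\x01") + ber(0x64, ber(0x04, b"") + ber(0x30, ber(
        0x30, ber(0x04, b"isGlobalCatalogReady") + ber(0x31, ber(0x04, b"TRUE"))))))
    + ber(0x30, ber(0x02, b"\x01") + ber(0x65, ber(0x0A, b"\x00") + ber(0x04, b"") + ber(0x04, b"")))
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.internal"  # placeholder
    print(probe_global_catalog(target, 3268))
    print(probe_global_catalog(target, 3269))
```

Run it from a machine on the same VLAN as an access point, with the DC name exactly as entered in Dashboard. `reachable: False` on 3268 points at a firewall or ACL between the AP subnet and the DC; `reachable: True, gc_ready: False` means the DC answers but does not hold the Global Catalog role; a certificate error on 3269 means the self-signed or existing certificate will not be trusted without adding it to the client's trust store.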

I have reviewed all the documentation for the deployment of access control for Active Directory users through splash login with their accounts, but I still cannot achieve effective communication.

Are you using the short domain\user?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

What permissions should the Active Directory admin account have?

And I am using the UPN of each Active Directory account.

Doc 😉

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

User permissions for the Active Directory account do not need to be anything special, I believe. Ours is just a member of Domain Users.

I am also experiencing this issue but we have a call logged with Meraki as it appears to be a wider issue and being looked at by some internal team.

artboi
New here

I just got off the phone with a rep; this issue just presented itself on our network today. Nothing in the network changed, connectivity from AP to server is good, but it keeps failing on the AD Global Catalog service port. They informed me that this is a Meraki-wide issue, as they are seeing it in multiple networks.

Have you gotten a solution for this? My AD connectivity failed today/yesterday; support are looking into it but haven't got back to me yet.

Yesterday I was able to communicate with Meraki support by creating a ticket, and they told me that they are experiencing a bug about this same case: loss of communication in Meraki (MR) authentication with splash login and Active Directory integration.

I just got a message from Meraki support that a back-end cloud communication issue was the cause of the failure of the APs communicating with AD servers on port 3268.
Now I wonder if changing the ports on the server and the APs would have fixed this problem.

Regardless, I feel like Meraki is not being transparent on this issue.

We tried different ports, 3268 and 3269, and got the same issue. Didn't try any other port numbers.

This does seem to be corrected now.

Yes, received word from Meraki this morning at approx. 8:30 GMT that the issue has been resolved. All of our users can authenticate and all access points can communicate with the Global Catalog again.

Chrisvalenzuela
Here to help

On Friday of last week he told me that the group of Meraki engineers had made some fixes in the communication on port 3268 toward the Active Directory integration, which now allows communication. In case of failures, it also never hurts to renew the network cabling (Cat6) of the access point.
