myUser can connect to VPN otherUser can't.    I copied both accounts and created two new accounts.    vpntest copied from otherUser vpntest2 copied from myUser Both these accounts have the same password and that password is in compliance with domain policy.    I removed all AD security groups except the one needed for Merkai authentication as defined in the NPS policy, and the Domain Users group.    Given the same computer, using iPhone hotspot (off corp network), vpntest cannot connect (691 error) to VPN vpntest2 can connect to VPN.    Even newly created users are able to access the VPN. It just seems to be with specific users who have been with the company for a very long time. Even their usernames are different naming convention. Is there an attribute some where that maybe acting as an alias for another attribute?    I'm just trying to think outside the box on this one. Very strange.  ... View more

in AD U&C I copied the problem user account, gave it name and pass. saved. Attempted to connect to VPN. The 691 error is replicated. ... View more

Thank you for providing feedback. Here are my findings.    Invalid User Credentials I have changed the user's credentials and verified they're correct by successful authenticating to other systems that use LDAP. The user receives an error when attempting to connect to the VPN while I and others are able to use the same computer and the same VPN configuration to connect to the network. User Not Authorized This doesn't apply as we are using RADIUS for authentication.  No Cert on AD Server Also not applicable as I'm using RADIUS for Client VPN Authentication Incorrect DNS name resolution from the MXs upstream DNS server Im not sure where I can find this setting (I still learning about Meraki) Also, if this were the problem, wouldn't all users experience the issue? Only two specific users are unable to connect to the VPN. The vast majority of other users have no problem at all.  Mismatch Pre Share Keys I created a new VPN connection on a new computer. I manually entered all configuration settings and the pre-shared key, which I verified was correct within my documentation and Meraki dashboard. I was able to successfully authenticate with my credentials, but not with this user having a problem. The same error that has been thrown during this process, was thrown again. Error 691.    On my Radius Server I have verified the users meet the conditions for windows groups for the network policy.    One thing I have noticed is these users having problems have been at the company for a long time. They have older AD accounts. I was curious if there was anything that could cause a problem related to that?    IAS Logs CLIENTCOMP ServiceName RecordDate RecordTime PackeyType UserName FQDN of UserName CallingStationID       Client IP Addr ClientFriendlyName   ServiceType? AuthenticationType PolicyName ReasonCode   MS_RAS-Client-Name MS-RAS-Client-Version NPS_Server IAS 6/21/2019 7:38:42 1 me@mydomain FQDN of AD User Object, as expected CLIENTVPN same value 3 0 expected IP Meraki 1 2 1 Meraki_VPN 0 311 1 10.2.1.2 05/30/2019 02:55:51 1501 Meraki_VPN 1 NPS_Server IAS 6/21/2019 7:38:42 2   FQDN of AD User Object, as expected       0 expected IP Meraki 1 2 1 Meraki_VPN 0 311 1 10.2.1.2 05/30/2019 02:55:51 1501 Meraki_VPN 1 NPS_Server IAS 6/21/2019 7:40:18 1 other_user@mydomain FQDN of AD User Object, as expected CLIENTVPN same value 3 0 expected IP Meraki 1   1 Meraki_VPN 0 311 1 10.2.1.2 05/30/2019 02:55:51 1502 Meraki_VPN 1 NPS_Server IAS 6/21/2019 7:40:18 2   FQDN of AD User Object, as expected       0 expected IP Meraki 1 4 1 Meraki_VPN 0 311 1 10.2.1.2 05/30/2019 02:55:51 1502 Meraki_VPN 1   The first thing I notice is the different service types.   me@mydomain can access the VPN no problem.  other_user@mydomain cannot access the VPN at all.    Any thoughts or observations? What am I missing?  ... View more