The Meraki Community
lmorel

Getting noticed

Member since Feb 23, 2020

‎04-13-2023
Kudos from (user: count)
  • PhilipDAth (Kind of a big deal): 2
  • Roska: 2
  • BeckerIT: 1
  • Nash: 1
Kudos given to (user: count)
  • Dave2000: 1
  • alemabrahao (Kind of a big deal): 2
  • PhilipDAth (Kind of a big deal): 9
  • KPI: 1
  • Malarkey_MX: 1

Community Record
  • Posts: 28
  • Kudos: 6
  • Solutions: 0

Badges
  • 25 Posts
  • First 5 Posts
  • Lift-Off

Latest Contributions by lmorel

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

by lmorel in Security / SD-WAN
04-13-2023 02:31 PM
Where have you been since 1995 while using Windows?? Still same ol' Windows with a fresh coat of paint, every other year. Microsoft is the one calling it innovation 😃 Unless you have no Windows client to administer then good for you and apologies.

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

by lmorel in Security / SD-WAN
04-13-2023 10:16 AM
I wasn't trying to fix anything. Just the timing of me making changes to our environment last night seemed suspicious to me. It looks like it was an Edge-related update, based on other Meraki threads and specifically this one: [RESOLVED] Security Center False Positive Alert - April 13th 2023 - The Meraki Community

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

by lmorel in Security / SD-WAN
04-13-2023 09:14 AM
Exact same SHA-256: 975c0d48c41d2ad76a242d5f7270f4bf8063bb9c753b375ab2c47c9e2060f562 with same IP 72.21.81.240. I had a couple of users with the "Try New Outlook" toggle switch in Outlook yesterday, including myself. I took steps with registry edit to force the toggle switch to be seen by more users. I also believe that toggle switch in Outlook is not used anymore but I could be wrong. Long story short, I made changes late yesterday for Office 365 so certain users could access the Office preview channel. It might be a coincidence so please take this with a grain of salt. (I am more or less "relieved" others are having the same issue so I know I didn't break anything....)

Re: AnyConnect SBL and SAML

by lmorel in Security / SD-WAN
01-09-2023 11:30 AM
Any news for SBL and SAML to work together?

Re: Sudden untrusted server blocked error message with AnyConnect clients

by lmorel in Security / SD-WAN
12-17-2022 10:02 AM
2 Kudos
Thank you Philip! I turned off AnyConnect then waited 30min or so (busy with something else) then turned it back on. Fixed it. I rebooted the MX first with 16.16 firmware. Didn't fix it (certificate was still expired). I did not upgrade firmware to latest either. I also asked if support could manually renew certificate and they said no (or didn't want to).

Re: Sudden untrusted server blocked error message with AnyConnect clients

by lmorel in Security / SD-WAN
12-14-2022 01:48 PM
Thank you Phil! I created a case by calling them. Was an hour on the phone and agent was trying to figure out if certificate was expired. He also escalated the issue internally. He asked me to upgrade tonight to latest firmware to force the certificate recreation. I also used my AnyConnect android app to clearly show me the details on when the certificate expired (last night) and was not automatically renewed. I asked them via email to see if they can generate a new/valid certificate before tonight, I cannot work on that MX until late tonight or users will come out with pitchforks and torches.

Re: Sudden untrusted server blocked error message with AnyConnect clients

by lmorel in Security / SD-WAN
12-14-2022 01:45 PM
Thank you for the tip! Meraki Certificate for that appliance is expired so it won't work, even if I use the IP. I suspect SAML authentication and possibly other things break at that point.

Re: Sudden untrusted server blocked error message with AnyConnect clients

by lmorel in Security / SD-WAN
12-14-2022 09:52 AM
I apologize, I should have mentioned we did this already. I'm more worried about certificate and/or DNS issues. We use SAML as well for AnyConnect authentication.

Sudden untrusted server blocked error message with AnyConnect clients

by lmorel in Security / SD-WAN
12-14-2022 09:29 AM
Hello everyone! Two of my users just reported they get the following error message when using AnyConnect and connecting using the default appliance hostname as we have done for over a year now without issues. What could create this? Meraki cloud issue and/or certificate issue on Meraki's side? Running MX 16.16 on MX250.

Re: AnyConnect popping up

by lmorel in Security / SD-WAN
03-01-2022 11:17 AM
So I double-checked that I didn't use the Profile Update on the MX for the AnyConnect client. It was disabled. So I decided to upload that profile.xml file with the settings I mentioned in the original post. And what do you know. It works now and the settings are properly showing the chosen options. I will monitor how the Disable Captive Portal Detection option behaves.

Re: AnyConnect popping up

by lmorel in Security / SD-WAN
03-01-2022 11:05 AM
OK, so I noticed under the Options of the client, I am seeing that the "Disable Captive Portal Detection" option is unchecked (value is "true" in xml file, not false...) and present ( = but User Controllable is set to false in xml file). I am not sure I understand why these values are not observed though. That would explain why I am having those pop-ups then....

AnyConnect popping up

by lmorel in Security / SD-WAN
02-28-2022 12:45 PM
I am testing AnyConnect and got the authentication part working well (SAML). But now I am wondering about the user experience and the AnyConnect client popping up anytime there is a change in connectivity with my wifi or ethernet connection. For example, I am in the office right now and anytime I stepped away from my desk long enough and I come back, the AnyConnect client is open with the "You may need to use a browser to gain access". Interestingly enough, my laptop is plugged in with power and set to not go to sleep. I suspect power saving changes made by Microsoft in the last few years are more aggressive and some devices go to "sleep". AnyConnect picks up on it and pops up. While this might be a small annoyance (just close it), I know my users are going to complain a lot. I thought I just needed to disable the Disable Captive Portal Detection option and I already did that. And this is what I have in my profile file:
<DisableCaptivePortalDetection UserControllable="false">true</DisableCaptivePortalDetection>
Other options I have currently configured in my profile file that might be relevant (or not):
<AutoConnectOnStart UserControllable="false">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<AutoReconnect UserControllable="false">false</AutoReconnect>
<SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<AutomaticVPNPolicy>true
  <TrustedDNSDomains>my_domain_here</TrustedDNSDomains>
  <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
  <UntrustedNetworkPolicy>DoNothing</UntrustedNetworkPolicy>
  <AlwaysOn>false </AlwaysOn>
</AutomaticVPNPolicy>
Labels:
  • Client VPN

Re: Start before log on (SBL) with AnyConnect and SAML question

by lmorel in Security / SD-WAN
02-27-2022 06:10 PM
Thank you! I also saw others discussing this topic for ASAs and SAML. I can't find that link right now though.

Start before log on (SBL) with AnyConnect and SAML question

by lmorel in Security / SD-WAN
02-24-2022 03:34 PM
By design, I was wondering if anyone could confirm that the Start before log on (SBL) feature cannot work when using SAML authentication for AnyConnect. Correct?
Labels:
  • Azure
  • Client VPN

Re: AnyConnect, SAML and Certificate Authentication

by lmorel in Security / SD-WAN
02-21-2022 10:12 PM
I apologize for the long delay. Thank you @PhilipDAth for the info! I have been using SAML and Conditional Access in Azure and require BOTH options of "Require Hybrid Azure AD joined device" and "MFA" to grant access. It works very well. Maybe I am still struggling to understand that Certificate Authentication option mentioned in my original post and what you explained earlier. Are you implying this is an option to use IF I use RADIUS only and to NOT use if I use SAML? Selecting the Enabled setting only allows to upload a "file". I am not an expert on the certificate side of things but a CSR of some sort would need to be used, right? I was watching a video on YouTube about the Certificate Authentication setup for Cisco ASAs, just to get an idea of the whole concept. There is evidently information to be used to and from the ASA in order to complete the setup. And by looking at the MX interface, it looks like things are "missing" or not well explained. But now I am re-reading your post and I am guessing it's not needed (or can't be used) with SAML. I used TDN in the AnyConnect profile to disconnect the client when inside the office. But that wouldn't stop the user from clicking on Connect again and still successfully connect while inside the office. So I created another Conditional Access rule to NOT grant access to an AnyConnect connection IF the user is physically located at a Trusted IP site (in the office). Works well as well as I get an Azure message telling me I cannot go past the SAML step. This should be clear enough to remind the user to stop trying.

AnyConnect, SAML and Certificate Authentication

by lmorel in Security / SD-WAN
01-16-2022 11:11 AM
I saw @PhilipDAth replied to another thread a few minutes ago and it might be related so I apologize in advance if I am creating a similar post here. I am playing with AnyConnect and using SAML as Authentication Type. Works well so far. I came across this setting about Certificate Authentication (showing as Disabled below). Would that be for when I deploy this certificate on my Windows 10 clients through GPO and Meraki checks and validates that this client is authorized to connect first then onto the SAML Azure AD authentication step? Can I use a 3rd-party certificate for this as opposed to self-signed? I found a couple of instructions for AnyConnect and SAML configuration (one simple and one detailed) off the Meraki website but I don't think this setting was explained.

Advanced Security License, Client VPN and Azure

by lmorel in Security / SD-WAN
01-12-2022 06:49 PM
We have been Advanced Security licensed for years and it's been good/great to us. We also use the Client VPN with Windows and been playing with AnyConnect as well. I was wondering about your opinion regarding the Advanced Security license and me thinking about routing my users through Azure point to site VPN instead of routing them back to my HQ through my MX250. I understand I will lose the ability of having their VPN traffic being "cleaned up" by the MX250 and the Advanced Security license while they WFH. I was thinking stability, better performance and Azure infrastructure in general would be better than my HQ and a single MX250 to handle my VPN users. Just thinking it would be a waste to not rely on the Advanced Security license and a lot riskier for my users and our business based on their traffic habits. We do have EDR loaded on clients.
Labels:
  • Azure
  • Client VPN

Re: AnyConnect VPN support for MX devices

by lmorel in Security / SD-WAN
02-11-2021 02:01 PM
1 Kudo
Yeah, I regret not taking a screenshot. They locked it down shortly after. It's funny, I asked my Meraki sales rep and his engineer about it and forwarded the link. Then I implied that it was getting frustrating that here we go once again, getting some new info that might be conflicting with everything else we hear or read so far. The engineer came back the next day with a "hey, I can't even access this link!". And I thought he was messing with me only to realize they locked it down and even he couldn't access the info.............. dude, for real. ???

Re: More than one VPN client at same location?

by lmorel in Security / SD-WAN
09-02-2020 11:35 AM
Thank you very much @SoCalRacer ! I checked and confirmed their subnets didn't conflict with anything. They are traveling right now. Used Comcast in California at home and using Spectrum right now in NC. I do not routers specifics. I also tried myself right now and ran into same issue through AT&T fiber and also tested through AT&T wireless and hotspot. So getting consistently same problem/behavior. I am going to revert to 14.42. Should I call support in case it is a setting they can adjust manually under beta or don't even bother?

Re: More than one VPN client at same location?

by lmorel in Security / SD-WAN
09-02-2020 10:40 AM
Thank you @SoCalRacer ! I could definitely try that. I was just wondering if that is something others have ever experienced. I remember running into that over 15 years ago through an ASA and AnyConnect only allowing one connection at a time from a VPN client and we could change that setting/value. I can't remember the details. But I guess our workforce has been working in the office most of the time in the last 4 years since we became Meraki customers and this is a "new" one right now. If anyone else has any input or suggestions, please let me know or share this here. I will try to revert to stable firmware this coming weekend.

More than one VPN client at same location?

by lmorel in Security / SD-WAN
09-02-2020 08:59 AM
I apologize in advance if this is a super dumb question. But I have a married couple WFH from same location and they can only connect one at a time. 2 separate laptops (assigned individually), Windows 10, built-in VPN client, full tunnel and RADIUS with AD. I actually watched the consistent behavior while I was pinging continuously. I had the Wife connected, pinging her VPN client IP, all fine. Then her Husband started to connect, showing as "Connecting..." while it seems to be in that state for a while and I can see his Wife's VPN IP immediately and fully dropping packets but NOT disconnecting. After what seems to be 20-30 seconds, the Husband gets the red error message about "The network connection between your computer and the VPN server.... (firewalls, NAT,...)". Right then I can see that the successful pinging is resuming on the Wife's laptop. If I have her disconnect and her husband connects, the reverse is also happening when she tries to connect and is already connected, consistently. As if the MX250 (running beta 15.34) only accepts one VPN client at a time from that public IP address where the married couple is located. Any suggestions or ideas?

Re: AnyConnect VPN support for MX devices

by lmorel in Security / SD-WAN
08-04-2020 09:54 PM
@Bsalami Curious since this is still a unicorn right about now: what kind of MFA support should we be expecting once the AnyConnect client is released? Or anyone who might be evaluating the beta AnyConnect client on a MX, would you care to share how you can handle MFA for Client VPN access? After all, Duo Security was acquired by Cisco. Just like Meraki....................................... It would be amazing if we could get some decent updates around here. I already complained to my Meraki rep about the serious lack of communication from Meraki to the masses. In comparison, it almost makes the White House look like masters in public relations in the last 6 months over anything that is COVID19 related......

Re: AnyConnect VPN support for MX devices

by lmorel in Security / SD-WAN
03-25-2020 08:19 AM
Once enabled by support in the closed beta, is it an all-or-nothing type of feature or an additional option and you can have mix and match versions of VPN client configs (meraki cloud, AD, Radius, etc)? (apologies in advance if I didn't use the proper terminology).

Re: MX84, Client VPN and who's who

by lmorel in Security / SD-WAN
03-12-2020 08:14 PM
Thank you very much @PhilipDAth

Re: AnyConnect VPN support for MX devices

by lmorel in Security / SD-WAN
03-12-2020 08:13 PM
3 Kudos
Was told today same thing. I am getting an additional MX through SHI and my account manager was going back and forth with his Meraki point of contact. Then I remembered this thread so I asked him about AnyConnect. He came back and said that he was told AnyConnect is in beta and release should be late spring. Exciting news to say the least. So the real question is: has anyone taken a 4K picture of Big Foot yet?

My Top Kudoed Posts
  • Re: AnyConnect VPN support for MX devices (Security / SD-WAN): 3 kudos, 48634 views
  • Re: Sudden untrusted server blocked error message with AnyConnect clients (Security / SD-WAN): 2 kudos, 2843 views
  • Re: AnyConnect VPN support for MX devices (Security / SD-WAN): 1 kudo, 22744 views
© 2023 Meraki