cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
  • About CloudViking86

Re: Anyconnect on MX64 support

by in Security / SD-WAN
‎10-18-2021 11:41 PM
‎10-18-2021 11:41 PM
Did you ever get this resolved? Same situation, running 16.13 on our MX64 w. "Advanced Security": no option for "AnyConnect".   Recently applied 16.13 (just yesterday) but have restarted the MX. Feels weird it ("AnyConnect") should just be there after X amount of days w. beta firmware? ... View more

Configuring Active Directory Authentication

by in Security / SD-WAN
‎10-18-2021 09:09 AM
3 Kudos
‎10-18-2021 09:09 AM
3 Kudos
Hello, So I've actually finished configuring our MX to use Active Directory-authentication and wanted to share what I've learned which hopefully can help others.   Now this worked for me, it doesn't have to work for you and my DCs are located upstream (i.e. in a remote subnet which we reach through the site-to-site VPN); * Regarding the cert: ** Remember that you enter the IP (or at least I did) in the Meraki dashboard so the cert needs to have the IP of the server and not just the FQDN of the server You can test this using "ldp.exe" which is included (?) on Windows Server, if you are running this on your own desktop then you will need to copy the "ldp.exe" and also "ldp.exe.mui" as well as creating a folder called "en-us" in the directory where "ldp.exe" resides and move "ldp.exe.mui" to the "en-us" folder. ** Remember to add the cert to "Active Directory Domain Services"; LDAP over SSL (LDAPS) Certificate - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)   * Regarding the user / pass ** Remember to use only a-z and 0-9 for the username and password. ** Remember to check the account you created to see what it's "Pre-Windows 2000" username is, my username was too long when checking the "Pre-Windows 2000"-field so it had been cut off when it had reached the max. amount of character.   * To get this working with an account that isn't domadmin; Grant Minimum Permission to an Active Directory User Account Used by the Sourcefire User Agent - Cisco ^ I followed these steps; ** Giving the user WMI-permissions ** Giving the user DCOM-permissions (I am yet to actually see if the group policy works, it doesn't seem to be supported through ClientVPN but Cisco states that it doesn't and I don't have the appliance where I am so waiting for a colleague to verify. The config works however and I can fetch AD-groups)   * Regarding network connectivity TCP 135 TCP 445 TCP 3268 TCP 49152-65535 (RPC "high-ports") whitelisted against the MX's highest numbered VLAN participating in the site-to-site VPN ex; 192.168.1.1/24 = VLAN 1 = Not participating 192.168.2.1/24 = VLAN 200 = Participating <-- This is not the highest numbered VLAN but it is the highest numbered VLAN participating in the site-to-site so 192.168.2.1/32 is the MX's IP calling the DCs 192.168.3.1/24 = VLAN 300 = Not participating Active Directory Issue Resolution Guide - Cisco Meraki   * Regarding general config ** Domain = the "shortname" of the domain, ex. "ad.mydomain.com" is the FQDN then "ad" is the shortname ** IP = the IP without any CIDR notation ex. "192.168.4.1" ** Username = the username without any domain prefix, ex. "myuseraccount" and NOT "ad\myuseraccount" ^ Remember a-z, 0-9 and check the "Pre-Windows 2000" for the user so your username hasn't been shortened due to too many chars. ** Password = a password (see below) ^ Remember a-z, 0-9 Hopefully this might have helped someone who is setting this up! Best Regards - Karl ... View more
Labels:

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem ...

by in Security / SD-WAN
‎03-29-2021 04:14 AM
‎03-29-2021 04:14 AM
Just wanted to reference to this "UserVoice" idea which is that Intune should support configuring VPN w. L2TP-PSK / PAP; https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/41712955-enhanced-l2tp-configu... Please upvote that if you are using Intune and want to easier be able to manage MerakiVPN. ... View more

Re: [Question] - How to deploy Client-VPN, L2TP+PSK? CMAK? GPO?

by in Security / SD-WAN
‎03-29-2021 04:03 AM
1 Kudo
‎03-29-2021 04:03 AM
1 Kudo
Just wanted to reference to this "UserVoice" idea which is that Intune should support configuring VPN w. L2TP-PSK / PAP; https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/41712955-enhanced-l2tp-configuration-profiles-for-windows Please upvote that if you are using Intune and want to easier be able to manage MerakiVPN. ... View more

Re: VPN DNS - Host name, Not FQDN

by in Security / SD-WAN
‎03-22-2021 09:14 AM
‎03-22-2021 09:14 AM
Hello,   In the same situation here; * I can specify the DNS-servers for the VPN-adapter (Meraki VPN) which would overwrite the default DNS-server specified in Meraki (such as Google) to resolve FQDN however resolving shortnames such as "mycomputer" as opposed to "mycomputer.ad.mydomain.com" fails since you can't append DNS-suffixes since it is greyed out. You can specify a WINS-server in the VPN-settings; https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Resolving_NetBIOS_names_over_Client_VPN however I fail to see how that would solve that the client knows which domain to append to the shortname i.e. to append "ad.mydomain.com" to "computer1"? Unless its inferred when specifying a WINS-server (i.e. use the domain that the WINS-server belongs to)?  ... View more
© 2021 Meraki