Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About CloudViking86
Community Record
11
Posts
5
Kudos
0
Solutions
Badges
03-14-2022
04:05 AM
Thanks for your reply. As I wrote in a reply to Phillip we already have AzureMFA included and don't pay any additional cost to use it and it makes administration easier and easier for the end-user. Thanks for the suggestion though!
... View more
03-14-2022
04:02 AM
Thank you (once again) for a helpful reply. I really don't understand why my user seems to fulfill the MFA-requirement, checking the Conditional Access Sign-In Logs and searching for the correlation ID which I got when looking into my "Success"-event; Activity Details: Sign-ins > Basic Info
Additional Details
MFA requirement satisfied by claim in the token
Activity Details: Sign-ins > Conditional Access
Policy Name: Not applicable
Activity Details: Sign-ins > Report Only
Enforce MFA (Cisco AnyConnect)
Require multi-factor authentication
Session Control: <blank>
Report-only: Success So I get that if I had a session control on that conditional access policy it could have been satisified when logging into other O365-services but in this case that isn't configured and no other conditional access policies are applied. AzureMFA is also included in our user's licenses so we don't pay anything extra to use AzureMFA since the user's have a license that cover that for other infrastructure needs (Intune etc.). Weird. The thing is that we basically don't want another MFA-service. It makes it harder for the end-users to use another app then Microsoft Authenticator and its another thing to administer. We could go the NPS-route and install the AzureMFA-addon but that would introduce the following problems: * The AzureMFA NPS-addon forces ALL RADIUS-clients to use MFA * RADIUS-servers are shared between IPSec-VPN and AnyConnect VPN meaning that I can't route AnyConnect to specific NPS / RADIUS-servers
... View more
03-11-2022
06:51 AM
Hello, I know that you can use RADIUS-authentication and install the NPS-addon for Azure MFA to get MFA however I am wondering if this is also possible when using SAML-authentication to AzureAD and then scoping the Cisco AnyConnect Enterprise App in a Conditional Access policy (which requires MFA)? I've tried getting it to work, i.e.: * Created a policy that scopes both my user and the Cisco AnyConnect enterprise application ** The policy has: Grant: Require multi-factor authentication When I check the "Insights & Reporting"-log and filter for that policy and the Cisco AnyConnect enterprise app I can see that the policy applies to my user (I can see my sign-in attempt) but my user is in the "Not applied"-category. I tried creating a dedicated conditional access policy for AnyConnect (since the one I mentioned before has an additional parameter - session control) and with the dedicated policy my user was in the "Success" category. Now I might be tired but I was expecting my user to be in the "User action required"-category (see below) since if the policy was enabled (it's currently in "report only"-mode) I would have needed to authenticate using my AzureMFA. Conditional Access; Success : Number of users where the selected polic(ies) granted access and the required controls were satisifed Failure : Number of users where the selected polic(ies) denied access and the required controls were not satisfied User action required : Number of users where the selected report-only policy applied but user action (e.g. MFA or Terms of Use) would be required if the policy were enabled. Not applied : Number of users that are bypassing the selected polic(ies) because the sign-in did not match at least one of the assignments or conditions. Now have I completely misunderstood "Require multi-factor authentication"; Does it actually prompt for MFA or does it simply require that the user has a MFA setup / is enrolled into MFA? If its the former then I don't understand how my login can be "Sucess" since it should have been "User action required" IF it isn't like this: Having Azure MFA on various services I might have already within some magic hidden timeframe satisfied that requirement i.e. I have authenticated with another service which requires Azure MFA. If it is the latter then I get that my login is a "Success" since my account is enrolled into MFA. Microsofts documentation about the "grant" - "Require multi-factor authentication"; Grant controls in Conditional Access policy - Azure Active Directory | Microsoft Docs Sorry for the long post! Best Regards - Karl, Sweden
... View more
03-10-2022
08:18 AM
My colleague got back to me (he is in country Z with the closest server of country B, country A is my country and is set to the default server), attaching a snippet of his "DARTBundle" AnyConnect-log below; ******************************************
Date : 03/10/2022
Time : 22:46:37
Type : Information
Source : acvpnui
Description : Function: ClientIfcBase::handleAHSPreferences
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\clientifcbase.cpp
Line: 4508
OGS is enabled
******************************************
Date : 03/10/2022
Time : 22:46:37
Type : Information
Source : acvpnui
Description : Function: CHeadendSelection::selectHeadend
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp
Line: 268
Starting OGS processing for connection attempt. Last headend: countrya.dynamic-m.com
******************************************
Date : 03/10/2022
Time : 22:46:37
Type : Information
Source : acvpnui
Description : Message type prompt sent to the user:
Searching for optimal server. Please wait...
******************************************
Date : 03/10/2022
Time : 22:46:37
Type : Information
Source : acvpnui
Description : Function: CHeadendSelection::startPingThreads
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp
Line: 410
OGS Sending test ping to countrya.dynamic-m.com:443
******************************************
Date : 03/10/2022
Time : 22:46:37
Type : Information
Source : acvpnui
Description : Function: CThread::createThread
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\thread.cpp
Line: 263
The thread (0x000052AC) has been successfully created.
******************************************
Date : 03/10/2022
Time : 22:46:37
Type : Warning
Source : acvpnui
Description : Function: PluginLoader::instantiateInterfaces
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\pluginloader.cpp
Line: 962
Invoked Function: PluginLoader::loadModulesWithInterface
Return Code: -29294570 (0xFE410016)
Description: PLUGINLOADER_ERROR_NO_INTERFACE_NAME:No interface name.
com.cisco.anyconnect.nam.api
******************************************
Date : 03/10/2022
Time : 22:46:37
Type : Warning
Source : acvpnui
Description : Function: PluginLoader::CreateInstance
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\pluginloader.cpp
Line: 446
Invoked Function: PluginLoader::instantiateInterfaces
Return Code: -29294570 (0xFE410016)
Description: PLUGINLOADER_ERROR_NO_INTERFACE_NAME:No interface name.
com.cisco.anyconnect.nam.api
******************************************
Date : 03/10/2022
Time : 22:46:38
Type : Error
Source : acvpnui
Description : Function: HttpProbe::SendHttpProbe
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\ip\httpsession.cpp
Line: 233
Invoked Function: IHttpSession::SendRequest
Return Code: -28966884 (0xFE46001C)
Description: HTTP_SESSION_ERROR_INVALID_SERVER_RESPONSE
Last Error: 12152
******************************************
Date : 03/10/2022
Time : 22:46:38
Type : Information
Source : acvpnui
Description : Function: CHeadendSelection::startPingThreads
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp
Line: 458
OGS test ping took 578
******************************************
Date : 03/10/2022
Time : 22:46:38
Type : Information
Source : acvpnui
Description : Function: CThread::createThread
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\thread.cpp
Line: 263
The thread (0x000066B0) has been successfully created.
******************************************
Date : 03/10/2022
Time : 22:46:38
Type : Information
Source : acvpnui
Description : Function: CHeadendSelection::CSelectionThread::Run
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp
Line: 931
OGS starting thread named countrya.dynamic-m.com
******************************************
Date : 03/10/2022
Time : 22:46:38
Type : Information
Source : acvpnui
Description : Function: PluginLoader::loadModule
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\pluginloader.cpp
Line: 1140
Loading plugin acfeedback.dll
******************************************
Date : 03/10/2022
Time : 22:46:38
Type : Information
Source : acvpnui
Description : Function: CVerifyFileSignatureWindows::IsValid
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\commoncrypt\verifyfilesignaturewindows.cpp
Line: 110
Code-signing verification succeeded. File (C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\Plugins\acfeedback.dll)
******************************************
Date : 03/10/2022
Time : 22:46:39
Type : Error
Source : acvpnui
Description : Function: CHttpSessionWinInet::SendRequest
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\httpsession_wininet.cpp
Line: 664
Invoked Function: GetStatusCode
Return Code: 0 (0x00000000)
Description: unknown
******************************************
Date : 03/10/2022
Time : 22:46:39
Type : Error
Source : acvpnui
Description : Function: HttpProbe::SendHttpProbe
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\ip\httpsession.cpp
Line: 233
Invoked Function: IHttpSession::SendRequest
Return Code: -28966910 (0xFE460002)
Description: HTTP_SESSION_ERROR_BAD_PARAMETER
Last Error: 0
******************************************
Date : 03/10/2022
Time : 22:46:39
Type : Warning
Source : acvpnui
Description : Function: CHeadendSelection::CSelectionThread::Run
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp
Line: 1027
OGS ping error for countrya.dynamic-m.com: 0
******************************************
Date : 03/10/2022
Time : 22:46:40
Type : Error
Source : acvpnui
Description : Function: CHttpSessionWinInet::SendRequest
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\httpsession_wininet.cpp
Line: 664
Invoked Function: GetStatusCode
Return Code: 0 (0x00000000)
Description: unknown
******************************************
Date : 03/10/2022
Time : 22:46:40
Type : Error
Source : acvpnui
Description : Function: HttpProbe::SendHttpProbe
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\ip\httpsession.cpp
Line: 233
Invoked Function: IHttpSession::SendRequest
Return Code: -28966910 (0xFE460002)
Description: HTTP_SESSION_ERROR_BAD_PARAMETER
Last Error: 0
******************************************
Date : 03/10/2022
Time : 22:46:40
Type : Warning
Source : acvpnui
Description : Function: CHeadendSelection::CSelectionThread::Run
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp
Line: 1027
OGS ping error for countrya.dynamic-m.com: 0
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Error
Source : acvpnui
Description : Function: CHttpSessionWinInet::SendRequest
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\httpsession_wininet.cpp
Line: 664
Invoked Function: GetStatusCode
Return Code: 0 (0x00000000)
Description: unknown
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Error
Source : acvpnui
Description : Function: HttpProbe::SendHttpProbe
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\ip\httpsession.cpp
Line: 233
Invoked Function: IHttpSession::SendRequest
Return Code: -28966910 (0xFE460002)
Description: HTTP_SESSION_ERROR_BAD_PARAMETER
Last Error: 0
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Warning
Source : acvpnui
Description : Function: CHeadendSelection::CSelectionThread::Run
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp
Line: 1027
OGS ping error for countrya.dynamic-m.com: 0
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Information
Source : acvpnui
Description : Function: CHeadendSelection::CSelectionThread::logThreadPingResults
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp
Line: 1140
OGS ping results for countrya.dynamic-m.com: (1234 1079 1078 )
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Information
Source : acvpnui
Description : Function: CHeadendSelection::CSelectionThread::Run
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp
Line: 1046
OGS terminating thread for countrya.dynamic-m.com
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Error
Source : acvpnui
Description : Function: CThread::invokeRun
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\thread.cpp
Line: 463
Invoked Function: IRunnable::Run
Return Code: -28966910 (0xFE460002)
Description: HTTP_SESSION_ERROR_BAD_PARAMETER
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Information
Source : acvpnui
Description : Function: CThread::WaitForCompletion
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\thread.cpp
Line: 331
The thread (0x000066B0) has successfully completed execution.
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Warning
Source : acvpnui
Description : Function: CHeadendSelection::startPingThreads
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp
Line: 503
Invoked Function: CSelectionThread::Run
Return Code: -28966910 (0xFE460002)
Description: HTTP_SESSION_ERROR_BAD_PARAMETER
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Information
Source : acvpnui
Description : Function: CHeadendSelection::finishAHS
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp
Line: 180
OGS in finishAHS() for first time
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Information
Source : acvpnui
Description : Function: CHeadendSelection::logPingResults
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp
Line: 631
*** OGS Selection Results ***
OGS performed for connection attempt. Last server: 'countrya.dynamic-m.com'
Server Address RTT (ms)
countrya.dynamic-m.com 1078
Selected 'countrya.dynamic-m.com' as the optimal server.
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Information
Source : acvpnui
Description : Function: CHeadendSelection::finishAHS
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp
Line: 226
Finished OGS thread, selected countrya.dynamic-m.com
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Information
Source : acvpnui
Description : Function: CThread::createThread
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\thread.cpp
Line: 263
The thread (0x00002FB4) has been successfully created.
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Information
Source : acvpnui
Description : Function: ClientIfcBase::AHSSelectedHost
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\clientifcbase.cpp
Line: 3896
OGS selected host Meraki VPN Global AnyConnect
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Information
Source : acvpnui
Description : Function: ClientIfcBase::AHSSelectedHost
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\clientifcbase.cpp
Line: 3902
OGS saving cache to preferences.
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Information
Source : acvpnui
Description : Message type information sent to the user:
Automatically selected server: Meraki VPN Global AnyConnect
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Information
Source : acvpnagent
Description : Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Error
Source : acvpnagent
Description : Function: PreferenceMgr::getParsedPreferenceFile
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\preferencemgr.cpp
Line: 1034
User preferences have not been loaded.
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Information
Source : acvpnui
Description : Message type prompt sent to the user:
Ready to connect.
******************************************
Date : 03/10/2022
Time : 22:46:41
Type : Information
Source : acvpnui
Description : Function: CThread::WaitForCompletion
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\thread.cpp
Line: 331
The thread (0x00002FB4) has successfully completed execution.
******************************************
Date : 03/10/2022
Time : 22:46:45
Type : Warning
Source : acvpnui
Description : Function: ProfileMgr::getProfileNameFromHost
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\profilemgr.cpp
Line: 1269
No profile available for host Automatic Selection.
******************************************
Date : 03/10/2022
Time : 22:46:45
Type : Information
Source : acvpnui
Description : An SSL VPN connection to Meraki VPN Global AnyConnect has been requested by the user.
******************************************
Date : 03/10/2022
Time : 22:46:45
Type : Information
Source : acvpnui
Description : Loading preferences for the current user from profile C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\MerakiVPNGlobalAnyConnectSAML.xml
******************************************
Date : 03/10/2022
Time : 22:46:45
Type : Error
Source : acvpnui
Description : Function: PreferenceMgr::loadPreferences
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\preferencemgr.cpp
Line: 1277
Invoked Function: PreferenceInfo::getPreference
Return Code: 0 (0x00000000)
Description: EnableAutomaticServerSelection
******************************************
Date : 03/10/2022
Time : 22:46:45
Type : Information
Source : acvpnui
Description : Current Preference Settings:
ServiceDisable: false
CertificateStoreOverride: false
CertificateStore: All
ShowPreConnectMessage: false
AutoConnectOnStart: false
MinimizeOnConnect: true
LocalLanAccess: false
DisableCaptivePortalDetection: false
AutoReconnect: true
AutoReconnectBehavior: ReconnectAfterResume
SuspendOnConnectedStandby: false
UseStartBeforeLogon: false
AutoUpdate: true
RSASecurIDIntegration: Automatic
WindowsLogonEnforcement: SingleLocalLogon
WindowsVPNEstablishment: LocalUsersOnly
ProxySettings: Native
AllowLocalProxyConnections: false
PPPExclusion: Automatic
PPPExclusionServerIP:
AutomaticVPNPolicy: false
TrustedNetworkPolicy: Disconnect
UntrustedNetworkPolicy: Connect
TrustedDNSDomains:
TrustedDNSServers:
TrustedHttpsServerList:
AlwaysOn: false
ConnectFailurePolicy: Closed
AllowCaptivePortalRemediation: false
CaptivePortalRemediationTimeout: 5
ApplyLastVPNLocalResourceRules: false
AllowVPNDisconnect: true
AllowedHosts:
EnableScripting: false
TerminateScriptOnNextEvent: false
EnablePostSBLOnConnectScript: true
AutomaticCertSelection: true
RetainVpnOnLogoff: false
UserEnforcement: SameUserOnly
EnableAutomaticServerSelection: true
AutoServerSelectionImprovement: 20
AutoServerSelectionSuspendTime: 4
AuthenticationTimeout: 30
SafeWordSofTokenIntegration: false
AllowIPsecOverSSL: false
ClearSmartcardPin: true
IPProtocolSupport: IPv4,IPv6
CaptivePortalRemediationBrowserFailover: false
AllowManualHostInput: true
BlockUntrustedServers: true
PublicProxyServerAddress:
CertificatePinning: false
******************************************
Date : 03/10/2022
Time : 22:46:45
Type : Information
Source : acvpnui
Description : Function: ConnectMgr::setConnectionData
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\connectmgr.cpp
Line: 2076
Resetting client certificate list.
****************************************** it does not seem to evalute country B at all as shown in row 312-325, it only pings country A and therefore it is the only alternative even though country B is specified in the "Backup Servers"-list. It is the first time he has tried AnyConnect so there shouldn't be a cached result "mudding the waters" so to speak.
... View more
03-09-2022
08:06 AM
Thank you for your reply. I will try it out (reached out to a colleague who is located closer to Country B then my Country A) and update this thread 🙂
... View more
03-08-2022
08:34 AM
Hello, New to AnyConnect and this is what I would like to accomplish: - MX running AnyConnect in Country A <-- Default server (since a server needs to be entered as the default server) - MX running AnyConnect in Country B - MX running Anyconnect in Country C All other settings not mentioned below are set to their default value - AnyConnect Profile Editor; Preferences (Part 2) Enable Optimal Gateway Selection = Checked User Controllable = Checked Suspension Time Threshold (hours) = 4 Performance Improvement Threshold (%) = 20 Server List > Server List Entry Tab: Server FQDN or IP Address: https://countrya.dynamic-m.com User Group: ogs <-- Is this correct? I don't have any such group in Meraki Backup Servers: https://countryb.dynamic-m.com/ogs <-- Is this correct? I don't have any such group in Meraki I can successfully connect using this profile but when I tried to use another VPN to place myself in Country D which would be closest to Country B rather then A and then try to connect to AnyConnect I still get the primary server - Country A - when Country B would be closer. This is what I found regarding OGS; https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116721-technote-ogs-00.html Would appreciate another set of eyes and feedback so I haven't misconfigured anything - Karl, Sweden
... View more
10-18-2021
11:41 PM
Did you ever get this resolved? Same situation, running 16.13 on our MX64 w. "Advanced Security": no option for "AnyConnect". Recently applied 16.13 (just yesterday) but have restarted the MX. Feels weird it ("AnyConnect") should just be there after X amount of days w. beta firmware?
... View more
10-18-2021
09:09 AM
3 Kudos
Hello, So I've actually finished configuring our MX to use Active Directory-authentication and wanted to share what I've learned which hopefully can help others. Now this worked for me, it doesn't have to work for you and my DCs are located upstream (i.e. in a remote subnet which we reach through the site-to-site VPN); * Regarding the cert: ** Remember that you enter the IP (or at least I did) in the Meraki dashboard so the cert needs to have the IP of the server and not just the FQDN of the server You can test this using "ldp.exe" which is included (?) on Windows Server, if you are running this on your own desktop then you will need to copy the "ldp.exe" and also "ldp.exe.mui" as well as creating a folder called "en-us" in the directory where "ldp.exe" resides and move "ldp.exe.mui" to the "en-us" folder. ** Remember to add the cert to "Active Directory Domain Services"; LDAP over SSL (LDAPS) Certificate - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com) * Regarding the user / pass ** Remember to use only a-z and 0-9 for the username and password. ** Remember to check the account you created to see what it's "Pre-Windows 2000" username is, my username was too long when checking the "Pre-Windows 2000"-field so it had been cut off when it had reached the max. amount of character. * To get this working with an account that isn't domadmin; Grant Minimum Permission to an Active Directory User Account Used by the Sourcefire User Agent - Cisco ^ I followed these steps; ** Giving the user WMI-permissions ** Giving the user DCOM-permissions (I am yet to actually see if the group policy works, it doesn't seem to be supported through ClientVPN but Cisco states that it doesn't and I don't have the appliance where I am so waiting for a colleague to verify. The config works however and I can fetch AD-groups) * Regarding network connectivity TCP 135 TCP 445 TCP 3268 TCP 49152-65535 (RPC "high-ports") whitelisted against the MX's highest numbered VLAN participating in the site-to-site VPN ex; 192.168.1.1/24 = VLAN 1 = Not participating 192.168.2.1/24 = VLAN 200 = Participating <-- This is not the highest numbered VLAN but it is the highest numbered VLAN participating in the site-to-site so 192.168.2.1/32 is the MX's IP calling the DCs 192.168.3.1/24 = VLAN 300 = Not participating Active Directory Issue Resolution Guide - Cisco Meraki * Regarding general config ** Domain = the "shortname" of the domain, ex. "ad.mydomain.com" is the FQDN then "ad" is the shortname ** IP = the IP without any CIDR notation ex. "192.168.4.1" ** Username = the username without any domain prefix, ex. "myuseraccount" and NOT "ad\myuseraccount" ^ Remember a-z, 0-9 and check the "Pre-Windows 2000" for the user so your username hasn't been shortened due to too many chars. ** Password = a password (see below) ^ Remember a-z, 0-9 Hopefully this might have helped someone who is setting this up! Best Regards - Karl
... View more
Labels:
- Labels:
-
Other
03-29-2021
04:14 AM
1 Kudo
Just wanted to reference to this "UserVoice" idea which is that Intune should support configuring VPN w. L2TP-PSK / PAP; https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/41712955-enhanced-l2tp-configu... Please upvote that if you are using Intune and want to easier be able to manage MerakiVPN.
... View more
03-29-2021
04:03 AM
1 Kudo
Just wanted to reference to this "UserVoice" idea which is that Intune should support configuring VPN w. L2TP-PSK / PAP; https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/41712955-enhanced-l2tp-configuration-profiles-for-windows Please upvote that if you are using Intune and want to easier be able to manage MerakiVPN.
... View more
03-22-2021
09:14 AM
Hello, In the same situation here; * I can specify the DNS-servers for the VPN-adapter (Meraki VPN) which would overwrite the default DNS-server specified in Meraki (such as Google) to resolve FQDN however resolving shortnames such as "mycomputer" as opposed to "mycomputer.ad.mydomain.com" fails since you can't append DNS-suffixes since it is greyed out. You can specify a WINS-server in the VPN-settings; https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Resolving_NetBIOS_names_over_Client_VPN however I fail to see how that would solve that the client knows which domain to append to the shortname i.e. to append "ad.mydomain.com" to "computer1"? Unless its inferred when specifying a WINS-server (i.e. use the domain that the WINS-server belongs to)?
... View more
My Top Kudoed Posts
