The Meraki Community
About CloudViking86

CloudViking86
Here to help
Member since Mar 22, 2021
03-14-2022
Kudos from: cwal21 (1), BrandonS (2), MeredithW, Community Manager (1), PhilipDAth, Kind of a big deal (1)
Kudos given to: MillerJ (1)

Community Record: 11 Posts, 5 Kudos, 0 Solutions

Badges: First 5 Posts, Lift-Off
Latest Contributions by CloudViking86

Re: AnyConnect w. SAML (AzureAD) Azure MFA using Conditional Access?

by CloudViking86 in Security / SD-WAN, 03-14-2022 04:05 AM
Thanks for your reply. As I wrote in a reply to Phillip we already have AzureMFA included and don't pay any additional cost to use it, and it makes administration easier and is easier for the end-user. Thanks for the suggestion though!

Re: AnyConnect w. SAML (AzureAD) Azure MFA using Conditional Access?

by CloudViking86 in Security / SD-WAN, 03-14-2022 04:02 AM
Thank you (once again) for a helpful reply.

I really don't understand why my user seems to fulfill the MFA-requirement. Checking the Conditional Access Sign-In Logs and searching for the correlation ID which I got when looking into my "Success"-event:

Activity Details: Sign-ins > Basic Info
Additional Details: MFA requirement satisfied by claim in the token

Activity Details: Sign-ins > Conditional Access
Policy Name: Not applicable

Activity Details: Sign-ins > Report Only
Enforce MFA (Cisco AnyConnect)
Require multi-factor authentication
Session Control: <blank>
Report-only: Success

So I get that if I had a session control on that conditional access policy it could have been satisfied when logging into other O365-services, but in this case that isn't configured and no other conditional access policies are applied. AzureMFA is also included in our users' licenses so we don't pay anything extra to use AzureMFA since the users have a license that covers that for other infrastructure needs (Intune etc.).

Weird.

The thing is that we basically don't want another MFA-service. It makes it harder for the end-users to use another app than Microsoft Authenticator and it's another thing to administer.

We could go the NPS-route and install the AzureMFA-addon but that would introduce the following problems:
* The AzureMFA NPS-addon forces ALL RADIUS-clients to use MFA
* RADIUS-servers are shared between IPSec-VPN and AnyConnect VPN meaning that I can't route AnyConnect to specific NPS / RADIUS-servers

AnyConnect w. SAML (AzureAD) Azure MFA using Conditional Access?

by CloudViking86 in Security / SD-WAN, 03-11-2022 06:51 AM
Hello,

I know that you can use RADIUS-authentication and install the NPS-addon for Azure MFA to get MFA, however I am wondering if this is also possible when using SAML-authentication to AzureAD and then scoping the Cisco AnyConnect Enterprise App in a Conditional Access policy (which requires MFA)? I've tried getting it to work, i.e.:
* Created a policy that scopes both my user and the Cisco AnyConnect enterprise application
** The policy has: Grant: Require multi-factor authentication

When I check the "Insights & Reporting"-log and filter for that policy and the Cisco AnyConnect enterprise app I can see that the policy applies to my user (I can see my sign-in attempt) but my user is in the "Not applied"-category.

I tried creating a dedicated conditional access policy for AnyConnect (since the one I mentioned before has an additional parameter - session control) and with the dedicated policy my user was in the "Success" category. Now I might be tired but I was expecting my user to be in the "User action required"-category (see below) since if the policy was enabled (it's currently in "report only"-mode) I would have needed to authenticate using my AzureMFA.

Conditional Access:
Success: Number of users where the selected polic(ies) granted access and the required controls were satisfied
Failure: Number of users where the selected polic(ies) denied access and the required controls were not satisfied
User action required: Number of users where the selected report-only policy applied but user action (e.g. MFA or Terms of Use) would be required if the policy were enabled.
Not applied: Number of users that are bypassing the selected polic(ies) because the sign-in did not match at least one of the assignments or conditions.

Now have I completely misunderstood "Require multi-factor authentication"? Does it actually prompt for MFA or does it simply require that the user has an MFA setup / is enrolled into MFA?
If it's the former then I don't understand how my login can be "Success" since it should have been "User action required" IF it isn't like this: having Azure MFA on various services I might have already, within some magic hidden timeframe, satisfied that requirement, i.e. I have authenticated with another service which requires Azure MFA. If it is the latter then I get that my login is a "Success" since my account is enrolled into MFA.

Microsoft's documentation about the "grant" - "Require multi-factor authentication": Grant controls in Conditional Access policy - Azure Active Directory | Microsoft Docs

Sorry for the long post! Best Regards - Karl, Sweden

Re: AnyConnect OGS setup

by CloudViking86 in Security / SD-WAN, 03-10-2022 08:18 AM
My colleague got back to me (he is in country Z with the closest server of country B; country A is my country and is set to the default server). Attaching a snippet of his "DARTBundle" AnyConnect-log below:

******************************************
Date : 03/10/2022 Time : 22:46:37 Type : Information Source : acvpnui
Description : Function: ClientIfcBase::handleAHSPreferences File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\clientifcbase.cpp Line: 4508 OGS is enabled
******************************************
Date : 03/10/2022 Time : 22:46:37 Type : Information Source : acvpnui
Description : Function: CHeadendSelection::selectHeadend File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp Line: 268 Starting OGS processing for connection attempt. Last headend: countrya.dynamic-m.com
******************************************
Date : 03/10/2022 Time : 22:46:37 Type : Information Source : acvpnui
Description : Message type prompt sent to the user: Searching for optimal server. Please wait...
******************************************
Date : 03/10/2022 Time : 22:46:37 Type : Information Source : acvpnui
Description : Function: CHeadendSelection::startPingThreads File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp Line: 410 OGS Sending test ping to countrya.dynamic-m.com:443
******************************************
Date : 03/10/2022 Time : 22:46:37 Type : Information Source : acvpnui
Description : Function: CThread::createThread File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\thread.cpp Line: 263 The thread (0x000052AC) has been successfully created.
******************************************
Date : 03/10/2022 Time : 22:46:37 Type : Warning Source : acvpnui
Description : Function: PluginLoader::instantiateInterfaces File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\pluginloader.cpp Line: 962 Invoked Function: PluginLoader::loadModulesWithInterface Return Code: -29294570 (0xFE410016) Description: PLUGINLOADER_ERROR_NO_INTERFACE_NAME:No interface name. com.cisco.anyconnect.nam.api
******************************************
Date : 03/10/2022 Time : 22:46:37 Type : Warning Source : acvpnui
Description : Function: PluginLoader::CreateInstance File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\pluginloader.cpp Line: 446 Invoked Function: PluginLoader::instantiateInterfaces Return Code: -29294570 (0xFE410016) Description: PLUGINLOADER_ERROR_NO_INTERFACE_NAME:No interface name. com.cisco.anyconnect.nam.api
******************************************
Date : 03/10/2022 Time : 22:46:38 Type : Error Source : acvpnui
Description : Function: HttpProbe::SendHttpProbe File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\ip\httpsession.cpp Line: 233 Invoked Function: IHttpSession::SendRequest Return Code: -28966884 (0xFE46001C) Description: HTTP_SESSION_ERROR_INVALID_SERVER_RESPONSE Last Error: 12152
******************************************
Date : 03/10/2022 Time : 22:46:38 Type : Information Source : acvpnui
Description : Function: CHeadendSelection::startPingThreads File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp Line: 458 OGS test ping took 578
******************************************
Date : 03/10/2022 Time : 22:46:38 Type : Information Source : acvpnui
Description : Function: CThread::createThread File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\thread.cpp Line: 263 The thread (0x000066B0) has been successfully created.
******************************************
Date : 03/10/2022 Time : 22:46:38 Type : Information Source : acvpnui
Description : Function: CHeadendSelection::CSelectionThread::Run File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp Line: 931 OGS starting thread named countrya.dynamic-m.com
******************************************
Date : 03/10/2022 Time : 22:46:38 Type : Information Source : acvpnui
Description : Function: PluginLoader::loadModule File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\pluginloader.cpp Line: 1140 Loading plugin acfeedback.dll
******************************************
Date : 03/10/2022 Time : 22:46:38 Type : Information Source : acvpnui
Description : Function: CVerifyFileSignatureWindows::IsValid File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\commoncrypt\verifyfilesignaturewindows.cpp Line: 110 Code-signing verification succeeded. File (C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\Plugins\acfeedback.dll)
******************************************
Date : 03/10/2022 Time : 22:46:39 Type : Error Source : acvpnui
Description : Function: CHttpSessionWinInet::SendRequest File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\httpsession_wininet.cpp Line: 664 Invoked Function: GetStatusCode Return Code: 0 (0x00000000) Description: unknown
******************************************
Date : 03/10/2022 Time : 22:46:39 Type : Error Source : acvpnui
Description : Function: HttpProbe::SendHttpProbe File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\ip\httpsession.cpp Line: 233 Invoked Function: IHttpSession::SendRequest Return Code: -28966910 (0xFE460002) Description: HTTP_SESSION_ERROR_BAD_PARAMETER Last Error: 0
******************************************
Date : 03/10/2022 Time : 22:46:39 Type : Warning Source : acvpnui
Description : Function: CHeadendSelection::CSelectionThread::Run File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp Line: 1027 OGS ping error for countrya.dynamic-m.com: 0
******************************************
Date : 03/10/2022 Time : 22:46:40 Type : Error Source : acvpnui
Description : Function: CHttpSessionWinInet::SendRequest File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\httpsession_wininet.cpp Line: 664 Invoked Function: GetStatusCode Return Code: 0 (0x00000000) Description: unknown
******************************************
Date : 03/10/2022 Time : 22:46:40 Type : Error Source : acvpnui
Description : Function: HttpProbe::SendHttpProbe File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\ip\httpsession.cpp Line: 233 Invoked Function: IHttpSession::SendRequest Return Code: -28966910 (0xFE460002) Description: HTTP_SESSION_ERROR_BAD_PARAMETER Last Error: 0
******************************************
Date : 03/10/2022 Time : 22:46:40 Type : Warning Source : acvpnui
Description : Function: CHeadendSelection::CSelectionThread::Run File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp Line: 1027 OGS ping error for countrya.dynamic-m.com: 0
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Error Source : acvpnui
Description : Function: CHttpSessionWinInet::SendRequest File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\httpsession_wininet.cpp Line: 664 Invoked Function: GetStatusCode Return Code: 0 (0x00000000) Description: unknown
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Error Source : acvpnui
Description : Function: HttpProbe::SendHttpProbe File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\ip\httpsession.cpp Line: 233 Invoked Function: IHttpSession::SendRequest Return Code: -28966910 (0xFE460002) Description: HTTP_SESSION_ERROR_BAD_PARAMETER Last Error: 0
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Warning Source : acvpnui
Description : Function: CHeadendSelection::CSelectionThread::Run File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp Line: 1027 OGS ping error for countrya.dynamic-m.com: 0
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnui
Description : Function: CHeadendSelection::CSelectionThread::logThreadPingResults File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp Line: 1140 OGS ping results for countrya.dynamic-m.com: (1234 1079 1078 )
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnui
Description : Function: CHeadendSelection::CSelectionThread::Run File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp Line: 1046 OGS terminating thread for countrya.dynamic-m.com
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Error Source : acvpnui
Description : Function: CThread::invokeRun File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\thread.cpp Line: 463 Invoked Function: IRunnable::Run Return Code: -28966910 (0xFE460002) Description: HTTP_SESSION_ERROR_BAD_PARAMETER
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnui
Description : Function: CThread::WaitForCompletion File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\thread.cpp Line: 331 The thread (0x000066B0) has successfully completed execution.
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Warning Source : acvpnui
Description : Function: CHeadendSelection::startPingThreads File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp Line: 503 Invoked Function: CSelectionThread::Run Return Code: -28966910 (0xFE460002) Description: HTTP_SESSION_ERROR_BAD_PARAMETER
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnui
Description : Function: CHeadendSelection::finishAHS File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp Line: 180 OGS in finishAHS() for first time
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnui
Description : Function: CHeadendSelection::logPingResults File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp Line: 631
*** OGS Selection Results ***
OGS performed for connection attempt. Last server: 'countrya.dynamic-m.com'
Server Address RTT (ms)
countrya.dynamic-m.com 1078
Selected 'countrya.dynamic-m.com' as the optimal server.
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnui
Description : Function: CHeadendSelection::finishAHS File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\ahs\headendselection.cpp Line: 226 Finished OGS thread, selected countrya.dynamic-m.com
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnui
Description : Function: CThread::createThread File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\thread.cpp Line: 263 The thread (0x00002FB4) has been successfully created.
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnui
Description : Function: ClientIfcBase::AHSSelectedHost File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\clientifcbase.cpp Line: 3896 OGS selected host Meraki VPN Global AnyConnect
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnui
Description : Function: ClientIfcBase::AHSSelectedHost File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\clientifcbase.cpp Line: 3902 OGS saving cache to preferences.
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnui
Description : Message type information sent to the user: Automatically selected server: Meraki VPN Global AnyConnect
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnagent
Description : Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Error Source : acvpnagent
Description : Function: PreferenceMgr::getParsedPreferenceFile File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\preferencemgr.cpp Line: 1034 User preferences have not been loaded.
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnui
Description : Message type prompt sent to the user: Ready to connect.
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnui
Description : Function: CThread::WaitForCompletion File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\common\utility\thread.cpp Line: 331 The thread (0x00002FB4) has successfully completed execution.
******************************************
Date : 03/10/2022 Time : 22:46:45 Type : Warning Source : acvpnui
Description : Function: ProfileMgr::getProfileNameFromHost File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\profilemgr.cpp Line: 1269 No profile available for host Automatic Selection.
******************************************
Date : 03/10/2022 Time : 22:46:45 Type : Information Source : acvpnui
Description : An SSL VPN connection to Meraki VPN Global AnyConnect has been requested by the user.
******************************************
Date : 03/10/2022 Time : 22:46:45 Type : Information Source : acvpnui
Description : Loading preferences for the current user from profile C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\MerakiVPNGlobalAnyConnectSAML.xml
******************************************
Date : 03/10/2022 Time : 22:46:45 Type : Error Source : acvpnui
Description : Function: PreferenceMgr::loadPreferences File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\preferencemgr.cpp Line: 1277 Invoked Function: PreferenceInfo::getPreference Return Code: 0 (0x00000000) Description: EnableAutomaticServerSelection
******************************************
Date : 03/10/2022 Time : 22:46:45 Type : Information Source : acvpnui
Description : Current Preference Settings:
ServiceDisable: false
CertificateStoreOverride: false
CertificateStore: All
ShowPreConnectMessage: false
AutoConnectOnStart: false
MinimizeOnConnect: true
LocalLanAccess: false
DisableCaptivePortalDetection: false
AutoReconnect: true
AutoReconnectBehavior: ReconnectAfterResume
SuspendOnConnectedStandby: false
UseStartBeforeLogon: false
AutoUpdate: true
RSASecurIDIntegration: Automatic
WindowsLogonEnforcement: SingleLocalLogon
WindowsVPNEstablishment: LocalUsersOnly
ProxySettings: Native
AllowLocalProxyConnections: false
PPPExclusion: Automatic
PPPExclusionServerIP:
AutomaticVPNPolicy: false
TrustedNetworkPolicy: Disconnect
UntrustedNetworkPolicy: Connect
TrustedDNSDomains:
TrustedDNSServers:
TrustedHttpsServerList:
AlwaysOn: false
ConnectFailurePolicy: Closed
AllowCaptivePortalRemediation: false
CaptivePortalRemediationTimeout: 5
ApplyLastVPNLocalResourceRules: false
AllowVPNDisconnect: true
AllowedHosts:
EnableScripting: false
TerminateScriptOnNextEvent: false
EnablePostSBLOnConnectScript: true
AutomaticCertSelection: true
RetainVpnOnLogoff: false
UserEnforcement: SameUserOnly
EnableAutomaticServerSelection: true
AutoServerSelectionImprovement: 20
AutoServerSelectionSuspendTime: 4
AuthenticationTimeout: 30
SafeWordSofTokenIntegration: false
AllowIPsecOverSSL: false
ClearSmartcardPin: true
IPProtocolSupport: IPv4,IPv6
CaptivePortalRemediationBrowserFailover: false
AllowManualHostInput: true
BlockUntrustedServers: true
PublicProxyServerAddress:
CertificatePinning: false
******************************************
Date : 03/10/2022 Time : 22:46:45 Type : Information Source : acvpnui
Description : Function: ConnectMgr::setConnectionData File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\connectmgr.cpp Line: 2076 Resetting client certificate list.
******************************************

It does not seem to evaluate country B at all as shown in row 312-325; it only pings country A and therefore it is the only alternative even though country B is specified in the "Backup Servers"-list.

It is the first time he has tried AnyConnect so there shouldn't be a cached result "muddying the waters" so to speak.
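As an added example (not the poster's or Cisco's code), here is a small Python checker that parses acvpnui DART entries in the shape quoted above and reports which servers from the profile's server list never received an OGS test ping, which is the symptom this post describes for country B. The SAMPLE_LOG and the CONFIGURED_SERVERS list are constructed from the values in this thread and are assumptions, not a real bundle.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample in the shape of the acvpnui DART entries quoted in the
# post above (a handful of entries, not the full bundle).
SAMPLE_LOG = """\
******************************************
Date : 03/10/2022 Time : 22:46:37 Type : Information Source : acvpnui
Description : Function: ClientIfcBase::handleAHSPreferences File: clientifcbase.cpp Line: 4508 OGS is enabled
******************************************
Date : 03/10/2022 Time : 22:46:37 Type : Information Source : acvpnui
Description : Function: CHeadendSelection::startPingThreads File: headendselection.cpp Line: 410 OGS Sending test ping to countrya.dynamic-m.com:443
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Warning Source : acvpnui
Description : Function: CHeadendSelection::CSelectionThread::Run File: headendselection.cpp Line: 1027 OGS ping error for countrya.dynamic-m.com: 0
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnui
Description : Function: CHeadendSelection::CSelectionThread::logThreadPingResults File: headendselection.cpp Line: 1140 OGS ping results for countrya.dynamic-m.com: (1234 1079 1078 )
******************************************
Date : 03/10/2022 Time : 22:46:41 Type : Information Source : acvpnui
Description : Function: CHeadendSelection::finishAHS File: headendselection.cpp Line: 226 Finished OGS thread, selected countrya.dynamic-m.com
******************************************
"""

# Assumed profile server list, taken from the "AnyConnect OGS setup" post:
# the primary "Server FQDN" plus the "Backup Servers" entry.
CONFIGURED_SERVERS = [
    "https://countrya.dynamic-m.com",
    "https://countryb.dynamic-m.com/ogs",
]

# One DART entry sits between two lines of asterisks.
ENTRY_SEP = re.compile(r"^\*{10,}\s*$", re.MULTILINE)
HEADER_RE = re.compile(
    r"Date\s*:\s*(?P<date>\S+)\s+Time\s*:\s*(?P<time>\S+)\s+Type\s*:\s*(?P<type>\w+)"
    r"\s+Source\s*:\s*(?P<source>\S+)\s+Description\s*:\s*(?P<desc>.*)",
    re.DOTALL,
)
PING_SENT_RE = re.compile(r"OGS Sending test ping to (?P<host>[\w.-]+):\d+")
PING_RESULT_RE = re.compile(r"OGS ping results for (?P<host>[\w.-]+): \((?P<rtts>[\d ]*)\)")
PING_ERROR_RE = re.compile(r"OGS ping error for (?P<host>[\w.-]+): (?P<code>-?\d+)")
SELECTED_RE = re.compile(r"Finished OGS thread, selected (?P<host>[\w.-]+)")


@dataclass
class OgsReport:
    enabled: bool = False
    probed: List[str] = field(default_factory=list)          # hosts that got a test ping
    rtts: Dict[str, List[int]] = field(default_factory=dict)  # host -> RTT samples (ms)
    errors: Dict[str, List[int]] = field(default_factory=dict)
    selected: Optional[str] = None
    never_probed: List[str] = field(default_factory=list)    # configured but never pinged


def host_of(server: str) -> str:
    """Reduce a profile entry such as https://host/ogs to its bare host name."""
    if "//" not in server:
        server = "https://" + server
    host = urlsplit(server).hostname
    if not host:
        raise ValueError(f"cannot parse server entry: {server!r}")
    return host.lower()


def parse_entries(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (type, source, description) for each asterisk-delimited DART entry."""
    for chunk in ENTRY_SEP.split(text):
        m = HEADER_RE.search(chunk)
        if m:
            yield m["type"], m["source"], " ".join(m["desc"].split())


def analyse_ogs(text: str, configured_servers: List[str]) -> OgsReport:
    """Correlate the OGS probe lines against the servers the profile lists.

    A configured server that never receives a test ping cannot take part in the
    RTT comparison, which is what the log in this post shows for country B.
    """
    report = OgsReport()
    for _type, _source, desc in parse_entries(text):
        if "OGS is enabled" in desc:
            report.enabled = True
        elif m := PING_SENT_RE.search(desc):
            report.probed.append(m["host"].lower())
        elif m := PING_RESULT_RE.search(desc):
            report.rtts[m["host"].lower()] = [int(x) for x in m["rtts"].split()]
        elif m := PING_ERROR_RE.search(desc):
            report.errors.setdefault(m["host"].lower(), []).append(int(m["code"]))
        elif m := SELECTED_RE.search(desc):
            report.selected = m["host"].lower()
    wanted = [host_of(s) for s in configured_servers]
    report.never_probed = [h for h in wanted if h not in report.probed]
    return report


if __name__ == "__main__":
    r = analyse_ogs(SAMPLE_LOG, CONFIGURED_SERVERS)
    print("OGS enabled:", r.enabled, "| probed:", r.probed, "| selected:", r.selected)
    print("configured but never probed:", r.never_probed)
```

Run it against the "OGS" entries exported from a real DART bundle to confirm whether a backup server was ever pinged before suspecting a cached result.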

Re: AnyConnect OGS setup

by CloudViking86 in Security / SD-WAN, 03-09-2022 08:06 AM
Thank you for your reply. I will try it out (reached out to a colleague who is located closer to Country B than my Country A) and update this thread 🙂

AnyConnect OGS setup

by CloudViking86 in Security / SD-WAN, 03-08-2022 08:34 AM
Hello,

New to AnyConnect and this is what I would like to accomplish:
- MX running AnyConnect in Country A <-- Default server (since a server needs to be entered as the default server)
- MX running AnyConnect in Country B
- MX running AnyConnect in Country C

All other settings not mentioned below are set to their default value - AnyConnect Profile Editor:

Preferences (Part 2)
Enable Optimal Gateway Selection = Checked
User Controllable = Checked
Suspension Time Threshold (hours) = 4
Performance Improvement Threshold (%) = 20

Server List > Server List Entry Tab:
Server FQDN or IP Address: https://countrya.dynamic-m.com
User Group: ogs <-- Is this correct? I don't have any such group in Meraki
Backup Servers: https://countryb.dynamic-m.com/ogs <-- Is this correct? I don't have any such group in Meraki

I can successfully connect using this profile but when I tried to use another VPN to place myself in Country D, which would be closest to Country B rather than A, and then try to connect to AnyConnect I still get the primary server - Country A - when Country B would be closer.

This is what I found regarding OGS: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116721-technote-ogs-00.html

Would appreciate another set of eyes and feedback so I haven't misconfigured anything - Karl, Sweden

Re: Anyconnect on MX64 support

by CloudViking86 in Security / SD-WAN, 10-18-2021 11:41 PM
Did you ever get this resolved? Same situation, running 16.13 on our MX64 w. "Advanced Security": no option for "AnyConnect".

Recently applied 16.13 (just yesterday) but have restarted the MX. Feels weird it ("AnyConnect") should just be there after X amount of days w. beta firmware?

Configuring Active Directory Authentication

by CloudViking86 in Security / SD-WAN, 10-18-2021 09:09 AM, 3 Kudos
Hello, So I've actually finished configuring our MX to use Active Directory-authentication and wanted to share what I've learned, which hopefully can help others.

Now this worked for me, it doesn't have to work for you, and my DCs are located upstream (i.e. in a remote subnet which we reach through the site-to-site VPN):

* Regarding the cert:
** Remember that you enter the IP (or at least I did) in the Meraki dashboard so the cert needs to have the IP of the server and not just the FQDN of the server. You can test this using "ldp.exe" which is included (?) on Windows Server; if you are running this on your own desktop then you will need to copy the "ldp.exe" and also "ldp.exe.mui" as well as creating a folder called "en-us" in the directory where "ldp.exe" resides and move "ldp.exe.mui" to the "en-us" folder.
** Remember to add the cert to "Active Directory Domain Services": LDAP over SSL (LDAPS) Certificate - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

* Regarding the user / pass
** Remember to use only a-z and 0-9 for the username and password.
** Remember to check the account you created to see what its "Pre-Windows 2000" username is; my username was too long when checking the "Pre-Windows 2000"-field so it had been cut off when it had reached the max. amount of characters.

* To get this working with an account that isn't domadmin: Grant Minimum Permission to an Active Directory User Account Used by the Sourcefire User Agent - Cisco
^ I followed these steps:
** Giving the user WMI-permissions
** Giving the user DCOM-permissions
(I am yet to actually see if the group policy works, it doesn't seem to be supported through ClientVPN but Cisco states that it doesn't and I don't have the appliance where I am so waiting for a colleague to verify. The config works however and I can fetch AD-groups)

* Regarding network connectivity
TCP 135
TCP 445
TCP 3268
TCP 49152-65535 (RPC "high-ports")
whitelisted against the MX's highest numbered VLAN participating in the site-to-site VPN, ex:
192.168.1.1/24 = VLAN 1 = Not participating
192.168.2.1/24 = VLAN 200 = Participating <-- This is not the highest numbered VLAN but it is the highest numbered VLAN participating in the site-to-site so 192.168.2.1/32 is the MX's IP calling the DCs
192.168.3.1/24 = VLAN 300 = Not participating
Active Directory Issue Resolution Guide - Cisco Meraki

* Regarding general config
** Domain = the "shortname" of the domain, ex. if "ad.mydomain.com" is the FQDN then "ad" is the shortname
** IP = the IP without any CIDR notation, ex. "192.168.4.1"
** Username = the username without any domain prefix, ex. "myuseraccount" and NOT "ad\myuseraccount"
^ Remember a-z, 0-9 and check the "Pre-Windows 2000" for the user so your username hasn't been shortened due to too many chars.
** Password = a password (see below)
^ Remember a-z, 0-9

Hopefully this might have helped someone who is setting this up! Best Regards - Karl

Labels: Other

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem ...

by CloudViking86 in Security / SD-WAN, 03-29-2021 04:14 AM, 1 Kudo
Just wanted to reference this "UserVoice" idea, which is that Intune should support configuring VPN w. L2TP-PSK / PAP: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/41712955-enhanced-l2tp-configu... Please upvote that if you are using Intune and want to be able to manage MerakiVPN more easily.

Re: [Question] - How to deploy Client-VPN, L2TP+PSK? CMAK? GPO?

by CloudViking86 in Security / SD-WAN, 03-29-2021 04:03 AM, 1 Kudo
Just wanted to reference this "UserVoice" idea, which is that Intune should support configuring VPN w. L2TP-PSK / PAP: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/41712955-enhanced-l2tp-configuration-profiles-for-windows Please upvote that if you are using Intune and want to be able to manage MerakiVPN more easily.

Re: VPN DNS - Host name, Not FQDN

by CloudViking86 in Security / SD-WAN, 03-22-2021 09:14 AM
Hello,

In the same situation here:
* I can specify the DNS-servers for the VPN-adapter (Meraki VPN) which would overwrite the default DNS-server specified in Meraki (such as Google) to resolve FQDNs, however resolving shortnames such as "mycomputer" as opposed to "mycomputer.ad.mydomain.com" fails since you can't append DNS-suffixes as that option is greyed out. You can specify a WINS-server in the VPN-settings: https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Resolving_NetBIOS_names_over_Client_VPN however I fail to see how that would solve that the client knows which domain to append to the shortname, i.e. to append "ad.mydomain.com" to "computer1"? Unless it's inferred when specifying a WINS-server (i.e. use the domain that the WINS-server belongs to)?
My Top Kudoed Posts

Subject | Board | Kudos | Views
Configuring Active Directory Authentication | Security / SD-WAN | 3 | 765
Re: Best practice to deploy Meraki client VPN to laptops? All methods seem ... | Security / SD-WAN | 1 | 9111
Re: [Question] - How to deploy Client-VPN, L2TP+PSK? CMAK? GPO? | Security / SD-WAN | 1 | 2378