Posts Tagged ‘meraki’

Customer has Server 2012 DCs running NPS with the Azure MFA extension for their Cisco Meraki Client VPN.
None of the staff were able to connect to the VPN from 8am. I have not found out why it started at this time; users were able to log in before this.
Event Viewer showed "Unknown username or bad password".

The NPS MFA extension leads you down a path that isn’t correct (for me). Don’t trust this.

Also, don’t trust the reason codes in the NPS logs.
You may see reason code 21, <Reason-Code data_type="0">21</Reason-Code></Event>, further pointing to MFA extension issues.
Run with PowerShell and select option 1 to temporarily remove the MFA requirement, then attempt a login to prove it’s not MFA.
New errors in the NPS logs:
I was getting <Reason-Code data_type="0">16</Reason-Code>. Not the most helpful, and there are LOTS of results. But I found the below recent article which fixed it for me.
I did apply these keys for all the domain controllers. That might be overkill and unnecessary. The real fix is to get off Server 2012.
This isn’t complete yet; after enabling MFA I now have TLS and cipher errors from the MFA plugin.
But hopefully this will be an easy fix.
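As an added example (not from the original post), the PowerShell below tallies the Reason-Code values in an NPS log written in DTS Compliant format and labels the two codes discussed above (16 and 21) with their documented meanings, so a reason-code shift like the one described can be seen at a glance rather than read line by line. It also pulls the same code out of Security event 6273 on the NPS server. The log records are constructed samples, the log path in the comment is the NPS default, and the "Reason Code:" regex is an assumption about the 6273 message layout.

```powershell
# Added example, not from the original post. Tallies the Reason-Code values in an
# NPS log written in DTS Compliant format (one <Event>...</Event> record per line)
# and labels the two codes discussed above. The sample records are constructed.
$SampleLog = @'
<Event><Timestamp data_type="3">08/01/2023 08:02:11.000</Timestamp><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="3">08/01/2023 08:02:15.000</Timestamp><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">21</Reason-Code></Event>
<Event><Timestamp data_type="3">08/01/2023 08:02:19.000</Timestamp><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="3">08/01/2023 08:02:23.000</Timestamp><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
'@

# Meanings from Microsoft's NPS reason-code reference for the codes seen on this page.
$ReasonText = @{
    0  = 'Success'
    16 = 'Credentials mismatch: user name does not map to an account, or the password was wrong (plain AD auth failing)'
    21 = 'An NPS extension DLL rejected the request (the Azure MFA extension is such a DLL)'
}

function Resolve-NpsReason {
    param([int]$Code)
    if ($ReasonText.ContainsKey($Code)) { $ReasonText[$Code] } else { 'see the NPS reason-code reference' }
}

function Get-NpsLogReasonSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines |
        ForEach-Object {
            # Pull the numeric reason code out of each DTS record; lines without one are skipped.
            if ($_ -match '<Reason-Code data_type="0">(\d+)</Reason-Code>') { [int]$Matches[1] }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                ReasonCode = [int]$_.Name
                Count      = $_.Count
                Meaning    = Resolve-NpsReason ([int]$_.Name)
            }
        }
}

function Get-NpsDeniedEventReasons {
    # Security event 6273 ("Network Policy Server denied access to a user") carries the
    # same reason code; run this on the NPS server itself. The regex assumes the
    # "Reason Code:" label in the rendered message text.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'Reason Code:\s*(\d+)') {
                [pscustomobject]@{ Time = $_.TimeCreated; ReasonCode = [int]$Matches[1]; Meaning = Resolve-NpsReason ([int]$Matches[1]) }
            }
        }
}

# Constructed sample; for a live server replace with
#   Get-Content 'C:\Windows\System32\LogFiles\IN*.log'   (the default NPS log location)
Get-NpsLogReasonSummary -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Against the sample this reports two code 16 rejects, one code 21 reject and one accept. The useful signal is the change after disabling the extension: if code 21 disappears and code 16 remains, the failure is in the AD credential check itself, which is the situation the post describes.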

Meraki’s advice for enabling AD authentication for the VPN is to create the service account as… a Domain Administrator.

This is a big security no-no (if the account gets compromised, the whole domain gets compromised).

You can set this account as a Domain User, which gives it the access to:

  • Query the user database via LDAP
  • Query group membership via LDAP

You can then assign the WMI permissions for "Query the domain controller via WMI"

by doing the below on the domain controller.

To set the WMI user access permissions

  1. Select Start > Run.
  2. On the Run dialog, type wmimgmt.msc in the Open field.
  3. Click OK to display the Windows Management Infrastructure (WMI) Control Panel.
  4. In the left pane of the WMI Control Panel, highlight the WMI Control (local) entry, right-click, and select the Properties menu option. This displays the WMI Control (Local) Properties dialog box.
  5. Select the Security tab in the WMI Control (Local) Properties dialog box.
  6. In the namespace tree within the Security tab, expand the Root folder. This action lists the available WMI name spaces.
  7. Click the CIMV2 namespace to highlight it.
  8. Click Security to display the Security for ROOT\CIMV2 dialog box.
  9. Click Add in the Security for ROOT\CIMV2 dialog box to display the Select Users or Groups dialog box.
  10. Add the domain user account that will be used as your proxy data collection user account. This should be a domain account (not a local computer account), but it does not need to be an account with administrative access.
  11. Click OK to close the Select Users or Groups dialog box and return to the Security for ROOT\CIMV2 dialog box. The user account you selected should now be listed in the Name list at the top of the dialog box.
  12. Select the newly added user (if it is not already selected) and enable the following permissions:
    • Enable Account
    • Remote Enable
    Enable the permissions by clicking the Allow box, if it is not already checked for that permission. The Enable Account permission should already be selected, but the Remote Enable permission will need to be selected.
  13. Click OK to close the Security for ROOT\CIMV2 dialog box.
    The permissions should now be properly set for the proxy data collection user account.
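As an added example (not from the original post), the PowerShell below reads the DACL on ROOT\CIMV2 and reports which WMI rights the VPN service account actually holds, so the result of the steps above can be checked and anything beyond Enable Account and Remote Enable is flagged. The account name is a placeholder; the access-mask bit values are the ones Microsoft documents for WMI namespace security. Run it in an elevated PowerShell on the domain controller.

```powershell
# Added example, not from the original post. Verifies the least-privilege WMI grant
# described above by decoding the ROOT\CIMV2 DACL for one trustee.
$Account = 'DOMAIN\meraki-vpn-svc'   # placeholder; substitute the real DOMAIN\user

# WMI namespace access-mask bits as documented by Microsoft for namespace security.
$WmiRights = [ordered]@{
    'Enable Account'  = 0x00001
    'Execute Methods' = 0x00002
    'Full Write'      = 0x00004
    'Partial Write'   = 0x00008
    'Provider Write'  = 0x00010
    'Remote Enable'   = 0x00020
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

# The proxy account only needs these two for Meraki's "Query the domain controller via WMI".
$Needed = 'Enable Account', 'Remote Enable'

function Get-WmiNamespaceRights {
    param(
        [string]$Namespace = 'root/cimv2',
        [Parameter(Mandatory)][string]$Trustee   # DOMAIN\user or DOMAIN\group
    )
    $domain, $name = $Trustee -split '\\', 2

    # __SystemSecurity.GetSecurityDescriptor returns a Win32_SecurityDescriptor whose
    # DACL is a list of Win32_ACE entries (Trustee, AccessMask, AceType).
    $sd = (Invoke-CimMethod -Namespace $Namespace -ClassName __SystemSecurity `
              -MethodName GetSecurityDescriptor).Descriptor

    foreach ($ace in $sd.DACL) {
        if ($ace.Trustee.Domain -ne $domain -or $ace.Trustee.Name -ne $name) { continue }

        # Decode the mask into the named rights it contains.
        $granted = foreach ($right in $WmiRights.Keys) {
            if ($ace.AccessMask -band $WmiRights[$right]) { $right }
        }

        [pscustomobject]@{
            Trustee = $Trustee
            AceType = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Rights  = $granted -join ', '
            Missing = ($Needed | Where-Object { $_ -notin $granted }) -join ', '
            Excess  = ($granted | Where-Object { $_ -notin $Needed }) -join ', '
        }
    }
}

$rights = Get-WmiNamespaceRights -Trustee $Account
if (-not $rights) {
    Write-Warning "No ACE for $Account on root/cimv2; the permissions above have not been applied."
} else {
    $rights | Format-List
}
```

An empty Missing column and an empty Excess column on an Allow ACE is the outcome the procedure aims for. A populated Excess column (Full Write, Edit Security and so on) means the account was given more than the collector needs, which defeats the point of moving it off Domain Admins.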

When trying to authenticate a user with their AD credentials, the error displayed was:

The remote connection was denied because of the username and password combination

In the Event Log on the Meraki:


Also saw these errors:

msg: invalid DH group 19.
msg: invalid DH group 20.

msg: failed to begin ipsec sa negotiation.

You need a TLS certificate on the Domain Controller and RADIUS server for communication; run the below PowerShell:

New-SelfSignedCertificate -DnsName domaincontroller.domain.local -CertStoreLocation cert:\LocalMachine\My

This will create a cert for you in Personal / Certificates for the Local Computer.

You will need to use the MMC to copy this to the Trusted Root Certification Authorities.
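As an added example (not from the original post), the PowerShell below does the same two steps without the MMC: it issues the self-signed certificate with the cmdlet from the post, copies only the public certificate (no private key) into Trusted Root Certification Authorities, and then confirms by thumbprint where the certificate landed and when it expires. The DNS name is the placeholder from the post; replace it with the real DC/NPS host name. Because a self-signed certificate placed in Trusted Root is trusted like a CA on that machine, the private key should stay in that machine's Personal store only.

```powershell
# Added example, not from the original post. Creates the self-signed certificate
# described above and copies its public half into Trusted Root, then reports the result.
$DnsName = 'domaincontroller.domain.local'   # placeholder from the post; use the real host name

function New-NpsSelfSignedCert {
    param([Parameter(Mandatory)][string]$DnsName)

    # Same cmdlet as the post; the certificate (with private key) lands in
    # Local Computer > Personal (Cert:\LocalMachine\My).
    $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My

    # Export the public certificate only (DER .cer, no private key) and import it
    # into the machine's Trusted Root store. This replaces the MMC copy step.
    $cerPath = Join-Path $env:TEMP "$DnsName.cer"
    Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
    Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Remove-Item $cerPath

    # Report where the thumbprint now appears and whether a private key is attached,
    # so the Root copy can be confirmed to be public-only.
    foreach ($store in 'My', 'Root') {
        $match = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object Thumbprint -eq $cert.Thumbprint
        [pscustomobject]@{
            Store         = $store
            Present       = [bool]$match
            HasPrivateKey = if ($match) { $match.HasPrivateKey } else { $false }
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter   # New-SelfSignedCertificate defaults to one year
        }
    }
}

New-NpsSelfSignedCert -DnsName $DnsName | Format-Table -AutoSize
```

The expected outcome is Present = True in both stores with HasPrivateKey = True only for My. The NotAfter column is worth noting: the default one-year validity means the VPN authentication will start failing again in a year unless the certificate is renewed and re-copied.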


I also had issues with RADIUS with the error: msg: failed to begin ipsec sa negotiation.

After following these settings:

In the end I had to clear out the Conditions in the network policies (specifically the Calling Station ID) and re-add them.

Meraki MX Router

Enable VLANs

Go to Security Appliance, then Addressing & VLANs.

Next, set up the Subnet ID (number) for your VLANs and the address of the router in each VLAN.

Next, change the uplink port to the switch to a trunk with VLANs enabled, set the Native VLAN (by default this is 1) and the other VLANs which will pass down this trunk. The Native VLAN must be the same on both the Meraki and the Cisco switch.


Go to Security Appliance, then DHCP.

Decide which device will be the DHCP server on this new subnet: the Meraki can serve DHCP itself, or, if it's a Windows network, point the IP Helper (DHCP relay) at your main DHCP server.

Cisco Switch


On the uplink of your switch to the Meraki, e.g. GigabitEthernet1/0/1, set:

conf t
int gi1/0/1
 ! native VLAN must match the Meraki trunk's native VLAN
 switchport trunk native vlan 1
 ! only the VLANs configured on the Meraki side should be allowed
 switchport trunk allowed vlan 1,5
 switchport mode trunk
end

You might see "switchport trunk native vlan 1" not showing in the config; this is because 1 is the default native VLAN, and IOS does not display default values in the running configuration.

Untagged Port on the New VLAN

This changes the port to an access port in VLAN 5:

conf t
int gi1/0/2
 switchport access vlan 5
 switchport mode access
end

From a PC or server, connect to the Meraki. The default username is the serial number of the device, which can be found in the Cloud Dashboard, and the password is blank.

The following will restart the Meraki, so make sure you arrange downtime.

Change Port 2 from LAN to Internet, add the IP details and click Save.

Make sure all Ethernet ports are set to Auto for negotiation.

By default the Meraki will put the connections in Active / Passive. To enable Active / Active:

Log in to your Meraki Cloud Dashboard and enable Load Balancing:

This will spread both inbound and outbound traffic across both links.

To force traffic for one port, e.g. onto a specific link, add an Internet Traffic Flow setting.

