Introduction
This document covers these items:
How to improve the security of LDAP directory integration with Cisco Unified CallManager (CUCM) through several configuration steps that restrict permissions. The procedures apply to both an existing and a new installation of directory integration.
Access to and management of the directory use a dedicated user and group. Permissions are set on directory objects to restrict that user and group, and the directory integration is then updated (for an existing installation) or completed (for a new installation). Finally, the integration is verified.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is specific to Cisco Unified CallManager 4.x.
These steps, which are shown with the Microsoft Active Directory (AD), can also apply to other supported directory products.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Background Information
For an Existing Directory Integration
Follow these steps for an existing directory integration:
Create a new group, such as CUCM Directory Group.
Set the group permissions for directory access.
Move the existent directory user to the new group.
Remove the user from the old group; the user must be a member of the new group only.
Perform verification.
For an Existing Installation Without a Dedicated Account
Follow these steps for an existing directory integration where a dedicated account was not used:
Create a new user, such as CUCM Directory Manager.
Make the user a member of the new group only.
Change CUCM to use the new user; modify the registry and ini file.
Restart the Cisco Tomcat.
Change the password of the original account that had been used.
Perform verification.
For a New Installation
Follow these steps for a new installation of Directory Integration:
Create a new group, such as CUCM Directory Group.
Set restrictions on this new group.
Create a new user, such as CUCM Directory Manager.
Put the new user into a group with Administrator privileges, for example, Domain Admins.
Use the new user when you install the plug-in.
Move the user to the newly created CUCM Directory Group.
Set the new group as the primary group for the admin user.
Remove this user from the old group; the user must no longer be a member of any other group.
Perform verification.
Verification
Perform verification with this procedure:
Create a new user, ccmtest, in the directory (on the directory server).
Check that the ccmtest user is listed in CUCM Users.
Change the PIN of the ccmtest on the CUCM User Configuration page.
Ensure that the field is updated in the directory.
Change ciscoCCNatCTIUseEnabled to True for ccmtest in the directory.
Confirm that the Enable CTI Application Use check box is checked for ccmtest in CUCM.
Delete ccmtest user.
Using an LDAP browser, ensure that only the intended parts of the tree are visible to the dedicated account: it must not be able to view anything outside the Cisco Organizational Unit (OU) or the Users OU.
Detailed Steps
Note: The names that are used here for the dedicated account and group are CUCM Directory Manager and CUCM Directory Group, respectively, but you can choose different names.
Start Microsoft Active Directory (ADUC)
Choose Start > Programs > Administrative Tools > Active Directory Users and Computers.
Create New Group
Follow these steps to create the new group:
Right-click the Users container.
Choose New > Group.
Enter the Group name, scope, and type, such as CUCM Directory Group, Global, and Security.
Click Next.
Click Finish.
Set Group Permissions for Directory Access
The group must be granted these rights:
These rights must apply to this object and all child objects.
Set Read/Write/Create Privileges on the Cisco OU
Follow these steps to set the Read/Write/Create privileges on the Cisco OU:
Right-click the Cisco container.
Choose Properties.
Choose the Security tab.
Click Advanced.
Click Add...
Enter CCM Directory Group.
Set Apply onto field to This object and all child objects.
Check Allow for Read All Properties.
Check Allow for Write All Properties.
Check Allow for Create All Child Objects.
Check Allow for Delete All Child Objects.
Click OK.
Set Read Privileges on OU of Users
Follow these steps to set Read privileges on the Users OU:
Right-click the Users container.
Choose Properties.
Choose the Security tab.
Click Advanced.
Click Add...
Enter CCM Directory Group.
Set Apply onto field to user objects.
Check Allow for Read All Properties.
Click OK.
Set Read/Write Privileges on Cisco Attributes
Follow these steps to set Read/Write privileges on the Cisco attributes:
Right-click the Users container.
Choose Properties.
Choose the Security tab.
Click Advanced.
Click Add...
Enter CCM Directory Group.
Set Apply onto field to user objects.
Check Allow for Read ciscoatGUID, Read ciscoatUserProfile, and Read ciscoatUserProfileString.
Check Allow for Write ciscoatGUID, Write ciscoatUserProfile, and Write ciscoatUserProfileString.
Click OK.
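The three ACL procedures above (Cisco OU, Users container, Cisco attributes) can also be applied with PowerShell, which makes the delegation repeatable and reviewable. The script below is an added example and is not part of the Cisco document. It assumes the ActiveDirectory module (RSAT), that the Cisco OU is OU=Cisco and the Users container is CN=Users directly under the domain root, and that the schema defines the three ciscoat* attributes named in the procedure.

```powershell
# Added example (not from the Cisco document): least-privilege delegation for the
# CUCM directory account, equivalent to the three ADUC procedures above.
# Assumptions: ActiveDirectory module available; OU=Cisco and CN=Users sit directly
# under the domain root; ciscoatGUID/ciscoatUserProfile/ciscoatUserProfileString
# exist in the schema.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$groupName = 'CUCM Directory Group'                 # name used in the document
$sid       = (Get-ADGroup -Identity $groupName).SID
$rootDse   = Get-ADRootDSE

# schemaIDGUID of a class or attribute; needed for ACEs that target one attribute
# or that are inherited only by one object class
function Get-SchemaGuid([string] $ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema entry '$ldapDisplayName' not found" }
    [guid] $obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid 'user'
$ciscoAttrs    = 'ciscoatGUID', 'ciscoatUserProfile', 'ciscoatUserProfileString' |
    ForEach-Object { Get-SchemaGuid $_ }

# Add one Allow ACE for the group to the object at $Dn
function Add-Ace {
    param(
        [string] $Dn,
        [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance,
        [guid] $ObjectType = [guid]::Empty,          # attribute the right applies to
        [guid] $InheritedObjectType = [guid]::Empty  # child class that inherits the ACE
    )
    $acl = Get-Acl -Path "AD:\$Dn"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# 1. Cisco OU: Read/Write All Properties, Create/Delete All Child Objects,
#    applied to this object and all child objects
$ciscoDn = "OU=Cisco,$domainDN"
Add-Ace -Dn $ciscoDn -Inheritance All `
    -Rights ([System.DirectoryServices.ActiveDirectoryRights] 'ReadProperty, WriteProperty, CreateChild, DeleteChild')

# 2. Users container: Read All Properties, applied to user objects only
$usersDn = "CN=Users,$domainDN"
Add-Ace -Dn $usersDn -Inheritance Descendents -Rights ReadProperty `
    -InheritedObjectType $userClassGuid

# 3. Users container: Read/Write the three Cisco attributes on user objects only
foreach ($attrGuid in $ciscoAttrs) {
    Add-Ace -Dn $usersDn -Inheritance Descendents `
        -Rights ([System.DirectoryServices.ActiveDirectoryRights] 'ReadProperty, WriteProperty') `
        -ObjectType $attrGuid -InheritedObjectType $userClassGuid
}

# Show the resulting ACEs for the group so the change can be reviewed
foreach ($dn in $ciscoDn, $usersDn) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like "*\$groupName" } |
        Select-Object @{n='Object';e={$dn}}, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
}
```

Run it once from an account that holds write access to both containers. The final listing is the check to keep: the group should appear with exactly the rights above and nothing on objects outside the Cisco OU other than the user-scoped entries on the Users container.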
Create New User
Follow these steps to create a new user:
Right-click the Users container.
Choose New > User.
Enter the name and logon name, such as CUCM Directory Manager and ccmdiruser.
Fill in the Password and Confirm Password fields.
Check the Password Never Expires check box.
Click Next.
Click Finish.
Move User to New Group and Remove From Old Group
Follow these steps to move the user to the new group and remove it from the old group:
Choose the Users OU.
Right-click ccmdiruser and choose Properties.
Choose the Member Of tab.
Click Add...
Enter the CCM Directory Group.
Click OK.
Choose the CCM Directory Group.
Click Set Primary Group.
Choose the old group.
Click Remove.
Three Steps Required to Change CUCM to Use the New User
Three steps are required to change CUCM to use the new user:
Obtain the encrypted password.
Set the account and password in the registry.
Set the account and password in the DC Directory initialization file.
Obtain the Encrypted Password
Note: Although the password used here is 'password' for demonstration purposes, you must use a complex password instead.
Choose Start > Run.
Enter cmd.
Enter cd C:\dcdsrvr\bin.
Enter PasswordUtils.cmd password.
Set the Account and Password in the Registry
Caution: If you edit the wrong registry key or make a mistake while you edit the registry, your system can be unusable until you repair the registry. You must back up your registry before you make any changes. Make sure that you know how to restore the registry from the backup before you continue. Because an explanation of how to maintain the server registry is beyond the scope of this document, consult your system documentation for this information.
Choose Start > Run.
Enter regedit and click OK.
Browse to HKEY_LOCAL_MACHINE\Software\Cisco Systems, Inc.\Directory Configuration within the registry.
In the right pane, double-click the MGRDN registry key.
Change the user, for example, from Administrator to ccmdiruser.
Double-click the MGRPW registry key.
Change the encrypted password with the value obtained from the PasswordUtils tool.
Exit Regedit.
Set Account and Password in the DC Directory ini File
Follow these steps to set the account and password in the DC Directory ini file:
Choose Start > Run.
Enter notepad C:\dcdsrvr\DirectoryConfiguration.ini and click OK.
Change the user, for example, from Administrator to ccmdiruser.
Change the value to the right of passwd= to the encrypted password that you obtained from the PasswordUtils tool.
Choose File > Save.
Choose File > Exit.
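After the registry and ini edits, a practitioner wants one check that the two configuration sources agree, that the built-in Administrator is no longer the bind account, that the dedicated account belongs to the new group only (the requirement stated in the procedure outlines above), and that the account cannot see more of the tree than the Cisco and Users containers (the LDAP-browser step in the Verification section). The script below is an added example, not part of the Cisco document. It uses the registry path, value names, ini path and passwd= key given in the document; the ini key name MGRDN for the bind DN is an assumption, so that comparison is skipped when the key is absent.

```powershell
# Added example (not from the Cisco document): consistency check after switching
# CUCM to the dedicated directory account.
# Assumptions: ActiveDirectory module; registry/ini locations as in the document;
# the ini may store the bind DN under 'MGRDN' (assumed name, checked only if present).
Import-Module ActiveDirectory

$regPath   = 'HKLM:\Software\Cisco Systems, Inc.\Directory Configuration'
$iniPath   = 'C:\dcdsrvr\DirectoryConfiguration.ini'
$account   = 'ccmdiruser'
$groupName = 'CUCM Directory Group'

$reg = Get-ItemProperty -Path $regPath

# Minimal ini parser: key=value lines, ignoring blanks, comments and [sections]
$ini = @{}
Get-Content $iniPath | ForEach-Object {
    if ($_ -match '^\s*([^;#\[][^=]*?)\s*=\s*(.*?)\s*$') { $ini[$matches[1]] = $matches[2] }
}

$findings = @()
if ($reg.MGRDN -notmatch [regex]::Escape($account)) { $findings += "Registry MGRDN still points at '$($reg.MGRDN)'" }
if ($reg.MGRDN -match 'Administrator')              { $findings += 'Registry MGRDN references the built-in Administrator' }
if ($ini['passwd'] -ne $reg.MGRPW)                  { $findings += 'ini passwd= and registry MGRPW differ' }
if ($ini['MGRDN'] -and $ini['MGRDN'] -ne $reg.MGRDN) { $findings += 'ini and registry bind DNs differ' }

# The dedicated account must belong to the new group and to no other group.
# MemberOf omits the primary group, so it is added explicitly.
$user   = Get-ADUser -Identity $account -Properties MemberOf, PrimaryGroup
$groups = @($user.MemberOf) + $user.PrimaryGroup | Select-Object -Unique |
    ForEach-Object { (Get-ADGroup $_).Name }
$extra  = $groups | Where-Object { $_ -ne $groupName }
if ($groups -notcontains $groupName) { $findings += "$account is not a member of '$groupName'" }
if ($extra) { $findings += "$account also belongs to: $($extra -join ', ')" }

# Visibility check: bind as the dedicated account and list anything it can read
# outside the Cisco OU and the Users container
$cred = Get-Credential -UserName "$env:USERDOMAIN\$account" -Message 'Dedicated account password'
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$((Get-ADDomain).DNSRoot)", $cred.UserName, $cred.GetNetworkCredential().Password)
$srch = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=*)')
$srch.SearchScope = 'Subtree'
$srch.PageSize    = 1000
$outside = $srch.FindAll() | ForEach-Object { $_.Path } |
    Where-Object { $_ -notmatch 'OU=Cisco,|CN=Users,' }
if ($outside) { $findings += "$account can read $(@($outside).Count) objects outside Cisco/Users, e.g. $($outside | Select-Object -First 3)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'OK: registry, ini, group membership and visibility are as expected' }
```

Run it on the CUCM publisher after the Tomcat restart. Any warning means one of the procedure steps was missed; the visibility warning in particular shows which containers still grant the account more read access than the procedure intends.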
Restart Cisco Tomcat
Follow these steps to restart the Cisco Tomcat service:
Choose Programs > Administrative Tools > Services.
Right-click Cisco Tomcat and choose Restart.
Verify that Temporary ccmtest User is in CUCM Directory
Follow these steps to verify that the temporary ccmtest user is in the CUCM Directory:
From the CUCM Administration pages, choose User > Global Directory.
Press the Search button.
Ensure that the ccmtest user is in the list of users.
Change the PIN of the ccmtest User
Follow these steps to change the PIN of the ccmtest user:
Choose ccmtest at the User Information Page.
Press the Change... button.
Enter a 5-digit PIN, for example, 12345.
Press the Update and Close buttons.
Use a directory browser to choose the Cisco OU.
Navigate to CCN > profiles > ccm-test-CCNProfile.
Ensure that the CiscoCCNatPIN field has the new value.
Change the ciscoCCNatCTIUseEnabled Field
Follow these steps to change the ciscoCCNatCTIUseEnabled field:
Use a directory browser to choose the Cisco OU.
Navigate to CCN > profiles > ccm-test-CCNProfile.
Modify ciscoCCNatCTIUseEnabled to true.
Refresh the User Configuration page for user ccmtest.
Ensure that the Enable CTI Application Use check box is now marked.
Delete the ccmtest User
Follow these steps to delete the ccmtest user:
Choose the Users OU.
Right-click ccmtest and choose Delete.
Choose Yes to confirm.
Related Information
Active Directory (AD) integration allows you to restrict access to the network and enforce Group Policies based on membership in Active Directory groups.
Currently, Active Directory-based authentication works only if one of the following is true:
- The Domain Controller is in a VLAN configured on the appliance
- The Domain Controller is in a subnet for which a static route is configured on the appliance
- The Domain Controller is accessible through the VPN.
If there are multiple Domain Controllers in the domain, all of them must meet one of these criteria in order for Active Directory integration to function properly.
Note: The information listed here should be used as a general operating system configuration guideline. Your specific options and menus may differ depending on the version of Windows Server deployed.
Integrating with Group Policies
A Group Policy in the Dashboard is a set of bandwidth limits, traffic shaping and firewall rules, security filtering, and content filtering settings that can be applied on a per client basis.
Note: Cisco Meraki Active Directory-Based Group Policy on the MX should not be confused with Microsoft Active Directory Group Policy as they are in no way related.
Traffic Flow
The MX utilizes Microsoft's Windows Management Instrumentation (WMI) service to pull a continuous stream of Logon Security Events from specified Domain Controllers in the Active Directory domain. These security events have critical information that tells the MX which user accounts are logged into which computers. Specifically, the events contain the IP address of the computer and the Windows username of the logged on user.
The MX will run through the following steps to identify AD group members and apply associated group policies:
- MX securely contacts the specified Domain Controllers for the AD domain, using TLS
- MX reads WMI logon events from the DC's security events, to determine which users are logged into which devices.
- MX binds to DCs using LDAP/TLS to gather each user's AD group membership.
- Group membership is added to a database on the MX.
- If a domain user's group membership matches an AD group policy mapping in Dashboard, the MX can apply the associated group policy to the user's computer.
Because the MX is continuously gathering this information from the domain controllers, it is able to accurately apply the policy in real-time whenever a new user logs in.
Note: At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.
Benefits of Active Directory Integration
By using Microsoft WMI and standards-based LDAP to interact with the Active Directory network infrastructure, the MX can do real-time Active Directory-based Group Policy assignment without the need to install or maintain any agent software on local Active Directory Domain Controllers.
Configuration Overview
The following steps outline the required configuration (both in Dashboard and Active Directory) to allow for AD-based group policy application. Please be sure to follow each step as accurately as possible; errors can be difficult to diagnose and resolve.
Create an Active Directory Site
In Active Directory, Domain Controllers are placed into sites. Sites are assigned IP subnets. Domain users and computers authenticate with Domain Controllers located in the site (IP subnet) in which they reside. Each authentication generates a logon entry within the Domain Controller's Security Event Log. Because the MX uses these Security Events to determine which users are logged onto which computers, all of the Domain Controllers that service logons in an Active Directory site whose IP subnets also correspond to the subnets configured on the MX must be added to Dashboard.
In the example below, the MX has the following IP subnets configured under Addressing & VLANs: 10.0.0.0/24 and 192.168.0.0/24. Active Directory sites need to be applied to both subnets.
Both IP subnets on the MX are members of the Active Directory site named 'Default-First-Site-Name' (shown below). Therefore, the IP addresses of servers DC1, DC1-UK, DC2, SE-Test, and WIN-K7346GNLZ29 located in this site must be added to Dashboard on the Active Directory page in Dashboard.
Enable Security Auditing on Active Directory Domain Controllers
Explanation
When Active Directory Group Policy is enabled, the MX pulls a continuous stream of Security Events from Windows Active Directory Domain Controllers. Using Logon Events (540 and 4624) and Account Logon Events (672 and 4768) specifically, the MX can determine which domain users are logged into which domain computers and what the IP address of each of those computers is. This information is then coupled with the user's Group Membership retrieved from an LDAP/TLS lookup and the IP address or MAC address of the computer learned via Cisco / Meraki client detection. By combining these pieces of information, the appropriate filtering policy can be applied transparently in real-time to each computer based on the currently logged on user. If Domain Controllers specified in Dashboard do not have Security Auditing enabled, the MX will not be able to associate users to computers transparently. To ensure that a Domain Controller is configured to audit successful Logon and Account Logon Events, enable this logging using the Default Domain Controller Policy or Local Computer Policy for Domain Controllers in your domain.
Configuration
- On the Domain Controller, open the Local Computer Policy using gpedit.msc.
- Navigate to Computer Configuration>Windows Settings>Security Settings>Local Policies>Audit Policy.
- Confirm that 'Audit Account Logon Events' and 'Audit Logon Events' are set to 'Success' as shown in this image:
Note: If these auditing entries are not set to log Success events and the option to edit it is greyed out, then this setting is defined by Domain Group Policy, and you will need to modify this at the Domain level instead. This setting can be found by opening the applicable Group Policy in the server's Group Policy Management Editor and navigating to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy. If further issues are encountered, please refer to Microsoft's documentation for assistance:
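The two things worth checking on a Domain Controller before adding it to Dashboard are whether the effective audit policy actually produces the events the MX needs, and what those events contain. The script below is an added example and is not part of the Meraki document. It runs in an elevated session on the DC, uses only the built-in auditpol and Get-WinEvent tools, and extracts from events 4624 and 4768 exactly the two fields the document says the MX correlates: the logged-on user name and the client IP address.

```powershell
# Added example (not from the Meraki document): verify logon auditing on a DC and
# show the user/IP pairs that 4624 and 4768 events expose.
# Assumption: run elevated on the Domain Controller itself.

# Effective audit settings (reflect domain GPO as well as local policy).
# 4624 comes from the 'Logon' subcategory, 4768 from 'Kerberos Authentication Service'.
function Get-LogonAuditStatus {
    foreach ($sub in 'Logon', 'Kerberos Authentication Service') {
        $row = (auditpol /get /subcategory:"$sub" /r | Where-Object { $_ }) | ConvertFrom-Csv
        [pscustomobject]@{
            Subcategory = $sub
            Setting     = $row.'Inclusion Setting'
            MxUsable    = [bool] ($row.'Inclusion Setting' -match 'Success')
        }
    }
}

# Parse recent logon events by field name (robust against property-index drift
# between Windows versions) and keep only entries that carry a client address.
function Get-LogonMappings([int] $MaxEvents = 500) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml] $_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        # 4768 reports IPv4 clients as IPv4-mapped IPv6 ('::ffff:10.0.0.5'); normalise
        $ip = $d['IpAddress'] -replace '^::ffff:', ''
        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            User     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Detail   = if ($_.Id -eq 4624) { "LogonType $($d['LogonType'])" } else { 'TGT issued' }
            ClientIp = $ip
        }
    } |
    # Local/service logons have no useful address; machine accounts end in '$'
    Where-Object { $_.ClientIp -and $_.ClientIp -notin '-', '::1', '127.0.0.1' -and $_.User -notmatch '\$$' }
}

Get-LogonAuditStatus | Format-Table -AutoSize
Get-LogonMappings | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

If MxUsable is False for either subcategory the DC is not producing the events, and the setting has to be corrected at whichever level (local policy or domain GPO) defines it, as the note above describes. An empty mapping list with auditing enabled usually means no interactive or network logons have happened recently, not a configuration fault.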
Enable the Global Catalog Role on Each Domain Controller
In order for a Domain Controller to maintain the logon events used by the MX for user/group identification, it must be running the Global Catalog Role. As such, a required configuration step is to enable the Global Catalog Role for each Domain Controller that the MX will be polling.
Please refer to official Microsoft documentation for specific configuration steps.
Install a Digital Certificate on Each Domain Controller
In order to communicate with a Domain Controller, the MX security appliance will need to establish Transport-Layer Security (TLS) so all communication between the MX and Active Directory will be encrypted. As a prerequisite to TLS, the MX will need to verify the identity of the Domain Controller. This is done with certificate validation.
An existing certificate can be used on the Domain Controller (so long as it meets the requirements for TLS listed below), or a self-signed certificate can be created on the server.
Certificate Requirements for TLS
The following notes describe certificate parameters used in Windows Server, but can be generalized for any certificate's parameters.
Under the General tab, check for the following attributes:
- The server must have the corresponding private key. To verify that the private key exists, view the General tab of the certificate and verify that you see the following message: 'You have a private key that corresponds to this certificate'.
- Verify that the following statement appears: 'This certificate is intended for the following purpose(s): Proves your identity to a remote computer'.
- Check that the certificate is still valid, based on the 'Valid from' values.
Under the Details tab:
- The Version value must contain 'v3', indicating that it is an X.509 Version 3 certificate.
- The Enhanced Key Usage value must contain the Server Authentication certificate purpose (OID '1.3.6.1.5.5.7.3.1').
- The Subject value must contain the Fully Qualified Domain Name of the RADIUS server or Active Directory server, e.g. myserver.mydomain.com.
- The Public key value should be set to 'RSA (2048 Bits)'.
- The 'Subject Alternative Name' value must contain the syntax 'DNS Name=myserver.mydomain.com' where the DNS name is the Fully Qualified Domain Name of your server. This is especially important when using an Active Directory-based PKI.
- The Key usage must contain the 'Digital Signature' and 'Key Encipherment' values.
Note: In Server 2012, this option may be available as 'Data Encipherment.'
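Checking these certificate parameters by hand in the certificate dialog is error-prone when several certificates sit in the machine store, so the following added example (not part of the Meraki document) evaluates every certificate in LocalMachine\My against the list above. It assumes the DC's FQDN is the host's own DNS name unless -Fqdn is supplied, relies only on the .NET X509 classes that ship with Windows PowerShell, and, per the note above, accepts 'Data Encipherment' in place of 'Key Encipherment'.

```powershell
# Added example (not from the Meraki document): test certificates in the machine
# store against the TLS requirements listed in the document.
# Assumptions: run on the DC; FQDN defaults to the host's DNS name; SAN text is read
# in the English "DNS Name=" format that Windows produces.
function Test-DcTlsCertificate {
    param(
        [string] $Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $kuFlags       = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $now           = Get-Date

    foreach ($cert in Get-ChildItem $StorePath) {
        $checks = [ordered]@{}
        $checks['Private key present'] = $cert.HasPrivateKey
        $checks['Currently valid']     = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        $checks['X.509 v3']            = $cert.Version -eq 3

        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $checks['EKU Server Authentication'] =
            [bool] ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))

        $checks['Subject CN = FQDN'] = [bool] ($cert.Subject -match "(^|,\s*)CN=$([regex]::Escape($Fqdn))(,|$)")

        # RSA 2048: GetRSAPublicKey returns $null for non-RSA keys
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $checks['RSA 2048'] = ($null -ne $rsa) -and ($rsa.KeySize -eq 2048)

        # SAN (OID 2.5.29.17) must carry a DNS Name entry equal to the FQDN
        $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $checks['SAN DNS Name = FQDN'] = [bool] ($sanText -match "DNS Name=$([regex]::Escape($Fqdn))(,|$)")

        $ku   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $bits = if ($ku) { $ku.KeyUsages } else { $kuFlags::None }
        $checks['KU Digital Signature']  = [bool] ($bits -band $kuFlags::DigitalSignature)
        # Server 2012 may label this 'Data Encipherment' (see note above); accept either
        $checks['KU Key/Data Encipherment'] =
            [bool] ($bits -band ($kuFlags::KeyEncipherment -bor $kuFlags::DataEncipherment))

        $failed = $checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Suitable   = -not $failed
            Failed     = $failed -join '; '
        }
    }
}

Test-DcTlsCertificate | Sort-Object Suitable -Descending | Format-Table -AutoSize
```

At least one certificate should report Suitable = True; if the only candidate fails on the SAN or subject check, the certificate names the host differently from the FQDN the MX will connect to, which is the case the document flags as especially important with an AD-based PKI.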
Create Groups in Active Directory
Since the MX will be mapping Active Directory groups to its own group policies, the appropriate groups will have to be created in Active Directory.
Please refer to official Microsoft documentation for specific configuration steps.
Add Users to Groups in Active Directory
When a user logs on to a domain, the logon event will include both user information and group membership. Since this group membership defines which Dashboard group policy will be applied, it is important to ensure that users are added to the appropriate groups in Active Directory.
Please refer to official Microsoft documentation for specific configuration steps.
Configure Group Policies in Dashboard
A group policy in Dashboard will determine the custom network rules and regulations that will apply to users with that policy. This can include custom bandwidth limits, more or less restrictive content filtering rules, custom access to subnets, etc.
Please refer to our documentation for more information about configuring Dashboard group policies.
Configure Active Directory Authentication in Dashboard
The following instructions explain how to add Active Directory servers to Dashboard and enable AD authentication for network clients.
- Log into Dashboard and navigate to Security & SD-WAN > Configure > Active Directory.
- From the Active Directory drop-down, select Authenticate users with Active Directory.
- For Per-VLAN settings choose to Require logon via splash or Default to network-wide settings (Use global settings). Enabling logon via splash will prompt network users with a splash page where they will log in with their domain credentials, but is not a prerequisite to group policy integration.
In our example below, we are requiring splash logon for the data VLAN and network defaults for the server VLAN.
Note: The MX AD splash page authorization expires after 2 days or if AD detects a new logon event on the client. The clear authorization button on the client list does not clear the AD splash page authorization on the MX.
- For Active Directory Servers, click Add an Active Directory domain server. Remember to add all Domain Controllers that are responsible for the sites/subnets that the MX handles. In our example below, we added all 5 Domain Controllers located in our Active Directory site.
- To add an Active Directory server, enter the following information:
- Short Domain: Short name of the domain (a.k.a., NetBIOS name), as opposed to the fully qualified domain name (FQDN). Typically if the FQDN is 'mx.meraki.com', the short domain is 'mx'.
- Server IP: The IP address of the domain controller.
- Domain admin: A domain administrator account that the MX can use to query the AD server.
- Password: The password of the domain administrator account.
Note: Unicode characters in usernames and passwords are not currently supported.
User permissions for AD integration
While the AD integration account does not have to be a domain admin, using one is usually the easiest way to implement this feature. If using a domain admin account is not possible or not preferable, ensure that the account has the necessary permissions to perform the following actions:
- Query the user database via LDAP
- Query group membership via LDAP
- Query the domain controller via WMI
- Click the Save changes button.
Create LDAP Group to Group Policy Mappings in Dashboard
Once Active Directory has been successfully integrated on the MX, the following steps outline how to map Dashboard group policies to groups in AD:
- In Dashboard, navigate to Security & SD-WAN > Configure > Active Directory > LDAP policies.
- Click the Refresh LDAP Groups button to pull LDAP groups from the configured Active Directory servers based on the domain credentials provided in the dashboard.
Note: Policy mappings in Dashboard are done based on the FQDN of the group policy object in Active Directory. If the OU of any object in the FQDN path changes, the group policy mapping will need to be re-added in Dashboard.
- Under Groups, select the LDAP group, and under Policy select the appropriate group policy for that LDAP group.
- Click Save Changes at the bottom of the page.
If a user is part of more than one group specified in a Group Policy mapping, the first matching group in the list is applied; the user will not receive a combination of both policies. For example, in the screenshot below, if a user was part of both staff and executives they would be mapped to staff and only receive the policy configured as the staff policy:
Note: Active Directory group policy does not support group nesting or policy overlapping. If a domain user is a member of an AD group (e.g. staff), and that group is contained within another group that has a Group Policy mapping (e.g. executives), the mapped policy (executives) will not be applied to the user.
The best practice for deploying Active Directory-based group policy is to add users to a single AD group which is mapped to a single group policy. In the example below, a company has different security levels for its executives and staff. A user Bob is a staff member and Billy is an executive. In this case, the company creates two AD groups, staff and executives. Bob is added to the staff group and Billy to the executives group. Therefore Bob receives the policy applied by staff and Billy the policy from executives:
An MX appliance must be configured in Passthrough mode when Active Directory-based content filtering is desired and the Active Directory domain controllers are located upstream or across an MPLS. Additional information on the traffic flow and the reason for this required configuration is explained below.
Passthrough Mode Configuration
To support Active Directory Group Policy mappings when Active Directory servers are located across an MPLS, the MX Security Appliance must be placed in Passthrough mode. This can be accomplished by going to Security & SD-WAN > Configure > Addressing & VLANs on the Cisco Meraki Dashboard and selecting the option for Passthrough or VPN Concentrator.
In this mode, the MX Security Appliance acts as a layer 2 bridge and does not modify the source address of traffic that traverses the WAN uplink. This configuration allows the MX to query the security logs, obtain an end-user's account name and associated device IP address, and apply the corresponding group policy.
Routed Mode Configuration
When an MX Security Appliance is configured for Routed mode and Active Directory Domain Controllers are located across an MPLS, authentication requests will traverse the MX WAN uplink. When this uplink traversal occurs, a NAT translation takes place and the source IP will be modified from the user's client device IP address to the WAN IP address of the MX Security Appliance.
In this scenario, the Active Directory security logs will contain the IP address of the MX Security Appliance, rather than the IP address of the end-user's device. This prevents the MX from knowing to which device the identity-based content filtering policies should be applied. Because of this, a Routed mode configuration will not support Active Directory-based group policies.
Integrating with Client VPN
The Cisco Meraki MX Security Appliance supports Active Directory authentication with Client VPN, so a client will be required to provide domain credentials in order to connect via VPN.
Traffic Flow
When a user attempts to connect to Client VPN, the following process occurs:
- The user's device attempts to establish a VPN tunnel using L2TP over IP.
- The user provides their valid domain credentials.
- The MX, from its LAN IP, queries the Global Catalog over TCP port 3268 (encrypted using TLS) to the AD server configured in Dashboard.
- If the user's credentials are valid, the AD server will send its response to the MX, completing authentication.
- The MX offers the client an IP configuration on the Client VPN subnet, and the client can start communicating on the network.
Note: At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.
Configuration Overview
In order to configure Active Directory authentication for Client VPN, configuration steps must be completed on both Dashboard and Active Directory, outlined below:
Active Directory Configuration
The following requirements must be configured on each AD server being used for authentication:
- Every AD server specified in Dashboard must hold the Global Catalog role.
- Since communication between the MX and AD server will be encrypted using TLS, a valid certificate with the appropriate parameters must be configured on the server.
- If no certificate is present, it will be necessary to install a Self-Signed certificate.
- If a certificate already exists, please ensure that it has been configured with the necessary parameters for TLS.
- The MX will communicate from its LAN IP with each AD server over TCP port 3268; ensure that no firewalls or ACLs on the network or server will block that communication.
When Active Directory authentication is configured, the MX queries the Global Catalog over TCP port 3268. Therefore the Active Directory server (Domain Controller) specified in Dashboard must also hold the Global Catalog role.
Dashboard Configuration
Once the AD servers have been primed with the configuration requirements outlined above, the following steps outline how to set up AD authentication for Client VPN:
- In Dashboard, navigate to Security & SD-WAN > Configure > Client VPN
- If Client VPN has not yet been enabled, please refer to our Client VPN documentation for info on initial configuration.
Note: In order for Client VPN users to be able to resolve internal DNS entries, the Custom nameservers option should be configured with an internal DNS server. The server's firewall may need to be adjusted to allow queries from the Client VPN subnet, and best practices dictate that a public DNS server should be listed as a secondary option.
- Set Authentication to Active Directory.
- Under Active Directory server, provide the short domain name and server IP, as well as the credentials for an AD domain admin.
Note: If the credentials provided do not have domain admin permissions, the MX will be unable to query the AD server.
- Click Save Changes.
Client Configuration
Clients can use their native VPN client to connect to Client VPN, with or without Active Directory.
Please refer to our Client VPN documentation for OS-specific configuration steps.
(Optional) Client Scoping
Due to the nature of Active Directory authentication for Client VPN, all domain users will be able to authenticate and connect to Client VPN. There is no Dashboard-native way to limit which users can authenticate; however, there is a workaround in Active Directory that allows the scope of users to be limited by specifying a domain administrator with limited group visibility.
The following article outlines how to configure this workaround for wireless networks, but the same principles can be applied to Client VPN: Scoping Active Directory per SSID
Note: This configuration is entirely reliant on Active Directory. Depending on how domain groups are managed, this may not work in some environments; please refer to Microsoft documentation and support for assistance with Active Directory configuration.
Testing
Once the configuration above has been completed, the Meraki device should be able to communicate with the Active Directory server using TLS. If this fails, Microsoft offers the Ldp.exe tool to ensure that the LDAP service is running and compatible with the current certificate.
Please reference Microsoft documentation for error code details and troubleshooting assistance.
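Ldp.exe confirms that the LDAP service answers over TLS, but it does not tell you whether the integration account itself can do the three things listed under 'User permissions for AD integration' (query users and group membership via LDAP, query the domain controller via WMI). The script below is an added example, not part of the Meraki document, that exercises all three from a Windows host on the LAN using the same transport the document describes: the Global Catalog on TCP port 3268 with TLS started on that connection. The DC name and the test user are placeholders to replace; the MX's own validation behaviour is not reproduced, and the script requires the DC certificate to chain to a root trusted by the testing host.

```powershell
# Added example (not from the Meraki document): test the AD integration account
# end to end. Placeholders: $dcFqdn, $testUser. Assumption: the DC certificate is
# trusted by this host (import a self-signed DC certificate into Trusted Root first).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dcFqdn   = 'dc1.corp.example.com'   # placeholder
$testUser = 'jdoe'                   # placeholder sAMAccountName to look up
$cred     = Get-Credential -Message 'AD integration account (DOMAIN\user)'

# 0. Reachability of the Global Catalog port the MX uses
$tcp = Test-NetConnection -ComputerName $dcFqdn -Port 3268
if (-not $tcp.TcpTestSucceeded) { throw "TCP 3268 to $dcFqdn is blocked (check firewalls/ACLs)" }

# 1. LDAP bind over 3268 with StartTLS, validating the server certificate
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcFqdn, 3268)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred.GetNetworkCredential(), 'Negotiate')
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    $c2 = [System.Security.Cryptography.X509Certificates.X509Certificate2] $certificate
    # Chain must validate and the certificate must name the DC we connected to
    $c2.Verify() -and ($c2.GetNameInfo('DnsName', $false) -eq $script:dcFqdn)
}
$conn.SessionOptions.StartTransportLayerSecurity($null)
$conn.Bind()
"TLS bind to $dcFqdn`:3268 succeeded as $($cred.UserName)"

function Search-Gc([string] $Base, [string] $Filter, [string] $Scope, [string[]] $Attrs) {
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $Base, $Filter, [System.DirectoryServices.Protocols.SearchScope] $Scope, $Attrs)
    $conn.SendRequest($req)
}

# 2. Query the user database and group membership via LDAP
$rootDse = (Search-Gc '' '(objectClass=*)' 'Base' @('defaultNamingContext')).Entries[0]
$baseDn  = $rootDse.Attributes['defaultNamingContext'].GetValues([string])[0]

$user = (Search-Gc $baseDn "(&(objectClass=user)(sAMAccountName=$testUser))" 'Subtree' @('distinguishedName', 'memberOf')).Entries
if ($user.Count -eq 0) { throw "User $testUser not found; the account may lack read access to user objects" }
$groups = if ($user[0].Attributes.Contains('memberOf')) { $user[0].Attributes['memberOf'].GetValues([string]) } else { @() }
"LDAP: $testUser is in $($groups.Count) group(s): $($groups -join '; ')"

# Same query Dashboard's 'Refresh LDAP Groups' depends on: enumerate group objects
$allGroups = (Search-Gc $baseDn '(objectClass=group)' 'Subtree' @('name')).Entries
"LDAP: $($allGroups.Count) group objects readable"

# 3. Read the Security log via WMI over DCOM, as the MX does. The account needs
#    remote WMI access on the DC and read access to the Security log.
$opt   = New-CimSessionOption -Protocol Dcom
$sess  = New-CimSession -ComputerName $dcFqdn -Credential $cred -SessionOption $opt
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-15))
$events = Get-CimInstance -CimSession $sess -ClassName Win32_NTLogEvent `
    -Filter "Logfile='Security' AND EventCode=4624 AND TimeGenerated>='$since'"
"WMI: read $(@($events).Count) logon events (4624) from the last 15 minutes"
Remove-CimSession $sess
$conn.Dispose()
```

Each numbered step fails independently, which narrows the diagnosis: a failure at step 1 is a certificate or port problem (the Ldp.exe territory above), a failure at step 2 is LDAP read permission, and a failure at step 3 is WMI/DCOM access or Security log read rights on the DC rather than anything LDAP-related.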
Additional Resources
For more information about both Client VPN and Active Directory integration, please refer to the following articles: