This guide gives instructions on creating Windows connection profiles for Meraki Client VPN with Token2 TOTPRadius two-factor authentication and self-enrollment using the RAS Connection Manager Administration Kit (CMAK). The main advantage of CMAK connection profiles is the possibility to define a script that runs after a successful VPN connection is established and launches the LDAP web enrollment page, allowing users to independently enable their second factor after the initial login. The same approach can be applied to other solutions (such as Fortinet VPN) with slightly different VPN tunnel settings.
Open any plain text editor and enter the following lines:
REM ===Launch LDAP Web Enrollment page===
REM Exit immediately if the marker file exists (the page has already been launched once)
IF EXIST %Temp%\totpradius.dat goto :EOF
REM Launch the default browser with the URL of TOTPRadius
REM Do not forget to modify the URL
REM CMAK does not properly detect the VPN connection, so we have to wait a few seconds more
REM There is no "sleep" feature in batch files, so we will use ping as a workaround
echo ===Launching Token2 TOTPRadius LDAP Enrollment page ===
ping -n 5 127.0.0.1 >nul
start "" http://192.168.1.100/ldap-enroll
REM Create the marker file so the page is not launched again on later connections
ECHO All done>%Temp%\totpradius.dat
Do not forget to replace the URL in the start line with the actual one. This version of the script will only launch the enrollment page once. If you need it to be launched every time the connection is established, the launch.bat file should only contain the lines below:
REM CMAK does not properly detect the VPN connection, so we have to wait a few seconds more
REM There is no "sleep" feature in batch files, so we will use ping as a workaround
echo ===Launching Token2 TOTPRadius LDAP Enrollment page ===
ping -n 5 127.0.0.1 >nul
start "" http://192.168.1.100/ldap-enroll
Save this text file as launch.bat and keep it handy; the file will be added to the profile at one of the CMAK wizard steps.
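A more robust variant of launch.bat, added here as an example and not part of the original guide or Token2's own files: instead of a fixed delay it polls the TOTPRadius appliance until it answers, and it writes the marker file only after the enrollment page has actually been launched, so a first attempt that runs before the tunnel is up is retried on the next connection. It assumes the appliance at 192.168.1.100 is reachable through the tunnel and replies to ICMP; the variable names and the MAX_TRIES value are my own choices.

```batch
@echo off
REM Example post-connect script (not from the original guide). Assumes the
REM TOTPRadius appliance is reachable through the tunnel and replies to ICMP.
set "MARKER=%Temp%\totpradius.dat"
set "ENROLL_HOST=192.168.1.100"
set "ENROLL_URL=http://%ENROLL_HOST%/ldap-enroll"
set "MAX_TRIES=15"

REM Run only once: the marker is written only after a successful launch,
REM so a failed first attempt (tunnel not up yet) is retried next time.
if exist "%MARKER%" goto :EOF

set /a tries=0
:wait
set /a tries+=1
REM Single echo request with a 1 s timeout. ping can return 0 on
REM "Destination host unreachable", so look for a real reply (TTL=) instead.
ping -n 1 -w 1000 %ENROLL_HOST% | find "TTL=" >nul
if not errorlevel 1 goto :up
if %tries% geq %MAX_TRIES% (
    echo TOTPRadius at %ENROLL_HOST% not reachable after %tries% attempts.
    goto :EOF
)
REM About 1 s pause between attempts (no sleep in batch, so ping localhost)
ping -n 2 127.0.0.1 >nul
goto :wait

:up
echo ===Launching Token2 TOTPRadius LDAP Enrollment page ===
start "" "%ENROLL_URL%"
echo All done>"%MARKER%"
```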
If you have not already enabled the CMAK toolkit, go to Control Panel\All Control Panel Items\Programs and Features
Select RAS Connection Manager Administration Kit (CMAK)
Once completed, you should see CMAK in your Apps list
Launch the CMAK Wizard, click Next and select your operating system (please note that we have not tested the solution on legacy, unsupported Windows OS versions), then click Next again.
On the next window, select “New Profile” and click Next.
Set a name for the connection profile and the file name (8 characters max.).
Do not change the default setting on the next window, there is no realm used for Meraki CVPN.
Leave the merged profile list empty and skip to the next window.
On the next window, check the “Phonebook from this profile” option and type the hostname of your Meraki appliance.
On the next screen, select the VPN entry that was created and click Edit.
Select the Security tab, and make the following changes:
1) Select L2TP in the VPN strategy list
2) Leave “Unencrypted password (PAP)” only in the Authentication methods list
Click OK and then click Next on the main wizard window. On the next step, uncheck the “Automatically download phone book updates” option and click Next to continue.
On the next step, select the created dial-up connection entry and click Edit.
In the entry properties window, select the Security tab and modify the Authentication methods so that only PAP is enabled.
When you click OK, the following warning will appear.
Click Yes to continue with the wizard.
The following two steps may be left with default settings if you don’t intend to add additional routing rules or proxy settings for your VPN connection.
On the next step we will add the launch.bat script, which will run upon successful connection establishment. From the Action type list, select Post-connect and click the New button.
Specify the name of the action in the first field and select the previously created launch.bat file by clicking the Browse button. Keep “Include the custom action program with this profile” and “Program interacts with the user” options checked.
Click OK and Next to continue.
On the following steps, you can modify the banner, logo and icons of the VPN profile.
Afterwards, the wizard will ask you to provide a custom help file, support contact information and the license agreement text. You can skip these steps if not required.
The next step allows you to include additional files with the CMAK profile. Click Next to continue.
On the last step, before finalizing the profile, click on Advanced customization to remove the unnecessary logon domain field from the VPN connection window.
On the customization step, select the .cms file in the Filename list, then Connection manager in the Section name list, and Hide domain in the Key Name list. Set the value field to 1 and click Apply. Click Next to finish the profile creation.
The wizard will create a number of files under the folder shown on the last step which can be used to deploy the connection to your client machines (using GPO or running the exe manually).
Copy the folder created by the CMAK wizard to a folder on the client machine. Run the executable and click Yes to start the installation.
Select whether this profile should be installed for all users or only for the current one, and decide whether a desktop shortcut is needed.
This will install and immediately launch the VPN connection.
The connection is now ready to use. You may want to instruct your users not to enable the “Save password” and “Connect automatically” options, as they will not work anyway with VPN passwords containing OTPs.
If you allow self-enrollment in your TOTPRadius appliance, users will be able to log in with their LDAP password only for the first time. After the VPN connection is established, launch.bat will open a web browser with the web enrollment page, where users will be instructed to enter their LDAP credentials and activate their second factor. For subsequent connections, OTP codes will have to be appended to the LDAP password in order to establish VPN connections. Check out the video below to see what the process looks like.