Split RADIUS for client VPN based on Group authentication

George_R
New here

Hi Team,

I have a Meraki MX client VPN setup which authenticates with a RADIUS server and Duo.

I need to implement an Azure MFA but need to keep it in testing mode for some time.

What I did was, installed an NPS and Azure MFA extension on a separate server and went to configure a secondary RADIUS server in Meraki Client VPN page but then I started wondering:

How do I instruct the existing setup to authenticate Group A with the old RADIUS server and Group B with the new RADIUS server?

Is it even possible?

MartinLL
Building a reputation

I don't think you can do that. The secondary RADIUS server in the list will only be used if the primary goes down.

If I were you I would pick a site or talk to your Cisco rep to get a vMX trial license that you can use to test the new RADIUS server. Simply create a new network, add the client VPN config and create a new AnyConnect profile you can install on test clients.

When you are happy with the result you simply change the RADIUS server on your production network.

MLL
PhilipDAth
Kind of a big deal

You can configure your primary NPS RADIUS server to proxy/forward requests to the secondary NPS server.

https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top

This is an advanced RADIUS concept. I don't recommend you do it.

Taking a step back and looking at the wider requirement, I would change over to using Cisco AnyConnect and have it use SAML authentication directly against Entra ID. Then you don't need RADIUS servers, and it will use whatever MFA you have Entra ID configured to use.

You could keep your existing users on the Windows client VPN (I believe that is what you mean), and then install AnyConnect and migrate the users across slowly.

You will need to buy AnyConnect licences, but they are not expensive.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA...
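To make the proxy idea above concrete, here is an added illustration (not from the thread, not NPS's own code) of the routing decision a RADIUS proxy makes: parse an Access-Request, read User-Name, and pick the upstream server group for the pilot users. In NPS the equivalent is a Connection Request Policy with a User Name condition forwarding to a Remote RADIUS Server Group; the hostnames, the pilot user list and the packet below are constructed for this example.

```python
import struct

# Constructed upstream "remote RADIUS server groups" (hypothetical hosts)
LEGACY_RADIUS = ("radius-old.example.internal", 1812)
AZURE_MFA_NPS = ("nps-azuremfa.example.internal", 1812)

# Constructed pilot list: Group B users who should be authenticated by the new NPS
PILOT_GROUP_B = {"bob", "carol"}

def build_access_request(username: bytes, identifier: int = 7) -> bytes:
    """Build a minimal RADIUS Access-Request (code 1) carrying only User-Name (type 1).
    Constructed test input; a real request has a random authenticator and more attributes."""
    attr = bytes([1, 2 + len(username)]) + username
    authenticator = bytes(16)
    return struct.pack("!BBH", 1, identifier, 20 + len(attr)) + authenticator + attr

def parse_access_request(packet: bytes) -> dict:
    """Return {attribute_type: value} for a well-formed RADIUS packet, rejecting truncated
    or overlapping attributes instead of forwarding a malformed request upstream."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def choose_upstream(packet: bytes) -> tuple:
    """Route Group B (pilot) users to the Azure MFA NPS, everyone else to the legacy server."""
    user = parse_access_request(packet).get(1, b"").decode("utf-8", "replace")
    # Normalise DOMAIN\user and user@realm forms to the bare account name
    account = user.split("\\")[-1].split("@")[0].lower()
    return AZURE_MFA_NPS if account in PILOT_GROUP_B else LEGACY_RADIUS

if __name__ == "__main__":
    for name in (b"CORP\\alice", b"bob@corp.example", b"Carol"):
        print(name.decode(), "->", choose_upstream(build_access_request(name))[0])
```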
