Vendor restricted VPN access?

LWCC
Conversationalist

What I would like to do is restrict an outside vendor to just be able to access a single IP resource (HVAC) on the internal network when they connect to our VPN through the MX100. Obviously, I don't want to give them full network access.

Currently, our VPN auth is being done by AD for the handful of users that use VPN. I haven't seen a way to apply a group policy to a Meraki user account or I might try that. But I am at a loss and any help would be appreciated. 

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

You need to log in as the VPN user once so that they appear in the network client view.  Then you apply the group policy to that.

In this case, the policy applies against the client VPN user rather than the device.


4 REPLIES
SoCalRacer
Kind of a big deal

It can be done with VPN access, although I think you will run into a headache with HVAC techs with that. Most of the time we allow the ports (if secure) from their IP (office) only; that way they can manage their devices but don't have a bunch of security to deal with. Also, if there is a breach then you can rule that it was done from their IP, instead of one of your auth'd users via the VPN.

LWCC
Conversationalist

Thank you so much for your input and timely response! I opted for the VPN with a lot of restrictions on the account and ports allowed on the single IP they need to access, but you gave me something to think about for other potential vendors.


LWCC
Conversationalist

Thank you!! After getting tired of reading grumblings in web searches from people saying it couldn't be done, I figured there had to be a way and came here to all you pros! Now I have the user locked down from all subnets and resources, and they can only access the single IP and ports needed when connected.
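An added example, not from the thread or from Meraki: it builds the kind of ordered L3 rule list a vendor group policy would carry (one allow for the HVAC host, then a deny-everything catch-all), evaluates sample flows against it first-match-wins so you can verify the lockdown before assigning it, and shows the body for assigning the policy to the vendor's client entry. The HVAC address, ports and the policy ID are constructed placeholders.

```python
import ipaddress

# Constructed values, not from the thread: the one HVAC controller the
# vendor may reach and the service ports it exposes.
HVAC_IP = "10.10.50.20"
HVAC_PORTS = "443,8443"

def vendor_policy_rules():
    """Ordered L3 rules in the shape of a Meraki group policy's
    firewallAndTrafficShaping.l3FirewallRules list (first match wins).
    The dashboard ends every rule list with an implicit allow-any, so an
    explicit deny-any catch-all is what actually keeps the vendor off the LAN."""
    return [
        {"policy": "allow", "protocol": "tcp", "destCidr": f"{HVAC_IP}/32",
         "destPort": HVAC_PORTS, "comment": "vendor: HVAC controller only"},
        {"policy": "deny", "protocol": "any", "destCidr": "any",
         "destPort": "any", "comment": "vendor: nothing else"},
    ]

def _port_matches(spec, port):
    """spec is 'any', or a comma list of ports and lo-hi ranges."""
    if spec == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _cidr_matches(spec, ip):
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, proto, dst_ip, dst_port):
    """Return 'allow' or 'deny' for one flow, walking rules in order and
    falling through to 'allow' like the dashboard's implicit last rule."""
    for r in rules:
        if r["protocol"] not in ("any", proto):
            continue
        if _cidr_matches(r["destCidr"], dst_ip) and _port_matches(r["destPort"], dst_port):
            return r["policy"]
    return "allow"

def client_policy_payload(group_policy_id):
    """Body for assigning the policy to the vendor's client entry (which only
    exists after their first VPN login), as used by the Dashboard API's
    PUT /networks/{networkId}/clients/{clientId}/policy (assumed endpoint)."""
    return {"devicePolicy": "Group policy", "groupPolicyId": str(group_policy_id)}

if __name__ == "__main__":
    rules = vendor_policy_rules()
    for flow in [("tcp", HVAC_IP, 443), ("tcp", HVAC_IP, 22),
                 ("udp", HVAC_IP, 443), ("tcp", "10.10.1.5", 443)]:
        print(flow, "->", evaluate(rules, *flow))
```

Only the first flow should print allow; if anything else does, the catch-all deny is missing or out of order.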
