Vendor restricted VPN access?
What I would like to do is restrict an outsider vendor to just be able to access a single IP resource (HVAC) on the internal network when they connect to our VPN through the MX100. Obviously, I don't want to give them full network access.
Currently, our VPN auth is being done by AD for the handful of users that use VPN. I haven't seen a way to apply a group policy to a Meraki user account or I might try that. But I am at a loss and any help would be appreciated.
You need to log in as the VPN user once so that they appear in the network client view. Then you apply the group policy to that.
In this case, the policy applies against the client VPN user rather than the device.
It can be done with VPN access, although I think you will run into a headache with HVAC techs with that. Most of the time we allow the ports (if secure) from their IP (Office) only; that way they can manage their devices, but don't have a bunch of security to deal with. Also, if there is a breach then you can rule it as it was done from their IP, instead of one of your auth'd users via the VPN.
Thank you so much for your input and timely response! I opted for the VPN with a lot of restrictions on the account and ports allowed on the single IP they need to access, but you gave me something to think about for other potential vendors.
Thank you!! After getting tired of reading grumblings on the web searches from people saying it couldn't be done, I figured there had to be a way and I came here to all you pros! Now I have the user locked down from all subnets and resources and they can only access the single IP and ports needed when connected.
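
A way to check the outcome described in this thread before handing the account to the vendor, as an added example that is not from any poster and is not Meraki's own code: it models a group policy's layer 3 rule list with first-match evaluation and flags anything wider than one host and its ports. The HVAC address, the port, the rule field names and the allow-by-default fall-through are assumptions made for the sketch.

```python
import ipaddress

# Constructed sample: the HVAC address, port and rule field names are assumptions.
HVAC_IP = "10.0.50.10"
VENDOR_RULES = [
    {"policy": "allow", "protocol": "tcp", "destCidr": "10.0.50.10/32", "destPort": "443"},
    {"policy": "deny", "protocol": "any", "destCidr": "any", "destPort": "any"},
]

def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr.lower() == "any" else cidr, strict=False)

def _ports(spec):
    """Expand 'any', '443', '80,443' or '8000-8010' into a set of port numbers."""
    if spec.lower() == "any":
        return set(range(1, 65536))
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def decide(rules, protocol, dest_ip, dest_port, default="allow"):
    """First matching rule wins. Assumption: unmatched traffic is allowed."""
    ip = ipaddress.ip_address(dest_ip)
    for r in rules:
        if (r["protocol"] in ("any", protocol) and ip in _net(r["destCidr"])
                and dest_port in _ports(r["destPort"])):
            return r["policy"]
    return default

def audit(rules, allowed_ip, allowed_ports):
    """Return findings; empty means every allow rule is limited to allowed_ip
    on allowed_ports and the list ends with an explicit deny-any."""
    findings = []
    target = ipaddress.ip_network(allowed_ip + "/32")
    for i, r in enumerate(rules):
        if r["policy"] != "allow":
            continue
        if _net(r["destCidr"]) != target:
            findings.append(f"rule {i}: destination {r['destCidr']} is wider than {allowed_ip}")
        if _ports(r["destPort"]) - set(allowed_ports):
            findings.append(f"rule {i}: ports {r['destPort']} exceed the allowed set")
    last = rules[-1] if rules else {}
    if [str(last.get(k, "")).lower() for k in ("policy", "protocol", "destCidr", "destPort")] != ["deny", "any", "any", "any"]:
        findings.append("no trailing deny-any rule: unmatched traffic falls through")
    return findings

if __name__ == "__main__":
    print(audit(VENDOR_RULES, HVAC_IP, {443}) or "policy limited to the HVAC host")
```
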
