Is anyone using Meraki Client VPN with two factor authentication? The documentation refers to third party products, but without giving any further info. Also, all products are just RADIUS servers providing OTP authentication, which is really not a two factor authentication (i.e. I need AD password in addition to OTP verification)
I have not used the products mentioned specifically with Cisco Meraki VPN, but I can tell you how the Duo one works.
You log in using your AD username and password. Then the Duo service talks to an app on your phone, and it asks you to allow or deny the connection. You normally click allow, and then your VPN proceeds.
So it does satisfy the requirements for 2FA, something you know and something you have.
There are two styles of hardware token.
One uses PKI (certificates). You typically have to enter a pin code (something you know) to unlock the hardware token (something you have). The VPN then uses the certificate on the token to authenticate you.
The other style uses OTP. Typically you log in using your username (something you know) and a number that comes up on the token (something you have). You enter the number in the password field.
I did study Duo's documentation a bit, and what I discovered is that the self-enrollment feature (one of my requirements) is there, but it is available for "web integrations" only. Not sure if Meraki CVPN is a "web integration"; it does not seem to be so.
As per Meraki documentation "Client VPN does not natively support two-factor auth, a third-party solution is required for this configuration", which basically means that the system can only have one authentication source. All "third-party solutions" are acting as LDAP or RADIUS proxy and clients basically send both LDAP password and OTP as a single password.
I would like to reference a solution that is not listed by Meraki and does exactly the same thing, acting as an LDAP proxy accessed via the RADIUS protocol. There is however one advantage, which is the possibility to implement self-service enrollment of the second factor.
More information here.
Disclaimer: I am affiliated with Token2, I hope I did not break any community rules here.
Have a look at SaasPass. It uses the Google Authenticator.
It all depends what exactly you have. For our project, we ended up with Token2 TOTPRadius as it also integrates with Citrix Netscaler.
So we have an MX product and have 2FA set up via Duo Security. The MX client VPN points to the Duo Authentication Proxy, which is set up to receive the RADIUS communication from the MX, then communicates with AD via LDAPS. Users log in with their AD username/password and get a push notification to their phones via the Duo app. There are a few users who refuse to use their personal phone for work in any way, which is fine, so we have provided them with OTP fobs. They log in with the same username, but for the password they do "ADpassword,OTP". The Duo Authentication Proxy strips out the OTP and sends the rest to AD for authentication (I have no idea how it'd handle a password with a comma in it; maybe it sees it's not a 6-digit pin after?). For self-enrollment we have the Duo Access Gateway set up as our SSO solution, which allows for self-enrollment. Hope this helps clear up how a 2FA solution would interact with Meraki.
The Duo Authentication Proxy, which can do RADIUS, and a couple of other things like LDAP proxy, is included in all paid plans.