2FA for Client VPN

Emin
Conversationalist

Hello,

Is anyone using Meraki Client VPN with two factor authentication? The documentation refers to third party products, but without giving any further info. Also, all products are just RADIUS servers providing OTP authentication, which is really not a two factor authentication (i.e. I need AD password in addition to OTP verification)

Thanks

E.

PhilipDAth
Kind of a big deal

I have not used the products mentioned specifically with Cisco Meraki VPN; but I can tell you how the Duo one works.

You log in using your AD username and password. Then the Duo service talks to an app on your phone and it asks you to allow or deny the connection. You normally click allow, and then your VPN proceeds.

So it does satisfy the requirements for 2FA, something you know and something you have.

Emin
Conversationalist

Thanks. I wonder then how hardware tokens would work?

PhilipDAth
Kind of a big deal

There are two styles of hardware token.

One uses PKI (certificates). You typically have to enter a PIN code (something you know) to unlock the hardware token (something you have). The VPN then uses the certificate on the token to authenticate you.

The other style uses OTP. Typically you log in using your username (something you know) and a number that comes up on the token (something you have). You enter the number in the password field.

Emin
Conversationalist

I did study Duo's documentation a bit, and what I discovered is that the self-enrollment feature (one of my requirements) is there but is available for "web integrations" only. Not sure if Meraki CVPN is a "web integration"; it does not seem to be so.

Hello,
As per Meraki documentation "Client VPN does not natively support two-factor auth, a third-party solution is required for this configuration", which basically means that the system can only have one authentication source. All "third-party solutions" are acting as LDAP or RADIUS proxy and clients basically send both LDAP password and OTP as a single password.

I would like to reference a solution that is not listed by Meraki and does exactly the same, acting as an LDAP proxy accessed via RADIUS protocol. There is however one advantage, which is the possibility to implement self-service enrollment of the second factor.

More information here.

Disclaimer: I am affiliated with Token2, I hope I did not break any community rules here.

Ben
A model citizen

Kbergros
Conversationalist

Hi Emin.

We are also looking to find a solution for two factor authentication and I wonder if you found a solution that you can recommend?

Emin
Conversationalist

Hi,

It all depends what exactly you have. For our project, we ended up with Token2 TOTPRadius as it also integrates with Citrix Netscaler.

Regards

Emin

Kbergros
Conversationalist

Ok. Thank you, will test Token2.

So we have an MX product and have 2FA set up via Duo Security. The MX client VPN points to the Duo Authentication Proxy, which is set up to receive the RADIUS communication from the MX, then communicates with AD via LDAPS. Users log in with their AD username/password and get a push notification to their phones via the Duo app. There are a few users who refuse to use their personal phone for work in any way, which is fine, so we have provided them with OTP fobs. They log in with the same username but for password they do "ADpassword,OTP". The Duo Authentication Proxy strips out the OTP and sends the rest to AD for authentication (I have no idea how it'd handle a password with a comma in it, maybe it sees it's not a 6 digit PIN after?). For self enrollment we have the Duo Access Gateway set up as our SSO solution, which allows for self enrollment. Hope this helps clear up how a 2FA solution would interact with Meraki.
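The "ADpassword,OTP" password field described above, as an added example that is not Duo's code and not a description of how the Duo Authentication Proxy actually parses it: a RADIUS-proxy-side splitter that treats the last comma-separated 6-digit tail as the OTP (so a comma inside the AD password survives, and a missing OTP is rejected rather than forwarded to AD as a password-only login), plus an RFC 6238 TOTP check of the kind an OTP fob produces. The secret and sample passwords are constructed; the secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

OTP_DIGITS = 6
TOTP_STEP = 30


def split_password_otp(field: str, digits: int = OTP_DIGITS) -> Tuple[str, Optional[str]]:
    """Split the RADIUS password field "ADpassword,OTP" into (ad_password, otp).

    Splitting on the LAST comma keeps commas inside the AD password intact, and
    the tail is accepted as an OTP only when it is exactly `digits` decimal digits.
    Anything else comes back as (field, None): no second factor was supplied, so
    the caller must reject instead of falling back to a password-only check.
    (A password that itself ends in ",123456" is inherently ambiguous here.)
    """
    head, sep, tail = field.rpartition(",")
    if sep and len(tail) == digits and tail.isdigit():
        return head, tail
    return field, None


def totp(secret: bytes, for_time: int, step: int = TOTP_STEP, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), the scheme most hardware OTP fobs use."""
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(secret: bytes, otp: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Accept the code for the current step plus `window` steps either side (fob clock drift)."""
    now = int(time.time()) if now is None else now
    return any(
        hmac.compare_digest(totp(secret, now + k * TOTP_STEP), otp)
        for k in range(-window, window + 1)
    )


def check_login(field: str, secret: bytes, now: Optional[int] = None) -> Tuple[Optional[str], bool]:
    """Return (ad_password_to_forward, otp_ok); (None, False) means reject before touching AD."""
    ad_password, otp = split_password_otp(field)
    if otp is None:
        return None, False
    return ad_password, verify_otp(secret, otp, now)
```

Only after `otp_ok` is true would a proxy forward the recovered AD password over LDAPS; checking the OTP first also keeps bad-OTP guesses from generating AD lockouts.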

Thanks for that great information!!!

Hi...

Thank you for this information, I have started to look at Duo and will start to implement it during the week.

PhilipDAth
Kind of a big deal

Is the Duo RADIUS proxy available on all Duo plans?

The Duo Authentication Proxy, which can do RADIUS, and a couple of other things like LDAP proxy, is included in all paid plans. 

Jose-Gonzalez
Conversationalist

Actually you can use Duo.

Here is the documentation:

https://duo.com/docs/meraki-radius
