Meraki

Community

2FA for Client VPN

Emin
Conversationalist
‎Oct 14 2017 11:36 AM
‎Oct 14 2017 11:36 AM

2FA for Client VPN

Hello,

Is anyone using Meraki Client VPN with two factor authentication? The documentation refers to third party products, but without giving any further info. Also, all products are just RADIUS servers providing OTP authentication, which is really not a two factor authentication (i.e. I need AD password in addition to OTP verification)

Thanks

E.

0 Kudos
15 Replies 15
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 14 2017 12:56 PM
‎Oct 14 2017 12:56 PM

I have not used the products mentioned specifically with Cisco Meaki VPN; but I can tell you how the Duo one works.

 

You log in using your AD username and password.  Then the DUO service talks to an app on your phone and it asks you to allow or deny the connection.  You normally click allow, and then your VPN proceeds.

 

So it does satisfy the requirements for 2FA, something you know and something you have.

In response to PhilipDAth
Emin
Conversationalist
‎Oct 14 2017 2:26 PM
‎Oct 14 2017 2:26 PM

Thanks. I wonder then how hardware tokens would work?

0 Kudos
In response to Emin
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 14 2017 6:25 PM
‎Oct 14 2017 6:25 PM

There are two styles of hardware token.

 

One uses PKI (certificates).  You typically have to enter a pin code (something you know) to unlock the hardware token (something you have).  The VPN then uses the certificate on the token to authenticate you.

 

The other style uses OTP.  Typically you log in using your username (something you know) and a number that comes up on the token (something you have).  You enter the number in the password field.

In response to PhilipDAth
Emin
Conversationalist
‎Oct 15 2017 11:11 AM
‎Oct 15 2017 11:11 AM

 I did study a bit Duo's documentation, and what I discovered is that self-enrollment feature (one of my requirements) is there but is available for "web integrations" only. Not sure if Meraki CVPN is a "web integration", does not seem to be so. 

0 Kudos
In response to Emin
Gulnara-Token2
New here
‎Nov 3 2017 5:17 AM
‎Nov 3 2017 5:17 AM

Hello,
As per Meraki documentation "Client VPN does not natively support two-factor auth, a third-party solution is required for this configuration", which basically means that the system can only have one authentication source. All "third-party solutions" are acting as LDAP or RADIUS proxy and clients basically send both LDAP password and OTP as a single password.

I would like to reference  a solution that is not listed by meraki and does exactly the same acting as an LDAP proxy accessed via RADIUS protocol. There is however one advantage, which is the possibility to implement self-service enrollment of the second factor.

More information here.

 

 

Disclaimer: I am affiliated with Token2, I hope I did not break any community rules here.

 

0 Kudos
In response to Emin
Ben
A model citizen
‎Nov 3 2017 8:58 AM
‎Nov 3 2017 8:58 AM

Have a look at SaasPass. It uses the Google Authenticator

 

https://saaspass.com/totp/cisco-meraki-google-authenticator-two-step-verification-2-one-time-passwor...

0 Kudos
Kbergros
Conversationalist
‎Feb 24 2018 8:34 AM
‎Feb 24 2018 8:34 AM

Hi Emin.

 

We are also looking to find à solution for two factor autentication and I wonder if you found a solution that you can rekommend?

0 Kudos
In response to Kbergros
Emin
Conversationalist
‎Feb 24 2018 9:37 AM
‎Feb 24 2018 9:37 AM

Hi,

It all depends what exactly you have. For our project, we ended up with Token2 TOTPRadius as it also integrates with Citrix Netscaler.

Regards

Emin

0 Kudos
In response to Emin
Kbergros
Conversationalist
‎Feb 24 2018 11:11 PM
‎Feb 24 2018 11:11 PM

Ok. Thank you, Will test token2.

0 Kudos
In response to Kbergros
TheLonely_SysAd
Conversationalist
‎Mar 5 2018 3:43 PM
‎Mar 5 2018 3:43 PM

So we have an MX product and have 2FA setup via Duo Security. The MX client vpn points to the Duo Authentication Proxy which is setup to receive the RADIUS communication from the MX, then communicates with AD via LDAPS. Users login with their AD username/password and get a push notification to their phones via the Duo app. There are a few users who refuse to use their personal phone for work in any way which is fine so we have provided them with OTP fobs. They login with the same username but for password they do "ADpassword,OTP"  The Duo Authentication Proxy strips out the OTP and sends the rest to AD for authentication (i have no idea how it'd handle a password with a comma in it, maybe see it's no a 6 digit pin after?). For self enrollment we have the Duo Access Gateway setup as our SSO solution which allows for self enrollment.  Hope this helps clear up how a 2fa solution would interact with Meraki. 

In response to TheLonely_SysAd
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 5 2018 3:54 PM
‎Mar 5 2018 3:54 PM

Thanks for that great information!!!
0 Kudos
In response to TheLonely_SysAd
Kbergros
Conversationalist
‎Mar 5 2018 11:17 PM
‎Mar 5 2018 11:17 PM

HI...

 

Thank you for this information, I have started to look at Duo and will start to implement it during the week.

0 Kudos
In response to Kbergros
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 27 2018 10:28 PM
‎Mar 27 2018 10:28 PM

Is the Duo RADIUS proxy available on all Duo plans?

0 Kudos
In response to PhilipDAth
TheLonely_SysAd
Conversationalist
‎Mar 28 2018 8:01 AM
‎Mar 28 2018 8:01 AM

The Duo Authentication Proxy, which can do RADIUS, and a couple of other things like LDAP proxy, is included in all paid plans. 

0 Kudos
Jose-Gonzalez
Conversationalist
‎Apr 20 2021 2:49 PM
‎Apr 20 2021 2:49 PM

Actually you can use DUO 

here the documentation

https://duo.com/docs/meraki-radius

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.