Active Directory authentication for VPN access for some users only

SOLVED
Getting noticed

Hello,

I use Active Directory authentication for VPN access on my MX64.

It works fine, and users can authenticate.

I would like to restrict the VPN access to an OU or a group of users.

Is it possible?

 

Kind of a big deal

Re: Active Directory authentication for VPN access for some users only

You would need to change to using RADIUS and use the Microsoft NPS RADIUS server.

 

Typically you restrict access to a group rather than an OU (never tried an OU - so not sure about that specific case).

Getting noticed

Re: Active Directory authentication for VPN access for some users only

@PhilipDAth I have no experience with RADIUS. Can I create it on an existing server, or do I need a dedicated one?

Kind of a big deal

Re: Active Directory authentication for VPN access for some users only

You can use an existing server, like an AD server, and just add the role to it.

 

BUT it might be quite a steep learning curve.  It would be worthwhile getting someone to help.

 

Otherwise, this guide explains how to do it.

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN 

Getting noticed

Re: Active Directory authentication for VPN access for some users only

@PhilipDAth I've created the RADIUS server and selected the appropriate group. It works like a charm.

Thank you for your help.

Kind of a big deal

Re: Active Directory authentication for VPN access for some users only

Well done!

 

Some additional benefits you'll gain:

  • In the event viewer, IDs 6272, 6273 will be logged for successful and failed logins.
  • You can integrate things like Duo MFA using the RADIUS proxy if you want to add MFA to your client VPN.
  • You can now use tools like ManageEngine ADAudit Plus to do user auditing which now includes their VPN activity (so it will be able to say things like user "x" connected via client VPN, and then accessed fileserver "y").
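
One way to review the 6272/6273 events mentioned in the reply above, as an added example that is not part of the original thread. It assumes the NPS server's events were exported as XML in the Windows event schema; the `Data` field names, the reason strings, the threshold and the sample events are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
GRANTED, DENIED = 6272, 6273  # NPS event IDs named in the post above

def make_event(eid, when, user, client, reason=""):
    """Build one constructed event; the Data field names are assumptions."""
    data = {"SubjectUserName": user, "ClientName": client, "Reason": reason}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f"<EventData>{fields}</EventData></Event>")

# Constructed sample export (not from a real log).
SAMPLE = "<Events>" + "".join([
    make_event(6272, "2024-05-01T08:00:00Z", "alice", "MX64"),
    make_event(6273, "2024-05-01T08:05:00Z", "bob", "MX64", "No matching policy"),
    make_event(6273, "2024-05-01T08:06:00Z", "carol", "MX64", "Bad password"),
    make_event(6273, "2024-05-01T08:06:20Z", "carol", "MX64", "Bad password"),
    make_event(6273, "2024-05-01T08:06:40Z", "Carol", "MX64", "Bad password"),
    make_event(4624, "2024-05-01T08:07:00Z", "alice", "MX64"),  # unrelated ID
]) + "</Events>"

def parse_events(xml_text):
    """Yield (event_id, time, user, client, reason) for NPS grant/deny events."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in (GRANTED, DENIED):
            continue  # skip everything that is not an NPS access decision
        data = {d.get("Name"): d.text or ""
                for d in ev.findall("e:EventData/e:Data", NS)}
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        yield (eid, when, data.get("SubjectUserName", ""),
               data.get("ClientName", ""), data.get("Reason", ""))

def summarise(xml_text, threshold=3):
    """Return granted users, per-user denial counts and users to review."""
    granted, denied = set(), Counter()
    for eid, _, user, _, _ in parse_events(xml_text):
        user = user.lower()  # AD account names are case-insensitive
        if eid == GRANTED:
            granted.add(user)
        else:
            denied[user] += 1
    flagged = sorted(u for u, n in denied.items() if n >= threshold)
    return granted, denied, flagged

if __name__ == "__main__":
    print(summarise(SAMPLE))
```
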

Getting noticed

Re: Active Directory authentication for VPN access for some users only

@PhilipDAth 

Thank you.
