Active Directory authentication for VPN access for some users only

Solved
Alain_Bensimon
Getting noticed

Active Directory authentication for VPN access for some users only

Hello,

I use Active Directory authentication for VPN access on my MX64.

It works fine, and users can authenticate.

I would like to restrict the VPN access to an OU or a group of users.

Is it possible?

 

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

You can use an existing server, like an AD server, and just add the role to it.

 

BUT it might be quite a steep learning curve.  It would be worthwhile getting someone to help.

 

Otherwise, this guide explains how to do it.

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN 

View solution in original post

6 Replies 6
PhilipDAth
Kind of a big deal
Kind of a big deal

You would need to change to using RADIUS and use the Microsoft NPS RADIUS server.

 

Typically you restrict access to a group rather than an OU (never tried an OU - so not sure about that specific case).

Alain_Bensimon
Getting noticed

@PhilipDAth I have no experience with radius. Can I create on an existing server, or do I need a dedicated one?

PhilipDAth
Kind of a big deal
Kind of a big deal

You can use an existing server, like an AD server, and just add the role to it.

 

BUT it might be quite a steep learning curve.  It would be worthwhile getting someone to help.

 

Otherwise, this guide explains how to do it.

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN 

Alain_Bensimon
Getting noticed

@PhilipDAth I've created the Radius server and selected the appropriate group. It works like a charm.

Thank you for your help.

PhilipDAth
Kind of a big deal
Kind of a big deal

Well done!

 

Some additional benefits you'll gain:

  • In the event viewer, IDs 6272, 6273 will be logged for successful and failed logins.
  • You can integrate things like Duo MFA using the RADIUS proxy if you want to add MFA to your client VPN.
  • You can now use tools like ManageEngine ADAudit Plus to do user auditing which now includes their VPN activity (so it will be able to say things like user "x" connected via client VPN, and then accessed fileserver "y").
Alain_Bensimon
Getting noticed

@PhilipDAth 

Thank you.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels