Meraki

Community

Active Directory authentication for VPN access for some users only

Solved
Alain_Bensimon
Getting noticed
‎Dec 15 2020 6:02 AM
‎Dec 15 2020 6:02 AM

Active Directory authentication for VPN access for some users only

Hello,

I use Active Directory authentication for VPN access on my MX64.

It works fine, and users can authenticate.

I would like to restrict the VPN access to an OU or a group of users.

Is it possible?

 

0 Kudos
1 Accepted Solution
In response to Alain_Bensimon
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 15 2020 10:47 AM
‎Dec 15 2020 10:47 AM

You can use an existing server, like an AD server, and just add the role to it.

 

BUT it might be quite a steep learning curve.  It would be worthwhile getting someone to help.

 

Otherwise, this guide explains how to do it.

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN 

View solution in original post

6 Replies 6
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 15 2020 10:23 AM
‎Dec 15 2020 10:23 AM

You would need to change to using RADIUS and use the Microsoft NPS RADIUS server.

 

Typically you restrict access to a group rather than an OU (never tried an OU - so not sure about that specific case).

0 Kudos
In response to PhilipDAth
Alain_Bensimon
Getting noticed
‎Dec 15 2020 10:45 AM
‎Dec 15 2020 10:45 AM

@PhilipDAth I have no experience with radius. Can I create on an existing server, or do I need a dedicated one?

0 Kudos
In response to Alain_Bensimon
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 15 2020 10:47 AM
‎Dec 15 2020 10:47 AM

You can use an existing server, like an AD server, and just add the role to it.

 

BUT it might be quite a steep learning curve.  It would be worthwhile getting someone to help.

 

Otherwise, this guide explains how to do it.

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN 

In response to PhilipDAth
Alain_Bensimon
Getting noticed
‎Dec 15 2020 12:13 PM
‎Dec 15 2020 12:13 PM

@PhilipDAth I've created the Radius server and selected the appropriate group. It works like a charm.

Thank you for your help.

In response to Alain_Bensimon
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 15 2020 12:29 PM
‎Dec 15 2020 12:29 PM

Well done!

 

Some additional benefits you'll gain:

  • In the event viewer, IDs 6272, 6273 will be logged for successful and failed logins.
  • You can integrate things like Duo MFA using the RADIUS proxy if you want to add MFA to your client VPN.
  • You can now use tools like ManageEngine ADAudit Plus to do user auditing which now includes their VPN activity (so it will be able to say things like user "x" connected via client VPN, and then accessed fileserver "y").
In response to PhilipDAth
Alain_Bensimon
Getting noticed
‎Dec 15 2020 12:51 PM
‎Dec 15 2020 12:51 PM

@PhilipDAth 

Thank you.

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.