Meraki

Community

AnyConnect MX250, Radius authentication and filter-id for firewall rules with group policy

NetC
Conversationalist
‎Feb 12 2023 4:16 AM
‎Feb 12 2023 4:16 AM

AnyConnect MX250, Radius authentication and filter-id for firewall rules with group policy

I want to use AnyConnect with different firewall rules. Therefore I decided to use the Radius authentication. There you should set the filter ID and assign it to a group. Everything works correctly, but the firewall rules have no effect.
In any case, the correct group is also displayed in the log.

 

NetC_0-1676204212460.png

 

NetC_1-1676203818260.png

NetC_2-1676203983009.png

 

The target hosts in this example are located in networks behind the MX250. One IP address of them is even an address behind an AutoVPN connection.
You can see that the ping works, although everything is forbidden in this group.

Labels:
0 Kudos
22 Replies 22
alemabrahao
Kind of a big deal
‎Feb 12 2023 6:27 AM
‎Feb 12 2023 6:27 AM

Just for testing, if you apply the Group policy directly to the client, is the result the same?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
NetC
Conversationalist
‎Feb 12 2023 7:09 AM
‎Feb 12 2023 7:09 AM

Do you mean this?

NetC_0-1676214038029.png

If I activate a group policy here, it takes about 3 minutes and then everything is blocked from the client. A ping is then no longer possible. This is what the policy says.

 

0 Kudos
In response to NetC
NetC
Conversationalist
‎Feb 12 2023 7:40 AM
‎Feb 12 2023 7:40 AM

I have directly assigned different group policies to the client here. This works as desired. Therefore, there seems to be a problem with the automatic assignment.

0 Kudos
In response to NetC
alemabrahao
Kind of a big deal
‎Feb 12 2023 7:49 AM
‎Feb 12 2023 7:49 AM

How is configured the client routing?

 

Screenshot_20230212-124710.png

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
NetC
Conversationalist
‎Feb 12 2023 7:56 AM
‎Feb 12 2023 7:56 AM

NetC_0-1676217326428.png

I switch to "Only send traffic going to these destinations" because we dont want traffic like videostreams of different platforms trough our headquarter.

0 Kudos
In response to NetC
alemabrahao
Kind of a big deal
‎Feb 12 2023 8:11 AM
‎Feb 12 2023 8:11 AM

Can you perform a test changing it to send all traffic through VPN?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
NetC
Conversationalist
‎Feb 12 2023 8:28 AM
‎Feb 12 2023 8:28 AM

I have changed the setting. In the client, the default route is now also changed and all internet traffic is sent through Meraki.
But I have no restrictions on connections or firewall.

0 Kudos
In response to NetC
alemabrahao
Kind of a big deal
‎Feb 12 2023 8:45 AM
‎Feb 12 2023 8:45 AM

Do you have a default group policy configured?

 

Note: If a default group policy set and group policy with Filter-ID is also enabled, the Filter-ID policy passed by the RADIUS server will take precedence over the default group policy.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
NetC
Conversationalist
‎Feb 12 2023 8:52 AM
‎Feb 12 2023 8:52 AM

Yes i configured at the Client-VPN settings:

NetC_0-1676220695418.png

The funny thing is that with the default rule everything should be forbidden. But I can still call everything.

0 Kudos
In response to NetC
alemabrahao
Kind of a big deal
‎Feb 12 2023 8:54 AM
‎Feb 12 2023 8:54 AM

Can you perform a test disabling the default group policy?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
‎Feb 12 2023 9:22 AM
‎Feb 12 2023 9:22 AM

Take a look at this: 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Dynamic_Client_Routing

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
NetC
Conversationalist
‎Feb 12 2023 9:54 AM
‎Feb 12 2023 9:54 AM

Same thing. Logfile says the correct filter-id, but the firewall is full open:

 

AnyConnect VPN session event msg: Peer IP=x.x.61.101 User[xxxx] Sess-ID[7]: Applied VPN filter[VPN1_deny_any] for assigned IP 10.168.250.115

0 Kudos
In response to NetC
alemabrahao
Kind of a big deal
‎Feb 12 2023 9:58 AM
‎Feb 12 2023 9:58 AM

In this case I suggest you to open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to NetC
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Feb 12 2023 9:43 AM
‎Feb 12 2023 9:43 AM

I think you might want to open a case with Meraki for this one. 

Are you sure the filter-id attribute on the radius server matches 100% with the Group Policy name? Can you try without the underscores(_)?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
In response to rhbirkelund
NetC
Conversationalist
‎Feb 12 2023 10:09 AM
‎Feb 12 2023 10:09 AM

I have cloned the rule in the network policy server and now removed the underscores. In Merakiportal, adjusted the filter ID in the group policy. It was also assigned the correct group policy according to the event log, but the firewall restriction is not there.

NetC_0-1676225224885.png

 

NetC_1-1676225247987.png

 

 

Eventlog:

msg: Peer IP=x.x.61.101 User[x.x] Sess-ID[8]: Applied VPN filter[VPN1DenyAnyTest] for assigned IP 10.168.250.115

0 Kudos
In response to NetC
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Feb 12 2023 10:59 AM
‎Feb 12 2023 10:59 AM

Yeah - open a case with Meraki Support..

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
In response to rhbirkelund
NetC
Conversationalist
‎Feb 12 2023 12:10 PM
‎Feb 12 2023 12:10 PM

I have now opened a case. When the problem is found I can write it here if you want.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 12 2023 11:41 AM
‎Feb 12 2023 11:41 AM

I have done this before and it definately worked, but I have not retested this recently (I hope it hasn't been broken).

 

Are you using a stable firmware release or better?

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 12 2023 11:44 AM
‎Feb 12 2023 11:44 AM

Also once the client has connected, and it's been about two minutes, you should be able to go into the client in the dashboard and it should show something called "802.1x policy", and you should see your groupmpolicy applied.

 

If their is any mis-match in the Filter-Id and the group policy name it will not be applied.  Your screen shots look correct to me, but make client the client shows as having the policy applied.  Perhaps there is a space or something in the name making it hard to see.

0 Kudos
NotKnown
Here to help
‎Jun 8 2023 4:04 AM
‎Jun 8 2023 4:04 AM

Did you fixed this back then with Support? 

I tested it before, and it did work, but know it doesnt with an other customer.

0 Kudos
NetC
Conversationalist
‎Jun 8 2023 4:25 AM
‎Jun 8 2023 4:25 AM

Yes the support was able to help me. There is an item with which you have to change the client tracking setting. Thereby the devices of a site have to be separated into Layer2/Layer3 devices.

 

Here: Security & SD-WAN => Addressing & VLANs => Client tracking had to be changed from "MAC address" to "IP address".

 

After that everything worked as it should.

0 Kudos
In response to NetC
NotKnown
Here to help
‎Jun 8 2023 4:31 AM
‎Jun 8 2023 4:31 AM

Thanks. This works. Will put this in my documentation 🙂

 

I testing with 3 users, and 2 GP's, 1 GP did work, the other didnt. Now i changed the setting you provided, and now both worked. 

 

To be honest, it is strange :S

Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.