AnyConnect MX250, Radius authentication and filter-id for firewall rules with group policy

NetC
Conversationalist

AnyConnect MX250, Radius authentication and filter-id for firewall rules with group policy

I want to use AnyConnect with different firewall rules. Therefore I decided to use the Radius authentication. There you should set the filter ID and assign it to a group. Everything works correctly, but the firewall rules have no effect.
In any case, the correct group is also displayed in the log.

 

NetC_0-1676204212460.png

 

NetC_1-1676203818260.png

NetC_2-1676203983009.png

 

The target hosts in this example are located in networks behind the MX250. One IP address of them is even an address behind an AutoVPN connection.
You can see that the ping works, although everything is forbidden in this group.

22 Replies 22
alemabrahao
Kind of a big deal
Kind of a big deal

Just for testing, if you apply the Group policy directly to the client, is the result the same?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
NetC
Conversationalist

Do you mean this?

NetC_0-1676214038029.png

If I activate a group policy here, it takes about 3 minutes and then everything is blocked from the client. A ping is then no longer possible. This is what the policy says.

 

NetC
Conversationalist

I have directly assigned different group policies to the client here. This works as desired. Therefore, there seems to be a problem with the automatic assignment.

alemabrahao
Kind of a big deal
Kind of a big deal

How is configured the client routing?

 

Screenshot_20230212-124710.png

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
NetC
Conversationalist

NetC_0-1676217326428.png

I switch to "Only send traffic going to these destinations" because we dont want traffic like videostreams of different platforms trough our headquarter.

alemabrahao
Kind of a big deal
Kind of a big deal

Can you perform a test changing it to send all traffic through VPN?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
NetC
Conversationalist

I have changed the setting. In the client, the default route is now also changed and all internet traffic is sent through Meraki.
But I have no restrictions on connections or firewall.

alemabrahao
Kind of a big deal
Kind of a big deal

Do you have a default group policy configured?

 

Note: If a default group policy set and group policy with Filter-ID is also enabled, the Filter-ID policy passed by the RADIUS server will take precedence over the default group policy.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
NetC
Conversationalist

Yes i configured at the Client-VPN settings:

NetC_0-1676220695418.png

The funny thing is that with the default rule everything should be forbidden. But I can still call everything.

alemabrahao
Kind of a big deal
Kind of a big deal

Can you perform a test disabling the default group policy?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

Take a look at this: 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Dynamic_Client_Routing

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
NetC
Conversationalist

Same thing. Logfile says the correct filter-id, but the firewall is full open:

 

AnyConnect VPN session event msg: Peer IP=x.x.61.101 User[xxxx] Sess-ID[7]: Applied VPN filter[VPN1_deny_any] for assigned IP 10.168.250.115

alemabrahao
Kind of a big deal
Kind of a big deal

In this case I suggest you to open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
rhbirkelund
Kind of a big deal
Kind of a big deal

I think you might want to open a case with Meraki for this one. 

Are you sure the filter-id attribute on the radius server matches 100% with the Group Policy name? Can you try without the underscores(_)?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
NetC
Conversationalist

I have cloned the rule in the network policy server and now removed the underscores. In Merakiportal, adjusted the filter ID in the group policy. It was also assigned the correct group policy according to the event log, but the firewall restriction is not there.

NetC_0-1676225224885.png

 

NetC_1-1676225247987.png

 

 

Eventlog:

msg: Peer IP=x.x.61.101 User[x.x] Sess-ID[8]: Applied VPN filter[VPN1DenyAnyTest] for assigned IP 10.168.250.115

rhbirkelund
Kind of a big deal
Kind of a big deal

Yeah - open a case with Meraki Support..

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
NetC
Conversationalist

I have now opened a case. When the problem is found I can write it here if you want.

PhilipDAth
Kind of a big deal
Kind of a big deal

I have done this before and it definately worked, but I have not retested this recently (I hope it hasn't been broken).

 

Are you using a stable firmware release or better?

PhilipDAth
Kind of a big deal
Kind of a big deal

Also once the client has connected, and it's been about two minutes, you should be able to go into the client in the dashboard and it should show something called "802.1x policy", and you should see your groupmpolicy applied.

 

If their is any mis-match in the Filter-Id and the group policy name it will not be applied.  Your screen shots look correct to me, but make client the client shows as having the policy applied.  Perhaps there is a space or something in the name making it hard to see.

NotKnown
Here to help

Did you fixed this back then with Support? 

I tested it before, and it did work, but know it doesnt with an other customer.

NetC
Conversationalist

Yes the support was able to help me. There is an item with which you have to change the client tracking setting. Thereby the devices of a site have to be separated into Layer2/Layer3 devices.

 

Here: Security & SD-WAN => Addressing & VLANs => Client tracking had to be changed from "MAC address" to "IP address".

 

After that everything worked as it should.

NotKnown
Here to help

Thanks. This works. Will put this in my documentation 🙂

 

I testing with 3 users, and 2 GP's, 1 GP did work, the other didnt. Now i changed the setting you provided, and now both worked. 

 

To be honest, it is strange :S

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels