I want to use AnyConnect with different firewall rules. Therefore I decided to use RADIUS authentication. There you should set the Filter-ID and assign it to a group. Everything works correctly, but the firewall rules have no effect.
In any case, the correct group is also displayed in the log.
The target hosts in this example are located in networks behind the MX250. One IP address of them is even an address behind an AutoVPN connection.
You can see that the ping works, although everything is forbidden in this group.
Just for testing, if you apply the Group policy directly to the client, is the result the same?
Do you mean this?
If I activate a group policy here, it takes about 3 minutes and then everything is blocked from the client. A ping is then no longer possible. This is what the policy says.
I have directly assigned different group policies to the client here. This works as desired. Therefore, there seems to be a problem with the automatic assignment.
How is the client routing configured?
I switched to "Only send traffic going to these destinations" because we don't want traffic like video streams from different platforms going through our headquarters.
Can you perform a test changing it to send all traffic through VPN?
I have changed the setting. In the client, the default route is now also changed and all internet traffic is sent through Meraki.
But I have no restrictions on connections or firewall.
Do you have a default group policy configured?
Note: If a default group policy is set and a group policy with Filter-ID is also enabled, the Filter-ID policy passed by the RADIUS server will take precedence over the default group policy.
Yes, I configured it in the Client VPN settings:
The funny thing is that with the default rule everything should be forbidden. But I can still reach everything.
Can you perform a test disabling the default group policy?
Take a look at this:
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Dynamic_Client_Routing
Same thing. The log file shows the correct filter-id, but the firewall is fully open:
AnyConnect VPN session event msg: Peer IP=x.x.61.101 User[xxxx] Sess-ID[7]: Applied VPN filter[VPN1_deny_any] for assigned IP 10.168.250.115
In this case I suggest you open a support case.
I think you might want to open a case with Meraki for this one.
Are you sure the Filter-Id attribute on the RADIUS server matches 100% with the Group Policy name? Can you try without the underscores (_)?
I have cloned the rule in the Network Policy Server and removed the underscores. In the Meraki portal, I adjusted the Filter-ID in the group policy. According to the event log, the correct group policy was assigned, but the firewall restriction is not there.
Event log:
msg: Peer IP=x.x.61.101 User[x.x] Sess-ID[8]: Applied VPN filter[VPN1DenyAnyTest] for assigned IP 10.168.250.115
Yeah, open a case with Meraki Support.
I have now opened a case. When the problem is found I can write it here if you want.
I have done this before and it definitely worked, but I have not retested this recently (I hope it hasn't been broken).
Are you using a stable firmware release or better?
Also, once the client has connected and it's been about two minutes, you should be able to go into the client in the dashboard and it should show something called "802.1x policy", and you should see your group policy applied.
If there is any mismatch in the Filter-Id and the group policy name it will not be applied. Your screenshots look correct to me, but make sure the client shows as having the policy applied. Perhaps there is a space or something in the name making it hard to see.
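The advice above is to verify that the Filter-Id returned by RADIUS matches the dashboard group policy name exactly, since a stray space or a case difference is easy to miss by eye. The following is an added example (not part of this thread and not Meraki code) that parses the "Applied VPN filter[...]" event lines quoted earlier, and reports why an applied filter name fails an exact match against the policy name you expect for that user. The event format is taken from the two log lines in the thread; the third sample line (with a trailing space) and the `expected_policies` mapping are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two event lines quoted in this thread, plus a
# hypothetical third line whose filter name carries a trailing space.
SAMPLE_EVENTS = [
    "AnyConnect VPN session event msg: Peer IP=x.x.61.101 User[xxxx] Sess-ID[7]: "
    "Applied VPN filter[VPN1_deny_any] for assigned IP 10.168.250.115",
    "msg: Peer IP=x.x.61.101 User[x.x] Sess-ID[8]: "
    "Applied VPN filter[VPN1DenyAnyTest] for assigned IP 10.168.250.115",
    "msg: Peer IP=x.x.61.102 User[y.y] Sess-ID[9]: "
    "Applied VPN filter[VPN1DenyAnyTest ] for assigned IP 10.168.250.116",
]

# Field layout as seen in the quoted MX event messages (assumption: the
# bracketed fields never contain a closing bracket themselves).
EVENT_RE = re.compile(
    r"Peer IP=(?P<peer>\S+)\s+User\[(?P<user>[^\]]*)\]\s+Sess-ID\[(?P<sess>\d+)\]:\s+"
    r"Applied VPN filter\[(?P<filter>[^\]]*)\]\s+for assigned IP\s+(?P<ip>\S+)"
)


@dataclass
class FilterEvent:
    peer: str
    user: str
    session_id: int
    filter_name: str   # kept verbatim, including any whitespace
    assigned_ip: str


def parse_event(line: str) -> Optional[FilterEvent]:
    """Extract the fields of one 'Applied VPN filter' event; None if it is not one."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    return FilterEvent(m["peer"], m["user"], int(m["sess"]), m["filter"], m["ip"])


def explain_mismatch(applied: str, expected: str) -> List[str]:
    """Reasons the applied filter name is not an exact match for the expected policy name.

    Returns an empty list for an exact match. Differences are peeled off in
    order (whitespace, case, underscores) so each reason names one defect.
    """
    if applied == expected:
        return []
    reasons: List[str] = []
    a, e = applied, expected
    if a.strip() != a or e.strip() != e:
        reasons.append("leading/trailing whitespace")
        a, e = a.strip(), e.strip()
    if a != e and a.lower() == e.lower():
        reasons.append("case differs")
        a, e = a.lower(), e.lower()
    if a != e and a.replace("_", "") == e.replace("_", ""):
        reasons.append("underscore placement differs")
        a, e = a.replace("_", ""), e.replace("_", "")
    if a != e:
        # repr() makes invisible characters visible in the report
        reasons.append("names differ: %r vs %r" % (applied, expected))
    return reasons


def check_events(lines: List[str], expected_policies: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Compare each event's applied filter with the policy expected for that user.

    expected_policies maps a VPN username to the group policy name as typed on the
    dashboard (hypothetical mapping maintained by the administrator).
    """
    results = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        expected = expected_policies.get(ev.user)
        if expected is None:
            results.append((ev.user, ev.filter_name, ["no expected policy recorded for user"]))
            continue
        results.append((ev.user, ev.filter_name, explain_mismatch(ev.filter_name, expected)))
    return results


if __name__ == "__main__":
    policies = {"xxxx": "VPN1_deny_any", "x.x": "VPN1DenyAnyTest", "y.y": "VPN1DenyAnyTest"}
    for user, applied, reasons in check_events(SAMPLE_EVENTS, policies):
        status = "OK" if not reasons else "MISMATCH: " + "; ".join(reasons)
        print("user=%s applied=%r -> %s" % (user, applied, status))
```

Run it against the event lines exported from the dashboard for a client that is not getting its firewall rules; an empty reason list for that user means the name comparison is not the problem and, as the thread later shows, the client tracking mode is the next thing to check.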
Did you fix this back then with Support?
I tested it before, and it did work, but now it doesn't with another customer.
Yes the support was able to help me. There is an item with which you have to change the client tracking setting. Thereby the devices of a site have to be separated into Layer2/Layer3 devices.
Here: Security & SD-WAN => Addressing & VLANs => Client tracking had to be changed from "MAC address" to "IP address".
After that everything worked as it should.
Thanks. This works. Will put this in my documentation 🙂
I tested with 3 users and 2 GPs; 1 GP did work, the other didn't. Now I changed the setting you provided, and both work.
To be honest, it is strange :S