AnyConnect with AD Authentication - Limiting access

SOLVED
JordanCNolan
Here to help

Just started testing the AnyConnect client but did not see an option for assigning access to use the VPN. Does AnyConnect with the AD Authentication utilize Network Policy Server like RRAS, does it use the Dial In option in the user's Active Directory properties, or does it just allow any active AD user?

Can't seem to find this info in the docs.

Bruce
Kind of a big deal

Re: AnyConnect with AD Authentication - Limiting access

You have multiple choices for user authentication: RADIUS (e.g. NPS), Meraki Cloud, or Active Directory. In my opinion RADIUS is probably your best choice (depending on your requirements and skill level) since it allows you to return attributes that enable you to vary the Meraki Group Policy applied to a user’s device.

Bruce
Kind of a big deal

Re: AnyConnect with AD Authentication - Limiting access

Just re-read your question and realised I didn’t really answer it. The answer is in the L2TP documents (which will also apply to AnyConnect in this case). Have a look here, https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc... it’s in the ‘(Optional) Client Scoping’ section.

PhilipDAth
Kind of a big deal

Re: AnyConnect with AD Authentication - Limiting access

I normally use RADIUS and NPS, and create a group called "VPN Users".  Then just match that group in NPS.

JordanCNolan
Here to help

Re: AnyConnect with AD Authentication - Limiting access

It appears that Meraki does not provide a way to restrict AD authentication to an AD group. I did try to set up RADIUS, but I am not having luck with these instructions:

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

My NPS server is Win 2019. I could not find any additional documentation to see if there are additional steps required.

JordanCNolan
Here to help

Re: AnyConnect with AD Authentication - Limiting access

So I think I am almost there changing over to RADIUS. First I was getting no response, but now when I try to log in it comes right back with "Login Failed" in the password prompt box. Also, on the NPS server I get Security Event ID 6273:

-------------------------

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: NULL SID
Account Name: MyAccount
Account Domain: -
Fully Qualified Account Name: -

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: XXXXX  (Changed by me)

Calling Station Identifier: X.X.X.X (My home IP address)

NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: XXXX (Same as Called Station ID)
NAS Port-Type: Virtual
NAS Port: 21

RADIUS Client:
Client Friendly Name: Meraki-MX100
Client IP Address: x.x.x.x (IP of my MX100)

Authentication Details:
Connection Request Policy Name: -
Network Policy Name: -
Authentication Provider: -
Authentication Server: myserver.mydomain.com
Authentication Type: -
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 49
Reason: The RADIUS request did not match any configured connection request policy (CRP).


I saw in the article that it said some versions of Windows might not like CLIENTVPN as the Calling Station ID and it said to leave it blank, but I am not able to leave it blank on Win 2019. I did try this with the setting deleted, but the results were the same.

Bruce
Kind of a big deal

Re: AnyConnect with AD Authentication - Limiting access

Your RADIUS request is hitting the NPS server, but it's not matching a Connection Request Policy in the NPS server. You'll need to try modifying your Connection Request Policy so that it matches the details in the RADIUS request (these are the details in the Security Event you've captured).

JordanCNolan
Here to help

Re: AnyConnect with AD Authentication - Limiting access

I finally managed to get this to connect, but I am concerned because my setup looks nothing like the instructions:

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

I am not sure if I have a security risk because the instructions say I should have:

CRP containing:

  • Framed Protocol = PPP
  • Calling Station ID = CLIENTVPN

Network Policy containing:

  • Framed Protocol = PPP
  • Calling Station ID = CLIENTVPN
  • Windows Group = MYDOMAIN\VPNUsers

But I could not get this to work with PPP or CLIENTVPN settings in the CRP or NP no matter what I did. So I did the following:

CRP containing:

  • NAS PORT TYPE = Virtual (VPN)
  • Client Friendly Name = Meraki-MX100 

Network Policy containing:

  • Windows Group = MYDOMAIN\VPNUsers

I am able to connect and Event Viewer shows:

Event ID 6272:

Network Policy Server granted access to a user.

User:
Security ID: XXX\me
Account Name: me
Account Domain: XXXX
Fully Qualified Account Name: xxxx.com/Active/Users/Last, First

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: mE0553DE98AA8
Calling Station Identifier: XX.XX.166.205

NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: mE0553DE98AA8
NAS Port-Type: Virtual
NAS Port: 49

RADIUS Client:
Client Friendly Name: Meraki-MX100
Client IP Address: 10.X.X.X

Authentication Details:
Connection Request Policy Name: Meraki Radius Policy
Network Policy Name: Meraki Network Policy
Authentication Provider: Windows
Authentication Server: myserver.xxxx.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was not written to any data store.


Bruce
Kind of a big deal

Re: AnyConnect with AD Authentication - Limiting access

@JordanCNolan good job on getting it working. The reason you’ve needed different settings is that the instructions you were following are for the traditional L2TP/IPSec client VPN setup. The AnyConnect configuration appears to pass different values to the RADIUS server.

Your security should be fine. The Connection Request Policy limits requests to those that match the policy, in this case client VPN and from the MX, but the key to authenticating a user is the check in the Network Policy where their credentials passed in the RADIUS request have to authenticate a user who is in the VPNUsers group.

If you’re using the RADIUS server for other authentication on your network you may want to check that you haven’t inadvertently given VPNUsers access to those resources too - you can see in the Event you posted that the request is hitting the Connection Request called Meraki Radius Policy, and the Network Policy, Meraki Network Policy is being used. It sounds like it’s all good, but make sure you do adequate testing.
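The two NPS events quoted earlier in this thread (the 6273 denial with Reason Code 49 and the 6272 grant) and the scoping check Bruce suggests above can be reasoned about with a small model. The Python below is an added example, not code from this thread, Cisco Meraki or Microsoft. It parses an NPS event of the shape quoted above into fields, then simulates NPS's first-match selection of a Connection Request Policy and a Network Policy: the conditions from the L2TP client VPN article (Framed Protocol = PPP, Calling Station ID = CLIENTVPN) are tested against the attributes the AnyConnect request actually carried, followed by the conditions that worked (NAS Port Type = Virtual, Client Friendly Name = Meraki-MX100). A second RADIUS client, an office Wi-Fi NAS with its own CRP and Network Policy, is constructed to show Bruce's point: a Network Policy whose only condition is the VPNUsers group also matches that client's requests from a VPNUsers member until the policy is scoped to the MX. The 203.0.113.10 address, the Wi-Fi client and its policies, the WiFiUsers group and the user's memberships are constructed values; reason code 48 is NPS's code for "no network policy matched"; credential validation is left out and assumed to succeed.

```python
"""Added example, not code from the Meraki thread, Cisco Meraki or Microsoft:
parse an NPS 6273/6272 event like the ones quoted above, then simulate NPS's
first-match choice of Connection Request Policy (CRP) and Network Policy.
Credential validation is assumed to succeed.  Constructed: the 203.0.113.10
address, the Wi-Fi client, the WiFiUsers group and the user's memberships."""
import re

# Constructed sample, condensed from the 6273 event quoted in the thread.
EVENT_6273_DENIED = """\
Network Policy Server denied access to a user.
Account Name: MyAccount
Called Station Identifier: mE0553DE98AA8
Calling Station Identifier: 203.0.113.10
NAS Port-Type: Virtual
Client Friendly Name: Meraki-MX100
Connection Request Policy Name: -
Network Policy Name: -
Reason Code: 49
Reason: The RADIUS request did not match any configured connection request policy (CRP).
"""
VPN_GROUP = "MYDOMAIN\\VPNUsers"

def parse_nps_event(text):
    """'Field: value' lines -> dict; the headline sentence has no colon and is skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][^:]*?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def radius_request(fields):
    """Attributes a policy condition can test, taken from the event.  Neither
    event in the thread lists Framed-Protocol, so it is simply absent."""
    return {"NAS-Port-Type": fields.get("NAS Port-Type"),
            "Called-Station-Id": fields.get("Called Station Identifier"),
            "Calling-Station-Id": fields.get("Calling Station Identifier"),
            "Client-Friendly-Name": fields.get("Client Friendly Name")}

def matches(policy, request, user_groups=frozenset()):
    """NPS ANDs the conditions of one policy: every condition must hold."""
    for attr, expected in policy["conditions"].items():
        if attr == "Windows-Groups":
            if expected not in user_groups:
                return False
        elif request.get(attr) != expected:
            return False
    return True

def evaluate(crps, network_policies, request, user_groups=frozenset()):
    """First matching CRP, then first matching Network Policy.  49 is the
    reason code from the thread (no CRP matched); 48 is NPS's code for no
    Network Policy matched."""
    crp = next((p for p in crps if matches(p, request)), None)
    if crp is None:
        return {"granted": False, "reason_code": 49, "crp": None, "network_policy": None}
    npol = next((p for p in network_policies if matches(p, request, user_groups)), None)
    if npol is None:
        return {"granted": False, "reason_code": 48, "crp": crp["name"], "network_policy": None}
    return {"granted": True, "reason_code": None, "crp": crp["name"], "network_policy": npol["name"]}

# Conditions from the L2TP/IPsec client VPN article the poster first followed,
# then the ones that worked for AnyConnect ("Virtual (VPN)" in the NPS UI is
# logged as "Virtual"), and the group-only Network Policy.
L2TP_ARTICLE_CRP = [{"name": "Meraki Radius Policy (L2TP article)",
                     "conditions": {"Framed-Protocol": "PPP", "Calling-Station-Id": "CLIENTVPN"}}]
ANYCONNECT_CRP = [{"name": "Meraki Radius Policy",
                   "conditions": {"NAS-Port-Type": "Virtual", "Client-Friendly-Name": "Meraki-MX100"}}]
GROUP_ONLY_NP = [{"name": "Meraki Network Policy", "conditions": {"Windows-Groups": VPN_GROUP}}]

def demo_thread():
    """Article CRP -> Reason Code 49 for the AnyConnect request; poster's CRP -> granted."""
    req = radius_request(parse_nps_event(EVENT_6273_DENIED))
    groups = frozenset({VPN_GROUP})
    return (evaluate(L2TP_ARTICLE_CRP, GROUP_ONLY_NP, req, groups),
            evaluate(ANYCONNECT_CRP, GROUP_ONLY_NP, req, groups))

# Constructed: a second RADIUS client (office Wi-Fi) served by the same NPS.
WIFI_REQUEST = {"NAS-Port-Type": "Wireless - IEEE 802.11",
                "Called-Station-Id": "AA-BB-CC-DD-EE-FF:CorpWiFi",
                "Calling-Station-Id": "11-22-33-44-55-66",
                "Client-Friendly-Name": "Office-WiFi"}
WIFI_CRP = {"name": "WiFi CRP", "conditions": {"Client-Friendly-Name": "Office-WiFi"}}
WIFI_NP = {"name": "WiFi Network Policy",
           "conditions": {"NAS-Port-Type": "Wireless - IEEE 802.11",
                          "Windows-Groups": "MYDOMAIN\\WiFiUsers"}}
SCOPED_NP = [{"name": "Meraki Network Policy",
              "conditions": {"Windows-Groups": VPN_GROUP, "Client-Friendly-Name": "Meraki-MX100"}}]

def demo_scope_check():
    """Bruce's check: a VPNUsers member who is not in WiFiUsers reaches Wi-Fi
    through the group-only VPN policy until that policy is scoped to the MX."""
    crps = ANYCONNECT_CRP + [WIFI_CRP]
    groups = frozenset({VPN_GROUP})
    return (evaluate(crps, GROUP_ONLY_NP + [WIFI_NP], WIFI_REQUEST, groups),
            evaluate(crps, SCOPED_NP + [WIFI_NP], WIFI_REQUEST, groups))

if __name__ == "__main__":
    print(*demo_thread(), *demo_scope_check(), sep="\n")
```

`demo_thread()` returns the denial (reason code 49, no CRP) followed by the grant through "Meraki Radius Policy" and "Meraki Network Policy"; `demo_scope_check()` returns the Wi-Fi request granted through the group-only VPN policy, then denied (reason code 48) once that policy also requires the MX as the RADIUS client. Real NPS has many more condition types and applies constraints and authentication methods after the policy match, so this is a way to reason about policy order and scoping before testing against the server, not a substitute for that test.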

JordanCNolan
Here to help

Re: AnyConnect with AD Authentication - Limiting access

After I got it to work I sent in a request to the support team to be sure I was not opening any security holes.  They confirmed that my setup pretty much matches up with what they recommend for AnyConnect with NPS.  They also sent me a link to a new article:


https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Authentication


I think they need to post this link on the AnyConnect page so others do not have this issue in the future.
