AnyConnect VPN

Shubh3738

We have configured a group policy and AnyConnect profile for SAP users hosted on AWS Cloud. The cloud setup includes SD-WAN with vmX configured in a VPC.


Current Scenario:
- SAP users can access only SAP applications as expected.
- Non-SAP users are also able to access SAP applications and other servers, despite policies in AD.
- Group policies in AD are not being enforced correctly.

Key Issue:
Documentation states:
"The MX does not support mapping group policies via Active Directory for users connecting through the client VPN."

Given this limitation, how can we achieve the desired policy enforcement to restrict SAP access for non-SAP users while ensuring proper access for SAP users?


Additional Context:
We aim for a solution that enforces group-specific restrictions.


Looking forward to recommendations or workarounds!

alemabrahao

AnyConnect on the MX does not support multiple VLANs or address pools for Client VPN users. However, the MX supports the application and enforcement of policies to AnyConnect users on authentication. It is also important to note that, from a Client VPN standpoint on the MX, having users on the same subnet does not mean they are in the same VLAN. Users are assigned a /32 address (one address) from the pool configured on the dashboard. Group Policies can then be used to limit users on the same AnyConnect subnet from talking to each other or other resources on the network.


https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Group_Policies_with_RA...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

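The reply above describes the mechanism (every AnyConnect user gets a /32 from one pool, and a group policy applied at authentication decides what that address may reach). The following is an added example, not code from the thread or from Cisco Meraki: it builds two group policies in the shape of the Meraki Dashboard API v1 group-policy object (one for SAP users that only allows the SAP subnet, one for everyone else that blocks it), evaluates the L3 rules locally against sample flows the way a first-match firewall would, and only then pushes them. The SAP subnet 10.50.0.0/24, the VPN pool 10.99.0.0/24, the environment variable names and the API field names are assumptions; how a given user is mapped to one of the two policies at login is outside this example.

```python
"""Added example (not from the thread): build per-group AnyConnect group policies
for the MX, check them locally, then push via the Dashboard API.
Assumed values: SAP subnet 10.50.0.0/24, Client VPN pool 10.99.0.0/24,
Meraki Dashboard API v1 endpoint and field names."""
import ipaddress
import json
import os
import urllib.request

SAP_SUBNET = "10.50.0.0/24"       # assumed address range of the SAP servers (constructed)
ANYCONNECT_POOL = "10.99.0.0/24"  # assumed Client VPN address pool (constructed)


def l3_rule(policy, dest_cidr, comment, protocol="any", dest_port="any"):
    """One L3 firewall rule in the shape the Dashboard API group-policy object uses."""
    return {"comment": comment, "policy": policy, "protocol": protocol,
            "destPort": dest_port, "destCidr": dest_cidr}


def build_group_policies():
    """SAP users: only the SAP subnet. Non-SAP users: everything except the SAP
    subnet. Both groups are kept from talking to other VPN clients in the pool."""
    sap_rules = [
        l3_rule("deny", ANYCONNECT_POOL, "no client-to-client traffic"),
        l3_rule("allow", SAP_SUBNET, "SAP application servers"),
        l3_rule("deny", "any", "block everything else"),
    ]
    non_sap_rules = [
        l3_rule("deny", ANYCONNECT_POOL, "no client-to-client traffic"),
        l3_rule("deny", SAP_SUBNET, "non-SAP users must not reach SAP"),
        l3_rule("allow", "any", "all other corporate resources"),
    ]

    def policy(name, rules):
        return {"name": name,
                "firewallAndTrafficShaping": {"settings": "custom",
                                              "trafficShapingRules": [],
                                              "l3FirewallRules": rules}}

    return {"SAP-Users": policy("SAP-Users", sap_rules),
            "Non-SAP-Users": policy("Non-SAP-Users", non_sap_rules)}


def first_match(rules, dest_ip):
    """Evaluate rules top-down; the first rule whose destCidr contains dest_ip wins.
    The fallback is an assumed implicit allow; it is never reached here because every
    ruleset above ends with an explicit catch-all."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in rules:
        cidr = rule["destCidr"]
        if cidr == "any" or ip in ipaddress.ip_network(cidr, strict=False):
            return rule["policy"]
    return "allow"


def verify(policies):
    """Sample flows (constructed addresses) to confirm intent before deployment."""
    sap = policies["SAP-Users"]["firewallAndTrafficShaping"]["l3FirewallRules"]
    non = policies["Non-SAP-Users"]["firewallAndTrafficShaping"]["l3FirewallRules"]
    return {
        "sap_user_to_sap": first_match(sap, "10.50.0.10"),
        "sap_user_to_other": first_match(sap, "10.20.0.10"),
        "sap_user_to_peer": first_match(sap, "10.99.0.7"),
        "non_sap_to_sap": first_match(non, "10.50.0.10"),
        "non_sap_to_other": first_match(non, "10.20.0.10"),
        "non_sap_to_peer": first_match(non, "10.99.0.7"),
    }


def push_policy(network_id, policy, api_key):
    """POST one group policy to the Dashboard API (assumed v1 endpoint; needs a real key)."""
    req = urllib.request.Request(
        f"https://api.meraki.com/api/v1/networks/{network_id}/groupPolicies",
        data=json.dumps(policy).encode(),
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policies = build_group_policies()
    verdicts = verify(policies)
    print(json.dumps(verdicts, indent=2))
    # Refuse to push anything if the local check does not match the intent.
    assert verdicts["sap_user_to_sap"] == "allow" and verdicts["non_sap_to_sap"] == "deny"
    if os.environ.get("MERAKI_API_KEY"):  # assumed variable names; push only when set
        for p in policies.values():
            push_policy(os.environ["MERAKI_NETWORK_ID"], p, os.environ["MERAKI_API_KEY"])
```

Run it without an API key to see the verdict table only; the local evaluator is deliberately kept separate from the push step so a mistake in rule order (for example the catch-all placed first) is caught before it reaches the dashboard.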