AnyConnect VPN

Shubh3738

We have configured a group policy and AnyConnect profile for SAP users hosted on AWS Cloud. The cloud setup includes SD-WAN with vmX configured in a VPC.

Current Scenario:
SAP users can access only SAP applications as expected.
Non-SAP users are also able to access SAP applications and other servers, despite policies in AD.
Group policies in AD are not being enforced correctly.
Key Issue:
Documentation states:
"The MX does not support mapping group policies via Active Directory for users connecting through the client VPN."

Given this limitation, how can we achieve the desired policy enforcement to restrict SAP access for non-SAP users while ensuring proper access for SAP users?

Additional Context:
We aim for a solution that enforces group-specific restrictions.

Looking forward to recommendations or workarounds!

alemabrahao

AnyConnect on the MX does not support multiple VLANs or address pools for Client VPN users. However, the MX supports the application and enforcement of policies to AnyConnect users on authentication. It is also important to note that, from a Client VPN standpoint on the MX, having users on the same subnet does not mean they are in the same VLAN. Users are assigned a /32 address (one address) from the pool configured on dashboard. Group Policies can then be used to limit users on the same AnyConnect subnet from talking to each other or other resources on the network.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Group_Policies_with_RA...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth

Attacking this using AnyConnect profiles is the wrong way to go. Instead have everyone use the same profile, but have the MX enforce different sets of firewall rules.

If you are using RADIUS authentication, then use the Filter-Id attribute to apply a group policy.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Group_Policies_with_RA...

If you are using SAML authentication (such as Entra ID) then push a SAML attribute.

https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-SAML-Group-Policy-assignment/m-p/247512/h...

Then just create a group policy with layer 3 firewall rules for each group saying what they can access.
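The RADIUS path described in this reply, as an added illustration that is not part of the original thread and not Meraki's own code: the RADIUS server returns an Access-Accept carrying a Filter-Id attribute (RFC 2865, attribute type 11), the VPN concentrator reads that value, selects the dashboard group policy whose name matches it (the name match is assumed here, as is the fallback to a default policy when no name matches), and then evaluates that policy's ordered layer 3 rules against each flow. The subnets, policy names, shared secret and rule sets below are constructed sample data, not values from the poster's environment.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

ACCESS_ACCEPT = 2   # RADIUS packet code for Access-Accept (RFC 2865 s.4.2)
FILTER_ID = 11      # RADIUS attribute type for Filter-Id (RFC 2865 s.5.11)


def build_access_accept(request_authenticator: bytes, identifier: int,
                        secret: bytes, filter_id: str) -> bytes:
    """Build an Access-Accept whose only attribute is Filter-Id=<filter_id>.

    This stands in for what the RADIUS server (NPS, FreeRADIUS, ...) emits
    after authenticating the user and looking up their directory group.
    """
    value = filter_id.encode()
    attrs = struct.pack("!BB", FILTER_ID, 2 + len(value)) + value   # TLV: type, length, value
    length = 20 + len(attrs)                                        # 4-byte header + 16-byte authenticator
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet: bytes, request_authenticator: bytes,
                                  secret: bytes) -> bool:
    """The VPN side must check the Response Authenticator before trusting any attribute."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def extract_filter_id(packet: bytes) -> Optional[str]:
    """Walk the attribute TLVs and return the Filter-Id value, or None if absent/malformed."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None                      # malformed TLV: refuse rather than guess
        if atype == FILTER_ID:
            return packet[pos + 2:pos + alen].decode(errors="replace")
        pos += alen
    return None


# Constructed group policies keyed by name; each is an ordered list of
# (action, protocol, destination CIDR) layer 3 rules, first match wins.
SAP_SUBNET = "10.10.20.0/24"                 # hypothetical SAP server subnet in the VPC
GROUP_POLICIES = {
    "SAP-Users": [
        ("allow", "tcp", SAP_SUBNET),        # SAP staff reach the SAP servers over TCP
        ("deny", "any", "10.0.0.0/8"),       # but nothing else on the private range
        ("allow", "any", "0.0.0.0/0"),
    ],
    "Default": [
        ("deny", "any", SAP_SUBNET),         # everyone else is kept away from SAP
        ("allow", "any", "0.0.0.0/0"),
    ],
}


def select_group_policy(filter_id: Optional[str]) -> list:
    """Assumed behaviour: Filter-Id must equal a policy name; otherwise fall back to Default."""
    return GROUP_POLICIES.get(filter_id or "", GROUP_POLICIES["Default"])


def evaluate(rules: list, proto: str, dst_ip: str) -> str:
    dst = ipaddress.ip_address(dst_ip)
    for action, rproto, cidr in rules:
        if rproto != "any" and rproto != proto:
            continue
        if dst in ipaddress.ip_network(cidr):
            return action
    return "deny"                            # implicit deny if no rule matched


def vpn_decision(packet: bytes, request_authenticator: bytes, secret: bytes,
                 proto: str, dst_ip: str) -> str:
    """End to end: authenticate the RADIUS reply, map Filter-Id to a policy, evaluate the flow."""
    if not verify_response_authenticator(packet, request_authenticator, secret):
        return "deny"                        # forged or corrupted reply: no access at all
    return evaluate(select_group_policy(extract_filter_id(packet)), proto, dst_ip)


if __name__ == "__main__":
    req_auth, secret = bytes(range(16)), b"constructed-shared-secret"
    sap = build_access_accept(req_auth, 7, secret, "SAP-Users")
    other = build_access_accept(req_auth, 8, secret, "Finance")
    print("SAP user -> SAP host:", vpn_decision(sap, req_auth, secret, "tcp", "10.10.20.5"))
    print("Finance user -> SAP host:", vpn_decision(other, req_auth, secret, "tcp", "10.10.20.5"))
```

The point worth keeping in mind is the last function: the group name only becomes a policy after the Response Authenticator check passes, and an unknown or missing Filter-Id lands in the restrictive default rather than in an unrestricted profile. The same selection and evaluation logic applies to the SAML route in the reply; only the attribute carrier changes.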
