Meraki

Community

Anyconnect VPn

Shubh3738
Building a reputation
yesterday
yesterday

Anyconnect VPn

We have configured a group policy and AnyConnect profile for SAP users hosted on AWS Cloud. The cloud setup includes SD-WAN with vmX configured in a VPC.

 

Current Scenario:
SAP users can access only SAP applications as expected.
Non-SAP users are also able to access SAP applications and other servers, despite policies in AD.
Group policies in AD are not being enforced correctly.
Key Issue:


Documentation states:
"The MX does not support mapping group policies via Active Directory for users connecting through the client VPN."

Given this limitation, how can we achieve the desired policy enforcement to restrict SAP access for non-SAP users while ensuring proper access for SAP users?

 

Additional Context:
We aim for a solution that enforces group-specific restrictions.

 

Looking forward to recommendations or workarounds!

0 Kudos
3 Replies 3
alemabrahao
Kind of a big deal
Kind of a big deal
yesterday
yesterday

AnyConnect on the MX does not support multiple VLANs or address pools for Client VPN users. However, the MX supports the application and enforcement of policies to AnyConnect users on authentication. It is also important to note that, from a Client VPN standpoint on the MX, having users on the same subnet does not mean they are in the same VLAN. Users are assigned a /32 address (one address) from the pool configured on dashboard. Group Policies can then be used to limit users on the same AnyConnect subnet from talking to each other or other resources on the network.

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Group_Policies_with_RA...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal
yesterday
yesterday

Attacking this using AnyConnect profiles is the wrong way to go.  Instead have everyone else the same profile, but have the MX enforce different sets of firewall rules.

 

If you are using RADIUS authentication, then use the Filter-Id atttribute to apply a group policy.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Group_Policies_with_RA...

 

If you are using SAML authentication (such as Entra ID) then push a SAML attribute.

https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-SAML-Group-Policy-assignment/m-p/247512/h...

 

Then just create a group policy with layer 3 firewall rules for each group saying that they can access.

0 Kudos
In response to PhilipDAth
Shubh3738
Building a reputation
yesterday
yesterday

Sir, Currently iam using fortinet vpn for roaming users, But need to replace it with AnyConnect vpn in this month as renewal is coming on last week on this month .

 

We are using Active directory for an authentication of users where we create multiple policies for Local Lan users, Critical Application users and so on.

By this if user need Critical application access only, they are not authorized to access Local Servers or Services.

 

Is there any other way to achieve solution like this. As we have on AD for authentication  only.

 

We have also vmX installed in AWS Cloud. If possible, by configure AnyConnect on vmX , we can check that scenario also.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.