Anyconnect on Meraki MX

Naresh_Pattu
Here to help

Hi,

 

My client is currently using an MX95 along with a Secure Client "Advantage" subscription.

 

Currently he is adding the VPN users manually and now he wants to restrict the VPN users with MAC ID.

 

He feels that if any of the users tries to connect from a personal device with his AnyConnect, it should be blocked.

 

Is there any workaround for this?

 

MartinLL
Building a reputation

You would need some sort of device compliancy check. Not possible to do natively in the dashboard.

What you could do is configure a RADIUS service, ISE for example, to get compliancy status as part of the authz sequence and grant access based on that.

You could also do SAML to, for example, Entra ID. There you can control access by defining policy in Conditional Access.

Either way, MAC filtering would not be a good solution even if it could be done.

MLL
Naresh_Pattu
Here to help

Hi Martin,

 

Thanks for your response.

 

Would be great if you can share more details on Entra ID, how to implement it with Meraki.

 

MartinLL
Building a reputation
Naresh_Pattu
Here to help

Thanks Martin for the quick support.

 

Will check this and update here.

PhilipDAth
Kind of a big deal

@MartinLL is onto it.  This is something you would enforce in your IDP, such as Entra ID, Duo, etc.  This is exactly how I do it for our company (using Duo).  We restrict VPN access to company-owned machines.

 

It looks like it might be possible to do this using certificates as well.  You would deploy a certificate onto the machine you want to allow.  And then you create a "Remote Access - VPN Posture" configuration that requires a certificate.

https://documentation.meraki.com/CiscoPlusSecureConnect/Cisco__Secure_Connect_Now_Remote_Access/Remo...

 


This is under Secure Connect/Endpoint Posture/VPN Access.
