Applying Group Policies for client machines

SimonReach
Building a reputation

When a user connects to the Meraki Client VPN, it gets a MAC address. I can go into Network-Wide > Clients, search for my Client VPN user account, click on the MAC address for the machine that corresponds to my user and then assign a Device Policy to that client.

How does Meraki assign the MAC address? If, for example, I connect my laptop to the Client VPN from different locations, would it get a different MAC address, or would the MAC stay the same, meaning I only need to apply a policy to my machine once for the lifespan of the machine?

9 Replies
alemabrahao
Kind of a big deal

You can't apply the policy until the user has connected.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
SimonReach
Building a reputation

Sorry, I'm aware of that, but my question is: if a user connects to the VPN with a new laptop and they've got no access, they ring me and say nothing works, I apply the relevant group policy to their new laptop and confirm everything works. At the end of the day they disconnect from the VPN and then come back a few days later. Will I need to apply the policy again, or will Meraki remember that that device needs a certain policy and everything would just work without me having to reapply the policy to the laptop again?

alemabrahao
Kind of a big deal

You will need to reapply as this theoretically changes, but to be honest it would be a good idea to test first to be sure.
Did you do a test?

SimonReach
Building a reputation

Is there a way to apply a Group Policy to a device automatically?

We do use RADIUS for authentication when logging onto the Client VPN, but that seems, from my reading up and understanding, to be based purely on the user.


What I'd like is per-device, so that if a malicious party were to get my username, password and the secret key, they'd be able to log into the VPN but would have zero access if they weren't on a client that had been confirmed to be OK.

Edit: Just going through the event logs, the VPN clients never seem to change their MAC address at all when reconnecting to the Client VPN, from today back to February. So it looks like the MAC address must be remembered somehow, based on a unique identifier from the machine that is being used to connect?

alemabrahao
Kind of a big deal

In this case I believe that the MAC is created by the virtual adapter of the VPN connection, in which case I think that when applying the policy it will always be applied, but as I said it would be good for you to test it first. It should be simple and quick to test.

AlexL1
Meraki Employee

Hi SimonReach,
I hope your day is going well.

It is possible to manually apply group policies to clients connected via client VPN.

  • A group policy applied to a client VPN user is associated with the username and not the device. 
  • Different devices that connect to client VPN with the same username will receive the same group policy.

For more help on assigning or removing group policies applied to a client, refer to the Creating and Applying Group Policies document.

It is not possible to assign group policies automatically once a user connects to client VPN.

If you have more questions, please don't hesitate to contact us.
If you found this post helpful, please give it kudos.
If my answer solved your problem, click "accept as solution" so that others can benefit from it.
SimonReach
Building a reputation

  • A group policy applied to a client VPN user is associated with the username and not the device. 

Is there any way to change it to per device? We're trying to lock the Client VPN down to a point whereby a malicious character that has got the username, password and secret key will still have zero access to the network. The testing I've done by connecting my laptop and mobile to the VPN shows that both will get the same policy, even if I only apply it to one of the Client IDs. Is there no way at all to do it per device?

rhbirkelund
Kind of a big deal

What kind of Client VPN solution are you using? Are you by any chance using AnyConnect?

If so, and you have configured SAML for authentication with AnyConnect, you can dynamically assign group policies to users, depending on which group they may be assigned in Entra ID. For reference, this is also described in https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-SAML-Group-Policy-assignment/m-p/137691

It is currently only available as a hidden feature, so you'll have to have Meraki Support to enable it.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
SimonReach
Building a reputation

We just use the standard Windows client vpn, we don't use AnyConnect at all.
