Client VPN - MFA

Andrew3
Conversationalist

Hello

Is there any way right now to achieve MFA for a Client VPN connection?
Can AnyConnect be used?

Claes_Karlsson
Getting noticed

AnyConnect is on the roadmap; soon you can try it on a beta release. I don't know of any option at the moment where you can do MFA. Maybe if you have a NAC solution, like ISE, where you can call another authentication system like Duo for a response.

/CK

cwal21
Getting noticed

I was able to successfully set this up using Client VPN with RADIUS auth to an on-prem AD server, then using Azure AD Connect for Azure MFA using the MFA NPS extension...

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

The above article was very helpful in getting it all configured.

Hope this helps!

PabloR
Conversationalist

We need to do the same 2FA with Client VPN with Azure MFA. I understand this is possible using a RADIUS server (NPS Server + NPS Extension) as explained in the document.

Did you use the native Client VPN of the OS or the new AnyConnect client with a certificate, which is a new feature?
Is this the only way to use push notifications with the Microsoft Authenticator app?
Did you need to increase the RADIUS timeout with Meraki support?

Client Anyconnect

Many thanks.

cwal21
Getting noticed

I used the native Windows client VPN. I have not seen the option of using AnyConnect with Meraki MX... are you saying that is now a new option available, as I know it's been requested many a time but never came through? Your link redirects to a login I don't have access to.

I believe there are other options aside from the Microsoft Authenticator app, such as text message etc., and that is configured within O365/Azure AD.

Yes, I definitely increased the RADIUS timeout to 60 secs, as I believe the default is something like 5 secs, 3 times, so 15 secs total. Support must be on the phone to do so, btw; it cannot be completed via email/case comments.

KRusch
Just browsing

@cwal21 

Sorry, I know this is a bit old, but can you share your NPS settings and whether you created a conditional access policy?

I read the article and got the extension installed and all that, but I am not getting the connection to complete.

Thanks

cwal21
Getting noticed

Which settings in particular are you looking for? I ran into issues with the extension, and it ended up being a matter of updating to the latest available NPS extension. I hope this helps, and sorry for the delayed reply!

veld2345
Conversationalist

We use the same setup.

KRusch
Just browsing

@veld2345 

Would you mind sharing your settings? I keep getting an error about the extension discarding the request on the NPS server.

mmzzaq
Here to help

Same issue here. Did you ever figure this out?

The other option (AnyConnect) works fine, but that is not an option for us.

rubenlozada88
Conversationalist

Thank you very much @cwal21, exactly what I needed to increase the security of the connection.

cwal21
Getting noticed

Glad to help and thank you!

Roska
A model citizen

As mentioned, AnyConnect is on the roadmap; currently, just use your preferred RADIUS and deploy it within the Cisco setup?

Some docs that cover the topic:

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Two-Factor_Authentication

https://duo.com/docs/meraki-radius

JasonCampbell
Getting noticed

You can use Duo for MFA:

https://duo.com/docs/meraki-radius

PhilipDAth
Kind of a big deal

I use Duo for anyone wanting MFA for client VPN. Specifically, you use the Duo RADIUS proxy with push notifications.

https://duo.com/docs/radius

BrandonB_FAB
Conversationalist

If you're using Duo, they have an Authentication Proxy that you can use to MFA your VPN connection. I implemented it a few months ago and it works well.

https://duo.com/docs/meraki-radius
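An example authproxy.cfg for the Duo Authentication Proxy setup described in the last two replies (MX sends RADIUS to the proxy, the proxy checks the password against on-prem AD and then sends a Duo push); this is added here as an illustration and is not configuration from the thread or from Duo's documentation. The domain controller name, the MX address 192.0.2.1, the service account name and all secrets are placeholders.

```ini
; Duo Authentication Proxy - Meraki MX client VPN with push MFA
; All host names, addresses and secrets below are constructed placeholders.

; Primary (first factor) authentication: bind to on-prem Active Directory.
; Use a dedicated, least-privilege read-only service account for the bind.
[ad_client]
host=dc01.example.local
service_account_username=svc-duoproxy
service_account_password=<AD_SERVICE_ACCOUNT_PASSWORD>
search_dn=DC=example,DC=local

; RADIUS listener that the MX talks to; "auto" selects the user's
; default Duo factor, so an enrolled phone gets a push notification.
[radius_server_auto]
ikey=<DUO_INTEGRATION_KEY>
skey=<DUO_SECRET_KEY>
api_host=<API_HOSTNAME>.duosecurity.com
; Address the MX sends RADIUS from, and the shared secret entered in
; Security & SD-WAN > Client VPN in Dashboard for this RADIUS server.
radius_ip_1=192.0.2.1
radius_secret_1=<RADIUS_SHARED_SECRET>
client=ad_client
port=1812
; Fail closed: if the Duo cloud service is unreachable, deny the login
; rather than silently skipping the second factor.
failmode=secure
```

Pair this with the RADIUS timeout increase cwal21 describes above: at the default roughly 5 s x 3 retries the MX gives up before most users can approve the push, and each retransmit is another Access-Request the proxy has to handle.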
