Hello
Is there any way right now to achieve MFA for Client VPN connection?
Can AnyConnect be used?
AnyConnect is on the roadmap, soon you can try it on a beta release. I don't know any option at the moment where you can do MFA. Maybe if you have a NAC-solution, like ISE, where you can call another authentication system like DUO for a response.
/CK
I was able to successfully set this up using Client VPN w/ RADIUS Auth to on-prem AD Server then using Azure AD Connect for Azure MFA using the MFA NPS extension...
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
The above article was very helpful in getting it all configured.
Hope this helps!
I used the native Windows client VPN. I have not seen the option of using AnyConnect with Meraki MX. Are you saying that is now a new option available? I know it's been requested many a time but never came through. Your link redirects to a login I don't have access to.
I believe there are other options aside from the Microsoft Authenticator App such as text message etc. and that is configured within O365/Azure AD.
Yes, I definitely increased the RADIUS timeout to 60 secs, as I believe the default is something like 5 secs, 3 times, so 15 secs total. Support must be on the phone to do so btw, cannot be completed via email/case comments.
Sorry, I know this is a bit old, but can you share your NPS settings and if you created a conditional access policy?
I read the article and got the extension installed and all that, but I am not getting the connection to complete.
Thanks
Which settings in particular are you looking for? I ran into issues with the extension causing issues, and it ended up being a matter of updating to the latest available NPS extension. I hope this helps, and sorry for the delayed reply!
We use the same setup
Would you mind sharing your settings? I keep getting an error about the extension discarding the request on the NPS server.
Same issue here. Did you ever figure this out?
The other option (AnyConnect) works fine but that is not an option for us.
Thank you very much @cwal21, just what I needed to increase the security of the connection.
Glad to help and thank you!
As mentioned, AnyConnect is on the roadmap; currently, just use your preferred RADIUS and deploy within the Cisco setup?
Some docs to cover the topic
https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Two-Factor_Authentication
https://duo.com/docs/meraki-radius
I use Duo for anyone wanting MFA for client VPN. Specifically, you use the Duo RADIUS proxy with push notifications.
If you're using DUO they have an Authentication Proxy that you can use to MFA your VPN connection. I implemented it a few months ago and it works well.