Client VPN - MFA


Client VPN - MFA



Is there any way right now to achieve MFA for Client VPN connection ? 
Can Anyconnect be used ?

15 Replies 15
Getting noticed

AnyConnect is on the roadmap, soon you can try it on a beta release. I don't know any option at the moment where you can do MFA. Maybe if you have a NAC-solution, like ISE, where you can call another authentication system like DUO for a response.




I was able to successfully set this up using Client VPN w/ Radius Auth to on-prem AD Server then using Azure AD Connect for Azure MFA using the mfa nps extension...

The above article was very helpful in getting it all configured.


Hope this helps!


We need to do the same 2FA with Client VPN with Azure MFA, I understand this is possible using a Radius (NPS Server + NPS Extension) as explained in the document.
Did you use the native Client VPN of the OS or the new Anyconnect client with a certificate, which is a new feature?
Is this the only way to use push notifications with Microsoft Authenticator App?
Did you need to increase the Radius Timeout with Meraki support?
Client Anyconnect 
Many Thanks.
Getting noticed

I used the native Windows client VPN.I have not seen the option of using AnyConnect with Meraki MX..are you saying that is now a new option available as I know it's been requested many a time but never came through. Your link redirects to a login I don't have access to.


I believe there are other options aside from the Microsoft Authenticator App such as text message etc. and that is configured within O365/Azure AD.


Yes I definitely increased the radius timeout to 60 secs as I believe the default is something like 5 secs, 3 times so 15 secs total. Support must be on the phone to do so btw, cannot be completed via email/case comments.




Sorry i know this is a bit old. but can you share you NPS settings and if you created a conditional access policy.

I read the article and got the extension installed and all that but i am not getting the connection to complete.


Getting noticed

Which settings in particular are you looking for? I ran into issues with the extension causing issues and it ended up being a matter of updating to the latest available NPS extension, I hope this helps and sorry for the delayed reply!


We use the same setup


would you mind sharing your settings. i keep getting an error about the extension discarding the request on the nps server.

Same issue here. Did you ever figure this out?

The other option (Anyconnect) works fine but that is not option for us.

Muchas gracias @cwal21 justo lo que requeria para aumentar la seguridad en la conexion.

Glad to help and thank you!

A model citizen

as mentioned Anyconnect is on the roadmap currently just use your preferred radius and deploy within cisco setup?


Some docs to cover the topic


Getting noticed

You can use DUO for MFA:

Kind of a big deal
Kind of a big deal

I use Duo for anyone wanting MFA for client VPN.  Specifically, you use the Duo RADIUS proxy with push notifications. 


If you're using DUO they have an Authentication Proxy that you can use to MFA your VPN connection.  I implemented it a few months ago and it works well. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.