
Client VPN - MFA





Is there any way right now to achieve MFA for a Client VPN connection?
Can AnyConnect be used?

Getting noticed

Re: Client VPN - MFA

AnyConnect is on the roadmap, soon you can try it on a beta release. I don't know any option at the moment where you can do MFA. Maybe if you have a NAC-solution, like ISE, where you can call another authentication system like DUO for a response.




A model citizen

Re: Client VPN - MFA

As mentioned, AnyConnect is on the roadmap. Currently, just use your preferred RADIUS and deploy within the Cisco setup?


Some docs to cover the topic


Getting noticed

Re: Client VPN - MFA

You can use DUO for MFA:

Kind of a big deal

Re: Client VPN - MFA

I use Duo for anyone wanting MFA for client VPN.  Specifically, you use the Duo RADIUS proxy with push notifications. 

Here to help

Re: Client VPN - MFA

I was able to successfully set this up using Client VPN w/ RADIUS auth to an on-prem AD server, then using Azure AD Connect for Azure MFA using the MFA NPS extension...

The above article was very helpful in getting it all configured.


Hope this helps!

New here

Re: Client VPN - MFA

We need to do the same 2FA with Client VPN with Azure MFA. I understand this is possible using RADIUS (NPS Server + NPS Extension) as explained in the document.
Did you use the native Client VPN of the OS or the new AnyConnect client with a certificate, which is a new feature?
Is this the only way to use push notifications with the Microsoft Authenticator App?
Did you need to increase the RADIUS timeout with Meraki support?
Client Anyconnect 
Many thanks.
Here to help

Re: Client VPN - MFA

I used the native Windows client VPN. I have not seen the option of using AnyConnect with Meraki MX. Are you saying that is now a new option available? I know it's been requested many a time but never came through. Your link redirects to a login I don't have access to.


I believe there are other options aside from the Microsoft Authenticator App such as text message etc. and that is configured within O365/Azure AD.


Yes, I definitely increased the RADIUS timeout to 60 secs, as I believe the default is something like 5 secs, 3 times, so 15 secs total. Support must be on the phone to do so btw; it cannot be completed via email/case comments.


