Client VPN - MFA

Andrew3
Conversationalist

Client VPN - MFA

Hello

 

Is there any way right now to achieve MFA for Client VPN connection ? 
Can Anyconnect be used ?

12 REPLIES 12
Claes_Karlsson
Getting noticed

AnyConnect is on the roadmap, soon you can try it on a beta release. I don't know any option at the moment where you can do MFA. Maybe if you have a NAC-solution, like ISE, where you can call another authentication system like DUO for a response.

 

/CK

 

I was able to successfully set this up using Client VPN w/ Radius Auth to on-prem AD Server then using Azure AD Connect for Azure MFA using the mfa nps extension...

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

The above article was very helpful in getting it all configured.

 

Hope this helps!

PabloR
Conversationalist

We need to do the same 2FA with Client VPN with Azure MFA, I understand this is possible using a Radius (NPS Server + NPS Extension) as explained in the document.
 
Did you use the native Client VPN of the OS or the new Anyconnect client with a certificate, which is a new feature?
Is this the only way to use push notifications with Microsoft Authenticator App?
Did you need to increase the Radius Timeout with Meraki support?
 
Client Anyconnect 
 
Many Thanks.

I used the native Windows client VPN.I have not seen the option of using AnyConnect with Meraki MX..are you saying that is now a new option available as I know it's been requested many a time but never came through. Your link redirects to a login I don't have access to.

 

I believe there are other options aside from the Microsoft Authenticator App such as text message etc. and that is configured within O365/Azure AD.

 

Yes I definitely increased the radius timeout to 60 secs as I believe the default is something like 5 secs, 3 times so 15 secs total. Support must be on the phone to do so btw, cannot be completed via email/case comments.

 

 

@cwal21 

Sorry i know this is a bit old. but can you share you NPS settings and if you created a conditional access policy.

I read the article and got the extension installed and all that but i am not getting the connection to complete.

thanks

We use the same setup

@veld2345 

would you mind sharing your settings. i keep getting an error about the extension discarding the request on the nps server.

Muchas gracias @cwal21 justo lo que requeria para aumentar la seguridad en la conexion.

Roska
A model citizen

as mentioned Anyconnect is on the roadmap currently just use your preferred radius and deploy within cisco setup?

 

Some docs to cover the topic

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Two-Factor_Authentication

https://duo.com/docs/meraki-radius

 

JasonCampbell
Getting noticed

You can use DUO for MFA:

https://duo.com/docs/meraki-radius

PhilipDAth
Kind of a big deal

I use Duo for anyone wanting MFA for client VPN.  Specifically, you use the Duo RADIUS proxy with push notifications.

https://duo.com/docs/radius 

BrandonB_FAB
Conversationalist

If you're using DUO they have an Authentication Proxy that you can use to MFA your VPN connection.  I implemented it a few months ago and it works well. 

 

https://duo.com/docs/meraki-radius 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels